Data stealing

from Wikipedia, the free encyclopedia

According to Section 202d of the German Criminal Code (StGB), data stealing is an offense punishable by imprisonment for up to three years or a fine. The provision is located in the 15th section, violation of personal life and privacy. With this provision, the legislature wants to adapt the penal code to the digital age. Its purpose is modeled on the ordinary offense of receiving stolen goods, § 259 StGB.

Text

The wording of § 202d StGB is:

(1) Anyone who obtains, transfers, disseminates or otherwise makes accessible data (Section 202a, Paragraph 2) that is not generally accessible and that someone else has obtained through an illegal act, in order to enrich himself or a third party or to harm someone else, is punishable by imprisonment for up to three years or a fine.

(2) The punishment may not be more severe than the punishment threatened for the predicate offense.

(3) Paragraph 1 does not apply to acts that serve exclusively the fulfillment of lawful official or professional duties. This includes in particular

  1. such acts by public officials or their agents by which data are intended to be used only in taxation proceedings, criminal proceedings or administrative offense proceedings, and
  2. such professional acts by the persons named in Section 53 (1) sentence 1 number 5 of the Code of Criminal Procedure by which data are received, evaluated or published.

Offense

The subject of the crime is data that is not publicly available. The provision aims to protect the confidentiality of data. It punishes actions that perpetuate unlawful data storage and that have conceptual parallels to receiving stolen goods. Some believe that this data must originate from an unlawful predicate offense that is directed against the authority to dispose of data, for example spying on data (§ 202a StGB).

On October 16, 2015, the Bundestag passed the “Law on Data Retention and Data Stealing”. The announcement in the Federal Law Gazette took place on December 17, 2015. The offense of data stealing came into force one day later on December 18, 2015.

Criticism

The elements of the offense were already criticized during the legislative process, as the provision was seen, among other things, as a danger to journalism in connection with data from whistleblowers. Critics held that the regulation would criminalize and deter bloggers, whistleblowers and journalists. An alliance of journalists and civil rights organizations has therefore lodged a constitutional complaint against Section 202d of the Criminal Code.

In their constitutional complaint, they mainly allege a violation of freedom of the press. When dealing with informants (whistleblowers) and "stolen" data for the purpose of investigative journalism, there is a risk of criminal liability for the journalist himself. There is an even greater risk for other professional groups who work with journalists, first and foremost the whistleblower himself, since no exclusion from punishment in § 202d StGB would apply to them at all. Furthermore, the complainants object to the vagueness of the criminal provision. In addition to the core area of criminal acts, there is a wide fringe of possible criminal liability.

These concerns are also reflected in the wording of the law. According to the wording, an intention to harm another is generally punishable, which a whistleblower acting without consent basically has and usually has to justify. He generally makes himself punishable by his act and has to exonerate himself at his own risk; this is not regulated in § 202d, but in § 34 StGB. § 34 StGB (justifying state of emergency), however, sets very high hurdles: a present danger that could only have been averted by passing on the data to the journalist. In other words, the "damaged" company claims that there is an effective internal monitoring system which effectively investigates internal misconduct if the whistleblower would be excluded from punishment. He also bears the risk of predicting whether there was a risk of violation of a legal interest. For example, Facebook violates its users' right to informational self-determination when it passes on data to third parties, even though they have consented to such (without knowledge or understanding).

In personal terms, the exclusion from punishment only applies to persons who have participated in the production and distribution of printed works or radio broadcasts. Persons who provide the data to the journalists, or who further process or explain it, are not covered.

From a factual point of view, according to the intention of the legislature, only passive actions by journalists, such as receiving the data, are excluded from criminal liability. This means that any cooperation, inquiry or other necessary interaction between the whistleblower and the journalist, or between different newspapers, is not excluded from criminal liability. Such acts can only alternatively be exempt from punishment, at a very low level of protection, under Section 34 of the Criminal Code.

In his state liability suit under EU law against the VDS (data retention) before the LG Karlsruhe (judgment not yet legally binding; LG Karlsruhe Az.: 10 O 39/18, previously LG Berlin Az.: 28 O 452/17), a lawyer from Bavaria has also made this provision on the exclusion of criminal liability for acts by security authorities, § 202d III No. 2 StGB, part of the subject matter. In his action, he requests that the ECJ be asked whether this exclusion of criminal liability for actions by authorities for the purpose of criminal prosecution is compatible with EU law. He bases his argument on data protection in general, and specifically with regard to the VDS in § 113 ff. TKG, being greatly weakened. A police officer could open a shop on the darknet, offer money for illegal data and receive it in order to use it in criminal proceedings. He refers to the purchase of the Panama Papers by the BKA for 5 million euros in 2017. He argues that while data protection was strengthened with the new version of the VDS laws, as required by the Federal Constitutional Court in its 2010 decision on the VDS, it was weakened considerably more by § 202d III-2 StGB. The data obtained in this way are not subject to any restriction on their use in criminal proceedings.

This line of argument is also supported by the wording of the law, since it speaks generally, without exception, of acts by public officials whose purpose is to use the data obtained exclusively for criminal proceedings. This provision also excludes from criminal liability not only the public official himself, but also persons whom he appoints or who work with him. Overall, there is a considerable imbalance between state actions and actions that private persons can undertake with regard to the exclusion of criminal liability under § 202d StGB. As a result, there is no criminal prosecution for the state under Section 202d of the Criminal Code. Prohibitions on the use of evidence in criminal proceedings should in principle be excluded.

Another point of criticism is that there are considerable gaps in criminal liability, particularly in the area of social networks. One should think of the scandal surrounding Facebook, which passed on considerable amounts of user data to third parties. The gap arises because an illegal act is required as a constituent element of the offense. If there is consent, there is never criminal liability. With social networks, when giving consent, the user does not know what he is revealing about himself with his data, nor what is happening with it. The consent text is usually not read, nor, given its enormous volume, can it be understood in a reasonable time.
