How Hamburg became Europe’s unlikely data protection trailblazer

In Germany, they call him the “Facebook hunter”. He’s been described as one of Europe’s most powerful protectors of data privacy, has locked horns with US tech titans, and earned a troublemaker reputation across Europe. 

In over a decade as the data protection commissioner for the German city-state of Hamburg, Johannes Caspar has attempted to redefine the role of local data protection authorities. Germany has a department for data protection in each of its 16 states, plus another at the federal level. Caspar was in the job for 12 years, retiring in June 2021 because he had reached the legal limit of two terms in the post. During this time he became, arguably, the country’s most forthright data protection commissioner. And one of Europe’s most active. “If you want to make friends, this isn’t the right job for you,” he says. “You get into trouble.”

A lawyer by training, Caspar started as Hamburg’s privacy commissioner on May 4, 2009. Less than two weeks later, he’d already wrung concessions out of Google. At that time the tech giant was just starting its StreetView project in Hamburg, and its vehicles were taking pictures as they cruised the city’s streets. The phone in Caspar’s office didn’t stop ringing from calls of indignant privacy-aware Germans complaining that Americans were taking their pictures. Caspar insisted that unless Google agreed to make the faces of passers-by unidentifiable in its raw data and also consented to blurring buildings if there were complaints, the StreetView project would not be allowed to go ahead in Hamburg. Google acquiesced. “It felt like a kind of culture war,” Caspar recalls, describing it as a fight between the analogue world and a newly arrived digital future.

It was the first of many battles with multinational tech giants. Facebook, WhatsApp, Clearview, PimEyes, and Amazon, have all faced the regulator. As well as local hospitals that left patient files lying around, and the local police, who tried to identify anti-globalisation protesters using automated facial recognition software. In a country already extremely fond of privacy, Hamburg stands out as one of the most private places to live.

“Behind closed doors, people would agree that something needed to be done about these things,” Franziska Boehm, a professor at the Leibniz Institute for Information Infrastructure in the southwestern German city of Karlsruhe, explains. “But Caspar actually did it. And for that, he always dealt with a lot of criticism.”

“When you go up against a company like Facebook you have to accept that, any minute, you might be sitting in front of a bunch of lawyers who suddenly appeared in your office,” Caspar says. “It’s not a comfortable position to be in.”

Over the years, he’s won and lost, but all the confrontation certainly brought him a measure of notoriety. In 2020, he was named one of Europe’s most powerful people by Politico. Described as “one of the world’s most vocal and forceful privacy hawks”, he slid onto the list alongside heads of state including Angela Merkel, Vladimir Putin, and Boris Johnson.

“Even though his office is comparatively small, Caspar has been more proactive than many other data protection authorities,” says Jan Penfrat, a senior policy adviser at the European Digital Rights, or EDRi, network. “That has a lot to do with how he acquired this status. He hasn’t shied away from going after the big guys. Other data privacy authorities could have done the same but didn’t.”

It’s about the individuals in the data protection office, Penfrat says, and their willingness to act. Caspar’s successor in Hamburg was named in mid-August: Thomas Fuchs, former head of the state media authority. The politicians who nominated Fuchs argue that he’ll find a good balance between rights and digital commerce, causing privacy activist Max Schrems to tweet, “how to make sure there is advance distrust” in Fuchs.