How Hamburg became Europe’s unlikely data protection trailblazer

Under former commissioner Johannes Caspar, Hamburg sent shock waves from Brussels to Silicon Valley

In Germany, they call him the “Facebook hunter”. He's been described as one of Europe's most powerful protectors of data privacy, has locked horns with US tech titans, and earned a troublemaker reputation across Europe. 

In over a decade as the data protection commissioner for the German city-state of Hamburg, Johannes Caspar has attempted to redefine the role of local data protection authorities. Germany has a department for data protection in each of its 16 states, plus another at the federal level. Caspar was in the job for 12 years, retiring in June 2021 because he had reached the legal limit of two terms in the post. During this time he became, arguably, the country’s most forthright data protection commissioner. And one of Europe’s most active. “If you want to make friends, this isn't the right job for you,” he says. “You get into trouble.”

A lawyer by training, Caspar started as Hamburg's privacy commissioner on May 4, 2009. Less than two weeks later, he'd already wrung concessions out of Google. At that time the tech giant was just starting its StreetView project in Hamburg, and its vehicles were taking pictures as they cruised the city's streets. The phone in Caspar's office didn't stop ringing from calls of indignant privacy-aware Germans complaining that Americans were taking their pictures. Caspar insisted that unless Google agreed to make the faces of passers-by unidentifiable in its raw data and also consented to blurring buildings if there were complaints, the StreetView project would not be allowed to go ahead in Hamburg. Google acquiesced. “It felt like a kind of culture war,” Caspar recalls, describing it as a fight between the analogue world and a newly arrived digital future.

It was the first of many battles with multinational tech giants. Facebook, WhatsApp, Clearview, PimEyes, and Amazon, have all faced the regulator. As well as local hospitals that left patient files lying around, and the local police, who tried to identify anti-globalisation protesters using automated facial recognition software. In a country already extremely fond of privacy, Hamburg stands out as one of the most private places to live.

“Behind closed doors, people would agree that something needed to be done about these things,” Franziska Boehm, a professor at the Leibniz Institute for Information Infrastructure in the southwestern German city of Karlsruhe, explains. “But Caspar actually did it. And for that, he always dealt with a lot of criticism.”

“When you go up against a company like Facebook you have to accept that, any minute, you might be sitting in front of a bunch of lawyers who suddenly appeared in your office,” Caspar says. “It's not a comfortable position to be in.”

Over the years, he's won and lost, but all the confrontation certainly brought him a measure of notoriety. In 2020, he was named one of Europe's most powerful people by Politico. Described as “one of the world’s most vocal and forceful privacy hawks”, he slid onto the list alongside heads of state including Angela Merkel, Vladimir Putin, and Boris Johnson.

“Even though his office is comparatively small, Caspar has been more proactive than many other data protection authorities,” says Jan Penfrat, a senior policy adviser at the European Digital Rights, or EDRi, network. “That has a lot to do with how he acquired this status. He hasn't shied away from going after the big guys. Other data privacy authorities could have done the same but didn't.”

It's about the individuals in the data protection office, Penfrat says, and their willingness to act. Caspar's successor in Hamburg was named in mid-August: Thomas Fuchs, former head of the state media authority. The politicians who nominated Fuchs argue that he'll find a good balance between rights and digital commerce, causing privacy activist Max Schrems to tweet, "how to make sure there is advance distrust" in Fuchs.

Caspar is forthright about why other authorities have shied away from fighting Big Tech, and why he thinks Europe's privacy regulations are not working. When the General Data Protection Regulation (GDPR) was first enforced three years, it was seen as ground-breaking. “We talk a lot about how great data protection is in Europe,” Caspar says now. “But if we can't take the power of this legislation and enact it, then it's just a piece of paper.”

GDPR has been plagued by enforcement problems. Regulators in individual countries across Europe can represent the people who live in them but when there are complaints against multinational firms, they can be handed to the country the company's EU headquarters exists. A German office would, for instance, become what's known as the “lead supervisory authority” for major German computer company SAP, while Luxembourg’s authority takes care of GDPR complaints about Amazon, as that's where the e-commerce giant is based. If there's conflict on any decision, it's taken to the European Data Protection Board, or EDPB, which includes representatives from all of Europe's data privacy agencies.

In May this year, shortly before he left the job, Caspar took on Facebook and its subsidiary, the messaging service WhatsApp, saying that the transfer of data between the two platforms breached consumers' rights. He enacted a three-month emergency order, prohibiting transfers from German users only.

The case then went to the EDPB to consider an EU-wide extension of the ban, but in July the board dismissed the case, on the grounds that the Irish Data Protection Commission was the one competent for investigating Dublin-headquartered Facebook. The office has come in for hefty criticism, including from members of the European Parliament and Ireland's highest court, because it hasn't moved fast enough in investigating data privacy breaches by the world's biggest tech firms – including Facebook, Google, TikTok, Twitter and PayPal – many of which are headquartered in Ireland. In March this year, Germany's Federal Commissioner for Data Protection, Ulrich Kelber, complained that since 2018, he had forwarded 50 complaints to Ireland about Facebook's subsidiary, WhatsApp. None had been resolved.

“If the lead supervisory authority asserts their leadership, then by law, nobody else can intervene,” says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, whose work focuses on surveillance and data rights. “That initial assertion of leadership is important,” he says. “But then, if for whatever reason, they fail to act, there is nothing that Caspar and the rest of them [the other privacy commissioners] can do either.”

One of the Hamburg office's most significant moves was to call attention to this problem, Ryan notes. “Because there is no other way to have an impact,” he notes. “The enforcers are meeting and smiling at each other but the mechanism for collective action is broken.”

“[In Hamburg] we certainly pushed things in the right direction. But that hasn't led to things progressing any more quickly at the European level,” Caspar concedes. “In a lot of scenarios we just more or less handicap each other. The longer these decisions take and the more it seems the current system isn't working properly, the more it becomes clear that we need a central authority in Europe,” he says.

Such an authority wouldn’t necessarily replace the local privacy commissioners though. It would supplement them. “We've recommended a flying column, made up of experts from each nation and a permanent secretariat, that can help local authorities on complicated cases,” says Ryan, who also advocates for more resources for the local privacy officers, better record keeping on what GDPR has actually achieved and a more fulsome use of the law. Penfrat adds it would make sense to give the EDPB the power to take over cases.

Meanwhile Caspar remains positive about how the public's attitudes toward data privacy are evolving. He thinks that people are realising what it means, he says, the way they realised smoking wasn't healthy. But he worries that, even as those realisations arrive, the current lack of tangible results will mean that European data protection rules are no longer seen as credible. “If we don't use our legal power in full,” Caspar says, “we will screw this up.”


Digital Society is a digital magazine exploring how technology is changing society. It’s produced as a publishing partnership with Vontobel, but all content is editorially independent. 

Visit Vontobel Impact for more stories on how technology is shaping the future of society.


More great stories from WIRED

This article was originally published by WIRED UK