Forbidden knowledge? - Criminal liability risks when accepting data leaks - part 2

The first article on the criminal law risks associated with the acceptance of data leaks ended with the observation that the assessment of criminal liability ultimately depends on several factors, so that each case requires an individual assessment. To summarize from the last article, the most important factors for the assessment are:
- Origin of the data (lawfully or unlawfully obtained)
- Technical security measures (protected or not)
- Existence of generally accessible data (when this is the case is controversial)
- Existence of a trade secret
Various scenarios in connection with DROPS are examined below. In each case, the legal norm to be examined is listed first, followed by the relevant actions that could potentially occur in a project such as DROPS in the event of an accepted data leak, and finally the potentially resulting criminal law risks.
- § 202a StGB (spying on data)
  - Unauthorized access to, transmission of, or provision of access to specially secured data.
  - DROPS does not obtain any data through its own actions. In addition, § 202a StGB only protects specially secured data, not generally accessible information. A monetary reward for data provided could theoretically constitute aiding and abetting, but this is unlikely in the absence of intent.
- § 42 (1) nos. 1 and 2 and (2) no. 1 BDSG (unauthorized processing of personal data)
  - Unauthorized transmission or disclosure of personal data.
  - Only data that is not generally accessible can be subject to these criminal law protection provisions. Data from data leaks are generally accessible as long as they are not subject to any access restrictions; this element of the offense is, however, not uncontroversial. The third party can neither obtain knowledge of the information content of the data via DROPS nor use it in the actual sense. In addition, the existence of an authorization under data protection law (Art. 6(1)(f) GDPR) for the processing excludes the objective elements of the offense. Furthermore, DROPS does not process or transmit any personal data, but merely compares hash values.
- § 202d StGB (data fencing)
  - Trafficking in unlawfully obtained data that is not generally accessible.
  - Data leaks are usually public, which means that the element of the offense “not generally accessible” does not apply. There is also no perpetuation of an unlawful data situation comparable to the unlawful asset situation in fencing. In addition, there is potentially no link between the unlawful predicate offense and the perpetrator’s access to the data. Against the background of the principles developed for Sections 184b(5)/184k(3)/91(2) StGB, scientific research or acts in connection with the provision of information to members of the Bundestag may also fall under the exclusion of the offense elements.
- § 23 GeschGehG (violation of a trade secret)
  - Unlawful acquisition or use of protected trade secrets.
  - Trade secrets are only protected if appropriate confidentiality measures have been taken. Data leaks often contain information that loses this protection when it is published. However, if there are grounds for suspicion, the recipient must investigate; this can at least be assumed when a document is marked as strictly confidential. In addition, obtaining the data leak may be justified under Section 5 No. 2 GeschGehG or permitted under Section 3 (2) GeschGehG in a case of whistleblowing.
- § 17 UWG (betrayal of business and trade secrets)
  - Unlawful acquisition or use of protected trade secrets.
  - See above. In addition, DROPS does not publish trade secrets; it only compares hash values.
The criterion of “not generally accessible” proved to be particularly problematic in the assessment. In accordance with the case law of the Federal Court of Justice, information is only generally accessible if it can be obtained by anyone without significant difficulty. Data is generally accessible if it is available to everyone without legal access restrictions. According to the explanatory memorandum to the law, this includes published print media, public databases, public events and the publicly accessible internet. As a rule, such data must be generally accessible and may not only be available to a specific, limited group of people. In contrast, personal data is not generally accessible if access is restricted by technical measures (e.g. access security), factual hurdles (e.g. knowledge of a complex URL required - questionable in my opinion) or legal requirements (e.g. proof of a legitimate interest).
The darknet may be a less frequented area of the internet for the average user, but the data freely available there - without registration, authorization or payment of a fee - is still considered publicly accessible. The reason is that what matters is not whether the perpetrator obtained the data from a source that is not generally accessible, but whether the data itself is not generally accessible. If the perpetrator makes the data publicly available - be it on the darknet or the clearnet - it loses its non-public character, so that the criminal law protection is restricted by the publication. Although the data is still the result of an unlawful act and the publication itself can constitute a criminal offense, the legislator, by tying protection to the characteristic of data that is not publicly accessible, has excluded the possibility of treating such data as permanently tainted. However, it is still disputed whether unlawfully published data is not considered to be generally accessible where this unlawful origin is recognizable. The legal interpretation of this is not uncontroversial, and it is already questionable when and how such knowledge is to be assumed. According to the explanatory memorandum to the law, it is also crucial in this constellation that the data subject has an interest in their data not being made publicly available. This is rendered absurd, however, by the fact that data leaks are regularly offered or shared to more than one person and on more than one platform. Some literature raises the problem that if the publication by a first offender leads to the data becoming generally accessible, the protection of the criminal norms would be undermined. However, with the concept of data that is not generally accessible, the legislator has excluded leaked data from this protection. In my opinion, data from data leaks are therefore generally accessible as long as they are not subject to any access restrictions.
Future legislation is also of crucial relevance for a well-founded assessment (see blog post: https://itsec.cs.uni-bonn.de/drops/de/logbuch/24-10-25-reform-des-hackerparagraphen/). Criminal computer law is currently being revised. For research (and also for the fulfillment of lawful professional or official duties), one could also be guided by comparable exceptions. The social adequacy clauses in Sections 91 (2) and 184k (3) of the German Criminal Code (StGB) should be mentioned here, which, according to prevailing opinion, are regarded as exclusions from the offense. They also contain a privileged treatment of science and research. In summary, there is still legal uncertainty with regard to data that is not generally accessible and the following further unresolved issues:
- The question of whether illegal trade secrets also fall under the concept of trade secrets, i.e. information about illegal actions, has not yet been clarified by the highest court in Germany.
- It is also unclear under what conditions whistleblowing can be used as a justification under criminal law.