Generalklauseln im Datenschutzrecht

German data protection laws all provide for provisions that allow public authorities to process personal data whenever this is ‘necessary’ for the respective authority to fulfil its tasks or, in the case of sensitive data in the meaning of art. 9 GDPR, if this is ‘absolutely necessary’. Therewith, in theory, data protection law provides for a high degree of administrative flexibility, e. g. to cope with unforeseen situations like the Coronavirus pandemic. However, these provisions, referred to in German doctrine as ‘Generalklauseln’ (general clauses or ‘catch-all’-provisions in English), are hardly used, as legal orthodoxy assumes that they are too vague to form a sufficiently clear legal basis for public purpose processing under the strict terms of the German fundamental right to informational self-determination (art. 2‍(1), 1‍(1) German Basic Law). As this orthodoxy appears to be supported by case law of the German Constitutional Court, legislators have dutifully reacted by creating a plethora of sector specific laws and provisions to enable data processing by public authorities. As a consequence, German administrative data protection law has become highly detailed and confusing, even for legal experts, therewith betraying the very purpose of legal clarity and foreseeability that scholars intended to foster by requiring ever more detailed legal bases. In our paper, we examine the reasons that underlie the German ‘ban’ on using the ‘Generalklauseln’. We conclude that the reasons do not justify the ban in general, but only in specific areas and/or processing situations such as security and criminal law. Finally, we list several arguments that do speak in favour of a more ‘daring’ approach when it comes to using the ‘Generalklauseln’ for public purpose data processing.