The Richtervorbehalt requires a judge.
There is a route that does not.
Private parking enforcement firms photograph every vehicle that enters a supervised car park. A camera at entry, a camera at exit. Software calculates duration.
The firm has location and time. It does not have a name.
To get the name, it queries the Kraftfahrtbundesamt under "berechtigtes Interesse" — legitimate interest. The authority is required to respond. In 2024, parking enforcement firms submitted nearly four million such queries.
The firm's revenue does not depend on parking management. It depends on the fine. One regional director described a daily target of 400 tickets. Penalty demands routinely exceed what courts have considered reasonable by a factor of three. The movement data is a secondary product. Both are sold.
A police investigation can also query the KBA. It can establish who owns a plate. What it cannot do, without a court order, is obtain records of where that person was and when. Location surveillance requires judicial authorisation. That is what the Richtervorbehalt is for.
The parking firm has the location. The KBA has the record. The parking firm queries the KBA and holds both.
The data was obtained legally. A movement record was assembled. The parking company's interest was enforcing its terms. The record exists regardless.
Police investigations can purchase that record from commercial data brokers. They can also purchase location data assembled from smartphone applications — records of where a handset was, and when, drawn from apps that collected it for advertising. Under EU law, selling location data without explicit user consent is prohibited. The brokers sell it regardless.
No warrant is required for either transaction. Both are commercial.
This week, BR and netzpolitik.org reported that at least two Landeskriminalämter had done exactly this. The LKA Mecklenburg-Vorpommern confirmed use of commercial location data for active investigations, describing it as limited and historical. Nine Landeskriminalämter declined to answer on grounds of operational secrecy.
Mark Zöller, professor of criminal law and digitalisation at LMU München: "Wer das im Moment macht, handelt ohne gesetzliche Grundlage."
He described a pattern: law enforcement identifies a new technical capability and adopts it before the legislative framework catches up.
The sequence is straightforward.
The Kraftfahrtbundesamt holds vehicle registration data on behalf of the public. The public funds it. A private firm requests the data under commercial law. The public funds that transaction too — the authority processes the query. The private firm assembles a movement profile. The police purchase the profile with public funds. The police now hold data they could not have obtained without a judge.
Public money enters the state. It exits through a parking enforcement firm. It returns as evidence.
The Richtervorbehalt was not repealed.
It was repriced.
The European Commission published an age verification application in April, described as privacy-preserving and ready. The Prompt reported on it. A security consultant bypassed it in under two minutes. The Commission said the issue was fixed.
The European Parliament voted the same month to establish mandatory microchip registration for all cats and dogs in the EU. The Prompt has written about that too. The transition period for privately kept cats is fifteen years.
The infrastructure described in this article carried none of those announcements. It was not described as privacy-preserving. It required no Commission launch. It was not subject to a transition period. It has been operational since at least 2024.
It was not built for cats.
By E. Halberd Filed from Sussex.
Sources: BR / netzpolitik.org (LKA location data, 2 June 2026); Kraftfahrtbundesamt (query volume, via ARD, 30 May 2026); Mark Zöller, LMU München (interview via BR, June 2026). Minden station incident previously reported, May 2026.