For her clients’ sake, she’s used to being cautious on the phone. “When I talk on the phone I always think, maybe I’m not alone,” she says. That self-consciousness even extends to phone calls with her mother. But when Hamburg passed new legislation in 2019 allowing police to use data analytics software built by the CIA-backed company Palantir, she feared she could be pulled further into the big data dragnet. A feature of Palantir’s Gotham platform allows police to map networks of phone contacts, placing people like Eder—who are connected to alleged criminals but are not criminals themselves—effectively under surveillance. “I thought, this is the next step in police trying to get more possibilities to observe people without any concrete evidence linking them to a crime,” Eder says. So she decided to become one of 11 claimants trying to get the Hamburg law annulled. Yesterday, they succeeded. A top German court ruled the Hamburg law unconstitutional and issued strict guidelines for the first time about how automatic data analysis tools like Palantir’s can be used by police, and it warned against the inclusion of data belonging to bystanders, such as witnesses or lawyers like Eder. The ruling said that the Hamburg law, and a similar law in Hesse, “allow police, with just one click, to create comprehensive profiles of persons, groups, and circles,” without differentiating between suspected criminals and people who are connected to them. The decision did not ban Palantir’s Gotham tool but limited the way police can use it. “Eder’s risk of being flagged or having her data processed by Palantir will now be dramatically reduced,” says Bijan Moini, head of legal of the Berlin-based Society for Civil Rights (GFF), which brought the case to court. Although Palantir was not the ruling’s target, the decision still dealt a blow to the 19-year-old company’s police ambitions in Europe’s biggest market. Cofounded by billionaire Peter Thiel, who remains the chairman, Palantir helps police clients connect disparate databases and pull huge amounts of people’s data into an accessible well of information. But the guidance issued by Germany’s court can influence similar decisions across the rest of the European Union, says Sebastian Golla, assistant professor for criminology at Ruhr University Bochum, who wrote the complaint against Hamburg’s Palantir law. “I think this will have a bigger impact than just in Germany.” That example did not persuade the court that people who are not suspected criminals should be exposed to this software. Almost all these types of systems collect information about innocent people within their databases, says Andrew Guthrie Ferguson, professor of law at Washington College of Law and author of the book The Rise of Big Data Policing. “The linkages are broad and deep and create a web of associational suspicion. That’s their power and their danger. Any country trying to build data-driven surveillance systems is going to run into the over-collection problem.” The court decision in Germany affects Hamburg, which was about to start using Palantir and now cannot use the company’s software until it rewrites its rules governing the way police analyze big data. Hesse, which has been using Palantir software since 2017, can keep using the platform under strict conditions but must rewrite its local legislation by September. In other states not directly implicated in the decision, political pressure is growing to cut ties with the company. “The system must NOT be used in Bavaria,” Horst Arnold, a member of Social Democratic Party, said on Twitter. “We would like to point out again that constitutional institutions should not blindly resort to error-prone technologies made by questionable IT companies,” said Green MPs Misbah Khan and Konstantin von Notz. Palantir, which reached annual profitability for the first time this week, is struggling to replicate its US successes in Europe. “Some countries, particularly in continental Europe, including Germany, have fallen behind the United States in their willingness and ability to implement enterprise software systems that challenge existing habits and modes of operation,” Alex Karp, Palantir’s CEO, said in a letter to shareholders in November 2022. Despite this, Palantir says it is happy with the court decision. “We welcome the German Federal Constitutional Court’s efforts to provide clarity on the circumstances and ways in which police authorities can process their lawfully collected data to help keep people safe,” says Paula Cipierre, head of privacy and public policy in Palantir’s Berlin office. “Thanks to its high configurability, Palantir software can be flexibly adapted to new legal conditions.” But the ruling introduces barriers into the way Palantir works. “The state has to make clear what parts of the operating system or what functions they want to use in advance,” says Golla. This will also drag Palantir’s police features out into the open—because police forces will have to publish legislation detailing what they are before they use them. For Eder, the ruling is a victory, not just for herself but also for the privacy of her clients. She has clients who have been linked to groups like the PKK, “but I also have a lot of just normal people who have a criminal case one time in their life,” she says.