Data retention: German regulation violates EU law – ECJ ruling

Indiscriminate storage of IP addresses, location and connection data of all users, as anchored in the German Telecommunications Act, is contrary to European law. This was announced by the European Court of Justice (ECJ) on Tuesday.

The storage obligation for Telecommunications provider has not been enforced by the Federal Network Agency since 2017 anyway.

The ECJ confirmed with the judgment its previous case law. According to the court’s press release, EU law conflicts with national provisions »which prevent serious crime and prevent serious threats to public security provide for general and indiscriminate retention of traffic and location data«. Only when there is a threat to national

security is indiscriminate storage legal, but even then only after a judicial decision permission and with the time limit »to what is absolutely necessary«.

Less strict restrictions apply to the targeted storage of data, i.e. that of specific people or from a specific environment.

For the storage of IP addresses: “General and indiscriminate retention of IP addresses” is legal provided it is limited in time to what is absolutely necessary and serves to protect national security, fight serious crime and prevent serious threats to public safety.

How do politicians react?

Minister of Justice Marco Buschmann (FDP) tweeted : »A good day for civil rights! The ECJ has confirmed in a historic judgment: The #data retention without cause in Germany is illegal. We will now quickly and finally remove data retention without cause from the law.«

Jens Zimmermann, digital policy spokesman for the SPD parliamentary group, was less clear: »#ECJ sticks to his line to #VDS Now it’s time to evaluate the verdict. Coalition agreement provides roadmap,” he wrote on Twitter.

Konstantin von Notz, Deputy Group Chairman of the Greens, and Helge Limburg, spokesman for legal policy said: »Data retention belongs on the dump of history. In their coalition agreement, after intensive debates, the traffic lights agreed crystal clear that they would no longer monitor the population without cause in the future, but instead would ward off dangers in a targeted manner and pursue a security policy based on fundamental rights and the rule of law. We stand by this. We see neither legal nor political scope for a new edition of data retention – of whatever kind.«

What is retained data?

The German Telecommunications Act obliges Internet providers and telephone providers to record and store so-called traffic data from all customers. This should make it possible for investigators to understand who communicated with whom by telephone and when, or surfed the Internet with which IP address. It should also be saved which device was logged into which mobile radio cell for how long. This location data should be kept for four weeks, connection data for ten weeks.

Who complained?

The starting point is the lawsuits by the provider SpaceNet and Deutsche Telekom from 2016. The Administrative Court of Cologne had decided that the two companies were not obliged to retain data. The Federal Network Agency even suspended enforcement of the regulation altogether, so no provider has to store traffic data. But 2019 the Federal Administrative Court submitted the question of compatibility with EU law to the ECJ as part of the revision .

Is the verdict unexpected?

No. Already 2000 the ECJ found the then EU directive on data retention to be disproportionate and incompatible with the explained fundamental rights. In further judgments by 2014, by 2020 and from April this year, the court reiterated its position that storage of communication data without cause violates EU law and that there is little scope for exceptions, for example for a limited period of time in the event of a threat to national security or the targeted storage of data from a sensitive location such as an airport.

What is the federal government planning now ?

Federal Minister of the Interior Nancy Faeser (SPD) is pushing for at least storing IP addresses to combat child abuse in order to identify online users to be able to Greens and FDP, however, refer to the coalition agreement and categorically reject data retention without cause

away. The Liberals propose the “quick freeze” procedure as an alternative. Data would only be backed up here if there was a concrete suspicion and by order of a judge. However, the Ministry of the Interior does not consider the procedure to be practical.


How could the Quick Freeze process work?

Ultimately, telecommunications providers such as Telefónica, Vodafone and Deutsche Telekom would have to save. “We welcome the fact that there is finally legal certainty for our employees,” Telekom spokesman Husam Azrak told SPIEGEL. So far, they have been moving in uncertain territory: either they have stored too little and thus not met the six-month storage period required by German law; or too much – with which they could have made themselves punishable under the telecommunications and telecommunications secrecy.

Should the traffic light government decide in favor of a quick freeze regulation, the provider is prepared for it and could start immediately, so the spokesman. In concrete terms, this is how it would work: if there is a specific reason, an authorized investigative authority would request a “quick freeze” of the available data on a suspect from the responsible Telekom department. This could be his telephone connection data, IP addresses, but also movement data – which are each kept for different lengths of time, with IP addresses it is ten days. The secured data would then not be released to the investigators immediately, but only after a judicial decision, which in turn would be checked again by Telekom lawyers.

What does data retention bring to criminal prosecution anyway?

Against perpetrators, for example, who record child abuse without concealment techniques Sharing online platforms, data retention could help in some cases. In any case, data retention does not help against serious cases of sexual violence against children – partly because the perpetrators use the anonymous Darknet. They do not leave an IP address for investigators to ask an Internet provider for an address. Prosecutors have explained to SPIEGEL that they consider data retention to be less relevant to their work than the exhaustion of existing and new investigative methods.

Related Articles

Back to top button