FAQ
Status: 09/20/2022 02:19 am
The ECJ is today ruling on the German law on data retention, which has been on hold for a long time. It will probably rekindle the discussion as to whether and how there could be a new regulation.
How does “data retention” work?
In the case of data retention, the so-called connection data saved (Step 1). For example: who called whom, when, for how long, and from which location; who wrote an email to whom; with which IP address was I surfing the Internet for how long? The saving happens without a specific reason. The content of the communication, i.e. what was specifically spoken or written, is not saved.
The storage obligation affects the private telecommunications companies. The data should then be available on their servers for a limited period of time, namely for the access of the state authorities on the data (step 2). Access at a later point in time may only take place under certain conditions, for example to be able to solve serious crimes. This is why one speaks of storage “in reserve”.
Investigators argue that they need data retention in order to be able to effectively investigate depictions of sexualized violence against children or suspected terrorism online. Critics of data retention doubt its usefulness and see a disproportionate interference with the fundamental rights of all citizens.
What exactly does the German law regulate?
The telephone numbers of a connected call, the start and end times of telephone calls and Internet use and the Internet Protocol (IP) addresses are to be stored for ten weeks; certain location data for four weeks.
The competent authorities may only access the stored data to prosecute particularly serious criminal offenses or to avert a specific threat to life, limb or freedom of a person or to the existence of the federal or state government. The hurdles for accessing the stored IP addresses are not quite as high.
Why has the German law been on hold for five years?
There has been a long political and legal dispute surrounding data retention. The original regulation in Germany was overturned by the Federal Constitutional Court in 2010. Karlsruhe approved the “storage” (step 1), but demanded higher hurdles for access to the data (step 2).
On this basis, the grand coalition passed a new law in 2015. Shortly before the storage obligation was due to begin in 2017, the Higher Administrative Court (OVG) in Münster criticized the new law because it violated EU fundamental rights. Since then, the Federal Network Agency has not enforced the storage obligation, the law is on hold and has never been applied.
The OVG Münster referred to a new judgment of the European Court of Justice (ECJ) in Luxembourg. Because the ECJ had objected to a law from another EU state in 2016 and set up strict legal hurdles. According to the Münster Higher Administrative Court at the time, these principles should also be applied to the new German law.
Why is the ECJ now examining the German law?
Now the German law of 2015 has landed before the ECJ via a submission by the German courts. Two German telecommunications companies, Telekom and SpaceNet, have sued. They do not want to be legally obliged to store certain connection data of their customers.
What has the ECJ criticized so far about data retention laws?
In a landmark judgment on the law in Sweden, the ECJ ruled in 2016: A general and indiscriminate storage of all retained data without a specific reason is not compatible with EU fundamental rights. Step 1 is therefore not permissible.
In a judgment from 2020 on national laws from Belgium and France, among others, the ECJ confirmed this principle. But: He allowed certain exceptions when saving and was no longer quite as strict as before. Allowed is:
- The storage of connection and location data is limited to certain groups of people or certain locations, such as crime hotspots such as train stations or airports
- Temporary storage when there is a threat to national security, i.e. in the event of an acute threat of terrorism.
- Storage of the IP addresses of users who have put something online without cause.
Under certain conditions, investigators are then allowed to access this stored data.
Could there be a new law in Germany?
Legally, that depends on the content of the judgment. If the ECJ continues to follow its current line, the German law in its current form would violate EU law. But a narrowly worded new law would then be legally possible. It could legislate on the exceptionally permissible storage (if national security is threatened; specific people or locations; storage of IP addresses) according to the ECJ.
The controversial question, however, is whether politically is wanted in the traffic light coalition. In the coalition agreement, it was agreed that the traffic light coalition would wait for the ECJ ruling. According to this, one wants to “design regulations on data retention in such a way that data can be stored legally and on a case-by-case basis and by judicial decision”.
Federal Minister of the Interior Faeser has already said that, in her view, limited data retention is an important tool in the fight against depictions of sexualized violence against children on the Internet. It would be important to generally save the IP addresses for this. The Greens and the FDP have already expressed negative views on this.
A possible alternative to data retention is the so-called “Quick Freeze” procedure, which has been proposed by the FDP for a long time. Investigators could only “freeze” certain data on the occasion of a specific crime with judicial approval and access it later. It is currently unclear whether there will be a new regulation overall and what exactly it will look like.