Commentary

German Bundestag Passes New Data Retention Law

16 Oct 2015, published in Lawfare Blog

In December 2014, German Minister of Justice Heiko Maas issued a strongly worded tweet, complete with exclamation mark, stating that data retention laws violate the right to privacy and data protection, and that as a result, there should be neither German nor European legislation on this front. Ten months later, a new data retention law introduced by none other than the same Mr. Maas has passed the German Bundestag by a vote of 404 to 148. Maas, a social democrat, changed his tune following pressure from the Vice-Chancellor and leader of the Social Democratic Party, Sigmar Gabriel, who in the wake of the Charlie Hebdo attacks in January, began arguing for a new data retention policy.

The Vorratsdatenspeicherung law seeks to make law enforcement more effective in the face of increasingly pervasive information and communications technologies. Such agencies will be able to access the metadata of phone calls and internet connections of individuals that they are investigating on suspicion of “severe crimes,” such as murder or kidnapping.

This marks the German government’s second attempt to implement legislation on data retention. In 2010, the German Constitutional Court ruled that a former data retention law, which had been in place since 2007, violated Article 10 of the German Basic Law, which protects the privacy of correspondence, posts and telecommunications (BVerfGE 125, 260 [in German]). While the court pointed out that a data retention law per se is not irreconcilable with the constitution, it lamented the absence of standards for protection of data, the use of data, as well as transparency and legal protection. In a similar move in 2014, the European Court of Justice overturned the European Data Retention Directive because it “exceeded the limits imposed by compliance with the principle of proportionality” (Joined Cases C-293/12 and C-594/12).

As a result, telecom providers currently retain data only for business purposes – if a customer wishes to receive an itemized bill at the end of the month, for example. In the case of unlimited internet plans, data cannot be retained at all.

In contrast, the new bill will make changes to Section 113 of the German Telecommunications Act and require telecommunications providers to retain traffic data on phone calls and internet connections. More specifically, phone providers will now have to retain phone numbers, the date and time of phone calls and text messages, and, in the case of mobile phones, location (approximated through the identification of cell phone towers). Internet providers are required to save the IP addresses of users as well as the date and time of connections made.

The new bill does attempt to address the concerns previously raised by the courts. It reduces the time of retention (from six months to ten weeks), and it limits the cases in which data can be used by law enforcement by defining a list of “severe crimes” in a new paragraph in Germany’s code of criminal procedure. The content of communications, websites accessed and metadata of email traffic have been explicitly excluded. All data has to be retained on servers in Germany for 10 weeks, while location data will be saved for only four weeks (§113b).

In addressing concerns over the security of the data, the bill states that the data must be saved on air-gapped servers, must be encrypted, and can only be accessed if two authorized individuals are present (§113d). Investigators can only access the data with a court order, and if any data has been accessed, the time and purpose must be logged (§113e). After three years, the law will be evaluated by the federal government on the basis of its effectiveness, costs incurred and its compliance with data protection standards.

Criticism, but Not Just from Privacy Advocates

For some, the government has now gone too far in its attempt to address the objections raised by the courts. The criminal police union (BDK) sees “tremendous weaknesses” in the law and emphasizes that it does not address the reality of law enforcement work. First, they argue, police often learn about crimes several months after they have been committed, rendering a data retention of up to 10 weeks ineffective. In addition, they believe that the definition of “severe crimes” is too narrow: it does not include rape, stalking or extortion, offenses for which telecommunication data may be increasingly important from an investigative standpoint; the catalog also does not include cybercrimes like phishing, sextortion or the use of ransomware. According to the BDK, the law therefore does not go far enough and thus risks ineffectiveness.

Most of the criticism, however, is coming from observers on the other side of the spectrum, who argue that the new law creates legal uncertainty and curtails civil rights without any corresponding guarantee of effectiveness.

To start, civil rights groups have raised several legal concerns. First, the parliament’s own research service claimed that data on what Germans call Berufsgeheimnisträger – people whose communication deserves special protection because of their profession, such as doctors or lawyers – will also be collected (but may not be accessed by police). Second, the law introduces a new statutory offense of Datenhehlerei – receiving of and dealing with stolen data. The latter regulation may complicate the work of investigative journalists, if they want to publish documents they received from whistleblowers (who are likely to have passed them on illegally). While the work that journalists do “as part of their profession” is exempted from coverage by the law, it remains unclear how the work of bloggers or a journalist’s work in an honorary capacity will be treated. Third, Kai Biermann, a journalist at Die Zeit, pointed out that Germany’s intelligence agencies are already allowed to request information on individual IP addresses from telecommunication providers. As a result of the bill, however, providers will retain data for longer and intelligence agencies could have greater access to it. Fourth, even the European Commission joined the critics, emphasizing that the demand to retain data within Germany may not be compatible with regulations on the European Single Market. After all, a retention requirement would give German providers with existing infrastructure in Germany an advantage over competitors elsewhere in Europe, who may need to base servers in Germany in order to operate legally.

Beyond the legal, other critiques focus on a claimed mismatch between costs and benefits; the possible gains for law enforcement, the argument goes, do not justify such “massive interference into personal rights,” as Andrea Vosshoff, the federal commissioner of data protection, put it. After all, telecommunication data on all German citizens will be retained whether or not they are suspects of a crime, and the government has yet to provide concrete evidence that the bill will actually improve the effectiveness of law enforcement agencies. In fact, researchers at the Max Planck Institute published a study in 2012 questioning the effectiveness of data retention laws and argued that the benefits for solving crimes were likely to be minimal.

In the process of pushing the law through the parliament, the government also ignored that many Germans are in agreement that information technology is complicating police work, but that other, more tailored, less indiscriminate ways to conduct effective investigations should be discussed. In the section on alternatives, the bill simply reads “none.”

It now remains to be seen whether the law will actually pass constitutional muster. Various lawsuits have already been prepared to argue that it does not. Once the law has passed the parliament’s upper house in a few weeks – a vote seen as all but assured – the bill will be presented to the German president Joachim Gauck for signature. If he believes the law is unconstitutional, he could either decline to sign it, or sign it, but at the same time ask the German constitutional court to verify its compliance with German Basic Law. Upon signature, the legislation will enter into effect, which then, of course, would still leave the law open to subsequent court challenges.

Until then, Maas’ tweet will be trending in Germany, and the Minister of Justice will need to deal with the unfortunate irony that Germany passed a new data retention law just one week after the European Court of Justice struck down regulation “permitting the public authorities to have access on a generalized basis” because it “must be regarded as compromising the essence of the fundamental right to respect for private life.” While the Safe Harbor judgment explicitly referred to the content of communications, the argument regarding metadata will likely be brought up soon.

This op-ed originally appeared in Lawfare on October 16, 2015.