The German law on the so-called data retention is likely to violate European law and must be revised. This follows from a ruling by the European Court of Justice (ECJ). Although the decision from Luxembourg is not formally directed against Germany, further proceedings are pending. Rather, it was triggered by lawsuits against British, French and Belgian laws, according to which telecommunications providers are obliged to store connection and location data.
With its ruling, the ECJ made it clear – as it did in a landmark ruling from 2016 – that a “general and indiscriminate” storage obligation is not compatible with the data protection directive for electronic communications and the EU Charter of Fundamental Rights.
The German regulation of 2015 – which was suspended after the 2016 ruling – was rather cautious with regard to the storage periods. Connection data should be saved for ten weeks, location data for four weeks; data about e-mails and accessed websites were not recorded at all. However, the storage obligation applies to the data of all citizens without this having given cause. However, according to the ECJ, such “unprovoked” storage is fundamentally prohibited. Germany must now withdraw the law immediately, demanded the Green MPs Konstantin von Notz and Tabea Rößner.
At the same time, after massive criticism of its very privacy-friendly line, the highest EU court is taking a step towards the security authorities. Member States may stipulate storage obligations for certain dangerous situations, such as a terrorist situation. If a serious threat to national security is “current, real and foreseeable”, then exceptions to the confidentiality of electronic communications are allowed. However, the storage obligation must be limited in time to what is absolutely necessary – although the ECJ considers an extension to be permissible for persistent threats. According to the judgment, targeted storage is also possible, for example for certain groups of people such as so-called threats, but also according to regional criteria; the court is evidently thinking of security-relevant places like airports. It should be possible for such measures to be reviewed by a court or other independent body.
Another exception should be possible for a specific group of IP addresses. This is intended to facilitate the fight against child pornography, a demand that in the past few weeks in Germany had raised calls for a new version of data retention. It was raised not only in the Union, but also in substantial parts of the SPD. The Bavarian Justice Minister Georg Eisenreich (CSU) is now calling on the Federal Justice Minister to use the leeway that the judgment leaves when storing IP addresses for a new regulation.