The Federal Commissioner for Data Protection and Freedom of Information

Navigation and service

Data retention

Data retention, which has always been a matter of controversial discussion, is currently suspended in Germany. At the German and the European level, however, its re-introduction is constantly being discussed. Data retention is and has been the subject of various legal proceedings.

many servers are shown with cables plugged in
Source: Adobe Stock

The so-called data retention obliges providers of publicly accessible telecommunications and Internet services to store traffic data (i.e. information documenting who has telephoned to whom, when and how long) over a statutory period of time and to make these available – if necessary – to law enforcement authorities, intelligence services or authorities entrusted with threat prevention tasks.

After the German implementation act of the EU Directive on Data Retention was invalidated by the Federal Constitutional Court in 2010, the European Court of Justice (ECJ) also declared the 2006 EU Directive null and void in 2014.

In December 2015, however, the German legislator adopted a "Law on the introduction of a storage obligation and a maximum storage period for traffic data”, which reintroduced data retention with a reduced storage period (cf. maximum storage period for traffic data). Furthermore, the law improved data security, refrained from storing e-mails and provided for an exploitation ban of data from persons bound by professional secrecy. In addition to the German legislator, other EU Member States also passed laws reintroducing data retention.

The judgment of the European Court of Justice (ECJ) of 2016

At the end of 2016, the ECJ had to deal again with the issue of data retention. Specifically, the question was whether national data retention rules from Sweden and the United Kingdom, whose regulations were essentially in line with the invalidated Data Retention Directive, were compatible with the European Charter of Fundamental Rights. By judgment of 21 December 2016, in the legal case Tele 2 Sverige AB and Watson, the Court confirmed its position taken in 2014 and further stated that even a national law providing for the comprehensive, groundless retention of all traffic and location data of all subscribers and registered users with regard to all electronic means of communication is incompatible with the requirements of Articles 7, 8 and 11 of the EU Charter of Fundamental Rights. Therefore, these rules are contrary to fundamental rights of respect for private life and communication, protection of personal data, freedom of expression and freedom of information.

Judgments of the Higher Administrative Court of Münster and of the Administrative Court of Cologne

Even if the judgments of the ECJ have no direct impact on the German Data Retention Act, the opponents of data retention feel confirmed in their view that the current regulations constitute a disproportionate interference with data subjects’ rights. Accordingly, several constitutional complaints against the Act are currently pending before the Federal Constitutional Court (BVerfG). Moreover, in proceedings for interim legal protection before the Higher Administrative Court of Münster, a telecommunications (TK) provider has reached a provisional exemption from the storage obligation. In response to this decision of 22 June 2017, the Federal Network Agency (BNetzA) has declared that in relation to supervisory requirements, it does not want to hold accountable any telecommunications providers that do not already comply with the storage obligation from 01 July 2017 onwards until a final clarification in the proceedings on the merits has been reached (see BSI_traffic data retention). In response to this announcement, almost all telecommunications providers have not yet implemented data retention. By judgment of 20 April 2018, the Administrative Court of Cologne followed the case law of the Higher Administrative Court of Münster. The Administrative Court stated that the plaintiff – a telecommunications service provider – is not obliged to store the telecommunications connection data of its customers in the context of data retention because the legal provisions are incompatible with Union law.

Current legislative projects specify that the retention of data previously stipulated in Sections 113b to 113f of the Telecommunications Act (TKG) will continue as far as possible. According to this, within Germany, telecommunications service providers are obliged to store location data for four weeks and accurately specified traffic data generated by telecommunications for ten weeks, and they are required to make these data available to law enforcement authorities on request.

Recently, the Federal Minister of the Interior has often strongly advocated the extension of storage periods to six months. The BfDI and the Federal Ministry of Justice (BMJ) view these proposed amendments critically, particularly in the light of the following judgment:

The ECJ judgment of 2020

At the end of 2020, the European Court of Justice ruled again on data retention. On the submission of courts from France, Belgium and the United Kingdom, the ECJ declared once again in its judgment of 06 October 2020 that the groundless and blanket retention of traffic and location data documenting who has made a phone call to whom, when, for how long and from where the phone call has taken place, is incompatible with European law. At the same time, the ECJ clarified that data retention is still possible under certain conditions in order to prevent serious criminal offences and to ensure national security. However, the respective national order for storage must be limited in time and subject to an effective review by a court or an independent administrative authority. In addition, the national legislator is now free to store without reasonable cause IP addresses assigned to a participant.

Of course, the BfDI will continue to closely accompany this issue. Should the BVerfG confirm the regulations on data retention, the BfDI will monitor compliance with data protection regulations in the practical implementation of data retention during verification visits. This also corresponds to the BfDI’s previous control practice with regard to companies implementing the requirements on data retention despite the suspension of supervisory measures by the BNetzA.