The Federal Commissioner for Data Protection and Freedom of Information


Data retention

Data retention, which has always been a matter of controversial discussion, is currently suspended in Germany. At German and European level, however, its re-introduction is constantly being discussed. Data retention is and has been the subject of various legal proceedings.


The so-called data retention obliges providers of publicly available telecommunications and internet services to store traffic data (i.e. information documenting who has telephoned with whom, when and for how long) for later use for a legally prescribed period of time and – if necessary – to make them available to law enforcement authorities, intelligence services or authorities entrusted with security tasks.

Data retention has been the subject of several legal proceedings. The European Court of Justice (ECJ) has laid out clear guidelines and limits in groundbreaking decisions. After the German act implementing the EU Directive on Data Retention had already been invalidated by the Federal Constitutional Court in 2010, the ECJ also declared the 2006 EU Directive null and void in 2014. Moreover, in 2016, it made clear that a national law providing for the comprehensive retention, without reasonable cause, of all traffic and location data of all subscribers and registered users in relation to all electronic means of communication is incompatible with the provisions of Articles 7, 8 and 11 of the EU Charter of Fundamental Rights. Such rules would be contrary to the fundamental rights of respect for private life and communication, protection of personal data and freedom of expression and information.


The current Telecommunications Act (in German) continues to contain data retention in Sections 176 to 180. According to this, in Germany, telecommunications service providers are obliged to store location data for four weeks and accurately specified traffic data generated by telecommunications for ten weeks, and they are required to make these data available to law enforcement authorities on request.

Due to pending legal proceedings, the Federal Network Agency already declared in 2017 that the retention of data provided for in the law would be suspended.

The ECJ judgment of 20 September 2022

By judgment of 20 September 2022 (C-793/19 SpaceNet and C-794/19 Telekom Deutschland), the European Court of Justice (ECJ) again made it perfectly clear that the groundless retention of traffic and location data provided for in German law is incompatible with European law. The BfDI welcomes this decision, because general and indiscriminate data retention represents a significant infringement of fundamental rights. It is correct that citizens' data should not be stored generally, but only specifically or in order to protect particularly outstanding objects of legal protection, such as national security.

Current discussion on the (re)introduction of data retention in Germany

The limits of what is legally possible have again been clearly outlined in the ECJ ruling. They should be a yardstick for the upcoming legislative initiatives. The BfDI advocates that the given corridor should be used in the best possible way with respect for fundamental rights. It is true that the ECJ did not, per se, object to a general and indiscriminate retention of IP addresses limited to what is absolutely necessary.

From the BfDI’s point of view, the question of what measure is absolutely necessary can only be settled by a comprehensive, independent evaluation, the so-called overall account of surveillance. In addition, it is important to take into account the considerable crime clearance rates that the law enforcement authorities have achieved so far, because fortunately, even without groundless data retention, it is usually already possible today to identify perpetrators on the Internet.
Anyone demanding new powers to store data that are too broad, too general or too arbitrary remains exposed to the risk of failing before the ECJ at the latest.

In the course of a new legal regulation, a so-called “quick freeze” procedure is currently being discussed. From the BfDI’s point of view, “quick freeze” offers a good balance between data protection and effective law enforcement. This is a two-stage procedure. In the first step, if a specific criminal offense is suspected, investigating authorities can require telecommunications providers not to carry out the routine deletion of data on a specific customer and to store these data together with data generated in the future ("freeze"). In a second step, the investigating authorities can request the data to be released if the suspicion is confirmed and if the data are relevant to the investigation. Both steps should require a court order.