New German Data Retention Law: Retention Obligations for Providers of Publicly Available Telecommunications and Internet Access Services

By Dr. Jan Geert Meents, Dr. Thomas Jansen and Dr. Reka Hatala

Today the German Bundestag passed a highly disputed law on the retention of personal data. 404 out of 559 MEPs voted for the bill pursuant to which German providers of publicly available telecommunication and internet access services must store call detail records (CDR) for a period of ten weeks irrespective of any suspicious facts. In case of text messages not only CDRs but also the content of the text messages will be saved for technical reasons. Also, IP addresses and port numbers are to be saved.

This is not the first time that Germany introduced a bill about preserving CDRs. The EU´s Data Retention Directive, which the European Court of Justice declared void in 2014 because the means of surveillance were too far reaching, first was implemented in Germany in 2007. However, in 2010 the German Federal Constitutional Court declared the implementing bill invalid. The reasoning indicated that the implementing bill did not foresee concrete measures for data security and that the hurdles regarding access of state bodies to the data were too low. The courts also feared that the European directive and the German bill respectively could open doors for misuse of the preserved data.

Today’s discussion in the German Bundestag was naturally very controversial. MEPs who did not consent to this bill argued that passing it would put the entire German nation under suspicion. This law would go further than what George Orwell envisaged in “1984”.

On the other hand, government representatives argued that considering the interests of the civilization, this law would strengthen both justice and security. It would provide additional instruments to help solve serious crimes. It was further pointed out that the bill was the result of a careful weighting between the conflicting interests of all parties and that the law would meet all requirements set by the previous court decisions.

Fact is, that in contrary to the earlier bill, less data will be stored and for a shorter period under the new bill. Furthermore, although the storage affects each participant of the communication, state bodies can only access the data in specified cases, i.e., to prosecute serious crimes and with the permission of a judge. The data should be stored on servers in Germany. The bill further sets out requirements that the telecommunications and internet service providers must fulfill to ensure the security of the stored data.

The new law enters into force as of the day following the official announcement of the bill. Opponents to this bill immediately announced that they will file a constitutional complaint against it.