Update on 2022-09-26
The European Court of Justice (ECJ) has just issued an amazing ruling on data retention: Your telephone and online communication data must not be stored without cause, which makes data retention illegal in Germany - and consequently in the whole of Europe. The ruling comes after a lawsuit issued by German telecommunication providers Deutsche Telekom and SpaceNet. This decision - again - confirms the path of the new German government of SPD, Grüne and FDP, who in their coalition agreement have already decided to abolish data retention.
No data retention in Germany
"I reject data retention without any reason and would like to remove it from the law once and for all. It violates fundamental rights. If everyone has to expect that a lot about their communications will be stored without cause, then no one will feel free anymore", said the Federal Minister of Justice in an interview with the Funke Mediengruppe.
"That's why [German] courts have repeatedly stopped the use of data retention without a specific reason."
Abolish German data retention law
Finally, Marco Buschmann, the new Federal Minister of Justice, wants to abolish a surveillance instrument that has been controversial in Germany for years.
At the moment provisions for data retention for several weeks are also included in the recently amended German Telecommunications Act, but are currently suspended due to decisions by administrative courts. The European Court of Justice (ECJ) has repeatedly declared that logging telephone and Internet data without distinction is incompatible with the fundamental privacy rights guaranteed in the EU.
Data storage only after judicial order
Buschmann therefore advocates the quick-freeze procedure, in which providers would have to virtually freeze connection and location data at the instigation of law enforcement.
In order to strengthen civil rights, Buschmann proposes that data should only be stored "if there is a suspicion that serious crimes have been committed". Telecommunications providers should quickly secure these "if there is a concrete reason to do so based on a court order," "so that the police and public prosecutor's office can then evaluate them" - but not in advance and in general, so not without any criminal investigation.
The new proposal would, thus, only affect certain individuals and should "only be possible in the case of suspicion of the existence of serious crimes".
Buschmann argued that his proposal was more in line with the rule of law and would, thus, "be a gain for freedom and security at the same time".
He also said that one of his main aims is to strengthen civil rights. To achieve this, he wants to launch an independent evaluation of German surveillance laws. Together with his new colleague in the Federal Ministry of the Interior, Nancy Faeser (SPD), it has been agreed that the numerous existing security laws will be evaluated independently and scientifically during this election period.
It looks like for the first time in a long time, we now have a government that actually plans to strengthen civil rights, including online security and privacy. As a privacy-first email service, this is great new for us - and for Germany as a whole.
History of data retention in Germany
In Germany, the recent history of data retention can be best described by a zigzag course: Politicians repeatedly passed data retention laws, and the German High Court repeatedly declared these laws as invalid arguing that such extensive surveillance measures would infringe the constitutional right to privacy of all citizens.
What is currently being stored?
At its core, data retention is about collecting data that provides insight into when who contacted whom, from where, and in what form.
In Germany, the data retention law passed in October 2015 - in theory - requires telecommunications service providers such as Telekom or Telefónica to store location data, IP addresses and call lists (including phone numbers, duration and call time) on a regular basis and for each person for several weeks, and to hand them over to public authorities such as the police and public prosecutors, the Office for the Protection of the Constitution, the Federal Intelligence Service, etc. upon justified requests.
However, as the most recent law has been suspended by German courts as it violates EU law. As a result, the Federal Network Agency is refraining from issuing orders and instituting fine proceedings for failure to implement the retention obligation.
A decision from the European Court of Justice (ECJ) on the German data retention law is still pending.
Currently, for instance, the Deutsche Telekom retains IP addresses, i.e., the addresses of users on the Internet, for only one week for billing purposes. German data retention law would allow keeping of the data for ten weeks. But this regulation has been on hold for four years because the responsible Federal Network Agency suspended it following the mentioned court ruling.
Legal battle had been predicted
This legal battle over the German data retention law had been predicted by data protection experts even before the law had been passed by politicians back in 2015.
To prevent this, politicians had excluded email as a very private form of communication from this law. This meant that email providers such as Tutanota had never been forced to comply with the German data retention law.
However, the plan of the politicians that by excluding data retention on emails the law would not be questioned by the courts did not work out as expected. It was not understandable - neither to citizens nor to the courts - how communicating via phone or text message should in any case be considered as less private; consequently we now have the still ongoing legal battle.
The discussion on a European level is very similar to what is happening in Germany right now.
For instance, Moritz Körner, a member of the European Parliament for the Free Democratic Party (FDP), thinks it's time to put an end to the currently required data retention obligations:
"In recent years, the EU Commission and the member states have repeatedly failed before the European Court of Justice and have not managed to adopt a legally secure form of data retention. That's why there needs to be a rethink in security policy, away from data retention without any specific reasons."
Today, a new government (SPD, Grüne, FDP) is in power in Germany, and it looks like the new governments wants to set things right and end this legal controversy once and for all.
The plan by the current government to review the German data retention law and to update it in way that it respects civil rights and the citizen's right to privacy is a very promising outlook for Germany.