Please enable javascript in your browser to view this site

German Constitutional Court rules data retention rules unconstitutional

The Court found the current rules lack proportionality, and will mean the German Telecommunications Act needs revisiting.

Operators have to hand over data to public authorities: The German Telecommunications Act includes provisions under which telecoms operators are required to hand over information about their subscribers to public authorities, for investigations carried out by the Federal Criminal Police Office (Bundeskriminalamt), the Federal Police (Bundespolizei) and the Federal Office for the Protection of the Constitution (Bundesamt fur Verfassungsschutz). The information may include IP addresses, among other identifiers, and customers’ personal data held by operators as part of the contract. 

The rules lack proportionality: On 17 July 2020, following a complaint moved by associations of telecoms and internet services subscribers, the Federal Court ruled Article 113 the Telecommunications Act to be unconstitutional, alongside other laws that govern public authorities’ access to subscriber data. The Court found that these rules are in conflict with the right to privacy enshrined in the Constitution. The court stated that, in principle, law enforcement officials should be able to use such data; however, the law must ensure it happens in a proportionate way, and adequately limit the purposes for which this is done. In particular, these powers should be related to a specific danger in individual cases, when there is an initial suspicion of criminal conduct as part of an investigation. If they do not relate to a specific danger, the legislator should ensure these powers are used to protect very significant legal interests. For the most part, the Court found that the challenged provisions did not satisfy these requirements.

Data retention rules are on shaky ground: As a result of the Court’s ruling, the German government will need to review the Telecommunications Act. It is worth noting that data retention rules in the EU are left to individual countries, after the European Courts of Justice struck down the Data Retention Directive in 2014 – something which has created legal uncertainty surrounding the matter.