Even before the parliamentary summer recess starting on 4 July, the German government wants to push a national law on data retention through the German Bundestag. After the Ministry of Justice presented so-called guidelines in mid-April, and a complete draft law only a month later, the Parliament is now supposed to debate and pass this legal instrument within only a month.
The retention of metadata from electronic communications has been on the political agenda throughout Europe for many years now. After the EU had passed a Directive on data retention, Germany first introduced a national law that forced telecommunication providers to store metadata from electronic communications in 2008. Two years later, the German Federal Constitutional Court (FCC) came to the conclusion that this law violated fundamental rights, and therefore declared it null and void. A decision from the Court of Justice of the European Union (CJEU) followed in 2014, rescinding the EU Directive entirely. While the European Commission, for the time being, has refrained from making another attempt at introducing a Directive, the German government is still hell-bent on bringing a national law on data retention into effect.
The Ministry of Justice is trying to sell its draft law as a “well-balanced compromise between freedom and security“ which meets all the requirements set by both the FCC and the CJEU. In the draft, storage periods have been reduced to ten weeks for traffic data and four weeks for location data. Metadata on e-mails will not be collected at all and government authorities will always need a court order allowing them to access the data. Civil rights groups, academia and even parts of the Social Democrats (who form the governing “great coalition“ together with the Conservatives) beg to differ, though.
Until today neither the European Commission nor any government of an EU Member State has been able to present evidence or even indications for the effectiveness of data retention in combating terrorism or serious crime. In fact, all of the studies examining the effects of data retention on the prevention and prosecution of such offences have found that it does not lead to higher clearance rates. This is an important aspect, because every infringement of a fundamental right must be necessary and proportionate in order to be legal under international law – and a measure that does not even have a measurable effect towards the goal of the legislation can never be necessary.
The undifferentiated character of the planned data retention is the draft’s next fundamental flaw. According to the CJEU, one of the main faults of the EU Directive on data retention was the fact that it demanded storing the metadata of everyone, in the absence of a concrete suspicion of any wrongdoing or any other criterion that would limit the scope of the data collection. Even though e-mails have now been excluded from the German draft law, it still orders telecommunications providers to stockpile traffic and location data without any specific preconditions.
Another problem with the proposal is the planned protection of people with a duty for professional secrecy. While clerical and social institutions as well as government authorities in these fields are entirely exempt from the collection of metadata, traffic and location data of other professionals who equally depend upon confidentiality (like lawyers, doctors, pharmacists, psychotherapists, tax consultants and journalists) will be stored. The draft law nonetheless forbids government authorities to access this data. Apart from the fact that it defies logic to store data for the purpose of not using it later, this approach puts highly sensitive personal data at the risk of being stolen and abused by criminals and intelligence agencies. The fact that this already happened in the UK shows that this is not a just a hypothetical risk.
More importantly, this approach also violates the principles of equal treatment and legal certainty laid down in the German Constitution. There is no objective reason to consider the communications of clerical and social institutions worthier of protection than those of lawyers and doctors, rendering this differentiation entirely arbitrary. Also, it remains unclear how the protection is supposed to work in practice. There is no obvious non-intrusive way to manage this unpredictable distinction .
The list of defects in the draft law goes on and on, from the easily bypassed requirement of a judicial order to access the data, to a new offence of “data-fencing“ which threatens the work of journalists and whistleblowers. Still, with an 80 percent majority in the Parliament, the German government is simply ignoring all the protest and criticism, recklessly pushing the law into existence. This also means that the European Commissioner for Digital Economy and Society, Günther Oettinger, will soon have a chance to back up his words with deeds. In the hearing before the European Parliament on the occasion of his inauguration as a Commissioner, Oettinger announced that he will launch an infringement procedure against any Member State that attempts to introduce a law on data retention after the CJEU ruling.
Lack of protection due to the end of data retention?
UK admits unlawfully monitoring legally privileged communications (18.02.2015)
(Contribution by Volker Tripp, EDRi member Digitale Gesellschaft, Germany)