On November 6, 2015, the German “Bundesrat” (the legislative body representing the 16 German states) approved a bill introducing a new national Data Retention Act ("DRA"). The bill had previously been approved by the German Parliament and now awaits the Federal President’s signature as a last step before it will likely enter into force before the end of 2015.
What Does The DRA Prescribe?
The DRA introduces data retention obligations for providers of publicly available telecommunications services ("PECS"). However, the retention obligations vary depending on the provided service:
Providers of publicly available telephone services ("PATS") must store certain traffic data for 10 weeks. This includes the telephone number or another identifier of all parties involved, date and time (i.e., beginning and end) of the call including time zone and, in case of internet telephony, also the IP addresses of the calling and called parties including allocated user identifiers. The content of communications must not be stored.
Providers of publicly available internet access services ("ISPs") must store certain traffic data for 10 weeks. This includes the IP address allocated to the subscriber, a unique identifier of the used internet connection as well as the allocated user identifier and date and time (i.e., beginning and end) of the internet access under the allocated IP address.
In addition, providers must store location data generated by the use of mobile phone services for 4 weeks.
If a provider does not generate or process the respective data itself, it must ensure that the data is stored properly by a third party. Upon request, it must promptly inform the Federal Network Agency ("FNA") about the data processor's identity.
Providers may use the respective data only for transmission to specific law enforcement authorities as defined and to the extent specifically permitted by law. The DRA contains an express obligation to store the data to be retained under the DRA on a server in Germany. After expiry of the respective retention period, the data must be deleted without undue delay but at the latest within one week.
Non-compliance with the retention obligations is subject to administrative fines of up to EUR 500,000. If the financial benefit derived from the breach exceeds this amount, the fines may be even higher (skimming of profits). Furthermore, the FNA can take "appropriate" regulatory measures including – as a last resort and subject to the principle of proportionality – prohibiting the provision of the PECS in question.
Similar legislation had already been enacted in 2007 but was invalidated by the German Constitutional Court for violation of the constitutional guaranty of the telecommunications secrecy. Furthermore, on April 8, 2014, the European Court of Justice invalidated the Data Retention Directive (which was the legal basis for national data retention legislation across the EU) for violation of the Charter of Fundamental Rights of the European Union. Despite these court rulings, the German Government takes the view that the new DRA will pass the constitutional test.
In comparison to the data retention legislation of other countries in the European Union (e.g., France, United Kingdom, Sweden) and elsewhere (e.g., Australia, Switzerland), the scope of the German DRA is fairly narrow, both with respect to the data to be retained and the duration of the mandatory storage period.
Nevertheless, critics have already announced they will challenge the DRA before the German Constitutional Court once it has been enacted. It remains to be seen whether the DRA will be considered as constitutional. Until then, however, once enacted the DRA will be enforceable and providers will have to comply with it.