On 9 November 2007, the German Parliament ("Bundestag") adopted the contentious act on data retention and surveillance of telecommunication ("Gesetz zur Neuregelung der Telekommunikationsüberwachung und anderer verdeckter Ermittlungsmaßnahmen sowie zur Umsetzung der Richtlinie 2006/24/EG") (the "Act"). This Act has been adopted despite the claim which is being brought by the Republic of Ireland challenging the Data Retention Directive at the European Court of Justice. The Act implements Data Retention Directive 2006/24/EC and contains several new provisions on monitoring telecommunications and covert investigations.
Under the Act, the data retention provisions are implemented into the German Telecommunications Act. The Act places an obligation on telecommunication providers and ISPs who provide publicly accessible services to retain data for six months (the minimum period stipulated in the Data Retention Directive). The Act applies to various types of communication, i.e. e-mail and internet access services, telecommunications via fixed lines, and mobile telecommunications (including text messages). The providers who will become subject to the retention provisions are also required to store traffic data (i.e. data processed in order that a communication may be sent e.g. IP addresses).
The Act sets out in detail the data that should be retained which depends on the services provided:
- For telephone services the details that should be retained are in principle:
- phone numbers;
- the time when the connection began and ended;
- the particular services used;
- in the case of mobile telephone services, details including the radio cells where the mobile devices have been located at the beginning of the connection;
- in the case of VoIP, the IP address.
- For e-mail services the following details should be retained in principle:
- time of use;
- for e-mails sent and received the postbox details of the sender and recipient of e-mails and the IP address of the sender;
- for any access postbox the details of the owner and IP address of the accessing person should be retained.
- For internet access services the IP address of the user should be recorded along with details of where the access comes from and the time when the connection begins and ends.
On the other hand, Section 113a para. 8 TKG (new) expressly prohibits the retention of telecommunication content.
In practice, this provision may cause some difficulties as there may be protocols which do not allow for a precise technical separation between content and traffic data (e.g. in e-mail protocols).
As the new provisions only apply to providers of publicly accessible services, corporate networks, private branch exchanges or a university's e-mail services which are exclusively offered to its students and employees, are not subject to the retention obligations.
In principle, a court order is required before access to the retained information is granted unless it is a request from an intelligence agency. Owners of Intellectual Property Rights are not entitled to request retained data in cases of alleged infringements of their intellectual property rights.
The Act still requires the approval of the Federal Council (of the Länder) ("Bundesrat") although this is likely to be given. The Act will come into force for telecommunications providers (with few exemptions) on 1 January 2008 and for Internet Service Providers on 1 January 2009. A group of politicians in the Liberal Party (FDP) and privacy groups have already declared that they will take the Act to the Federal Constitutional Court ("Bundesverfassungsgericht") once it has passed the Federal Council. Their concerns are that the Act may breach the German constitution on the basis that the new provisions (i) are too extensive and thus breaching the constitutionally protected privacy rights of users and (ii) are too imprecise.