Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.    

Privacy and data security

Net neutrality

What is your jurisdiction’s regulatory stance on net neutrality?

Net neutrality has become one of the main aims of regulation since 2012. According to the former Section 41a of the Telecoms Act, the federal government was authorised to adopt legal regulation to establish the principles of non-discriminatory data transmission and access to content and applications. Nevertheless, as this authorisation was never used as Section 41a was removed from the amended Telecoms Act 2017.

The 2017 amendments to the Telecoms Act, which were mainly driven by the EU Open Internet Access Regulation (2015/2120), enforce the following goals:

  • End users must have access to information and content through their internet service provider.
  • End users musthave the possibility to use and provide applications and services through the Internet.
  • End users must be able to select out of different rates with specific data volumes and specific speed

The Federal Network Agency (BNetzA) will be granted rights to interment if business models may restrict the open internet.

Encryption

Are there regulations or restrictions on encryption of communications?

German law does not provide an express encryption requirement. However, the general requirements on IT security – derived from Section 109 of the Telecoms Act, Article 32 of the EU General Data Protection Regulation and Section 8a of the Federal Office for Information Security Act – require the consideration of technical measures for data security. As the encryption of communication is a state of the art data security measure, a de facto obligation to encrypt communication exists. However, there is no case law on the question of which encryption process is sufficient in which case.

Data retention

Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?

On April 8 2014 the European Court of Justice (ECJ) declared the EU Data Storage Directive 2006 null and void. The German act which implemented the directive into German law was declared null and void by the Federal Constitutional Court in March 2010. However, the new Data Retention Law was enacted in December 2015 and entered into force in May 2017. According to the new act, the following data must be stored by each telecoms provider:

  • location data when initiating mobile internet usage – to be stored for four weeks;
  • the telephone numbers called and the time and duration of all calls – to be stored for 10 weeks;
  • for all text messages, the target mobile station international subscriber directory number and the time of sending and receiving – to be stored for 10 weeks; and
  • assigned internet protocol addresses of internet users and the time and duration of internet use – to be stored for 10 weeks.

Various associations have challenged the new Data Retention Act. In June 2017 the North Rhine-Westphalia Higher Administrative Court ruled that the new Data Retention Act violates EU law and does not fulfil the requirements set out by the ECJ. As a result of this ruling, the BNetzA considers the data retention obligations to be suspended.

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?

Telecoms operators providing telecoms services must provide for the technical systems to allow call interception. Details are regulated in the Telecommunications Interception Ordinance and a technical directive. Exceptions apply to operators with only a small number of end customers. At present, operators must maintain the necessary technical equipment for interception at their own costs. The Telecommunications Interception Ordinance covers any forms of telecoms including traditional telephone calls, Voice over Internet Protocol calls, emails and text messages.

Under the Telecommunications Interception Ordinance, operators providing telecoms services must transmit the intercept, including the relevant data to the competent authority. Operators must configure their interception equipment in such a way that it can implement a judicial order without delay (the same applies if the competent authority requires that an interception measure be switched off prematurely). The intercept itself is made by the operators and not by the competent authorities.

Source telecoms surveillance is implemented by the competent authorities themselves (eg, by installing so-called ‘Trojan horses’ on the target’s computer).

Data security obligations

What are telecoms operators’ general data security obligations to consumers?

Section 109(1) of the Telecoms Act contains a general obligation for all telecoms service providers to implement adequate technical and organisational measures to protect personal data and to protect the telecommunications secrecy. The technical and organisational measures must be state of the art. Similar requirements derive from the EU General Data Protection Regulation and the EU ePrivacy Regulation, and it remains unclear which regulation or act will primarily apply in the future in this respect. Against the background of the potentially high administrative fines according to the General Data Protection Regulation and the ePrivacy Regulation, this is not only an academic question. However, as neither regulation nor Section 109(1) of the Telecoms Act provide specific and detailed IT security requirements, it must be assumed that their requirements are basically identical.

According to Sections 109(2) and (3), a provider of a public telecoms network or publicly available telecoms service must appoint a data security officer and adopt a IT security concept. The security concept must be revealed to the BNetzA.

If a telecoms service provider exceeds the thresholds of the IT Security Act and the Critical Infrastructure Ordinance, it is subject to the specific IT security requirements of the Federal Office for Information Security Act and the respective ordinances.

Click here to view the full article.