Recently, German President Joachim Gauck signed into law the Data Retention Act. The Act, designed to provide law enforcement agencies with electronic data to combat “serious crimes,” requires public telecommunication and internet providers to retain various call detail records (CDRs). CDRs include phone numbers, the date and time of phone calls and texts, the content of text messages, and—for cellular calls—the locations of call participants. In addition, Internet providers are required to store user metadata such as IP addresses, port numbers, and the date and time of Internet access. The Act requires providers to store CDRs and metadata for 10 weeks and cell phone location data for four weeks. In response to privacy and data security concerns, the Act provides extensive technical requirements for how providers store data.
Despite the Act’s relatively easy passage in the Bundestag—404 of 559 members voted in favor—the Act remains controversial in Germany. Although the law went into effect upon publication in the Federal Law Gazette on January 4, 2016, it still may face challenges in both German and EU courts. Aside from the privacy and constitutional challenges that are likely to arise after this Act takes effect, it may face a challenge in EU courts because it arguably violates the Data Protection Directive. This Directive requires a “free flow of data” and was used, in 2012, to strike down another German telecommunication law that required data to be stored physically within Germany.
Tip: The Act only applies to public companies that provide telecommunication services. However, companies that perform outsourced services for providers, such as IT support, data storage, or data analysis, will have to comply with the technical requirements of the Act. Companies that work with public German telecommunication providers will need to track the progress of the Act as it gets closer to enactment.