The court found that Section 113 of the Telecommunications Act violates the privacy of German citizens and that the law lacks the controls to ensure the data is secure and properly utilized. The court also ruled that all stored data must be immediately deleted. The law had ordered that all data — except content — from phone calls and e-mail exchanges be retained for six months for possible use by criminal authorities, who could probe who contacted whom, from where and for how long.
“The disputed instructions neither provided a sufficient level of data security, nor sufficiently limited the possible uses of the data,” the court said, adding that “such retention represents an especially grave intrusion.” The court said that because citizens did not notice the data was being retained, the retention caused “a vague and threatening sense of being watched.”
The law was passed in response to a 2006 European Union (EU) directive requiring the retention of telephone and e-mail records for use in terrorism investigations. The court, however, stated that the German law exceeded the requirements put forth by the EU.
The law has been widely criticized in Germany, with nearly 35,000 Germans filing complaints regarding the law with the court. Notably, Justice Minister Sabine Leutheusser-Schnarrenberger joined the plaintiffs as a private citizen. Civil rights activists who had fiercely opposed the law welcomed the ruling.
“The government must not only refrain from collecting data, it must also protect citizens from the excessive gathering of information and building of profiles by the private sector,” Germany’s federal data protection watchdog, Peter Schaar, said in a statement.
Ignacio Czeguhn, a professor with Berlin’s Free University, noted that while Tuesday’s ruling was limited to the government, it could have an impact on the private sector as well.
“This (ruling) raises the question, of course, what happens if a company does this?” he asked.
Germany’s top security official, Interior Minister Thomas de Maiziere, expressed disappointment at the ruling and said the government would propose narrower legislation quickly.
Germany had earlier threatened to veto the European Union’s Telecommunications Directive 2006/24/EC (which came into force last year), a move which prompted the Council of Ministers to take the unethical and devious step of redefining the Directive as belonging to the ‘commercial’ field (which requires only a majority vote) as opposed to being a matter of ‘security’ (in which there has to be unanimity).
Other EU member states implementing the EU-wide directive have ordered even longer storage.
Britain requires Internet service providers to store records of Web and e-mail traffic — though not their content — for a year, but a government proposal there to set up a vast central database of phone and Internet traffic met with strong opposition and was dropped.
The Netherlands also set 12 months for most data storage in a contentious decision, prompting the Dutch digital rights group Bits of Freedom to applaud the German ruling.
“This is a groundbreaking ruling with big consequences for the Netherlands, where the same mistakes have been made as in Germany only to a larger degree,” said spokesman Axel Arnbak. “This ruling goes to show: protest pays.”
In Sweden, where the EU directive has yet to be implemented, Justice Minister Beatrice Ask was quoted as saying the German ruling showed “that we have been right in that it concerns sensitive issues that demand very difficult judgments.”
Austrian Infrastructure Minister Doris Bures — whose office has drafted its own version of the law — lauded the court decision. “Maximum data protection and maximum protection of basic rights have to be the guidelines,” for complying with the EU directive, she said.
In Spain, telecom companies also have to retain data for a whole year, but police are required to have a court order to access the data.
That condition seems to have been enough to prevent any significant protests in a country with a long history of fighting violent Basque separatism and more recently, Islamic terror groups, said Ruben Sanchez, spokesman for the consumer rights federation called FACUA.
The decision in Germany, Sanchez said, “might serve as a wake up call for governments not to overdo things.”
The ruling comes amid a European-wide attempt to set limits on the digital sphere in the name of protecting privacy, which includes disputes with Google Inc. over photographing citizens for its Street View maps and a vote against letting U.S. authorities see European bank transfers to track down terror cells.


The Economist has a 15 page special edition on managing information: http://www.economist.com/surveys/displaystory.cfm?story_id=15557487&fsrc=rss
http://www.talkleft.com/story/2010/3/3/104844/0022
more: http://www.edri.org/edrigram/number8.5/german-decision-data-retention-unconstitutional, http://www.eff.org/deeplinks/2010/03/beginning-end-data-retention
English summary of the ruling here: http://www.bverfg.de/pressemitteilungen/bvg10-011en.html
Excellent analysis here: http://vortex.uvt.nl/TILTblog/?p=118
and here: http://afsj.wordpress.com/2010/03/05/so-lange-here-it-goes-again/