German policymakers have moved to strengthen data retention laws, insisting that information will only be stored in Germany, and for much shorter periods, after the European Court of Justice struck down EU legislation that required data storage for longer periods.
In 2010, Germany’s constitutional court struck down a previous data retention bill on grounds that it violated users’ privacy by broadly collecting and storing data from all users.
That law allowed for data storage in Germany, or other EU countries, for six months.
The new draft bill states that data must be stored in Germany, which has been rocked by revelations over US data espionage since 2013.
It calls for mandatory data retention of telephone use and computer IP addresses for ten weeks.
Data that flags a mobile phone user’s exact movements can only be saved for up to four weeks under the draft law.
The EU’s defunct European Data Retention Directive required data storage for between six and twenty-four months.
A 55-page draft of Germany’s planned data retention law was published on the blog Netzpolitik.org over the weekend. It is reportedly scheduled to be presented to the federal government in two weeks, and in the Bundestag in June.
The bill said about 1,000 internet and telecommunication companies will be affected by the new data retention requirements.
Some smaller ones may be eligible for government subsidies, if the costs of data storage pose a “significant hardship” to them.
According to the draft, it’s expected that other companies would “calculate these costs into their pricing and pass them on to their customers”.
European Court of Justice
Germany is one of the first EU countries to draft a new law on data retention since the European Court of Justice decision against the EU’s Data Retention Directive.
Since the judgement ruled that it violated privacy rights, national courts have struck down data retention laws in Austria, Bulgaria, the Netherlands and Romania.
Following the attack on Charlie Hebdo in January, German Chancellor Angela Merkel voiced her support for a new data retention law.
“We should push for the European Commission to present the reworked EU directive that was announced and then implement that in German law,” Merkel said.
European Home Affairs Commissioner Dimitris Avramopoulos announced in March that the European Commission is not planning new legislation following the ECJ decision.
But data security features prominently in the European Commission’s Digital Single Market plans, which were presented on 6 May. The General Data Protection Regulation and the e-Privacy Directive, part of the strategy, target the treatment of consumers’ personal data.
The Digital Single Market documents also say member states’ restrictions on data storage outside their own borders–like the new German draft bill proposes–contribute to market fragmentation in Europe.
A European Commission spokesperson said on Monday (18 May), “Member states are free to maintain their current data retention systems, revise them or set up new ones, providing of course they comply with basic principles under EU law, such as those contained in the e-Privacy Directive.”
A German Ministry of Justice spokesperson declined to comment on the new draft bill while it’s still being debated by officials. A spokesperson for the German data protection supervisor also declined to comment as the agency is still reviewing the draft bill.
Netzpolitik.org reported that Social Democrats (SPD) are discussing the draft bill tomorrow (19 May) in the Bundestag. Justice Minister Maas is a Social Democrat; the SPD has been divided over data retention.