Today the German Minister for Justice and Consumer Protection, Heiko Maas, presented the “Guidelines for the Introduction of a data retention obligation and maximum retention periods for traffic data” (PDF, in German).
After the European Court of Justice in April 2014 (C-293/12) found that the European Directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks was invalid, and after the German Federal Constitutional Court already in 2010 found that certain provisions on data retention of the Telecommunications Act were unconstitutional in their present form (Press Release), the interested public in Germany was expecting a new proposal for a national data retention law. The guidelines published today only roughly outline the possible substance of a new data retention law in Germany. According to the Ministry, this proposal for a new bill (amending the Telecommunications Act) shall be tabled by this summer.
Very briefly, the guidelines provide the following requirements for a future data retention law:
- The data affected by the retention obligation: telephone number; time and duration of the call; if mobile communication is affected, also the location data; IP address; time and duration of the allocation of the IP address
- Data not affected: content of the communication; websites visited; data of e-mail providers
- The respective data must be stored in “the interior” (it is not entirely clear whether that means Germany or the European Union)
- Retention periods: 4 weeks for location data, 10 weeks for the rest
- Access to data is in general subject to prior review by a court
- Access to the data shall only be possible in the case of criminal prosecutions concerning “severe” offences. A catalogue of the respective offences is attached to the guidelines, among them murder, aggravated robbery, robbery causing death, forming criminal organisations, forming terrorist organisations but also certain offences under the German narcotics act.
- Persons affected by an access to their communication data must in general be notified before the data is accessed by the authorities. In some circumstances, secret access might be legal, but notice must then be given afterwards.
- Persons subject to an obligation of professional secrecy (lawyers, doctors, etc.) will not be exempted from the collection of the data, but this data shall not be accessed
- The creation of personal profiles and profiles consisting of location data is prohibited
- The data retained must be protected by using a particularly secure encryption method (there is no reference to a specific one in the guidelines)
- If data is accessed, a double-verification-principle (four eyes) must be established
- If a telecommunication provider does not automatically delete the retained data after the respective periods, it faces monetary fines