German data retention is not compatible with EU law. The European Court of Justice (ECJ) ruled on Tuesday in Luxembourg that the communication data of all citizens should not be stored without cause. Limited data storage is only permitted under certain strict conditions.
ECJ declares data retention without cause illegal
The so-called data retention is highly controversial. It is about the question of whether Internet providers and telecommunications providers have to store their customers’ data – for example IP addresses and telephone numbers – for access by authorities. This is provided for in the Telecommunications Act, which is currently on hold. While security politicians see it as a key tool in the fight against organized crime, child pornography and terrorism, civil rights activists and consumer advocates consider it an inadmissible invasion of privacy.
The background to the judgment that has now been passed is a legal dispute between the Federal Network Agency and the Internet provider SpaceNet and Telekom, which are opposing the storage obligation in the Telecommunications Act. The Federal Network Agency had already put this regulation on hold in 2017 after the Münster Higher Administrative Court decided that SpaceNet should not be obliged to store the data. That was a few days before the new rule was supposed to come into force.
The ECJ has now ruled on this. Once again, it has to be said, because the Court of Justice has regularly ruled on data retention in various countries in recent years and mostly overturned the national regulations. The line of the judges was quite clear: The storage of communication data without cause therefore violates EU law.
An exception applies in the event of an acute threat to national security. In this case, a time-limited, justified data storage may be permissible. However, the concept of national security is narrowly defined: It was only in April that the ECJ ruled on data retention in Ireland that serious crimes such as murder are not included. In his opinion on the present German case, the ECJ Advocate General confirmed the previous judgments and strengthened the position of data protection officers. The Court often, but not always, follows the Advocate General’s assessment.