German gov't proposes telecom data retention law

Critics say this revamped version is probably still illegal

The German Bundestag

The German Bundestag

German telecom and Internet operators could once again be forced to store customer traffic and location metadata for police investigation purposes, five years after a previous data retention law was declared unconstitutional.

The draft data retention law unveiled on Wednesday would oblige providers to store call and Internet traffic metadata for a maximum of 10 weeks while location data would have to be stored for four weeks, the German government said.

The measure is meant to help law enforcement agencies in their fight against terrorism and serious crime. According to the government, it strikes the right balance between freedom and security in the digital world.

However, plans to retain metadata for these purposes are controversial in Germany and the draft law was immediately heavily criticized.

Germany hasn't had a data retention law since 2010, when the German Federal Constitutional Court ruled the previous law unconstitutional.

The earlier law was based on the European Union's Data Retention Directive, which was itself overturned a year ago by the Court of Justice of the European Union (CJEU), because it violated fundamental privacy rights.

The government's new data retention proposal still violates the European right to privacy and the right to personal data, said Volker Tripp, advocacy manager at the German digital rights group Digitale Gesellschaft, who added that the government has failed to prove data retention is needed to fight serious crime and terrorism.

According to Federal Minister of Justice and Consumer Protection Heiko Maas, though, things are different this time. The current draft law cannot be compared to the old law, which obliged providers to store data for six months, he said.

Privacy will protected under the current proposal as the retained data has to be deleted immediately, he said. What's more, content will not be retained and the right to have private conversations will remain, while it is not allowed to build motion profiles and retention periods are far shorter than before, he added.

Not everyone's data will have to be retained. The proposed law has a provision that excludes people and organizations that have to keep secrets by profession from the retention requirement. This includes social institutions and churches, according to the draft.

Data will be retained though from people in other professions who under German law are allowed to keep professional secrets including lawyers, doctors, pharmacists, members of parliament and journalists. However, authorities are not allowed to use that data.

"So they are saving it to not use it later. Does that make sense? No it doesn't," said Tripp, who added that this part of the proposal also goes against the German legal principle of non-discrimination.

Despite the criticism, it is likely that the law will pass through the Bundestag quickly, as the government coalition has about an 80 percent majority, said Tripp.

"The government is obviously trying to push the law through parliament," he said. It only took a couple of months to prepare this draft while a normal legislative process takes several months or maybe years, he said, adding that the law could be approved before the parliament's summer recess starts at the end of June. By fast-tracking the legislation process, the government is trying to avoid a public debate, Tripp said.

A spokeswoman for the Ministry of Justice and Consumer Protection declined to comment on timing and said the process is now in the hands of the Bundestag.

Germany is not the only country struggling with data retention. In the Netherlands, where the national data retention law was scrapped by a court because it was found to violate fundamental privacy rights, the government is looking to introduce a new one as soon as possible.

The Swedish government meanwhile maintains that its data retention law can still be applied, while in the U.K. a new data retention law was rushed through by the U.K. government after the CJEU ruling. That law will be reviewed by the country's High Court to determine if it violates human rights.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags German Federal Constitutional CourttelecommunicationsecuritylegislationgovernmentCourt of Justice of the European Unionprivacy

More about EUIDGNews

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts