The response of German politics regarding the ECJ’s decision on data retention in Germany
On 20 September 2022, Germany was condemned by the European Court of Justice (ECJ, Judgment of 20 September 2022, Cases C-793/19, C-794/19). The subject of the ruling was the laws on data retention.
The proceedings to which the ECJ’s ruling of 20 September 2022 refers have only a short procedural history: the Cologne Administrative Court had ruled at first instance that the service providers SpaceNet and Telekom Deutschland were not obliged to retain data relating to the telecommunications of their customers. The Federal Network Agency appealed to the Federal Administrative Court in Leipzig. The latter suspended the proceedings and referred the decisive question of whether data retention under German law is compatible with EU law to the ECJ itself. The ECJ’s decision was in favour of Germany – which is not surprising, because:
Already in 2016, the ECJ ruled on the issue of data retention and determined that unlimited storage of location and telephone data violates the Charter of Fundamental Rights of the European Union. In the decision against Germany, the ECJ remains true to this line and declares the German law on data retention to be contrary to the Union. According to the ECJ, the provisions that impose a preventive, i.e. stockpiling obligation to store data that may at some point be necessary to fight crime or prevent threats to public security are not compatible with Union law. The ECJ also considers the indiscriminate storage of traffic and location data in advance to be incompatible with Union law.
In order to remedy its error, the Federal Ministry of Justice has already prepared a draft bill. With this draft, the regulations in § 100g paragraph 2 StPO as well as in §§ 175 to 181 TKG will simply be repealed. Section 100g paragraph 2 StPO regulated the collection of traffic data. Sections 175 to 181 TKG regulated, among other things, the obligations to store traffic data, the use of this data and the guarantee of the security of the data.
The new invention of the Ministry of Justice, i.e. the replacement for the deleted norms: the “investigative instrument of a security order”. With this instrument, it should be possible to order the securing of data in the case of serious criminal offences, if the collection of the data can help to establish the facts of the case or the whereabouts of an accused person.
Thus, the data should not be able to be ordered from everyone, but only from an accused person – this is the first protective mechanism of the new norms. An accused person in the sense of criminal procedure only exists when there is a suspicion of a crime against a person and the investigating authorities initiate a formal investigation against him or her. A double judge’s prerogative is also to be standardised as a further protective instrument. First, the judge is to order the “freezing” of the data. This means that the data already collected by the providers for business reasons, as well as the data accruing from the time of the judge’s order, may no longer be deleted. Another judicial decision is supposed to be able to “thaw” this “frozen” data in turn: because only after the second judicial decision can the law enforcement authorities collect and evaluate the data for a certain period of time. Moreover, this should only be able to be ordered in the case of significant criminal offences.
Such regulations are in line with the case law of the ECJ, according to the ministry in the draft bill. The provisions of the TKG, but also of the TKÜG, BPolG, BSI-Gesetz, BKAG, ZFdG, EGStPO, JVEG are also to be amended in accordance with the ECJ’s decision. In its decision, the ECJ established clear criteria that must be fulfilled in order for data storage to be lawful. The regulations are to be adapted to this.
A look at all the laws to be changed makes it clear: the ministry has a lot planned. However, there is currently no agreement on the many changes – so it remains to be seen which regulations and when they will come into force.