Data retention: flogging a dead horse
On 21 December 2016 the Court of Justice of the European Union (CJEU) ruled that national laws stipulating a generalised retention of traffic and location data from electronic communications violate the EU fundamental rights to privacy and the protection of personal data. Two and a half years earlier the judges had already struck down an EU directive which obliged the member states to adopt national laws on data retention for the very same reasons. Yet another four years in advance, the German Federal Constitutional Court had invalidated the then existing German law on data retention because it infringed the fundamental right of telecommunication freedom.
Blanket retention of communication data unconstitutional
From a legal point of view there can hardly be the shadow of a doubt that any form of a generalised retention of communications metadata is simply incompatible with the EU's constitutional principles. The German Federal Government, however, keeps flogging a dead horse by holding on to the German national law on data retention passed in 2015 – with a fairly peculiar reasoning: even though both the Ministry of Justice and the Ministry of the Interior still claim to need more time in order to thoroughly evaluate the German law in light of the latest CJEU ruling, both have already declared that they deem the law consistent with the EU Charter of Fundamental Rights. This rationale is all the more surprising as the German regulation on data retention evidently does not meet a number of the fundamental rights requirements postulated by the CJEU in its 2016 ruling.
The blatant inconsistencies begin with the law's personal scope. Since the declared aim of data retention is the fight against serious crime, the CJEU demands that data retention must not affect all persons using electronic communication services but instead must be limited to those who are, even indirectly, in a situation that is liable to give rise to criminal proceedings. By contrast, the German law provides for no differentiation, limitation or exception whatsoever in respect to the individuals whose communications data is retained. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences. Instead, it simply covers, in a generalised manner, all users of electronic communication means and services. This is true even for persons whose communications are subject to the obligation of professional secrecy, as for example lawyers, doctors or data protection officers. The CJEU, however, ruled that the traffic and location data from such professionals must not be retained at all.
German law out of scope
The German law is also lacking any restrictions in respect to its territorial scope. The CJEU, on the other hand, requires the data retention to be limited to geographical areas where the competent national authorities consider, on the basis of objective evidence, that there is a high risk of the preparation or commission of serious crimes.
Another obvious contradiction to the CJEU's 2016 decision lies in the modalities of access to the retained data. The German legislation allows law enforcement authorities to use anyone's retained data for the general purpose of prosecuting and combating serious crime, whereas the CJEU demands that the access must be restricted to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. Only in particular situations where, for example, vital national security, defence or public security interests are threatened by terrorist activities, the CJEU deems it acceptable to grant the authorities access to the data of other persons, provided that there is objective evidence that this data might make an effective contribution to combating such activities. In order to ensure, in practice, that these conditions are fully respected, the CJEU also ruled that access to the retained data must be subject to a prior review carried out either by a court or by an independent administrative body. Due to a somewhat vague reference, the German legislation, however, allows intelligence agencies to collect certain pieces of information, as for example IP addresses, from the pool of retained data without any previous control by a judge or an otherwise independent body.
German Federal Government needs to go back to basics
All these shortcomings cannot be fixed or amended without departing from the concept of a generalised, undifferentiated and indiscriminate retention of communications data altogether. Once the horse is dead, there is not much sense in flogging it any longer. Therefore, it is high time that the German Federal Government changes its perspective and starts looking at fundamental rights as an achievement of civilisation worth defending rather than an inconvenient obstacle that needs to be overcome.