EU Top Court Rules German Data Law Illegal

Germany’s data retention law ruled illegal by top EU court, except in cases of serious national security threat

The European Union’s top court has ruled that Germany’s data retention law is illegal, after it was challenged by local Internet Service Providers (ISPs).

The Court of Justice of the European Union (CJEU) on Tuesday ruled that Germany’s law requiring “the general and indiscriminate retention of traffic and location data” is incompatible with EU law.

It comes after the requirement in Germany was challenged by DT’s Telekom Deutschland and internet service provider SpaceNet AG, which argued the law breached EU rules.

The Court of Justice of the European Union. Credit: CJEU

Court ruling

Their objection was to the obligation imposed on them by the German Law on Telecommunications (TKG) to retain, as from 1 July 2017, online traffic and location data relating to their customers’ telecommunications.

The Act was designed to provide German law enforcement agencies with electronic data to combat “serious crimes,” and it requires public telecommunication and internet providers in the country to retain various call detail records (CDRs).

In addition, ISPs were required to store user metadata such as IP addresses, port numbers, and the date and time of Internet access.

But this has now been ruled illegal.

“The Court of Justice confirms that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security,” the CJEU ruled.

“However, in order to combat serious crime, the Member States may, in strict compliance with the principle of proportionality, provide for, inter alia, the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses,” it said.

The ruling is a blow to European member states relying on blanket data collection laws to fight crime and safeguard national security.

The law may only be applied in circumstances where there is a serious threat to national security defined under very strict terms, the CJEU said.

Data retention

Governments (not just in Europe) have previously argued that access to such data, especially that collected by telecoms operators, can help prevent terrorist and national security incidents.

However, operators and privacy campaigners have long opposed such data retention laws.

It should be remembered that the UK has been embroiled in a similar battle over data collection for many years now.

Privacy concerns spiked in 2013 when the level of private data shared for intelligence purposes was universally exposed by Edward Snowden, when he revealed the extent of the US government’s global surveillance programs.

In the UK there was a lengthy battle over the Investigatory Powers Bill (often called the ‘Snooper’s Charter’).

In June 2016 MPs voted 444-69 in favour of the Investigatory Powers Bill, otherwise known as the Snooper’s Charter 2.0.

It had been opposed by many technology firms (including Apple) and ISPs, as it requires Internet Service Providers to store the web browsing history of all their customers, for 12 months, for government spooks.

It faced ferocious opposition from civil liberty groups and indeed MPs, forcing the Home Secretary to make a number of concessions at the time.

Six years later and people’s online data is widely shared.

In May this year a new study from the Irish Council for Civil Liberties found that the average European user’s data was shared 376 times per day, rising to 747 times for US-based users.