Translation by yours truly. Original source [A] at netzpolitik.org
Responsible for the data retention policy: Justice Minister Hubig and Interior Minister Dobrindt
Today, the federal government has approved a draft law on data retention. The bill now moves to the federal parliament [Bundestag].
The law obligates Internet access providers to store the IP addresses and port numbers of all users for three months, without cause and without suspicion of a criminal offense.
Upon order, Internet services such as email providers and messaging platforms must also store and disclose traffic data [translator's note: metadata like connection times, routing information, IPs...].
This is already the third data-retention law in Germany. Both the first law from 2007 and the second from 2015 were struck down by the highest courts.
Those earlier laws, ruled unconstitutional, were justified on the basis of combating terrorism. The federal government now justifies the new law by citing fake online shops and digital violence.
In December, Justice Minister Stefanie Hubig (SPD) presented an initial draft. During negotiations with the Interior Ministry and the Digital Ministry, a few things were modified.
Originally, only law enforcement and police authorities were to be allowed to access retained data. Now, "other authorized bodies" may also use the data, including intelligence services such as the Germany's domestic intelligence agency [Verfassungsschutz], tax authorities, and customs.
Authorities will no longer be limited to requesting traffic data only when an investigation would otherwise be "hopeless", but already when it would otherwise be "significantly more difficult".
The new draft clarifies that local Wi-Fi networks are not subject to the storage obligation - including, in addition to hotels, Freifunk [a German community-based non-commercial public Wi-Fi initiative]. Data must not be stored longer than three months, even if an Internet connection lasts longer. This had still been intended in the initial draft.
Professional confidentiality holders [think: lawyers, doctors, journalists] will not receive special protection, something media organizations had unsuccessfully demanded.
Interferences with basic rights must be necessary and proportionate. Other countries such as the USA do not have data retention, where it is not considered necessary. Germany has previously had data retention. At the time, the Max Planck Institute for the Study of Crime and Justice conducted a scientific study: Without data retention, there are no protection gaps in criminal prosecution.
In the draft law, the federal government attempts to estimate how often police will request retained data. They arrive at 143,000 per year - 86,000 requests by the Federal Criminal Police Office [Bundeskriminalamt (BKA)] and 57,000 by the federal states.
This estimates contradicts data from Deutsche Telekom. Even without data retention, Telekom received nearly 290,000 requests for IP address information in a single year - related to alleged copyright infringements on the Internet.
The storage obligation applies "without distinction to all providers of Internet access services", around 700 in Germany. Industry associations estimate costs of one to two million euros for large providers and 80.000€ for small ones.
Requests for traffic data affect "all providers of telecommunications services", including email and messaging services. The Federal Network Agency [Bundesnetzagentur, telecom regulator] estimates there are "around 3,000 obligated entities". Not all of these are commercial companies; some are volunteer-run or non-profit providers.
The federal government is thus creating more regulation and additional burdens for Internet services, against their will.
20 years ago, tens of thousands of people protested against data retention. Resistance remains broad today.
The German Bar Association had already criticized the draft in strong terms: The government "disregards the requirements of European law" and is "not aligned with the rights-protecting intentions of the Court of Justice [of the European Union]". There is no "effective limitation of purposes", meaning that "the proposed data retention is incompatible with EU law".
The [German digital rights advocacy group] Digitale Gesellschaft criticizes:
The Center for Digital Rights and Democracy criticizes:
Update: The German Bar Association criticizes:
Third attempt
Federal government approves warrantless data retention
The federal government is making a third attempt to introduce data retention. Internet access providers are to store the IP addresses of all users - indiscriminately and on a mass basis. Internet services such as email providers and messaging apps must also store and disclose data upon order.Responsible for the data retention policy: Justice Minister Hubig and Interior Minister Dobrindt
Today, the federal government has approved a draft law on data retention. The bill now moves to the federal parliament [Bundestag].
The law obligates Internet access providers to store the IP addresses and port numbers of all users for three months, without cause and without suspicion of a criminal offense.
Upon order, Internet services such as email providers and messaging platforms must also store and disclose traffic data [translator's note: metadata like connection times, routing information, IPs...].
This is already the third data-retention law in Germany. Both the first law from 2007 and the second from 2015 were struck down by the highest courts.
Those earlier laws, ruled unconstitutional, were justified on the basis of combating terrorism. The federal government now justifies the new law by citing fake online shops and digital violence.
More authorities, more cases
In December, Justice Minister Stefanie Hubig (SPD) presented an initial draft. During negotiations with the Interior Ministry and the Digital Ministry, a few things were modified.
Originally, only law enforcement and police authorities were to be allowed to access retained data. Now, "other authorized bodies" may also use the data, including intelligence services such as the Germany's domestic intelligence agency [Verfassungsschutz], tax authorities, and customs.
Authorities will no longer be limited to requesting traffic data only when an investigation would otherwise be "hopeless", but already when it would otherwise be "significantly more difficult".
The new draft clarifies that local Wi-Fi networks are not subject to the storage obligation - including, in addition to hotels, Freifunk [a German community-based non-commercial public Wi-Fi initiative]. Data must not be stored longer than three months, even if an Internet connection lasts longer. This had still been intended in the initial draft.
Professional confidentiality holders [think: lawyers, doctors, journalists] will not receive special protection, something media organizations had unsuccessfully demanded.
Hundreds of thousands of requests
Interferences with basic rights must be necessary and proportionate. Other countries such as the USA do not have data retention, where it is not considered necessary. Germany has previously had data retention. At the time, the Max Planck Institute for the Study of Crime and Justice conducted a scientific study: Without data retention, there are no protection gaps in criminal prosecution.
In the draft law, the federal government attempts to estimate how often police will request retained data. They arrive at 143,000 per year - 86,000 requests by the Federal Criminal Police Office [Bundeskriminalamt (BKA)] and 57,000 by the federal states.
This estimates contradicts data from Deutsche Telekom. Even without data retention, Telekom received nearly 290,000 requests for IP address information in a single year - related to alleged copyright infringements on the Internet.
Thousands of providers affected
The storage obligation applies "without distinction to all providers of Internet access services", around 700 in Germany. Industry associations estimate costs of one to two million euros for large providers and 80.000€ for small ones.
Requests for traffic data affect "all providers of telecommunications services", including email and messaging services. The Federal Network Agency [Bundesnetzagentur, telecom regulator] estimates there are "around 3,000 obligated entities". Not all of these are commercial companies; some are volunteer-run or non-profit providers.
The federal government is thus creating more regulation and additional burdens for Internet services, against their will.
"Unlawful, misguided, dangerous"
20 years ago, tens of thousands of people protested against data retention. Resistance remains broad today.
The German Bar Association had already criticized the draft in strong terms: The government "disregards the requirements of European law" and is "not aligned with the rights-protecting intentions of the Court of Justice [of the European Union]". There is no "effective limitation of purposes", meaning that "the proposed data retention is incompatible with EU law".
The [German digital rights advocacy group] Digitale Gesellschaft criticizes:
Data retention remains a misguided approach. There is no evidence supporting the proportionality of this radical mass surveillance. In reality, large numbers of law-abiding citizens would be affected.
The Center for Digital Rights and Democracy criticizes:
At a time when new technologies are increasingly intruding into privacy, while authoritarian forces are gaining power and influence, the question arises: What happens if governments instruct or encourage law enforcement to use their access to IP addresses and port numbers to target political opponents?
Bar Association: "Legality questionable"
Update: The German Bar Association criticizes:
Even a scaled-down data retention scheme remains data retention. The warrantless storage of IP addresses affects the rights of millions of law-abiding citizens - while criminals have sufficient means to conceal their identity.
The storage period of three months clearly exceeds what is necessary. There is no provision for judicial oversight of data use, nor a limitation to offenses of a minimum level of seriousness. Its compatibility with constitutional and European law is therefore questionable.
The Left: "Mass surveillance through the back door"
Update: The Left Party in the Bundestag criticizes:This draft will once again fail spectacularly in the courts. I call on the federal government to end this deception and withdraw the proposal. As The Left, we reject any form of data retention.
Internet industry: "Decision highly problematic"
Update: The Internet industry association eco criticizes:Even after the cabinet decision, it remains clear: the draft fails to meet the requirements of the Court of Justice of the European Union and once again creates warrantless data retention without demonstrable added value for law enforcement. Three months of IP address storage do not mean more security, but more data retention based on suspicion.
Greens: "A central civil liberties issue"
Update: The Greens in the Bundestag criticize:The latest proposal by the federal government, with a three-month retention period, continues to raise significant legal concerns, e.g. regarding whether the specific requirements of the highest courts (which, among other things, limit retention periods to an absolute minimum) are being met. The risk that this regulation will not stand for long is therefore very real.
