On November 6, 2015, the German Bundesrat approved a bill on the introduction of a national Data Retention Act (“DRA”). Following the Bundesrat’s approval, the bill is now sent to the Federal President who will most likely sign it. Therefore, the DRA will likely enter into force before the end of November. The DRA introduces data retention obligations for providers of publicly available telecommunications services (PECS). However, the retention obligations vary depending on the provided service: Providers of publicly available telephone services (PATS) must store certain traffic data for 10 weeks. This includes:
- the telephone number or another identifier of all parties involved;
- date and time of the beginning and the end of the call including time zone;
- information on the used service if the PATS enables the use of various services;
- in case of mobile phone services:
- the international identifier of the calling and called party,
- the international identifier of the calling and called device, and
- date and time including time zone of the first activation of pre-paid services;
- in case of internet telephony: also the IP addresses of the calling and called parties including allocated user identifiers.
Providers of publicly available internet access services (“ISPs“) must store certain traffic data for 10 weeks. This includes:
- the IP address allocated to the subscriber;
- a unique identifier of the used internet connection as well as the allocated user identifier;
- date and time of the beginning and the end of the internet access under the allocated IP address including the time zone.
In addition, providers must store location data generated by the use of mobile phone services for 4 weeks. If a provider does not generate or process the respective data itself, it must ensure that the data is stored properly by a third party. Upon request, it must also promptly inform the Federal Network Agency (“FNA”) about the data processor’s identity. Providers may use the respective data only for the transmission to specific law enforcement authorities as defined and to extent specifically permitted by law. They must retain the data in such a way that information requests by these authorities can be answered immediately. To this end, the DRA contains an express obligation to store the data to be retained under the DRA on a server in Germany. After expiry of the respective retention period, the data must be deleted without undue delay but at the latest within one week. Non-compliance with the retention obligations is subject to administrative fines of up to EUR 500,000. If the financial benefit derived from the breach exceeds the aforementioned amounts, the fines may be even higher (skimming of profits). Furthermore, the FNA can take “appropriate” regulatory measures including – as last resort measure and subject to the principle of proportionality – prohibiting the provision of the PECS in question. Similar legislation had already been enacted in 2007, but was invalidated by the German Constitutional Court for violation of the constitutional guaranty of the telecommunications secrecy pursuant to Art. 10 of the German Constitution. Furthermore, on April 8, 2014, the European Court of Justice invalidated the Data Retention Directive (which was the legal basis for national data retention legislation across the EU) for violation of the Charter of Fundamental Rights of the European Union. Despite these court rulings, the German Government takes the view that the new DRA will pass the constitutional test. However, critics have already announced that they will challenge the DRA before the German Constitutional Court once it has been enacted. It remains to be seen whether the DRA will be considered as constitutional. Until then, however, the DRA will be enforceable and the providers will have to comply with it.