Data Storage in Germany

Which development took the data storage in Germany?

From January 1st, 2008 to March 2nd, 2010, the "European Act for revision of the telecommunications surveillance and other covert investigation measures and the implementation of Directive 2006/24/EC" regulated the retention. The law allowed to store the data for six to a maximum of seven months without any evidence. Germany quite persistently refused and adamantly opposed to an unexceptional storage until the law even was declared as unconstitutional by the Federal Constitutional Court in 2010. With a judgment of the European Court of Justice (ECJ) in 2014, the legal obligation to operate data storage was eliminated for all EU members. And now one has to wonder that the Bundestag has decided reintroduce the retention just one year later.

The new law includes the retention of telecommunications data for up to 10 weeks. When it comes to telephone communication the telephone number, the time and duration (including SMS and MMS) are stored. For Internet use, the IP addresses are stored. The location data in mobile phones are kept for four weeks. Although the storage of content is not intended, the contents of SMS can be seen due to a technical mistake. But there are exceptions. The data from telephone counseling services and professional secrecy keepers as pastors, lawyers, doctors and journalists will not be saved.

In contrast to the American procedure, the access to data may only take place with judicial approval and for serious offenses (eg. as terrorism, murder, harmful robbery). The persons concerned are informed in advance, only to judicial approval of a clandestine use they are infromed afterwards.

Criticism of the new Data Retention Law

The Stanford University has conducted a study with 546 participants. In this experiment, the call behavior of each was analyzed by calling more than 30,000 numbers in a certain period of time. It is frightening, what facts were read from the phone calls. Information on diseases, abortion, divorce wishes and political and religious convictions could be analyzed. Although no content of telephone calls are recorded in Germany, an SMS can already reveal a lot about one's life.

Another criticism is the future overloading of courts. While an approval only needs to be signed, a rejection entails bureaucratic paperwork and justifications. Doesn't this pre-programm a certain procedure under stressful working conditions?

The Digital Courage e.V. is planning a constitutional complaint. Since 1987, the Association is dedicated to fundamental rights and data protection. In 2000, they introduced the Big Brother Awards in Germany. Each year, the negative prizes are given to those who interfered the privacy of individuals in a particular way or who made personally identifiable information available to third parties.

This year the prize went to the category "public administration" to the Federal Intelligence Service, the Bundesnachrichtendienst. The award was justified with the close cooperation of the BND with the NSA and the mass collection and transmission of telecommunications data.

The Greens also announced a lawsuit against the retention. To their point of view it is a restriction of fundamental rights.

International Data Rentention

Although the retention was no law in Germany until October 10th, 2015, the various EU member states already busily used it before. Whether Bulgaria, France, Ireland, Sweden, Hungary and Great Britain, the month-long storage of data was and is omnipresent.

Society longs for protection and safety, as long as there is no interference with the personal comfort zone. German politicians criticized other states and now do it likewise. 2013 the Chancellor responded shocked about the fact that the American secret service was spying on her cell phone, chronicled her data and discussions and thus violated their privacy.

In the US, data retention exists much longer. 1992 the DEA (Drug Enforcement Administration) stored calls abroad without any evidence, to combat drug trafficking. After the attacks of September 11th, 2001, the USA PATRIOT Act was adopted to block terrorism with the NSA storing and analyzing phone metadata. The monitoring rights of the FBI were strengthened through the Federal Act, house searches were carried out without the knowledge of the persons concerned and insights into financial data of bank clients were permitted without any evidence of a crime.

At least the revelations of Edward Snowden 2013 about the spying program PRISM split the the US people. So a reform of the federal law became necessary and the US Freedom Act replaced the old one on June 2nd, 2015. Large jumps do not exist. The NSA is allowed continue to monitor fixed line and mobile connections, but this data must be given to the telephone companies for storing after a period of six months. The mass surveillance of non-US Communications will continue without reservation and espionage abroad has not been reformed.

Facing this perhaps the retention in Germany does not appear so drastic, but everything is so closely entangled that it is hardly possible to find a trustful protection.

Safe Harbor Agreement

Between all the data chaos by the safe harbor agreement was invalidated two weeks ago. The Safe Harbor agreement is an arrangement between the EU and the US, which allows companies to submit personally identifiable information in accordance with the European Data Protection Directive of the EU to the US. The European Commission recognized members who guaranteed sufficient protection of personal data. A supervisory committee there was not this. Members have included Facebook, Google and Amazon. Overall, 5,500 US companies were involved.

The Austrian jurist and privacy activist Maximilian Schrems had strongly criticized that no adequate protection of his data is guaranteed because of the American mass surveillance. He had sued Facebook in Ireland for the fact that his Facebook data are communicated to the US headquarter by the Irish Facebook headquarter. After a lawsuit through several instances, ultimately, the ECJ considered the objections and came to the conclusion that fundamental rights have been infringed such as the respect for private life and an effective legal protection. It was also confirmed that victims have the right to inquire about the status of their data protection in national courts.

What does this mean for businesses?

The court's decision has far-reaching significance for US Internet companies, for whom it is now more difficult to transmit data of Europeans to the United States. But German companies that rely on US services are not less affected by the judgment.

In particular, the judgment is likely to affect smaller companies, which had previously relied completely on Safe Harbor. Every company is now responsible for its own legal framework, which means a great effort. Heavyweights such as Facebook or Google with their big legal departments can easily work out the necessary contracts for data transmission without Safe Harbor.

Until February should be considered whether further rights clauses are affected by the judgment. Many companies have hedged by so-called standard contractual clauses. Until then, privacy protectionists ask companies, on what legal basis they send data to the United States. Privacy advocates call for a rapid clarification and an enhanced agreement. A consensus is currently pending.

Perhaps this is the best opportunity to think about an alternative and to protect confidential information from US authorities. A criterion under privacy aspects should be the location of the data center. Even if the confidence in the German policy is clouded, still different rules than in the US apply. Also the law on data retention can still be tilted in this country. Although in this case there is not needed approval of the Bundesrat, however, it may decide to convene the Conciliation Committee in the so-called second passage on Novemebr 6th, 2015, as a basis to lodge an appeal. Should the law enter into force without the Bundesrat veto, proceedings before the Federal Constitutional Court are inevitable.

What can you do now and in the future for the security of your data?

Check your hosting provider, you can research your options, if necessary, consider a provider change. Do not be confused by this data chaos and weigh the best options for yourselves. Legal framework, location or certifications are certainly important criteria for the choice of the hosting provider, but in the first place trust and transparency are. Therefore, we are open to a personal on-site consultation at our premises and our customers also regularly take advantage of the opportunity to visit our data centers.