German Data Retention Law Takes Effect

Under the new law, telecommunications and Internet access providers, and possibly employers providing Internet access to employees, must retain certain data for a longer time. This requirement applies not only to providers of mobile phone, telephone, Voice over Internet Protocol ('VoIP') and fax services, but also to e-mail service providers. The retention obligation applies to data that are necessary to identify the user.

The legislation extends the obligation to collect master data, which previously applied only to telephone connections or numbers, to include e-mail accounts and DSL connections.

Thus ' unlike before ' even the e-mail provider has to implement certain structures to ensure the collection and verification of user identification data prior to offering the service.

New Requirements, New Safeguards

Until Jan. 1, users could easily use fake identification data to register for a free e-mail account. Now, the data to be stored will include, among other things:

• The owner's name and address (and the subscriber line);
• The identification or calling number; and
• For mobile phones, the equipment ID (the 'IMEI,' or international mobile equipment identity number used to identify 'GSM,' or global system for mobile communications devices, and 'UMTS,' or universal mobile telecommunications system phones).

Telecom service providers also must store traffic data, i.e., data accruing during use. In the case of phone calls, providers must store the calling-party number and the called-party number, as well as the call's time and duration.

In the case of mobile-phone connections, providers are required to store additional data, such as:

• The call-line identification;
• The equipment ID; and
• The user's location.

In the case of e-mail transmissions, the following information must be stored:

• The sender's address;
• The recipient's address;
• The sender's IP address; and
• The time of use.

In addition, each instance in which the mailbox is used must be recorded and stored, with IP address and time of use, regardless of whether any e-mails have been transmitted. Internet access providers are required to store the IP address, and each session's start and end time. These obligations will also apply to services that make information and calls anonymous.

Making Crackdowns Easier

In many ways, the new law will mark a shift away from the current privacy paradigm. Up to now, such data could either not be collected, had to be deleted practically immediately upon completion of an operation or, at the latest, upon settlement of accounts. Now, the data must be retained for six months. During that time, security authorities may access the stored data to the extent necessary to:

• Prosecute offenses;
• Prevent serious hazards to public safety; or
• Fulfill statutory duties of the Federal and Regional Offices for the Protection of the Constitution, the Federal Information Service and the Military Counter-Intel-ligence Service. In this respect, the scope of the new law is significantly broader than that of the Directive.

Controversy Dogs Bill

This bill and its passage have been criticized by various parties. The dominant view among legal scholars is that the European Data Retention Directive itself violates the EC Treaty due to jurisdictional problems. In addition, its incorporation into German law has raised serious constitutional concerns.

A constitutional complaint signed by more than 30,000 citizens was filed Dec. 31. Additionally, preliminary injunctions have been requested. If the Constitutional Court grants the petition, then the law would be impeded until a decision is rendered. As of late January, the Constitutional Court hadn't decided on the petition.

The legislative bodies have pointed out several times that the retention obligation applies only to the circumstances of the communication and not to the content of the information communicated. The telecommunications providers, who will be responsible for the technical implementation, have referred to the enormous costs involved in storing the data and the extension of identification. They will have to adapt, and upgrade or replace, their equipment, and hire additional staff. According to a preliminary estimate of the industry association Bitkom (http://www.bitkom.org/), the cost of upgrading the equipment could run as high as 75 million euros, plus annual overhead in the double-digit million euro range.

President Horst Kohler was repeatedly asked not to sign and promulgate the new law, but decided otherwise. Thus, the law has taken effect despite the objections raised against it, and must be complied with by the parties concerned, under penalty of a fine.

The controversial German draft bill designed to amend legislation on communications surveillance and other secret investigation measures, and to implement the European Directive 2006/24/EC ' which was set to introduce mandatory retention of communications traffic data ' went into effect on January 1.

More Than the EU Standard

The new law implements not only the European Data Retention Directive, but contains certain other requirements that exceed the Directive's.

Under the new law, telecommunications and Internet access providers, and possibly employers providing Internet access to employees, must retain certain data for a longer time. This requirement applies not only to providers of mobile phone, telephone, Voice over Internet Protocol ('VoIP') and fax services, but also to e-mail service providers. The retention obligation applies to data that are necessary to identify the user.

The legislation extends the obligation to collect master data, which previously applied only to telephone connections or numbers, to include e-mail accounts and DSL connections.

Thus ' unlike before ' even the e-mail provider has to implement certain structures to ensure the collection and verification of user identification data prior to offering the service.

New Requirements, New Safeguards

Until Jan. 1, users could easily use fake identification data to register for a free e-mail account. Now, the data to be stored will include, among other things:

• The owner's name and address (and the subscriber line);
• The identification or calling number; and
• For mobile phones, the equipment ID (the 'IMEI,' or international mobile equipment identity number used to identify 'GSM,' or global system for mobile communications devices, and 'UMTS,' or universal mobile telecommunications system phones).

Telecom service providers also must store traffic data, i.e., data accruing during use. In the case of phone calls, providers must store the calling-party number and the called-party number, as well as the call's time and duration.

In the case of mobile-phone connections, providers are required to store additional data, such as:

• The call-line identification;
• The equipment ID; and
• The user's location.

In the case of e-mail transmissions, the following information must be stored:

• The sender's address;
• The recipient's address;
• The sender's IP address; and
• The time of use.

In addition, each instance in which the mailbox is used must be recorded and stored, with IP address and time of use, regardless of whether any e-mails have been transmitted. Internet access providers are required to store the IP address, and each session's start and end time. These obligations will also apply to services that make information and calls anonymous.

Making Crackdowns Easier

In many ways, the new law will mark a shift away from the current privacy paradigm. Up to now, such data could either not be collected, had to be deleted practically immediately upon completion of an operation or, at the latest, upon settlement of accounts. Now, the data must be retained for six months. During that time, security authorities may access the stored data to the extent necessary to:

• Prosecute offenses;
• Prevent serious hazards to public safety; or
• Fulfill statutory duties of the Federal and Regional Offices for the Protection of the Constitution, the Federal Information Service and the Military Counter-Intel-ligence Service. In this respect, the scope of the new law is significantly broader than that of the Directive.

Controversy Dogs Bill

This bill and its passage have been criticized by various parties. The dominant view among legal scholars is that the European Data Retention Directive itself violates the EC Treaty due to jurisdictional problems. In addition, its incorporation into German law has raised serious constitutional concerns.

A constitutional complaint signed by more than 30,000 citizens was filed Dec. 31. Additionally, preliminary injunctions have been requested. If the Constitutional Court grants the petition, then the law would be impeded until a decision is rendered. As of late January, the Constitutional Court hadn't decided on the petition.

The legislative bodies have pointed out several times that the retention obligation applies only to the circumstances of the communication and not to the content of the information communicated. The telecommunications providers, who will be responsible for the technical implementation, have referred to the enormous costs involved in storing the data and the extension of identification. They will have to adapt, and upgrade or replace, their equipment, and hire additional staff. According to a preliminary estimate of the industry association Bitkom (http://www.bitkom.org/), the cost of upgrading the equipment could run as high as 75 million euros, plus annual overhead in the double-digit million euro range.

President Horst Kohler was repeatedly asked not to sign and promulgate the new law, but decided otherwise. Thus, the law has taken effect despite the objections raised against it, and must be complied with by the parties concerned, under penalty of a fine.