GER-2010-1-005
a)  Germany / b)  Federal Constitutional Court / c)  First Panel / d)  02-03-2010 / e)  1 BvR 256/08, 1 BvR 263/08, 1 BvR 586/08 / f)  Data retention / g) / h)  Neue Juristische Wochenschrift 2010, 833-856; Wertpapier-Mitteilungen 2010, 569-586; Europäische Grundrechte-Zeitschrift 2010, 85-121; Deutsches Verwaltungsblatt 2010, 503-509; Kommunikation und Recht 2010, 248-254; CODICES (English, German).
 
Keywords of the systematic thesaurus:
 
 
Sources - Categories - Written rules - Law of the European Union/EU Law.
General Principles - Weighing of interests.
Fundamental Rights - Civil and political rights - Inviolability of communications - Telephonic communications.
 
Keywords of the alphabetical index:
 
Data, retention / Media, data, telecommunications traffic, storage / Media, data, telecommunications, retrieval and use / Media, telecommunication service, providers, storage, duty / Media, data, telecommunications traffic, security.
 
Headnotes:
 
1. Storage of telecommunications traffic data without cause for six months by way of precaution by private service providers as set out in set out in Directive 2006/24/EC of the European Parliament and the Council of 15 March 2006 (OJ L 105 of 13 April 2006, p. 54) is not in itself incompatible with Article 10 of the Basic Law; any potential priority of the Directive is therefore not relevant to the decision.
 
2. The principle of proportionality requires the formulation of the legislation on such storage to take appropriate account of the particular weight of the encroachment upon fundamental rights constituted by the storage. Sufficiently sophisticated and well-defined provisions are required with regard to data security, to the use of the data, to transparency and to legal protection.
 
3. Guaranteeing data security and the restriction of the possible use of data, in well-defined provisions, are inseparable elements of legislation that create a duty of data storage, the responsibility of the Federal legislature, under Article 73.1.7 of the Basic Law. In contrast, the responsibility for creating the retrieval provisions themselves and for drafting the provisions on transparency and legal protection depends on the legislative competence for the respective subject-matter.
 
4. With regard to data security, there is a need for statutory provisions which lay down a particularly high security standard in a well-defined and legally binding manner. It must be ensured by statute, at all events fundamentally, that this standard is oriented to the state of development of the discussion between specialists, constantly absorbs new knowledge and insights and is not subject to a free weighing of interests against general business considerations.
 
5. The retrieval and the direct use of data are only proportionate if they serve overridingly important tasks of the protection of legal interests. In the area of the prosecution of criminal offences, this requires the suspicion of a serious criminal offence based on specific facts. For warding off danger and for performing the duties of the intelligence services, they may only be permitted if there is actual evidence of a concrete danger to the life, limb or freedom of a person, to the existence or the security of the Federation or of a Land or to ward off a danger to public safety.
 
6. A merely indirect use of data by the telecommunications service providers to issue information with regard to the owners of Internet Protocol addresses is permissible, even independent of restrictive lists of legal interests or criminal offences, for the prosecution of criminal offences, for warding off danger and for carrying out intelligence-services duties. For the prosecution of regulatory offences, such information can only be allowed to be given in cases of particular weight expressly named by the legislature.
 
Summary:
 
The constitutional complaints challenge §§ 113a, 113b of the Telecommunications Act (Telekommunikationsgesetz, hereinafter, "the Act") and § 100g of the Code of Criminal Procedure (Strafprozessordnung) to the extent that the latter permits the collection of data stored pursuant to § 113a of the Act.
 
According to § 113a of the Act, the providers of publicly accessible telecommunications services have a duty to store virtually all traffic data of telephone services, email services and Internet services without cause, by way of precaution. The duty of storage essentially extends to all information that is necessary in order to reconstruct who communicated or attempted to communicate when, how long, to whom, and from where. The contents of the communication, and consequently the details of what Internet pages are visited by users, are not to be stored. At the end of the six months in which the duty of storage exists, the data are to be deleted within one month.
 
§ 113b of the Act governs the purposes for which these data may be used. This provision broadly designates intended uses that are possible in general; these are to be put in concrete terms by provisions passed by the Federal Government and the Länder (states). In the first half-sentence of the first sentence of § 113b, the possible purposes of the direct use of the data are listed: the prosecution of criminal offences, the warding off of substantial dangers to public security and the performance of intelligence tasks. The second half-sentence permits the indirect use of the data for information under § 113 of the Act in the form of a claim to information from the service providers in order to identify IP addresses. This provides that if authorities know an IP address, they may demand information as to the user to whom this address was allocated. The legislature permits this for the purposes of the prosecution of criminal offences and regulatory offences and the warding off of danger independently of more specific definitions. There is neither a requirement of judicial authority nor a duty of notification.
 
§ 100g of the Code of Criminal Procedure putting the first half-sentence of the first sentence of § 113b of the Act into specific terms, governs the direct use for criminal prosecution of the data stored by way of precaution. The provision governs all access to telecommunication traffic data. It also permits access to connection data that are stored by the service providers for other reasons (for example in order to carry out business transactions). The legislature does not differentiate in this respect between the use of the data stored by way of precaution under § 113a of the Act and other traffic data. It permits even the retained data to be used independently of an exhaustive list of criminal offences for the prosecution of criminal offences of substantial weight. Pursuant to an examination of proportionality based on the individual case, the data may be used generally to prosecute criminal offences that are committed via telecommunications. There must be a prior judge's decision. The Code of Criminal Procedure also provides for duties of notification and subsequent judicial relief in this connection.
 
The challenged provisions implement Directive 2006/24/EC of the European Parliament and the Council on the retention of data of the year 2006. This Directive provides that the providers of telecommunications services must be put under an obligation to store the data described in § 113a of the Act for a minimum of six months and a maximum of two years and to keep them available for the prosecution of serious criminal offences. The Directive contains no more detailed provision on the use of the data. The data protection measures are also largely left to the Member States.
 
II. The provisions of the Act and of the Code of Criminal Procedure on data retention are not compatible with Article 10.1 of the Basic Law (protection of the secrecy of telecommunications).
 
The challenged provisions do not satisfy the requirements set out in the Headnotes of the decision. The reason why § 113a of the Act is unconstitutional is not simply that the scope of the duty of storage would have to be regarded as disproportionate from the outset. But the provisions on data security, on the purposes and the transparency of the use of data and on legal protection do not meet the constitutional requirements. In consequence, the whole legislation lacks a structure complying with the principle of proportionality.
 
Even the necessary guarantee of a particularly high standard of data security is missing. The Act essentially refers only to the care generally needed in the field of telecommunications. Putting the measures in more specific terms is left to the individual telecommunications service providers. The persons with a duty of storage are neither required in a manner that can be enforced to use instruments to guarantee data security, nor is a comparable level of security otherwise guaranteed. There is also no balanced system of sanctions that attributes more weight to violations of data security than to violations of the duties of storage themselves.
 
The provisions on the use of data for criminal prosecution are also incompatible with the standards developed from the principle of proportionality. Alternative 1 of sentence 1 of § 100g.1 of the Code of Criminal Procedure does not ensure that, in general and in individual cases, only serious criminal offences may be the cause for collecting the relevant data.
 
Nor does § 100g of the Code of Criminal Procedure comply with the constitutional requirements, in that it permits data retrieval not merely for individual cases to be confirmed by a judge, but as a general rule even without the knowledge of the person affected.
 
The very structure of alternatives nos. 2 and 3 of sentence 1 of § 113b of the Act does not satisfy the requirements of sufficient limitation of the purposes of use. The Federal legislature contents itself with sketching, in a general manner, the fields of duty for which data retrieval in accordance with later legislation, in particular legislation of the Länder, is possible. In this way it does not satisfy its responsibility for the constitutionally required limitation of the purposes of use.
 
The formulation of the use of the data stored under § 113a of the Act is also disproportionate in that no protection of confidential relations is provided for the transmission. At least for a narrowly defined group of telecommunication connections, which rely on particular confidentiality, such a protection is a fundamental requirement.
 
Half-sentence 2 of sentence 1 of § 113b of the Act does not satisfy the constitutional requirements insofar as it makes the information on data possible for the general prosecution of regulatory offences, without further limitation, and as it does not provide duties of notification following the provision of such information.
 
The violation of the fundamental right to protection of the secrecy of telecommunications under Article 10.1 of the Basic Law makes §§ 113a and 113b of the Act void, as it does the first sentence of § 100g.1 of the Code of Criminal Procedure insofar as traffic data under § 113a of the Act may be collected under this provision. The challenged norms are therefore to be declared void, their violation of fundamental rights having been established.
 
With regard to the assessment of §§ 113a and 113b of the Act as unconstitutional, the decision was passed by seven votes to one as regards its result, and with regard to further questions of substantive law it was passed by six votes to two, to the extent shown in the two dissenting opinions.
 
The Senate decided by four votes to four that the provisions are to be declared void, and not merely incompatible with the Basic Law.
 
Languages:
 
German, English (on the Court´s website).