Even as the European Union attempts to tighten privacy laws, law-enforcement interests have won a battle in Germany: a new law forces communications service providers there to once again make data about their customers’ communications available to police.
On Friday morning, the German parliament approved a law requiring ISPs and mobile and fixed telecommunications operators to retain communications metadata for up to ten weeks.
The country has had an on-again, off-again affair with telecommunications data retention, first introducing a law requiring it in 2008 to comply with a European Union directive.
The German Federal Constitutional Court overturned that law in March 2010 after finding it conflicted with Germany’s privacy laws, prompting the European Commission to take the country to court in May 2012 to enforce the directive.
In April 2014, it was the turn of the EU’s highest court, the Court of Justice of the EU, to overturn the directive itself on the grounds that it, too, interfered with fundamental privacy rights.
The CJEU has also just overturned the so-called Safe Harbor agreement between the Commission and U.S. authorities on the transfer of private personal data to the U.S. because the agreement did not provide Europeans with sufficient privacy protection from U.S. law enforcement.
The CJEU’s and the Constitutional Court’s previous decisions didn’t discourage German lawmakers from reintroducing the requirement for service providers to conserve the connection data of all their customers, though.
There’s a ten-week limit for information about who called whom and when, which IP addresses were attributed to whom and when, and who sent SMS text messages to whom. A four-week limit applies to the location from which an SMS was sent. The content of communications is not stored, and email is exempt from the law.
The German parliament plans to review the law once there is sufficient statistical information about its effectiveness in reducing crime.