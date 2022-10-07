Although data retention in Germany contradicts European law, the highest EU court allows exceptions.


The jubilation of civil rights activists came too soon when the European Court of Justice (ECJ) announced its judgment on data retention in Germany on September 20. In principle, “Union law precludes general and indiscriminate storage of traffic and location data,” said the headline of a first communication from the court – which is why the German law is contrary to European law. However, as in previous judgments on the subject, the ECJ formulated some exceptions that open up a wide scope for new attempts.


The ruling goes back to an amendment to the German Telecommunications Act (TKG) from 2015. At that time, the coalition of CDU/CSU and SPD had enforced that providers have to store traffic data for ten weeks and, if necessary, hand them over to law enforcement authorities. These can then trace who called whom when and assign IP addresses to their connection owners. According to the TKG amendment, mobile phone locations recorded by radio cells should be stored for four weeks.

After a successful lawsuit by the providers SpaceNet and Telekom at the Cologne Administrative Court, the Federal Network Agency suspended these obligations until final legal clarification. In 2019, the Federal Administrative Court, as the highest German instance, dealt with the matter and finally asked the ECJ whether the TKG amendment was compatible with EU law.

“Quick Freeze” – a lazy compromise

A commentary by Dennis-Kenji Kipker

The content of the ECJ decision is by no means as groundbreaking as some would like to make it out to the public. On the contrary: The ECJ states that at least a targeted, general and indiscriminate storage of traffic and location data should continue to be possible. Government circles are now only too eager to say that the judgment is now being examined legally, which ultimately means nothing more than that you want to find out what digital surveillance is just about compatible with our European fundamental rights. And even this legal examination could actually be saved, because at least since the coalition agreement, the plans for the “little brother” of data retention have already been in the drawers, which will be called “Quick Freeze”.

The difference? Traffic data will be stored by the providers as before and regularly deleted until the authorities “freeze” them at short notice as required. What the traffic light coalition is now hailing as a grand victory for digital civil rights, as if it grew out of their shit, is ultimately a rotten compromise and another take on the same tune we’ve had to endure on the subject since the 2000s.

It would have been much more sensible and somehow more logical to finally take the ECJ ruling as an opportunity to subject the German surveillance legislation to a general reassessment – and to look in the junk room of often outdated state surveillance instruments to see what is still really needed and what definitely can go. This also includes any form of data retention, regardless of the name under which it is sold to us.

A look at the expansion of the digital security architecture since September 11, 2001 makes it clear: There are more than enough surveillance laws, and quite a few of them are now very old. The traffic light government itself had prescribed a “monitoring accounting” in its coalition agreement. Even today, “interventions by the state in civil liberties must always be well justified and considered in their overall effect,” the work reads. In a constitutional state, every law must withstand a constitutional weighing of interests. However, it could later swing much more strongly in favor of digital civil rights than when a law was created. But instead of holding your own nose and turning in circles for better orientation, politicians are already digging out the next surveillance project with Quick Freeze.

The lawyer Prof. Dennis-Kenji Kipker researches and teaches IT security law at the Bremen University of Applied Sciences.

The ECJ denied this and found, among other things, violations of the EU Charter of Fundamental Rights: “Very precise conclusions” can be drawn from the stored data, for example about people's private lives, about habits of daily life or “changes of location every day or at a different rhythm”. Even strict access barriers to the data stored without cause could “neither limit nor eliminate the serious interference with the rights of those affected”.

No but …

Although the ECJ basically said “no” to data retention, it at the same time opened some back doors for the German legislature. For example, the state may oblige providers to retain data if they “face a serious threat to national security that can be classified as real and current or foreseeable”. The measure should be limited to an “absolutely necessary” period, but it can be extended.





After the verdict, the justice and interior ministers of the federal states called for a quick draft law from the federal government that implements the specifications of the ECJ. (Image: Sven Hoppe/dpa)

In addition, the ECJ allows data retention in geographically limited areas “to combat serious crime and to prevent serious threats to public security”. The problem is that no one knows exactly what “serious crime” means. In other words, everyone understands what suits them politically. It would be possible to draft a law that would allow traffic data to be stored without cause, for example at train stations, airports or crime hotspots defined by the police.

According to the ECJ, “serious crime” certainly includes “the acquisition, dissemination, transmission or provision of child pornography on the Internet”, as can be seen from the full text of the judgment. And it is precisely for these offences that the ECJ suspends its ban: hidden in subsection 101 of the judgment, it states that in “combating the sexual abuse and sexual exploitation of children and child pornography” the interest in criminal prosecution outweighs data protection, and that for this area of crime the retention of IP addresses without cause is generally permitted. But how can providers recognize the law enforcement purpose for which they are storing data? The ECJ leaves this question open.

The highest EU court kicked the ball back into the political arena with verve. Already on the day the verdict was announced, the old lines of conflict between the SPD on the one hand and the FDP and the Greens on the other broke within the federal government. Federal Interior Minister Nancy Faeser (SPD) called for the scope for storage opened up by the ECJ to be exhausted. In order to make investigations into sexualised violence against children more effective, the retention of IP addresses is necessary – however, she has so far failed to provide any evidence for this thesis. A week later, Faeser received support from the majority of the state justice and interior ministers who met in Munich on the subject.

On the other hand, there is a promise that the traffic light government made in the coalition agreement. The paper says literally: “We will design the regulations for data retention in such a way that data can be stored in a legally secure manner and by judicial decision.” It is precisely this agreement that the FDP and the Greens are now referring to. It is likely to result in a showdown between Nancy Faeser and her cabinet colleague Marco Buschmann (FDP), the Federal Minister of Justice.

Approaching showdown

Buschmann first announced talks with Faeser and, a short time later, a draft law that would only provide for event-related traffic data storage – the so-called “quick freeze”: With this procedure, providers store all data relating to a person at the request of a law enforcement agency, both towards the past and towards the future. If the suspicion is substantiated, the authority can request this data on the basis of a judicial decision.

This is not enough for advocates of data retention like Faeser, because allegedly providers no longer hold any data for billing purposes because of the flat rate tariffs. For critics of “Quick Freeze”, even this event-related storage goes too far (see comment). So it remains open until the showdown whether Buschmann’s first comment on the ECJ judgment will endure: “Today is a good day for civil rights!”


