Details

Parent Category: Practicalities

Created on Wednesday, 17 March 2010 08:32

Last Updated on Friday, 28 December 2012 19:03

Rentention of Data Collected by Telecommunication Providers – Now Passé

What once was dubbed as “big electronic eavesdropping (Großer Lauschangriff)” allowed prosecution and intelligence authorities, since 2008, to go far beyond the scope of the constitution to spy on citizens. The Act on Storage of Hoarded Data tried to establish these authorities as the rulers of bits and bytes. However, the Federal Constitutional Court curbed this with its latest judgment of March 2, 2010 (re1 BvR 256/08, 1 BvR 263/08, 1 BvR 586/08). This article is on the biggest ever class action case of this court with almost 35,000 (thirty five thousand) applicants.

The BVerfG judged and reacted unmistakably: The Act on Storage of Hoarded Data violates art. 10 I GG and is therefore null and void. Any and all collected data is to be deleted without undue delay. Why did the judges decide for such a drastic measure – without an interim period?

§§113a, 113b TKG regulated the storage of collected data without cause and the recalling of the stored traffic data from the authorities for prosecutional and intelligence purposes. These provisions were added to meet the European Directive on hoarding of data. The different offices were authorized to collect for use the data by their special statutes. §100g StPO enabled the public prosecutor and §20m Act on Federal Criminal Police Office the Bundeskriminalamt to obtain such data for purposes of prosecution, as a defense from unspecified danger and for intelligence purposes. Further regulations are in the police acts for the various states. The telecommunication providers (phone, internet, mobile) were obligated on behalf of the authorities to collect connection data on the use of

• a mobile / landline phone,
• eMail correspondence,
• internet use,
  as well as
• positioning cell phones.

All this for six months.

Several constitutional complaints (Verfassungsbeschwerden) were filed because the applicants believed their constitutional rights to be infringed. These constitutional rights were the right of informatory self-determination and secrecy of telecommunication (art. 10 I GG). They argued that such storing without any concrete reason or purpose was unreasonable. Based on the amount of the stored data, movement and personality profiles could be made. Besides, certain professions considered themselves infringed in their constitutional right of work (art. 12 GG) because they were statutorily obliged to keep entrusted information secret. These were lawyers, notaries, journalists, physicians, tax consultants, etc. When such information would get “accidently” lost, this would clearly trouble the client-professional relationship in the deepest. Anonymisizing services were virtually forbidden. In the case, the BVerfG considered itself not as competent because European directive (2006/24/EC)was to be interpreted and then this case were to be brought to the ECJ.

The judges in Karlsruhe attested constitutional deficits because the lawmaker did not provide for sufficient rules on data security, limitations on the use of this data, necessary transparency, and legal protection. However, it was not generally prohibited to collect such data – only the means was illegal.

This mass storage of phone and internet data violates the constitution because:

• regulations are much too indifferent,
• High standards for backups are missing,
• no certain purposes of use of information exist.

The court further determined that all collected data is to be deleted without undue delay. The principle of reasonability (“Verhältnismäßigkeit”) requires that the statutory arrangement considers special weight of this encroachment upon these constitutional rights. Required are sufficiently sophisticated and clear provisions concerning the data’s security, use, as well as transparency and legal recourse. The possibility of misuse gives communicating persons the feeling of being personally monitored:

• the connection data allow conceptual conclusions deep into private spheres,
• meaningful personality and movement profiles can be extracted and exploited,

A largely open data pool levers the relationship between storing and purpose of storing. However, the judges did not generally rule out such data collection and also do not question the legitimacy of the EU directive, which is the legal basis for this regulation in German law.

Since telecommunication data is of special importance for criminal prosecution and the averting of danger, collecting such data may also in future be collected but only under certain measures. The storage of this kind of information constitutes an aggravated encroachment such as Germany’s legal order has not yet experienced. Such encroachment is therefore subject to strictest requirements. These strictest requirements have by far not been met by the current regulation.

EU-Directive is Compliant to the Constitution

The compliance of the law on retaining telecommunication transmission within the constitution is inevitably derived from the directive itself. The Council Directive 2006/24/EC was passed in order to achieve a uniform retention of such data. So far all member states have passed very diverse regulations on retaining telecommunications transmission data. The directive only aims at harmonization. How such law on retention is structured is a matter of the individual member state. The Directive only provides the obligation to have such law in the realms of criminal prosecution. Germany, however, wanted to extend the official access to the area of averting threats as well as the, intelligence services. This is the reason that the directive was not tried by the European Court of Justice. Germany’s Federal Constitutional Court is only competent to determine whether European law conflicts with the (federal) German constitution or not. In other words, what the directive does not regulate, the court cannot test.

Security of the Data must be Guaranteed

Since these retained data are sensitive transaction data, a binding regulation of the data security is required. Such data collected is that is collected via telephone, internet, eMail, cell phone (incl. Short messages and multimedia messages); such as time and place of sending or receiving of message, sender and recipient, etc. Pursuant to the act, the contents are actually not to be stored. This might work with internet data but when saving text of picture files this is technically not possible. Anyhow, when no information on the contents will be saved, a profile on the likes and dislikes of a person can be made based on the transmission data. This goes so far that movement and personality profiles are possible.

For this reason, the BVerfG demands that with retention of telecommunication data highest security standards must be guaranteed. Since the telecommunication providers are under cost load and in competition it is mandatory that the lawmaker bindingly requires from them the highest technical security measurements. The storage at the telecommunication provides was not objected by the Federal Constitution Court judges. The wardens of the constitution considered it as important that retaining is performed decentralized and especially not at a super data-agency. Direct access to the retained data is refused by the constitution to the authorities. The first chamber of the court has expressly emphasized that the security standards, that the providers must meet, may not simply be transferred. The highest technical standards are to be kept.

Restrictions on the Use of the Data

Retaining and use of retained data pursuant to §113a TKG demonstrates such an aggravated encroachment in one’s personal rights which may only be permissible for superior interests protected by law. This determines the use of data by the authority’s duties. When the data is to be used for criminal prosecution, then a reasonable suspicion based on facts of a serious felony. In order to avert danger, the authorities may only retrieve this data when a concrete danger for life, limb, and freedom of a person or security of the state or country exists. The first chamber of this court, emphasized that these high obstacles must also be applied to intelligence services. The court expressly confirmed the application of the restricted data use for intelligence even though they are often used for preliminary investigations.

These high obstacles have not been codified just for a ban on transmission of especially personal and private data. Not only citizens but also members of certain professions who counsel in difficult personal problems like physicians, teacher, pastors via phone, eMail and other means of communication are greatly affected. The judges therefore demand that any transmittance of such data is to be strictly and generally banned. These problems may not be exploited by any authority.

Transparency of Retention and Exploitation

The Act on Retaining Data also lacks transparency. Randomly retaining data increases the citizen’s risk to be subjected to further prosecution by state authorities – without having just cause. Additionally, in default of an obligation to inform and subsequent legal protection, persons have the feeling of being under state monitoring. And this feeling in an individual can influence the communication and privacy of all.

The court understands as transparency that the citizen must be relieved of the feeling of the threat of a permanent surveillance. Therefore, person-related data must be publically obtained and used. Usage with knowledge of the affected person is to be strictly limited to such cases in which otherwise the goal of an examination would be jeopardized. If the secret use of the retained data is necessary and has been ordered by a judge, it will be permitted.

When this is the case, the affected person must be informed of the measure. The lawmaker must arrange the obligation to report to the affected person so that he can know of such afterwards. Exceptions to this liability are to subjected to court control.

Legal Recourse and Sanctions in Cases of Misuse

Eventually, the lawgiver will have to develop a suitable system to provide legal recourse as well as means of sanctions in the event of unauthorized use of retained data by the authorities. Everybody is to be entitled to have the court check an authority’s access to the retained data. This duty derives from the state obligation to protect the free development of its citizen’s personality.

Parliament can revert to already existing sanctions: exclusion of evidence (illegally obtained), state liability especially for immaterial damages. An interesting remark from the BVerfG in this context: When a telecommunication provider violates his duty to retain data this company’s fine will be higher than the fine for an office. The lawmaker has to eliminate this lopsided scheme of sanctions. A new regulation for data retention must come because the EU Directive 2006/24/EC obligates this.

Remark

One thing is for sure: the costs of this lawmaker’s malperformance will be paid by the Government, in other words the tax payers. But this is only the lesser evil. Doubtless maintaining the retained data would have cost citizens more: their privacy. That is an invaluable estate. The Federal Constitutional Court pointed out this very clearly.

This is a big slap in the face of the government – whichever coalition is really to be blamed. Evidently, the responsible persons, i.e. parliament, did not do its homework. And then politicians wonder on the fact that the electorate is reluctant to vote…

Need a new Provider to wipe out your traces? Check these ones out:
VoIP for Businesses:
sipgate team" target="_blank">