The First Senate of the Federal Constitutional Court has ruled that the provisions of the Telecommunications Act (TKG) and the Code of Criminal Procedure (StPO) concerning data retention are incompatible with Article 10, Paragraph 1 of the Basic Law.
The constitutional complaints are directed against Sections 113a, 113b of the TKG and Section 100g of the StPO, insofar as the latter permits the collection of data stored under Section 113a TKG. These provisions were introduced by the Act on the Reorganization of Telecommunications Surveillance of December 21, 2007.
Section 113a TKG stipulates that publicly accessible telecommunications service providers are obliged to proactively and without specific cause store virtually all traffic data from telephone services (landline, mobile, fax, SMS, MMS), email services, and internet services. The retention obligation essentially extends to all information necessary to reconstruct who communicated with whom, when, for how long, and from where, or attempted to communicate. Conversely, the content of the communication, and thus also which websites are accessed by users, is not to be stored. After the six-month retention period expires, the data must be deleted within one month.
Section 113b TKG regulates the permissible purposes for which this data may be used. The provision functions as a hinge norm: it does not itself contain authorization for data retrieval, but rather broadly outlines generally possible uses that are to be specified by specialized legal regulations of the federal government and the states. Sentence 1, first half-sentence, lists the possible purposes for the direct use of the data:
The prosecution of criminal offenses, the averting of significant threats to public safety, and the fulfillment of intelligence service tasks. The second half-sentence additionally permits the indirect use of data for information requests under Section 113, Paragraph 1 TKG, in the form of a right to information against service providers for the identification of IP addresses. Authorities can, if they already know an IP address, for example through a report or their own investigations, demand information on which subscriber this address was assigned to. The legislator permits this independently of more restrictive provisions for the prosecution of criminal offenses and administrative offenses, as well as for averting dangers; neither a judicial reservation nor notification obligations are provided for in this regard.
Section 100g StPO regulates – in concretization of Section 113b, Sentence 1, Half-sentence 1, No. 1 TKG – the direct use of proactively stored data for criminal prosecution. Overall, the provision is broader and regulates access to telecommunications traffic data in general. It therefore also, and originally only, permits access to connection data that is stored by service providers for other reasons (e.g., for business processing). The legislator has decided not to differentiate between the use of data proactively stored under Section 113a TKG and other traffic data in this respect. It also permits the use of retained data, irrespective of a conclusive catalog of offenses, for the prosecution of crimes of significant importance, and furthermore, subject to an individual proportionality assessment, generally for the prosecution of crimes committed by means of telecommunication. A prior judicial decision is required; the Code of Criminal Procedure also provides for notification obligations and subsequent legal protection in this regard.
The challenged provisions are understood as the implementation of Directive 2006/24/EC of the European Parliament and of the Council on data retention from 2006. According to this Directive, providers of telecommunications services are to be obliged to store the data covered by Section 113a TKG for at least six months and a maximum of two years, and to make it available for the prosecution of serious criminal offenses. The Directive contains no further regulations on the use of the data; measures for data protection are also largely left to the Member States.
Due to the interim injunctions of the First Senate of the Federal Constitutional Court (Press Releases No. 37/2008 of March 19, 2008, and No. 92/2008 of november 6, 2008), the data stored under Section 113a TKG for criminal prosecution purposes under Section 113b, Sentence 1, No. 1 TKG could initially only be transmitted in accordance with the provisions stipulated in the interim injunction, and the data retained under Section 113a TKG for averting dangers (Section 113b, Sentence 1, No. 2 TKG) could only be transmitted by telecommunications service providers to the requesting authority under restrictive conditions.
The complainants primarily consider telecommunications secrecy and the right to informational self-determination to be violated by data retention. They deem the indiscriminate storage of all telecommunications connections to be disproportionate. In particular, they assert that personality and movement profiles could be created from the stored data. One complainant, who offers an internet anonymization service, argues that the costs associated with storage disproportionately impair the professional freedom of telecommunications service providers.
The First Senate of the Federal Constitutional Court has ruled that the provisions of the TKG and the StPO concerning data retention are incompatible with Article 10, Paragraph 1 of the Basic Law. While a retention obligation to the extent provided is not inherently
unconstitutional per se. However, there is a lack of implementation that corresponds to the principle of proportionality. The challenged provisions neither guarantee sufficient data security nor a sufficient limitation of the purposes for which the data may be used. Furthermore, they do not in all respects meet the constitutional requirements for transparency and legal protection. The regulation is thus unconstitutional and void in its entirety.
The decision is essentially based on the following considerations:
Regarding Admissibility:
The constitutional complaints are not inadmissible insofar as the challenged provisions were enacted in implementation of Directive 2006/24/EC. The complainants seek, without being able to assert this before the specialized courts given their constitutional complaints directly against the implementing act, a referral by the Federal Constitutional Court to the European Court of Justice, so that the latter, by way of a preliminary ruling under Article 267 TFEU (formerly Article 234 EC Treaty), declares the Directive null and void, thereby clearing the way for a review of the challenged provisions against the standard of German fundamental rights. In any case, a review of the challenged provisions against the standard of the fundamental rights of the Basic Law, as requested by the complainants, is not excluded from the outset by this path.
Regarding Merits:
1. No Preliminary Ruling Procedure before the European Court of Justice
A referral to the European Court of Justice is not an option, as a possible primacy of Community law is not decisive. The effectiveness of Directive 2006/24/EC and any resulting primacy of Community law over German fundamental rights are not relevant for the decision. The content of the Directive leaves the Federal Republic of Germany a wide margin of discretion. Its provisions are essentially limited to the retention obligation and its scope, and do not regulate access to the data or its use by the authorities of the Member States. With this content, the Directive can be implemented without violating the fundamental rights of the Basic Law. The Basic Law does not prohibit such storage under all circumstances.
2. Scope of Protection of Article 10, Paragraph 1 of the Basic Law
The challenged provisions also encroach upon the scope of protection of Article 10, Paragraph 1 of the Basic Law (telecommunications secrecy) insofar as they concern the storage of internet access data and the authorization for information requests under Section 113b, Sentence 1, Half-sentence 2 TKG. The fact that storage is carried out by private service providers does not preclude this, as they are merely utilized as auxiliary persons for the fulfillment of tasks by state authorities.
3. Possibility of Indiscriminate Storage of Telecommunications Traffic Data
A six-month indiscriminate storage of telecommunications traffic data for qualified uses within the scope of criminal prosecution, averting dangers, and intelligence service tasks, as mandated by Sections 113a, 113b TKG, is not inherently incompatible with Article 10 of the Basic Law. If designed in a way that adequately considers the particular weight of the intervention involved, indiscriminate storage of telecommunications traffic data does not, as such, fall under the strict prohibition of precautionary data storage as defined by the jurisprudence of the Federal Constitutional Court. Integrated into a legal framework adequate to the intervention, it can meet the requirements of proportionality.
However, such storage constitutes a particularly severe intervention with a breadth of impact hitherto unknown to the legal system. Even if the storage does not extend to communication content, substantive conclusions reaching into the intimate sphere can be drawn from this data. Recipients, dates, times, and locations of telephone calls, when observed over a longer period, allow for detailed conclusions regarding social or political affiliations, as well as personal preferences, inclinations, and weaknesses, when combined. Depending on the use of telecommunications, such storage can enable the creation of meaningful personality and movement profiles for virtually every citizen. Furthermore, the risk for citizens of being subjected to further investigations without having given cause for them increases. Moreover, the potential for misuse associated with such data collection exacerbates its burdensome effect. Given that storage and data use go unnoticed, the indiscriminate storage of telecommunications traffic data is apt to evoke a diffuse sense of being observed, which can impair the uninhibited exercise of fundamental rights in many areas.
Nevertheless, such storage can be compatible with Article 10 (1) of the Basic Law under certain conditions. First of all, it is decisive that the planned storage of telecommunications traffic data is not realised directly by the state, but through an obligation of the private service providers. The data is thus not yet merged during the storage itself, but remains distributed among many individual companies and is not directly available to the state as a whole. The storage of telecommunication traffic data for six months is also not a measure that would be designed for a total recording of the communication or activities of citizens as a whole. Rather, it ties in with the special significance of telecommunications in the modern world in a way that remains limited and reacts to the specific potential danger associated with it. A reconstruction of telecommunications connections is therefore of particular importance for effective law enforcement and danger prevention.
The constitutional harmlessness of a precautionary storage of telecommunication traffic data without any reason presupposes that this remains an exception. It is part of the constitutional identity of the Federal Republic of Germany that the citizens' perception of freedom may not be totally recorded and registered, and the Federal Republic of Germany must stand up for this in European and international contexts. The precautionary storage of telecommunication traffic data considerably reduces the scope for further collection of data without any reason, also via the European Union.
4. proportionality of the legal form of the regulation (standards)
In view of the special weight of precautionary telecommunications traffic data retention, it is only compatible with Article 10 (1) of the Basic Law if its design meets special constitutional requirements. In this respect, sufficiently demanding and normatively clear regulations on data security, on limiting the use of data, on transparency and on legal protection are required.
Data security requirements:
In view of the scope and the potential informative value of the data created with such storage, data security is of great importance for the proportionality of the challenged regulations. Legal regulations are required that specify a particularly high level of security in a clear and binding manner, at least in principle. In this context, the legislator is free to entrust the technical concretisation of the specified standard to a supervisory authority. However, the legislator must ensure that the decision on the type and extent of the protective measures to be taken does not ultimately lie uncontrolled in the hands of the respective telecommunications providers.
Requirements for the direct use of data:
In view of the weight of the data storage, a use of the data can only be considered for overridingly important tasks of the protection of legal interests.
For law enforcement, it follows from this that a retrieval of data requires at least the suspicion of a serious criminal offence, even in individual cases, based on certain facts. Which criminal offences are to be covered by this has been finally determined by the legislator with the obligation to store data.
For the prevention of danger, it follows from the principle of proportionality that a retrieval of the precautionary stored telecommunications traffic data may only be permitted if there is a concrete danger to the life, limb or freedom of a person, to the existence or security of the Federation or a Land, or to avert a general danger, which is sufficiently substantiated by certain facts. These requirements apply equally to the use of data by the intelligence services, as this is also a form of danger prevention. The use of the data by the intelligence services should therefore be ruled out in many cases. However, this is due to the nature of their tasks as advance reconnaissance and does not constitute a constitutionally acceptable reason to mitigate the requirements for an intervention of this kind resulting from the principle of proportionality.
Moreover, it is constitutionally required, as a consequence of the principle of proportionality, to provide for a fundamental prohibition of transmission at least for a narrow circle of telecommunications connections that depend on special confidentiality. One could think here of connections to persons, authorities and organisations in social or ecclesiastical areas, which in principle offer anonymous callers wholly or predominantly telephone counselling in mental or social distress and which themselves or their employees are subject to other obligations of confidentiality in this respect.
Requirements for the transparency of data transmission:
Legislators must address the diffuse threat that data storage and use, imperceptible as such, can pose to citizens through effective transparency rules. This includes the principle of openness in the collection and use of personal data. The use of data without the knowledge of the data subject is constitutionally permissible only if the purpose of the investigation served by the data retrieval is otherwise frustrated. For the prevention of danger and the performance of the tasks of the intelligence services, the legislature may in principle assume this. In contrast, in the context of criminal prosecution, an open collection and use of data is also possible. Secret use of the data may only be provided for here if it is necessary in the individual case and ordered by a court. If the data is used secretly, the legislature must provide for the obligation of at least subsequent notification. This must ensure that those to whom a data query directly relates must at least be informed retrospectively. Exceptions to this must be subject to judicial review.
Requirements for legal protection and sanctions:
The transmission and use of stored data must always be subject to judicial review. If a data subject did not have the opportunity to defend himself or herself before the courts against the use of his or her telecommunication traffic data before the measure was carried out, he or she must be given the opportunity of judicial review after the fact.
A proportionate design also requires effective sanctions in the event of violations of the law. If even serious violations of telecommunications secrecy were to remain sanctionless with the result that the protection of the right of personality would wither away in view of the immaterial nature of this right, this would contradict the obligation of state power to enable the individual to develop his or her personality and to protect him or her from threats to the right of personality by third parties. The legislature, however, has a wide scope of action in this regard. In this respect, it may also take into account that in the case of serious violations of the right of personality, both prohibitions of exploitation on the basis of a balancing test and liability for non-material damage may already be justified under the current legal situation, and thus first observe whether the particular seriousness of the violation of personality, which regularly lies in the unauthorised acquisition or use of the data in question here, is possibly already sufficiently taken into account on the basis of the current law.
Requirements for the indirect use of data to identify IP addresses:
Less strict constitutional requirements apply to an only indirect use of the precautionary stored data in the form of claims for information by the authorities against the service providers with regard to the connection owners of certain, already known IP addresses. It is important to note that the authorities themselves do not obtain knowledge of the data to be stored as a precaution. In the context of such information claims, the authorities do not themselves retrieve the data stored as a precautionary measure, but only receive personal information about the owner of a certain connection, who was determined by the service providers with recourse to this data. Systematic investigations over a longer period of time or the creation of personality and movement profiles cannot be realised on the basis of such information alone. On the other hand, it is decisive that for such information only a small section of the data is used, which is determined from the outset, and the storage of which in itself has a lower intrusive weight and could thus be ordered under significantly lower conditions.
However, the justification of claims for information by public authorities to identify IP addresses also carries considerable weight. With it, the legislator affects the conditions of communication on the internet and limits the scope of their anonymity. On its basis, in conjunction with the systematic storage of internet access data with regard to previously determined IP addresses, the identity of internet users can be determined to a wide extent.
Within the scope of its discretionary powers, the legislature may also permit such information independently of limiting offences or catalogues of legal interests for the prosecution of criminal offences, for the prevention of danger and the performance of tasks by the intelligence services on the basis of the general powers of intervention under specialised law. With regard to the thresholds for intervention, however, it must be ensured that information is not obtained out of the blue, but only on the basis of sufficient initial suspicion or a concrete danger on a case-by-case basis. It is not necessary to reserve the right to obtain such information to a judge; however, the persons concerned must be informed of the request for such information. Nor can such information be generally and unrestrictedly permitted for the prosecution or prevention of any administrative offence. The abolition of anonymity on the internet requires at least an impairment of a legal interest, which is also given a prominent weight by the legal system in other respects. This does not completely exclude corresponding information for the prosecution or prevention of administrative offences. However, the offences in question must also be particularly weighty in the individual case, and the legislature must explicitly name them.
Responsibility for the design of the regulations:
The constitutionally required guarantee of data security as well as a normative limitation of data use that meets the requirements of proportionality is an inseparable part of the order to store data and is therefore the responsibility of the federal legislature pursuant to Article 73 (1) no. 7 of the Basic Law. In addition to the regulations on the security of the stored data, this also includes the regulations on the security of the transmission of the data and, in this context, the guarantee of the protection of confidential relationships. Furthermore, the Federal Government is also responsible for ensuring that the purposes for which the data are stored are limited with sufficient precision and in accordance with constitutional requirements. In contrast, the responsibility for the creation of the retrieval regulations themselves as well as for the design of transparency and legal protection provisions depends on the respective competences. In the area of security and the tasks of the intelligence services, responsibility thus lies largely with the Länder.
5. the provisions in detail (application of the standards)
The challenged provisions do not meet these requirements. It is true that § 113a TKG is not unconstitutional simply because the scope of the obligation to store data would be disproportionate from the outset. However, the provisions on data security, on the purposes and transparency of the use of data as well as on legal protection do not meet the constitutional requirements. Thus, the regulation as a whole is not designed in accordance with the principle of proportionality. §§ Sections 113a, 113b TKG and Section 100g StPO, insofar as the latter permits the retrieval of data to be stored pursuant to Section 113a TKG, are therefore not compatible with Article 10 (1) GG.
Data security:
There is already a lack of the required guarantee of a particularly high standard regarding data security. The law essentially refers only to the general diligence required in the telecommunications sector (§ 113a para. 10 TKG) and thereby relativizes security requirements in an indefinitely vague manner by general economic considerations in individual cases (§ 109 para. 2 sentence 4 TKG). The detailed specification of measures is left to the individual telecommunication service providers, who, in turn, must offer their services under conditions of competition and cost pressure. Those subject to storage obligations are neither demonstrably provided with the instruments suggested by experts in the present proceedings to ensure data security (separate storage, asymmetric encryption, the four-eyes principle combined with advanced authentication procedures for key access, audit-proof logging of access and deletion), nor is a comparable level of security otherwise guaranteed. Furthermore, there is a lack of a balanced sanction system that does not attach less weight to violations of data security than to violations of the storage obligations themselves.
Direct use of data for criminal prosecution:
The regulations for the use of data for criminal prosecution are also incompatible with the standards developed from the principle of proportionality. § 100g para. 1 sentence 1 no. 1 StPO does not ensure that, generally and in individual cases, only serious offenses may give rise to the collection of corresponding data; instead, it allows for crimes of significant importance to suffice, irrespective of an exhaustive catalog. Furthermore, § 100g para. 1 sentence 1 no. 2, sentence 2 StPO falls short of constitutional requirements by allowing any offense committed via telecommunication, regardless of its severity, to be a sufficient trigger for a data query based on a general balancing within a proportionality test. With this regulation, data stored under § 113a TKG becomes practically usable for all criminal offenses. Its use thus loses its exceptional character given the increasing importance of telecommunication in everyday life. The legislator here no longer limits itself to using data for prosecuting serious offenses but goes far beyond this and thus also beyond the objectives of data storage prescribed by European law.
§ 100g StPO also fails to meet constitutional requirements insofar as it permits data retrieval not only for individual cases to be judicially confirmed but also, in principle, without the knowledge of the data subject (§ 100g para. 1 sentence 1 StPO).
In contrast, judicial control of data queries and data usage, as well as the regulation of notification obligations, are largely guaranteed in a manner consistent with constitutional requirements. The collection of data stored under § 113a TKG requires a judicial order in accordance with § 100g para. 2 sentence 1, § 100b para. 1 sentence 1 StPO. Furthermore, differentiated notification obligations exist under § 101 StPO, as well as the possibility of subsequently initiating a judicial review of the legality of the measure. It is not apparent that these provisions fail to ensure effective legal protection overall. However, the absence of judicial control for waiving notification under § 101 para. 4 StPO is constitutionally objectionable. Direct use of data for hazard prevention and for the tasks of intelligence services:
§ 113b sentence 1 nos. 2 and 3 TKG does not meet the requirements for a sufficient limitation of purposes of use, even in its design. The federal legislator merely outlines, in a generalizing manner, the areas of responsibility for which data retrieval should be possible according to later legislation, particularly that of the federal states. Thus, it fails to fulfill its responsibility for the constitutionally required limitation of purposes of use. Instead, by obliging service providers to proactively store all telecommunication traffic data, combined with the simultaneous release of this data for use by the police and intelligence services within the scope of almost their entire range of tasks, the federal legislator creates an open data pool for diverse and unlimited uses. This pool can be accessed by federal and state legislators, each based on their own decisions, but only with broad objectives. The provision of such an open data pool, by its very purpose, severs the necessary connection between storage and the purpose of storage and is incompatible with the constitution.
The design of the use of data stored under § 113a TKG is also disproportionate insofar as no protection for confidential relationships is provided for its transmission. Such protection is fundamentally required at least for a narrow circle of telecommunication connections that rely on particular confidentiality.
Indirect use of data for information from service providers:
§ 113b sentence 1 half-sentence 2 TKG also does not meet constitutional requirements in all respects. While it raises no concerns that, according to this provision, disclosures are permissible irrespective of a catalog of offenses or legal interests, it is incompatible with the constitution that such disclosures are also generally permitted for the prosecution of administrative offenses without further limitation. Furthermore, there is a lack of notification obligations following such disclosures.
6. Compatibility with Article 12 of the Basic Law
In contrast, the challenged provisions, with regard to Article 12 para. 1 of the Basic Law, are not subject to constitutional concerns insofar as this procedure is to decide on them. The imposition of the storage obligation typically does not impose an excessive burden on the affected service providers. The storage obligation is not disproportionate, in particular, with regard to the financial burdens incurred by companies due to the storage obligation under § 113a TKG and the associated consequential obligations, such as ensuring data security. The legislator, within its broad discretion in this regard, is not limited to engaging private entities only when their professional activity can directly trigger dangers or when they are directly at fault with respect to these dangers. Rather, a sufficient factual and responsibility proximity between the professional activity and the imposed obligation is sufficient. Consequently, there are no fundamental objections to the cost burdens incurred by those subject to storage obligations. In this way, the legislator shifts the costs associated with storage into the market, in line with the overall privatization of the telecommunications sector. Just as telecommunication companies can exploit the new opportunities of telecommunication technology for profit, they must also bear the costs for containing the new security risks associated with telecommunication and incorporate them into their prices.
7. Nullity of the challenged provisions
The violation of the fundamental right to protection of telecommunications secrecy under Article 10 para. 1 of the Basic Law leads to the nullity of §§ 113a and 113b TKG, as well as § 100g para. 1 sentence 1 StPO, insofar as traffic data may be collected thereunder in accordance with § 113a TKG. The challenged norms are therefore to be declared null and void, with the finding of a fundamental rights violation (cf. § 95 para. 1 sentence 1 and § 95 para. 3 sentence 1 BVerfGG). The decision was unanimous with regard to questions of European law, formal constitutionality, and the fundamental compatibility of proactive telecommunication traffic data storage with the Constitution. With regard to the assessment of §§ 113a and 113b TKG as unconstitutional, the result was 7:1 votes, and with regard to further substantive legal questions, as far as discernible from the separate opinions, it was 6:2 votes.
The Senate decided by a 4:4 vote that the provisions are to be declared null and void under § 95 para. 3 sentence 1 BVerfGG, and not merely incompatible with the Basic Law. Consequently, the provisions cannot continue to be applied provisionally to a limited extent, but rather the statutory regular consequence of nullification remains.
Separate Opinion of Judge Schluckebier:
1. The storage of traffic data for a period of six months by service providers does not constitute an infringement of the fundamental right under Article 10 para. 1 of the Basic Law of such gravity that it could be classified as “particularly severe” and thus equivalent to direct access by public authorities to communication content. Traffic data remains within the sphere of private service providers, where it accrues for operational reasons, and from whom individual telecommunication subscribers can expect, due to contractual obligations, that it will be treated with strict confidentiality and protected within their sphere. If state-of-the-art data security is guaranteed, there is therefore no objectifiable basis for assuming a storage-induced chilling effect on citizens. The storage does not extend to the content of telecommunication. When weighing the infringement, a perceptible distance must therefore be maintained from such particularly severe infringements as those involving acoustic surveillance of living spaces, content-based telecommunication surveillance, or the so-called online search of IT systems through direct access by state organs, where there is a particular risk that the absolutely protected core area of private life will be affected. Therefore, it is not already the storage of traffic data by the service provider that is particularly intrusive, but rather the retrieval and use of traffic data by state authorities in individual cases according to the existing legal bases; these, as well as the judicial order for traffic data collection, are themselves subject to the strict requirements of proportionality.
2. The challenged regulations are, in principle, not unreasonable, are acceptable to those affected, and are thus proportionate in the narrower sense. The legislator has adhered to its constitutionally granted scope of discretion with the obligation to store telecommunication traffic data for a period of six months, a regulation on purposes of use, and the criminal procedural regulation on data collection. The state's duty to protect its citizens includes the task of taking appropriate measures to prevent or investigate violations of legal interests and to assign responsibility for such violations. In this sense, ensuring the protection of citizens and their fundamental rights, as well as the foundations of the community, and preventing and investigating significant crimes, are simultaneously prerequisites for peaceful coexistence and the unrestricted exercise of fundamental rights by citizens. Effective investigation of crimes and effective prevention of dangers are therefore not per se a threat to the freedom of citizens. In the tension between the state's duty to protect legal interests and the individual's interest in preserving their constitutionally guaranteed rights, it is primarily the legislator's task to achieve a balance of conflicting interests in an abstract manner. The legislator has a margin of assessment and discretion in this regard. The legislator's goal here was to address the undeniable needs of effective, rule-of-law-based criminal justice in view of a fundamental change in communication possibilities and human communication behavior in recent years. This goal fundamentally presupposes the ascertainability of the facts necessary for investigation. The legislator assumed that, due to technical developments towards flat rates, telecommunication traffic data is often either not stored at all or is already deleted before a judicial order for disclosure can be obtained or even before the information required for such an application has been determined. While the Senate majority considers the fact that electronic or digital communication means have penetrated almost all areas of life and therefore complicate criminal prosecution and hazard prevention in certain areas when examining the suitability and necessity of traffic data storage, it does not adequately weigh this in the proportionality test in the narrower sense under the aspect of appropriateness and reasonableness.
The Senate majority thus almost completely restricts the legislator's scope for assessment and design in the field of crime investigation and hazard prevention to establish appropriate and reasonable regulations for the protection of people. In doing so, it also fails to adequately account for the principle of constitutional judicial restraint (“judicial self-restraint”) regarding conceptual decisions by the democratically legitimate legislator. The judgment stipulates a storage period of six months, the minimum required by the EC Directive, as being at the upper limit and constitutionally justifiable at best; it technically prescribes to the legislator that the purpose-of-use regulation must simultaneously contain the access requirements; it restricts the legislator to a catalog-based offense technique in criminal law; it excludes the possibility of using traffic data for the investigation of difficult-to-solve crimes committed via telecommunication means; and it expands notification obligations in a specific manner. Consequently, the legislator retains no significant leeway for shaping policies under its own political responsibility.
Der Senat verwehrt dem Gesetzgeber insbesondere die Abrufbarkeit der nach § 113a TKG gespeicherten Verkehrsdaten für die Aufklärung von Straftaten, die nicht im derzeitigen Katalog des § 100a Abs. 2 StPO bezeichnet, aber im Einzelfall von erheblicher Bedeutung sind, sowie von solchen Taten, die mittels Telekommunikation begangen sind (§ 100g Abs. 1 Satz 1 Nr. 1 und 2 StPO). Hinsichtlich der letztgenannten Taten wird nicht genügend gewichtet, dass der Gesetzgeber hier von erheblichen Aufklärungsschwierigkeiten ausgeht. Da es Sache des Gesetzgebers ist, eine wirksame Strafverfolgung zu gewährleisten und keine beträchtlichen Schutzlücken entstehen zu lassen, kann es ihm nicht versagt sein, auch bei Straftaten, die zwar nicht besonders schwer sind, aber Rechtsgüter von Gewicht schädigen den Zugriff auf die Verkehrsdaten zu eröffnen, weil nach seiner Einschätzung nur so das Entstehen faktisch weitgehend rechtsfreier Räume und ein weitgehendes Leerlaufen der Aufklärung ausgeschlossen werden kann. Hinzu kommt, dass sich der Gesetzgeber bei der Gestaltung der strafprozessualen Zugriffsbefugnis an Kriterien orientiert hat, die der Senat in seinem Urteil vom 12. März 2003 (BVerfGE 107, 299 <322>) zur Herausgabe von Verbindungsdaten der Telekommunikation gebilligt hat.
3. In the ruling on legal consequences, even based on the constitutional assessment of the Senate majority, and drawing on established jurisprudence of the Federal Constitutional Court, it would have been appropriate to set a deadline for the legislator to enact new regulations and to declare the existing provisions provisionally applicable, in line with the requirements of the interim injunctions issued by the Senate, in order to avoid persistent deficiencies, particularly in the investigation of crimes, but also in hazard prevention.
Separate Opinion of Judge Eichberger:
The separate opinion largely concurs with Judge Schluckebier's criticism regarding the assessment of the intensity of interference from the storage of telecommunication traffic data as an infringement of Article 10 para. 1 of the Basic Law. The legislative concept underlying §§ 113a, 113b TKG, which involves a staggered legislative responsibility for the storage order on the one hand and data retrieval on the other, is fundamentally in conformity with the Constitution. This applies in particular to the use of data stored under § 113a TKG for purposes of criminal prosecution, as regulated in § 100g StPO. The legislator is not compelled to measure the proportionality of the retrieval regulation exclusively by the greatest possible interference of a comprehensive data retrieval ultimately aiming at a movement or social profile of the affected citizen; instead, it may consider that a multitude of data queries have significantly less weight, and the competent judge must decide on their reasonableness in individual cases.
Judgment of the Federal Constitutional Court of March 2, 2010 – 1 BvR 256/08, 1 BvR 263/08, 1 BvR 586/08 –
Source: Press release of the Federal Constitutional Court No. 11/2010 of March 2, 2010
Goldberg Rechtsanwälte
Lawyer Michael Ullrich, LL. M. (Information Law)
Specialist Lawyer for Information Technology Law (IT Law)
E-mail: m.ullrich@goldberg.de
