Design of data retention unconstitutional

The First Senate of the Federal Constitutional Court has ruled that the provisions of the TKG and the StPO on data retention are not compatible with Article 10 (1) of the Basic Law.

The constitutional complaints are directed against §§ 113a, 113b TKG and against § 100g StPO, insofar as this allows the collection of data stored according to § 113a TKG. The provisions were introduced by the Act on the Reorganisation of Telecommunications Surveillance of 21 December 2007.

Section 113a TKG stipulates that publicly accessible telecommunications service providers are obliged to store practically all traffic data of telephone services (fixed network, mobile telephony, fax, SMS, MMS), e-mail services and internet services as a precautionary measure. The obligation to store data essentially covers all information necessary to reconstruct who has communicated or attempted to communicate with whom from where, when and for how long. In contrast, the content of the communication and thus also which internet pages are called up by the users are not to be stored. After the storage obligation of six months has expired, the data must be deleted within one month.

Section 113b TKG regulates the possible purposes for which this data may be used. The provision sees itself as a hinge standard: it does not itself contain any authorisation for data retrieval, but only broadly describes generally possible purposes of use, which are to be specified by technical regulations of the Federation and the Länder. Sentence 1, half-sentence 1 lists the possible purposes for direct use of the data: the prosecution of criminal offences, the prevention of significant threats to public safety and the fulfilment of intelligence tasks. The second half of the sentence also allows the indirect use of the data for information pursuant to Section 113 (1) TKG in the form of a right to information from the service providers for the identification of IP addresses. According to this, authorities can demand information on which subscriber this address was assigned to, if they already know an IP address, for example through a report or through their own investigations. The legislator allows this, regardless of more detailed restrictions for the prosecution of criminal offences and misdemeanours as well as for the prevention of danger; there is no provision for a judge's prerogative in this respect, nor is there any provision for notification obligations.

Section 100g StPO regulates - in concretisation of section 113b sentence 1 half-sentence 1 no. 1 TKG - the direct use of the precautionary stored data for criminal prosecution. Overall, the provision is more far-reaching and regulates access to telecommunications traffic data in general. It therefore also, and originally, only allows access to connection data that is stored by the service providers for other reasons (such as for business transactions). In this respect, the legislator decided not to distinguish between the use of data stored on a precautionary basis according to § 113a TKG and other traffic data. It also allows the use of retained data, irrespective of a conclusive catalogue of criminal offences, for the prosecution of criminal offences of considerable importance and, in addition, in general for the prosecution of criminal offences committed by means of telecommunications, subject to a case-by-case proportionality assessment. A prior judicial decision is required; the Code of Criminal Procedure also provides for notification obligations and retrospective legal protection.

The challenged provisions are to be understood as the implementation of Directive 2006/24/EC of the European Parliament and of the Council on data retention from 2006. According to this directive, providers of telecommunications services are to be obliged to store the data covered by § 113a TKG for a minimum of six months and a maximum of two years and to keep it available for the prosecution of serious criminal offences. The directive does not contain any more detailed regulations on the use of the data; data protection measures are also essentially left to the member states.

Based on the interim injunctions of the First Senate of the Federal Constitutional Court (press releases no. 37/2008 of 19 March 2008 and no. 92/2008 of 6 November 2008), the data stored under section 113a TKG for law enforcement purposes under section 113b sentence 1 no. 1 TKG, and the data for the prevention of danger stored in accordance with § 113a TKG (§ 113b sentence 1 no. 2 TKG) could only be transmitted by the telecommunications service providers to the requesting authority under restrictive conditions.

The complainants see the data retention as violating above all the secrecy of telecommunications and the right to informational self-determination. They consider the storage of all telecommunication connections without any reason to be disproportionate. In particular, they claim that personality and movement profiles could be created from the stored data. One complainant, who offers an internet anonymisation service, complains that the costs associated with the storage disproportionately affect the providers of telecommunications services in their freedom of profession.

The First Senate of the Federal Constitutional Court has ruled that the provisions of the TKG and the StPO on data retention are not compatible with Article 10 (1) of the Basic Law. It is true that an obligation to retain data to the extent provided for is not a priori unconstitutional per se. However, there is a lack of a design that complies with the principle of proportionality. The challenged provisions neither guarantee sufficient data security nor a sufficient limitation of the purposes for which the data can be used. They also do not meet the constitutional requirements of transparency and legal protection in every respect. The regulation as a whole is therefore unconstitutional and void.

The decision is essentially based on the following considerations:

On admissibility:

The constitutional complaints are not inadmissible to the extent that the challenged provisions were enacted in transposition of Directive 2006/24/EC. The complainants seek, without being able to assert this before the specialised courts in view of their constitutional complaints directly directed against the transposition law, a referral by the Federal Constitutional Court to the European Court of Justice so that the latter declares the Directive null and void by way of a preliminary ruling pursuant to Article 267 TFEU (formerly Article 234 EC) and thus clears the way for a review of the challenged provisions on the basis of German fundamental rights. At least in this way, a review of the challenged provisions on the basis of the fundamental rights of the Basic Law is not excluded from the outset according to the complainants' request.

On the merits:

1. No preliminary ruling procedure before the European Court of Justice

A referral to the European Court of Justice is out of the question, since a possible precedence of Community law is not relevant. The effectiveness of Directive 2006/24/EC and a possible precedence of Community law over German fundamental rights resulting therefrom are not relevant to the decision. The content of the Directive leaves the Federal Republic of Germany a wide margin of discretion. Its provisions are essentially limited to the obligation to store data and its scope and do not regulate access to the data or their use by the authorities of the Member States. With this content, the Directive can be implemented without violating the fundamental rights of the Basic Law. The Basic Law does not prohibit such storage in all circumstances.

2. Scope of protection of Art. 10 para. 1 GG

The challenged provisions also encroach on the scope of protection of Article 10(1) of the Basic Law (telecommunications secrecy) as far as the storage of internet access data and the authorisation to provide information pursuant to § 113b sentence 1 half sentence 2 of the Telecommunications Act are concerned. The fact that the storage is carried out by private service providers does not preclude this, since they are used solely as auxiliaries for the fulfilment of tasks by state authorities.

3. The possibility of storing telecommunication traffic data without any reason

A six-month storage of telecommunications traffic data without a reason for qualified uses in the context of criminal prosecution, the prevention of danger and the tasks of the intelligence services, as provided for in §§ 113a, 113b TKG, is not per se incompatible with Article 10 GG. If it is designed in a way that sufficiently takes into account the particular weight of the intrusion, the storage of telecommunications traffic data without any reason is not in itself subject to the strict prohibition of data retention within the meaning of the case law of the Federal Constitutional Court. Incorporated into a legal formulation that is adequate for the encroachment, it can satisfy the requirements of proportionality.

However, such storage is a particularly serious intrusion with a scope that has not been known in the legal system before. Even if the storage does not extend to the content of the communication, it is possible to draw conclusions about the content from this data, even into the sphere of privacy. The addressees, dates, times and places of telephone conversations, if observed over a longer period of time, in combination allow detailed conclusions to be drawn about social or political affiliations as well as personal preferences, inclinations and weaknesses. Depending on the use of telecommunications, such storage can enable the creation of meaningful personality and movement profiles of virtually every citizen. It also increases the risk of citizens being subjected to further investigations without having given cause to do so themselves. Furthermore, the possibilities of abuse associated with such data collection intensify its incriminating effect. Particularly since the storage and use of data are not noticed, the storage of telecommunication traffic data without any reason is likely to cause a diffuse threatening feeling of being watched, which can impair an unbiased perception of fundamental rights in many areas.

Nevertheless, such storage can be compatible with Article 10 (1) of the Basic Law under certain conditions. First of all, it is decisive that the planned storage of telecommunications traffic data is not realised directly by the state, but through an obligation of the private service providers. The data is thus not yet merged during the storage itself, but remains distributed among many individual companies and is not directly available to the state as a whole. The storage of telecommunication traffic data for six months is also not a measure that would be designed for a total recording of the communication or activities of citizens as a whole. Rather, it ties in with the special significance of telecommunications in the modern world in a way that remains limited and reacts to the specific potential danger associated with it. A reconstruction of telecommunications connections is therefore of particular importance for effective law enforcement and danger prevention.

The constitutional harmlessness of a precautionary storage of telecommunication traffic data without any reason presupposes that this remains an exception. It is part of the constitutional identity of the Federal Republic of Germany that the citizens' perception of freedom may not be totally recorded and registered, and the Federal Republic of Germany must stand up for this in European and international contexts. The precautionary storage of telecommunication traffic data considerably reduces the scope for further collection of data without any reason, also via the European Union.

4. Proportionality of the legal form of the regulation (standards)

In view of the special weight of precautionary telecommunications traffic data retention, it is only compatible with Article 10 (1) of the Basic Law if its design meets special constitutional requirements. In this respect, sufficiently demanding and normatively clear regulations on data security, on limiting the use of data, on transparency and on legal protection are required.

Data security requirements:

In view of the scope and the potential informative value of the data created with such storage, data security is of great importance for the proportionality of the challenged regulations. Legal regulations are required that specify a particularly high level of security in a clear and binding manner, at least in principle. In this context, the legislator is free to entrust the technical concretisation of the specified standard to a supervisory authority. However, the legislator must ensure that the decision on the type and extent of the protective measures to be taken does not ultimately lie uncontrolled in the hands of the respective telecommunications providers.

Requirements for the direct use of data:

In view of the weight of the data storage, a use of the data can only be considered for overridingly important tasks of the protection of legal interests.

For law enforcement, it follows from this that a retrieval of data requires at least the suspicion of a serious criminal offence, even in individual cases, based on certain facts. Which criminal offences are to be covered by this has been finally determined by the legislator with the obligation to store data.

For the prevention of danger, it follows from the principle of proportionality that a retrieval of the precautionary stored telecommunications traffic data may only be permitted if there is a concrete danger to the life, limb or freedom of a person, to the existence or security of the Federation or a Land, or to avert a general danger, which is sufficiently substantiated by certain facts. These requirements apply equally to the use of data by the intelligence services, as this is also a form of danger prevention. The use of the data by the intelligence services should therefore be ruled out in many cases. However, this is due to the nature of their tasks as advance reconnaissance and does not constitute a constitutionally acceptable reason to mitigate the requirements for an intervention of this kind resulting from the principle of proportionality.

Moreover, it is constitutionally required, as a consequence of the principle of proportionality, to provide for a fundamental prohibition of transmission at least for a narrow circle of telecommunications connections that depend on special confidentiality. One could think here of connections to persons, authorities and organisations in social or ecclesiastical areas, which in principle offer anonymous callers wholly or predominantly telephone counselling in mental or social distress and which themselves or their employees are subject to other obligations of confidentiality in this respect.

Requirements for the transparency of data transmission:

Legislators must address the diffuse threat that data storage and use, imperceptible as such, can pose to citizens through effective transparency rules. This includes the principle of openness in the collection and use of personal data. The use of data without the knowledge of the data subject is constitutionally permissible only if the purpose of the investigation served by the data retrieval is otherwise frustrated. For the prevention of danger and the performance of the tasks of the intelligence services, the legislature may in principle assume this. In contrast, in the context of criminal prosecution, an open collection and use of data is also possible. Secret use of the data may only be provided for here if it is necessary in the individual case and ordered by a court. If the data is used secretly, the legislature must provide for the obligation of at least subsequent notification. This must ensure that those to whom a data query directly relates must at least be informed retrospectively. Exceptions to this must be subject to judicial review.

Requirements for legal protection and sanctions:

The transmission and use of stored data must always be subject to judicial review. If a data subject did not have the opportunity to defend himself or herself before the courts against the use of his or her telecommunication traffic data before the measure was carried out, he or she must be given the opportunity of judicial review after the fact.

A proportionate design also requires effective sanctions in the event of violations of the law. If even serious violations of telecommunications secrecy were to remain sanctionless with the result that the protection of the right of personality would wither away in view of the immaterial nature of this right, this would contradict the obligation of state power to enable the individual to develop his or her personality and to protect him or her from threats to the right of personality by third parties. The legislature, however, has a wide scope of action in this regard. In this respect, it may also take into account that in the case of serious violations of the right of personality, both prohibitions of exploitation on the basis of a balancing test and liability for non-material damage may already be justified under the current legal situation, and thus first observe whether the particular seriousness of the violation of personality, which regularly lies in the unauthorised acquisition or use of the data in question here, is possibly already sufficiently taken into account on the basis of the current law.

Requirements for the indirect use of data to identify IP addresses:

Less strict constitutional requirements apply to an only indirect use of the precautionary stored data in the form of claims for information by the authorities against the service providers with regard to the connection owners of certain, already known IP addresses. It is important to note that the authorities themselves do not obtain knowledge of the data to be stored as a precaution. In the context of such information claims, the authorities do not themselves retrieve the data stored as a precautionary measure, but only receive personal information about the owner of a certain connection, who was determined by the service providers with recourse to this data. Systematic investigations over a longer period of time or the creation of personality and movement profiles cannot be realised on the basis of such information alone. On the other hand, it is decisive that for such information only a small section of the data is used, which is determined from the outset, and the storage of which in itself has a lower intrusive weight and could thus be ordered under significantly lower conditions.

However, the justification of claims for information by public authorities to identify IP addresses also carries considerable weight. With it, the legislator affects the conditions of communication on the internet and limits the scope of their anonymity. On its basis, in conjunction with the systematic storage of internet access data with regard to previously determined IP addresses, the identity of internet users can be determined to a wide extent.

Within the scope of its discretionary powers, the legislature may also permit such information independently of limiting offences or catalogues of legal interests for the prosecution of criminal offences, for the prevention of danger and the performance of tasks by the intelligence services on the basis of the general powers of intervention under specialised law. With regard to the thresholds for intervention, however, it must be ensured that information is not obtained out of the blue, but only on the basis of sufficient initial suspicion or a concrete danger on a case-by-case basis. It is not necessary to reserve the right to obtain such information to a judge; however, the persons concerned must be informed of the request for such information. Nor can such information be generally and unrestrictedly permitted for the prosecution or prevention of any administrative offence. The abolition of anonymity on the internet requires at least an impairment of a legal interest, which is also given a prominent weight by the legal system in other respects. This does not completely exclude corresponding information for the prosecution or prevention of administrative offences. However, the offences in question must also be particularly weighty in the individual case, and the legislature must explicitly name them.

Responsibility for the design of the regulations:

The constitutionally required guarantee of data security as well as a normative limitation of data use that meets the requirements of proportionality is an inseparable part of the order to store data and is therefore the responsibility of the federal legislature pursuant to Article 73 (1) no. 7 of the Basic Law. In addition to the regulations on the security of the stored data, this also includes the regulations on the security of the transmission of the data and, in this context, the guarantee of the protection of confidential relationships. Furthermore, the Federal Government is also responsible for ensuring that the purposes for which the data are stored are limited with sufficient precision and in accordance with constitutional requirements. In contrast, the responsibility for the creation of the retrieval regulations themselves as well as for the design of transparency and legal protection provisions depends on the respective competences. In the area of security and the tasks of the intelligence services, responsibility thus lies largely with the Länder.

5. The provisions in detail (application of the standards)

The challenged provisions do not meet these requirements. It is true that § 113a TKG is not unconstitutional simply because the scope of the obligation to store data would be disproportionate from the outset. However, the provisions on data security, on the purposes and transparency of the use of data as well as on legal protection do not meet the constitutional requirements. Thus, the regulation as a whole is not designed in accordance with the principle of proportionality. Sections 113a, 113b TKG and Section 100g StPO, insofar as the latter permits the retrieval of data to be stored pursuant to Section 113a TKG, are therefore not compatible with Article 10 (1) GG.

Data security:

The required guarantee of a particularly high standard of data security is already lacking. The law essentially only refers to the care generally required in the field of telecommunications (section 113a (10) TKG) and relativises the security requirements in a way that remains vague by general considerations of economic efficiency in individual cases (section 109 (2) sentence 4 TKG). The more detailed specification of the measures is left to the individual telecommunications service providers, who for their part must offer the services under the conditions of competition and cost pressure. In this respect, the instruments for guaranteeing data security suggested by the experts in the present proceedings (separate storage, asymmetric encryption, dual control principle combined with advanced procedures for authentication for access to the keys, audit-proof logging of access and deletion) are neither enforceably prescribed for the parties obliged to store data, nor is a comparable level of security guaranteed elsewhere. There is also a lack of a balanced system of sanctions that does not give less weight to breaches of data security than to breaches of the storage obligations themselves.

Direct use of the data for law enforcement:

The regulations on the use of data for criminal prosecution are also incompatible with the standards developed from the principle of proportionality. Section 100g, paragraph 1, sentence 1, no. 1 of the Code of Criminal Procedure does not ensure that in general and also in individual cases only serious criminal offences may be the reason for collecting the corresponding data, but rather, irrespective of an exhaustive catalogue, generally allows criminal offences of considerable importance to suffice. Section 100g, paragraph 1, sentence 1, no. 2, sentence 2 of the Code of Criminal Procedure (StPO) falls short of the constitutional requirements by allowing any criminal offence committed by means of telecommunication to be sufficient as a possible trigger for a data search, irrespective of its seriousness, according to a general weighing in the context of a proportionality test. With this regulation, the data stored according to § 113a TKG can practically be used for all criminal offences. Their use thus loses its exceptional character in view of the increasing importance of telecommunications in everyday life. The legislature no longer limits itself to the use of data for the prosecution of serious criminal offences, but goes far beyond this and thus also beyond the objective of data retention prescribed by European law.

Section 100g of the Code of Criminal Procedure also does not meet the constitutional requirements insofar as it allows data retrieval not only for individual cases to be confirmed by a judge, but in principle also without the knowledge of the person concerned (section 100g (1) sentence 1 of the Code of Criminal Procedure).

In contrast, judicial control of data retrieval and data use as well as the regulation of notification obligations are essentially guaranteed in a manner that meets constitutional requirements. The collection of data stored pursuant to section 113a TKG requires an order by the judge pursuant to section 100g (2) sentence 1, section 100b (1) sentence 1 StPO. Furthermore, according to section 101 of the Code of Criminal Procedure, there are differentiated notification obligations as well as the possibility to subsequently bring about a judicial review of the lawfulness of the measure. It is not evident that these provisions do not guarantee effective legal protection as a whole. What is constitutionally objectionable, however, is the lack of judicial review for refraining from notification pursuant to section 101 (4) of the Code of Criminal Procedure.

Direct use of data for the prevention of danger and for the tasks of the intelligence services:

Section 113b sentence 1 nos. 2 and 3 TKG does not meet the requirements for a sufficient limitation of the purposes of use, by its very design. The federal legislature is content here with merely outlining in a generalised manner the fields of activity for which data retrieval is to be possible in accordance with subsequent legislation, in particular also by the Länder. In doing so, it does not fulfil its responsibility for the constitutionally required limitation of the purposes of use. Rather, by obliging service providers to store all telecommunications traffic data as a precautionary measure, combined with the release of this data for use by the police and intelligence services within the framework of approximately their entire remit, the federal legislature is creating a data pool that is open to diverse and unlimited uses, which can only be accessed, limited by broad objectives, on the basis of decisions taken by the federal and state legislatures themselves. The provision of such a data pool, which is open in terms of its purpose, removes the necessary connection between storage and the purpose of storage and is not compatible with the constitution.

The design of the use of the data stored under § 113a TKG is also disproportionate insofar as no protection of confidential relationships is provided for the transmission. At least for a narrow circle of telecommunication connections that depend on special confidentiality, such protection is basically required.

Indirect use of the data for information of the service providers:

Section 113b sentence 1 half-sentence 2 TKG also does not meet the constitutional requirements in every respect. There are no objections to the fact that according to this provision, information is permissible irrespective of a list of criminal offences or legal interests. On the other hand, it is not compatible with the constitution that such information is also generally permitted for the prosecution of administrative offences without further limitation. There is also a lack of notification obligations following such information.

6. Compatibility with Art. 12 GG

In contrast, the challenged provisions are not subject to constitutional objections with regard to Article 12 (1) of the Basic Law, insofar as this is to be decided in these proceedings. The imposition of the obligation to store data does not typically have an excessively burdensome effect on the service providers concerned. In particular, the obligation to retain data is not disproportionate with regard to the financial burdens imposed on the companies by the obligation to retain data pursuant to Section 113a TKG and the consequential obligations attached to it, such as the guarantee of data security. The legislature is not limited, within its broad scope of discretion, to only employing private persons if their professional activity can directly trigger dangers or if they are directly at fault with regard to these dangers. Rather, sufficient factual proximity and responsibility between the professional activity and the imposed obligation is sufficient in this respect. Accordingly, there are no fundamental objections to the cost burdens arising for those obliged to store data. In this way, the legislature shifts the costs associated with storage to the market, in line with the privatisation of the telecommunications sector as a whole. Just as the telecommunications companies can use the new opportunities of telecommunications technology to make a profit, they must also assume the costs of containing the new security risks associated with telecommunications and process them in their prices.

7. Invalidity of the challenged provisions

The violation of the fundamental right to protection of the secrecy of telecommunications under Article 10.1 of the Basic Law leads to the nullity of §§ 113a and 113b of the Telecommunications Act as well as of § 100g.1 sentence 1 of the Code of Criminal Procedure, insofar as traffic data may be collected pursuant to § 113a of the Telecommunications Act. The challenged provisions must therefore be declared null and void and the violation of fundamental rights must be established (cf. § 95.1 sentence 1 and § 95.3 sentence 1 BVerfGG). The decision is unanimous with regard to the questions of European law, the formal constitutionality and the fundamental compatibility of the precautionary retention of telecommunications traffic data with the constitution. With regard to the assessment of §§ 113a and 113b TKG as unconstitutional, the decision was reached by a vote of 7:1 and with regard to other substantive issues, as far as can be seen from the special votes, by a vote of 6:2.

The Senate decided by a vote of 4:4 that the provisions are to be declared null and void pursuant to § 95.3 sentence 1 of the BVerfGG and not merely incompatible with the Basic Law. Accordingly, the provisions cannot continue to be applied to a limited extent on a transitional basis, but rather the statutory rule of the declaration of nullity remains in force.

Special vote by Judge Schluckebier:

(1) The storage of traffic data for a period of six months at the service providers does not constitute an encroachment on the fundamental right under Article 10 (1) of the Basic Law of such weight that it could be classified as "particularly severe" and thus equally as severe as direct access by public authorities to communication content. The traffic data remains in the sphere of the private service providers, where it accrues for operational reasons and from which the individual telecommunications subscriber can expect, on the basis of the contractual obligation, that they will treat it strictly confidentially and protect it in their sphere. If the data security possible according to the state of the art is guaranteed, there is therefore also no objectifiable basis for the assumption of a storage-related intimidation effect on the citizen. The storage does not extend to the content of telecommunications. In the weighting of the encroachment, a perceptible distance must therefore be maintained from such particularly severe encroachments, as are present in the case of acoustic surveillance of living space, surveillance of the content of telecommunications or the so-called online search of information technology systems through direct access by state organs, and where there is a particular risk that the absolutely protected core area of private life is affected. Accordingly, it is not the storage of traffic data at the service provider's that is particularly intrusive, but only the retrieval and use of traffic data by state authorities in individual cases according to the existing legal bases for this; these, as well as the judicial order to collect traffic data, are in turn subject to the strict requirements of proportionality.

(2) The challenged provisions are in principle not inappropriate, are reasonable for the persons concerned and are thus proportionate in the narrower sense. With the obligation to store telecommunications traffic data for a period of six months, a regulation on the purpose of use and the regulation on the collection of data under criminal procedure law, the legislature has kept within the scope of its constitutional right. The state's duty to protect its citizens includes the task of taking appropriate measures to prevent violations of legal interests or to investigate them and to assign responsibility for violations of legal interests. In this sense, guaranteeing the protection of citizens and their fundamental rights as well as the foundations of the community and the prevention as well as the investigation of significant criminal offences are at the same time among the prerequisites for peaceful coexistence and the carefree use of fundamental rights by citizens. Effective investigation of criminal offences and effective prevention of danger are therefore not per se a threat to the freedom of citizens. In the tension between the state's duty to protect legal rights and the individual's interest in safeguarding his or her rights guaranteed by the constitution, it is first of all the task of the legislature to achieve a balance of the conflicting interests in an abstract manner. In doing so, the legislature has the leeway to assess and shape the situation. The aim of the legislature here was to take into account the indispensable needs of an effective administration of criminal justice under the rule of law in view of a fundamental change in the possibilities of communication and in people's communication behaviour in recent years. This goal presupposes in principle that the facts necessary for investigation can be ascertained.
In this context, the legislature has assumed that, due to the technical development towards flat rates, telecommunications traffic data in particular are often either not stored at all or have already been deleted before a court order to provide information can be obtained or even before the information required for a corresponding application has been determined. Although the majority of the Senate takes into account the fact that electronic or digital means of communication have penetrated almost all areas of life and therefore make criminal prosecution and the prevention of danger more difficult in certain areas when examining the suitability and necessity of traffic data retention, it does not give it the necessary weight in the examination of proportionality in the narrower sense under the aspect of appropriateness and reasonableness.

At the same time, the majority of the Senate almost completely restricts the legislature's scope for assessment and design to make appropriate and reasonable regulations for the protection of people in the field of crime investigation and danger prevention. In this way, it does not sufficiently take into account the requirement of judicial self-restraint vis-à-vis conceptual decisions of the democratically legitimised legislature. The ruling specifies a storage period of six months, i.e. the minimum required by the EC Directive, as being at the upper limit and at best justifiable under constitutional law, prescribes to the legislature in terms of regulation that the regulation of the purpose of use must at the same time contain the conditions for access, restricts it to a catalogue offence technique in criminal law, excludes the possibility of using the traffic data also to solve crimes committed by means of telecommunications that are difficult to solve, and extends the notification obligations in a certain way. After that, the legislature no longer has any significant leeway for shaping the law in its own political responsibility.

In particular, the Senate denies the legislature the retrievability of the traffic data stored under § 113a TKG for the investigation of criminal offences that are not listed in the current catalogue of § 100a (2) StPO but are of considerable significance in the individual case, as well as of offences committed by means of telecommunications (§ 100g (1) sentence 1 nos. 1 and 2 StPO). With regard to the latter offences, insufficient weight is given to the fact that the legislature assumes considerable difficulties of investigation here. Since it is for the legislature to ensure effective criminal prosecution and not to allow considerable gaps in protection to arise, it cannot be denied the power to open access to the traffic data also for criminal offences that are not particularly serious but damage weighty legal interests, because in its assessment this is the only way to rule out the emergence of spaces that are in fact largely lawless and a situation in which investigation largely comes to nothing. In addition, in designing the access power under criminal procedure law, the legislature was guided by criteria that the Senate approved in its judgment of 12 March 2003 (BVerfGE 107, 299 <322>) on the surrender of telecommunications connection data.

(3) In the ruling on the legal consequences, it would have been obvious, also on the basis of the constitutional assessment of the majority of the Senate, with recourse to the established case law of the Federal Constitutional Court, to set the legislature a deadline for a new regulation and to declare the existing provisions to continue to be temporarily applicable in accordance with the requirements of the temporary injunctions issued by the Senate, in order to avoid lasting deficits, in particular in the investigation of criminal offences, but also in the prevention of danger.

Separate opinion of Judge Eichberger:

The separate opinion essentially agrees with Judge Schluckebier's criticism of the assessment of the intensity of encroachment of the retention of telecommunications traffic data as an encroachment on Article 10.1 of the Basic Law. The legislative concept underlying §§ 113a, 113b TKG of a graduated legislative responsibility for the storage order on the one hand and the data retrieval on the other hand is in principle consistent with the constitution. This applies in particular to the use of the data stored under § 113a TKG for the purposes of criminal prosecution, which is regulated in § 100g StPO. The legislature is not forced to measure the proportionality of the retrieval regulation exclusively against the greatest possible intrusion of a comprehensive data retrieval ultimately aimed at a movement or social profile of the citizen concerned, but may take into account that a large number of data retrievals have far less weight, the reasonableness of which must be decided in each individual case by the judge appointed for this purpose.


Judgment of the Federal Constitutional Court of 2 March 2010 - 1 BvR 256/08, 1 BvR 263/08, 1 BvR 586/08 -


Source: Press release of the Federal Constitutional Court No. 11/2010 of 2 March 2010


Goldberg Attorneys at Law

Lawyer Michael Ullrich, LL. M. (Information Law)

Specialist lawyer for information technology law (IT law)