Privacy & Cybersecurity Law Blog

On May 28, 2015, the German government adopted a draft law that would require telecommunications and Internet service providers to retain Internet and telephone usage data. The initiative comes more than a year after the European Court of Justice declared the EU Data Retention Directive invalid, which had been implemented previously by German law. The German law implementing the EU Data Protection Directive had been declared unconstitutional by the German Federal Constitutional Court five years ago.

Retention Periods

Under the draft law, telecommunications and Internet service providers would have to retain various Internet and telephone usage data, including phone numbers, times called, IP addresses, and the international identifiers of mobile users (if applicable) for both the calling and called port for a period of 10 weeks. Furthermore, user location data in the context of mobile phone services would have to be retained for a period of four weeks. The draft law also requires the data to be deleted without undue delay after the expiration of the relevant retention period, and in any event, within one week following the expiration of the retention period.

Security and Localization Requirements

Telecommunications and Internet service providers also would be required to ensure that (1) data is stored in accordance with the highest possible levels of security, (2) data is stored within Germany, and (3) measures are in place to protect data from unauthorized inspection and use.

Administrative Offense and Fines

Non-compliance with the data retention requirements would constitute an administrative offense that would be punishable by a maximum fine of 500,000 EUR.

The draft law must be approved by Parliament before becoming law. The law has generated significant criticism by leading telecommunications industry associations.