New Data Retention Law Threatens Privacy of German Citizens
By Paul Liu
Friday, March 10th, 2017
A new data retention law is threatening to undermine the privacy of millions of ordinary German citizens. The law was proposed in mid-2015 and was approved by both houses of the German parliament towards the end of last year. Under its provisions, all telephone and Internet service providers within Germany must log the metadata of their customers’ communications starting from 1st July 2017. While the law is at odds with the EU’s regulations and can still be challenged in the courts, it looks like a done deal.
This is not the first time Germany has tried to enact a data retention law. Back in 2007, the German Parliament passed a law which directed telecom companies as well as ISPs to retain all communications data for a period of six months. The law came into effect on 1st January 2008 and was valid until 2nd March 2010, when it was deemed unconstitutional by the German Constitutional Court. According to the court's order, the law violated Article 10 of German law, which guarantees privacy of telecommunications, posts and correspondence to all citizens.
In order to address the concerns raised by the Court, the new law mandates that German telecom providers store the metadata (and not the actual content) of all communications for a period of ten weeks. As a result, phone companies would need to store phone numbers, location and date/time of all phone calls, while ISPs would need to capture IP addresses and date/time of all online connections. Due to technical issues associated with how text messages are sent and received, SMS messages would be captured and stored in full. However, email traffic has been excluded from data retention, while location-based information would be stored for a period of just 4 weeks. The law also mandates that all metadata must be stored on air-gapped servers and must be encrypted.
To prevent the misuse of the Data Retention Act, the law also states under what circumstances the stored data can be accessed by the authorities. As per the provisions defined by the Act, metadata stored by telecom companies can only be retrieved with a search warrant and judicial order. The Act also defines a list of “severe crimes” that would permit access to the stored metadata. As such, people suspected of carrying out sensational crimes like murder, kidnapping and terrorism would essentially be granting permission to the authorities to search their data.
The new law has invited criticism from several different stakeholders. While privacy activists have denounced the law as unconstitutional, the police have complained that 10 weeks is too short a window to conduct in-depth investigations. The law is also at odds with the European Union’s single market regulations and is likely to face opposition from citizen activist groups.
While the new data retention law is definitely a big blow to the privacy of German citizens, there are ways to bypass it. Security experts recommend making use of encrypted phone and email services as well as logless VPN services in order to avoid leaving footprints for the authorities.