News

Data Retention: Bundesnetzagentur stops enforcement after ruling by Higher Administrative Court

29.06.2017

Germany’s Federal Networks Agency, Bundesnetzagentur, announced on 28 June 2017 that it would temporarily desist from taking measures to enforce data retention (section 113b German Telecommunications Act).

The decision is the regulator’s response to the previous week’s rapid decision by the Higher Administrative Court of North Rhine-Westphalia (OVG NRW) on 22 June 2017 (13 B 238/17), which had temporarily suspended the retention obligations of the complaining service provider.

In the view of Bundesnetzagentur, the court decision has an importance which transcends the individual case, which is why the enforcement of data retention is suspended until a final decision is made in the principal matter.

Context

All providers are required from 1 July 2017 to save their customers’ telecommunications transaction data listed in section 113b German Telecommunications Act for 4 weeks (location data) or 10 weeks. Breaches of the retention obligation are punishable by a fine. This provision is already the second attempt to anchor data retention in German law, after the old provision was held to be unconstitutional by Germany’s Federal Constitutional Court.

The complainant, SpaceNet AG, provides internet access services in Germany and had opposed the obligation of data retention in interim proceedings, as it considered its basic rights under Germany’s Basic Law and the EU Charter of Fundamental Rights infringed. Cologne Administrative Court had struck out this emergency appeal in the first instance (see our report).

The OVG’s ruling

Unlike the lower court, the OVG now agreed with the core of SpaceNet AG’s argument. The retention obligation mentioned is incompatible as a whole with EU law, the court said, and violates the freedom to conduct a business of SpaceNet AG under Art. 16 of the EU Charter of Fundamental Rights.

The decision of the OVG followed two fundamental decisions by the Court of Justice of the European Union (CJEU). Firstly, the judgment in the Digital Rights Ireland case of 8 April 2014 (C-293/12 and C-594/12) on the invalidity of the Data Retention Directive 2006/24/EC; secondly, the recent judgment of 21 December 2016 on Swedish data retention (C-203/15).

According to this case law of the CJEU, legal provisions on data retention are only admissible if they are reasonable, proportionate and necessary for the prevention or prosecution of serious criminal offences. The provisions are to be assessed in particular in light of the fundamental rights of the EU Charter.

In the OVG’s opinion, the German law does not meet these standards. In particular, no link has been made with combating serious criminal offences. The German Telecommunications Act instead demands undifferentiated storage without corresponding personal, geographical or time limits. The retention obligation, says the court, is the norm, although it ought to remain the exception according to the system created by the Data Protection Directive. The related technical effort and financial expense for service providers interferes with their entrepreneurial freedom. The OVG emphasises that there is no legitimate public interest in temporary enforcement of the provisions, given that they have objectively been found to contravene European Union law.