As mentioned a couple of weeks ago in the blog (10 January 2010 – Directive on data retention: now the floor goes to the German Constitutional Court) the German Constitutional Court was preparing to make a decision about the German internal application of the controversial Data Retention Directive (2006/24/EC), demanding telecommunication data retention from 6 months till 2 years. Some historical background is provided in the above mentioned blog. On March 2 the decision has arrived (1 BvR 256/08 , 1 BvR 263/08 , 1 BvR 586/08). And what a decision it is. It is of the same work as the famous decision in Marbury v. Madison presided over by John Marshall. The German Federal Constitutional Court (Bundesverfassungsgericht) avoided a direct conflict with the ECJ but showed once again that it will take its prerogatives very seriously regarding the protection of human rights and annulled the German provisions applying the Directive.
First, it analysed the question of the necessity to refer a preliminary question to the ECJ. It declined to do so on the basis of its understanding of the nature of Directive 2006/24/ES and the ECJ judgment of 10 February 2009 (C-301/06) that declined to annul the measure on the claim of a wrong legal basis (third pillar not first pillar). The German Constitutional Court said that the directive just demands the retention and did not provide rules regarding the access to data or their use by public authorities. So, it seems that something that was found to be a brilliant solution for some participants regarding the adoption of the Retention Directive under the former first pillar is now back firing regarding the limitation of the Directive and the huge margin of appreciation for national legislation and procedural safeguards. Although not directly, and somehow hidden the German Constitutional Court put some doubt on the legal basis used for the Retention Directive as it defined the telecommunication companies as helpers (Hilfspersonen) or better agents of the state regarding data gathering. Another contradiction with the Directive is the limitation of six months that the German Constitutional Court perceived as it seems a maximum limit not a minimum.
Further on the Court analysed the existing German provisions of the Telecommunication Law and the Criminal Procedural Law regarding the access to such data. In the light of Article 10 of the German Basic Law (Grundgesetz) it stated explicitly that “the protection of communication does not include only the content but also the secrecy of the circumstances of the communication, including especially if, when and how many times did some person… contact another or tried that”. Based on a test similar to the one the ECtHR is using for Article 8 (right to privacy) issues the Court analysed the questions of an existing legal basis, a legitimate aim and proportionality. It agreed, in principle, that a six-month retention period can be legitimate but only if recognised as an exception (“dass diese eine Ausnahme bleibt”). Such a measure “largely increases the risk of citizens to be the subject of further investigation, although they did not do anything wrong. It is enough to be at a wrong time … contacted by a certain person… to be under an obligation to provide justifications”, and further in the judgment that the preventive collection of data “can establish a filling of permanent control” and “diffuse danger” (“diffuse Bedrohlichkeit”).
It also stated – citing its judgment regarding the Lisbon Treaty (30 June 2009 – the identity retention principle – “Identitätsvorbehalt”) – that “the prohibition of totally …registering perception of freedom of citizens is a part of the constitutional legal identity of the Federal Republic of Germany…, and that for its protection the Federal Republic has to stand in at European and international level”. And it seems that the Court sends a message to the EU when saying “that the margin of appreciation of unsolicited data retention also through the EU is becoming extensively reduced”.
The main part of the Court’s evaluation was about the principle of proportionality based on four criteria: 1. data security, 2. scope of data use, 3. transparency and 4. safeguards.
It did not specify the level of data security but mentioned that it has to be a “very high level of security” that “takes into account all new findings”, and has to include supervision by an external authority, as well as an appropriate system of sanctions. It opposed the view that differentiates between data content and data information (place, hour, duration). It stated that “the evaluation of this data makes it possible to make conclusions about hidden layers of a person’s private life and gives under certain circumstances a picture of detailed personality and movement profiles; therefore it can not be in general concluded that the use of this data presents a less extensive intrusion as the control of the content of communications”.
Further, regarding the purpose it demanded: (a) a reasonable suspicion of a heavy criminal offence from a pre-written catalogue of such offences; (b) danger prevention (Gefahrenabwehr) based on protecting life or freedom of a person, survival or security of the state, or a common threat including real evidence of a concrete danger; (c) constitutional safeguards bind also the secret services; (d) limitations and safeguards regarding the further use of required data (e) limitation of transmitted data.
Transparency demands ex post information to the concerned person (or at least a judicial verification), but the Court distinguishes a separate category of bystanders (“Personen, deren Telekommunikationsverkehrsdaten nur zufällig miterfasst wurden”).
And finally, proper safeguards should include a judicial decision and parliamentary control (in the case of secret service activities), and a proper sanctions system in the event of misuse, including a possible exclusionary rule and damages. But one category – IP addresses – the court considered as special where less stringent requirements apply (no judicial decision), although a request must be based on pre-existing information (“eine Auskunft nicht ins Blaue hinein eingeholt werden… darf”) and can be applied also to heavy administrative-criminal violations.
The decision was not a unanimous one. There were two dissenting opinions voicing the concern of the effective use of law enforcement regarding certain criminal offences (for example, Cyber-mobbing). But anyway, the German Constitutional Court showed once again that is a powerful court that does not fear to take up EU topics, as it started more than a quarter century ago with the famous “so lange” case (Handelsgesellschaft v. Einfuhr und Vorratsstelle für Getreide und Futtermittel, BVerfGE 37, 271; 1974 2 CMLR 540). Its decision should no be perceived as opposition to EU law but much more as a second legal opinion on certain topics that sound fine in the large but not so much in detail. The decision has to be seen as well as a contra-reaction to the expansion of the Panoptikon principle (as it was first introduced by Jeremy Bentham in the prison context) where the society more and more controls the individual from the cradle till the grave, and thereby creating something called in German “der gläserne Bürger” (a fully visible citizen with no secrets from the state). In the time of PNR, SWIFT, satellite highway tolls and similar developments the decision is an important one.
By: Anze OR. EN