On the BVG ruling on Data Retention: “So lange” – here it goes again…

As mentioned a couple of weeks ago in the blog (10 January 2010 – Directive on data retention: now the floor goes to the German Constitutional Court), the German Constitutional Court was preparing to decide on the German internal application of the controversial Data Retention Directive (2006/24/EC), which demands telecommunication data retention for between 6 months and 2 years. Some historical background is provided in the above-mentioned blog post. On March 2 the decision arrived (1 BvR 256/08, 1 BvR 263/08, 1 BvR 586/08). And what a decision it is. It is in the same vein as the famous decision in Marbury v. Madison presided over by John Marshall. The German Federal Constitutional Court (Bundesverfassungsgericht) avoided a direct conflict with the ECJ but showed once again that it takes its prerogatives regarding the protection of human rights very seriously, and annulled the German provisions applying the Directive.

First, it analysed whether it was necessary to refer a preliminary question to the ECJ. It declined to do so on the basis of its understanding of the nature of Directive 2006/24/EC and the ECJ judgment of 10 February 2009 (C-301/06), which declined to annul the measure on the claim of a wrong legal basis (third pillar not first pillar). The German Constitutional Court said that the Directive only demands retention and does not provide rules regarding access to the data or their use by public authorities. So it seems that what some participants found to be a brilliant solution, the adoption of the Retention Directive under the former first pillar, is now backfiring: the Directive is limited in scope and leaves a huge margin of appreciation for national legislation and procedural safeguards. Although not directly, and in a somewhat hidden way, the German Constitutional Court cast some doubt on the legal basis used for the Retention Directive, as it defined the telecommunication companies as helpers (Hilfspersonen), or better, agents of the state regarding data gathering. Another contradiction with the Directive is the limit of six months, which the German Constitutional Court perceived, it seems, as a maximum limit, not a minimum.

Further on, the Court analysed the existing German provisions of the Telecommunication Law and the Criminal Procedural Law regarding access to such data. In the light of Article 10 of the German Basic Law (Grundgesetz) it stated explicitly that “the protection of communication does not include only the content but also the secrecy of the circumstances of the communication, including especially if, when and how many times did some person… contact another or tried that”. Based on a test similar to the one the ECtHR uses for Article 8 (right to privacy) issues, the Court analysed the questions of an existing legal basis, a legitimate aim and proportionality. It agreed, in principle, that a six-month retention period can be legitimate, but only if recognised as an exception (“dass diese eine Ausnahme bleibt”). Such a measure “largely increases the risk of citizens to be the subject of further investigation, although they did not do anything wrong. It is enough to be at a wrong time … contacted by a certain person… to be under an obligation to provide justifications”, and further in the judgment it said that the preventive collection of data “can establish a feeling of permanent control” and “diffuse danger” (“diffuse Bedrohlichkeit”).

It also stated – citing its judgment regarding the Lisbon Treaty (30 June 2009 – the identity retention principle – “Identitätsvorbehalt”) – that “the prohibition of totally …registering perception of freedom of citizens is a part of the constitutional legal identity of the Federal Republic of Germany…, and that for its protection the Federal Republic has to stand in at European and international level”. And it seems that the Court sends a message to the EU when saying “that the margin of appreciation of unsolicited data retention also through the EU is becoming extensively reduced”.

The main part of the Court’s evaluation was about the principle of proportionality based on four criteria: 1. data security, 2. scope of data use, 3. transparency and 4. safeguards.

It did not specify the level of data security but mentioned that it has to be a “very high level of security” that “takes into account all new findings”, and has to include supervision by an external authority, as well as an appropriate system of sanctions. It opposed the view that differentiates between data content and data information (place, hour, duration). It stated that “the evaluation of this data makes it possible to make conclusions about hidden layers of a person’s private life and gives under certain circumstances a picture of detailed personality and movement profiles; therefore it cannot be in general concluded that the use of this data presents a less extensive intrusion than the control of the content of communications”.

Further, regarding the purpose it demanded: (a) a reasonable suspicion of a heavy criminal offence from a pre-written catalogue of such offences; (b) danger prevention (Gefahrenabwehr) based on protecting life or freedom of a person, survival or security of the state, or a common threat including real evidence of a concrete danger; (c) constitutional safeguards bind also the secret services; (d) limitations and safeguards regarding the further use of required data; (e) limitation of transmitted data.

Transparency demands ex post information to the concerned person (or at least a judicial verification), but the Court distinguishes a separate category of bystanders (“Personen, deren Telekommunikationsverkehrsdaten nur zufällig miterfasst wurden”).

And finally, proper safeguards should include a judicial decision and parliamentary control (in the case of secret service activities), and a proper sanctions system in the event of misuse, including a possible exclusionary rule and damages. But the Court considered one category, IP addresses, as special: less stringent requirements apply (no judicial decision), although a request must be based on pre-existing information (“eine Auskunft nicht ins Blaue hinein eingeholt werden… darf”), and such requests can also be applied to heavy administrative-criminal violations.

The decision was not a unanimous one. There were two dissenting opinions voicing concern about effective law enforcement regarding certain criminal offences (for example, Cyber-mobbing). But anyway, the German Constitutional Court showed once again that it is a powerful court that does not fear to take up EU topics, as it started doing more than a quarter century ago with the famous “so lange” case (Handelsgesellschaft v. Einfuhr und Vorratsstelle für Getreide und Futtermittel, BVerfGE 37, 271; [1974] 2 CMLR 540). Its decision should not be perceived as opposition to EU law but much more as a second legal opinion on certain topics that sound fine in general but not so much in detail. The decision also has to be seen as a counter-reaction to the expansion of the Panopticon principle (as it was first introduced by Jeremy Bentham in the prison context), where society more and more controls the individual from the cradle to the grave, thereby creating something called in German “der gläserne Bürger” (a fully visible citizen with no secrets from the state). In the time of PNR, SWIFT, satellite highway tolls and similar developments the decision is an important one.

By: Anze OR. EN

3 thoughts on “On the BVG ruling on Data Retention: “So lange” – here it goes again…”

  1. The recent ruling of the German Constitutional Court on the EU Directive on Data retention seems to address only the German Bundestag.
    In fact, after “Solange I”, “Solange II” and more recently the “Lissabon Urteil”, this is also an indirect message to the EU and its Judges and Legislators on the way the German Court considers that fundamental rights should be protected also at European level.
    One should remember that in the “Lissabon Urteil” it was made clear that Germany will not be bound by EU rules if it breaches “…the constitutional legal identity of the Federal Republic of Germany”.
    Now, in the latest ruling on data retention the BGV has declared that even the “..perception of freedom of citizens is a part of Constitutional legal identity”; so, it follows that the EU legislator, if it wants to avoid a legal conflict with Germany, should preserve this “perception of freedom” for all the EU citizens when it will revise (in the coming years) the data retention directive…
    If so, this will be a beneficial effect of the interaction between the EU and its Member States’ legal order.
    Therefore it is not by hazard that the EU has mirrored in its new EU Charter particularly the protection of human dignity as it is the case for the German Constitution and has moreover a specific article on data protection (art. 8)….

  2. “The Bundestag will (thus) need to analyze the decision carefully to make sure that a new and improved retention law will survive another court proceeding and pass constitutional muster. This debate has already started in Germany: For instance, the Bundestag could decide to cut down the retention time period (currently six months), impose stiffer requirements on who has access to the data, and for what purpose, etc.

    Whatever the new law will look like, the fact is that a “new and improved” version of this law may be costly for the telecommunications industry. It is worth noting that the court intends to prevent the government from collecting the data in its own databases, but wants to keep them with the carriers and service providers. In other words, the court trusts that private companies remain the custodians of the data, rather than the government. In other words, these companies are recruited as the ‘Deputy Sheriffs.’ Some observers characterize this scheme as operating a data supermarket for law enforcement. The question is how much the prosecutors need to pay for it at the cash register and who will make sure that there is no shoplifting. Given that there will be high constitutional hurdles for such data storage under the court’s new decision, industry representatives already claim higher reimbursements are needed for the data retention safeguards that will become necessary under a revised law. Even the deletion of the data at the right point in time may be time-consuming and costly. In times of budgetary hardships everywhere, this dispute could become a serious obstacle for a new and improved version of the law.”

    The full analysis available at:
    http://www.aicgs.org/analysis/c/spies030410.aspx

  3. Pingback: THE GERMAN CONSTITUTIONAL COURT JUDGMENT ON DATA RETENTION: « Weblog Law & Technology
