The Data Retention Directive was enacted as a reaction to the 2004 and 2005 terrorist attacks in Europe in order to harmonize the investigation and prosecution mechanisms throughout the EU, especially with regards to organized crime and terrorism. This Directive required operators to hold on to certain types of data for periods which varied from 6 months to 2 years, and to make such data accessible to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.
This Directive faced much criticism due to the fact that it did not include proper safeguards and there was no limit what the data could be used for. In fact, in 2014, the Court of Justice of the European Union ruled this Directive invalid – declaring it incompatible with the fundamental rights to respect for private and family life and to the protection of personal data, while also not meeting the principle of proportionality.
Nevertheless, Germany has started to promulgate its own data retention laws – preparations for which are well under way. Although storage periods have been reduced to 4-10 weeks, there are still many who oppose the enactment of this legislation. As yet, there has been no real evidence that data retention is actually an effective tool in detection and prosecution of serious crime and terrorism.
On Wednesday, 16th September 2015, the Commission issued a statement denying rumours that it is “threatening to take Germany to Court” over these laws. It reiterated its position: the option to promulgate data retention legislation is a national one:
“We are aware that data retention is often the subject of a very sensitive, ideological debate and that sometimes there can be a temptation to draw the European Commission into these debates. The European Commission is not ready to play this game.”
The Commission is very determined not to take a position on the issue, and clarified that enactment of data retention legislation is allowed under EU law as long as it does not go against basic EU principles, such as those found within the EPrivacy Directive. It remains unclear whether or not this law will actually be enacted, as there are many issues with the proposal that would need to be resolved – as it has been argued that this law goes against the German constitution. It is a distinct possibility that this law follows the ill fate of the German law that encouraged telecommunications providers to store electronic communications data in 2008. The latter was later declared null and void by the German Federal Constitutional Court. In the UK, data retention laws were hurriedly passed in 2014, and were subsequently held to be “incompatible with EU law” by the High Court on the 17th of July 2015.
Andrea Vosshoff, Germany’s Federal Commissioner for Data Protection and Freedom of Information, who was not consulted on the new laws, published her opinion on the matter deeming it “unconstitutional” and claimed that it is not capable of being passed in its current form, suggesting that it goes against both German and EU law. In her report, she states that currently, one in four government agencies in Germany break data protection laws.