12.06.2015

Data Retention: Draft Law Proposes Retention to Never-Before-Seen Extent

  • eco suggests exclusion of Internet services
  • Modification of the technical requirements for retention as baseline solution
  • At least 2,500 companies affected: The state must cover the costs

Implementing the reintroduction of Blanket Data Retention, agreed upon by the German Federal Government on 27 May, will mean that providers are required to retain substantially more data than during the last period of Blanket Data Retention. This is the conclusion of the newly worked-out position of eco – Association of the German Internet Industry e. V. The reason for this increase is largely due to the changed technical reality. In contrast to ten years ago, the IP address alone is no longer sufficient to identify a particular connection today. Providers must instead build an enormous database which saves information about not only the IP address, but also the port, which in turn determines and records the service used, even including the exact time stamp – which ideally records the use of a service down to the millisecond. This threatens to result in a complete documentation of the behavior of all users in the Internet. “Many of the intended technical requirements are not manageable in practice, and at the same time they will lead to serious conflicts with basic rights,” says Oliver Süme, eco Director for Policy and Law. “The Federal Government could avoid some of these conflicts if the Internet services were excluded from the obligation to retain data.

Modification of the technical requirements for retention as baseline solution

If the Federal Government, despite the serious constitutional and technical concerns, maintain their plan of retention on such a massive scale, then the draft law urgently needs to be amended.  In particular, eco sees the need to revise the provisions for the technical specifications for the retention of data, and the associated security regulations.

It is, for example, unclear how the requirement that the data be saved on a data processing system which is not connected to the Internet can work in practice, and how mass queries can be realized using the asymmetrical encryption technique proposed by the German Constitutional Court.

At least 2,500 companies affected: The state must cover the costs

The planned law represents a great financial risk for the affected companies, as it demands a large investment, but at the same time in its current form will most likely not be deemed admissible in the German Constitutional Court or in the European Court of Justice. The German implementation law, which the German Constitutional Court declared invalid in 2010, itself led to unnecessary expenses in the millions for German telecommunications and Internet companies. With the planned new law, costs of implementation of mandatory storage will be even higher in comparison to the old regulation, because companies will need to develop completely new storage infrastructure. An initial estimate undertaken by eco of the costs suggests that they could reach 600 million Euros for the entire industry. “Law enforcement has always been a state responsibility. It is not acceptable that the Federal Government passes the complete costs on to the private economy. We call for a reimbursement that goes considerably further than the narrow compensation conditions envisaged in the draft law,” says Oliver SĂĽme. In contrast to the Federal Government, which – for some incomprehensible reason – assumes a mere 1,000 companies will be affected, eco estimates that 2,500 companies will be required to implement this regulation.

More information on the draft law can be found here.