Data retention legislation

The issue of data storage is certainly a sensitive, which is always controversial discussed. With this article we want to show and explain what is exactly meant by the current legislation relating to data retention.

What is data retention?

As the name suggests, it’s all about the storage of your data. This includes your personal data such as your name and address, which are stored by public authorities. It is a data retention, since the data are currently not needed. It can be understand as a “storage on stock”, should they be needed once. Most often the term data retention refers to the telecommunication connection data, ie telephone numbers, locations, IP addresses, etc. The common term for this is “Call Data Records” or CDR. The CDR are stored by telecommunications service providers in order to prevent any crimes and allow for tracking by the governmental authorities within the legally accepted boundries.

How is Germany dealing with the data retention legislation?

The data retention legislation has a long history behind it. Since the early 1980s, data was already on computers to check itemized bills for example. This was an advantage for the customer who were able to defend themselves against unjustified invoices. The telecommunication provider could only store data for billing, but not location data, IP addresses, or data connection. Therefore, "minimum periods" for storing connection data were demanded by the Federal Council in 1996 due to the possible danger no data could be verified or traced to identify the perpetrators in case of offenses.

In 2005, the decision of a minimum storage period of data has been rejected by the German Bundestag, as it was considered unconstitutional. But in 2006 an EU guideline was placed on the retention in force, which should unify the national legislation of EU Member States for the storage of call data records. This directive stipulates that the personal data could be stored for a minimum of up to 6 months.

The directive was highly controversial since many saw the individual right to self-determination and privacy at risk.

It came to no surprise when this directive was annulled by the European Court invalidated a few years later in April 2014. According to the court, the directive was incompatible with the EU charter of fundamental rights.

Status as of today

In Germany the storage of data is not allowed without a specific suspicion or requirement in general. However, the government has adopted a new bill in June of this year, which is currently still pending with the federal court. It has already been adopted by the Bundestag, even if not every party agreed.

This design provides that data may be stored in Germany for ten weeks so that investigators can access it with crime or terrorist attacks.

What information exactly will be saved?

The new bill provides that telecommunications operators are allowed to store the IP addresses of computers and connection data of telephone calls a maximum of two months. Location data of mobile calls with the smartphone may be stored to a maximum of four weeks. Email data should be excluded from storage.

The mobile data retention includes your connection information (ie when you spoke on the phone with whom and for how long), the radio cell in which your phone is registered to during the call (= location data), as well as the time of sending and receiving SMS and MMS. The identification of cell phones, the so-called IMSI is stored. This allows the recovery of telephones if different SIM cards were used.

Recently It became known that not only location and connection data, but also contents of the messages are stored. It is technically quite complicated to store both separate from each other due to the nature and structure of the message and the technical infrastructure. But the contents were "masked", so that not every employee of a telecommunications company can view the messages. The police is allowed only to review the connection data, but not receive the contents on request. Otherwise, the provider would be culpable in disclosure of the contents.

The stored data may be used by the authorities only for the prosecution of certain serious crimes. This includes acts of terrorism or child pornography cases. In the data, the authorities permitted to access only after the approval of a judge.

How do we deal with your data?

If we obtain personal data such as name, address or email address from you on any of our sites, this is always done on a voluntary basis. These data will never be disclosed without your consent to third parties. We do only store the data that is required for billing and support purposes.

However, we point out that the Internet security vulnerabilities related to the data transfer may be present repeatedly. Unfortunately, there are many companies that do not comply with the current legislation and save customer data over a longer than allowed and/or required period. We would like to differentiate us clearly from these type of companies.

In the future, the data storage could change due to the envisaged law. Should we then be required to to store additional personal data from you, we put on notice as soon as possible.

Go back