German Minister Risks €300,000 Daily Fines By Delaying EU Data Retention Directive

It is a complex tale. The Data Retention Directive instructs European member states to implement national laws forcing telecommunications companies to retain customer communications metadata for up to two years, and to provide access to that data for government and law enforcement agencies. It was introduced as an anti-terrorism measure following the Madrid bombing in 2004 and the London bombing in 2005; but it is fiercely opposed by privacy groups who consider it to be an invasion of personal privacy.

However, it is also believed that Germany was instrumental in developing the law in the first place. A proposed similar data retention law in Germany predating the directive was rejected by the German parliament, and the then justice minister Brigitte Zypries is believed to have subsequently pressed Brussels to devise EU-wide legislation.

Germany implemented the ensuing directive – but it was thrown out by the German constitutional court in 2010. In May 2012 the European Commission referred Germany to the Court of Justice over failure to fulfill its legal obligation to implement the directive, and asked the court to impose a fine of €315,036.54 for each day it remains in breach. The court is due to reach its decision later this month.

Meanwhile, the justice minister (a member of  centre-left SPD party, a minority member of the ruling coalition) has said he will await that decision, while the primary parties (Chancellor Angela Merkel’s centre-right Christian Democratic Union, CDU, faction and its sister party, the Bavarian Christian Social Union, CSU) both want to transpose the directive immediately.

EU Observer reports, "A spokesperson at AK Vorrat, a German NGO against data retention, described the CDU/CSU stance as a tactic to outmanoeuvre the court whatever the outcome." If data retention is already law in Germany, rejection of data retention by the European court will have no effect in Germany. 

The whole issue gets further complicated by last month's non-binding 'opinion' from the court's advocate General, Pedro Cruz Villalón. In a separate case against the directive brought by Digital Rights Ireland he concluded that the directive "is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union."

Civil rights groups were delighted. Germany's Green MEP Jan Philipp Albrecht declared, "Data retention now has to be stopped in all of Europe." But the majority German conservatives disagree. EurActiv reports, "According to the Conservatives, the opinion of the ECJ's advocate general largely fits with the German constitutional court's ruling, and does not state that data retention in itself is contradictory with fundamental rights. The ECJ, they point out, will probably conclude that data retention as such is acceptable in some circumstances."

Germany is not the only European country not to have implemented the directive. "Austria, Belgium and Sweden have also been accused by the European Commission of refusing to comply with the directive," says EurActiv, "but Germany remains the only member state still in legal proceedings. If the directive stands, Germany could face fines of around €315,000 per day." If it falls, then the reluctance of Austria, Belgium and Sweden will be vindicated.

To a degree, then, the future of European data retention is back where it started eight years ago – in the debating halls of Germany.

What’s Hot on Infosecurity Magazine?