Bundesverfassungsgericht - Decisions - Data retention unconstitutional in its present form
14.08.20, 10:44
and events of everyday life, the danger increases that it will be used for criminal offences and violations of
rights of many kinds. In a state under the rule of law, even the Internet may not be a legal vacuum. It is
therefore a legitimate concern for the legislature, where relatively serious violations of rights occur, to be
able to relate Internet contacts to individuals. To the extent that telecommunications traffic data must be
analysed by the service providers in order to give such information in the current technological conditions,
in which IP addresses are predominantly allocated only for an individual session (“dynamically”), this
therefore encounters no fundamental objections. In addition, in order to guarantee reliable attribution of
these addresses for a certain period of time, the legislature may provide for the relevant data to be
retained or for comprehensive recourse to be permitted to data retained in this way by the service
providers. In this connection, the legislature has legislative discretion.
c) Accordingly, the legislature may permit such information, even independently of restrictive lists of legal 261
interests or criminal offences, for the prosecution of criminal offences, for warding off danger and for the
intelligence services to carry out their duties, on the basis of general authorisations to encroach provided
by specific branches of law. (see Bock, in: Geppert/Piepenbrock/Schütz/Schuster, Beck’scher Kommentar
zum TKG , 3rd ed. 2006, § 113 , marginal no. 7; Graulich, in: Arndt/Fetzer/Scherer, TKG , 2008, § 113 ,
marginal no. 8). Admittedly, with regard to the thresholds of encroachment, it must be ensured that
information may not be obtained at random, but only on the basis of a sufficient initial suspicion or of a
concrete danger on the basis of facts relating to the individual case. In this connection, the requirement of
a concrete danger based on factual evidence applies to the intelligence services just as to all authorities
competent to ward off danger to public security and order. The legal and factual basis of such requests for
information must be placed on the record. For information of this kind, however, it is not necessary to
provide for a requirement of judicial authority.
But the substantial weight of the encroachment made by such information does not permit it to be made 262
available generally and without restrictions to prosecute or prevent every regulatory offence whatsoever.
For anonymity in the Internet to be lifted, there must at least be an adverse effect on a legal interest, and
the legal system must accord particular significance to this adverse effect in other contexts too. This does
not completely exclude such information being given to prosecute or prevent regulatory offences. But they
must be regulatory offences that are particularly serious – even in the individual case – and they must be
expressly named by the legislature.
Nor is there any reason to revoke the principle of transparency (see C V 3 above) for the identification of 263
IP addresses. The person affected, who may as a rule assume that he or she is using the Internet
anonymously, has, in principle, the right to learn that this anonymity has been removed, and why.
Accordingly, the legislature must at all events provide for duties of notification, insofar as and as soon as
this does not frustrate the purpose of the information or other predominant interests of third parties or of
the persons affected themselves do not conflict with this. Where, in exceptional cases, in accordance with
statutory provisions to this effect, there is no notification, the reason for this must be put on record.
However, in this case there is no need for judicial confirmation of the failure to notify.
5. The constitutionally required guarantee of data security and of a restriction of the use of data, in well- 264
defined Federal provisions, which satisfies the requirements of proportionality, is an inseparable element
of legislation creating a duty of data storage, and it is therefore the responsibility of the Federal legislature,
which imposes the duty. In contrast, the responsibility for creating the retrieval provisions themselves and
for drafting the provisions on transparency and legal protection depends on the legislative competence for
the respective subject-matter.
a) Under Article 73.1 no. 7 GG, where questions of data security need to be decided in connection with 265
the duty of the service providers to store telecommunications traffic data by way of precaution without
cause, this, as an immediate component of the duty of storage and of the consequences legally
associated with this, is the responsibility of the Federation. This includes not only the provisions on the
security of the stored data, but also the provisions on the security of the transmission of the data, and in
this connection the guarantee of protection of confidential relationships (see above C V 1 and C V 2 e).
https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/EN/2010/03/rs20100302_1bvr025608en.html
Seite 34 von 53