Bundesverfassungsgericht - Decisions - Data retention unconstitutional in its present form

[272] Nor is it ensured by statutory orders or by orders of the regulatory authorities that these standards are
put into specific terms. In particular, § 110 TKG does not guarantee that adequate security standards
apply. Admittedly, the delegated legislation to be passed under this statute (see § 110.2 and 3 TKG) may
include aspects of data security. However, this statute – which is primarily determined by technical
objectives – neither contains substantive standards, nor does it otherwise take up the aspect of data
security. Apart from this, even two years after the duty of storage of § 113a TKG entered into force, the
Telecommunications Interception Order (Telekommunikationsüberwachungsverordnung – TKÜV) has not
been adapted to take account of the reform of the law. Correspondingly, under § 110.3 TKG, the Technical
Guideline for the Implementation of Statutory Measures to Monitor Telecommunications and for Requests
for Information for Traffic Data (technische Richtlinie zur Umsetzung gesetzlicher Maßnahmen zur
Überwachung der Telekommunikation und zum Auskunftsersuchen für Verkehrsdaten – TR-TKÜV) –
published in December 2009 under § 110.3 sentence 3 TKG on the website of the Federal Network
Agency (see Federal Network Agency, Amtsblatt 2009, p. 4706) – will come into effect only one year after
this adaptation (see Inhaltsangabe 1 (Regelungsbereich) TR-TKÜV; Teil B 1 (Grundsätzliches) TR-TKÜV).

[273] Nor does § 109.3 TKG guarantee sufficient data security. Admittedly, the statute provides that operators
of telecommunications equipment must appoint security officers and prepare a security policy, which must
be submitted to the Federal Network Agency. In addition, the policy must be adjusted and resubmitted
later if the “circumstances” on which it is based are changed. However, this does not reliably guarantee a
particularly high security standard. Thus, for example, the provision only applies to equipment operators, but
not to all the persons targeted by § 113a TKG, which also applies to other service providers. In addition, §
109.3 TKG refers substantively only to the insufficient requirements of § 109.1 and 109.2 TKG. Nor is a
continuing and verifiable adaptation of the security standard to the state of the art in technology
guaranteed by well-defined provisions. In this connection, it is not clear whether § 109.3 sentence 4 TKG
also requires an adaptation to the technological development of protective measures and to developing
legal security standards. At all events, there is no obligation for a periodical updating of the security policy
which could enable effective supervision in this respect.

[274] Nor can § 9 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) in conjunction with
the relevant schedule compensate for the absence of adequate security standards in the
Telecommunications Act. Notwithstanding its high standards, some of which are abstract, this provision,
which in any case may only be applied in the alternative (see Fetzer, in: Arndt/Fetzer/Scherer, TKG, 2008,
before § 91, marginal no. 10; Klesczewski, in: Säcker, Berliner Kommentar zum TKG, 2nd ed. 2009, § 91
marginal no. 15), is too general to ensure in a sufficiently specific and reliable manner the particularly high
security standards with regard to the data to be stored under § 113a TKG.

[275] All in all, therefore, there is no guarantee in a binding form and in well-defined provisions of a particularly
high security standard for the data to be stored under § 113a TKG. Neither are the instruments cited by
the experts in the present proceedings as central elements (separate storage, asymmetric encryption, the
four-eyes principle in conjunction with advanced authentication procedures for access to the keys,
revision-proof recording of access and deletion) imposed on the persons with a duty of storage in an
enforceable manner, nor are other precautions which guarantee a comparable level of security imposed
on them. Nor is there a balanced system of sanctions that attributes no less weight to violations of data
security than to violations of the duties of storage themselves. The range of administrative fines for noncompliance with the duties of storage is markedly broader than that for the violation of data security (see §
149.2 sentence 1 in conjunction with § 149.1 nos. 36 and 38 TKG). The current legal situation therefore
does not satisfy the constitutional requirements of the security of a data pool as is created by § 113a TKG.

[276] 3. The provisions on transmission and use of the data under § 113b sentence 1 half-sentence 1 TKG do
not satisfy the constitutional requirements.

[277] a) Firstly, the provisions on the use of the data for criminal prosecution are incompatible with the
standards developed from the principle of proportionality.

https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/EN/2010/03/rs20100302_1bvr025608en.html
