Bundesverfassungsgericht - Decisions - Data retention unconstitutional in its present form

223
In the statements in the oral hearing and in the written submissions to the present proceedings, experts
referred to a broad spectrum of instruments to increase data security. For example, there was reference to
separate storage of the data to be stored under § 113a TKG on computers which are also physically
separate from each other and not connected to the Internet; an asymmetrical cryptographic encryption
with keys stored separately; the requirement of the four-eyes principle for access to the data, combined
with progressive methods of authentication for access to the keys; revision-proof recording of the access
to the data and their deletion; and the use of automated error-correction and plausibility procedures.
Supplementing such technologically oriented instruments, reference was also made to the creation of
duties to provide information in the case of violations of data protection; the introduction of no-fault liability;
or a strengthening of the claims to compensation for intangible damage, in order in this way to create an
incentive to implement effective data protection.

224
The Basic Law does not lay down in detail what specific security measures are required. Ultimately,
however, a standard must be guaranteed which, specifically taking into account the special features of the
data pools created by precautionary storage of telecommunications traffic data, guarantees a particularly
high degree of security. In this connection, it must be ensured that this standard – for example by recourse
to legal concepts of non-constitutional law such as the state of the art (see Heibey, in: Roßnagel,
Handbuch Datenschutzrecht, 2003, p. 575, marginal no. 19, p. 598, marginal no. 145;
Tinnefeld/Ehrmann/Gerling, Einführung in das Datenschutzrecht, 4th ed. 2005, p. 628) – is oriented to the
state of development of the discussion between specialists and constantly absorbs new knowledge and
insights. It must therefore be provided that the enterprises with a duty of storage must adapt their
measures to this in a verifiable manner, for example on the basis of security policies which are to be
renewed periodically. By reason of the potential danger that follows from the data pools in question, it is
not possible to subject the security requirements described to a free weighing of interests against general
business considerations. If the legislature provides for comprehensive storage of telecommunications
traffic data without exceptions, it is part of the necessary requirements that the providers affected can not
only perform their duty of storage, but also comply with the corresponding data security requirements.
Taking up the expert opinions, it is natural to conclude that in the present state of discussion, it is in
principle necessary for the data to be stored separately, and for there to be sophisticated encryption, a
secured access regime, using, for example, the four-eyes principle, and revision-proof recording, in order
to adequately guarantee the security of the data under constitutional law.

225
There is a need for statutory provisions which lay down such a particularly high security standard in a
qualified manner and are at all events fundamentally well-defined and legally binding. In this connection
the legislature is free to entrust a regulatory agency with the technicalities of putting the prescribed
standard into concrete terms. In this process, however, the legislature must ensure that the decision as to
the nature and degree of the protective precautions to be taken does not ultimately lie without supervision
in the hands of the respective telecommunications providers. The requirements to be made must either be
laid down in sophisticated technical provisions – possibly graduated on various levels of legislation – or in
a general manner and then be put in specific terms in a transparent manner by a binding individual
decision of the regulatory authorities addressed to the individual enterprise. In addition, there is also a
constitutional requirement of monitoring which is comprehensible to the public and which involves the
independent data protection officer (see BVerfGE 65, 1 (46)) and a balanced system of sanctions which
also attaches reasonable weight to violations of data security.

226
2. Storage of telecommunications traffic data as provided by § 113a TKG also requires statutory
provisions on the use of these data. The drafting of these provisions on use, in a manner that is not
disproportionate, thus not only decides on the constitutionality of these provisions, which in themselves
constitute an encroachment, but also has an effect on the constitutionality of the storage as such. Under
the case-law of the Federal Constitutional Court, the greater is the weight of the encroachment constituted
by the storage, the more narrowly the requirements for the use of data and their extent must be defined in
the relevant basic statutory provisions. The occasion, purpose and extent of the given encroachment and

https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/EN/2010/03/rs20100302_1bvr025608en.html
