Bundesverfassungsgericht - Decisions - Data retention unconstitutional in its present form
14.08.20, 10:44
1. § 113a TKG is not unconstitutional merely because of its scope. The legislature may deem the duty of 270
storage created by § 113a TKG, which under § 113a.1 to § 113a.7 extends without cause to virtually all
traffic data of publicly accessible telecommunications services, to be suitable, necessary and
proportionate in the narrow sense to increase the effectiveness of criminal prosecution and the prevention
of danger (see above C IV). Despite its scope, the provision is still sufficiently restricted with regard to the
extent of the data covered. As § 113.8 TKG expressly states, the contents of telephone conversations,
faxes and emails may not be stored, nor may the websites or service providers which a user has
contacted on the Internet. In addition, in § 113a.1, 11 TKG the legislature has provided for a period of
storage which is still constitutionally acceptable, given a duration of six months and a period of one month
for deletion immediately following this. Similarly, at the present time it cannot be determined that the
provision, in combination with other provisions, aims at or results in the creation of a general
comprehensive data pool for the greatest possible reconstruction of all activities whatsoever of the
citizens. In this connection, importance attaches to the application of the principle of data economy, which
in other respects pervades data protection law, and to a large number of duties of deletion, with which the
legislature fundamentally endeavours to prevent the creation of avoidable data pools. In this connection,
the relevant factors for this assessment are in particular, for example, §§ 11 et seq. of the Telemedia Act
(Telemediengesetz – TMG), which fundamentally subject services providers under the Telemedia Act to an
obligation to delete data which are not necessary for the statement of costs (see § 13.4 no. 2, § 15 TMG)
and in this way, against private-sector incentives too prevent the contents of the use of the Internet from
being recorded in general commercial data pools and thus remaining reconstructible. § 113a TKG can
therefore not be understood as the expression of a general public provision of data for the future for
purposes of criminal prosecution and prevention of danger, but despite its breadth remains a limited
exception which attempts to take account of the particular challenges of modern telecommunications for
criminal prosecution and prevention of danger.
2. In contrast, the guarantee of a particularly high standard of security, which is constitutionally 271
necessary for such a data pool, is missing. In this respect, § 113a.10 TKG only provides the duty, which
remains undefined, to ensure by technical and organisational measures that access to the stored data is
possible solely for persons who are specially authorised, and apart from this refers only to the care which
is necessary in general in the area of telecommunications. There is therefore no provision which takes
account of the particularly strict standards required of the security of the extensive and informative data
pool under § 113a TKG. §§ 88 and 109 TKG, which are referred to with regard to their contents, do not
guarantee such a particularly high security standard, but permit a wide range of relative degrees,
corresponding to their wide area of application. This applies in particular to § 109 TKG. Thus, for example,
under § 109.1 TKG every service provider must take appropriate technical precautions or other measures
to protect the secrecy of telecommunications and the telecommunications and data processing systems
against unauthorised access. In this connection, in order to determine the appropriateness, § 109.2
sentence 4 TKG is referred to (see Klesczewski, in: Säcker, Berliner Kommentar zum TKG , 2nd ed. 2009,
§ 109 , marginal no. 12). This provides that the measures are appropriate if the technical effort and
economic expense are in an appropriate proportion to the importance of the rights to be protected. Taking
as a basis the standards developed above, these do not sufficiently guarantee the specific requirements of
the protection of the data stored under § 113a TKG. The standard laid down by statute of “appropriate
technical precautions or other measures” merely requires that “account should be taken” of the state of
technological development (see § 109.2 sentence 2 TKG; Klesczewski, in: Säcker, Berliner Kommentar
zum TKG , 2nd ed. 2009, § 109 , marginal no. 13), and in doing so qualifies the security requirements in a
way that remains undefined by introducing general considerations of economic adequacy in the individual
case. In addition, putting this standard in more specific terms is left to the individual telecommunications
service providers, which in turn have to offer their services subject to the conditions of competition and
cost pressure.
https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/EN/2010/03/rs20100302_1bvr025608en.html
Seite 36 von 53