CHAPTER 14: EXPLANATIONS
My interlocutors spoke frankly, knowing that I would not attribute views to them or to
their organisations in this report. But in summary, I took away the following:
(a)
There is some non-compelled data retention: the criminal code allows data
which have been retained for business purposes to be made available to the
police. German CSPs currently keep data for up to 90 days in some cases,
though generally much less. It was suggested to me by opponents of data
retention that the utility of retained data falls off sharply after three months or
so.15
(b)
German law enforcement told me that a compulsory data retention requirement
would be useful, particularly but not exclusively in relation to internet fraud and
child pornography cases which they were increasingly unable to tackle. They
continue to log examples of cases that they cannot pursue because retained
data were not available.
(c)
The enactment of a compulsory data retention law was however (since Digital
Rights Ireland) off the political agenda.
(d)
Public opinion (particularly in the west of the country) is strongly pro-privacy,
partly because of 20th century historical experience and partly because there is
little current exposure to terrorism, limited consciousness of cyber-crime and
because people generally feel secure (or as one official put it to me, “take
security for granted”).
(e)
Data preservation proposals (the so-called “quick freeze”, under which
preservation orders would be served only once a suspicion arises) were not
being pursued. They are not considered an adequate alternative to data
retention by German law enforcement, despite the apparent encouragement of
the CJEU (5.68(c) above), and are considered technically problematic by some
CSPs, which also had concerns about reimbursement.16
14.19. I put to my German interlocutors the very striking example given in the impact
assessment that accompanied the DRIP Bill in 201417 of Operation Rescue, a major
recent Europol investigation into international online child sexual exploitation. In the
words of the impact assessment:
“Of 371 suspects identified in the UK, 240 cases were investigated and 121
arrests or convictions were possible. In contrast of 377 suspects identified in
Germany, which has no such data retention arrangements, only seven could
be investigated and no arrests could be made.”
Those familiar with the example did not deny the essential truth of this account, though
a senior German academic commented that “Most of these guys were only going to
15
16
17
See however the UK police survey prepared for the JCDCDB, which found that 28% of all requests
made by 62 UK law enforcement agencies over a two-week period in June 2012 were for data over
three months old.
In the 2012 UK police survey referred to at 7.50(a) above, 28% of all data requests concerned people
who were not suspects: 18% were victims.
Data Retention Legislation, IA No. HO0126, June 2014.
262