Press release no. 66/2019 of 25 September 2019
CJEU to clarify compatibility of the German regulation on data retention with EU law
The Federal Administrative Court (BVerwG, Bundesverwaltungsgericht) in Leipzig has decided today to refer a question to the Court of Justice of the European Union (CJEU, hereinafter Court of Justice) on the interpretation of the Directive on privacy and electronic communications (Directive 2002/58/EC). The applicability of the regulations on data retention contained in the Telecommunications Act (TKG, Telekommunikationsgesetz) depends on the clarification of this question.
The claimants in the two main proceedings provide publicly available internet access services and/or telephone services to end-users. They object to the measures imposed on them by section 113a (1) in conjunction with section 113b TKG in the version of the Act of 10 December 2015 to retain telecommunications traffic data of their customers. The data to be stored for a period of ten weeks include, inter alia, the telephone numbers of the lines involved, the start and end of the connection or of internet use or the times of sending and receiving a short message, allocated Internet Protocol addresses and user IDs, and the IDs of the lines and terminal equipment. In addition, location data, i.e. essentially the designation of the radio cell used at the beginning of the call, must be stored for a period of four weeks. However, the content of the communication, data regarding the internet pages accessed, data from e-mail services as well as data underlying links to or from specific lines in social or ecclesiastical spheres may not be stored. With the exception of the Internet Protocol address, the retained data may only be used by the competent authorities to prosecute particularly serious criminal offences or to prevent a specific threat of loss of life or physical integrity or a person's freedom or to the continued existence of the Federation or of a federal state.
In response to the actions, the Administrative Court (Verwaltungsgericht) found that the claimants are not obliged to store the telecommunications traffic data of the customers to whom they provide internet access and/or access to public telephone services as specified in the Act. The Administrative Court held that the storage obligation breached EU law and was therefore inapplicable in the claimants' cases. The fundamental legal questions concerning the scope and substantive requirements of EU law relevant in the present context were clarified by the judgment of the Court of Justice of 21 December 2016 in Joined Cases C-203/15 (Tele2 Sverige) and C-698/15 (Watson). The defendant, represented by the Federal Network Agency (Bundesnetzagentur), filed a leapfrog appeal against the first-instance decisions.
The decision of the Federal Administrative Court depends on whether the interference with the confidentiality of electronic communications protected by article 5 (1) first sentence of Directive 2002/58/EC caused by the legal storage obligation is justified on the basis of the authorisation provision in article 15 (1) of the Directive. Admittedly, the CJEU finally made it clear that the Directive applies to national retention rules and that article 15 (1) of the Directive must be interpreted in light of articles 7, 8 and 11 and article 52 (1) of the Charter of Fundamental Rights of the European Union (CFR) as precluding national legislation that provides for general and indiscriminate retention, for the purposes of fighting criminal offences, of all traffic and location data of all subscribers and registered users with regard to all electronic means of communications.
However, there is still a need for clarification with regard to the question as to whether a national regulation which - like section 113a in conjunction with section 113b TKG - provides for an obligation to retain data without cause, can under no circumstances be based on article 15 (1) of the Directive. In this context, it should be considered that the range of means of communication covered by the storage obligation and the storage period are shorter compared to the Swedish and UK rules on which the CJEU had to rule. Furthermore, the German rules contain strict restrictions on the protection of and access to the stored data. Moreover, given the specific threat potential associated with the telecommunications means, a conflict exists between the fundamental rights to respect for private life and protection of personal data enshrined in articles 7 and 8 CFR on the one hand and the obligation of Member States to ensure the security of persons within their territory under article 6 CFR on the other. An absolute prohibition of data retention without cause would considerably restrict the national legislatures' scope for action in an area of criminal prosecution and public security, which, according to article 4 (2) third sentence of the Treaty on European Union (TEU), in any case, remains in principle the sole responsibility of the individual Member States, and hence also tends to move away from the more recent case-law of the European Court of Human Rights on article 8 of the European Convention on Human Rights. Finally, it results from various requests for a preliminary ruling from other Member States already pending before the Court of Justice that the referring courts have doubts, in particular, with regard to article 6 CFR and article 4 TEU, as to whether the Court of Justice's statements in the judgment of 21 December 2016 is to be understood as a general prohibition of data retention without cause, which cannot be overcome either in view of the serious nature of the threats to public security to be combated or in the context of "compensation" through restrictive access regulations and high security requirements.
If the proceedings for the request of a preliminary ruling lead to the conclusion that section 113a in conjunction with section 113b TKG breaches EU law, the claimants' rights are also violated. This is because the storage obligation represents an interference with the claimants' freedom to conduct business as guaranteed by article 16 CFR. If these regulations breach EU law, they may not be applied because of the principle of the primacy of EU law. This restriction of fundamental rights is then not "provided for by law" within the meaning of article 52 (1) first sentence CFR.
The Federal Administrative Court suspended the proceedings on appeal on points of law until the Court of Justice has given its ruling.
BVerwG 6 C 12.18 - decision of 25 September 2019
BVerwG 6 C 13.18 - decision of 25 September 2019
Decision of 25 September 2019 -
BVerwG 6 C 12.18ECLI:DE:BVerwG:2019:250919B6C12.18.0
Please note that the official language of proceedings brought before the Federal Administrative Court of Germany, including its rulings, is German. This translation is based on an edited version of the original ruling. It is provided for the reader’s convenience and information only. Please note that only the German version is authoritative. Page numbers in citations have been retained from the original and may not match the pagination in the English version of the cited text. Numbers of paragraphs that have completely been omitted in the edited version will not be shown.
When citing this ruling it is recommended to indicate the court, the date of the ruling, the case number and the paragraph: BVerwG, decision of 25 September 2019 - 6 C 12.18 - para. 16.
Request for a preliminary ruling in order to clarify whether the obligation to store telecommunications traffic data without cause is compatible with EU law
Headnotes
Clarification by the Court of Justice of the European Union is necessary with regard to whether or not the provisions of section 113a (1) first sentence in conjunction with section 133b TKG obliging providers of publicly available telecommunications services to retain specified traffic and location data for a period of ten or four weeks, respectively without cause can be based on article 15 (1) of Directive 2002/58/EC in view of the legal provisions on data security and data retrieval.
A preliminary ruling of the Court of Justice of the European Union is obtained on the following question: In the light of articles 7, 8 and 11 and article 52 (1) of the Charter of Fundamental Rights of the European Union, on the one hand, and of article 6 of the Charter of Fundamental Rights of the European Union and article 4 of the Treaty on European Union, on the other hand, is article 15 of Directive 2002/58/EC to be interpreted as precluding national legislation which obliges providers of publicly available electronic communications services to retain traffic and location data of end users of those services where
- that obligation does not require a specific cause in terms of location, time or region,
- the following data are the subject of the storage obligation in the provision of publicly available telephone services - including the transmission of short messages, multimedia messages or similar messages and unanswered or unsuccessful calls:
- the telephone number or other identifier of the calling and called lines as well as, in the case of call switching or forwarding, of every other line involved,
- the date and time of the start and end of the call or - in the case of the transmission of a short message, multimedia message or similar message - the times of dispatch and receipt of the message, and an indication of the relevant time zone,
- information regarding the service used, if different services can be used in the context of the telephone service,
- and also, in the case of mobile telephone services
- the International Mobile Subscriber Identity of the calling and called lines,
- the international identifier of the calling and called terminal equipment,
- in the case of pre-paid services, the date and time of the initial activation of the service, and an indication of the relevant time zone,
- the designations of the cells that were used by the calling and called lines at the beginning of the call,
- in the case of internet telephone services, the Internet Protocol addresses of the calling and the called lines and allocated user IDs,
- the following data are the subject of the storage obligation in the provision of publicly available internet access services:
- the Internet Protocol address allocated to the subscriber for internet use,
- a unique identifier of the line via which the internet use takes place, as well as an allocated user ID,
- the date and time of the start and end of the internet use at the allocated Internet Protocol address, and an indication of the relevant time zone,
- in the case of mobile use, the designation of the cell used at the start of the internet connection,
- the following data must not be stored:
- the content of the communication,
- data regarding the internet pages accessed,
- data from electronic mail services,
- data underlying links to or from specific lines of persons, authorities and organisations in social or ecclesiastical spheres,
- the retention period is four weeks for location data, that is to say, the designation of the cell used, and ten weeks for the other data,
- effective protection of retained data against risks of misuse and against any unlawful access to that data is ensured, and
- the retained data may be used only to prosecute particularly serious criminal offences and to prevent a specific threat of loss of life or physical integrity or a person's freedom or to the continued existence of the Federation or of a federal state, with the exception of the Internet Protocol address allocated to a subscriber for internet use, the use of which data is permissible in the context of the provision of inventory data information for the prosecution of any criminal offence, maintaining public order and security and carrying out the tasks of the intelligence services?
-
Sources of law
Treaty on European Union (TEU) article 4 Treaty on the Functioning of the European Union (TFEU) article 267 Charter of Fundamental Rights of the European Union (CFR) articles 6, 7, 8, 16, 52 Directive 2002/58/EC articles 5 (1), 6 (1), 9 (1), 15 (1) European Convention on Human Rights (ECHR) article 8 Code of Criminal Procedure StPO, Strafprozessordnung sections 53, 100g, 101a Telecommunications Act TKG, Telekommunikationsgesetz sections 99 (2), 113, 113a, 113b, 113c, 113d, 113e, 113f
Reasons
I
1 The claimant provides publicly available internet access services. It opposes the obligation imposed on it by section 113a (1) in conjunction with section 113b of the Telecommunications Act (TKG, Telekommunikationsgesetz), as amended by the Act of 10 December 2015, to retain telecommunications traffic data of its customers as from 1 July 2017.
2 In its judgment of 20 April 2018, the Administrative Court (Verwaltungsgericht) stated in response to the action that the claimant is not obliged to store telecommunications traffic data as listed in section 113b (3) TKG of customers to whom it provides internet access. The judgment states that the storage obligation breached EU law and was therefore inapplicable in the claimant's case. The fundamental legal questions concerning the scope and substantive requirements of EU law relevant in the present context were clarified by the judgment of the Court of Justice of the European Union (CJEU, hereinafter Court of Justice) of 21 December 2016 in Joined Cases C-203/15 (Tele2 Sverige) and C-698/15 (Watson et al.) [ECLI:EU:C:2016:970].
3 The defendant filed a(n) (leapfrog) appeal on points of law against the decision of first instance as allowed by the Administrative Court. The defendant requests that the contested judgment of the Administrative Court be revised and the action dismissed.
II
4 The proceedings must be suspended and referred for a preliminary ruling as their outcome depends on a decision to be obtained from the Court of Justice of the European Union on the interpretation of the Treaties (article 267 of the Treaty on the Functioning of the European Union (TFEU)).
5 1. The defendant's appeal on points of law against the Administrative Court's declaratory judgment only has merits if the provision in section 113a (1) first sentence, section 113b TKG is compatible with the provisions of EU law which have primacy. Otherwise, the appeal on points of law must be dismissed. If the provision in section 113a (1) first sentence in conjunction with section 113b TKG obliging the providers of publicly available telecommunications services to retain telecommunications traffic data breaches EU law, the appeal on points of law cannot be successful even if no rights of the claimant are breached (see section 113 (1) first sentence of the Code of Administrative Court Procedure (VwGO, Verwaltungsgerichtsordnung)). It is irrelevant here whether the claimant, in its capacity as a telecommunications company - and hence not as a subscriber, but merely as a transmitter of communications - can also rely on the fundamental rights to respect for private life and protection of personal data as enshrined in articles 7 and 8 of the Charter of Fundamental Rights of the European Union (CFR). In view of the technical and financial effort involved, the storage obligation in any event constitutes an encroachment upon the claimant's freedom to conduct a business guaranteed by article 16 CFR. If the provision in section 113a (1) first sentence, section 113b TKG is not compatible with EU law, it must not be applied - since an interpretation in conformity with EU law is ruled out - due to the principle of the primacy of EU law (established case-law of the Court of Justice of the European Union, see CJEU, judgments of 9 March 1978 - 106/77 [ECLI:EU:C:1978:49], Simmenthal - para. 24, of 3 May 2005 - C-387/02, C-391/02 and C-403/02 [ECLI:EU:C:2005:270], Berlusconi et al. - para. 72, of 22 June 2010 - C-188/10 and C-189/10 [ECLI:EU:C:2010:363], Melki and Abdeli - para. 43, and of 18 September 2014 - C-487/12 [ECLI:EU:C:2014:2232], Vueling Airlines - para. 48). If the provision is not applicable, the restriction of fundamental rights is not "provided for by law" within the meaning of article 52 (1) first sentence CFR.
6 Admittedly, the appeal on points of law would also have to be dismissed if the legal provisions had been compatible with EU law, but breached basic rights under the Basic Law (GG, Grundgesetz) and were therefore invalid. In this case, the Administrative Court's decision would be correct for other reasons (section 144 (4) VwGO). However, this possibility can be disregarded here. The reason being that, if section 113a (1) first sentence and section 113b TKG were found to be invalid, this would require the Senate to suspend the proceedings and submit the question of compatibility with the basic rights of the Basic Law to the Federal Constitutional Court (BVerfG, Bundesverfassungsgericht) for a decision in accordance with article 100 (1) GG. The resultant delay in clarifying the compatibility of the legal provision with EU law, which - also from the point of view of the parties involved - is the main issue in the present proceedings would be contrary to the judicial economy. Moreover, a national procedural rule cannot call into question the discretion enjoyed by national courts to make a reference to the Court of Justice for a preliminary ruling where they have doubts as to the interpretation of EU law (CJEU, judgment of 4 June 2015 - C-5/14 [ECLI:EU:C:2015:354], Kernkraftwerke Lippe-Ems - para. 37 with further references).
7 2. The obligation of telecommunications providers to store certain traffic data for a limited period of time has been newly regulated by the Act on the Introduction of a Storage Obligation and a Maximum Storage Period for Traffic Data (Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten) of 10 December 2015 (Federal Law Gazette (BGBI., Bundesgesetzblatt) I p. 2218 et seqq.), after the Federal Constitutional Court ruled that sections 113a and 113b TKG as well as section 100g (1) first sentence of the Code of Criminal Procedure (StPO, Strafprozessordnung), in the version of the Act of 21 December 2007 (BGBl. I, p. 3198) are invalid in as far as traffic data may be collected thereunder pursuant to section 113a TKG, because of a breach of article 10 (1) GG (BVerfG, judgment of 2 March 2010 - 1 BvR 256, 263, 586/08 [ECLI:DE:BVerfG:2010:rs20100302.1bvr025608] - Rulings of the Federal Constitutional Court (BVerfGE, Entscheidungen des Bundesverfassungsgerichts) 125, 260). The new provisions were also preceded by the judgment of the Court of Justice of the European Union of 8 April 2014 declaring the basis of the Act of 21 December 2007, i.e. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC to be invalid (CJEU, judgment of 8 April 2014 - C-293/12 and C-594/12 [ECLI:EU:C:2014:238], Digital Rights Ireland Ltd et al. -). The Act of 10 December 2015 is designed to close gaps in criminal prosecution and in threat prevention, while at the same time taking into account the constitutional and EU law requirements resulting from the above-mentioned court decisions (see Bundestag printed paper (BT-Drs., Bundestagsdrucksache) 18/5088 p. 1, 21 et seqq.). It contains, inter alia, the following amended provisions of the Telecommunications Act and the Code of Criminal Procedure:
8
Section 113a (1) first sentence TKG reads as follows:
The obligations regarding the storage of traffic data, the use of data and data security under sections 113b to 113g apply to providers of publicly available telecommunications services for end users.
9
Section 113b TKG reads as follows:
(1) The providers referred to in section 113a (1) are obliged to store data domestically as follows:
1. data as contemplated in subsections 2 and 3 for ten weeks,
2. location data as contemplated in section 4 for four weeks.
(2) Providers of publicly available telephone services must store
1.the telephone number or other identifier of the calling and called lines as well as, in the case of call switching or forwarding, of every other line involved,
2. the date and time of the start and end of the call and an indication of the relevant time zone,
3. information regarding the service used, if different services can be used in the context of the telephone service,
4. and also, in the case of mobile telephone services
a) the International Mobile Subscriber Identity of the calling and called lines,
b) the international identifier of the calling and called terminal equipment,
c) in the case of pre-paid services, the date and time of the initial activation of the service, and an indication of the relevant time zone,
5. in the case of internet telephone services, the Internet Protocol addresses of the calling and called lines and allocated user IDs.
The first sentence applies mutatis mutandis
1. to transmissions of a short message, multimedia message or similar message; in this case, the information as contemplated in the first sentence, no. 2, is replaced by the times of dispatch and receipt of the message;
2. to unanswered calls or calls which are unsuccessful due to network management intervention, provided that the provider of publicly available telephone services stores or records the traffic data as contemplated in the first sentence for the purposes specified in section 96 (1) second sentence.
(3) Providers of publicly available internet access services store
1. the Internet Protocol address allocated to the subscriber for internet use,
2. a unique identifier of the line via which the internet use takes place, as well as an allocated user ID,
3. the date and time of the start and end of the internet use at the allocated Internet Protocol address, and an indication of the relevant time zone.
(4) In the case of use of mobile telephone services, the designation of the radio cells used by the calling and called lines at the beginning of the call must be stored. In the case of publicly available internet access services used by mobile devices, the designation of the radio cell used at the beginning of the internet connection must be stored. The data permitting the geographical position and the main radiation directions of the radio antennas supplying the respective radio cell to be determined must also be stored.
(5) Storage of the content of the communication, data concerning websites accessed and data from electronic mail services is not permitted under this provision.
(6) Storage of data underlying the connections as contemplated in section 99 (2) is not permitted under this provision. This applies mutatis mutandis to telephone connections originating from the organisations contemplated in section 99 (2). Section 99 (2) second to seventh sentence applies mutatis mutandis.
(...)
10 The connections mentioned in section 99 (2) TKG, to which section 113b (6) TKG refers, are connections to lines of individuals, authorities and organisations in social or ecclesiastical contexts which, in principle, offer entirely or predominantly telephone assistance in mental or social emergencies to callers who remain anonymous and who themselves or their employees are subject to special obligations of secrecy in this respect. Pursuant to section 99 (2) second and fourth sentences TKG, the prerequisite for exception is that the Federal Network Agency (Bundesnetzagentur) has upon request included the called lines in a list after the owners of the lines have proven their duties by submitting a certificate from an authority or corporation, institution or foundation under public law.
11
Section 113c TKG reads as follows:
(1) The data stored on the basis of section 113b may be
1. transmitted to a prosecuting authority if the latter requires the transmission with reference to a legal provision which allows it to capture the data contemplated in section 113b for the prosecution of particularly serious criminal offences;
2. transmitted to a threat prevention authority of the federal states if the latter requires the transmission with reference to a legal provision which allows it to capture the data contemplated in section 113b for the purpose of preventing a specific threat of loss of life or physical integrity or a person's freedom or to the existence of the Federation or of a federal state;
3. used by the provider of publicly available telecommunications services to provide information in accordance with section 113 (1) third sentence.
(2) The providers obliged under section 113a (1) may not use the data stored on the basis of section 113b for any purposes other than those referred to in subsection 1.
(...)
12 Pursuant to the provision of section 113c (1) no. 3 TKG as referred to in section 113 (1) third sentence TKG, the (inventory) data to be included in information to be provided to one of the organisations contemplated in section 113 (3) TKG may also be determined on the basis of an Internet Protocol address allocated at a certain point in time; for this purpose, traffic data may also be evaluated automatically. Pursuant to section 113 (2) first sentence TKG, the information may only be provided if an organisation as contemplated in subsection 3 requests this in text form in the individual case for the purpose of prosecuting criminal or administrative offences, for preventing threats to public security or order or for fulfilling the legal tasks of the organisations mentioned in subsection 3 no. 3 (authorities for the protection of the constitution (Verfassungsschutzbehörden) of the Federation and the federal states, Military Counterintelligence Service (Militärischer Abschirmdienst) and Federal Intelligence Service (Bundesnachrichtendienst)), stating a legal provision which allows it to capture the data referred to in subsection 1.
13
Section 113d TKG reads as follows:
The provider obliged under section 113a (1) must implement technical and organisational measures in accordance with the state of the art in order to ensure that the data stored on the basis of the storage obligation under section 113b (1) are protected against unauthorised access and use. The measures include, in particular
1. the use of a particularly secure encryption method,
2. the storage in separate storage facilities separate from those used for normal operational tasks,
3. the storage with a high level of protection against access from the internet on data processing systems decoupled from the internet,
4. the restriction of access to the data processing facilities to persons specifically authorised by the providers obliged, and
5. the necessary cooperation of at least two persons who have been specifically authorised to access the data by the provider obliged.
14
Section 113e TKG reads as follows:
(1) The provider obliged under section 113a (1) must ensure that for the purposes of data protection control, any access, in particular, reading, copying, changing, deleting and blocking of data stored on the basis of the storage obligation under section 113b (1) is recorded. The following must be recorded:
1. the time of access,
2. the persons accessing the data,
3. the purpose and nature of the access.
(2) Log data may not be used for purposes other than data protection control.
(3) The provider obliged under section 113a (1) must ensure that the log data are deleted after one year.
15 In order to ensure a particularly high standard of data security and data quality, the Federal Network Agency draws up a catalogue of requirements in accordance with section 113f (1) TKG, which is to be continuously reviewed and, if necessary, adapted (section 113f (2) TKG). Section 113g TKG requires the integration of specific protective measures in the security concept to be submitted by the provider obliged.
16
Section 100g StPO reads as follows:
(...)
(2) If certain facts give rise to the suspicion that someone has, as an offender or participant, committed one of the particularly serious criminal offence designated in the second sentence or, in cases where there is criminal liability for attempt, has attempted to commit such a criminal offence and the act weighs particularly heavily in the individual case as well, then traffic data stored in accordance with section 113b of the Telecommunications Act may be captured insofar as establishing the facts or determining the accused's whereabouts would be considerably difficult in some other way or would be futile and the data capture stands in appropriate relation to the importance of the matter.
(...)
(4) Traffic data capture pursuant to subsection 2, also in conjunction with subsection 3 second sentence, which is directed against one of the persons referred to in section 53 (1) first sentence no. 1 to 5 and which will presumably produce findings about which that person is likely to be able to refuse to give evidence shall be impermissible. (...)
17 Section 101a (1) StPO provides for the need for a judicial order as well as requirements for the content of the judicial operative part of the decision for the capture of traffic data under section 100g StPO by reference to section 100b (1) StPO (now section 100e (1) StPO in the version of the Act of 17 August 2017 <BGBl. I p. 3202>). Pursuant to section 101a (2) StPO, the reasons for the decision must set out the essential considerations regarding the necessity and appropriateness of the measure in each individual case. Section 101a (6) StPO provides for an obligation to notify the parties involved in the telecommunications concerned.
18 3. Whether the Administrative Court's legal proposition underlying its decision, i.e. that the storage obligation imposed by section 113a (1) in conjunction with section 113b TKG breaches EU law, is compatible with the law that is subject to an appeal on points of law depends on the interpretation of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201 p. 37) and cannot be conclusively answered without a preliminary ruling from the Court of Justice of the European Union. The considerations of the deciding Senate are as follows:
19 a) The Administrative Court rightly considered Directive 2002/58/EC to be applicable and therefore used it as a standard of review for the provisions of section 113a (1) first sentence in conjunction with section 113b TKG. The Court of Justice has conclusively clarified that national rules on the retention of traffic and location data and access by national authorities in principle fall within the scope of this Directive (CJEU, judgment of 21 December 2016 - C-203/15 and C-698/15 - para. 65 et seqq., 81).
20 b) The obligation to store telecommunications traffic data pursuant to section 113a (1) first sentence in conjunction with section 113b TKG restricts the rights under articles 5 (1), 6 (1) and 9 (1) of Directive 2002/58/EC. It constitutes an interference with the confidentiality of electronic communications protected by article 5 (1) first sentence of the Directive and is contrary to the principle that, without the user's consent, any person other than the user is in principle prohibited from storing traffic data relating to electronic communications. This obligation also fails to comply with the requirement laid down in article 6 of the Directive that traffic data may be processed and stored only for the purpose of billing the services, marketing them and providing value added services to the extent and for the duration necessary for that purpose. Where location data other than traffic data, relating to users or subscribers of public communications networks or publicly available electronic communications services, can be processed, article 9 (1) first sentence of Directive 2002/58/EC provides that such data may only be processed to the extent necessary for the provision of value added services and for the period of time necessary for that purpose, if they have been rendered anonymous or if the users or subscribers have given their consent. The legal provision also deviates from this requirement in as far as section 113b (1) no. 2 in conjunction with subsection 4 TKG also requires the storage of the location data mentioned therein.
21 c) The restriction of the rights under articles 5 (1), 6 (1) and 9 (1) of Directive 2002/58/EC is justified only if the provision of article 113a (1) first sentence in conjunction with section 113b TKG can be based on the authorisation contained in article 15 (1) of Directive 2002/58/EC. It provides that Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in articles 5, 6, 8 (1), (2), (3) and (4) and article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in article 13 (1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this subsection. All the measures referred to in this subsection shall be in accordance with the general principles of EC law, including those referred to in article 6 (1) and (2) of the Treaty on European Union (article 15 (1) second sentence of Directive 2002/58/EC).
22 aa) According to the above-mentioned decision of the Court of Justice of 21 December 2016, article 15 (1) of Directive 2002/58/EC is to be interpreted in light of articles 7, 8 and 11 as well as article 52 (1) CFR as precluding national legislation that provides for general and indiscriminate retention, for the purposes of fighting criminal offences, of all traffic and location data of all subscribers and registered users with regard to all electronic means of communication (CJEU, judgment of 21 December 2016 - C-203/15 and C-698/15 - para. 82 et seqq.).
23 In the above-mentioned decision, which concerns the data retention rules in Sweden and the United Kingdom based on Directive 2006/24/EC, the Court of Justice also set out requirements for the permissibility of national legislation based on article 15 (1) of Directive 2002/58/EC (CJEU, judgment of 21 December 2016 - C-203/15 and C-698/15 - para. 108 et seqq.). According to that, article 15 (1) of Directive 2002/58/EC, read in the light of articles 7, 8 and 11 as well as article 52 (1) CFR, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious criminal offences, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary. However, in order to satisfy these requirements, the national legislation in question must, first, lay down clear and precise rules regarding the scope and application of such a data retention measure and lay down minimum requirements, so that the persons whose data have been retained have sufficient guarantees to ensure effective protection of their personal data against the risk of misuse. It must, in particular, specify the circumstances and conditions under which a data retention measure, as a preventive measure, be adopted thereby ensuring that such a measure is limited to what is strictly necessary. Second, as regards the substantive conditions which must be satisfied by national legislation that authorises, in the context of fighting criminal offences, the retention, as a preventive measure, of traffic and location data, if it is to be ensured that data retention is limited to what is strictly necessary, it must be observed that, while those conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious criminal offences, the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued. In particular, such conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected. As regard the setting of limits on such a measure with respect to the public and the situations that may potentially be affected, the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious threat to public security. Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences.
24 According to the wording of the Court of Justice's statements quoted, the permissibility of a national data retention scheme under article 15 (1) of Directive 2002/58/EC hence requires sufficient cause to exist that only those persons will be covered where there is an indication of a link with serious criminal offences, that the data will be limited to the region, the period and the means of communication relevant to the cause, and that only that data will be recorded which is indispensable for the investigation of the criminal offences in question. The defendants' view that the mere fact of using internet access or telephone services should be regarded as sufficient cause for retention is obviously not in line with these requirements. The assumption expressed in the Court of Justice's statements that any retention of data without cause is generally contrary to EU law is not called into question by the defendants' reference to the Court of Justice's opinion of 26 July 2017 - delivered subsequently - on the agreement between Canada and the European Union on the transfer of passenger name record data. It is true that the Court of Justice has emphasised, in the context of the necessity of the agreement's interference with the fundamental rights to respect for private life (article 7 CFR) and to protection of personal data (article 8 CFR), that the so-called PNR (Passenger Name Record) data will be transferred to Canada regardless of whether there is objective evidence permitting the inference that the passengers are liable to present a threat to public security in Canada (CJEU, opinion of 26 July 2017 - 1/15 [ECLI:EU:C:2017:592] - para. 186). However, this does not constitute data retention without cause because the storage and transmission is related to border controls to which all passengers who wish to enter or depart from Canada are subject under the provisions of Canadian law in force (CJEU, opinion of 26 July 2017 - 1/15 - para. 188). When passengers depart from the country, this cause for storage does no longer exist. As can be seen from no. 3 (d) of the operative part of the opinion, continued storage after that date hence requires - as a new cause - that objective indications exist that the passengers concerned might pose a threat in terms of the fight against terrorism and serious transnational crime.
25 bb) If the case-law of the Court of Justice is to be understood as meaning that the retention of data without cause is under no circumstances compatible with EU law, the defendants' appeal on points of law against the judgment of the Administrative Court cannot succeed. For just like the Swedish and UK data retention rules, which were the subject of the Court of Justice's judgment of 21 December 2016, section 113a (1) first sentence in conjunction with section 113b TKG does not require a cause for the storage - beyond the mere use of internet access or telephone services - nor a connection between the stored data and a criminal offence or a threat to public security. Instead, the provision dictates the storage of a large part of all relevant telecommunications traffic data without any cause, nationwide and undifferentiated in terms of persons, time and geography.
26 cc) However, notwithstanding the wording of the above-mentioned judgment of the Court of Justice of 21 December 2016, the Senate does not consider it to be ruled out that the obligation to retain telecommunications traffic data without cause pursuant to section 113a (1) first sentence in conjunction with section113b TKG can be based on article 15 (1) of Directive 2002/58/EC. This assessment is based on the following considerations:
27 (1) First, it should be noted that the provision of section 113a (1) first sentence in conjunction with section 113b TKG does not require the storage of all telecommunications traffic data of all subscribers and registered users in relation to all electronic means of communication within the meaning of the case-law of the Court of Justice based on the previous Directive 2006/24/EC and the Swedish and UK rules based thereon. It is not only the content of the communication that is exempt from the storage obligation, but also data regarding the internet pages accessed, data from e-mail services as well as data underlying the connections to or from specific lines in social or ecclesiastical areas may not be stored (see section 113b (5) and (6) TKG). The opinion of the Administrative Court that the differences between the Swedish and UK rules, which were the subject of the aforementioned decision of the Court of Justice of 21 December 2016, were not of decisive importance in view of the requirements set out by the Court of Justice regarding the permissibility of national provisions on the retention of telecommunications traffic data, cannot be easily followed by the deciding Senate. In fact, the Court of Justice has stressed as reasons for its decision that the retention of all traffic and location data of all subscribers and registered users, in respect of all electronic communications, in a general and indiscriminate manner, allows very precise conclusions to be drawn concerning the private life of the persons whose data have been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. This hence enables the creation of a profile of the persons concerned, information that is no less sensitive, having regard to the right to respect for private life, than the actual content of communications (CJEU, judgment of 21 December 2016 - C-203/15 and C-698/15 - para. 99). If, in particular, certain means of communication or categories of data are exempted from the storage obligation, this may not eliminate, but at least significantly reduce, the risk of creating a comprehensive profile of the persons concerned.
28 (2) An even more important difference between the provision of section 113a (1) first sentence in conjunction with section 113b TKG on the one hand and the previous Directive 2006/24/EC on the other hand, on which the Swedish and UK data retention rules were based, is that the retention period of six months to two years (see article 6 of Directive 2006/24/EC) is significantly reduced to four or ten weeks, respectively, in accordance with section 113b (1) TKG. However, the shorter the periods of time during which traffic data are retained, the lower the risk of creating a comprehensive profile of the persons concerned, as highlighted by the Court of Justice. Only the aggregation of the various data over a longer period of time makes it possible, in accordance with the case-law of the Court of Justice, to draw sufficiently reliable conclusions about the habits, places of residence, movements, activities carried out, social relationships and social environment of the persons concerned. The shorter the storage period, the less complete the personality profile inevitably becomes and the lower the intensity of encroachment upon basic rights.
29 (3) It should also be noted that the rules introduced by the Act of 10 December 2015 contain strict restrictions on the protection of and access to the stored data. On the one hand, the provisions of sections 113d et seqq. TKG ensure effective protection of the retained data against the risk of misuse and unauthorised access. On the other hand, section 113c (1) TKG provides that the retained data may only be used to combat serious criminal offences or to prevent a specific threat of loss of life or physical integrity or a person's freedom or to the continued existence of the Federation or of a federal state. Pursuant to section 100g (2) StPO, the capture of traffic data for criminal prosecution purposes requires suspicion of one of the particularly serious criminal offences conclusively described in that provision, that the offence weighs particularly heavily even in the individual case, that the establishing of the facts or the determination of the accused's whereabouts would be considerably more difficult in some other way or would be futile, and that the data capture stands in appropriate relation to the importance of the matter. The capture or use of traffic data of the professional secrecy holders mentioned in section 53 (1) first sentence no. 1 to 5 StPO, which include, for example, lawyers, doctors or journalists, is not permitted under section 100g (4) StPO. Section 101a (1) StPO also provides for the need for a judicial order for the capture of traffic data under section 100g StPO as well as special requirements for the content of the judicial operative part of the decision. Pursuant to section 101a (2) StPO, the reasons for the decision must set out the essential considerations regarding the necessity and appropriateness of the measure in each individual case. Section 101a (6) StPO provides for an obligation to notify the parties involved in the telecommunications concerned.
30 These restrictive access regulations do not apply to the Internet Protocol address allocated to the subscriber for internet use; pursuant to section 113c (1) no. 3 TKG, this address may also be used in the context of the provision of inventory data information for the prosecution of any criminal offence, maintaining public order and security and generally carrying out the tasks of the intelligence services. However, it must be assumed that the information as to what owner was logged on to the internet with regard to an already known Internet Protocol address does not permit to create personality profiles and mobility profiles (see BVerfG, judgment of 2 March 2010 - 1 BvR 256, 263, 586/08 - BVerfGE 125, 260 <340 et seqq.>). Even assuming that the claimant is right in claiming that technical procedures are increasingly being used in which an Internet Protocol address can no longer be clearly attributed to a specific telecommunications line, but only to a larger group of lines, and inventory data information has therefore become a measure with a considerable scattering effect, the intensity of interference of such inventory data information still falls far short of that which exists in the retrieval and use of telecommunications traffic data itself.
31 (4) The assumption that the obligation under section 113a (1) first sentence in conjunction with section 113b TKG, i.e. to retain telecommunications traffic data without cause, can be based on article 15 (1) of Directive 2002/58/EC in view of the described restrictions is supported within the scope of an overall assessment not just by the restricting regulations concerning the means of communication, data categories and storage times as well as the strict data security and data retrieval provisions, but also by the fact that the national legislature has thereby fulfilled the obligations to act which arise for Member States from the right to security guaranteed by article 6 CFR.
32 In its judgment of 8 April 2014 on the validity of Directive 2006/24/EC, the Court of Justice expressly referred to article 6 CFR and, in this context, with reference to its case-law, pointed out that the fight against international terrorism in order to maintain international peace and security constitutes an objective of general interest of the European Union and that the same applies to the fight against serious crime in order to ensure public security (CJEU, judgment of 8 April 2014 - C-293/12 and C-594/12 - para. 42). The Court of Justice went on to state that, although the fight against serious crime, in particular against organised crime and terrorism, is of the utmost importance in order to ensure public security and that its effectiveness may depend to a great extent on the use of modern investigation techniques. Nevertheless, such an objective of public interest, however fundamental it may be, did not, in itself, justify a retention measure such as that established by Directive 2006/24/EC being considered to be necessary for the purpose of that fight (CJEU, judgments of 8 April 2014 - C-293/12 and C-594/12 - para. 51, 60 and of 21 December 2016 - C-203/15 and C-698/15 - para. 102 et seq.).
33 With regard to the obligation of the Member States to act arising from article 6 CFR, the deciding Senate has doubts as to whether this statement of the Court of Justice must be understood in such a way that data retention without cause cannot be based only in the concrete form defined in Directive 2006/24/EC and the Swedish and UK rules based on it, but generally not on article 15 (1) of Directive 2002/58/EC. This is because the basic concept of data retention can hardly be reconciled with the Court of Justice's unrestrictedly formulated demand to differentiate the data to be retained according to persons, periods of time and geographical regions (see, accordingly, the opinion of Advocate General Saugmandsgaard Øe of 19 July 2016 in the Joined Cases C-203/15 and C-698/15 [ECLI:EU:C:2016:572] - para. 213 et seqq.). By its very nature, such a differentiation can only be made for the future in as far as findings are already available. However, the purpose of data retention is precisely the reconstruction of past events on the basis of telecommunications traffic data that already exist at the time of the cause. This purpose is unlikely to be achieved if, for example, a distinction has to be made according to which persons are suspected of committing serious criminal offences - for instance, on the basis of observations of communication behaviour in social networks - or if only those radio cells are to be covered geographically in which facilities are located which, on the basis of concrete findings, have an increased risk of attack or a high damage potential. For example, a geographical restriction is hardly appropriate, especially for criminal offences committed by means of electronic telecommunications services.
34 The Senate is also of the opinion that the assumption that the storage of traffic data without cause is per se incompatible with the Charter of Fundamental Rights is also contradicted by the need to strike a balance between the obligation of Member States to ensure the security of persons within their territory on the one hand and observance of the fundamental rights to respect for private life and protection of personal data enshrined in articles 7 and 8 CFR on the other hand (see opinions of Advocate General Saugmandsgaard Øe of 19 July 2016 in Joined Cases C-203/15 and C-698/15 - para. 5, 163). The Senate is therefore unable to infer clearly from the case-law of the Court of Justice that national legislatures should no longer have the possibility, on the basis of an overall assessment, to introduce data retention without cause - possibly supplemented by strict access regulations - in order to address the specific threat potential associated with the new means of telecommunications (see BVerfG, judgment of 2 March 2010 - 1 BvR 256, 263, 586/08 - BVerfGE 125, 260 <322 et seq.>).
35 (5) If the above-mentioned case-law of the Court of Justice were to be understood as meaning that the retention of data without cause cannot generally be based on article 15 (1) of Directive 2002/58/EC and that the specific regulations regarding the means of communication covered, the categories of data to be retained, the duration of retention, the conditions of access to the data retained and protection against the risk of misuse are therefore irrelevant, the national legislatures' scope for action in an area of criminal prosecution and public security, for which article 4 (2) third sentence TEU at least in principle still foresees the sole responsibility of the individual Member States, would be limited to a significant extent. In this area, national legislatures have - as stated above - the task of striking a balance between the fundamental rights to respect for private life and protection of personal data on the one hand and the duty of Member States to ensure the security of the population on the other. The deciding Senate is unable to interpret the decision of the Court of Justice of 21 December 2016 with sufficient certainty that the democratically legitimised legislatures of the Member States are to be completely deprived of the possibility to introduce an investigation technique considered necessary in the field of criminal prosecution and public security on the basis of article 15 (1) of Directive 2002/58/EC, such as the retention of data without cause, irrespective of the nature of the threat situation and the concrete design of the rules.
36 (6) Also against the background of the more recent case-law of the European Court of Human Rights (ECtHR), the Senate does not believe that it has been conclusively clarified whether the statements of the Court of Justice in its judgment of 21 December 2016 are to be understood as a prohibition addressed to the Member States to base the introduction of an obligation to retain telecommunications traffic data without cause on article 15 (1) of Directive 2002/58/EC. This is because the European Court of Human Rights recently decided in its judgment of 19 June 2018 that the Swedish legislation on bulk interception of cross-border data traffic complies with article 8 of the European Convention on Human Rights (ECHR). In view of the threats currently facing states, including the scourge of global terrorism and other serious crime, such as drug trafficking, human trafficking, sexual exploitation of children and cybercrime, advancements in technology which have made it easier for terrorists and criminals to evade detection on the internet, and the unpredictability of the routes via which electronic communications are transmitted, the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security was one which continues to fall within states' margin of appreciation (ECtHR, judgment of 19 June 2018 - Application no. 35252/08 [ECLI:CE:ECHR:2018:0619JUD003525208], Centrum för Rättvisa/Sweden - para. 112). In as far as the European Court of Human Rights refers to the unpredictability of the transmission routes of electronic data and the technical progress which made it easier for terrorists and criminals to avoid their discovery on the internet, it emphasises more strongly than the Court of Justice of the European Union the specific threat potential associated with the new means of telecommunication.
37 The deciding Senate is of the opinion that the differently accentuated case-law of the European Court of Human Rights cannot be disregarded here. On the one hand, recital 11 of Directive 2002/58/EC emphasises that measures under article 15 (1) of the Directive must be taken in accordance with the ECHR as interpreted by the judgments of the European Court of Human Rights. On the other hand, the Court of Justice of the European Union repeatedly pointed out that article 52 (3) of the Charter of Fundamental Rights of the European Union, in so far as it contains rights which correspond to those rights guaranteed by the ECHR, seeks to ensure the necessary consistency between the rights contained in the Charter and the corresponding rights guaranteed by the ECHR, without thereby adversely affecting the autonomy of EU law and that of the Court of Justice of the European Union (see CJEU, judgment of 29 July 2019 - C-469/17 [ECLI:EU:C:2019:623], Funke Medien NRW GmbH - para. 73 and the case-law cited there).
38 (7) Finally, it results from various requests for a preliminary ruling from other Member States already pending before the Court of Justice that the referring courts have doubts, in particular, with regard to article 6 CFR and article 4 TEU, as to whether the Court of Justice's statements in the judgment of 21 December 2016 is to be understood as a general prohibition of data retention without cause, which cannot be overcome either in view of the serious nature of the threats to public security to be combated or in the context of "compensation" through restrictive access regulations and high security requirements. In this respect, the deciding Senate refers to the request for a preliminary ruling from the Investigatory Powers Tribunal - London (United Kingdom), which is pending before the Court of Justice as Case C-623/17 (OJ C 22 of 22 January 2018, p. 29), the two requests for a preliminary ruling from the Conseil d'État (France), pending as Cases C-511/18 and C-512/18 (OJ C 392 p. 7 et seq.), and the request for a preliminary ruling from the Belgian Constitutional Court, pending as Case C-520/18 (OJ C 408 p. 39).