German Data Retention Law Ruled Unconstitutional

mseeger writes "The German Federal Constitutional Court has ruled the country's current data retention law unconstitutional. All stored telephone and email communication data, previously kept for six months in case it was needed by law enforcement, now must be deleted as soon as possible. The court criticized the lack of data security and insufficient restrictions for access to the data. The president of the court said continuing to retain the data would 'cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one's basic rights in many areas.' While it doesn't disallow data retention in general, the imposed restriction demands a complete reworking of the law." An anonymous reader contributes the Court's press release and more information on the ruling, both in German.

A great victory

[saibot834]

In my story submission [slashdot.org], I included a few more details. 35,000 citizens filed a class-action against this law and now after two years we finally see this law voided.

The "Bundesverfassungsgericht [wikipedia.org]" has once again proven that is the most significant institution in Germany that protects citizens' constitutional rights - in this case the right of informational self-determination [wikipedia.org].

All hail the Chaos Computer Club

[Denial93]

Although this ruling is what us IT guys would expect from any reasonable court, the fact of the matter is that judges know shit. The Chaos Computer Club [www.ccc.de] worked their asses off providing expertise to the court, while also mobilizing the German IT scene and putting out pressure on opposing (governmental) parties. This is their success and I salute them. Guess I should get around to finally apply for membership myself...

Re:Pyrrhic victory?

[Mindcontrolled]

Well, at least they demand some serious restrictions - asymmetric encryption with separately stored keys, no central storage of the data under direct government control, no access without a judge's order, no access without a well-founded and substantiated suspicion, access only for prosecution of serious crimes (exceptions for simple lookup of dynamic IPs), severe penalties for illegitime access. This is way better than what we had before.

That aside, thank the FSM for our constitutional court. They basically struck down every security-theatre related law in the last couple of years. I am starting to think about a three-strikes law for politicians - vote for three unconstitutional laws and you are out. Loss of eligibility for any political office for 4 years at last. Ahh, well, a man can dream...

Re:Pyrrhic victory?

[saibot834]

One of the restrictions the Federal Constitutional Court has imposed is that such data may only be saved decentralized. Additionally they have to be stored securely and must only be used for very severe crimes. The court is very careful: Technical possibilities change very quickly and they want the verdict to be still useful in 10 or 20 years. That's why they avoid saying "such data cannot be stored securely, therefore data retention is for all times unconstitutional".

In another verdict the court has ruled that e-voting is not principally unconstitutional. However, it imposed rules that no e-voting system in the near future is able to fulfill: Every citizen must be able to verify the correctness of the vote without specific technical knowledge. Not even open source e-voting systems meet this requirement.

I doubt that a new data retention law will be passed any time soon. Most parties have realized by now that data retention sucks and I don't think they can pull together a majority for this.

Re:Domestic spying unconstitutional?

[Anonymous Coward]

IMHO it would be difficult, since the ruling is based on the concept of "informational self-determination", which the constitutional court established based on specially protected fundamental rights in the German constitution. Plus, it is quite unlikely that they would find the necessary support for a change of the constitution in the parliament. Several parties are against the law (at least in current form), including the Liberal party (FDP) which is the junior partner in the coalition government right now. In fact, the current minister for justice (FDP) was one of the persons suing against the law at the constitutional court (the law was passed by the previous government).

Re:Great Precedent

[ahaubold]

At least the new EU commisioner for justice Viviane Reding announced an enquiry of the EU Directive which was one of the main reasons for making that law in the first place.

Re:All hail the Chaos Computer Club

[chrismeidinger]

You don't have to apply for membership in CCC. Just join.
If you come to the Congress - http://en.wikipedia.org/wiki/Chaos_Communication_Congress [wikipedia.org] - you can join right at the door, and get your ticket discounted immediately.

Re:Unenviable comparison

[Hasai]

"How messed up is the US when we have to take cues on privacy laws from, of all people, the Germans?"

Actually, the Germans, "of all people," have the advantage of knowing precisely just how bad things can get.

Re:ACTA

[Asic Eng]

Well the German law was already an implementation of a EU directive. However while the constitutional court has rejected the implementation, it did not declare the EU directive illegal. So it's still possible (actually mandatory under EU law) to implement a revised data storage law.

Lame.

[DarthVain]

All this means is that the standard for corporations and government are even farther apart.

Sure it protects personal privacy, but this protects corporations from lawsuits, and their bottom line even more.

I was having a conversation with a consultant on Risk/Threat assessment of an IMS project we are working on. The difference in retention is amazing. Because I work in government, we are expected to keep stuff around for YEARS, usually 5 to 7 locally, and then maybe decades in an archive. This is for transparency, and to keep records of exactly of what was done, when, by whom. We get sued, and this material gets dredged up and used against us in court. However in the private sector, the retention is measured in Days, usually 5 to 7, and then Deleted/Destroyed. This is for liability, so people cannot use this information against them in court.

So next time you are thinking of making fun about how much waste is in government, or how much more it costs, or how much longer it takes to develop in government, understand this is but ONE of many differences of extra things we HAVE to do by LAW for ALL of our systems, and the reason behind it is accountability. Government is accountable for their actions and people have a right to know about it. Corporations have to be accountable to their shareholders in that they must produce as much profit in the least time possible. The two are radically different enviroments and so it should be no surprise that the procedures used to do anything are vastly different also.

That said, there is waste in government, just like there is in corporations. Much of ours seems to be based on past actions being penalized. Basically some arm of the government many years ago, will have done something bad. Rather than punish directly those involved, they punish everyone else by subjecting them to policies that will supposedly "prevent this from happening in the future". Thus we end up with standards about how many foundation documents above and beyond reason, and when looking for vendors, you have to go through a long process, etc... And while it might prevent people from wasting money, it generally makes the project twice as long and twice as expensive, which essentially means you are sort of wasting money and time anyway, and limits the kinds of projects you can do, as some are just too expensive now.

Anyway that is my government/corporate rant including retention.... Vent!

Re:Wish List

[Anonymous Coward]

You know what is ironic? This constitution came into existence, because the US and their British and French allies issued an order in July 1948 to get one written.

So the German people elected 65 members of a parliament board. These 65 (only four women among them) drafted what became the equivalent of the German constitution.

Re:Great Precedent

[V for Vendetta]

To be honest, we weren't the first ones. The Constitutinal Courts of Romania and Bulgaria (not sure of the second country) already ruled the EU data retention law unconstitutional.

Re:All hail the Chaos Computer Club

[TiloB]

The court is not supposed to know shit

I think you are arguing from the perspective of Common law which does not apply in Germany. Here, judges and courts in general have much more freedom in discovering the truth during trials, they may ask questions, they may ask for more information. And we are happy they do so.