Germany's Blanket Data Retention Law Is Illegal, EU Top Court Says

An anonymous reader quotes a report from Reuters: Germany's general data retention law violates EU law, Europe's top court ruled on Tuesday, dealing a blow to member states banking on blanket data collection to fight crime and safeguard national security. The law may only be applied in circumstances where there is a serious threat to national security defined under very strict terms, the Court of Justice of the European Union (CJEU) said. The ruling comes after major attacks by Islamist militants in France, Belgium and Britain in recent years. Governments argue that access to data, especially that collected by telecoms operators, can help prevent such incidents, while operators and civil rights activists oppose such access.

The latest case was triggered after Deutsche Telekom unit Telekom Deutschland and internet service provider SpaceNet AG challenged Germany's data retention law arguing it breached EU rules. The German court subsequently sought the advice of the CJEU which said such data retention can only be allowed under very strict conditions. "The Court of Justice confirms that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security," the judges said. "However, in order to combat serious crime, the member states may, in strict compliance with the principle of proportionality, provide for, inter alia, the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses," they said.

When a Ruling, isn't.

[geekmux]

"However, in order to combat serious crime, the member states may, in strict compliance with the principle of proportionality, provide for, inter alia, the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses,"

Ah, so this is a bullshit ruling then, since no one is going to put an exact definition of "serious" when it comes to crime. Therefore all crime will be considered "serious" and companies will need to engage in "general retention" (a.k.a. blanket surveillance) in order to be ready at all times to combat "serious" crime.

Right back to square one with a loophole so big you could drive a trucking company through it.

Re: When a Ruling, isn't.

[ISayWeOnlyToBePolite]

Interesting. My view is quite the opposite, to me it reads like the court decided that certain words have meaning and that they overruled the national legislation who now as a consequence have to adapt the courts view. I don't see how you could seemingly jump to the conclusion that words are now without meaning and consequence when the court explicitly decided that in this case they are the arbiter.

Re:

[geekmux]

Interesting. My view is quite the opposite, to me it reads like the court decided that certain words have meaning and that they overruled the national legislation who now as a consequence have to adapt the courts view. I don't see how you could seemingly jump to the conclusion that words are now without meaning and consequence when the court explicitly decided that in this case they are the arbiter.

Tell the arbiter to legally define "serious" and I might have a different view on an obvious loophole. It appears they purposely added verbiage that has zero legal clarity or constraint. Most likely in order to abuse it later.

Then maybe review the opposing arguments. When civil rights groups oppose and Government supports, needless to say citizens should question.

Re: When a Ruling, isn't.

[test321]

It's not a loophole, you may have missed that the EU works by publishing meta-laws that are worded in generic terms. Each State is responsible to ensure that its national law is compatible with the specification. Here the EU law (Directive 2002/58/EC and Directive 2009/136/EC) says that one can define serious crime, for which targeted retention of data may be allowed. OTOH Germany had a law that defined that for the purpose of fighting crime, BLANKET data retention was possible. The Court said, Germany, you cannot do that, the EU law says that when you write a data retention law to fight certain crimes, you need to make it a TARGETED retention towards some individuals, geolocation and period of time, not a BLANKET one where you just store the data of everyone, so please make a new law.

This is exactly the extent of the powers of this court. Anything else like defining what a serious crime is would require additional EU legislation, not a court ruling.

Tell the arbiter to legally define "serious"

It's not within the powers of this court to define serious crime, it's the implementation of the data retention law of Germany that should define which crimes it wants to fight. The Court might be called one day to check that those crimes are indeed serious enough to be compatible with the intentions of the EU law in question, but this was not at all the question that was asked to the court.

Re:

[ISayWeOnlyToBePolite]

Thanks! Can't mod you up because commented so: +1 Informative AF.

Re:

[Pf0tzenpfritz]

Unfortunately it is also plain wrong.

Re:

[ISayWeOnlyToBePolite]

Are you referring to your other comment https://slashdot.org/comments.... [slashdot.org] (which also would get +1 informative from me), then I don't agree that the parent is "plain wrong", or is there something else I've missed?

Re:

[Pf0tzenpfritz]

Yes, I do. Admitted, I was reading the comments before logging in and did not quite see the differences in the comment I replied to and the one on top of the thread which clearly stated there was no definition of serious. Nevertheless I don't completely agree with this one either. As I said, serious crimes are well defined by German law. In that light it's conclusion turns from pretty diffuse to incorrect.

Re: When a Ruling, isn't.

[subspawn]

So the next step for Germany is to rewrite the law as per the example earlier in Belgium where a previously mass data retention law was also destroyed in local court in April 2021 only to be reshaped to collect data only from areas with heightened crime numbers and threat level and then was successfully adopted. It just turns out this covers >95% of the country according to these calculations: https://www.patrick-breyer.de/... [patrick-breyer.de]

Re:

[AmiMoJo]

Thanks, great explanation. I'd add that this is how the EU works. There are no "EU laws" as such, only directives that as test321 says are implemented by each country in their local laws. Then the EU has a body that monitors member states for compliance, and in cases where they think the law is not compliant and the state refuses to change it, they can use the EU courts to resolve the matter. It is also possible for individual citizens to use the EU courts if they feel that a particular law is non-compliant

Re:

[bemymonkey]

Replying to undo wrong moderation... whoops. This entire thread is quite insightful and I accidentally hit redundant :(

Re:

[gweihir]

Member states may do that. And then they may get another ruling telling them to stop. Because "serious crime" will have to be clearly defined in order for this to be compliant with fundamental legal principles. The retention of IP addresses only means DHCP mappings at a specific time. If you are doing something criminal on the Internet, you should use a proxy of some kind anyways. The whole reason why that is in there is that IP addresses are considered personally identifiable data and the general take is t

Re:

[test321]

Therefore all crime will be considered "serious" and companies will

The purpose of the CJEU is to evaluate the compatibility of national law (here of Germany) with respect to EU law. These rulings do not apply to companies but to governments. Here it reads that Member States can define a set of serious crime they intends to fight, for which they may legislate "targeted retention of traffic and location data", and that German law was excessive in legislating the indiscriminate retention (not targeted). It's now the business of Germany to rewrite its law so to better define w

Re:

[Pf0tzenpfritz]

Serious crime is well defined by German law. "Well defined" not meaning the definition to be very reasonable but at least there is a clear definition. Serious means anything punished by at least one year of prison.

No Justification to Keep Dossier On People!

[BrendaEM]

Don't care how much money telcos and websites have, there is no justification to keep a dossier on people.

Re:

[bill_mcgonigle]

"National Security" means "continuance of the regime currently in power."

Just use the right dictionary and it all makes sense.

Damn Brussels

[The Evil Atheist]

Damn them for trying to keep the delicate balance between human rights.

I remember...

[Anonymous Coward]

... when Germany had a telephone billing system that didn't collect the numbers you called. I was told that was a deliberate choice, made because they remembered the Nazis. ... and I remember being told that in Germany, if you got mail addressed to "Franz Huber, Your Company", as opposed to "Your Company, attn: Franz Huber", and Franz didn't work for you any more, you were not legally allowed to open the mail, because it was meant for a specific person, and they were that opposed to snooping.

How the mighty

Re:

[Pf0tzenpfritz]

West Germany was already in the 1980 the western country with the highest rate of tapped phones per capita. You got told nonsense, it seems. Same goes to the mail-address story. You're pretty much allowed to open whatever is in your mailbox unless it was obviously falsely delivered to you.

Why do they want to know about blankies?

[remoteshell]

I mean, if I want to snuggle up with a blankie, who has been harmed? What's next - Duvets?