Federal Administrative Court Refers German Data Retention Law to European Court of Justice
On 25 September 2019, the German Federal Administrative Court (Bundesverwaltungsgericht) decided to make a reference to the European Court of Justice in order to clarify whether the German data retention law is compatible with Union law.
The German Federal Administrative Court now has to decide on the lawsuits of an Internet provider and a telephone provider who are opposing their obligation to retain the telecommunication traffic data of their users as laid down in Sections 113a, 113b of the Telecommunications Act. According to these provisions, introduced in the new German data retention law of 2015 (the first national law implementing the Data Retention Directive 2006/24/EC having been declared unconstitutional by the German Federal Constitutional Court − FCC), telecommunications providers are obliged to retain the traffic data of their users for a period of 10 weeks and location data for four weeks in order to be able to provide them to the law enforcement authorities, if necessary. The retained data may only be used by the authorities for the prosecution of serious criminal offences or for the prevention of danger to the life, body, or freedom of a person or of threats to the existence of the Federation or a Land (§ 113c Telecommunications Act).
In the previous instance, the Administrative Court (Verwaltungsgericht) of Cologne had stated that the applicants were not obliged to retain the telecommunication traffic data, arguing that this obligation set by the German data retention law contravenes European Union law. As a result of a previous, very similar decision by the Higher Administrative Court of Münster (cf. eucrim, 2/2017, p. 71), the Federal Network Agency (Bundesnetzagentur) has already decided not to enforce the retention obligations for telecommunications and Internet providers for the time being.
The Administrative Court of Cologne and the Higher Regional Court of Münster both referred to the judgment of the CJEU of 21 December 2016, in cases C-203/15 and C-698/15, Tele2 Sverige et al. (cf. eucrim 4/2016, p. 164), which established very narrow conditions for national laws to maintain data retention rules. This decision has led to serious doubts as to whether there is a general prohibition of blanket retention systems that can be justified neither by the gravity of threats to public security nor by stringent security and access requirements.
The CJEU found in its judgment that the British and Swedish legislations on data retention were not compatible with Union law. Compared to the British and Swedish legislation, however, the German provisions are more restrictive (e.g., in terms of the period of retention) and set strict security and access rules in order to protect the data. The German Federal Administrative Court therefore decided not to simply take over the findings of the 2016 judgment, but to make reference for a preliminary ruling to the CJEU.
The judges in Luxembourg now have to deal with the question of whether a national law (and the German data retention law in particular), providing a blanket retention measure that clearly interferes with Art. 5 of Directive 2002/58/EC, can be justified under Art. 15 of the same directive or whether it is generally forbidden by Union law. If the Court finds that the German data retention law contravenes Union law, it will not be applicable anymore due to the primacy of Union law.
There is also a complaint against the current German data retention law pending before the FCC. The Constitutional Court has repeatedly dismissed motions for a temporary injunction, arguing that, even after the CJEU 2016 decision, questions still remain that are not suitable for clarification within summary proceedings. It is uncertain whether a final Constitutional Court decision can be expected soon.
In addition to the reference from Germany, courts in Belgium, France, and Estonia referred questions to the CJEU regarding the compatibility of their countries’ data retention legislation with EU law, notably Art. 15 of Directive 2002/58/EC (“the e-privacy Directive”) (see pending cases C-520/18; C-511/18; and C-746/18; see also eucrim 1/2019, p. 26). The Investigatory Powers Tribunal, London, posed the question of the applicability of the “Tele2 Sverige/Watson requirements” in the national security field (Case C-623/17).