When the news broke a few days ago that the U.S. Senate had finally approved the USA Freedom Act, German commenters received it with satisfaction. However, there are various differences between the USA Freedom Act and data retention laws in Europe, in particular the recent German bill on bulk traffic (i.e., metadata) data collection (Vorratsdatenspeicherung). In many respects, the mandatory storage requirements in Germany will go beyond what the USA Freedom Act demands from the industry in the United States.
For many Germans, the United States is a dystopia of almost unlimited bulk data collection by the “data octopus” (the German nickname for the NSA) under the Patriot Act. In this vein, German commentators were pleased to tell the public last week that the United States has adopted an “EU-style” data retention regime with the USA Freedom Act. Bulk traffic data for law enforcement or intelligence purposes will be stored with the companies and no longer with the NSA, FBI, or whoever needs the information to chase down terrorists or prosecute serious criminal acts. These commentators discount that the USA Freedom Act only covers traffic data for communication to and from the U.S. They also overlook that the data retention laws in Europe are in many respects more burdensome for the IT industry than the USA Freedom Act.
To rewind the protracted story, the EU had tried for almost ten years to come up with valid EU-wide rules to cover this sector, since law enforcement increasingly relies on traffic data. EU-wide rules also make a lot of sense as it is difficult, if not impossible, for an electronic communications service provider (a traditional carrier, Voice-over IP provider, public data service provider, etc.) to comply with 28 different data retention regimes in the EU. A cell phone user in London may be in Paris or Palermo tomorrow. This is why the EU, in the aftermath of the terrorist attacks in Madrid in 2004 and London in 2005, adopted a Data Retention Directive to harmonize the EU efforts in the investigation and prosecution of the most serious crimes such as, in particular, organized crime and terrorism. This Directive required operators and public service providers to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years. They were required to make them available, upon request, to law enforcement authorities for the purposes of investigating, detecting, and prosecuting serious crimes and terrorism. However, on 8 April 2014, the EU Court of Justice (ECJ) declared the Directive null and void, arguing that it did not meet the principle of proportionality and should have provided various safeguards to protect the fundamental rights of respect for private life and the protection of personal data. With the ball thus thrown back to the member states, some of them have adopted or apply their own laws (such as France and the UK), whereas others stayed away from a bulk data collection that would stigmatize ordinary citizens as “potential criminals,” as civil right activists and some politicians have argued for many years.
Proponents of the data retention law argue that the ECJ didn’t entirely rule out bulk data collection as long as it is required by clear and precise conditions. It must serve a legitimate and significant general interest, such as the fight against serious crime and the protection of public security. After the terrorist attacks on the French magazine Charlie Hebdo, the German government has come under tremendous pressure from law enforcement to adopt a new data retention law to allow a bulk collection of traffic data. The German Cabinet adopted a bill on May 27. After a very short consultation period, the German government plans to push this new law through the Parliament, arguing that it is necessary to prosecute criminals and terrorists. It states that it will not require carriers and internet service providers (ISPs) to store the content of the traffic (calls, emails) but only the so-called traffic and location data, such as who called whom and when, location data of cell towers, etc., for a mandatory retention period of ten weeks for traffic data and four weeks for location data.
Since approximately 1,000 companies in Germany will be affected by the new legislative measures, the German telecom industry is already up in arms against it, because the carriers and ISPs are concerned about the costs and the legality of these measures. In 2010, the German Federal Constitutional Court in Karlsruhe struck down an earlier mandatory data retention law from 2007 on the basis that it violated various human rights and other provisions in the German Basic Law. The implementation of the law from 2007 would have required investments of at least €75 million, according to a serious estimate at the time. However, the German government believes that its new bill will pass muster and is proportionate, although it is likely that it will end up in the German court system again, with all the uncertainties that come along with such a step. In 2015 alone, the Netherlands, Bulgaria, and Slovakia saw their national data retention laws annulled. The same happened in Austria, Romania, and Slovenia in 2014, while further court proceedings in some other member states remain pending.
Without going too much into the details of the new German law, it is already clear that the aforementioned distinction between the retention periods for traffic and location data will be very difficult to implement. Many carriers have flat rates and don’t store the traffic information anymore. Location data will only be collected by a carrier if communications actually take place (e.g., a mobile call) and thus are stored together with the other traffic data in a data set. Therefore, different data retention periods for both categories will augment the complexity of the implementation tremendously. New hardware and software may become necessary for these companies, while the government has no intention to pay for it. Mandatorily stored data sets that are not relevant for billing are not needed by companies for their own purposes. Service providers, for instance, usually receive no location data from the network operator because they either don’t need them or are not allowed to acquire them under the strict German data protection rules. Moreover, it will be expensive to safeguard and protect these data sets—a treasure trove for hackers and foreign intelligence agencies. There are no exemptions in the bill for smaller providers. On top of that, the government wants the traffic data be stored in Germany, which will exclude centralized databases on a larger geographical scale.
The USA Freedom Act’s obligations don’t even come close to the European laws, in particular to the German data retention bill. The USA Freedom Act doesn’t contain storage obligations that go beyond the retention requirements already imposed and enforced by the FCC rules and related laws. In other words, U.S. carriers don’t need to store more traffic data than they are already required. If the government demands access to specific data sets, on the basis of a FISA court order or a special authorization of the Attorney General, the carriers must provide this information on a daily basis for up to 180 days and are reimbursed for these services. Unlike the German bill, the USA Freedom Act expressly does not cover the “cell site location or global positioning system information.”
It is ironic that the German government, which is usually not shy of praising the advantages of the German data protection regime as the global “gold standard,” now promotes and sponsors a data retention regime that goes beyond what the USA Freedom Act demands from the industry. Once this national law is put into action, the German police and secret service will only be the first institutions that will try to gain access to the data. Copyright defenders, foreign intelligence authorities, litigators, and prosecutors will try to push their shopping carts through the door—if the new law survives in the German and European court system.