An Article by Axel Petri, Senior Vice President Group Security Governance at Deutsche Telekom AG
The countdown is on for data retention in Germany: Telecommunications providers have until July 1, 2017 to make sure they comply fully with the retention rules. These require data on who has communicated with whom and when to be stored for a period of ten weeks. In terms of Internet use, this relates to the IP address and the time and duration of the connection. For mobile communications, location data collected during telephone calls and Internet use is subject to a four-week retention period. As a general rule, the prosecution authorities can access this data with a judicial order.
The issue of data retention has been fiercely debated for many years and has time and again been the subject of legal disputes. After all, it concerns a significant encroachment on civil liberties and personality rights. Deutsche Telekom has always expressly stated that it is down to the policy-makers to decide how heavily these rights are to be restricted for the work of the security authorities. We have always advocated the use of moderate regulation in this regard. Furthermore, it is crucial that telecommunications providers have absolute legal certainty in the context of implementation. It has become apparent that uncertainties still exist, which we have been unable to clarify with the Federal Network Agency in administrative proceedings. Until now, we have refrained from filing an action. However, we now feel forced to take this step in order to establish full legal certainty for implementation.
What is it all about? As the competent supervisory authority, it is the task of the Federal Network Agency to lay down the precise implementation of the law on data retention. Dissent exists between Deutsche Telekom and the Agency regarding the storage of IP addresses. To date, we have been unable to clarify this matter. The rule is that only public IP addresses can be stored, but no private addresses or the user's port. This rule does not give rise to any problem in relation to fixed-network lines, since in such cases public IP addresses can generally be assigned to a particular individual line. But in the case of mobile connections or connections made via a public WLAN, no public IP address is assigned to the relevant user. The address is simply allocated to a component on the network (an NAPT device), which allows an allocation to be made to a particular user only after the addition of extra data. This allocation procedure is not stored. In fact, that would be unlawful in the absence of a legal basis for doing so. For this reason, where data is stored for more than ten weeks, no reference can be made to any concrete line holder. As a result, the Federal Network Agency's expectation regarding the provision of specific user names cannot be met. Nevertheless, the Federal Network Agency insists that public IP addresses must be stored even for Internet access via the mobile network or a public WLAN. We would therefore like to ask the courts to clarify whether or not the obligation to save such data actually exists.
To reiterate: We are not questioning the general need for data retention. That is something on which we cannot and will not comment. We are therefore not taking this action against the overall obligation to retain telecommunication data, but merely against its detailed implementation.