Data retention: Trying to find that fine line

Yesterday, Germany's Federal Ministries of Justice and the Interior reached agreement on guidelines for future data retention and announced that draft legislation would follow shortly. This agreement was preceded by years of political and societal controversy about data retention. Some claim it is a major step toward a "big brother" state that places all citizens under general suspicion. Others insist it would be an indispensable law-enforcement tool in the battle against serious crime. In 2010, Germany's Federal Constitutional Court overturned the existing German provisions on data retention, and no data retention has been practiced since then. In 2014, the European Court of Justice then declared that the EU Data Retention Directive on which pertinent national laws had been based was "invalid."

And now the government has reached a compromise that opens the way to new provisions. Basically, the guidelines would require telecommunications companies to store telephone and Internet traffic data for a ten-week period. For the location data generated in mobile communications, a shorter storage period of only four weeks would be required. The retention requirements would apply only to connection data, and not to content data. In addition, e-mail traffic data would be completely exempted from retention requirements, and data on web pages visited would not be stored. Only law enforcement authorities would be able to access the data, and they would require the authorization of a judge for such access. Public prosecutors would not have any pertinent special authority even in urgent cases, i.e. they would have no powers of sole decision in such cases.

The proposed provisions would encroach to a lesser degree on civil rights and liberties than did the old German provisions on data retention, and than do provisions currently in force in other European countries. Most countries with data retention have set the minimum period for the data storage at six months. In general, it is right to reduce the quantities of data that have to be stored under data retention – and to considerably shorten the required storage periods. Nonetheless, the new legislation will meet with resistance. For example, Peter Schaar, formerly the German government's Federal Commissioner for Data Protection and, as of this year, a member of Deutsche Telekom's Data Privacy Advisory Council, has criticized the planned provisions and called for a policy in which data would be frozen instead, and thus preserved only in the face of concrete threats.

We cannot assess the extent to which law enforcement authorities now require access to the connection data at issue. It is up to them to convince the public of their need for such access and uphold full transparency. Lawmakers now have the sensitive task of trying to weigh civil liberties and personal rights against security requirements. As far as I am concerned, the decisive issue is that citizens must know that they can communicate freely – that their communications are not being monitored. This is an issue of public trust in the freedom of communication. Ultimately, the highest courts will probably again have to decide if lawmakers have found the right balance. Intentions to challenge the legislation in court have already been announced. What is more, any legislation at the national level might have to be adapted to new provisions passed at the European level.

If the data retention legislation comes about as planned, telecommunications companies will have the tasks of storing the data securely, preventing any abuse and deleting the data at the end of applicable storage periods. Deutsche Telekom will do all this very conscientiously. It is not clear why the planned legislation would not also apply to various other service providers, such as WhatsApp, Skype and Facebook. Furthermore, the provisions need to be readily implementable in actual practice. This applies to such issues as use of different retention periods and allowance of exceptions for persons entrusted with professional secrecy, such as doctors, lawyers and clergy. While the data they deal with are to be exempted, there are no databases covering those groups of persons. How then can such exemptions be implemented in practice? The industry must be supported in resolving this issue. And, needless to say, the public sector must bear the expenses tied to data retention. After all, data retention involves separate storage of data, solely for the purposes of law enforcement and public security.

As for Deutsche Telekom, we store only the data that we require for our business operations – such as the data we need for our invoices and for our efforts to combat spam. Wherever possible, we reduce the volume of data that we store. And all our data-storage periods are transparently displayed on the Internet, at www.telekom.com/dataprotection. We never forget that our customers entrust to us something that is very private: their personal data. We do everything in our power to protect their data.
