German telecom and Internet operators could once again be forced to store customer traffic and location metadata for police investigation purposes, five years after a previous data retention law was declared unconstitutional.
The draft data retention law unveiled on Wednesday would oblige providers to store call and Internet traffic metadata for a maximum of 10 weeks while location data would have to be stored for four weeks, the German government said.
The measure is meant to help law enforcement agencies in their fight against terrorism and serious crime. According to the government, it strikes the right balance between freedom and security in the digital world.
However, plans to retain metadata for these purposes are controversial in Germany and the draft law was immediately heavily criticized.
Germany hasn't had a data retention law since 2010, when the German Federal Constitutional Court ruled the previous law unconstitutional.
The earlier law was based on the European Union's Data Retention Directive, which was itself overturned a year ago by the Court of Justice of the European Union (CJEU), because it violated fundamental privacy rights.
The government's new data retention proposal still violates the European right to privacy and the right to personal data, said Volker Tripp, advocacy manager at the German digital rights group Digitale Gesellschaft, who added that the government has failed to prove data retention is needed to fight serious crime and terrorism.
According to Federal Minister of Justice and Consumer Protection Heiko Maas, though, things are different this time. The current draft law cannot be compared to the old law, which obliged providers to store data for six months, he said.
Privacy will protected under the current proposal as the retained data has to be deleted immediately, he said. What's more, content will not be retained and the right to have private conversations will remain, while it is not allowed to build motion profiles and retention periods are far shorter than before, he added.
Not everyone's data will have to be retained. The proposed law has a provision that excludes people and organizations that have to keep secrets by profession from the retention requirement. This includes social institutions and churches, according to the draft.
Data will be retained though from people in other professions who under German law are allowed to keep professional secrets including lawyers, doctors, pharmacists, members of parliament and journalists. However, authorities are not allowed to use that data.
"So they are saving it to not use it later. Does that make sense? No it doesn't," said Tripp, who added that this part of the proposal also goes against the German legal principle of non-discrimination.
Despite the criticism, it is likely that the law will pass through the Bundestag quickly, as the government coalition has about an 80 percent majority, said Tripp.
"The government is obviously trying to push the law through parliament," he said. It only took a couple of months to prepare this draft while a normal legislative process takes several months or maybe years, he said, adding that the law could be approved before the parliament's summer recess starts at the end of June. By fast-tracking the legislation process, the government is trying to avoid a public debate, Tripp said.
A spokeswoman for the Ministry of Justice and Consumer Protection declined to comment on timing and said the process is now in the hands of the Bundestag.
Germany is not the only country struggling with data retention. In the Netherlands, where the national data retention law was scrapped by a court because it was found to violate fundamental privacy rights, the government is looking to introduce a new one as soon as possible.
The Swedish government meanwhile maintains that its data retention law can still be applied, while in the U.K. a new data retention law was rushed through by the U.K. government after the CJEU ruling. That law will be reviewed by the country's High Court to determine if it violates human rights.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org