Germany has passed a law which amends several existing laws, including the Telecommunications Act, clarifying in particular the obligations of telecommunications providers to disclose customer data to law enforcement authorities. The existing disclosure obligations relate to “customer data”, which is data of subscribers collected for the purpose of establishing, regulating the contents of, modifying or terminating a contract for telecommunications services; customer data includes the name or address of the customer, telephone numbers as well as PIN, PUK and passwords.
This new law was required following a ruling by Germany’s Supreme Court last year. The Court had declared some of the existing provisions as unconstitutional and only allowed their continued application until the end of June 2013. The new law will enter into force on 1 July 2013, just in time before the expiry of this transitional period.
The new law has stirred opposition from several stakeholders, including journalists, judges and data protection authorities, although most of the criticism relates in fact to elements which already form part of the existing law. Major amendments include the following:
- The new law clarifies that disclosure requests could also cover dynamic IP addresses when allocated at a particular point in time.
- The new law now expressly provides that data which is protected by the German constitutional right of telecommunications secrecy (such as content or connection data) may only be accessed in accordance with the provisions of the laws authorizing such access.
- The new law creates an express authorization for a number of federal law enforcement agencies to request disclosure of such customer data from telecommunications providers (such express authorization was missing so far). Similar express statutory authorizations still need to be established at the level of the sixteen German Länder for Länder law enforcement authorities. The new law specifies that the responsibility for the lawfulness of the disclosure request lies with the requesting law enforcement authority (rather than the telecommunications providers).
- The new law expressly prohibits the disclosure of the data to other public or private organizations.
- The law prohibits telecommunication providers to disclose, whether to the individuals concerned or third parties, the fact that a request has been made or that such a request has been answered. The law enforcement agency must in principle inform the individuals concerned however, save in exceptional cases.
- In principle, all disclosure requests require an advance court order which can be requested by the public prosecutor; in certain limited cases the court order may be sought subsequently.
The new law has also been heavily criticized for the fact that disclosure requests are no longer limited to certain acts of terrorism and the most serious crimes but now could also be made in case of petty crimes. Critics expect an unprecedented rise in the number of disclosure requests. In comparison, in 2011, customer data were analyzed in more than 6,000 cases for suspected drug offences and only in 50 cases for security purposes.