Last Tuesday, barely three weeks after the European Parliament voted to annul the EU-U.S. SWIFT agreement on bank data sharing, Germany’s Constitutional Court struck another major blow against counterterrorism efforts by overturning a law that required telecommunications firms and internet providers to retain basic communications data for a period of six months.
Indeed, the court did not merely overturn the requirement to retain the data. It ordered the data to be deleted, thus setting in motion what appears to be a frenzied process of data destruction at German telecommunications and IT firms.
The German data retention law served to implement the minimum data retention requirement laid out in a 2006 European Union directive. The directive was jointly approved by both the European Council, representing the EU member states, and the European Parliament. It was adopted in the aftermath of the July 2005 London transport bombings and in recognition of the major benefit that basic communications data provides to law enforcement agencies in connection with terror investigations, as well as investigations into organized crime. The directive notes, for instance, that
On 13 July 2005, the Council reaffirmed in its declaration condemning the terrorist attacks on London the need to adopt common measures on the retention of telecommunications data as soon as possible.
The data concerned is exclusively framework data that is “generated or processed in the course of the supply of communications services:” information such as calling phone number, called phone number, subscriber name, user ID, IP addresses, and so on. The directive only applies to electronic communications, whether by phone or e-mail. It does not apply to other internet usage data: for example, on surfing habits or consulted web pages. Moreover, the directive expressly prohibits the retention of the content of any communications.
The directive lays down a minimum retention period of six months and a maximum period of two years. After the end of the period established by each member state, the data in question must be destroyed. The establishment of the two-year maximum represents an obvious obstacle to long-term investigations into terror or organized crime. It is clear that it was a subject of controversy in EU negotiations, since the directive also lays down that member states may under particular circumstances apply for an extension.