On May 27, 2020, the German Federal Constitutional Court invalidated section 113 of the German Telecommunications Act (TKG) and several accompanying federal law provisions for non-compliance with the German Constitution (case nos. 1 BvR 1873/13 and 1 BvR 2618/13). On July 17, 2020, the Federal Constitutional Court published the fully reasoned judgment as well as a press release outlining the Federal Constitutional Court’s key considerations (press release no. 61/2020 of July 17, 2020, available in German and English).
Section 113 TKG enables German security authorities to request from providers of telecommunications services access to personal customer data linked to the conclusion or performance of a telecommunication services contract (Subscriber Data). Subscriber Data includes information such as a subscriber’s name, date of birth, telephone number, address, bank details, login data, or an IP-address assigned at a certain point of time. By contrast, data relating to the use of telecommunications services (so-called traffic data) is not covered by section 113 TKG.
In the view of the Federal Constitutional Court, section 113 TKG violates the fundamental right to informational self-determination and the fundamental right to privacy of telecommunications of users of telecommunications services. While the German Constitution does not per se prohibit any security authorities’ access to Subscriber Data, the legislator must create a proportionate legal basis for both the transfer of Subscriber Data by telecommunications providers, and the retrieval of such data by the relevant security authorities. The Federal Constitutional Court emphasized that “provisions on transferring and retrieving data must adequately limit the purposes of the utilization of data, particularly by establishing thresholds for the use of powers as part of the constituent elements of the provision and by providing for sufficiently meaningful protection of legal interests.”
Notwithstanding, the Federal Constitutional Court granted a grace period during which the invalidated provisions – despite their unconstitutionality – may still be applied. This grace period ends on December 31, 2021 at the latest.
The German legislator is now asked to amend the German law provisions that have been invalidated by the Federal Constitutional Court. In this regard, the Federal Constitutional Court outlines the following requirements from a constitutional law perspective:
“[U]sing the general powers to transfer and retrieve subscriber data in the context of maintaining public security and the activities of intelligence services requires there to be a specific danger in the individual case, and an initial suspicion of criminal conduct (Anfangsverdacht) in the context of the investigation and prosecution of offences. Where dynamic IP addresses are matched, this must additionally serve to protect or legally reinforce legal interests of at least considerable weight given the increased weight of the interference. Where, with regard to maintaining public security or activities of intelligence services, the thresholds for the use of powers require less than a specific danger, this must be compensated for by establishing stricter requirements for the weight of the legal interests meriting protection.”
In the light of Directive (EU) 2018/1972 establishing the European Electronic Communications Code, German telecommunications laws are subject to a comprehensive revisions anyway. Germany has to transpose the European Electronic Communications Code into national law until December 21, 2020. It remains to be seen whether the legislator will seize this opportunity to also implement a sufficiently transparent and proportionate legal basis for Subscriber Data access requests from German security authorities, as outlined by the Federal Constitutional Court.