Data retention: Unlawful draft through the back door

SpaceNet CEO Sebastian v. Bomhard explains: "The duration of the storage of user data is particularly problematic. Although this is limited to three months in the draft law, this period must actually be regularly exceeded, as the law requires the storage of connection data at the start of its allocation and deletion after three months from the time the allocation ends. In fact, Internet connections are often disconnected and reassigned quite infrequently nowadays, so that in practice significantly longer recording periods of up to years result. However, in its judgement of 2024, the ECJ clearly pointed out that data retention must be as short as possible. The draft law therefore violates European law."

Data retention is similar to the rejected clear name obligation

SpaceNet also considers the reintroduction of data retention in combination with stricter rules on online violence to be particularly risky: "A current topic is being used here to address the issue of data retention through the back door, although this measure is hardly related to the other activities. The German government is right to reject a clear name obligation on the Internet, but the precautionary storage of IP addresses is ultimately no different," emphasises v. Bomhard.

It is clear that criminal offences on the Internet can now be concealed by simple means such as virtual private networks (VPNs), even by non-professionals. In order to solve serious criminal offences, targeted instruments that are protected by the rule of law are necessary. The quick freeze procedure envisaged in the coalition agreement of the previous government would have enabled a compromise in this respect, whereby traffic data could be frozen on urgent suspicion but only analysed following a court order. This approach strikes a balance between the interests of the investigation and the protection of fundamental rights. In addition, modern AI processes offer completely new possibilities for analysis, which are best made impossible by not storing data for such long periods of time without reasonable suspicion. Instead, the new draft law now consistently ignores existing judgements of the Federal Constitutional Court (2010) and the ECJ (2022 / 2024), and more data is to be stored for longer periods of time.

More costs and fewer civil rights

As a result, implementing the draft bill in accordance with EU law would also lead to massive costs for providers. Ultimately, it would be the consumers who would suffer, as they would have to expect higher costs for their network connections.

"In the form planned by the coalition, data retention remains a blanket encroachment on civil rights," says Sebastian von Bomhard. "Now, in addition to the storage period, the type of data to be stored is even being extended. The nature of this instrument ignores the valuable principle of the presumption of innocence and makes trust in German digital policy largely impossible." PRESS RELEASE Page 2 of 2

SpaceNet already took legal action against the data retention legislation at the time in 2016 - with success. The Federal Administrative Court confirmed the inadmissibility of the generalised data collection and thus set a legal milestone for data protection and also for corporate legal clarity. The storage obligation that has now been announced gives rise to fears that the former concept is to be enforced after repeated failed attempts in the wake of digital protection against violence - with a new label, of course, as always.