German court rules against data retention policy

Court strikes down law that required data from phone calls and e-mail to be retained by service providers for six months for use by law enforcement officials.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

The highest court in Germany has suspended a controversial law in Europe requiring phone and e-mail providers to hold customer data for six months in case it's needed by law enforcement.

Germany's Federal Constitution Court called the law "inadmissible" and ruled that changes would be needed to limit its scope, according to a story in Spiegel Online. The court felt that the data was not properly secured or protected and that its use had not been made clear.

The legislation to retain customer records for e-mail as well as mobile and landline calls was first proposed in 2004 to help in the fight against terrorism following the Madrid train bombings. The European Union passed the legislation in 2005 and gave final approval in 2006. But individuals and civil rights groups have since protested the directive, criticizing it as violating civil liberties in Europe.

The German court found that the law, as implemented, went beyond the intent of the original directive and has ordered all customer data to be removed immediately. The new ruling suspends the directive but doesn't knock it down permanently. The German court indicated that tighter controls would be needed to ensure the security of the data, along with a clearly stated purpose for the data and control over how it is used.

The battle over retention of customer records has generated its share of controversy, not just in Europe but around the world. Government and law enforcement officials have argued that such data retention is needed to help combat terrorism. But privacy advocates have counterargued that data retention laws infringe on personal privacy and leave customer information exposed and vulnerable without proper security in place.