GERMANY—New Rules for Government Access to Telco User Data
By Flemming Moos
On May 3, the German Federal Council (Bundesrat) passed a new bill that allows certain government agencies access to telecom user data. The bill does not—as is the case for the hotly debated telecoms data retention—affect the traffic data but rather the user data such as name, address, date of birth, telephone number and e-mail address as well as access codes to e-mail accounts and cloud services, PINs and PUKs. For the first time, the German government shall be given an express authorization to also request information as to which user was assigned with a specific dynamic IP address for a specified point of time. In order to facilitate the data access, the service provider shall set up for the relevant government agencies an electronic interface to their IT systems.
In practice, government agencies have already been granted access to this kind of data in the past; however a clear statutory basis was missing until now so that the Federal Constitutional Court had declared the data access as unconstitutional.
According to the revised Sec. 113 para. 2 German Telecommunications Act, the data may in future be communicated in case a government agency—as further defined in the act—requires this in text form and for the purpose of prosecuting a criminal or administrative offence, preventing a threat to public safety and order or fulfilling a statutory obligation. Access to PINs, PUKs and passwords is subject to judicial authorization. The user must be informed of the data access afterwards, unless the information would render the data access ineffective.
It is not clear whether these new provisions are in line with the constitutional requirements. German Data Protection Officer Peter Schaar has criticized that even administrative and other minor offences can justify a data access request. Further, it is argued that the Federal Office of Criminal Investigations is granted too far-reaching competencies in the field of crime prevention. For these reasons, some privacy advocates have already announced that they will seek a review of the new data access rules by the German Constitutional Court again.
Flemming Moos is a partner at Norton Rose in Germany and a certified specialist for information technology law. He chairs the IAPP KnowledgeNet in Hamburg and can be reached at firstname.lastname@example.org.