More Protection for Victims Through Data Retention
On the Introduction of a Minimum Data Retention Period for IP Addresses After La Quadrature du Net II
“Goodbye data retention”, proclaimed former Federal Minister of Justice Sabine Leutheusser-Schnarrenberger on this blog, after the European Court of Justice (ECJ) upheld its restrictive jurisprudence on the storage and disclosure of telecommunication traffic data for national security purposes in its 2020 decision (Privacy International), despite vehement criticism from Member States. However, as the recent judgement by the ECJ (La Quadrature du Net II) shows, it is just not possible to make such apodictic statements in the field of legal policy. The threat level determines the proportionality of the means – both of which are subject to the perpetual flux of time.
The ECJ’s La Quadrature du Net II judgement
With its full court judgement of April 30, 2024, the ECJ has further developed its requirements for the “general and indiscriminate retention of data” of IP addresses: a legal obligation to retain data can be contemplated not only for “objectives of combating serious crime or preventing serious threats to public security” (paras. 77 and 95), but also, under certain circumstances, for “combating criminal offences in general” (paras. 92 and 103). Without access to IP addresses, the Court argues, there would be “a real risk of systemic impunity not only for criminal offences infringing copyright or related rights, but also for other types of criminal offences committed online or the commission or preparation of which is facilitated by the specific characteristics of the internet” (para. 119). The ECJ’s response to those who, at the mere mention of the words ‘data retention’ – a misleading term in my opinion1) – reflexively evoke the Orwellian surveillance state is that the storage of IP addresses “does not constitute a serious interference with the privacy of the holders of those addresses, since those data do not allow precise conclusions to be drawn about their private life” (para. 103).
The Charter of Fundamental Rights is not a “Super Police Act”
If the opponents of such a data retention obligation nevertheless complain that the judgement is a “misfortune”, a “disappointment” and a “sad reversal in the protection of privacy”, they fail to recognise that assessments of proportionality must necessarily adapt to changes in the state of security. The judgement was only a surprise for those who are of the opinion that the balancing of fundamental rights results in absolute standards, which the ECJ had created once and for all for the field of data retention with its landmark decision of 2014. However, this exceeds the competences of judicial legal interpretation. As the German Federal Constitutional Court (FCC) clarified, the “fundamental rights of the Basic Law, the guarantees of the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union are rooted primarily in common constitutional traditions of the Member States and are thus a manifestation of common European and universal values”, but they do not define the details of the investigative powers of law enforcement. Detailed and differentiated limits for interferences with fundamental rights, as, for example, prescribed in art. 13 (3-5) of the German Constitution (protecting the inviolability of the home), are the result of a particular and intense political controversy surrounding the “great eavesdropping offensive” – a similarly misleading framing from the same political camp – and an absolute exception. By comparison, such detailed requirements for the purposes and limits of storing and accessing telecommunication traffic data exist neither in the fundamental rights catalogues of the ECHR and the EU Charter of Fundamental Rights nor in other provisions of the German Constitution.
On the contrary: the values protected by fundamental rights are actually in conflict. On the level of Union law, there are, on the one hand, the fundamental rights to the respect for privacy and personal data protection, arising from Arts. 7 and 8 of the EU Charter of Fundamental Rights, for those whose traffic data is stored and may, where applicable, be accessed. However, fundamental rights are not only rights of defence against state interventions, but also include duties to protect those who are victims of crime. Thus, some have even argued that the complete abandonment of data retention obligations would be incompatible with fundamental rights (see here and here).
“Going dark” in the World Wide Web
There are innumerable dangers lurking on the Internet as a worldwide communications network that connects everyone in virtually all areas of life in real time.
Not even the (now former) Federal Minister of Justice Buschmann disputes that serious crimes are being committed relentlessly via the Internet, such as the consumption and distribution of child sexual abuse material. Genuine suffering lies behind the vast majority of criminally relevant images and videos on the Internet. Almost every image uploaded online is created offline. In some cases, the production of such image material is even published as a livestream of the abuse. Moreover, the Internet is used to obtain opportunities for committing such acts, including so-called cybergrooming. This refers to the targeted contacting of children on the Internet with the aim of initiating sexual contacts, in most cases anonymously or under a false name. Furthermore, the Internet is being increasingly used to disseminate hate speech; it is a platform for radicalisation, for exchanging discriminatory materials with like-minded persons and for planning and conducting terror attacks. But even crimes that may be considered less severe are developing extreme dimensions on the Internet. For instance, criminals attempt to obtain user login data using all kinds of phishing tactics, with the aim of conducting financial transactions for their own benefit, especially bank account transfers and product orders. Also, ransomware is used as a means of digital extortion.
In the anonymity of the Darknet, IP addresses frequently represent the only indicators for investigation activities by the security services (see ECJ Judgement of 6.10.2020, Cases C-511/18, C-512/18 and C-520/18, para. 154). To use a figurative comparison, IP addresses are the number plates on the data highways, with the major difference that they are issued dynamically each time somebody connects to the Internet, which means that they can only reveal who is accessing a service as long as the relevant data is stored by the telecommunications provider. If the IP address is no longer stored by the telecommunications provider at the time of the law enforcement agency’s request, or cannot be determined due to the lack of any stored port number, investigations usually fail due to a lack of further investigative approaches. After the failed Islamist terror attack involving the use of poisons like ricin and cyanide in January 2023, hardly anyone can seriously doubt that the failure to store IP addresses creates security risks that can put people’s lives in danger. It was only the fortunate circumstance that one of the suspects was a customer of a telecommunications provider that stores IP addresses voluntarily for seven days that led the investigators to his home address in Castrop-Rauxel.
“Quick Freeze” is not an alternative
The “quick freeze” procedure proposed by the former Federal Minister of Justice is not able to fill the protection gap caused by the failure to store IP addresses. Here, data from the period before the judicial order was issued can only be gathered if it has been stored voluntarily by the provider, for example for commercial purposes. Due to the unavoidable delay until a security service is notified of an offence, the quick freeze procedure is unsuitable, in particular when it comes to combating child sexual abuse. It is also important to note that after a certain period of time, providers are legally obliged by data protection law to irreversibly delete data that they have stored and no longer require. The quick freeze procedure only allows for data to be frozen that is still available at the time of the court’s decision. Even in the best cases, providers currently only store IP addresses between four and seven days. Sometimes they store the data only for one day or a few hours, so that the quick freeze procedure is in most cases no longer capable of securing any relevant data.
Proportionality depends on context and time
As with all national security matters, proportionality is a decisive factor when it comes to the question of the legality of storing traffic data. The aim is to create an appropriate balance for the conflicting fundamental rights. This consideration falls within the primary competence of the democratically legitimate legislature. The objectivity of law inevitably reaches a certain limit here, since the question of what is proportionate is always to a certain degree in the eye of the beholder and depends on the latter’s values and convictions. In other words, the balancing of the impacts certain measures have on fundamental rights with the purposes pursued by the law, in particular when they are aiming at protecting citizens’ fundamental rights, is at its core a political decision, which is determined by the democratically elected majority. The outcome of this balancing exercise can change when democratic majorities change. For example, a social-liberal government might evaluate the proportionality of a limited retention of IP addresses differently than a Christian-conservative government. The primacy of politics makes it impossible to derive absolute judicial standards from the principle of proportionality that bind the legislature forever.
There is no doubt that one of the great achievements of the rule of law is that independent courts, which, like the ECJ and the Federal Constitutional Court, have the power to review legislation, ensure that the political majority does not lose sight of what is reasonable. However, this does not legitimise any kind of judicial “super legislature.” The requirement of judicial self-restraint is to a considerable degree immanent to the test of proportionality. It is not always the case that this is observed as consistently by the courts as it was by the German Constitutional Court during the COVID pandemic. Here, the Court made the following clarification:
“When assessing whether a measure is appropriate, too, the legislator in principle has a margin of appreciation […]. In this respect, the Federal Constitutional Court reviews whether the legislator has taken tenable decisions within its margin of appreciation.”
However, the more the judiciary takes the test of proportionality out of the hands of the legislature, the more politicized it becomes. If every problem had only one proportionate solution, the Bundestag would be out of a job by now, after 75 years of vigorous legislation. The fact that this is not the case has one simple reason: the world is in a state of constant change. Not only do some values and convictions change in the course of time but also – and particularly – the political and social framework. This applies above all in “insecure times”, when crises and international conflicts leave the world in a state of unrest. As a result of this, “there is no ‘final word’ in democracy” (Lepsius JZ 2019, 793 [801]). With democracy, it is therefore as with communicating vessels: any change on one side always leads to a change on the other. As a relative principle, proportionality is an inherently unsuitable instrument to develop absolute standards for eternity.
If the threat changes, the proportionality of countermeasures changes accordingly
In terms of security law, a change in the threat situation requires a response from the legislature. It must put the security services in a position that enables them to react adequately to the new threat situation. If a court decision has conducted a proportionality review to a great extent in the place of the legislature, the change in the threat situation can force the court to re-evaluate its assessment. A judgement is always bound to its concrete context and thus limited in its effects, especially when proportionality considerations were at the core of the decision. A different context can and must result in a different decision. This is quite self-evident, and is now perceived with particular clarity in the more decisionistic case law of the ECJ. Such re-evaluations can also be found, however, in the case law of the German Constitutional Court, which is oriented more towards continuity. This is evident in the judgment from 2020 regarding the strategic foreign telecommunications surveillance of the German Federal Intelligence Service (BND): here, the Court on the one hand emphasized the higher intensity of the interference with fundamental rights considering the “disproportionately broader access” compared to its decision from 1999, but at the same time, it contrasted it with the “higher potential for danger” that had resulted from the development of communications technology, the tighter cross-border integration of the living conditions in general, and the considerable increase in threats from abroad.
The same principles must apply when it comes to data retention. Since the precedent-setting judgements of the German Constitutional Court in 2007 and the ECJ in 2014, the security situation in Germany and Europe has changed profoundly. The global political landscape is considerably less stable in the wake of the war in Ukraine and the conflicts in the Middle East, and also due to the impact of climate change and the COVID pandemic. Domestic security, too, is endangered to a degree that would have been unimaginable only a few years ago. We are being overrun almost daily with cyberattacks and disinformation campaigns by foreign powers, while their espionage and sabotage are now exceeding Cold War levels. At the same time, global insecurity is fuelling extremist efforts of all kinds, as well as crude conspiracy theories and anti-democratic propaganda. Unbridled hate and agitation are proliferati