German court says EU phone, e-mail data retention policy must be changed

The highest court in Germany has suspended a controversial law in Europe requiring phone and e-mail providers to hold customer data for six months in case the data is needed by law enforcement. Germany’s Federal Constitution Court called the law “inadmissible” and ruled that changes would be needed to limit its scope, according to a story in Spiegel Online.. The court felt that the data is not properly secured or protected and that its use had not been made clear.

Lance Whitney writes that the legislation to retain customer records for e-mail as well as mobile and landline calls was first proposed in 2004 to help in the fight against terrorism following the Madrid train bombings. The European Union passed the legislation in 2005 and gave final approval in 2006. (for the status of the issue in the United States, see “FBI Wants Two Year Retention for ISP Data,” 9 February 2010 HSNW).

Individuals and civil rights groups have since protested the directive, criticizing it as violating civil liberties in Europe.

The German court found that the law, as implemented, went beyond the intent of the original directive and has ordered all customer data to be removed immediately. Whitney writes that the new ruling suspends the directive but does not knock it down permanently. The German court indicated that tighter controls would be needed to ensure the security of the data as well as a clear intention and control over what the data would be used for.

The battle over retention of customer records has generated its share of controversy, not just in Europe but around the world. Government and law enforcement officials have argued that such data retention is needed to help combat terrorism, but privacy advocates have argued in response that data retention laws infringe on personal privacy and leave customer information exposed and vulnerable without proper security in place.