German court finds telecoms storage law is not compatible with EU

Under the new law, which comes into effect on 1 July, traffic data should be stored for 10 weeks and location data for four weeks, and made available if necessary to German authorities. However, this is not compatible with the law of the European Union, the higher administrative court of North Rhine-Westphalia has said (link in German).

An IT company from Munich had asked the Cologne Administrative Court for an injunction to allow it to avoid the data storage obligation until a decision is made at an EU level. The Cologne court rejected the request, and it was passed to the North Rhine Westphalia court on appeal.

The North Rhine Westphalia court based its decision based on a ruling by the Court of Justice of the European Union (CJEU) in December 2016 which said that EU countries could not impose blanket data retention requirements. 

The incoming German obligation "covers the traffic and location data of almost all users of telephone and internet services", whereas the CJEU provisions "are limited to cases where there is at least an indirect link with the prosecution of serious offenses or the defense of serious threats to public security", it said.

Data protection expert Kristina Holt of Pinsent Masons, the law firm behind Out-Law.com said: "From a UK perspective this raises the issue once more about the extent to which the recent Intelligence Powers Act 2017 complies with EU law, as it also provides for retention of communications data."

"In addition, in the context of Brexit the UK would become a third country. For the purposes of transferring data, in order to allow the free flow of data to continue the UK would be seeking a decision from the EU that the protection of personal data in the UK would meet 'adequate' standards. There has always been a concern that the UK’s position in relation to such topics as data retention for law enforcement purposes, often framed n the context of counter-terrorism, would put any UK adequacy decision at risk. One scenario that has been raised in that context is that of a German data protection agency challenging any decision by the EU that the UK would be adequate. This scenario tends to support the potential for such a future conflict," Holt said.