Bundesverfassungsgericht

Data retention in its present form is unconstitutional

Press Release No. 11/2010 of 02 March 2010

Order of 2 March 2010
1 BvR 256/08, 1 BvR 586/08, 1 BvR 263/08

The constitutional complaints are directed against §§ 113a and 113b of the Telecommunications Act (Telekommunikationsgesetz – TKG) and against § 100g of the Code of Criminal Procedure (Strafprozessordnung – StPO) to the extent that it permits the authorities to obtain data retained pursuant to § 113a TKG. The provisions were inserted into the respective laws by the Telecommunications Surveillance Revision Act of 21 December 2007.

§ 113a TKG obliges providers of publicly available telecommunications services to retain, for a period of six months and without specific grounds, virtually all traffic data regarding telecommunications (communications via landlines, mobile phones, telefax, transmission of text messages and multi-media messages), email communications and Internet access. This obligation to retain data essentially extends to all data that is necessary to determine who communicated, or attempted to communicate, with whom, for how long and from what location. By contrast, the contents of communication, including information on which websites users have accessed, are not to be retained. After the six-month retention period, the data must be deleted within one month.

§ 113b TKG sets out the purposes for which the retained data may potentially be used. In this respect, the provision only lays out a broad framework: the provision itself does not contain any authorisation to request data access, but only broadly sets out the purposes for which data may generally be used and which must be specified in greater detail in statutory provisions of the Federation and the Länder. § 113b first sentence, first half-sentence TKG lists the purposes for which traffic data may be used directly: prosecuting offences, averting dangers to public security and order and the tasks of the intelligence services. § 113b first sentence, second half-sentence TKG additionally allows the indirect use of traffic data by service providers to provide information pursuant to § 113(1) TKG to the authorities on the subscribers of IP addresses. Where the authorities already know an IP address – either through a complaint filed with the authority in question or through their own investigations – they can request that the providers disclose the subscriber to whom this IP address was assigned. The legislator allows such requests, without further restrictions, for the purposes of prosecuting criminal and administrative offences and for averting dangers to public security; they are not subject to prior judicial authorisation (Richtervorbehalt) or notification requirements.

§ 100g StPO governs the direct use of retained data for law enforcement purposes, specifying § 113b first sentence, first half-sentence no. 1 TKG. Overall, the provision is broader and governs access to telecommunications traffic data in general. It also allows access to traffic data that the providers store for other reasons (e.g. for contractual reasons); originally, allowing access to such data was its sole purpose. The legislator decided not to distinguish between the use of data retained pursuant to § 113a TKG and other traffic data. The legislator allows the use of retained data – without making such use conditional on an exhaustive catalogue of criminal offences – for the purpose of prosecuting considerable criminal offences and, additionally, subject to a proportionality assessment in the individual case, for the purpose of generally prosecuting any criminal offences committed by means of telecommunications. A prior judicial decision is necessary for such use; moreover, the Code of Criminal Procedure recognises the need for notification requirements and ex post legal protection in this regard.

The challenged provisions serve to transpose Directive 2006/24/EC of the European Parliament and of the Council on the retention of data from 2006. This directive imposes an obligation on Member States to ensure that telecommunications service providers retain the data set out in § 113a TKG for periods of no less than six months and no more than two years and to keep them for the prosecution of serious criminal offences. The directive does not contain detailed rules for the use of the data; ensuring data protection is in principle left to the Member States.

On the basis of the preliminary injunctions issued by the First Senate of the Federal Constitutional Court (Press Release No. 37/2008 of 19 March 2008 and No. 92/2008 of 6 November 2008), transferring the data retained pursuant to § 113a TKG to the requesting authority for law enforcement purposes pursuant to § 113b first sentence no. 1 TKG was only permissible subject to the conditions set forth in the preliminary injunction, and transferring the data retained pursuant to § 113a TKG for public security purposes (§ 113b first sentence no. 2 TKG) was only permissible subject to restrictions.

The complainants assert that data retention primarily violates the privacy of telecommunications and the right to informational self-determination. They consider the precautionary retention of telecommunications traffic data without specific grounds to be disproportionate. In particular, they claim that the retained data may make it possible to create personality and movement profiles. One complainant, who offers Internet anonymisation services, asserts that the costs related to data retention amount to a disproportionate impairment of the telecommunications providers’ occupational freedom.

The First Senate of the Federal Constitutional Court held that the provisions on data retention in the Telecommunications Act and in the Code of Criminal Procedure are incompatible with Art. 10(1) of the Basic Law (Grundgesetz – GG). While an obligation to retain data on the scale provided for is not unconstitutional from the outset, its design is not in accordance with the principle of proportionality. The challenged provisions do not ensure sufficient data security, nor do they sufficiently restrict the purposes for which the data may be used. Moreover, they do not fully satisfy the constitutional requirements regarding transparency and legal protection. Thus, the entire statutory framework for data retention is unconstitutional and void.

In essence, the decision is based on the following considerations:

Regarding admissibility:

The constitutional complaints are not inadmissible insofar as the challenged provisions were enacted to transpose Directive 2006/24/EC into German law. The complainants – although they could not pursue this avenue before the ordinary courts given that their complaints only directly challenge the act implementing the directive – hope to achieve a referral by the Federal Constitutional Court to the Court of Justice of the European Union. Their aim is for the Court of Justice to decide in a preliminary ruling pursuant to Art. 267 TFEU (previously Art. 234 EC) that the directive is void, thus paving the way for a review of the challenged provisions against the standard of German fundamental rights. It is not ruled out from the outset that, at least in the present case, the challenged provisions may be reviewed on the basis of the fundamental rights of the Basic Law as sought by the complainants.

Regarding the merits:

1. No request for a preliminary ruling from the Court of Justice of the European Union

There is no reason to request a preliminary ruling from the Court of Justice of the European Union, since the possible precedence of Community law is not relevant in the present proceedings. The validity of Directive 2006/24/EC and the precedence of community law over German fundamental rights that might result from it are not decisive in this case. The directive leaves broad latitude to the Federal Republic of Germany. It is essentially limited to setting out the obligation to retain data and determining its scope; it does not specify how data can be accessed and used by the authorities of the Member States. In view of these contents, the directive can be transposed without violating the fundamental rights of the Basic Law. The Basic Law does not prohibit such retention in all circumstances.

2. Scope of protection of Art. 10(1) GG

The challenged provisions interfere with the privacy of telecommunications (Art. 10(1) GG), including where the retention of Internet login data and the authorisation to provide information pursuant to § 113b first sentence, second half-sentence TKG are concerned. Nothing is changed by the fact that retention is carried out by private service providers, given that the state merely uses these service providers as agents assisting in the exercise of state functions.

3. Possibility of retention of telecommunications traffic data not based on specific grounds

The six-month retention of telecommunications traffic data not based on specific grounds, as required under §§ 113a and 113b TKG, serving qualified uses in the domains of law enforcement, public security and the tasks of the intelligence services, is not per se incompatible with Art. 10 GG. Provided that the statutory framework is designed in a way that sufficiently reflects the particular weight of the resulting interference, the retention of telecommunications traffic data without specific grounds is not necessarily subject to the strict prohibition of gathering and storing data for further retention as set out in the caselaw of the Federal Constitutional Court. Where such data retention is based on a statutory design that adequately reflects the resulting interference, it may satisfy the proportionality requirements.


However, such data retention constitutes a particularly serious interference, with indiscriminate effects that are unprecedented in our legal system. Even though the retention does not extend to the contents of communications, retained data may yield conclusions about the contents of communications, including contents that fall within the intimate sphere. Where long-term monitoring takes place in respect of the participants, date, time and location of phone conversations, detailed conclusions can be drawn by linking data; these conclusions may concern social or political affiliations as well as personal preferences, interests and weaknesses of the affected persons. Depending on telecommunications practices, such data retention may make it possible to create conclusive personality and movement profiles of virtually all citizens. Such retention also increases the risk that citizens become the subject of further investigation even where they themselves did not provide cause for any investigation. In addition, the considerable burden for the persons concerned is aggravated by the potential for abuse arising from such data collection. Given that affected persons are not immediately aware that their data has been retained and used, the retention of telecommunications traffic data without specific grounds is capable of leaving citizens with the diffuse and alarming feeling of being watched, which can, in many areas, impair the exercise of fundamental rights without worry or fear.


These considerations notwithstanding, data retention may be compatible with Art. 10(1) GG subject to certain conditions. Firstly, it is relevant that the envisaged retention of telecommunications traffic data is not directly carried out by the state; rather, an obligation to retain the relevant data is imposed on private service providers. Therefore, the data is not centrally pooled at the time of retention. Instead, it is held separately by many individual companies, and is not immediately made available to the state in its entirety. Nor does the six-month retention of telecommunications traffic data amount to a measure aimed at the total registration of the entire communications or activities of all citizens. Instead, the measure remains limited in scope, is informed by the special significance of telecommunications in the modern world, and reacts to the particular potential for dangers that may arise in this context. Tracing back telecommunications traffic is of considerable importance for effective law enforcement and effective public security measures.


For the precautionary retention of telecommunications traffic data without specific grounds to be unobjectionable under constitutional law, such retention must remain the exception. It is an integral part of the constitutional identity of the Federal Republic of Germany that the state may not record and register the exercise of freedoms by individual persons in its entirety; it is incumbent upon the Federal Republic of Germany to promote adherence to this identity within the European and within international contexts. With the precautionary retention of telecommunications traffic data in place, there is considerably less leeway for allowing other types of data gathering not based on specific grounds, including for measures originating at the EU level.

4. Proportionality of the statutory design (standards)

In light of the particular weight of the precautionary retention of telecommunications traffic data, this practice is only compatible with Art. 10(1) GG if its design satisfies particular constitutional requirements. These include sufficiently stringent and clear statutory provisions regarding data security, limits to data use, transparency and legal protection.

Requirements regarding data security:
In view of the scope and the potential informative value of the data sets compiled by means of retention, data security is of great significance for the proportionality of the challenged provisions. It is necessary to enact a statutory framework that outlines at least the basic features of a particularly high standard of data security in a clear and binding manner. In doing so, the legislator may entrust a regulatory agency with the technical details of the required standard. However, the legislator itself must ensure that the decision as to the type and scope of the necessary data security measures is not ultimately left to the respective telecommunications providers in an unchecked manner.

Requirements regarding direct data use:
Given the weight of data retention, the data may only be used if its use serves to protect exceptionally significant legal interests.


In the domain of law enforcement, this means that requests for data access require at least the suspicion, based on specific facts, of a criminal offence that is serious in the individual case. When imposing the obligation to retain data, the legislator itself must already determine definitively which criminal offences should qualify as serious in this sense.


In the domain of public security, it follows from the principle of proportionality that requests for access to retained telecommunications traffic data may only be authorised if there are sufficient indications of a specific danger (konkrete Gefahr) to life, limb or liberty of the person or to the existence or security of the Federation or a Land, or of a danger to the general public. These requirements also apply to the use of retained data by the intelligence services, since these also have the task of averting dangers. It is evident that, as a result of these requirements, the intelligence services will likely be excluded from using retained telecommunications traffic data in many cases. Yet this follows from the nature of their tasks, which inherently concern precautionary intelligence operations; it does not, however, constitute an acceptable reason under constitutional law for relaxing the requirements deriving from the principle of proportionality for interferences of this type.


Moreover, in certain cases, as a result of the principle of proportionality, it is necessary under constitutional law to recognise an absolute prohibition on granting data access to authorities, at least with respect to a narrowly-defined group of telecommunications that merit special confidentiality protection. These might include, for example, telecommunications with persons, public authorities and organisations involved in social or church work that offer counselling in emotional or social crisis situations, exclusively or predominantly over the phone, to callers who generally remain anonymous, where these organisations or their staff are themselves already bound by confidentiality obligations.

Requirements regarding the transparency of data transfer:
The legislator must counteract the diffuse sense of threat that data retention and use may instil in citizens, who are not aware that their data is retained and used, by providing for an effective transparency regime. This includes the principle of the overtness of the collection and use of personal data. Under constitutional law, the use of personal data without the knowledge of affected persons is only permissible if the purpose of the inquiry for which data access is requested would otherwise be frustrated. The legislator may in principle assume that this is the case where the pursued purpose relates to public security or the tasks of the intelligence services. By contrast, in the domain of law enforcement, it should generally be feasible to collect and use personal data by means of overt measures. Retained data may only be used covertly for law enforcement if it is necessary in the individual case and authorised by a judge. To the extent that the data is used covertly, the legislator must provide for a requirement to at least notify the affected person ex post. In this regard, it must be ensured that the persons whose data was directly targeted must in principle be notified, at least after the measure has been carried out. Exceptions must be subject to judicial authorisation.

Requirements regarding legal protection and sanctions:
Any transfer and use of the retained data in principle requires prior judicial authorisation. Where affected persons did not have the opportunity to challenge the use of their telecommunications traffic data in court before the measure was carried out, they must be allowed the possibility of ex post judicial review.


Moreover, the design of the statutory framework is only proportionate if it sets out effective sanctions for rights violations. If serious violations of the privacy of telecommunications were to ultimately remain without sanction, the protection of the right of personality would be eroded, given that it is non-material in nature; this would run counter to the duty of the state to ensure that individuals can freely develop their personality and to protect individuals against risks to the right of personality originating from third parties. However, in this context the legislator has broad latitude. The legislator may take into account that, as the law currently stands, serious violations of the right of personality may already give rise both to the prohibition, upon a balancing of interests, to use the data thus obtained as well as to liability for non-material damage. The legislator may thus choose to first monitor the currently applicable legislative framework; it can then determine whether, as the law stands, courts already give due consideration to the particular severity of the violations of the right of personality that typically result from unauthorised access to or use of retained data.

Requirements regarding indirect data use to identify IP addresses:
Less stringent constitutional requirements apply if the retained data is merely used indirectly, as in where the authorities are allowed to request information from the service providers on subscribers of certain IP addresses already known to the authorities. It is significant in this respect, firstly, that the authorities do not obtain knowledge of the retained data as such. The authorities do not access this data themselves, but merely obtain personal information on the subscriber of a specific subscriber line, as determined by service providers by using retained data. Such information alone does not allow for systematic investigations over a longer time period nor the creation of personality or movement profiles. It is also significant that the data used for providing information on IP addresses is only a small predetermined subset of data, the storage of which gives rise to an interference of less weight and could therefore be ordered subject to considerably less strict requirements.


However, allowing authorities to request the identification of IP addresses must also be accorded significant weight. In this respect, the legislator does influence the conditions of Internet communication and restricts anonymity. The combination of access to such information and the systematic storage of Internet login data in relation to previously identified IP addresses makes it possible to determine the identity of Internet users to a considerable extent.


Within the scope of the latitude afforded it, the legislator may allow the authorities to request information on IP addresses for the purposes of law enforcement, public security and the tasks of the intelligence services, where the authorities exercise general investigatory powers conferred by other legislation authorising interferences; it is not necessary for such information requests to be subject to narrowly-defined catalogues of criminal offences or protected legal interests. However, the applicable statutory thresholds for exercising these powers must exclude purely speculative requests for information; it must be ensured that information requests be based on a sufficient initial suspicion of criminal conduct (Anfangsverdacht) or on sufficient facts indicating a specific danger in the individual case. It is not necessary to make such requests for information subject to prior judicial authorisation, but affected persons must be notified that such information on them has been accessed. It is not permissible to allow such information requests in general and without any restriction, including for the purpose of prosecuting or preventing any type of administrative offence. Lifting Internet anonymity is only permissible where a protected legal interest is impaired and the legal order attaches increased weight to that interest, not just in relation to the measure at issue but also in other contexts. This does not completely rule out that information may be requested for the purposes of prosecuting or preventing administrative offences. Yet the relevant offences must not only be expressly specified by the legislator, they must also be of particular weight – including in the individual case.

Competence for the statutory framework:
The constitutionally required guarantees of data security and of clearly defined purpose limitations on data use that satisfy proportionality requirements are inseparable elements of any statutory framework imposing obligations to retain data; it is therefore incumbent upon the federal legislator according to Art. 73(1) no. 7 GG to enact such guarantees. In addition to rules ensuring the security of stored data, this also concerns rules ensuring the security of data transfers, including the protection of relationships of trust. It is also incumbent upon the federal legislator to limit, with sufficient precision and in accordance with the constitutional requirements, the purposes for which the retained data may be used. By contrast, the legislative competence for provisions governing requests for data access by the authorities, and for specifying the applicable transparency and legal protection regime, lies with the legislator competent to legislate on the respective underlying subject matter. Thus, in the domains of public security and the tasks of the intelligence services, this competence lies for the most part with the Länder.

5. Application of the above standards to the challenged provisions

The challenged provisions do not satisfy the aforementioned requirements. § 113a TKG is not unconstitutional because the scope of the data retention obligations was disproportionate from the outset. Rather, the rules on data security, on the purposes and transparency of data use, and on legal protection do not meet the constitutional requirements. In consequence, the design of the statutory framework as a whole fails to adhere to the principle of proportionality. §§ 113a and 113b TKG, and § 100g StPO, to the extent that it authorises requests for access to data retained pursuant to § 113a TKG, are therefore incompatible with Art. 10(1) GG.

Data security:
The required particularly high standards of data security have not been put in place. The statutory framework essentially only refers to the general duty of care applicable in the telecommunications sector (§ 113a(10) TKG) and allows for a curtailing of security requirements – without specifying further details – in individual cases for general commercial considerations (§ 109(2) fourth sentence TKG). Further determination of the measures is left to the telecommunications service providers, which, in offering their services, also face competition and cost pressure. The legislation in question neither provides for enforceable mechanisms, as recommended by the experts in the present proceedings, to ensure data security in relation to the companies obliged to retain data (such as separate storage, asymmetric encryption, the four-eyes principle in connection with advanced procedures for the authentication of access to the keys, and tamper-proof documentation of access and deletion), nor can a comparable level of security be guaranteed otherwise. The framework also lacks a balanced sanctions regime that accords at least as much weight to non-compliance with data security standards as to non-compliance with the obligation to retain data.

Direct use of retained data for law enforcement purposes:
The provisions on the use of retained data for law enforcement purposes are also incompatible with the constitutional standards derived from the principle of proportionality. § 100g(1) first sentence no. 1 StPO fails to ensure, both in general and in the individual case, that only serious criminal offences constitute sufficient grounds for obtaining the relevant data; it merely states – without providing an exhaustive catalogue of relevant offences – that generally any considerable criminal act provides sufficient grounds. § 100g(1) first sentence no. 2, second sentence StPO is even less in line with constitutional law: it recognises any criminal act committed by means of telecommunications, regardless of its seriousness and subject only to a general assessment of proportionality, as possible grounds for requesting data access. Under this provision, data retained pursuant to § 113a TKG could be used in relation to virtually any criminal act. Given the increasing importance of telecommunications in everyday life, the use of retained data would then no longer remain the exception. The legislator thus no longer limits the use of retained data to the prosecution of serious criminal offences but greatly extends its scope beyond these grounds, thus also exceeding EU law’s data retention objective.


Furthermore, § 100g StPO fails to satisfy the constitutional requirements in that it does not limit requests for data access without the knowledge of the affected person to individual cases confirmed by a judge, but permits such requests in general (§ 100g(1) first sentence StPO).


In contrast, the challenged provisions essentially ensure possibilities of judicial review regarding requests for data access and data use and set out notification requirements in line with the constitutional requirements. In accordance with § 100g(2) first sentence and § 100b(1) first sentence StPO, obtaining the data retained pursuant to § 113a TKG requires a warrant issued by a judge. Furthermore, § 101 StPO provides for differentiated notification requirements and the possibility of seeking an ex post review with regard to the lawfulness of the measure. There is no evidence that these provisions, when taken together, do not ensure effective legal protection. However, it is objectionable under constitutional law that no judicial authorisation is required in cases where the authorities refrain from notification pursuant to § 101(4) StPO.

Direct use of retained data for public security purposes and the tasks of the intelligence services:
From the outset, the basic concept of § 113b first sentence nos. 2 and 3 TKG does not satisfy the requirements for sufficient purpose limitations on data use. In this provision, the federal legislator merely outlines, in generalised terms, the areas of state action in respect of which data access may be requested subject to subsequent legislation, including in particular legislation by the Länder. This is not in keeping with the federal legislator’s responsibility under constitutional law to limit the purposes for which data may be used. Rather, by obliging service providers to retain all telecommunications traffic data while allowing the police and intelligence services to use this data in the context of almost all of their tasks, the legislator creates a data pool that is open to varied and unlimited uses. As the data pool is not subject to limitations other than vaguely defined objectives, the federal and Land legislators could independently and freely grant access to this data. The establishment of such an open data pool without specific purpose limitations breaks the required link between the storage of data and the purpose for which the data is stored; this is incompatible with the Constitution.


The design of the provisions governing the use of data retained pursuant to § 113a TKG is also disproportionate in that it provides absolutely no protection against the transfer of retained data relating to relationships of trust. In principle, such protection must be provided at least for a narrowly-defined group of telecommunications connections that merit special confidentiality protection.

Indirect use of retained data by the service providers to provide information to the authorities:
§ 113b(1) first sentence, second half-sentence TKG does not fully satisfy constitutional requirements. It is not objectionable that this provision does not make the providing of information contingent upon a statutory catalogue of criminal offences or protected legal interests. However, it is not compatible with the Constitution that such information may also be provided, without further restrictions, for the prosecution of administrative offences. Moreover, the provision fails to set out notification requirements following the providing of information.

6. Compatibility with Art. 12 GG

By contrast, within the scope of the present proceedings, the challenged provisions are not objectionable under constitutional law with regard to [occupational freedom under] Art. 12(1) GG. A retention obligation for service providers typically does not impose excessive burdens on these providers. In particular, the retention obligation is not disproportionate with regard to the financial burdens that a retention obligation pursuant to § 113a TKG and the resulting subsequent obligations, such as the obligation to ensure data security, places on the affected companies. Within its latitude, which is broad in this context, the legislator is not limited to only imposing obligations on private actors if their professional activities can directly result in dangers or if they can directly be blamed for such dangers. Rather, in this respect, a sufficient proximity between professional activities and the obligation, in terms of their subject matter and responsibilities, suffices. Therefore, there are no general objections to the financial burdens arising for companies obliged to retain data. The legislator shifts the costs associated with data retention to the market, which is in line with the overall privatisation of the telecommunications sector. Just as the telecommunications service providers can use the new opportunities created by telecommunications technology to generate profits, they must also bear the costs for containing the novel security risks arising from telecommunications and reflect them in their pricing.

7. Declaration of voidness

The violation of the fundamental right to the protection of the privacy of telecommunications under Art. 10(1) GG renders void §§ 113a and 113b TKG, as well as § 100g(1) first sentence StPO, to the extent that these provisions allow the authorities to obtain traffic data retained pursuant to § 113a of the Telecommunications Act. The challenged provisions, found to violate fundamental rights, must therefore be declared void (cf. § 95(1) first sentence and § 95(3) first sentence of the Federal Constitutional Court Act, Bundesverfassungsgerichtsgesetz – BVerfGG).


The decision is unanimous with regard to the questions of European law, the formal constitutionality of the challenged provisions, and the question whether the precautionary retention of telecommunications traffic data can as such be compatible with the Constitution. With regard to the finding that §§ 113a and 113b TKG are unconstitutional, the decision was taken with 7:1 votes, and with regard to other questions of substantive constitutional law, as indicated in the dissenting opinions, it was taken with 6:2 votes.


The Court decided with 4:4 votes that the provisions must be declared void pursuant to § 95(3) first sentence BVerfGG, and not merely incompatible with the Basic Law. Thus, the general rule, as laid down in the law, on the legal consequences attached to a declaration of voidness prevails, namely that the provisions may not continue to apply, not even on a transitional basis or with a limited scope.

Dissenting opinion of Justice Schluckebier

1. The retention of traffic data by service providers for a period of six months does not amount to an interference with the fundamental right under Art. 10(1) GG that must be classified as “particularly serious” and must thus be considered as equivalent to state measures directly targeting the contents of communications. The traffic data remains exclusively in the sphere controlled by the private service providers, where it is collected for technical and contractual reasons; in this type of contractual relationship, the party using the telecommunications services trusts that their contractual provider will treat such data with strict confidentiality and ensure data protection in this regard. If an appropriate level of data security is guaranteed based on what is technologically feasible, there is no objective basis for assuming that such data retention might have a chilling effect on citizens. Data retention does not extend to the contents of telecommunications. Therefore, when weighing the interference, one must still make a noticeable distinction between this type of interference and the particularly serious interferences that arise in connection with the acoustic surveillance of private homes, the content-related surveillance of telecommunications or remote searches of information technology systems; those cases – in contrast to the measures at hand – present a particularly high risk that the absolutely protected core of private life could be affected. Thus, it is not the retention of traffic data by the service providers that is particularly intrusive, but merely the access and use of traffic data by state authorities in the individual case pursuant to existing statutory bases; such access and use, as well as the judicial warrant authorising requests for traffic data, are themselves subject to the strict requirements of proportionality.

2. In principle, the challenged provisions are not inappropriate; the burdens they impose on affected persons are reasonable (zumutbar) and the provisions are proportionate in the strict sense. The legislator kept within the leeway afforded by the Constitution with regard to designing the obligation to retain telecommunications traffic data for a period of six months, the statutory provisions specifying the purposes for which retained data may be used and the provisions permitting authorities to obtain such data in criminal proceedings. The state’s duty to protect its citizens requires the state to take suitable measures to prevent violations of legal interests, to investigate when violations occur and to attribute liability for a violation of legal interests. In this sense, ensuring the protection of citizens and their fundamental rights and of the foundations of society, and the prevention and investigation of considerable criminal offences, are also prerequisites for peaceful coexistence and the carefree enjoyment of fundamental rights by citizens. Measures for effectively investigating criminal offences, and effectively averting dangers to public security, are therefore not per se a threat to the freedom of citizens.

With regard to the tension between the state’s duty to guarantee the protection of legal interests and the interest of the individual in upholding their constitutionally guaranteed rights, it is primarily incumbent on the legislator to achieve an abstract balance between the conflicting interests. The legislator is afforded a margin of appreciation and leeway in this regard. The legislative aim was to reflect the imperative need for an effective criminal justice system based on the rule of law in light of the profound changes regarding the possibilities of communication and communication behaviour in recent years. To achieve this aim, it must be possible for the authorities to obtain the facts necessary for investigations. In this regard, the legislator assumed that telecommunications traffic data is either not stored at all, or deleted before a judicial warrant authorising requests for data access can be obtained or even before the information necessary for seeking such a warrant has been ascertained; this is in part attributed to technical advances resulting in the proliferation of flat-rate contracts. When assessing the suitability and necessity of traffic data retention, the Senate majority does take into account the fact that the increased use of electronic or digital means of communication and their growing effect on virtually all areas of life creates new obstacles in certain areas of law enforcement and public security. However, it does not accord sufficient weight to this fact in the context of its assessment of proportionality in the strict sense with regard to appropriateness and reasonableness.

The Senate majority’s decision effectively amounts to an almost complete reduction of the margin of appreciation and leeway afforded the legislator for enacting appropriate and reasonable statutory provisions in the domains of law enforcement and public security that serve to protect the population. In deciding this way, the Senate majority also fails to sufficiently take into account the requirement of judicial self-restraint incumbent upon Constitutional Court Justices in relation to conceptual decisions taken by the democratically legitimated legislator. According to the judgment, a retention period of six months – the minimum period required by the EC Directive – is the maximum that can be justified under constitutional law. The judgment provides that the legislator must ensure that the provisions specifying the purposes for which retained data may be used also set out what requirements must be met for accessing the data; it limits the legislator to providing for a catalogue of criminal offences, rules out the possibility of using traffic data to investigate crimes committed by means of telecommunications that are difficult to investigate and provides specific instructions for extending notification requirements. Thus, it does not afford the legislator as the politically responsible body any margin of manoeuvre for finding a solution.

In particular, the Senate majority denies the legislator the possibility of allowing requests for access to traffic data in investigations of criminal offences that are not listed in the current catalogue laid down in § 100a(2) StPO but that, based on the circumstances of the individual case, constitute considerable criminal acts, and of criminal acts committed by means of telecommunications (§ 100g(1) first sentence nos. 1 and 2 StPO). With regard to the latter offences, the Senate majority fails to sufficiently take into account the legislator’s assumption that these offences would otherwise be difficult to investigate. Since it is incumbent upon the legislator to guarantee effective law enforcement and to ensure that there are no substantial gaps in protection, the legislator must not be barred from granting the authorities access to traffic data also in cases where criminal acts that, while not necessarily constituting particularly serious offences, still violate legal interests of particular weight, if the legislator considers this the only way to prevent the creation of de facto legal vacuums where criminal investigations would largely be pointless. In addition, the legislator based its design of the powers to access traffic data under criminal procedural law on criteria approved by the Court in its judgment of 12 March 2003 (BVerfGE 107, 299 <322>) concerning the sharing of telecommunications traffic data.

3. As regards the legal consequences of the Court’s decision, it would have made sense – also based on the constitutional assessment of the Senate majority and established case-law of the Federal Constitutional Court – to set a time limit for the legislator to enact new provisions and to order that the existing provisions remain applicable for a transitional period in accordance with the preliminary injunctions issued by the Court so as to prevent long-term shortcomings in particular with regard to the investigation of crime, but also with regard to public security.

Dissenting opinion of Justice Eichberger

The dissenting opinion essentially concurs with the criticism expressed by Justice Schluckebier with regard to the Senate majority’s assessment of the weight of the interference with Art. 10(1) GG resulting from the retention of telecommunications traffic data. The legislative design of §§ 113a and 113b TKG, which divides up the legislative responsibility for imposing obligations to retain data on the one hand and for authorising requests for data access on the other, is, in principle, compatible with the Constitution. This applies in particular to the use of the data retained pursuant to § 113a TKG for law enforcement purposes, which is governed by § 100g StPO. The legislator does not have to assess the proportionality of provisions governing requests for access exclusively on the basis of the greatest possible interference that might occur, namely that the data will be accessed with the ultimate aim of creating movement profiles of the affected citizens or of profiling their social relations; rather, the legislator may take into account that many requests for data access carry much less weight and it is for the competent judge to decide whether they are reasonable in the individual case.