Bundesverfassungsgericht

Unsuccessful constitutional complaint against the obligation to share IP address data with law enforcement agencies

Press Release No. 7/2019 of 29 January 2019

Order of 20 December 2018
2 BvR 2377/16

In the context of telecommunications surveillance authorised in accordance with the applicable law, obliging email service providers to share with law enforcement agencies the Internet Protocol addresses (hereinafter: IP addresses) of subscribers accessing their accounts does not violate the Basic Law (Grundgesetz – GG), even where, due to data protection concerns, the relevant service provider operates its system in such a manner that it does not log IP addresses. This is what the Third Chamber of the Second Senate of the Federal Constitutional Court decided in an order published today, not admitting for decision a constitutional complaint lodged by an email service provider. In its reasoning, the Court submitted that not least in consideration of Art. 12(1) GG, the endeavour to devise a business model that ensures the highest data protection standards was, in principle, an interest meriting protection; this does not, however, exempt service providers from compliance with statutory obligations that give effect to the constitutional requirement of ensuring a functioning criminal justice system.

Facts of the case:

The complainant operates an email service that is committed to the principles of data security and data minimisation and promises a particularly effective protection of subscriber data. It collects and stores data only where it is necessary for technical reasons or – in the complainant’s view – legally required. The Stuttgart Public Prosecution Office investigated [a subscriber of this email service who was] suspected of violations of the Narcotics Act and the Military Weapons Act. At the request of the Prosecution Office, the Local Court (Amtsgericht) issued a warrant on 25 July 2016 and pursuant to §§ 100a, 100b of the Code of Criminal Procedure (Strafprozessordnung – StPO), in the version applicable at that time, for the securing, mirroring and sharing of all data relating to the suspected person’s email account that was electronically stored on its server as well as “all future data relating to this account”. The police notified the complainant about the surveillance measure, specifying the targeted account. Following this, the complainant implemented the telecommunications surveillance while submitting that its system did not “log” traffic data of subscribers so that such data, including IP addresses, was not available and could thus not be shared. The complainant provided an explanation on how its system operates, contesting the Public Prosecution Office’s assumption that the service provider had IP address data at its disposal. The complainant submitted that for security reasons, its internal network was strictly separated from the Internet by means of a so-called NAT (Network Address Translation) technique that automatically replaces the address information in data packets. Thus, the IP addresses of subscribers were already discarded at the external border of the network system and therefore not accessible to the complainant.

By order of 9 August 2016, the Local Court imposed a fine of EUR 500, or, in case of non-payment, seven days of detention, on the complainant. The court held that, based on the order of 25 July 2016, the complainant was obliged to collect all future traffic data, especially IP addresses. On 1 September 2016, the complaint challenging the order of coercive measures was rejected as unfounded by the Regional Court (Landgericht). In November 2016, the police notified the complainant that the surveillance of the email account could be terminated. The fine was eventually paid.

Key considerations of the Chamber:

To the extent that the constitutional complaint is directed against the Regional Court’s decision in the complaint proceedings, it is in any case unfounded. It is true that the order imposing a fine interferes with the complainant’s right to freely practise one’s occupation or profession as protected under Art. 12(1) second sentence GG. However, the reasoning of the Regional Court according to which the interference with the scope of protection of Art. 12(1) second sentence GG was justified in consideration of the applicable statutory framework is not objectionable under constitutional law.

Under Art. 12(1) second sentence GG, interferences with freedom of occupation require a statutory basis from which the scope and limits of the interference can be discerned. In this respect, the legislature must take all essential decisions itself to the extent that this is possible by means of legislation. The greater the interference with interests protected by fundamental rights, the clearer the legislature must set out its intent in the law. Based on these standards, a violation of fundamental rights is not ascertainable in the present case. The regular courts have applied the statutory framework governing the participation and data retention obligation of telecommunications service providers in a manner that is tenable under constitutional law. In finding that as from the date of the warrant, the complainant was obliged to ensure, in the operation of its service, that all external IP addresses in contact with the targeted account could be made available to the law enforcement authorities, the regular courts did not violate the constitutional guarantees. In this regard, the surveillance of telecommunications within the meaning of § 100a StPO covers not only the actual communication contents but also extends to the specific circumstances of telecommunications, including the respective IP addresses.

1. The statutory framework set out in § 100a StPO – which complies with constitutional standards – authorises the surveillance and recording of telecommunications. Based on a broad understanding of the term “telecommunications”, the interception of email communications is certainly covered by the scope of application of § 100a StPO, at least as far as the transmission of messages from a sending device via the sender’s server to the receiving server of the email provider and, subsequently, the accessing of the messages by the recipient is concerned.

The privacy of telecommunications under Art. 10(1) GG protects not only the actual contents but also the specific circumstances of telecommunications. In light of this, the surveillance of telecommunications pursuant to § 100a StPO also encompasses traffic data within the meaning of § 3 no. 3 of the Telecommunications Act (Telekommunikationsgesetz – TKG) to the extent such data is generated in the context of telecommunications that is subject to surveillance. In this regard, traffic data specifically includes all generated IP addresses. Accordingly, this data is listed in § 96(1) first sentence TKG as numerical information of the participating subscriber lines or devices. Thus, the scope of application of § 100a StPO in principle extends to dynamic and static IP addresses assigned to subscribers of email services when they access their email accounts from Internet-enabled devices.

Yet the finding that the surveillance of email communications authorised pursuant to § 100a StPO also covers the respective IP addresses does not necessarily mean that the complainant, in its capacity as operator of telecommunications facilities, was obliged to put in place measures for ensuring that specifically these IP addresses can be made available to law enforcement authorities. In this respect, § 100b(3) second sentence StPO (former version) refers to the provisions set out in the Telecommunications Act and the Telecommunications Surveillance Ordinance (Telekommunikationsüberwachungsverordnung – TKÜV).

According to § 110(1) first sentence no. 1 TKG, operators of publicly available telecommunications services have an obligation, from the time they commence operations and at their own expense, to provide the technical infrastructure necessary for carrying out telecommunications surveillance and to take the organisational measures necessary in this regard to ensure that surveillance can be implemented without undue delay. The Telecommunications Surveillance Ordinance, enacted based on the authorising statutory provision in § 110(2) TKG, sets out the basic technical requirements and the organisational features for implementing surveillance measures. According to this statutory framework, the complainant was obliged to take certain precautionary measures; in the present case, it has neither been contended, nor is it evident, that the exemptions laid down in § 3(2) TKÜV for certain types of telecommunications facilities were applicable. 

The scope of the data that must be made available is determined by § 5(1) and (2) in conjunction with § 7(1) TKÜV. According to § 5(1) TKÜV, telecommunications that can be subject to surveillance encompass – based on the broad understanding of the term telecommunications in § 100a StPO – both the contents and information on the specific circumstances of telecommunications. According to section (2) of this provision, operators are required to make available a complete copy of telecommunications conducted via their telecommunications facilities. According to § 7(1) first sentence nos. 2, 3 and 4 TKÜV, the operator must also make available, as part of this surveillance copy, all data it has at its disposal regarding any dialled telephone numbers or any other address information. Based on the wording used in the Telecommunications Act, it can readily be assumed that IP addresses generated in the course of telecommunications are covered by the term “other address information” given that this data serves address purposes, i.e. ensuring that specific Internet targets can be reached and found. Therefore, IP addresses are undoubtedly covered by the statutory definition in § 3 no. 13 TKG according to which numerical information, for the purposes of the Telecommunications Act, includes all character sequences that serve address functions in telecommunications networks.

Moreover, it is at least tenable under constitutional law to assume that the complainant has the data in question at its disposal within the meaning of § 7(1) TKÜV and that the complainant is required to make this data available as part of the complete copy of any telecommunications under surveillance that is conducted via its telecommunications facilities. It follows already from the system infrastructure as described by the complainant that the complainant necessarily stores the public IP addresses of subscribers at least for the duration of the communications in question; otherwise, the complainant would not be able to transmit the received data packets to the relevant subscribers. In any case, it follows that this data is generated when the targeted email account is accessed; that the data is at least temporarily registered by the complainant’s telecommunications facilities; and that it is also used to successfully establish communication with the subscriber accessing their account.

In contrast to the collection of traffic data pursuant to § 100g StPO, the surveillance of – future – telecommunications pursuant to § 100a StPO is not limited to such traffic data that may legally be collected by service providers in accordance with § 96(1) TKG.

The fact that the complainant cannot – presently – access external IP addresses does not merit a different conclusion. This is because the complainant’s inability in this regard does not result from a lack of available data but solely from the complainant’s decision to hide this data from its internal system and to refrain from recording it due to data protection concerns. Thus, the situation at hand was created solely by the business and system model that was deliberately chosen by the complainant. In principle, the complainant’s endeavour to provide a business model that ensures the highest data protection standards, which makes the service attractive to subscribers, constitutes an interest meriting protection, not least in consideration of Art. 12(1) GG. This does not, however, exempt the complainant from obligations derived, by way of tenable interpretation, from the Telecommunications Act and the Telecommunications Surveillance Ordinance, which give effect to the constitutional requirement of ensuring a functioning criminal justice system.

This is not altered by the fact that according to the new provision of § 7(1) first sentence no. 9 TKÜV, introduced into the revised Telecommunications Surveillance Ordinance issued on 11 July 2017, the data to be made available now expressly includes any public IP addresses of participating subscribers that are registered by telecommunications facilities operated by service providers. The revised ordinance does not necessarily signify, for the purposes of constitutional review, that the IP addresses in question were previously excluded from the types of data to be made available. Rather, it is evident that the newly introduced § 7(1) first sentence no. 9 TKÜV was meant to clarify the applicable law.

2. Contrary to the view submitted by the complainant, § 100g(1) StPO does not supersede § 100a StPO as far as (real time) surveillance of future telecommunications is concerned.

3. There are also no objections to the imposition of a fine in the amount of EUR 500.