Bundesverfassungsgericht

Legal provisions on providing and obtaining information on subscriber data are unconstitutional

Press Release No. 61/2020 of 17 July 2020

Order of 27 May 2020 - 1 BvR 1873/13, 1 BvR 2618/13 (Subscriber data II)

In an order published today, the First Senate of the Federal Constitutional Court declared unconstitutional § 113 of the Telecommunications Act (Telekommunikationsgesetz – TKG) and several ordinary federal laws, which govern the manual procedure for obtaining subscriber data. They violate the complainants’ right to informational self-determination and their right to the privacy of telecommunications (Art. 10(1) of the Basic Law, Grundgesetz – GG). The complainants are subscribers of telecommunications and Internet services. The manual procedure for obtaining subscriber data enables security authorities to obtain information from telecommunications enterprises, in particular, information on subscribers of telecommunications services or an IP address assigned at a certain time. The information that is provided includes personal customer data that is stored in relation to the conclusion or performance of a contract (so-called subscriber data). Data that relates to the use of telecommunications services (so-called traffic data) or to the actual contents of telecommunications is not provided.

In principle, providing information on subscriber data is permissible under constitutional law. Yet, similar to the image of a double door, the legislator must create a proportionate legal basis for both the transfer of subscriber data by telecommunications providers and the access to such data by the authorities. Provisions governing the transfer of and access to data must sufficiently limit the purposes for which the data may be used, particularly by establishing thresholds for the use of powers as part of the constituent elements of the provisions and by tying them to the protection of sufficiently weighty legal interests. The First Senate clarified that, despite the moderate weight of interference, using the general powers to transfer and access subscriber data in principle requires the existence of a specific danger (konkrete Gefahr) in the individual case in the context of maintaining public security and the activities of intelligence services, and an initial suspicion of criminal conduct (Anfangsverdacht) in the context of law enforcement. Where dynamic IP addresses are matched to individual subscribers, this must additionally serve to protect or defend legal interests of at least considerable weight given the greater weight of interference. Where, for the purposes of maintaining public security or activities of intelligence services, the thresholds for the use of powers require less than a specific danger, this must be compensated for by stricter requirements for the weight of the legal interests to be protected. For the most part, the challenged provisions did not satisfy these requirements. Moreover, the First Senate again held that information on login data may be provided only if the statutory requirements for its use are met.

Facts of the case:

§ 113 TKG permits the transfer of subscriber data by telecommunications providers through a manual procedure for providing and obtaining such data. The other challenged provisions govern access to such data by various federal security authorities, including the Federal Criminal Police Office (Bundeskriminalamt), the Federal Police (Bundespolizei) and the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz). All of the challenged provisions were aimed at implementing the Federal Constitutional Court’s decision of 24 January 2012 (Subscriber data I), in which the Court had declared § 113 TKG, as it stood then, to be in part unconstitutional, finding that the statutory framework lacked provisions on data access in the laws governing the respective authorities.

Telecommunications providers must provide information pursuant to § 113 TKG at the request of one of the security authorities listed in that provision. Pursuant to § 113(1) first sentence TKG, the information that must be provided includes subscriber data that providers must store such as the subscriber’s name, date of birth and phone number as well as customer data which, pursuant to § 95 TKG, is stored voluntarily by the telecommunications providers for operational purposes. This typically includes the subscriber’s address, the type of the contractual service used and other data such as their bank details.

Pursuant to § 113(1) second sentence TKG, information must also be provided on login data like personal identification numbers (PIN) assigned by the telecommunications provider. However, passwords that users have created themselves are usually only stored in an encrypted format by the providers. Thus, they cannot provide information thereon.

Pursuant to § 113(1) third sentence TKG, subscriber data may also be determined on the basis of an IP address that has been assigned at a specific time (dynamic IP address). The information provided is the identity of the specific subscriber matching the IP address, which is also part of the subscriber data. Such matching is only possible where telecommunications providers analyse previously retained traffic data in order to identify the subscriber to whom the IP address in question was assigned at the time specified in the request.

Pursuant to § 113(2) first sentence TKG, information may be provided only if one of the authorities listed in § 113(3) TKG requests such information for the purpose of the investigation and prosecution of criminal or administrative offences, of averting dangers to public security and order, or of performing the statutory tasks of the intelligence services. In its request, the authority must state the provision that authorises data access.

According to the federal provisions on data access challenged in the constitutional complaints, security authorities may obtain subscriber data from telecommunications providers. In essence, the provisions require only that the authorities need the information for the performance of their tasks. In respect of login data, the provisions require that the statutory requirements for the use of such data are met. The provisions also permit access to subscriber data that is determined on the basis of a dynamic IP address. The Federal Criminal Police Office, the Federal Police, the Customs Criminal Investigations Office (Zollkriminalamt) and the federal intelligence services are authorised to make such requests.

Key considerations of the Senate:

I. In substantive terms, the challenged powers to transfer data under § 113 TKG do not satisfy the constitutional requirements that follow from the general right of personality deriving from Art. 2(1) in conjunction with Art. 1(1) GG and the privacy of telecommunications guaranteed by Art. 10(1) GG. It is true that these powers serve legitimate purposes – increasing the effectiveness of investigating and prosecuting offences, of maintaining public security, and of performing the tasks of the intelligence services. However, the provisions on the transfer of data are only compatible with the requirements of proportionality in its strict sense if they limit the purposes for which these powers may be used with sufficient legal clarity.

1. The powers laid down in § 113(1) first sentence TKG to provide general subscriber data do not satisfy these requirements.

a) § 113(1) first sentence TKG permits the providing of general subscriber data; this amounts to an interference with the right to informational self-determination. Even though the weight of interference is relatively low, the challenged powers to transfer data are disproportionate because of their scope. Purely speculative requests for data are impermissible, even if the informative value and possibilities of use of such data are very limited. Thus, thresholds that limit the use of these powers are required; these thresholds must ensure that information can only be obtained if factual indications provide specific grounds for the use of these powers. It is impermissible to provide information without specific grounds, solely to facilitate the performance of the authority’s tasks in general. The provisions on data transfer themselves must already set out thresholds for the use of these powers – this is the first door in the double door image. In the context of maintaining public security and the activities of intelligence services, the existence of a specific danger in the individual case is required. In the context of law enforcement, an initial suspicion of criminal conduct is required.

However, constitutional law does not per se prevent the legislator from recognising grounds for interferences that differ from the traditional concepts of security law focussed on averting specific, immediate or present dangers (konkrete, unmittelbar bevorstehende oder gegenwärtige Gefahren). Rather, under special circumstances, the legislator may subject state action to less stringent limits by lowering the standard of foreseeability regarding the causal chain. The statutory basis authorising interferences must typically require at least the existence of a sufficiently identifiable danger (hinreichend konkretisierte Gefahr). In accordance with the principle of proportionality, such lowering of the thresholds for the use of powers necessarily entails stricter requirements for the protection of specific legal interests; in this respect, the weight of interference resulting from the respective measure must always be taken into account. Thus, less serious interferences, such as those resulting from obtaining general subscriber data, may already be justified if an identifiable danger exists, provided that they serve to protect legal interests of at least considerable weight.

In principle, these constitutional requirements apply to any authorisation to use powers preventively. Thus, they also apply to the use of data by intelligence services. In this context, it may already be sufficient that the information is needed in the individual case for investigating a certain action or group that warrants surveillance by intelligence services, since this requires that it is at least possible to determine the type of incident that might occur and that it will occur within a foreseeable timeframe.

By contrast, in relation to law enforcement, thresholds for the use of powers that de facto require less than an initial suspicion of criminal conduct are insufficient where the use of such powers affects fundamental rights.

b) § 113(1) first sentence TKG does not satisfy these constitutional requirements. The provision on data transfer allows for very broad use of the manual procedure for providing information by generally permitting requests for information for the purpose of maintaining public security, for investigating and prosecuting criminal or administrative offences and for performing the tasks of the intelligence services, and without establishing a threshold that limits their scope. Rather, the provision already authorises the providing of information in the individual case where this information merely serves to perform these tasks in general.

2. § 113(1) second sentence TKG, which authorises the transfer of login data, is incompatible with Art. 2(1) in conjunction with Art. 1(1) GG. § 113(1) second sentence TKG permits the providing of data that allows access to user devices or external storage media (login data). The provision authorises the providing of such data regardless of the prerequisites for their use; in this respect, its content corresponds to that of the version that was declared unconstitutional by the Federal Constitutional Court in the proceedings “Subscriber data I”. While the legislator is not barred from enacting an equivalent provision again, this requires special reasons, which may primarily result from significant changes in the relevant circumstances. Such reasons are not discernible in this case.

3. The newly created powers in § 113(1) third sentence TKG to transfer certain subscriber data that is determined on the basis of a dynamic IP address do not satisfy the requirements of proportionality and therefore violate Art. 10(1) GG.

a) Compared to the providing of general subscriber data, § 113(1) third sentence TKG results in interferences of greater weight. It affects an individual’s personality to a significantly greater extent given the informative value of a matched dynamic IP address that allows for tracing back the Internet use of an individual at a specific time and given that the telecommunications providers use traffic data to match IP addresses. Furthermore, the provision results in an interference with the privacy of telecommunications under Art. 10(1) GG. The greater weight of interference must be reflected by restricting the authorisation to the protection or defence of legal interests that are of at least increased weight. It is therefore impermissible to use the matching of dynamic IP addresses to investigate minor administrative offences. Where an identifiable danger is to be sufficient as a threshold for the use of powers, the obtaining of information must be limited to the protection of particularly weighty legal interests. This includes the prevention of criminal offences that are at least serious.

b) § 113(1) third sentence TKG does not satisfy these requirements. It permits matching dynamic IP addresses under the same conditions as obtaining general subscriber data. Thus, it is neither tied to thresholds that further limit the scope of such matching nor does it contain requirements as to the weight of the legal interests to be protected. Therefore, the provision is disproportionate.

II. For the most part, the provisions on data access laid down in the Federal Criminal Police Office Act (Bundeskriminalamtgesetz), the Federal Police Act (Bundespolizeigesetz), the Customs Investigation Service Act (Zollfahndungsdienstgesetz), the Federal Protection of the Constitution Act (Bundesverfassungsschutzgesetz), the Federal Intelligence Service Act (BND-Gesetz) as well as the Military Counter-Intelligence Service Act (MAD-Gesetz) that correspond to § 113 TKG and are the second door in the double door image do not satisfy the constitutional requirements either.

1. Given that the transfer of and access to personal data each constitute a separate interference with fundamental rights, the individual provisions on data access must have a separate statutory basis and must satisfy the requirements of proportionality, of legal clarity and of specificity.

2. a) The provisions on data access each create a sufficiently specific and clear legal basis. However, given their weight of interference, they are for the most part not proportionate. Almost none of the provisions that authorise the obtaining of general subscriber data require thresholds limiting data access or provide for such restrictions through clear references to other provisions. Instead, like the provision on data transfer, they permit the obtaining of subscriber data for the performance of the tasks of the authorities in general. Only parts of the provisions laid down in the Federal Police Act and the Federal Criminal Police Office Act are an exception to this.

b) The challenged powers to access login data are, in themselves, sufficiently limited and proportionate. The provisions ensure that login data cannot be accessed without having regard to the requirements for its use and thus potentially subject to less strict conditions.

c) Provisions on data access that authorise access to subscriber data determined on the basis of dynamic IP addresses must impose requirements to document, in a comprehensible manner that lends itself to review, the basis upon which decisions on data retrieval are made. The challenged provisions do not satisfy these requirements. For the most part, they are already disproportionate because they do not require thresholds that limit the use of these powers. Furthermore, they do not provide for an obligation to document the basis upon which decisions on data access are made.