At the start of July, Germany's internet service providers are supposed to start storing records of their customers' internet usage, under a 2015 law that is now coming into effect. However, a regional court reckons the law is illegal under EU rules.
On Thursday, little more than a week before the data-retention regime is due to begin, the higher administrative court of North Rhine-Westphalia issued a temporary injunction allowing a small Munich ISP called SpaceNet to avoid having to store its customers' traffic and location data.
In doing so, the Münster court overturned an earlier ruling by a Cologne administrative court, which rejected SpaceNet's challenge to the data-retention law.
The key to the higher court's non-appealable decision was last December's landmark ruling by the Court of Justice of the European Union (CJEU), which said EU countries could not have blanket data-retention requirements.
Under EU privacy legislation dating back to 2002, it is possible for states to tell their communications providers to store traffic and location data in a targeted way, to fight serious crime, and as long as there are safeguards to make sure the data isn't misused.
The CJEU said just before Christmas that the UK and Sweden were flouting the EU law by demanding indiscriminate data retention in their national laws, without the proper safeguards.
The Münster court took that as a cue for its decision. Noting that the German data-retention law "covers the traffic and location data of almost all users of telephone and internet services", it said the storage of the data would only be justified where the people involved have "at least an indirect link with the prosecution of serious crimes".
To be legitimate, the law should limit retention by criteria such as identity, time or place, it said. Importantly, the court noted that it's not enough to limit the authorities' access to the data after it's been stored.
For now, this is specifically a victory for SpaceNet, a B2B ISP with about 1,000 customers. It doesn't let other providers off the hook just yet.
SpaceNet spokesman Joachim Gartz told ZDNet that his company is happy "on a political and economic level". Implementing the data-retention requirement would have cost SpaceNet hundreds of thousands of euros. He said the firm is also "on a liberal level".
"We don't think it's right to do this retention thing, at least in the way the government has planned it," Gartz said.
"You could say maybe this is the beginning of the end of data retention, but I wouldn't go so far. I personally think in the end, in some way or another, data retention will come. The government will modify certain things. But if it comes, it can be done in a more intelligent way and in a way that is easier for the providers to realise."
Oliver Süme, policy chief at the German internet trade body Eco, which backed SpaceNet in its challenge said the court's decision is the first step in the right direction.
"But now it is time for a precedent-making decision to permanently stop data retention, otherwise companies are in danger of implementing a bill which is contrary to European law and the German constitution, thus [wasting money]," he said.
More on Germany and technology
- Privacy-keen Germans push back against plans to 'duplicate the US data chaos'
- Facebook privacy: Court backs blocking parents from dead girl's account
- 'Ultrasecure' Samsung Galaxy S8 iris scanner can be easily tricked, say hackers
- Expanded state hacking powers make a stealthy return to German agenda
- Can Google News use articles for free? Court wrangles take new twist