Information Note on the Court’s case-law 236

January 2020

Breyer v. Germany - 50001/12

Judgment 30.1.2020 [Section V]

Article 8

Article 8-1

Respect for private life

Legal obligation on service providers to store personal data of users of pre-paid mobile-telephone SIM-cards and make them available to authorities upon request: no violation

Facts – In 2004 the Telecommunications Act imposed on service providers an o bligation to collect various personal details in respect of all their customers and store this data together with the telephone number attributed, even when not necessary for billing purposes or other contractual reasons.

Retrieval and transmission of the data could be requested by various public authorities without a court order or notification to the persons concerned being needed. Requests for data retrieval could under certain conditions be automated and result in lists based on mere similarity (partia l-data queries) in names or numbers. Such information requests were permissible where considered necessary “to prosecute criminal and administrative offences, to avert danger and to perform intelligence tasks”.

The applicants purchased pre-paid SIM-cards a nd were thus required to register with their respective service providers their names, addresses and dates of birth when activating those SIM cards. They appealed to the Federal Constitutional Court, but in vain.

To keep the same temporal scope of examina tion as the latter domestic court, this Court examined the impugned provision as in force on 1 January 2008.

Law – Article 8: The interference complained of consisted in the actual storage of the data, not in any subsequent use of it. Yet the Federal Cons titutional Court found that, in view of the possibilities of processing and combining, there was no item of personal data which was in itself insignificant.

The question of foreseeability and sufficient detail of the relevant provisions was in the present case closely related to the broader issues of whether the interference was necessary in a democratic society and proportionate.

In that latter connection, as there was no European consensus concerning collection and storage of information on pre-paid SIM-card owners, the member States had a certain margin of appreciation, which the Court found not to have been overstepped here, for the following reasons.

At th e outset, the Court acknowledged that the storage at issue was, from a general point of view, a suitable response to changes in communication behaviour and in the means of telecommunication:

– pre-registration of mobile-telephone subscribers strongly simp lified and accelerated investigation by law-enforcement agencies; it could thereby contribute to effective law enforcement and prevention of disorder or crime;

– the existence of possibilities to circumvent legal obligations could not be a reason to call into question their overall utility and effectiveness;

– besides the lack of consensus, the fact that national security concerns were at stake also justified a certain margin of appreciation.

The question remained whether the interference was proportionat e. A positive answer was arrived at as follows.

(a) Level of interference with private life – Unlike in cases previously examined by the Court, the data storage at issue did not include any highly personal information or allow the creation of personality profiles or the tracking of the movements of mobile-telephone subscribers. Moreover, no data concerning individual communication events was stored. While not trivial, the interference was thus rather limite d in nature.

(b) Safeguards – As to the data registration and storage per se , the Court noted that:

– the applicants had not alleged that this storage had been subject to any technical insecurities;

– the duration of the storage was limited to the calen dar year following the year in which the contractual relationship had ended; this did not appear excessive, given that investigations into criminal offences might take some time and extend beyond the end of the contractual relationship;

– the stored data had been limited to the information necessary to clearly identify the relevant subscriber.

However, regard must be had to the future possible access to and use of the data stored. In view of the following elements, there were sufficient safeguards in that respect.

(i) Competence for issuing information requests

Automated requests – Admittedly, the related provision involved very simplified data retrieval for the authorities. The centralised and automated procedure permitted a form of access which largely removed the practical difficulties of data collection and made the data available to the authorities at all times without delay.

However, the authorities which could request access were specifically listed. Even though the list appeared broad, all author ities mentioned therein were concerned with law enforcement or the protection of national security.

Manual requests – Admittedly, the authorities entitled to request access in accordance with the latter provision were identified with reference to the tasks they performed but were not explicitly enumerated.

While this description by task was less specific and more open to interpretation, the wording of the provision nonetheless was detailed enough to clearly set out which authorities were empowered to reques t information.

Also, as far as the intelligence services were concerned, the Federal Constitutional Court concluded that their wide-ranging legal powers to request information on a pre-emptive basis was justified, given that their activities were limited.

(ii) Purpose of information requests – The requesting authorities had to have an additional legal basis to retrieve the data – which the Federal Constitutional Court compared to a double-door system: the Telecommunications Act only allowed the Federal Net work Agency or the respective service provider to release the data; then a further provision was required to allow the specified authorities to request the information.

(iii) Extent of information requests – Retrieval was limited to necessary data (for e xample, in the context of prosecution of offences, there had to be at least an initial suspicion). The respective authorities retrieving the information were under a general obligation to erase any data they did not need without undue delay.

Besides, the requirement of “necessity” was not only inherent in the specific legal provisions subject to this complaint but also to German and European data-protection law.

While the thresholds for the manual procedure were lower than for the automated one, the oblig ation to submit a written request for information was likely to encourage the authorities to obtain the information only where it was definitely needed. In practice, manual retrievals seemed indeed to have been made in a much more limited number of cases c ompared with automated requests.

(iv) Review and supervision of information requests – Admittedly, since the telecommunications providers had no competence to review the admissibility of any request as long as the information was requested in written form with reference to a legal basis, the responsibility for the legality of the information request lay with the retrieving agencies themselves. However:

– the Federal Network Agency was competent to examine the admissibility of the transmission of data when it saw reasons to do so;

– each retrieval and the relevant information regarding the retrieval had to be recorded for the purpose of data-protection supervision, the latter being entrusted to independent authorities that could be appealed to by anyone a ffected;

– legal redress against information retrieval might also be sought under general rules – in particular, together with legal redress proceedings against the final decisions of the requesting authorities.

Given those avenues for review, the lack of notification of the retrieval procedure did not raise an issue under the Convention.

In any case, while important, the level of review and supervision could not be a decisive element in the proportionality assessment of the collection and storage of such a limited data set.

Conclusion : no violation (six votes to one).

(See also the Factsheets on Mass surveillance and Personal data protection )

© Council of Europe/European Court of Human Rights This summary by the Registry does not bind the Court.

Click here for the Case-Law Information Notes