The German Bundestag (parliament) has passed a controversial law requiring telecoms and Internet companies to store customers' metadata and to make it available to law enforcement agencies investigating "severe crimes." Specifically, "phone providers will now have to retain phone numbers, the date and time of phone calls and text messages, and, in the case of mobile phones, location (approximated through the identification of cell phone towers)." In addition, "Internet providers are required to save the IP addresses of users as well as the date and time of connections made," a post on the Lawfare blog explains.

This is the second attempt to bring in data retention in Germany. The first, dating to 2007, was struck down by Germany's constitutional court in 2010 on the grounds that it was disproportionate and that data storage was not secure enough. The new law attempts to address both issues. According to Lawfare: "The content of communications, websites accessed and metadata of e-mail traffic have been explicitly excluded." As Ars suggested would be the case back in May, the retention period has been reduced from the original six months to ten weeks, and the law specifies that data must be retained within Germany, a localisation requirement that has raised some eyebrows. Moreover, "the data must be saved on air-gapped servers, must be encrypted, and can only be accessed if two authorized individuals are present."

The Lawfare blog notes that the German data retention bill still has a number of hurdles to clear: "Once the law has passed the parliament’s upper house in a few weeks—a vote seen as all but assured—the bill will be presented to the German president Joachim Gauck for signature. If he believes the law is unconstitutional, he could either decline to sign it or sign it, but at the same time ask the German constitutional court to verify its compliance with German Basic Law."

After that, it could still face a challenge at the European level. Last year, the Court of Justice of the European Union threw out the entire EU data retention directive on the grounds that it was not "limited to what is strictly necessary." Germany's new law will have to meet that requirement too, as must the UK's revamped snooper's charter, which is expected to be announced soon.