It does not violate the German Basic Law that the provider of an e-mail service is obliged, in the context of a duly ordered telecommunications surveillance, to provide the investigating authorities with the Internet protocol addresses (hereinafter: IP addresses) of the customers accessing their account, even if, for data protection reasons, it has organized its service in such a way that it does not log them. This was the decision of the 3rd Chamber of the Second Senate in a resolution published today, in which the constitutional complaint of such a service provider was not accepted for decision. In its reasoning, the Chamber stated that the aim of offering a business model optimized for data protection, which is in principle worthy of protection under Art. 12 para. 1 of the German Basic Law (GG), cannot release the company from its obligation to comply with the legal requirements that take into account the constitutional requirement of a functioning administration of criminal justice.
Facts:
The complainant operates an e-mail service that advertises particularly effective protection of customer data and is committed to the principles of data security and data economy. It only collects and stores data if this is necessary for technical reasons or – in its view – is required by law.
The Stuttgart public prosecutor’s office conducted a preliminary investigation on suspicion of violations of the Narcotics Act and the War Weapons Control Act. In an order dated July 25, 2016, the local court, at the request of the public prosecutor’s office pursuant to Sections 100a, 100b of the German Code of Criminal Procedure (StPO) as amended at that time, ordered the backup, mirroring and surrender of all data electronically stored on the service’s servers with respect to the e-mail account in question “as well as all data accruing in the future with respect to this account.” The State Criminal Police Office notified the complainant of the ordered monitoring measure and the account to be monitored.
In response, the complainant set up telecommunications monitoring, but pointed out that traffic data of users was not “logged” and that such data, including IP addresses, could therefore not be provided because it was not available. Outlining its system structure, the complainant contradicted the public prosecutor’s assumption that the IP addresses were available at the provider’s premises. For security reasons, it strictly separates its internal network from the Internet using a so-called NAT (Network Address Translation) process, in which the address information in data packets is automatically replaced by other information. The IP addresses of the customers were therefore already discarded at the outer limits of the system and were removed from the complainant’s access.
By order of August 9, 2016, the Local Court imposed an administrative fine of 500 euros, or seven days’ administrative detention, on the complainant. Based on the decision of July 25, 2016, the complainant was obliged to collect the traffic data and in particular the IP addresses in the future. The Regional Court dismissed the appeal against this as unfounded by order of September 1, 2016. In November 2016, the State Criminal Police Office informed the complainant that the monitoring of the connection could be switched off. The fine was eventually paid.
The Chamber’s main considerations are:
Insofar as the constitutional complaint is directed against the appeal decision, it is in any case unfounded. It is true that the imposition of the administrative fine interferes with the complainant’s freedom to exercise its profession, which is guaranteed by Art. 12 para. 1 sentence 2 of the German Basic Law (GG). However, the assumption of the Regional Court that the encroachment on the scope of protection of Art. 12 para. 1 sentence 2 GG is justified in accordance with the relevant statutory provisions does not meet with any constitutional objections.
Art. 12 para. 1 sentence 2 of the German Basic Law permits interference with the freedom of occupation only on the basis of a statutory regulation that indicates the scope and limits of the interference. In this context, the legislature itself must make all essential decisions insofar as they are amenable to statutory regulation. The greater the encroachment on areas protected by fundamental rights, the more clearly the legislative intent must be expressed. Accordingly, a violation of fundamental rights is not evident. The specialized courts have interpreted the provisions on the obligations of telecommunications service providers to cooperate and withhold information in a constitutionally defensible manner. They were allowed to assume, without violating the constitution, that the complainant was obligated to design its operation in such a way that it could provide the investigating authorities with the external IP addresses accruing at the monitored account from the time of the order. This is because the interception of telecommunications within the meaning of Section 100a of the Code of Criminal Procedure covers not only the contents of communications, but also the more detailed circumstances of the telecommunications, including the IP addresses in question.
(1) The provision of Section 100a of the Code of Criminal Procedure – which is in conformity with the Constitution – authorizes the interception and recording of telecommunications. Against the backdrop of the “broad” concept of telecommunications, access to e-mail communication, at least insofar as it involves the transmission of the message from the sender’s device via the sender’s mail server to the e-mail provider’s mail server and the subsequent retrieval of the message by the recipient, indisputably falls within the scope of Section 100a of the Code of Criminal Procedure.
The protection of the secrecy of telecommunications under Art. 10 para. 1 GG, however, covers not only the content of the communication, but also the detailed circumstances of the telecommunication. Against this background, the interception of telecommunications pursuant to Section 100a of the Code of Criminal Procedure also concerns traffic data within the meaning of Section 3 No. 30 of the Telecommunications Act (TKG), insofar as this data is generated in the course of the telecommunications to be intercepted. Traffic data in this sense also and especially includes the IP addresses that are generated. Accordingly, they are listed in § 96 para. 1 sentence 1 TKG as numbers of the lines or facilities involved. Dynamic or static IP addresses used by the customers of a provider of e-mail services to access their e-mail account with their Internet-capable end devices are therefore in principle subject to the scope of Section 100a of the Code of Criminal Procedure.
However, the fact that the monitoring of e-mail traffic in the context of an order under Section 100a of the Code of Criminal Procedure also includes the designated IP addresses does not necessarily mean that the complainant, as the operator of a telecommunications system, is already obliged to take precautions to make these IP addresses also and precisely available to the investigating authorities. § 100b para. 3 sentence 2 StPO (old version) refers in this respect to the provisions of the TKG and the TKÜV.
According to § 110 para. 1 sentence 1 no. 1 TKG, operators of publicly available telecommunications services are required to maintain, at their own expense, technical facilities for implementing telecommunications monitoring from the time they commence operations and to take the appropriate organizational precautions for its immediate implementation. The basic technical requirements and organizational key points for the implementation of the monitoring measures are governed by the TKÜV, which was enacted on the basis of the authorization in Section 110 para. 2 TKG. According to this, the complainant is also subject to the obligation to produce evidence; that the exceptions provided for in Section 3 para. 2 of the TKÜV for certain types of telecommunications equipment apply has neither been presented nor is it apparent.
The scope of the data to be provided is determined in accordance with § 5 para. 1 and 2 in connection with § 7 para. 1 TKÜV. According to § 5 para. 1 TKÜV, the telecommunications to be monitored consist – in accordance with the broad definition of telecommunications in Section 100a of the Code of Criminal Procedure – of the content and the data on the detailed circumstances of the telecommunications. Pursuant to paragraph 2 of the provision, the obligated party shall provide a complete copy of the telecommunications that are handled through its telecommunications equipment. As part of this monitoring copy, the obligated party must, pursuant to § 7 para. 1 sentence 1 nos. 2, 3 and 4 of the TKÜV, also provide the data it holds on a dialed telephone number or other addressing information. According to the language used in the TKG, IP addresses that are generated in the course of telecommunications fall under the term “other addressing information” without further ado, because they are used precisely for addressing, i.e., for reaching or locating a specific destination on the Internet. For example, IP addresses are indisputably subject to the legal definition of § 3 No. 13 TKG, according to which numbers within the meaning of the TKG are strings of characters that serve addressing purposes in telecommunications networks.
It is also at any rate constitutionally justifiable to assume that the data are available to the complainant within the meaning of Section 7 para. 1 sentence 1 TKÜV and are to be provided by it as part of the complete copy of the monitored telecommunications handled via its telecommunications system. It already follows from the system structure described by the complainant that it must store the public IP addresses of its customers at least for the duration of the communication, as otherwise it would not be able to send the retrieved data packets to its customers at all. In any case, the data accrues when accessing the monitored e-mail account, is known to the complainant’s telecommunications system at least at times, and is also used by it to establish successful communication with the requesting customer.
The monitoring of – future – telecommunications pursuant to Section 100a of the Code of Criminal Procedure is – unlike the collection of traffic data pursuant to Section 100g of the Code of Criminal Procedure – also not limited to the traffic data that may be permissibly collected by the service provider pursuant to Section 96 para. 1 TKG.
The fact that the complainant cannot access the external IP addresses – at present – does not prevent this. The reason is not that the data itself is unavailable, but solely that the complainant has chosen to hide it from its internal systems and not log it for data protection reasons. This, however, is solely due to the business and system model deliberately chosen by the complainant. It is true that the complainant’s concern to offer a business model that optimizes data protection and is therefore attractive to many users also appears, from the point of view of Art. 12 para. 1 GG, to be in principle well worth protecting. However, this cannot release the complainant from the requirements of the TKG and the TKÜV, which are obtained within the framework of a reasonable interpretation and which take into account the constitutional requirement of a functioning administration of criminal justice.
Finally, this result is not precluded by the fact that, under Section 7 para. 1 sentence 1 no. 9 TKÜV, which was added as part of the new announcement of July 11, 2017, the data to be provided now explicitly extends to the public IP addresses of the users involved that are known to the telecommunications system of the obligated party. In any case, this new provision does not permit a constitutionally compelling conclusion that the IP addresses in question had previously been excluded from the group of data to be provided. Rather, the newly inserted Section 7 para. 1 sentence 1 no. 9 TKÜV obviously has a clarifying function.
(2) Contrary to the complainant’s view, Section 100g para. 1 StPO does not displace the provision of Section 100a StPO as far as the (real-time) interception of future telecommunications is concerned.
(3) In the specific case, there is likewise nothing to object to on constitutional grounds against the setting of the administrative fine in the amount of 500 euros.