BVGer (A-4941/2014): The storage and retention of marginal data without cause, as provided for by the BÜPF, is constitutional

In a 90-page ruling (available on the website of the Digital Society, DG), the Federal Administrative Court dismissed the Digital Society’s complaint against the Post and Telecommunications Traffic Surveillance Service (ÜPF) in connection with the retention of marginal data on telecommunications. The Digital Society (DG) had demanded that the ÜPF oblige telecommunications providers to delete certain traffic and billing data and not to release such data in the future. The DG argued that the legal basis for storing the data in question, Art. 15 para. 3 BÜPF, was not formulated with sufficient precision, and that the storage of marginal data without cause violated the principle of proportionality and the principles of data protection. The ÜPF had rejected the corresponding requests of the DG. The FAC, on the other hand, concludes that although the storage of marginal data represents a serious encroachment on fundamental rights, it is based on a sufficient legal foundation, serves a public interest and is not disproportionate.

Jurisdictional issues

The FAC confirms the rejection by the FOP and dismisses the appeal of the DG. It first confirms the responsibility of the FOPH: the dispute was subject to public law, so that the administrative appeal procedure was open, and the providers, for their part, were not authorized to issue rulings. No other order of jurisdiction resulted from either the DPA or the TCA.

Marginal and inventory data

The FAC then distinguishes, in connection with the interpretation of the legal request, between marginal data and inventory data:

  • Inventory data are data that exist unchangeably, independent of any particular telecommunications traffic, for example the owner of a telecommunications connection;
  • Marginal data, in contrast, are external data of the communication process, i.e., data relating to a specific communication process and showing with whom, when, for how long, and from where a person has or has had connections, as well as the technical characteristics of the corresponding connection (including traffic and billing data).

The BVGer subsequently explains in detail the legal basis of the surveillance of postal and telecommunications traffic, for example the demarcation between the BÜPF and the StPO, and addresses the total revision of the BÜPF. Although the latter was not applicable in the present case (no prior effect), this does not preclude taking the materials on the totally revised BÜPF into account when interpreting the applicable law in the sense of an interpretation based on the time of application.

Scope of protection of the secrecy of telecommunications

The Federal Supreme Court subsequently examines in detail the content of Article 13 (1) of the Federal Constitution and in particular the protective rights flowing from it (and from Article 8 of the ECHR), namely the right to respect for telecommunications and to protection against misuse of personal data. In doing so, it states that at least all data that are processed by the providers in connection with telecommunications, or that are incurred by them, fall within the scope of protection of the secrecy of telecommunications (for example, the time of the communication or data connection, its duration, type of data connection, etc.). The protection of telecommunications secrecy also covers other data associated with a telecommunications process, such as the addressing elements (telephone numbers, IP addresses, domain names, etc.), provided they are associated with a specific communication process (outside of such a process, they are inventory data). However, the FAC leaves open whether further technical data, such as information on the personal unblocking key or on whether and under which number or with which SIM card a specific mobile device is operated with a specific provider, fall within the scope of protection of telecommunications secrecy, because this data is not to be stored by the providers under Art. 15 BÜPF.

Location data and status information (information on whether the device is switched on and ready to receive) also fall within the scope of telecommunications secrecy if such data is generated in connection with a telecommunications transaction. The FAC was also able to leave open whether such data is also covered if it is stored outside of a communication process.

Fundamental rights assessment

Interference with fundamental rights

The core of the proceedings were constitutional considerations. The DG had argued that the storage of marginal data seriously violated the right to respect for telecommunications and the secrecy of telecommunications, and the right to protection against misuse of personal data, which are protected by fundamental rights and international law. In addition, other fundamental rights, such as freedom of expression, media freedom and freedom of assembly, would be restricted in that the storage of marginal data would give rise to a “subjective feeling of being under surveillance”.

In this regard, the FAC states that the marginal data can be condensed into personality profiles over a longer period of time, even though it is only external data of the communication. The storage and retention of such data constitutes a serious interference with the right to informational self-determination and the right to confidentiality of communications. This is all the more so because both guarantees are also of fundamental importance for freedom of expression and freedom of assembly. It is irrelevant whether stored data is later used in criminal proceedings, for example. In this context, both fundamental rights have an independent scope of application, so that the encroachment must be examined for constitutionality, taking both fundamental rights into account. In contrast, the fundamental rights interests of freedom of expression and freedom of assembly can be taken into account within the framework of the secrecy of telecommunications, which requires that the importance of the confidentiality of communications for the realization of freedom of assembly as a central prerequisite for the democratic formation of will be sufficiently taken into account.

Sufficiently determined legal basis

Accordingly, the Federal Supreme Court had to examine the requirements for justified encroachments on fundamental rights. After an in-depth analysis, the Federal Supreme Court concludes, with reference to the requirement of a legal basis, that the legal basis, Art. 15 para. 3 BÜPF, is sufficiently determined, because it can be seen from it that the providers systematically store and retain external data of the communication, as distinct from the content of the communication. As a result, the freedom-restricting consequences of the action, namely the storage and retention of data as a consequence of the use of communication services, can be foreseen with sufficient certainty.

Interference interest

In the next step, the Federal Administrative Court affirms that a public interest in data retention exists. The storage of marginal data enables the retrospective monitoring of telecommunications, which is a means of criminal prosecution and serves international mutual legal assistance in criminal matters and the search and rescue of missing persons (Art. 1 BÜPF). Whether the public interest is of sufficient weight is examined in the context of proportionality.

Proportionality

The DG had argued that data retention was not suitable for making an effective contribution to criminal prosecution. Moreover, there were other ways to enable retroactive monitoring. In addition, the measure was unreasonable because there were no sufficiently specific rules to ensure data security, to delete the data after the retention period had expired, or to provide effective monitoring and appeal options.

The Federal Administrative Court first states that data retention is suitable for realizing the aforementioned public interest. As the Federal Supreme Court has repeatedly stated, the result of a retroactive marginal data collection can be of essential importance for the clarification and legal qualification of an offense. Therefore, it cannot be denied that the storage and retention of marginal data is suitable to contribute to the clarification of criminal offenses.

The DG had also objected that it was sufficient to store marginal data only when there was concrete suspicion of a crime. A milder means was therefore available. The FAC rejects this objection because this measure, the so-called “quick freeze”, is not as effective as the storage of marginal data without cause. It would be closer to real-time monitoring.

Next, the retention of data should not be unreasonable. The FAC deals with this point in detail with reference to the case law of the ECtHR and the Federal Supreme Court. According to this case law, interventions in fundamental rights for surveillance are only permissible if there are sufficient guarantees to protect against misuse, in particular guarantees regarding the retention period, protection against unauthorized access, processing and theft, regulation of the group of persons authorized to access the data, deletion of the stored data and ensuring the right to information and inspection. In the opinion of the SNB, these requirements are met here by the data protection legislation, in particular the provisions on data security. In this context, the Federal Supreme Court explains the data security measures of the DSG and the VDSG, in particular for public bodies when data processing is transferred to third parties. In summary, the FAC concludes that telecommunications law and, in particular, data protection law provide sufficient guarantees to protect against misuse when processing marginal data.

Finally, the BVG assesses the abstract balance struck by the legislator between the affected legal interests as correct. Against the background of the aforementioned guarantees and in view of an “obviously partially changed social awareness in dealing with modern information technology […], the protected legal positions of the private individuals concerned do not carry the same weight as the interest in effective prosecution of crimes and misdemeanors.

Presumption of innocence

The DG had also argued that the retention of data without cause violates the presumption of innocence (Art. 32 BV). The FAC rejects this. The mere storage and retention of marginal data does not lead to an accusation in the sense of criminal proceedings. An inadmissible compulsion to incriminate oneself (nemo tenetur) is also not evident.
