In a 90-page ruling (available on the website of the Digital Society, DG), the Federal Administrative Court (FAC) dismissed the Digital Society's complaint against the Post and Telecommunications Traffic Surveillance Service (ÜPF) in connection with the retention of marginal data on telecommunications. The Digital Society (DG) had demanded that the ÜPF oblige telecommunications providers to delete certain traffic and billing data and not to release such data in the future. The DG argued that the legal basis for storing the data in question, Art. 15 para. 3 BÜPF, was not formulated with sufficient precision, and that the storage of marginal data without any reason violated the principle of proportionality and the principles of data protection. The ÜPF had rejected the corresponding requests of the DG. The FAC, on the other hand, concludes that although the storage of marginal data represents a serious encroachment on fundamental rights, it is based on a sufficient legal foundation, serves a public interest and is not disproportionate.
Jurisdictional issues
The FAC confirms the rejection by the ÜPF and dismisses the appeal of the DG. It first confirms the jurisdiction of the ÜPF: the dispute was subject to public law, so that the administrative appeal procedure was open, and the providers, for their part, were not authorized to issue rulings. No other order of jurisdiction resulted from either the DPA or the TCA.
Marginal and inventory data
In connection with the interpretation of the legal request, the FAC then distinguishes between marginal data and inventory data:
- Inventory data are data that exist unchanged, independently of any particular telecommunications traffic, for example the owner of a telecommunications connection;
- Marginal data, in contrast, are external data of the communication process, i.e., data relating to a specific communication process and showing with whom, when, for how long, and from where a person has and has had connections, as well as the technical characteristics of the corresponding connection (including traffic and billing data).
The BVGer subsequently explains in detail the legal basis of the surveillance of postal and telecommunications traffic, for example the demarcation between the BÜPF and the StPO, and addresses the total revision of the BÜPF. Although the latter was not applicable in the present case (no prior effect), this does not preclude taking the materials on the totally revised BÜPF into account when interpreting the applicable law in the sense of an interpretation based on the time of application.
Scope of protection of the secrecy of telecommunications
The Federal Supreme Court subsequently examines in detail the content of Article 13 (1) of the Federal Constitution and the protective rights flowing from it (and from Article 8 of the ECHR), in particular the right to respect for telecommunications and to protection against misuse of personal data. In doing so, it states that at least all data processed by the providers in connection with telecommunications, or incurred by them, fall within the scope of protection of the secrecy of telecommunications (for example, the time of the communication or data connection, its duration, type of data connection, etc.). The protection of telecommunications secrecy also covers other data associated with a telecommunications process, such as the addressing elements (telephone numbers, IP addresses, domain names, etc.), provided they are associated with a specific communication process (outside of such a process, they are inventory data). However, the FAC leaves open whether further technical data, such as information on the personal unblocking key or on whether and under which number or with which SIM card a specific mobile device is operated with a specific provider, fall within the scope of protection of telecommunications secrecy, because this data is not to be stored by the providers under Art. 15 BÜPF.
Location data and status information (information on whether the device is switched on and ready to receive) also fall within the scope of telecommunications secrecy if such data is generated in connection with a telecommunications transaction. The FAC was also able to leave open whether such data is also covered if it is stored outside of a communication process.
Fundamental rights assessment
Interference with fundamental rights
Constitutional considerations were at the core of the proceedings. The DG had argued that the storage of marginal data seriously violated the right to respect for telecommunications and the secrecy of telecommunications, and the right to protection against misuse of personal data, which are protected by fundamental rights and international law. In addition, other fundamental rights, such as freedom of expression, media freedom and freedom of assembly, would be restricted in that the storage of marginal data would give rise to a “subjective feeling of being under surveillance”.
In this regard, the FAC states that the marginal data can be condensed into personality profiles over a longer period of time, even though it is only external data of the communication. The storage and retention of such data constitutes a serious interference with the right to informational self-determination and the right to confidentiality of communications. This is all the more so because both guarantees are also of fundamental importance for freedom of expression and freedom of assembly. It is irrelevant whether stored data is later used in criminal proceedings, for example. In this context, both fundamental rights have an independent scope of application, so that the encroachment must be examined for constitutionality, taking both fundamental rights into account. In contrast, the fundamental rights interests of freedom of expression and freedom of assembly can be taken into account within the framework of the secrecy of telecommunications, which requires that the importance of the confidentiality of communications for the realization of freedom of assembly, as a central prerequisite for the democratic formation of will, be sufficiently taken into account.
Sufficiently determined legal basis
Accordingly, the Federal Supreme Court had to examine the requirements for justified encroachments on fundamental rights. After an in-depth analysis, the Federal Supreme Court concludes, with reference to the requirement of a legal basis, that the legal basis, Art. 15 para. 3 BÜPF, is sufficiently determined, because it can be seen from this provision that the providers systematically store and retain external data of the communication, as distinct from the content of the communication. As a result, the freedom-restricting consequences of the action, namely the storage and retention of data as a consequence of the use of communication services, can be foreseen with sufficient certainty.
Interference interest
In the next step, the Federal Administrative Court affirms that a public interest in data retention exists. The storage of marginal data enables the retrospective monitoring of telecommunications, which is a means of criminal prosecution and serves international mutual legal assistance in criminal matters and the search and rescue of missing persons (Art. 1 BÜPF). Whether the public interest is of sufficient weight is examined in the context of proportionality.
Proportionality
The DG had argued that data retention was not suitable for making an effective contribution to criminal prosecution. Moreover, there were other ways to enable retroactive monitoring. In addition, the measure was unreasonable because there were no sufficiently specific rules to ensure data security, to delete the data after the retention period had expired, or to provide effective monitoring and appeal options.
The Federal Administrative Court first states that data retention is suitable to realize the aforementioned public interest. As the Federal Supreme Court has repeatedly stated, the result of a retroactive marginal data collection can be of essential importance for the clarification and legal qualification of an offense. Therefore, it cannot be denied that the storage and retention of marginal data is suitable to contribute to the clarification of criminal offenses.
The DG had also objected that it was sufficient to store marginal data only when there was concrete suspicion of a crime, so that a milder means was available. The FAC rejects this objection because this measure, the so-called “quick freeze”, is not as effective as the storage of marginal data without any reason. It would be closer to real-time monitoring.
Next, the retention of data must also not be unreasonable. The FAC deals with this point in detail with reference to the case law of the ECtHR and the Federal Supreme Court. According to this case law, interventions in fundamental rights for surveillance are only permissible if there are sufficient guarantees to protect against misuse, in particular guarantees regarding the retention period, protection against unauthorized access, processing and theft, regulation of the group of persons authorized to access the data, deletion of the stored data and ensuring the right to information and inspection. In the opinion of the SNB, these requirements are met here by the data protection legislation, in particular the provisions on data security. In this context, the Federal Supreme Court explains the data security measures of the DSG and the VDSG, in particular for public bodies when data processing is transferred to third parties. In summary, the FAC concludes that telecommunications law and, in particular, data protection law provide sufficient guarantees to protect against misuse when processing marginal data.
Finally, the BVG assesses as correct the abstract balance struck by the legislator between the affected legal interests. Against the background of the aforementioned guarantees and in view of an “obviously partially changed social awareness in dealing with modern information technology […], the protected legal positions of the private individuals concerned do not carry the same weight as the interest in effective prosecution of crimes and misdemeanors.
Presumption of innocence
The DG had also argued that the retention of data without any reason violates the presumption of innocence (Art. 32 BV). The FAC rejects this. The mere storage and retention of marginal data does not lead to an accusation in the sense of criminal proceedings. An inadmissible compulsion to incriminate oneself (nemo tenetur) is also not evident.