Germany Tries, Tries Again With ISP Data Retention Mandate
Data Breach Today
Berlin Proposes 3 Month Requirement to Store IP Addresses
David Meyer • April 23, 2026
Image: Larysa Aleksieieva/Shutterstock
The German government says it's unlocked the secret to passing a law that would require internet service providers to keep customer data without running afoul of privacy and security concerns that sank earlier attempts.
Critics say that's impossible.
The national cabinet approved Wednesday a draft law - it still needs parliamentary approval - that would force internet service providers to store customers' IP addresses and port numbers for three months as a "precautionary measure," to aid the investigation of online crimes.
"The digital space must not be a paradise for criminals. Too many crimes - whether child abuse, online fraud, or digital violence - go unsolved because crucial clues like IP addresses are missing," said Federal Minister of Justice Stefanie Hubig.
The first time Germany forced ISPs to hang onto customer data in this way - between 2008 and 2010 - it was trying to implement the 2006 EU Data Retention Directive, which obliged countries to mandate retention times of between six months and two years. The covered data was extensive, including IP addresses as well as metadata relating to internet access, emails and telecommunications.
The German Federal Constitutional Court overturned that law due to a conflict with the country's fundamental right to telecommunications privacy. The court concluded the law was too heavy-handed for what were essentially precautionary aims, that it didn't sufficiently limit what authorities could do with the data that had been collected and that it didn't set out enough data security requirements.
In 2014, the Court of Justice of the European Union - the bloc's highest legal authority - scrapped the entire Data Retention Directive over similar concerns. But the next year, following the terrorist attack on satirical publication Charlie Hebdo in France, the German government tried again.
For its second attempt, the German government still wanted ISPs to collect metadata and location data alongside IP addresses, but reduced the retention time to 10 weeks and limited database access to investigation of "severe" crimes. The data would also have to be encrypted and stored on air-gapped servers, with a court order required for access.
Just before the planned implementation of that law in mid-2017, a complaining service provider won a temporary suspension of the retention requirements in a regional court. By that point, the CJEU had published another ruling stating that untargeted data retention was unacceptable. Telecoms regulator the German Federal Networks Agency said it wouldn't go ahead with enforcement. The second German law was never unsuspended and was finally killed off in 2022 by yet another CJEU ruling.
Hubig said on Wednesday that this new German attempt presented "the opportunity to bring a 20 year debate about freedom and security online to a sensible conclusion."
This time, there will be no blanket requirement to store traffic or location data - though law enforcement agencies would be able to demand the retention of traffic metadata in specific cases when a crime is suspected and to request cell site location data for a broader range of serious crime investigations than is currently allowed. "Fundamental rights will be protected, while we simultaneously strengthen law enforcement online," said the minister.
Skeptics are unimpressed. "This proposal for data retention is a mass surveillance law and does not take into account the massive potential for misuse and the high IT security risks," said Constanze Kurz, spokeswoman for the Berlin-based Chaos Computer Club, Europe's biggest hacker association. She told ISMG on Thursday that the stored information would be "attractive to all kinds of data criminals," creating "attack points for cybercrime."
"Instead of putting all people under general suspicion and introducing a disproportionate and unjustified forced storage of all IP addresses and other accompanying data, we need evidence-based policies that pursue differentiated solutions," Kurz added.
Eco, the German internet industry trade association, is also concerned about the new legislative proposal. Board member Klaus Landefeld said in a statement that the draft "fails to meet the requirements of the European Court of Justice and once again creates indiscriminate data retention without demonstrable added value for law enforcement."
Landefeld argued that there would be too much burden placed on internet providers who would need to set up complex and highly secure storage infrastructures. "Companies are once again being asked to invest in an infrastructure whose legal status is questionable. This creates planning uncertainty, incurs high costs and weakens Germany's position as a digital business location."
Not all telecommunications industry representatives are as concerned about the cybersecurity-related implications of the draft law. The German Broadband Communications Association criticized the proposal's three-month retention time as being disproportionate, and said storing IP addresses and port data "poses a significant risk of massive technical and economic burdens." But a spokesman told ISMG on Thursday that the association views the draft law's cybersecurity provisions "as sufficient."
Many European countries already have data retention laws in place. Some of them go far further than what Germany has ever proposed. Italy mandates the storage of telephone and internet metadata for six years, despite the mandate appearing to contradict the CJEU's regularly repeated insistence on only storing data as long as is strictly necessary.
Another CJEU data retention ruling in 2024 regarding a case in France suggested that retaining IP addresses is acceptable as long as they generally cannot be linked to identity-related stored data.
The European Commission is expected to put forward a new data retention proposal in the coming months, which might clear up the messy disparity between different countries' laws.