Update D: Data preservation - reforms at the turn of the year
Category: News | By: K. Schiefer - 2B Advice GmbH - the privacy benchmark
The controversial data preservation act, which extends the duties of companies, enters its second phase on January 1, 2009. The duty to retain data may now affect a significantly larger share of companies.
Since January 1, 2009, with the expiry of the transitional provisions, Internet service providers are also obliged to retain inventory data for e-mail accounts and Internet traffic data for a period of six months. This applies to providers of Internet access services, e-mail services and Internet telephony services.
It cannot be ruled out that practically any company could become such a provider of Internet services, for example by allowing its employees to use their corporate e-mail accounts or Internet access for private purposes. The company would then fall under the data preservation act and would be obliged to retain the required data.
The data to be retained in such a case would include when, for how long and from which IP address a user accessed the Internet. For e-mail, the addresses of the sender and the recipient of each message, their IP addresses, and the times at which the message was sent and retrieved from the server would have to be stored. For Internet telephony, the telephone numbers and the start and end times of each call would have to be recorded, as has already been the case for landline and mobile telephone calls since 2008. The duty to retain data does not extend to the contents of calls and e-mails, nor to which websites a user has visited.
Companies would have to store the data in such a way that requests from authorized bodies can be answered without delay. They would also have to ensure that data collected under the data preservation act is deleted within one month after the six-month retention period expires.
Since January 1, 2009, violations of the duty to retain this data, or of related duties such as the duty to delete it, are punishable as administrative offenses under Sec. 149 of the Telecommunications Act (TKG).
A duty to retain data where private use of the Internet or e-mail is permitted exists only if the communication service is "publicly accessible". The prevailing view in the legal discussion denies precisely this: the employees of a company form a closed group, because private use is permitted only to current employees. Moreover, it would in principle not be possible to store the data separately for private and business use; the data would be stored together. The legislative history of the laws implementing data preservation states that duplicate storage of equivalent data is to be avoided. BITKOM, the Federal Network Agency and the Federal Privacy Commissioner, among others, share this view.
The prevailing view cited above is obviously preferable for companies and employees alike, since it does not require data preservation. The position of the Federal Network Agency is not fully authoritative and cannot give companies final legal certainty, but a company that follows it can assume that it is acting lawfully. A final, authoritative decision can only be made by the courts.
Companies should nevertheless try to avoid falling under the data preservation act, not only to save the costs that result from the duty to retain data and from the related duties of administering and deleting it, but also to guard against a court assessing the legal situation differently. This can be achieved by prohibiting the private use of all business communication systems, i.e. Internet, Internet telephony, e-mail, telephones and mobile phones. As already indicated above, the duty to retain data applies only to providers of "services usually rendered for money". If a company permits private use, it renders a service to its employees: that service is part of the remuneration the employees receive for their work (the salary), with which they also pay for the private use of the communication services. The situation is different in the case of purely business use, since these services are then not rendered to the employees for money.
Such a prohibition is best imposed in a works agreement on the use of IT systems, but it can also be added to an existing IT security policy. In any case, measures must be taken to make the prohibition known to all employees. It may also be practical, for example, to display a message box containing the prohibition at each daily log-in to the workstation, which the employee must confirm. This reminds employees of the prohibition every day.
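One way to implement the confirmed log-in message described above on a Windows workstation is the built-in legal notice shown before logon. The following script is an added example, not code from the article or from 2B Advice; the registry path and value names are Windows' own, while the notice wording is a hypothetical placeholder and must be replaced by the text agreed in the works agreement or IT security policy. It has to be run with administrative rights.

```powershell
# Added example: configure the pre-logon legal notice that every user must
# confirm with "OK" before the Windows logon screen appears.
# Assumption: run as administrator on the workstation (or roll out via GPO);
# the wording below is a placeholder, not taken from the article.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$caption = 'Use of company IT systems'
$text = 'Private use of Internet access, e-mail, Internet telephony, ' +
        'telephones and mobile phones is prohibited. Compliance with this ' +
        'prohibition is monitored by random spot checks. ' +
        'Press OK to confirm that you have read this notice.'

# Both values are REG_SZ; an empty LegalNoticeText disables the dialog.
Set-ItemProperty -Path $key -Name 'LegalNoticeCaption' -Value $caption -Type String
Set-ItemProperty -Path $key -Name 'LegalNoticeText'    -Value $text    -Type String

# Read the values back so the change can be verified (and documented) on the spot.
Get-ItemProperty -Path $key | Select-Object LegalNoticeCaption, LegalNoticeText
```

In a domain the same two values are set centrally with the Group Policy settings "Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on" under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options; the script above is the equivalent for a single machine or a test. The dialog appears at every interactive logon, so the daily reminder the article calls for is achieved without any additional software.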
Finally, such a prohibition requires regular monitoring. This prevents a practice from developing in which private use of the business communication services is effectively permitted again despite the prohibition, possibly with the knowledge and tolerance of management. The regular monitoring of compliance with the prohibition should be announced when the prohibition is first imposed and again at the daily log-in. The monitoring need not cover every employee; a spot check of a few randomly selected employees is sufficient.
By prohibiting private use, a company chooses the legally secure solution, because it avoids the duty of data preservation regardless of how the legal discussion is resolved.
