Berlin Proposes Three-Month Requirement to Store IP Addresses
On April 23, 2026, the German government announced its intention to reinstate a law requiring internet service providers (ISPs) to retain customer data, specifically IP addresses and port numbers, for a duration of three months. This latest effort follows a tumultuous history of previous attempts that grappled with issues of privacy and data security.
The proposal, which has already received cabinet approval, will soon face parliamentary scrutiny. The initiative aims to enhance law enforcement capabilities to investigate various online crimes, ranging from child abuse to digital fraud. Federal Minister of Justice Stefanie Hubig emphasized the necessity of such a measure, stating, "The digital space must not be a paradise for criminals. Too many crimes go unsolved because crucial clues, like IP addresses, are missing."
Historically, Germany’s attempts to enforce similar data retention laws have met with significant resistance and legal challenges. The first effort occurred between 2008 and 2010, driven by the implementation of the 2006 EU Data Retention Directive, which mandated that countries retain data for between six months and two years. This initial legislation encompassed a broad spectrum of data, including not only IP addresses but also metadata related to internet access, emails, and telecommunications.
However, the German Federal Constitutional Court intervened, overturning the law on the grounds that it conflicted with the right to telecommunications privacy. The court ruled that the measures were excessively invasive and failed to adequately protect collected data or limit its use by authorities.
In 2014, following similar concerns, the Court of Justice of the European Union (CJEU) abolishing the entire Data Retention Directive. This marked a significant setback for national governments wishing to impose such restrictions. Nevertheless, in the aftermath of the 2015 terrorist attack on the French satirical publication Charlie Hebdo, the German government made another attempt in 2016 to mandate data retention, this time proposing a retention period of 10 weeks and restricting access to investigations concerning only serious crimes. Even this scaled-down proposal faced major hurdles, ultimately stalling in mid-2017 due to court rulings deeming untargeted data retention unacceptable.
Despite previous failures, Hubig asserted that the current proposal represents a pivotal opportunity to resolve the longstanding debate over balancing freedom and security in the digital realm. The new legislative framework does not impose blanket measures on the retention of traffic or location data. Instead, it allows law enforcement agencies to request the retention of traffic metadata in specific cases where a crime is under investigation, while also enabling wider access to cell site location data for severe crimes.
Critics, however, have voiced strong opposition to the proposed legislation. Constanze Kurz, spokesperson for the Berlin-based Chaos Computer Club, Europe’s largest hacker association, described the proposal as a form of mass surveillance. She argued that it fails to adequately address potential misuse and cybersecurity risks, warning that the retention of data could become attractive targets for cybercriminals.
Rather than undermining individual privacy rights, Kurz advocates for a more evidence-based approach to data policy that prioritizes differentiated solutions over mass data retention. "Instead of putting all people under general suspicion, we need to focus on targeted measures that respect privacy while still allowing for effective crime prevention," she stressed.
Concerns also arise from the German internet industry, with Klaus Landefeld, a board member of the trade association Eco, stating that the draft fails to meet European Court standards and imposes indiscriminate data retention. He raised alarms about the burdens placed on ISPs to invest in secure storage infrastructures mandated by this law, calling it a source of legislative uncertainty with potentially high costs for businesses.
Notably, while some representatives from the telecommunications sector echoed these concerns, others felt that the cybersecurity measures proposed were satisfactory. The German Broadband Communications Association criticized the three-month retention requirement as excessive and burdensome but acknowledged that the security provisions were reasonable.
Across Europe, various countries have already implemented data retention laws, some of which surpass the measures proposed by Germany. For instance, Italy mandates the preservation of telephone and internet metadata for six years, despite ongoing concerns regarding compliance with court directives. Furthermore, future CJEU rulings may clarify the legality of retaining IP addresses, especially if they cannot be linked to identifiable personal data.
Anticipation builds as the European Commission is expected to announce a new data retention proposal that could potentially harmonize differing national laws and regulations. The outcome of this legislative journey in Germany and across Europe will no doubt shape the future landscape of digital privacy and data security. As the debate unfolds, the balance between protecting citizens and addressing crimes in the digital space remains a complex and deeply contested issue.