Germany’s proposed digital violence law hides illegal mass surveillance, SpaceNet AG warns.
A new draft bill from the German federal government is raising legal alarms. The proposed “Act to Strengthen Civil and Criminal Protection against Digital Violence,” scheduled for cabinet debate today, contains regulations that are likely unlawful in key sections — at least according to Munich-based managed IT provider SpaceNet AG, which successfully challenged Germany’s previous data retention law in court back in 2016. The company sees the draft as yet another — barely disguised — attempt to sneak mass data retention in through the side door.
A Three-Month Cap That Isn’t
At first glance, the draft’s data retention period looks reasonable: a maximum of three months. But the details tell a different story. SpaceNet CEO Sebastian von Bomhard explains the flaw:
„The problem is above all the duration of data storage. While the draft limits it to three months, this period will regularly be exceeded in practice, because the law requires storage to begin when a connection is assigned and deletion to occur three months after the assignment ends. In reality, internet connections today are rarely disconnected and reassigned, meaning retention periods can stretch into years.“
That, says von Bomhard, puts the bill in direct conflict with the European Court of Justice’s (ECJ) 2024 ruling, which requires that data be stored for the shortest possible time. What looks like a modest three-month ceiling on paper could translate into years of logging real internet activity.
Using Online Abuse as Cover?
SpaceNet’s criticism goes beyond the technical. The company sees a structural problem in the use of a socially important issue — protecting people from online harassment and violence — to legitimize an unrelated and widely contested measure.
Von Bomhard draws a sharp comparison: the German government rightly opposes a real-name requirement for the internet. Yet proactively storing IP addresses amounts to the same thing — universal, suspicionless identification of all users.
The underlying technical reality is well known: serious online crimes can easily be concealed using commercially available VPN services, even by non-technical users. Mass retention of IP data does nothing to solve this problem. Instead, it burdens the overwhelming majority of law-abiding internet users.
Quick-Freeze Would Have Offered a Compromise
According to SpaceNet, the “quick-freeze” approach — enshrined in the previous coalition’s governing agreement — would have provided a workable middle ground. Under this model, traffic data would only be frozen on the basis of urgent suspicion and could only be accessed following a judicial order. This balances effective law enforcement with the protection of fundamental rights, and stays within the boundaries set by Germany’s Federal Constitutional Court (2010) and the ECJ (2022, 2024).
Modern AI-based analysis tools also offer new capabilities for criminal investigation. But this potential is undermined when authorities rely on bulk data collected without cause rather than targeted, legally sound instruments.
The Bill’s Cost Will Hit Consumers
The draft would also have concrete economic consequences. An EU-compliant implementation of the proposed storage requirements would impose massive costs on internet service providers — costs that would inevitably be passed on to end users. Higher prices for internet access could be the result for millions of consumers.
An Old Idea in New Clothes
SpaceNet has a long legal history with German data retention legislation: in 2016, the company challenged the then-applicable law in court and won. The Federal Administrative Court confirmed that blanket data collection was unlawful — a landmark decision for privacy rights and legal certainty in the tech sector.
Now, nearly a decade later, SpaceNet finds itself facing what looks like the same policy repackaged under the banner of digital violence protection. Von Bomhard is unequivocal:
„In the form planned by the coalition, data retention remains a blanket intrusion into civil liberties. Now, on top of extending the storage duration, the types of data to be stored are being expanded. This instrument fundamentally ignores the presumption of innocence and makes trust in German digital policy nearly impossible.“
Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de