The Supreme Court in Germany has ruled that internet service providers (ISPs) must delete all customer logs when asked to by a user. The decision threatens to undermine entertainment industry and law enforcement attempts to urge ISPs to keep records.
The Supreme Court ruled in a case involving German citizen Holger Voss, a 33 year old man who wished to have his internet usage records deleted. Voss had been sued over comments he made in an internet forum in 2002 but that suit was unsuccessful.
Voss took a separate case against his ISP, T-Online, alleging that its retention of his dynamic IP address and the company's handing over of information about the address and its use to German authorities were illegal.
Voss had been accused of glorifying a criminal act, in this case the terrorist attacks in the US of 11th September 2001, but he said that his comments were heavily sarcastic.
The ruling means that German ISPs will have to delete internet usage records, called IP logs, when a customer requests it. Elsewhere, including in the UK, governments have been moving to force ISPs to keep logs for longer than previously for law enforcement reasons.
Governments and security agencies are keen that ISPs keep records for as long as possible so that the activities of users are recorded and retrievable for use as evidence. The records kept relate only to the time of communications and the identity of the caller, not the content of communications.
The European Commission was behind a Data Retention Directive which was approved by the European Parliament last February. The Directive asks member states to pass laws ordering ISPs and phone companies to keep information for a period between six months and two years, with each country choosing its own time period.
Germany has not yet passed the Directive into law, so there is no conflict between national legislation and the Directive. According to Rosemary Jay, of Pinsent Masons, the law firm behind OUT-LAW, a law based on the Directive will take precedence over old laws.
"If the law says you have to keep the data for six months, then even if someone asks for it to be deleted then the company can tell the person to go away because they have a legal obligation to keep it," said Jay. "After that six months they can delete the information because there is no legal obligation."
ISPs have traditionally opposed the keeping of IP logs for longer than is necessary for billing because of the extra cost and administrative burden of keeping data for up to two years. Amongst the uses of the IP log data has been as evidence in file sharing cases brought by entertainment companies against suspected unauthorised sharers of protected works.