On April 22, 2026, Germany's federal cabinet approved a draft bill — the Gesetzentwurf zur vorsorglichen Sicherung von IP-Adressen — that would require every internet access provider to store each customer's IP addresses and port numbers for three months, without cause or individual suspicion. Justice Minister Stefanie Hubig framed it narrowly: providers must keep IP and port data only, while "Standortdaten und andere Verkehrsdaten" — location data and records of which websites were visited — are explicitly excluded. The government's core argument is that "IP-Adressen sind oft der einzige Ansatzpunkt, um Täter bei internetbezogener Kriminalität zu identifizieren" — IP addresses are often the only lead for identifying perpetrators in internet-related crime.
This is Germany's third attempt at telecom data retention. The previous two, a 2008 mandate and a 2015 successor, both fell: first struck down by the Federal Constitutional Court, later neutralized after the Court of Justice of the European Union (CJEU) ruled untargeted retention incompatible with EU law. The political instinct to try again is understandable, and the steelman is real.
The strongest case for the bill
Law enforcement's frustration is not invented. For crimes that leave almost no physical trace — distribution of child sexual abuse material, account takeovers, online extortion — an IP address logged at a moment in time is frequently the single thread investigators can pull. Today, German providers retain those logs only for a few days for billing and operational reasons, so by the time a complaint reaches a prosecutor and a court issues an order, the record is already gone. Hubig's bill also imports a genuinely proportionate tool from the opposition's own playbook: a Sicherungsanordnung, or quick-freeze order, letting investigators command a provider to preserve specific data for up to three months (extendable once with judicial sign-off) when a suspicion already exists. On its face, three months of IP-only retention is a far lighter footprint than the location-and-metadata dragnets of the past.
The legal bet — and its limits
The bill is engineered around a specific opening. In its April 30, 2024 judgment in Case C-470/21 (La Quadrature du Net), the CJEU partly reversed its earlier stance and held that general and indiscriminate retention of IP addresses does not necessarily constitute a serious interference with fundamental rights — but only where national law guarantees a "genuinely watertight separation" between IP addresses and civil-identity data, so that retention cannot be used to draw precise conclusions about a person's private life. Where it can, access must be subject to prior review by a court or independent body.
That is a narrow gate, not an open door. The industry association eco argues the draft walks straight past it. Board member Klaus Landefeld calls the result "indiscriminate data retention without demonstrable added value for law enforcement," and warns the bill shifts oversight "from a prior judicial review to subsequent notifications" — precisely the procedural safeguard the CJEU said must come before access in sensitive cases, not after. eco's chairman Oliver Süme has been blunter still, calling it a clear breach of European law with no real investigative benefit. When a government builds an entire surveillance mandate on one favorable paragraph of a single ruling, it is taking a litigation bet, not establishing settled law.
The 13-month problem
The most damaging critique is not legal but engineering. The "three months" in the statute measures from when an IP address is de-assigned — but modern fiber connections rarely drop. The forced 24-hour reconnect of old DSL lines is gone; on fiber, a single session can persist for weeks or months. As netzpolitik.org documented, if a connection stays up for ten months, the assigned IP remains identifiable for that entire session plus the three-month statutory window — roughly 13 months of de facto retention. The legal label says three; the lived reality on Germany's fastest infrastructure says something closer to a year. eco makes the same point in operational terms: "a statutory deadline only has an effect if it can also be reliably adhered to in day-to-day operations," and in "modern network architectures with long-lasting or persistent connections" the limit is circumvented in practice. A retention ceiling that quietly quadruples on exactly the connections Germany is subsidizing nationwide is not a proportionate measure — it is an unbounded one wearing a proportionate label.
A better path exists
The honest objection to this bill is not "never collect IP data." It is that a suspicionless three-month mandate — that becomes 13 months on fiber, rests on contested legal ground, and creates a standing target that the Chaos Computer Club rightly notes would be "attractive to all kinds of data criminals" — is the wrong instrument when a sharper one is already in the same bill. The quick-freeze Sicherungsanordnung preserves data when suspicion arises, under judicial control, without conscripting every law-abiding subscriber's connection record into a permanent database. That is the model the CJEU's reasoning actually favors and the one eco has repeatedly endorsed.
Germany has now lost this argument in court twice. The Bundestag's task is not to find a cleverer way to retain everyone's data, but to fund and operationalize the targeted tool that survives constitutional scrutiny. Proportionate regulation means matching the intrusion to the suspicion — and on that test, quick-freeze wins and the blanket mandate fails.