Germany's Third Data Retention Bid Fails the Same Proportionality Test That Ended the First Two

Berlin's mandatory IP retention bill arrives with weaker judicial safeguards than EU courts have repeatedly demanded — and the Bundesrat wants to make it worse.

[Infographic: Germany's IP Retention Bill: The Numbers (People of Internet Research). 13 months: actual fiber retention. 6 months: Bundesrat's demand. 2-3 weeks: BKA sufficient window.]

Key Takeaways

On April 22, 2026, Germany's federal Cabinet approved a bill requiring every internet service provider in the country to store the IP addresses and port numbers of all customers for three months — no suspicion required, no court order necessary to trigger retention. When the Bundesrat took up the legislation on June 12, its legal committee didn't push back on the concept. It pushed for more: a doubling of the retention period to six months and an expansion of access rights to state police and intelligence agencies across all sixteen German states. Germany's leading internet industry association, eco, called the upper house's position "a blueprint for digital mass surveillance." They are not wrong — but the deeper problem is that Germany has been here before, twice, and the legal landscape since 2022 gives this third attempt a narrower path to survival than proponents admit.

The Government's Case

Justice Minister Stefanie Hubig has been consistent in her framing: IP addresses are often "the only lead" investigators have when tracking child exploitation, online fraud, and digital violence. Several European peers — France, the Netherlands, the Czech Republic — maintain some form of IP logging requirement. Crucially, the European Court of Justice's April 2024 ruling in La Quadrature du Net (C-470/21) cracked open a narrow legal window: IP-address-only retention may be permissible under EU law, the court held, provided there is a genuinely watertight separation between IP data and content, and provided access is subject to prior judicial review rather than subsequent notification. This is the legal hook on which the current bill hangs. The case for some targeted IP retention is not absurd.

Why This Bill Misses the Target

The problem is that the draft legislation fails to implement the conditional safeguards the CJEU attached to that permission.

First, judicial oversight. The 2024 La Quadrature ruling explicitly requires prior review by a court or independent administrative body before investigators access retained data. Germany's bill shifts that to subsequent notification — a mechanism eco warns "cannot ensure effective legal protection to the same extent." This is not a technicality. It is precisely what the court identified as the distinction between a proportionate measure and a dragnet.

Second, the stated retention period is a fiction on modern infrastructure. Under the bill's current drafting, the three-month clock starts when a connection terminates — not when it begins. On fibre networks, where sessions commonly persist for ten months or more without forced disconnection, the arithmetic is damning: mobile operators told the Bundestag that a connection lasting approximately ten months results in a total storage duration of thirteen months. Germany's Federal Bar Association (BRAK) noted that even the nominal three-month window lacks empirical justification. A BKA official previously suggested that two to three weeks of retention would already constitute "a significant gain" for investigators. Thirteen months of population-wide storage to obtain what targeted two-week preservation might provide is not proportionality.

A Pattern the Courts Have Already Adjudicated

This is Germany's third attempt at mandatory data retention. The Federal Constitutional Court (BVerfG) struck down the 2007 law in March 2010, finding it lacked adequate data protection safeguards under Article 10 of the Basic Law. The 2015 attempt — a ten-week retention window for connection data and four weeks for location data — was effectively frozen by the CJEU's September 2022 ruling in SpaceNet AG, which found German legislation mandating "indiscriminate retention" incompatible with EU law. That decision built on the court's 2016 Tele2/Watson judgment: bulk collection without individualised suspicion allows authorities to draw "very precise conclusions about the private lives" of entire populations, not just suspects.

The current bill tries to thread the needle the court left open in 2024. But the Bundesrat's June 12 amendments — doubling retention and widening access to sixteen state-level security architectures simultaneously — move every parameter in exactly the wrong direction.

The Surveillance Infrastructure Problem

eco's "blueprint for digital mass surveillance" warning is analytically accurate even if rhetorically pointed. The significance of the bill is not only its direct effect on ISP logs. It is about what retention infrastructure enables downstream. Once data is stored at population scale, the question of who can access it — and under what legal threshold — tends to expand over time. The Bundesrat's proposal to extend access to all state police forces illustrates this dynamic precisely: a federal bill drafted for specific investigative purposes becomes, within weeks, a system designed to feed sixteen different security architectures.

VPN users in Germany face a compounding exposure. Their ISP still holds the IP address assigned before the VPN tunnel is established, meaning even encrypted connections do not eliminate the retention footprint that investigators could later map. The bill effectively treats every German internet user as a potential subject of future investigation from the moment they go online.

What a Proportionate Alternative Looks Like

Both BRAK and eco have pointed toward an answer the government has declined to adopt: targeted preservation orders. Under a quick-freeze model, an ISP stores traffic data for a specific subscriber only after a court issues an order tied to a specific investigation. No suspicion, no storage. This satisfies the CJEU's prior-review requirement, avoids the mass-collection architecture, and does not require ISPs to build and secure databases that are themselves high-value targets for breach or misuse. Several EU member states operate functional quick-freeze regimes today.

Germany Cannot Afford Another Strike

eco has also flagged a less visible casualty: Germany's competitiveness as a digital business location. Internet providers face significant compliance costs building storage infrastructure whose legal status may be invalidated for the third time by the BVerfG or the CJEU. Investment in surveillance-compliance systems that courts will likely strike down is not regulatory proportionality — it is regulatory churn. Berlin cannot lead on AI and digital infrastructure while forcing ISPs to run data-retention regimes its own courts have already twice found incompatible with fundamental rights. The Bundesrat's amendments make the legal challenge easier to mount, not harder. That should read as a signal, not an opportunity.

Sources & Citations

  1. German Federal Justice Ministry — Cabinet IP Retention Bill (April 22, 2026)
  2. CJEU — Tele2/Watson Ruling (C-203/15 and C-698/15)
  3. CJEU — La Quadrature du Net Press Release (C-470/21, April 2024)
  4. eco — Bundesrat Must Not Create Blueprint for Mass Surveillance (June 2026)
  5. eco — Significant Risks in IP Storage After Cabinet Decision (April 2026)
  6. Netzpolitik.org — Effective Retention Far Exceeds Three Months
  7. Netzpolitik.org — Bundesrat Wants to Expand Data Retention Significantly