Court extends fundamental rights of freedom from German surveillance to all foreigners across the globe, forcing BND to scrap telecommunications surveillance strategies
In 2016, German lawmakers approved a highly controversial espionage law that effectively authorized unlimited surveillance on non-Germans. At the time, the law was widely criticized. “The most controversial section of the law is a clause allowing the Bundesnachrichtendienst (BND) to intercept communications of foreign entities and individuals on German soil and abroad which pass through a major internet exchange point in Frankfurt.” The BND is transparent in its voraciousness, explaining on its website, “the BND uses intelligence resources at its disposal to collect information unobtainable by any other means.” In 2017, it amended the law to legalize additional practices of the BND.
On May 19, 2020, the German Constitutional Court struck down significant parts of the law. The Court held that under Art. 1(3) GG German state authority is bound by the fundamental rights of the Basic Law which affords protection against telecommunications surveillance as rights against state interference for both domestic German citizens and for foreigners in other countries. This is the first time that the protections against surveillance and eavesdropping under the German constitutional or Basic Law have been extended to foreigners outside the country’s borders.
As reported by Deutsche Welle, “the BND had considered foreign nationals living outside Germany essentially fair game, as they assumed they were not protected by Germany’s constitution.”
The ruling applies without regard to the location of the spying.
Under German law, the law was required to take into account fundamental rights (Zitiergebot) as required under Art. 10(1) GG. The law also failed to satisfy the key requirements set by fundamental rights in substantive terms. As the ruling was explained by the Court: “In particular, the surveillance is not restricted to sufficiently specific purposes and thereby structured in a way that allows for oversight and control; various safeguards are lacking as well, for example with respect to the protection of journalists or lawyers.”
The ruling will be a blow to efforts by the U.S. to implement new bilateral agreements under the CLOUD Act. As described in a recent blog post by Dean Susan Stephan:
“Under the Act, (1) US government and law enforcement officials may direct an overseas company to produce customer communications data pertaining to a US person; and (2) non-US law enforcement officials may gain access to data stored in the US, but only in conjunction with investigations involving “serious crime, including terrorism” and only when an “executive agreement” is in place between the US and the relevant non-US governments prior to a release of access to the requested data.
The decision of the German Constitutional Court does not ban data gathering or data sharing, but it instead requires that the law be revised to provide much narrower constraints on the information being collected and require greater specificity in the needs for the data. It also requires safeguards for journalists, lawyers, and others who could be targeted as a result of information collected and shared by the BND.
The decision highlighted the concerns that were triggered by the revelations by Edward Snowden in 2013 and the role of the NSA in tapping Chancellor Angela Merkel’s own cell phone. The decision chastised the open-ended nature of the legislation.
[T]he exceptionally broad scope and the indiscriminate effect of strategic telecommunications surveillance is particularly aggravating. Such surveillance can be used against anyone without specific grounds; objective thresholds for the use of these powers are not required, neither with regard to the situations that can give rise to surveillance measures nor to the individuals that may be affected by them. Yet such powers have an exceptional reach, particularly given the possibilities of modern information technology and its significance for communication relations. It must be taken into account that – unlike in previous decisions of the Court on telecommunications surveillance – they allow for targeted surveillance of specific individuals and open up the possibility of retention and holistic analysis of unselected traffic data. Today, this tool allows for the analysis and collection of highly private and spontaneous communication processes reaching far into everyday life as well as the identification of interests, desires and preferences reflected in Internet usage.
The decision provides clear guidance on what the minimum requires will be for revised legislation. The demands by the Constitutional Court require a fundamental rethinking of the broad-based surveillance in use by the BND and its partners in the NSA and other international data collection agencies. The list of changes include the following admonitions:
Strategic surveillance must be designed in line with the tasks of gathering foreign intelligence and on this basis be restricted in accordance with the principle of proportionality. For the most part, the challenged provisions do not satisfy this requirement.
a) The Basic Law does not allow for global and general surveillance, not even for the purpose of gathering foreign intelligence. Therefore, the legislator must impose restrictions on the volume of data to be taken from the respective transmission channels and on the geographical area covered by surveillance.
b) The law must clearly provide that prior to a manual analysis domestic communications and, as the case may be, communications involving Germans or persons within Germany on at least one side be separated from the other data as far as scientifically and technically possible. It must be ensured that for any case where this is not successful, the respective data is immediately deleted when manually examined. There may only be very limited exceptions, which must be provided for by law.
c) The legislator must determine the purposes of surveillance with sufficient precision and legal clarity. If strategic surveillance serves to identify dangers, it must be substantially restricted to limited and specific purposes of great weight. Insofar as surveillance is only intended to help prepare decisions of the Federal Government, the law can allow it within the entire remit of the Federal Intelligence Service. However, a change in purpose or the transfer of data to other entities must then generally be ruled out.
d) To compensate for the lack of objective thresholds for the use of powers, surveillance measures must be broken down into formally determined and sufficiently specific categories. Procedural safeguards must ensure that surveillance measures are based on specific purposes and thus allow for oversight. The legislator itself must set out the essential framework for the analysis of collected data. This includes the requirement to analyse data without undue delay, the applicability of the requirement of proportionality to the selection of keywords, provisions governing intrusive methods of data analysis, and adherence to specific prohibitions of discrimination.
e) The power to store and retain traffic data in its entirety in the context of the gathering of foreign intelligence must be restricted with regard to the volume of data that can be collected; it may not be stored for more than six months.
f) In relation to foreigners, targeted surveillance of the communications of specific individuals, for example on the basis of an identifier, is not generally impermissible. Nonetheless, restrictions are required that take into account the affected persons’ need for protection. In any case, the law must definitively set out the reasons and aspects subject to which strategic surveillance measures may target specific individuals. In this respect, the legislator must create a separate mechanism for protection of individuals that could be of direct interest to the Intelligence Service, either because they might cause danger or because of follow-up measures to be taken against them.
g) In addition to this, special requirements apply to the protection of professional groups or groups of persons whose communications call for increased confidentiality. The targeted intrusion into such relationships of trust meriting confidentiality protection, for example involving lawyers or journalists, cannot be justified simply because the desired information might be of use to intelligence services. Rather, targeted surveillance of such groups must be tied to qualified thresholds for the use of powers. If it only becomes apparent during analysis that data concerning relationships of trust meriting particular confidentiality protection has been collected, an additional balancing is required to determine whether the respective communications may be analysed and used. Which relationships merit protection, is determined on the basis of the decisions on values enshrined in the fundamental rights of the Basic Law.
h) Furthermore, the legislator must take into account the core of private life. Analysis must cease as soon as it becomes apparent that surveillance is encroaching on the core of private life; even where mere doubts arise, the measure may only be continued in the form of recordings that are examined by an independent body prior to analysis. Intelligence relating to the highly personal domain may not be used and must be deleted immediately.
i) Finally, the principle of proportionality calls for deletion requirements. The legislator must ensure that data does not remain stored without justification by creating duties to monitor data storage at sufficiently short intervals. The key steps of data deletion must be documented insofar as this is sensible and necessary for independent oversight.
It will take both governments time and coordination to bring the new legislation through the German parliamentary process and then to craft a bilateral agreement under the CLOUD Act. Nonetheless, given the high level of coordination between the BND and the NSA, this work will likely be prioritized in the coming months.