You are here:
H e a d n o t e s
to the Order of the First Senate of 10 November 2020
- 1 BvR 3214/15 -
(Counter-Terrorism Database Act II)
- Provisions that allow for data sharing between police authorities and intelligence services must meet the specific constitutional requirements deriving from the standard of a hypothetical re-collection of data (“principle of the separation of police and intelligence data”).
- The weight of interference of the collective use of a joint database for police authorities and intelligence services is further increased through “extended use” (data-mining).
- The extended use of a joint database for police authorities and intelligence services must be limited to the purpose of protecting particularly weighty legal interests and must be subject to sufficient thresholds for carrying out measures constituting interference that are set out in precisely defined and clear legal provisions.
- Extended use for intelligence analysis purposes must, in each individual case, be necessary for investigating a specific action or group that warrants surveillance by the intelligence services, requiring that the type and timeframe of the incident that might occur are sufficiently identifiable and foreseeable.
- Extended use for purposes of averting dangers to public security requires at least the existence of a sufficiently identifiable danger.
- Extended use for purposes of prosecuting criminal offences requires a suspicion based on specific facts that are supported by sufficiently concrete and tangible circumstances.
FEDERAL CONSTITUTIONAL COURT
- 1 BvR 3214/15 -
IN THE NAME OF THE PEOPLE
In the proceedings
on
the constitutional complaint
of Mr S…, |
against |
§ 6a of the Act on Establishing a Standardised Central Counter-Terrorism Database for Police Authorities and Intelligence Services of the Federation and the Länder (Gesetz zur Errichtung einer standardisierten zentralen Antiterrordatei von Polizeibehörden und Nachrichtendiensten von Bund und Ländern – Antiterrordateigesetz , Counter-Terrorism Database Act) of 22 December 2006 |
|
(Federal Law Gazette – Bundesgesetzblatt I p. 3409) as amended by the Act Amending the Counter-Terrorism Database Act and other Acts (Gesetz zur Änderung des Antiterrordateigesetzes und anderer Gesetze ) of 18 December 2014 (Federal Law Gazette I p. 2318) |
the Federal Constitutional Court − First Senate −
with the participation of Justices
President Harbarth,
Paulus,
Baer,
Britz,
Ott,
Christ,
Radtke
held on 10 November 2020:
- 1. § 6a(2) first sentence of the Act on Establishing a Standardised Central Counter-Terrorism Database for Police Authorities and Intelligence Services of the Federation and the Länder (Gesetz zur Errichtung einer standardisierten zentralen Antiterrordatei von Polizeibehörden und Nachrichtendiensten von Bund und Ländern − Antiterrordateigesetz , Counter-Terrorism Database Act) of 22 December 2006 (Federal Law Gazette I p. 3409) as amended by the Act Amending the Counter-Terrorism Database Act and other Acts (Gesetz zur Änderung des Antiterrordateigesetzes und anderer Gesetze ) of 18 December 2014 (Federal Law Gazette I p. 2318) is not compatible with Art. 2(1) in conjunction with Art. 1(1) of the Basic Law (Grundgesetz ) and is therefore void.
- 2. For the rest, the constitutional complaint is rejected.
- 3. The Federal Republic of Germany must reimburse the complainant half of his necessary expenses incurred in the constitutional complaint proceedings.
R e a s o n s:
A.
[Excerpt from Press Release No. 104/2020 of 11 December 2020
The counter-terrorism database is a joint database for police authorities and intelligence services of the Federation and the Länder that serves to combat international terrorism. For standard cases, § 5(1) no. 1(a) of the Counter-Terrorism Database Act (Antiterrordateigesetz – Counter-Terrorism Database Act, ATDG) only permits authorities entitled to submit requests to directly access the basic data stored in the counter-terrorism database to identify those persons who were the object of the request; such data includes name, sex and date of birth (§ 3(1) no. 1(a) ATDG). This access does not cover the extended data stored in the database (§ 3(1) no. 1(b) ATDG), which includes bank account details, marital status and ethnicity, unless an exception for urgent cases applies, and then only subject to strict conditions.
§ 6a ATDG was inserted into the Act by the Act Amending the Counter-Terrorism Database Act and other Acts (Gesetz zur Änderung des Antiterrordateigesetzes und anderer Gesetze ) of 18 December 2014 and entered into force on 1 January 2015. Under certain conditions and in the context of a “project”, the provision permits the extended use of the types of data stored in the database pursuant to § 3 ATDG. Hidden data reserved for qualified access pursuant to § 4 ATDG is excluded from such extended use. § 6a(1) to (3) ATDG distinguish between the different purposes of extended use: § 6a(1) ATDG permits extended use in the context of a specific project in the individual case to gather and analyse information on international terrorist activities, § 6a(2) first sentence ATDG permits such use for the prosecution of qualified criminal offences of international terrorism, and § 6a(3) first sentence ATDG permits such use for the prevention of such qualified criminal offences.
In § 6a(5) ATDG, the legislator defines the term ‘extended use’. It includes establishing connections between persons, groups of persons, institutions, objects and matters, excluding insignificant information and intelligence, associating incoming information with known facts and statistically analysing stored data (first sentence). In this context, the federal authorities involved may also request data by entering phonetic or incomplete data, searching across several data fields, linking persons, institutions, organisations or matters, or by limiting search criteria to a certain time period; they may also make use of territorial or other connections between persons and of links between persons, groups of persons, institutions, objects and matters as well as prioritise certain search criteria (second sentence). Thus, § 6a ATDG authorises the direct use of the counter-terrorism database to generate new intelligence from the relationships between stored data (so-called data-mining).
With his constitutional complaint, the complainant challenges only § 6a ATDG, claiming that his fundamental right to informational self-determination (Art. 2(1) in conjunction with Art. 1(1) of the Basic Law, Grundgesetz – GG) has been violated.
End of excerpt]
[…]
I.
[…]
II.
[…]
III.
Statements in respect of the constitutional complaint were submitted by the Federal Government, the then Federal Commissioner for Data Protection and Freedom of Information, the Bavarian Land Government and the Bavarian Data Protection Commissioner.
[…]
B.
The constitutional complaint, which is directed at § 6a ATDG in its entirety, is admissible. The complainant has standing to lodge a constitutional complaint (see I. below). The requirements of subsidiarity have been satisfied (see II. below). Lastly, the matter is not determined by EU law and may therefore be decided by the Federal Constitutional Court (see III. below).
I.
The complainant has standing to lodge a constitutional complaint (cf. Art. 93(1) no. 4a GG, § 90(1) of the Federal Constitutional Court Act, Bundesverfassungsgerichtsgesetz − BVerfGG). A violation of the fundamental right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) GG appears possible based on the complainant’s submissions (see 1. below). In light of the complainant’s lack of knowledge of the data included in the database and the indiscriminate effect of data use, the complainant is also directly, individually and presently affected (see 2. below).
1. […]
2. The challenged provision affects the complainant directly, individually and presently. His complaint also meets the specific requirements applicable to constitutional complaints directly challenging statutory provisions.
a) A complainant is only directly affected by a statutory provision if it interferes with the complainant’s rights without requiring any further implementation measures. If execution of a statutory provision requires – either by law or based only on the practice of the authorities – a specific implementation measure that is contingent upon an intentional decision by the executing authority, complainants must generally challenge this implementation measure first and exhaust all available legal remedies before lodging a constitutional complaint (cf. Decisions of the Federal Constitutional Court, Entscheidungen des Bundesverfassungsgerichts – BVerfGE 1, 97 <101 ff.>; 109, 279 <306>; established case-law). However, it must be assumed that complainants are directly affected by a legal provision that requires implementation where seeking legal recourse is not possible because they have no way of knowing whether a measure was carried out or where, even though a requirement to notify the data subject ex post is applicable, this can be disregarded, given that it can be waived even over longer periods on the basis of extensive exceptions (cf. BVerfGE 150, 309 <324 para. 35>; established case-law). In this case, by requesting information on the storage of his data pursuant to § 10(3) ATDG from the Federal Criminal Police Office (Bundeskriminalamt ) or other authority involved, the complainant will not obtain reliable information about the data stored in respect of his person or information about its extended use (cf. also BVerfGE 133, 277 <312 para. 84>; 150, 309 <324 f. para. 36>).
b) The complainant is also individually affected by the challenged provision. Given that he cannot obtain reliable information about the implementing measures, it suffices to submit that he will, with some degree of probability, be affected by them. He has done so sufficiently here. Statements in which complainants would have to incriminate themselves are not required to prove individual affectedness, neither is a submission that the complainant is responsible for activities that threaten public security or are of interest to the intelligence services (cf. BVerfGE 130, 151 <176 f.>; 133, 277 <312 para. 86>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 75 − Subscriber data II).
c) The complainant is also presently affected by the challenged provision (cf. also BVerfGE 64, 301 <319>), although apparently § 6a ATDG has not yet been applied in practice. The Federal Government did not state that it would no longer use the powers set out in § 6a ATDG but only that no projects have been initiated or implemented to date. The technical prerequisites can, however, be put into place at any time without the public or the complainant becoming aware of this or of any storage or extended project-related use of this data pursuant to § 6a(1) to (3) ATDG. Therefore, the fact that the challenged provision has not been applied to date does not preclude admitting the constitutional complaint.
II.
The constitutional complaint satisfies the requirements of subsidiarity (§ 90(2) BVerfGG). Before lodging a constitutional complaint against a statutory provision, a complainant must generally exhaust all available means to remedy the asserted violation of fundamental rights. Reasonable legal remedies may include lodging an action for a declaratory judgment or an action for an injunction, which allow the ordinary courts to clarify those facts or legal issues of ordinary (non-constitutional) law that have a bearing on the decision (cf. BVerfGE 150, 309 <326 ff. para. 41 ff.>; established case-law). It is a different matter, however, where only the constitutionally mandated limits on judicial interpretation are concerned. Where the assessment of a provision raises only specific questions of constitutional law that are for the Federal Constitutional Court to answer, without any improved basis for decision-making to be expected from a prior examination carried out by an ordinary court, there is no need for such prior decision (cf. BVerfGE 123, 148 <172 f.>; 143, 246 <322 para. 211>; 150, 309 <326 f. para. 44>; established case-law). An obligation to bring an action before the ordinary courts may also be unreasonable (unzumutbar ) for other reasons (cf. BVerfGE 150, 309 <327 f. para. 45>).
According to the above, the complainant did not have to seek legal protection against the challenged provision before the ordinary courts. The constitutional complaint, directed exclusively against § 6a ATDG, in essence only raises specific questions of constitutional law that are for the Federal Constitutional Court to answer, without any improved basis for decision-making to be expected from a prior examination by an ordinary (non-constitutional) court. Given the statutory definition of “project” in § 6a(4) ATDG, no further clarification is to be expected from an ordinary court in that regard either.
The fact that the complainant could request information on the storage of his data pursuant to § 10(3) ATDG and then challenge the storage before the courts does not contravene the principle of subsidiarity either. This is because, on such a basis, the complainant could only challenge the fact that his data was actually stored at a certain time; however, he would still not be able to challenge the fact that such data storage can occur at any time, beyond his control and without him knowing about it. The option of bringing a constitutional complaint directly against a legal provision that allows covert measures to be carried out usually only lapses where data subjects are protected by ex post notification of the measure through an active notification requirement on the part of the state which is guaranteed by law (cf. BVerfGE 133, 277 <312 para. 84>). However, the Counter-Terrorism Database Act does not contain such a notification obligation, neither with regard to the storage of data nor use thereof on the basis of § 6a ATDG.
III.
The Federal Constitutional Court has jurisdiction to review the challenged provision against the standard of fundamental rights laid down in the Basic Law given that § 6a ATDG does not transpose any mandatory EU legislation into German law (cf. already BVerfGE 133, 277 <313 ff. para. 88 ff.>). EU law does not contain any provisions that require, let alone lay down exhaustive rules on, the establishment of a counter-terrorism database for police authorities and intelligence services.
1. The constitutional complaint would only be inadmissible if the provisions to be examined were fully determined by EU law. In principle, the Federal Constitutional Court does not review ordinary EU legislation and does not apply the fundamental rights laid down in the Basic Law to ordinary EU law as long as the EU’s fundamental rights guarantee effective protection of rights in general that is essentially equivalent to the protection of fundamental rights that is regarded as indispensable under the Basic Law, and as long as EU fundamental rights guarantee the essence (Wesensgehalt ) of the fundamental rights in general; in this respect, the examination of equivalence of the level of protection must be made on the basis of a general assessment of the respective fundamental right of the Basic Law in question (cf. BVerfGE 73, 339 <387>; 102, 147 <162 f.>; 125, 260 <306>; 152, 216 <235 f. para. 47 fine >; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 84 − Subscriber data II). These principles also apply to the review of national legislation transposing binding standards into German law (cf. BVerfGE 118, 79 <95 ff.>; Federal Constitutional Court, Order of the Second Senate of 11 March 2020 - 2 BvL 5/17 -, para. 65). Constitutional complaints directed against ordinary EU law that is binding in this regard are thus generally inadmissible (cf. BVerfGE 118, 79 <95>; 152, 216 <237 para. 51>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 84 − Subscriber data II).
Where, however, like in the present case, the provisions concerned are domestic provisions from areas of the law that have not, or not fully, been harmonised, the Federal Constitutional Court reviews the challenged provisions against the standard of the fundamental rights of the Basic Law. This applies regardless of whether and to what extent the challenged provisions might, in accordance with the case-law of the Court of Justice of the European Union, also be regarded as implementing EU law within the meaning of Art. 51(2) first sentence of the Charter of Fundamental Rights of the European Union (cf., however, in that regard BVerfGE 133, 277 <315 para. 90>) and therefore the EU fundamental rights may also apply (cf. BVerfGE 152, 152 <168 para. 39>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 und 1 BvR 2618/13 -, para. 87, 261 − Subscriber data II).
2. According to the above, the challenged provision must be reviewed against the standard of the Basic Law because, from the outset, it was not enacted to implement EU law. Its determination by EU law can neither be inferred from the ePrivacy Directive nor from the JHA Data Protection Directive nor from the Directive on combating terrorism.
Notwithstanding the question of its general applicability to security authorities and intelligence services in the light of Art. 4(2) third sentence TEU, according to its Art. 1(1), the Directive on privacy and electronic communications (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, “ePrivacy” Directive [OJ L 201 of 31 July 2002, p. 37]) only applies to the processing of personal data in the electronic communications sector and the free movement of such data and of electronic communication equipment and services in the EU and thus not to the state’s use of data stored by security authorities (cf. CJEU, Judgment of 6 October 2020, Privacy International, C-623/17, EU:C:2020:790, para. 48; Judgment of 6 October 2020, La Quadrature du Net, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, para. 103).
Art. 1(1) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119 of 4 May 2016, p. 89, hereinafter: JHA Data Protection Directive) lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and prevention of threats to public security. Art. 8 of the JHA Data Protection Directive requires data processing to be necessary for the performance of a task carried out by a competent authority for the purposes of prosecuting criminal offences and preventing threats in accordance with Art.1(1) of the JHA Data Protection Directive. Art. 11 of the JHA Data Protection Directive prohibits adverse effects of automated data processing except if authorised by law and if the rights and freedoms of the data subjects are safeguarded, Art. 12 ff. of the JHA Data Protection Directive lay down the rights of the data subject, Art. 19 ff. of the JHA Data Protection Directive lay down the obligations of controllers and processors. § 6a ATDG is clearly not meant to implement these provisions, which, moreover, do not contain any specifics on how to establish or structure a counter-terrorism database and process such data (cf. already BVerfGE 133, 277 <315 para. 90>).
According to its Art. 1(1), the Directive on combating terrorism [Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88 of 31 March 2017, p. 6), hereinafter: Directive on combating terrorism] establishes “minimum rules concerning the definition of criminal offences and sanctions in the area of terrorist offences, offences related to a terrorist group and offences related to terrorist activities, as well as measures of protection of, and support and assistance to, victims of terrorism.” Neither of the provisions directly concerns the prevention of threats to public security or the prosecution of criminal offences as such. Art. 20 of the Directive on combating terrorism merely states that the Member States shall take the necessary measures to ensure that effective investigative tools are available. Art. 2 of Council Decision 2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning terrorist offences (OJ L 253 of 29 September 2005, p. 22 in the version of the Directive on combating terrorism) provides that Member States shall, in accordance with national law, send all relevant information concerning and resulting from criminal investigations conducted by their law enforcement authorities with respect to terrorist offences to Eurojust, Europol and the other Member States. The Decision does not oblige the Member States to set up counter-terrorism databases or to lay out rules with regard to them or their processing, nor does it impose any other final requirements on the Member States in this regard.
C.
The constitutional complaint is in part well-founded. Extended project-related data use under § 6a ATDG interferes with the complainant’s right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) GG (see I. below). While this provision is formally constitutional (see II. below), the specifics of subsection 2 first sentence are disproportionate (see III. below).
I.
The right to informational self-determination addresses risks to and violations of an individual’s personality resulting from information-related measures in the context of modern data processing (cf. BVerfGE 65, 1 <42 f.>; established case-law). The right to the free development of one’s personality requires that the individual be protected against the unlimited collection, storage, use and sharing of their personal data. This protection is part of the fundamental right under Art. 2(1) in conjunction with Art. 1(1) GG. This fundamental right confers upon individuals the authority to, in principle, decide themselves on the disclosure and use of their personal data. This becomes particularly relevant where state authorities use and link personal information in a manner which the affected person can neither foresee nor control, thus jeopardising the development of their personality (cf. BVerfGE 118, 168 <184>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 92 with further references − Subscriber data II).
§ 6a(1) to (3) ATDG interferes with the right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) GG by allowing the authorities involved extended project-related use of the types of data stored in the database pursuant to § 3 ATDG (on how further use of data amounts to interference, BVerfGE 133, 277 <317 para. 95>; established case-law).
The interference here lies not only in the further use of previously separate data but also in the expanded access that “extended use” renders possible. § 6a(5) first sentence ATDG describes this as “the establishment of links between persons, groups of persons, institutions, objects and matters, the exclusion of insignificant information and intelligence, the matching of incoming information with known facts and statistical analysis of stored data”. This enables the authorities involved to generate far-reaching intelligence from the available data using practically all available IT methods (cf. § 6a(5) second sentence ATDG) and to deduce new connections by way of data analysis. Linking data makes it possible to carry out multi-level analyses, from which new suspicions may arise as well as further steps in the analysis or operational measures following therefrom. The disadvantages faced by data subjects as a result of a measure carried out pursuant to § 6a ATDG can therefore be considerable and significantly increase the weight of the negative impact on the individual (cf. on electronic profiling, which is comparable in this respect, BVerfGE 115, 320 <347, 351 ff.>).
“Extended project-related use” as laid down in § 6a ATDG thus constitutes a typical case of data-mining. According to a definition provided by the Federal Government, data-mining involves the use of processes and methods “with which large volumes of pre-existing data, mostly based on statistical mathematical methods, are independently analysed for links in order to generate ‘new intelligence’” (response of the Federal Government to the Minor Interpellation posed by members of the Bundestag Jelpke et al., and by the parliamentary group DIE LINKE, Bundestag document, Bundestagsdrucksache – BTDrucks 17/11582, p. 3). Prior to the insertion of § 6a ATDG, such extended use was not permitted. The Counter-Terrorism Database Act definitely did not permit profiling, bulk searches or searches for general links between persons by combining data fields (cf. BVerfGE 133, 277 <361 para. 194>). Furthermore, the use of the counter-terrorism database was limited to facilitating inter-agency requests for information. Only in urgent cases did § 5(2), § 6(2) ATDG allow access to (extended) basic data and its use even in respect of operational measures.
II.
Fundamental rights may only be interfered with on the basis of a law that is fully in conformity with the Constitution (cf. BVerfGE 6, 32 <37 ff.>; 80, 137 <153>; established case-law). This includes formal constitutionality, in particular the legislative competence of the Federation. The Federation was competent to enact § 6a ATDG pursuant to Art. 73(1) no. 10 GG […] and Art. 73(1) nos. 1 and 5 GG […].
[…]
III.
The specific set-up of extended project-related use of data in the context of the counter-terrorism database does not, however, fully satisfy in substantive terms the requirements under Art. 2(1) in conjunction with Art. 1(1) GG. The resulting interference with fundamental rights by authorities that have not entered this data in the database themselves is not in accordance with the principle of proportionality given that the necessary thresholds for carrying out measures constituting interference have not been set out in § 6a(2) ATDG. The intended limitation of extended use of data to a project within the meaning of § 6a(4) ATDG does not have the effect of rendering the interference with the right to informational self-determination proportionate; nor do the provisions laid down in subsections 6 to 8 change this fact.
1. a) Like any limitation of fundamental rights, an interference with the right to informational self-determination must be based on a statutory provision that pursues a legitimate purpose in the interest of the common good and, in addition, observes the principle of proportionality (cf. BVerfGE 65, 1 <44>; 100, 313 <359 f.>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 123 − Subscriber data II; established case-law). It must have a legitimate purpose, and must be suitable, necessary and proportionate in the strict sense for achieving that purpose (cf. BVerfGE 141, 220 <265 para. 93>; established case-law). It requires a statutory basis that sufficiently limits the data use to specific purposes (Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 123 – Subscriber data II; established case-law).
b) Moreover, all challenged powers must be measured against the principle of specificity and legal clarity, which serves to make interferences foreseeable for citizens, to effectively limit administrative powers and to ensure effective judicial review (cf. BVerfGE 113, 348 <375 ff.>; 120, 378 <407 f.>; 133, 277 <336 f. para. 140>; 141, 220 <265 para. 94>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 123 − Subscriber data II; cf. also CJEU, Judgment of 6 October 2015, Schrems, C-362/14, EU:C:2015:650, para. 91; ECHR (GC), S. and Marper v. the United Kingdom, Judgment of 4 December 2008, no. 30562/04 and others, § 99).
aa) The requirement of specificity mainly serves to ensure that the law subjects the government and administration to standards that direct and limit their actions, and that the courts can effectively review the lawfulness of their actions. The legislator must draft laws as specifically as possible, taking account of the particular nature of the underlying subject matter and the purposes pursued (BVerfGE 145, 20 <69 f. para. 125> with further references). It is sufficient if, when interpreting the relevant provision in line with the accepted rules of interpretation, it is possible to determine whether the actual conditions for the legal consequence laid down in the legal provision have been met. Any remaining uncertainties may not be so great that the predictability and justiciability of the actions taken by the public authorities granted power by the legal provision are called into question (cf. BVerfGE 134, 141 <184 para. 126>; 145, 20 <69 f. para. 125> with further references). The requirement of specificity is satisfied if problems of interpretation can be overcome by applying established legal methodology (BVerfGE 134, 141 <184 f. para. 127> with further references).
bb) In respect of legal clarity, the primary focus is on substantive comprehensibility of legislation, in particular so as to allow citizens to adapt to possible onerous measures (cf. BVerfGE 145, 20 <69 f. para. 125>). It imposes particularly strict requirements with regard to the covert collection and processing of data, as these can profoundly affect an individual’s private sphere. Since data subjects are usually not aware of the data processing and cannot defend themselves against it, its substance can be substantiated only to a very limited extent in the interplay of practical application and judicial review. Individually, however, the requirements do differ significantly depending on the weight of interference and are thus closely linked to the respective substantive requirements of proportionality (BVerfGE 141, 220 <265 para. 94>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 133 − Subscriber data II; each with further references; established case-law).
Because the administrative authorities, police and intelligence services limit fundamental rights here without citizens having knowledge thereof and often without access to judicial review, it must be possible, through interpretation, for the content of an individual provision to be determined in a comprehensible manner and without any major difficulty. While it may be possible to determine a rule’s substance by interpreting it, or while it may be specific in constitutional terms because it can be interpreted in conformity with the Constitution, this does not necessarily mean that it is clear to its addressees. In its case-law, the Federal Constitutional Court has, for example, considered long and non-transparent chains of references to constitute a violation of the principle of legal clarity (cf. BVerfGE 110, 33 <57, 62 f.>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 215).
c) In addition, specific requirements regarding transparency, legal protection and supervisory oversight follow from the principle of proportionality in the field of data protection (cf. BVerfGE 125, 260 <344 ff.>; 150, 244 <285 para. 101>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 265; Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 203 − Subscriber data II; established case-law), which are determined by the weight of interference of the provisions in each case. Legal protection and supervisory oversight can only ensure compliance with proportionate requirements, but they cannot replace such requirements. Workable provisions on the use and deletion of the data must also be guaranteed under constitutional law (cf. BVerfGE 65, 1 <46>; 150, 244 <285 para. 101>).
2. Extended data use pursuant to § 6a ATDG does pursue a legitimate aim (see a) below) and is suitable and necessary for achieving this aim (see b) below). However, in view of the considerable weight of the interference with the right to informational self-determination associated with extended data use, § 6a(2) first sentence ATDG does not meet the requirements of appropriateness (see c) below).
a) The counter-terrorism database pursues a legitimate aim (BVerfGE 133, 277 <321 para. 106>). The same applies to extended use pursuant to § 6a ATDG. The aim of the provision is to effectively combat terrorism (see in that regard BTDrucks 18/1565, p. 19) and thus to protect the continued existence and security of the state as well as life, limb and liberty of the population (cf. also BVerfGE 133, 277 <321 para. 106, 333 f. para. 133>; 141, 220 <266 para. 96>). Criminal acts that qualify as terrorism aim to destabilise society and, to this end, comprise attacks on the life and limb of random third parties through the ruthless instrumentalisation of others. They are directed against the pillars of the constitutional order and society as a whole. Providing effective means of gathering intelligence in order to combat terrorism is a legitimate aim and is of great significance for the free and democratic order (cf. BVerfGE 115, 320 <357 f.>; 120, 274 <319>; 133, 277 <333 f. para. 133>; 141, 220 <266 para. 96> with further references).
b) § 6a ATDG is also suitable for achieving this aim. By establishing links between persons, groups of persons, institutions, objects and matters, by excluding insignificant information and intelligence, by linking incoming information with known facts as well as statistically analysing the data stored in the counter-terrorism database by police and intelligence services, the extended use of data in § 6a ATDG makes it possible to establish previously unknown connections between different persons stored in the counter-terrorism database and their data (data-mining), which can facilitate law enforcement and maintaining public security as well as the further investigation of certain structures by the intelligence services.
The provision is also necessary. Less intrusive means which would be equally effective in establishing such connections have neither been presented by the parties nor are they discernible. Using the counter-terrorism database solely as an index file not only slows down the establishment of such connections, it is likely to prevent them altogether, for example, if contacts are stored separately from the person considered to pose a threat.
c) § 6a(2) first sentence ATDG does not, however, satisfy constitutional requirements with regard to appropriateness.
aa) The principle of proportionality in the strict sense requires, in particular, that the curtailing of freedoms protected by fundamental rights not be disproportionate to the purposes in the interest of the common good invoked to justify such curtailment. The legislator must strike an appropriate balance between the interests of the individual and the general public. In doing so, the prohibition of excessive measures (Übermaßverbot ) must be adhered to: the extent and weight of interference must be balanced against the significance of the provision in enabling the state to effectively exercise its functions. The principle of proportionality in the strict sense requires that the legislator maintain a balance between the nature and intensity of the fundamental rights impairment, on the one hand, and the statutory prerequisites for carrying out the measures constituting an interference, on the other; the latter include the threshold for interference, the required factual basis and the weight of the protected legal interests (cf. BVerfGE 100, 313 <392 ff.>; 115, 320 <360>; 141, 220 <270 ff. para. 106 ff.>; 150, 244 <281 para. 91>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 130 with further references − Subscriber data II; established case-law).
The weight of interference is primarily determined by the type, scope and possible uses of the data as well by the risk of its misuse (cf. BVerfGE 65, 1 <45 f.>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 129 − Subscriber data II). In this regard it is important, among other things, how many holders of fundamental rights are affected by impairments, how intense these impairments are, and on what basis they occur, in particular whether the affected persons have prompted them. The design of the thresholds for interference, the number of persons affected as well as the intensity of the individual impairments are therefore decisive. The weight of the individual impairment depends on whether the affected persons remain anonymous, what personal information is collected and what disadvantages the holders of fundamental rights face, or have reason to fear on account of the measures (BVerfGE 115, 320 <347> with further references). Covert measures by the state result in more intrusive interferences (cf. Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 129 with further references − Subscriber data II), as do the denial in practice of ex ante legal recourse and the difficulty in seeking ex post legal recourse if it can be obtained at all (cf. BVerfGE 113, 348 <383 f.>; 118, 168 <197 f.>; 120, 378 <403>).
(1) Where a body that has not collected the data itself permits the extended use of existing data sets, proportionality in the strict sense is determined in accordance with the requirements deriving from the standard of a hypothetical re-collection of data (cf. BVerfGE 141, 220 <327 f. para. 287>).
(a) If the legislator permits further use of existing data, the rules for use must be proportionate. The legislator must make the re-use subject to the protection of significantly weighty legal interests (cf. BVerfGE 141, 220 <270 f. para. 106 ff.>; established case-law) as well as subject to sufficient thresholds for interference (cf. BVerfGE 141, 220 <271 ff. para. 109 ff.>; established case-law) (cf. most recently Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 130 − Subscriber data II). The conditions for and the scope of the data use laid down in the respective legal bases must be all the more limited, the more serious the interference involved is when the data is first collected. The legislator must specify precisely and clearly, for each subject matter, the grounds, purposes and scope of the respective interference (cf. BVerfGE 125, 260 <328>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 133 − Subscriber data II; each with further references).
In doing so, the legislator must ensure that the weight of interference resulting from the data collection is also taken into account when the data is used for new purposes or by other bodies (cf. BVerfGE 100, 313 <389 f.>; 109, 279 <377>; 120, 351 <369>; 130, 1 <33 f.>; 133, 277 <372 f. para. 225>; 141, 220 <326 f. para. 284>). Constitutional requirements for collecting, storing and processing data must not be circumvented by allowing authorities which, within their remit, are subject to less stringent requirements to share data with authorities that are subject to more stringent requirements (BVerfGE 133, 277 <323 f. para. 114>). Thus, in accordance with the principle of a hypothetical re-collection of data, it is decisive whether it would be permissible under constitutional law to also collect the data in question for the changed purpose (cf. BVerfGE 125, 260 <333>; 133, 277 <373 ff. para. 225 f.>; 141, 220 <327 ff. para. 287 ff.>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 216).
The principle of a hypothetical re-collection of data is not applied rigidly in a schematic manner and does not preclude the possibility that further aspects may be taken into consideration. For example, the fact that, given its remit, the authority receiving the transferred data is not entitled to collect certain data that the initial authority is entitled to transfer does not generally preclude the sharing of data. Moreover, aspects of simplification and practicality when creating rules regarding data transfer may justify the fact that not all individual requirements for data collection apply in equal detail to the sharing of data. This does not, however, affect the requirement of equivalence applicable to the new use (BVerfGE 141, 220 <327 f. para. 287> with further references). Where information is obtained through the surveillance of private homes or by accessing IT systems remotely, the requirements applicable to a change in purpose need not necessarily be identical to those applicable to the original data collection as regards the degree of specificity required for establishing the existence of a danger or the suspicion of criminal conduct (cf. BVerfGE 141, 220 <328 f. paras. 289 and 291>).
(b) Provisions that permit the sharing of data between police authorities and intelligence services are subject to particular constitutional requirements (cf. BVerfGE 133, 277 <329 para. 123>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17-, para. 218 f.; “principle of the separation of police and intelligence data”).
(aa) More stringent constitutional requirements apply in relation to provisions that allow police and security authorities to use information obtained by the intelligence services. The task of police and security authorities to prevent, avert and prosecute criminal offences, and to avert dangers to public security and order, is characterised by an operational responsibility and the power to enforce certain measures against individuals, if necessary by force. Therefore, such powers must be narrowly and precisely defined. In principle, data processing requires specific grounds such as indications of a suspicion of criminal conduct or a danger (cf. BVerfGE 133, 277 <327 f. para. 120>).
By contrast, the primary task of intelligence services is to provide information to policy-makers. In accordance with their task of carrying out purely precautionary measures in order to gather political intelligence, they have far-reaching powers to collect data, which are subject only to low thresholds for interference (cf. BVerfGE 133, 277 <325 f. para. 117>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 150 ff.).
The broad scope of the data collection powers of the intelligence services is generally compensated for by the fact that they do not have any operational tasks beyond purely precautionary measures for gathering intelligence (cf. BVerfGE 133, 277 <326 f. para. 118 f.>). However, intelligence services are not strictly limited to carrying out purely precautionary measures to gather intelligence for political purposes. The Federal Intelligence Service (Bundesnachrichtendienst ), for instance, increasingly assumes responsibility for the early detection of dangers with an international dimension arising from abroad (cf. Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 128) and for the sharing of information from the early detection of dangers with police and security authorities (cf. §§ 24 f. of the Federal Intelligence Service Act – Bundesnachrichtendienstgesetz ; § 19 of the Federal Act for the Protection of the Constitution – Bundesverfassungsschutzgesetz ; § 11 of the Military Counterintelligence Service Act – Gesetz über den militärischen Abschirmdienst ). This may reduce the gap between the intelligence services and police authorities ([…]). But this does not alter the fact that intelligence services have relatively far-reaching data collection powers for the early detection of dangers at their disposal such as purely precautionary measures for gathering intelligence for political purposes and that, in return, they do not have operational powers.
The differences in terms of tasks and the resulting risk of undermining specific requirements for the collection and processing of data makes necessary more stringent constitutional requirements for provisions permitting the use, by police and security authorities, of information gathered by intelligence services. This satisfies the requirement of an exceptionally significant public interest and sufficiently specific and qualified thresholds for data sharing (cf. BVerfGE 133, 277 <329 para. 123>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 218 f.).
(bb) The same does not apply to the use by the intelligence services of data from police and security authorities. This data has already been collected in accordance with the more stringent requirements applicable to authorities that have operational powers and have the power to impose coercive measures on individuals. This means that these requirements are not circumvented when the data is used by intelligence services. Furthermore, intelligence services, who are tasked with carrying out purely precautionary measures for gathering intelligence, cannot use this data for operational purposes to impose coercive measures against individuals (for the requirements resulting therefrom, see para. 119 below).
(2) The specific impact on fundamental rights of a power determines the detailed requirements, deriving from the principle of a hypothetical re-collection of data, which must be met with regard to the protection of legal interests and the threshold for interference. Extended use of a joint database by both intelligence services and police authorities pursuant to § 6a(5) ATDG entails an increased impact on fundamental rights, particularly in comparison with simple use pursuant to § 5 ATDG (cf. in that regard BVerfGE 133, 277 <322 ff. para. 110 ff.>).
(a) Same as with the simple use of a joint database, as provided for in § 5 ATDG, the impact on fundamental rights initially derives from the fact that police and security authorities gain access to data obtained by intelligence services. The powers of extended use of data by police and security authorities pursuant to § 6a(2) and (3) ATDG − with the exception of data stored in a hidden manner pursuant to § 4 ATDG − comprises all data types stored in the counter-terrorism database pursuant to § 3 ATDG and thus also data collected by the intelligence services using the means available to them for purposes of gathering purely precautionary intelligence. Therefore, in order to avoid the undermining of the qualified thresholds for interference to which police and security authorities are subject, more stringent constitutional requirements apply to extended use by these authorities.
(b) In addition, both when data is used by police and security authorities and when it is used by intelligence services, the possibility of carrying out data-mining increases the weight of interference. Where data from various intelligence and police sources is stored in a database and where the database is used to link data in order to generate new intelligence and connections (extended use), this generally results in an increased impact on fundamental rights.
(aa) The weight of interference of the counter-terrorism database was originally reduced in that it constituted a joint database (Verbunddatei ), which at its core was limited to facilitating requests for information and only permitted the use of the data for operational tasks in exceptional cases of urgency (cf. BVerfGE 133, 277 <329 para. 124>). By contrast, extended project-related use as is currently provided for in § 6a(5) ATDG and which is carried out covertly by all authorities with access to the counter-terrorism database not only enables facilitating requests for information subject to applicable specific legislation but, as a result of automated linking and analysis of the data fed into the counter-terrorism database by various authorities, it also enables generating new intelligence and connections (data-mining), which can significantly affect a person’s personality rights (cf. with regard to electronic profiling BVerfGE 115, 320 <350 f.>).
Where such new intelligence and connections are generated by police and security authorities pursuant to § 6a(2) and (3) ATDG, the weight of interference is further increased by the fact that this new intelligence can be used directly for operational purposes.
(bb) This is not the case if the intelligence services, which themselves do not have operational powers, use the counter-terrorism database for data-mining pursuant to § 6a(1) ATDG. In such a case the newly generated intelligence is merely used as part of the gathering of further purely precautionary intelligence. However, in this case it must still be taken into account that the intelligence services can generate their own intelligence and connections by way of extended use, with potentially significant effects on a person’s personality rights (cf. with regard to electronic profiling BVerfGE 115, 320 <350 f.>). This could create a feeling of being monitored without any means of control and create lasting chilling effects on the exercise of freedoms (cf. BVerfGE 125, 260 <332>) as, without individuals becoming aware of this, data of different origins and weight stored in the databases can be combined for different purposes.
(cc) However, the weight of interference is reduced insofar as pursuant to § 6a(1) to (3) ATDG in conjunction with § 4(3) ATDG the intelligence services and security authorities cannot access data stored in a hidden manner that was obtained through particularly weighty interferences with the privacy of telecommunications and the fundamental right to the inviolability of the home (in particular by means of surveillance of telecommunications or private homes) as well as with the fundamental right to protection of the confidentiality and integrity of information technology systems under Art. 2(1) in conjunction with Art. 1(1) GG (through means such as remote searches). Such data may only be collected subject to strict conditions (cf. BVerfGE 133, 277 <372 ff. para. 224 ff.> with further references).
Even if this ‘hidden data’ (§ 4 ATDG) is not included in extended use, the data stored in the database pursuant to § 3 ATDG, in particular the extended basic data within the meaning of § 3(1) no. 1(b) ATDG, is of considerable significance nonetheless. The informative value of the extended basic data pursuant to § 3(1) no. 1(b) ATDG is extensive, and can include highly personal information as well as data that pieces together the biographical background of the data subjects (BVerfGE 133, 277 <363 f. para. 199>).
(3) Now that the impact on fundamental rights has been set out, the specific requirements with regard to the legal interests involved and the thresholds for interference with fundamental rights can be determined in accordance with the principle of a hypothetical re-collection of data.
(a) Given the weight of interference, the generation of new intelligence and connections by linking data from different intelligence and police sources stored in a database must serve an exceptionally significant public interest (cf. BVerfGE 133, 277 <329 para. 123>) and is therefore only permissible for the protection of particularly weighty legal interests such as life, limb and liberty of the person as well as the continued existence or security of the Federation or a Land (cf. also BVerfGE 133, 277 <365 para. 203>; 141, 220 <270 f. para. 108; 328 ff. para. 288, 292>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 221).
(b) Interference in the form of extended use must be subject to sufficiently specific thresholds for interference for purposes of public security, law enforcement and the performance of non-operational tasks by authorities such as the intelligence services on the basis of clear legislation (cf. BVerfGE 133, 277 <329 para. 123>; BVerfG; Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 197 – Subscriber data II).
(aa) Given the impact on fundamental rights set out above, the extended use of the counter-terrorism database for public security purposes requires a danger that is at least sufficiently identifiable (hinreichend konkretisierte Gefahr ) in the sense that there must at least be factual indications that a specific danger might emerge (cf. BVerfGE 141, 220 <271 f. para. 111 f.>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 222; on the less stringent requirements for simple access pursuant to § 5(1) ATDG cf. BVerfGE 133, 277 <360 ff. para. 193 ff.>). Insofar as particularly weighty legal interests such as life, limb and liberty of the person as well as the continued existence or security of the Federation or a Land are concerned, as in the case of terrorist offences, an identifiable danger suffices as a threshold for interference (cf. BVerfGE 141, 220 <270 f. para. 108, 272 f. para. 112>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 147 f. − Subscriber data II; cf. already BVerfGE 115, 320 <364 f.> with regard to electronic profiling).
(bb) In principle, these constitutional requirements apply to any authorisation to use powers preventively, i.e. also for the use of this data by intelligence services. Thus factual indications are also required as a basis for actions taken by intelligence services (as regards the particularities of the intelligence services’ powers to conduct surveillance of foreign telecommunications cf., however, Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 155 ff.). However, in respect of interferences that do not intrude deeply into a person’s private sphere and are generally less weighty, it may be sufficient that in the individual case the access to information is needed for investigating a specific action or group that warrants surveillance by the intelligence services because that would at least satisfy the requirement that it be possible to determine the type of incident that might occur and that it will occur within a foreseeable timeframe (cf. Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 151 with further references − Subscriber data II). These requirements, which were laid down in respect of subscriber data, also apply to extended use of the counter-terrorism database by intelligence services. Firstly, the intelligence services are already tasked with protecting particularly weighty legal interests (cf. BVerfGE 141, 220 <339 f. para. 320>; cf. also BVerfGE 133, 277 <326 para. 118>). Secondly, while the interferences at issue are not ones that “do not intrude deeply into a person’s private sphere and are generally less weighty” (as regards the threshold for interference of extended use, see para. 109 ff. above), what is decisive in this case is that when police authorities initially collect data, the threshold for interference for operational actions taken by the police had to be met and that it does not apply again to a future use of the collected data (cf. in this respect BVerfGE 141, 220 <328 f. para. 289>).
(cc) In respect of the extended use of data for law enforcement purposes, the requirements laid down in § 152(2) of the Code of Criminal Procedure (Strafprozessordnung – StPO) with regard to instituting criminal prosecution proceedings (sufficient factual indications) are insufficient. The legislator must instead lay down a threshold for interference that requires the existence of specific facts giving rise to a suspicion. This means that specific circumstances that must have taken concrete shape to some extent must exist and support such a suspicion (cf. Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 222 with further references).
bb) § 6a ATDG does not fully meet these specifically defined requirements. § 6a ATDG does satisfy the requirements in respect of the protection of legal interests, in that it only allows extended use for the protection of particularly weighty legal interests such as life, limb and liberty of the person as well as the continued existence or security of the Federation or of a Land ; however, the powers under § 6a(2) first sentence ATDG lack a sufficiently qualified threshold for interference.
The legislator sought to take into account the constitutional requirements by setting out that data connections and data-mining in the individual case must be carried out within projects relating to the gathering and analysis of intelligence, to law enforcement and to public security in the context of investigating and combating international terrorism (§ 6a(1), (2) and (3) ATDG). Although investigating and combating international terrorism with a link to the Federal Republic of Germany (§ 1(1) ATDG) is an exceptionally significant public interest (see para. 91 above), the absence of a sufficiently qualified threshold for interference in § 6a(2) ATDG violates the prohibition of excessive measures. Even in relation to a project within the meaning of § 6a(4) ATDG, extended use of data has not been made subject to the necessary thresholds for interference. The suspicion that must have taken concrete shape, as required for use in respect of law enforcement purposes (§ 6a(2) ATDG), is not defined clearly enough in the provision. The provision on supervisory oversight (§ 6a(7) ATDG) and legal oversight (§ 6a(8) ATDG) cannot replace substantive requirements.
(1) § 6a(1) ATDG is, however, constitutional insofar as it allows, subject to certain conditions that are to be interpreted in accordance with constitutional requirements, federal authorities and in particular intelligence services access to the data in the counter-terrorism database that has not been stored in a hidden manner for collecting and analysing intelligence on international terrorist endeavours. The provision also states sufficiently precisely and clearly that it is only applicable to authorities engaged in gathering intelligence while not having operational powers themselves, i.e. in particular to intelligence services but also, for example, to the Federal Criminal Police Office as a central office (§ 2 of the Act on the Federal Criminal Police Office and the Collaboration of the Federation and the Länder in Criminal Police Matters – Gesetz über das Bundeskriminalamt und die Zusammenarbeit des Bundes und der Länder in kriminalpolizeilichen Angelegenheiten , Bundeskriminalamtgesetz , BKAG) (see (a) below). The provision is also sufficient in respect of the specific threshold for interference (see (b) below).
(a) The scope of § 6a(1) ATDG covers − in addition to making the data accessible for use by the authorised Land authorities (cf. § 6a(11) ATDG) − all “federal authorities involved” pursuant to § 1 ATDG provided that they act “in the discharge of their statutorily assigned tasks”. In accordance with the purpose of the project, the task requiring use of the counter-terrorism database must consist in the “collection and analysis of intelligence” relating to an international terrorist endeavour. This is particularly true of intelligence services whose primary task is to collect, analyse and share intelligence. The provision is not, however, restricted to intelligence services.
In response to criticism of the legal specificity of the Federal Government’s draft, the “three groups of cases, which had previously been summarised in subsection 1 of the draft, were divided into three subsections” (BTDrucks 18/2902, p. 12; cf. also the evaluation of the Act on Establishing a Standardised Central Database for Police Authorities and Intelligence Services of the Federation and the Länder to Combat Violent Right-Wing Extremism – Gesetz zur Errichtung einer standardisierten zentralen Datei von Polizeibehörden und Nachrichtendiensten von Bund und Ländern zur Bekämpfung des gewaltbezogenen Rechtsextremismus, Rechtsextremismus-Datei-Gesetz , BTDrucks 18/8060, p. 113, 119). However, subsection 1 was not restricted to intelligence services by way of clarification. § 6a(1) ATDG thus also covers, for example, the Federal Criminal Police Office insofar as it is authorised, in its capacity as the central office for the police information network, to collect and analyse all information necessary to support the police forces of the Federation and the Länder in the prevention and prosecution of criminal offences with an international dimension, that affect more than one Land , or that are of considerable significance (§ 2(1), (2) no. 1, §§ 29 ff. BKAG). However, according to the wording of the statute, the task requiring use of the counter-terrorism database must consist in the “collection and analysis of information” relating to an international terrorist endeavour. It must not be an operational task. This follows from the structure of § 6a ATDG, which distinguishes between extended use for the purpose of collecting and analysing information (subsection 1), for the purpose of law enforcement (subsection 2) and for the purpose of public security (subsection 3). Extended use for the purposes of law enforcement and public security is not based on § 6a(1) ATDG but on § 6a(2) and (3) ATDG. Extended use in the context of powers relating to law enforcement and combating international terrorism on the basis of subsection 1 is therefore ruled out.
(b) The provision of § 6a(1) ATDG can be interpreted as containing a sufficiently clear threshold for interference which meets constitutional requirements (see para. 118 f. above). § 6a(1) ATDG requires that extended use within the meaning of § 6a(5) ATDG be necessary in individual cases for the collection and analysis of intelligence on an international terrorist endeavour by the intelligence services with the purpose of investigating further facts of the individual case where certain facts justify the assumption that international terrorist offences under §§ 129a, 129b and 211 of the Criminal Code (Strafgesetzbuch ) will be committed, thus posing a danger to life, limb or liberty of the person. The condition that the investigation of further facts of the individual case be necessary entails that there must be a need for the use of data for purposes of investigating a specific action or group that must be placed under observation by the intelligence services (cf. in that regard BVerfGE 130, 151 <206>). This covers the required element of necessity in the individual case. This meets the requirements applicable to a threshold for interference relating to the mere collection and analysis of intelligence without an operational component (cf. para. 118 above); where agencies other than intelligence agencies also do not have operational powers, this applies accordingly.
(2) The provision of § 6a(2) first sentence ATDG, however, lacks the necessary thresholds for interference or suspicion. § 6a(2) ATDG applies to the performance of repressive tasks. Its scope of application therefore typically covers the law enforcement authorities involved but not the intelligence services. Extended use, by the law enforcement authorities, of data entered into the counter-terrorism database by the intelligence services makes qualified thresholds for interference necessary (cf. para. 120 above). Specific facts giving rise to a suspicion are required. This is lacking in § 6a(2) ATDG.
With regard to qualified criminal offences, § 6a(2) first sentence ATDG does not require any justified suspicion for extended use, but merely requires necessity in the individual case for purposes of investigating “further facts of the individual case”. The statutory requirement of necessity in the individual case might be taken to mean that there must at least be sufficient factual indications within the meaning of § 152(2) StPO (cf. in that regard BVerfGE 130, 151 <206>). But this, too, did not suffice as a threshold for interference for an extended use of data for criminal prosecution purposes. § 6a(2) ATDG does not require, in the necessary clear manner, a ‘sufficiently tangible suspicion in respect of a criminal offence,’ which differs from the initial suspicion (sufficient factual indications) required under criminal procedural law (see para. 120 above). This is true despite any required relation to a project pursuant to § 6a(4) ATDG (see para. 132 ff. for more detail).
(3) § 6a(3) ATDG proves to be proportionate when interpreted in the light of the Constitution. The provision is aimed at participating police authorities, who are allowed an extended use of data entered in the counter-terrorism database by the intelligence services, inter alia with the aim of preventing qualified international terrorist offences. In this respect, qualified thresholds for interference are also required. This means that there must be a danger that is at least sufficiently identifiable (see para. 118 above).
§ 6a(3) ATDG allows extended use of the counter-terrorism database by authorities for the purpose of preventing qualified international terrorist offences where facts justify the assumption that such an offence is going to be committed. The requirements regarding the existence of an identifiable danger have not been met if the legal provision only requires the existence of facts that justify the assumption that an offence will be committed as this does not prevent the authorities from working with a prognosis based solely on experience (cf. BVerfGE 141, 220 <291 para. 165>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 225 f. − Subscriber data II). The power afforded by § 6a(3) ATDG is more narrow, however, in that extended use of the counter-terrorism database must be necessary to clarify further circumstances of the individual case. On the basis of an interpretation of § 6a(3) ATDG in conformity with the Constitution, which is not precluded by the principle of legal clarity, this must be understood to mean that further use of the database is only permitted if the authority can at least determine the type of identifiable and foreseeable incident that might occur or if the authority recognises that the individual conduct of a person establishes the specific probability that they will commit terrorist offences in the not so distant future (cf. BVerfGE 141, 220 <272 f. para. 112, 290 f. para. 164>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 226 − Subscriber data II). Extended use therefore requires a danger that is identifiable as set out above and the further investigation of which must sufficiently clearly require such use.
The provision’s constituent element “with the purpose of investigating further facts of the individual case” does not mean that the provision allows extended use for a mere precautionary investigation or background investigation without reference to an at least identifiable danger (see para. 118 above). If § 6a(3) ATDG were to be interpreted that way, it would be unconstitutional.
(4) The required relation to a project within the meaning of § 6a(4) ATDG does not alter the inadequacy under constitutional law of the prerequisites for interference referred to in § 6a(2) ATDG.
(a) According to § 6a(4) ATDG, a project is an objectively definable task related to certain periods of time which is of particular significance due to the danger or the risk of damage, the individuals involved in the matter, the objective of the task or its consequences. This statutory definition in § 6a(4) ATDG reveals the legislator’s legitimate objective of providing the parties involved, by way of an openly worded definition of ‘project’, with a wide margin of discretion in order to effectively combat international terrorism and to also be able to react to changes, unexpected events and uncertainties. This does not, however, exempt the legislator from the constitutional requirements to set out a sufficient threshold for interference for the powers laid down in subsection 2. The establishment of a project, too, is not subject to a threshold for interference in subsection 4.
(b) The fact that the absence of a sufficient threshold for interference is objectionable under constitutional law is not altered by the restrictions laid down in § 6a(6) second sentence ATDG in terms of personal scope and a time limit totalling four years.
(5) The requirements for individual legal protection and supervisory oversight laid down in § 6a(7) and (8) ATDG satisfy the requirements that follow from the principle of proportionality in the area of informational self-determination (cf. BVerfGE 133, 277 <365 ff. para. 204 ff.> with further references). Supervisory oversight and oversight resembling judicial review complement each other (cf. BVerfGE 133, 277 <369 para. 213>; Federal Constitutional Court, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 274). However, in this context, ex ante legal oversight does not appear to be strictly necessary, in particular with respect to urgent cases (cf. BVerfGE 133, 277 <369 para. 213>; Federal Constitutional Court, Order of the First Senate of 27 May 2020 - 1 BvR 1873/13 and 1 BvR 2618/13 -, para. 254 − Subscriber data II). The nuanced oversight procedure, which combines supervisory oversight (subsection 7) and the generally ex ante legal oversight by the German oversight body for surveillance measures − the Article 10 Commission (G 10-Kommission ) − (subsection 8), which may be carried out ex post in cases of imminent danger (Gefahr im Verzug ), is therefore unobjectionable under constitutional law. Mere oversight cannot, however, replace the absence of restrictive substantive criteria applicable to extended data use pursuant to § 6a(2) ATDG because compliance with the limits of a project and the powers for interference can only be reviewed on the basis of substantive provisions (cf. in that regard also BVerfGE 110, 33 <67 f.>; 120, 274 <331>).
D.
I.
According to the above, § 6a(2) first sentence ATDG violates the fundamental right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) GG. In principle, a violation of the Constitution means that the respective provision is declared void (§ 95(3) BVerfGG; cf. BVerfGE 65, 325 <357>; 114, 316 <338>). In exceptional cases, the Federal Constitutional Court can declare a legal provision incompatible with the Basic Law (unconstitutionality) (cf. § 31(2) second sentence, § 79(1) BVerfGG). However, in the present case there is no apparent reason why the legal provision should continue to apply provisionally.
II.
[…]
III.
In accordance with § 4(4), § 15(3) first sentence BVerfGG, this decision was rendered by the First Senate of the Federal Constitutional Court sitting with seven Justices.
Harbarth | Paulus | Baer | |||||||||
Britz | Ott | Christ | |||||||||
Radtke |