Judgment of 1 October 2024

R e a s o n s :

A.

1

With their constitutional complaint, the complainants challenge provisions of the Act on the Federal Criminal Police Office and the Cooperation of the Federation and the Länder in Criminal Matters (Bundeskriminalamtgesetz – BKAG; hereinafter: the Act), as amended by the Act to Reorganise the Federal Criminal Police Office Act of 1 June 2017 (Federal Law Gazette, Bundesgesetzblatt – BGBl I p. 1354), which entered into force on 25 May 2018 (BGBl I p. 1354). Firstly, the complaint is directed against the powers of the Federal Criminal Police Office to use special methods of data collection to avert dangers from international terrorism, insofar as they allow the surveillance of contact persons (§ 45(1) first sentence no. 4 in conjunction with § 39(2) no. 2 of the Act). Secondly, the complaint is directed against provisions relating to the further processing of previously collected personal data in the Federal Criminal Police Office’s information system and in the police information network (§ 16(1) in conjunction with § 12(1) first sentence of the Act; § 18(1) nos. 1, 2 and 4, (2) nos. 1 and 3 and (5) in conjunction with § 13(3) and § 29 of the Act) and regarding [the further processing of] police information (§ 16(6) no. 2, including in conjunction with § 29(4) second sentence of the Act).

I.

2

The adoption of the Act to Reorganise the Federal Criminal Police Office Act of 1 June 2017 was intended to implement the requirements arising from the judgment of the Federal Constitutional Court of 20 April 2016 (Decisions of the Federal Constitutional Court, Entscheidungen des Bundesverfassungsgerichts – BVerfGE 141, 220) and from Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119 of 4 May 2016, pp. 89-131, hereinafter: Directive 2016/680/EU; cf. Bundestag document, Bundestagsdrucksache 18/11163, p. 1). This legislative reform was to restructure the Federal Criminal Police Office’s IT architecture, among other things, in order to improve the efficiency and effectiveness of criminal police work. In light of the experiences with the investigation of the series of murders committed in Germany by the National Socialist Underground in November 2011, having information technology foundations in place at all times for the necessary networking of all authorities involved in an investigation was deemed necessary. It was argued that there must be no repeat of a situation where time and energy are lost in linking different systems during an ongoing investigation. At the same time, the reform was intended to satisfy the data protection requirements (cf. BTDrucks 18/11163, p. 76).

3

The new provisions in the Federal Criminal Police Office Act regarding the establishment of a federal data platform (‘police information network’) are related to the necessary digital transformation of the police. […]

4

Prior to this amendment, a common IT architecture did exist in the context of the police’s federal information system. The predecessor of the new ‘police information network’ is the existing police information system (INPOL), which will continue to operate and be maintained until the phased implementation of the new components has been concluded ([…]). INPOL is a network system that is jointly used by the federal and Land police authorities. It contains databases for police searches and general information purposes (INPOL-Z). Data relevant to police cooperation from the casework systems for the analysis of complex facts is also stored (INPOL-Fall). This data is stored in different databases ([…]), for example, in databases concerning specific offences and phenomena, criminal file records, violent offender databases and police identification databases, as well as in the DNA analysis database and the detention database. […] As the different databases are not synced with one another, the system is unable to identify data matches or deviations (e.g. entry errors) ([…]). The legislative reform therefore opted to abandon this organisational structure by database for the data held by the Federal Criminal Police Office (cf. BTDrucks 18/11163, pp. 2 and 75 f.). This system is to be replaced by a police information network involving the federal and Land police authorities that reflects cooperative federalism. In technical terms, this system will be based on a uniform network of the Federal Criminal Police Office with differentiated labelling of the data concerned. Within this network, all participating police authorities will make data available to one another.

5

In addition, the Federal Criminal Police Office maintains an information system for its own data, with which – insofar as is provided by the law – it also takes part in the police information network. Thus, the legislator reorganised the data processing powers previously set out in various laws and laid them down in one central statutory framework. In doing so, it opted to use a uniform concept of further processing, on which the powers are based (cf. para. 120 below).

II.

6

The provisions relevant to the present proceedings are as follows:

7

1. § 45 of the Act sets out the special data collection powers of the Federal Criminal Police Office, including those provided for the purpose of averting dangers from international terrorism. It authorises the Federal Criminal Police Office to use the special means listed in section (2), for example, long-term observations or the use of confidential informants or undercover investigators, to collect personal data. The only provision challenged in this regard is § 45(1) first sentence no. 4 of the Act, which authorises the Federal Criminal Police Office to collect personal data of contact persons pursuant to § 39(2) no. 2 of the Act using such special means. For the majority of these measures, § 45(3) of the Act imposes a requirement of prior judicial authorisation. Pursuant to § 45(1) second sentence of the Act, a measure may be carried out even if this unavoidably results in third parties being affected.

8

§ 45 of the Act reads as follows:

§ 45 of the Federal Criminal Police Office Act – Special means of data collection

(1) ¹Using the special means listed in section (2), the Federal Criminal Police Office may collect personal data of

1. the persons responsible pursuant to § 17 or § 18 of the Act on the Federal Police or, in accordance with the terms of § 20(1) of the Act on the Federal Police, on the persons designated therein with a view to countering a danger to the existence or security of the Federation or any of the Länder, or to the life, limb or liberty of a person or to assets of substantial value the preservation of which is required in the public interest,

2. persons in respect of whom specific facts justify the assumption that they will commit an offence pursuant to § 5(1) second sentence in the foreseeable future and it is at least possible to determine the type of this offence,

3. persons whose individual conduct gives reason to assume a specific probability that they will commit an offence pursuant to § 5(1) second sentence in the foreseeable future, or

4. persons within the meaning of § 39(2) no. 2,

if averting the danger or preventing the offences in any other way is futile or considerably more difficult. ²The measure may be carried out even if this unavoidably results in third parties being affected.

(2) Special means of data collection are

1. the scheduled surveillance of a person that is intended to last continuously for more than 24 hours or to take place on more than two days (long-term observation),

2. the use of technical means outside homes in a way not detectable by the person concerned

a) in order to take or record images of persons or property items that are outside homes, or

b) in order to intercept or record private spoken communication outside homes,

3. other special technical means for surveillance purposes with a view to investigating the facts or to establishing the whereabouts of any of the persons referred to in section (1),

4. the use of private individuals whose cooperation with the Federal Criminal Police Office is not known to third parties (confidential informants), and

5. the use of police officers who have been given a long-lasting cover identity (undercover officers).

(3) to (8) (…)

9

[…]

10

§ 39 of the Act, which is referenced in § 45 of the Act, reads as follows:

§ 39 of the Federal Criminal Police Office Act – Collection of personal data

(1) (…)

(2) To prevent offences pursuant to §°5(1) second sentence, the collection of personal data shall be permitted only if facts justify the assumption that

1. the person concerned intends to commit an offence pursuant to § 5(1) second sentence and the data collected is required to prevent this offence, or

2. the person concerned is associated with a person specified in no. 1 not only by casual or coincidental contact and

a) is aware of an offence pursuant to § 5(1) second sentence being prepared,

b) could benefit from the exploitation of the offence or

c) the person specified in no. 1 could use the person concerned to commit the offence

and if the prevention of these offences in any other way is futile or considerably more difficult.

(3) (…)

11

2. § 16(1) of the Act authorises the Federal Criminal Police Office to further process personal data in its own information system insofar as is necessary to perform its tasks and insofar as the Federal Criminal Police Office Act does not impose other special requirements. The data processing is subject to § 12 of the Act, which is designed to implement the criterion of a hypothetical recollection of the data; it applies regardless of the weight of interference resulting from the original data collection (cf. BTDrucks 18/11163, p. 92).

12

Only one specific case from the broad scope of application of § 16(1) of the Act is relevant to the present proceedings. Complainants nos. 1) and 2) solely challenge the further processing of personal data collected by the Federal Criminal Police Office for the purpose of averting dangers to international terrorism (cf. § 5 of the Act) using particularly intrusive means, and solely if further processing serves to perform the same task, in accordance with § 12(1) first sentence of the Act.

13

§ 16 of the Act reads in relevant part as follows:

§ 16 of the Federal Criminal Police Office Act – Further processing of data in the information system

(1) The Federal Criminal Police Office may further process personal data in the information system in accordance with § 12 provided that this is necessary to accomplish its tasks and that this Act does not require additional special conditions.

(2) to (6) (…)

14

§ 12 of the Act, which is referenced by § 16(1) of the Act, reads as follows:

§ 12 of the Federal Criminal Police Office Act – Purpose limitation, principle of hypothetical recollection of data

(1) ¹The Federal Criminal Police Office may further process personal data it has collected itself

1. to accomplish the same task and

2. to protect the same interests or to prosecute or prevent the same offences. (…)

(2) ¹To accomplish its tasks, the Federal Criminal Police Office may further process personal data for purposes other than those for which they were originally collected if

1. at least

a) similarly serious offences shall be prevented, uncovered or prosecuted, or

b) similarly important interests shall be protected, and

2. in the individual case, there are specific investigative leads

a) to prevent, uncover or prosecute such offences, or

b) to counter risks to legally protected interests of at least similar importance which are imminent in the foreseeable future.

(3) to (5) (…)

15

3. § 18 of the Act authorises the Federal Criminal Police Office to further process specific personal data of certain groups of persons. Unlike § 16(1) of the Act, this not only covers internal further processing of data in the Federal Criminal Police Office’s own information system, but also the further processing of data by the Office in its capacity as a central agency.

16

Implementing Art. 6 of Directive 2016/680/EU, the legislator distinguishes between different categories of data subjects: persons convicted of a criminal offence, persons charged with a criminal offence, suspects and other potential parties to a criminal offence (cf. BTDrucks 18/11163, p. 99; […]). The present proceedings only concern the groups of convicted persons, persons charged with a criminal offence and other potential parties to a criminal offence.

17

Pursuant to § 18(2) no. 1 of the Act, only the following data can be further processed as personal data: (a) basic data and (b) where necessary, other characteristics suitable for identification purposes, (c) the designation of the police office responsible for the criminal file and the criminal file number, (d) the time and place of the offence(s) and (e) the charge(s), identified by stating the legal provisions and a precise designation of the offences. § 18(2) no. 3 of the Act, which is also challenged, allows the further processing of personal data, including the data of other potential parties to a criminal offence. Pursuant to § 20(1) of the Act, details on the type and scope of the data that may be further processed under the Act, in particular under § 18, are to be specified in an ordinance.

18

Under § 18(1) of the Act, the Federal Criminal Police Office is only authorised to further process the specific personal data described above to perform its tasks under § 2(1) through (3) of the Act. § 2(1) of the Act provides that the Federal Criminal Police Office, in its capacity as the central agency for police information and communications and for the criminal police, supports the federal and Land police forces in the prevention and prosecution of offences affecting more than one Land, offences of international significance or those of considerable importance. It is tasked with gathering and analysing all information necessary in this regard (§ 2(2) no. 1 of the Act), and advising the federal and Land law enforcement authorities of the information relevant to them and the links identified between offences without delay (§ 2(2) no. 2 of the Act). Moreover, in its capacity as the central agency, the Federal Criminal Police Office maintains a uniform police information network in accordance with the Federal Criminal Police Office Act (cf. § 2(3), § 29(1) of the Act). As the operator of the federal data platform, the Federal Criminal Police Office provides the IT infrastructure, which is based on standardised information technology (cf. BTDrucks 18/11163, p. 81). At the same time, it takes organisational and technical measures to ensure that the respective authorities can input and access data in the police information network only when authorised to do so (cf. § 29(4) first sentence of the Act). This is determined pursuant to access rights (§ 15 of the Act) and requires that data that has been further processed be labelled in accordance with § 14 of the Act. The Federal Criminal Police Office not only acts as a platform operator, it is also authorised to participate in the police information network (cf. § 29(3) first sentence of the Act). In accordance with §§ 29 and 30 of the Act, the Federal Criminal Police Office takes part in the police information network with its own information system pursuant to § 29 of the Act. § 29(4) second sentence of the Act provides that § 18(1), (2) and (4) of the Act, amongst others, apply accordingly to the participating authorities listed in § 29(3) of the Act that input and access data in the police information network. § 31(2) of the Act contains requirements for the police information network under data protection law, while § 31(3) of the Act sets out oversight under data protection law. In addition, chapter 9 of the Act (§§ 69 ff.) contains supplementary provisions on data protection and data security.

19

§ 18 of the Act reads in relevant part as follows:

§ 18 of the Federal Criminal Police Office Act – Data on convicted persons, persons charged, suspects and potential offenders

(1) To accomplish its tasks pursuant to § 2(1) to (3), the Federal Criminal Police Office may further process personal data of

1. convicted persons,

2. persons charged with a criminal offence,

3. persons suspected of an offence if further processing of the data is necessary since the nature or execution of the offence, the personality of the data subjects or any other information gives reason to assume that criminal proceedings will have to be conducted against them in the future, and

4. persons in respect of whom there are grounds for further processing of the data because factual indications exist that the persons concerned will commit considerable criminal offences in the near future (potential offenders).

(2) The Federal Criminal Police Office may further process:

1. if persons mentioned in subsection (1) nos. 1 to 4 are concerned

a) the basic data and

b) if necessary, other characteristics suitable for identification purposes,

c) the designation of the police office keeping the criminal file and the criminal file number,

d) the time and place of the offences,

e) the charges, by stating the legal provisions violated and the precise designation of the offences;

2. if persons mentioned in subsection (1) nos. 1 and 2 are concerned, further personal data if further processing of the data is necessary since the nature or execution of the offence, the personality of the data subject or any other information gives reason to assume that criminal proceedings will have to be conducted against them in the future;

3. if persons mentioned in subsection (1) nos. 3 to 4 are concerned further personal data.

(3) to (4) (...)

(5) Should the person charged be acquitted with final and binding effect, the opening of the trial against this person be rejected by non-appealable decision or the proceedings be discontinued not just temporarily, further processing shall not be permitted if the reasons for the decision imply that the data subject did not commit the act or did not commit it unlawfully.

20-21

[…]

22

4. § 16(6) no. 2 of the Act authorises the Federal Criminal Police Office to further process other information – specified in the Act – on persons in respect of whom data is already available [in the information system]. Under § 29(4) second sentence of the Act ([…]), this provision applies accordingly to the authorities participating in the police information network when they input and access data.

§ 16 of the Federal Criminal Police Office Act – Further processing of data in the information system

(1) to (5) (…)

(6) In cases where the Federal Criminal Police Office already holds data on a person, it may also further process, with regard to that person,

1. (…)

2. any other pieces of information which are suitable for protecting third parties or developing investigative leads.

23

5. There are also general requirements that are relevant for the challenged powers. Deletion requirements pertaining to the collected data are set out in § 79(1) of the Act, specifically in regard to data collected for counter-terrorism purposes, and, more generally, in § 77 of the Act in conjunction with § 75(2) of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). Under § 79(1) of the Act, data obtained in accordance with the subchapter on counter-terrorism must be deleted without delay if it is no longer required for the purpose on which the measure was based or for potential judicial review of the measure. The data is not deleted if ‘permissible’ further processing of the data takes place in accordance with the provisions in chapter 2, subchapter 2 – in particular in accordance with § 16(1) and § 18 of the Act. § 77(1) of the Act in conjunction with § 75(2) of the Federal Data Protection Act contains more general deletion requirements and therefore also extends to the Federal Criminal Police Office’s powers in its capacity as a central agency. In particular, personal data must be deleted without delay if it was processed impermissibly or knowledge of the data is no longer necessary to performance of tasks. The deletion requirements are complemented by deadlines to review whether the data must be deleted.

24-25

[…]

III.

26

The complainants lodged their constitutional complaint on 22 May 2019 and made an additional submission on 29 September 2022. Insofar as complainants nos. 1) and 2) initially challenged the Federal Criminal Police Office’s powers to conduct remote searches of IT systems (§ 49 of the Act) and source telecommunications surveillance (§ 51(2) of the Act), they withdrew this part of their constitutional complaint with their submission of 27 April 2022.

27

The complainants claim a violation of their fundamental right to informational self-determination (Art. 2(1) in conjunction with Art. 1(1) of the Basic Law, Grundgesetz – GG). Complainants nos. 1) and 2) challenge the powers of the Federal Criminal Police Office to collect data for the purpose of averting dangers from international terrorism (§ 45(1) first sentence no. 4 of the Act), insofar as they allow the surveillance of contact persons (§ 39(2) no. 2 of the Act). Their complaint is also directed at the Federal Criminal Police Office’s power to further process personal data obtained through such surveillance measures in its own information system (§ 16(1) in conjunction with § 12(1) first sentence of the Act). Complainants nos. 3) to 5) challenge the powers to further process data in § 18(1) nos. 1, 2 and 4, § 18(2) nos. 1 and 3 and § 18(5), including in conjunction with § 29(4) second sentence of the Act. All complainants challenge the power to add information that supports investigations to the information system and/or the information network (§ 16(6) no. 2, including in conjunction with § 29(4) second sentence of the Act).

28-39

[…] 

IV.

40

The Federal Government, the Public Prosecutor General at the Federal Court of Justice and the Federal Commissioner for Data Protection and Freedom of Information submitted statements on the constitutional complaint.

41-51

[…]

V.

52

The Federal Constitutional Court conducted an oral hearing on 20 December 2023. At the oral hearing, statements were made by the complainants and by the Federal Government. The Federal Commissioner for Data Protection and Freedom of Information was heard as an expert third party in accordance with § 27a of the Federal Constitutional Court Act (Bundesverfassungsgerichtsgesetz – BVerfGG).

B.

I.

53

The Federal Constitutional Court has jurisdiction to review the compatibility of the challenged provisions with the fundamental rights of the Basic Law, even though the challenged provisions are related to data protection provisions in legal acts of the European Union, in particular Directive 2016/680/EU. Yet the powers challenged here do not implement binding EU law. EU legislation does not contain any provisions that require the challenged powers, let alone provide an exhaustive legal framework (cf. in this regard BVerfGE 155, 119 <162 ff. para. 83 ff.> with further references; 156, 11 <35 ff. para. 63 ff.>; 158, 170 <183 para. 23> with further references). This does not affect the question – which need not be decided here – of whether additional legal requirements arise directly from secondary EU law and whether the challenged provisions are compatible with those (cf. BVerfGE 155, 119 <165 para. 88>; 163, 43 <76 f. para. 93> with further references).

II.

54

[…]

III.

55

The constitutional complaint is admissible for the most part. Insofar as complainants nos. 1) and 2) challenge § 45(1) first sentence no. 4 in conjunction with § 39(2) no. 2 and § 16(1) in conjunction with § 12(1) first sentence of the Act, the constitutional complaint is admissible. Yet insofar as complainants nos. 3) to 5) challenge the powers to further process data in § 18(1) nos. 1, 2 and 4, § 18(2) nos. 1 and 3 and § 18(5), including in conjunction with § 29(4) second sentence of the Act, it is only admissible in part. The constitutional complaint is inadmissible in respect of all complainants insofar as it is directed against § 16(6) no. 2 of the Act.

56

1. If a constitutional complaint is directed against legislation that authorises security authorities to carry out covert measures, as in the present case, special admissibility prerequisites apply with regard to standing and the subsidiarity of the constitutional complaint (cf. BVerfGE 162, 1 <51 ff. para. 93 ff.> – Bavarian Protection of the Constitution Act; 165, 1 <29 ff. para. 37 ff.> – Police powers under the Security and Public Order Act for Mecklenburg-Western Pomerania).

57

a) Pursuant to Art. 93(1) no. 4a of the Basic Law and § 90(1) of the Federal Constitutional Court Act, a constitutional complaint can only be admissible if the complainants assert that their fundamental rights – or rights equivalent to fundamental rights – have been violated by an act of public authority (standing; cf. BVerfGE 140, 42 <54 para. 47>; 162, 1 <51 f. para. 93>). They must demonstrate, in accordance with the substantiation requirements under § 23(1) second sentence and § 92 of the Federal Constitutional Court Act, that a violation of fundamental rights appears possible (see aa) below) and that they are individually, directly and presently affected (see bb) below) (cf. BVerfGE 125, 39 <73>; 159, 355 <375 para. 25> – Federal pandemic emergency brake II).

58

aa) […]

59

bb) Special prerequisites apply for demonstrating that complainants are individually, directly and presently affected when a constitutional complaint is directed against statutory powers to carry out covert measures.

60

(1) It is true that the provisions challenged here only take effect on the basis of additional acts of implementation that take the form of data collection or further processing. However, it must be assumed that complainants are directly affected by legislation that requires implementation if they cannot seek legal recourse because they have no way of knowing whether a measure was carried out, or when they may not be notified even though a requirement to notify the data subject ex post is applicable, given that it can be waived over long periods on the basis of extensive exceptions (cf. BVerfGE 155, 119 <159 para. 73> – Subscriber data II).

61

(2) In order to establish the possibility of being individually and presently affected by the statutory authorisation of covert measures which only gives rise to specific impairments once implemented and in respect of which the affected persons typically have no knowledge of any acts of implementation, it is sufficient that complainants demonstrate that it is likely that their fundamental rights are affected by measures taken on the basis of the legislation in question (cf. BVerfGE 155, 119 <160 para. 75>). A submission that the complainants are responsible for activities threatening security in order to demonstrate that they are individually affected is not necessary in this regard, nor are statements in which complainants would have to incriminate themselves (cf. BVerfGE 130, 151 <176 f.>; established case-law).

62

b) […]

63

2. The constitutional complaint satisfies these requirements for the most part.

64-79

[…]

C.

80

To the extent that it is admissible, the constitutional complaint is well-founded in part. The challenged provisions interfere with the complainants’ fundamental right to informational self-determination as a manifestation of the general right of personality under Art. 2(1) in conjunction with Art. 1(1) of the Basic Law (see I. below). While the provisions, to the extent under review here, are formally constitutional (see II. below), they do not satisfy the proportionality requirements (see III. below) in all respects. The specific design of § 45(1) first sentence no. 4 of the Act is incompatible with the Basic Law (see IV. below). By contrast, the challenges to § 16(1) in conjunction with § 12(1) first sentence of the Act are unsuccessful when the provisions are interpreted correctly (see V. below). § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act do not satisfy the constitutional requirements (see VI. below).

I.

81

The challenged provisions interfere with the fundamental right to informational self-determination following from Art. 2(1) in conjunction with Art. 1(1) of the Basic Law, a violation of which is claimed by the complainants. According to established case-law, the fundamental right to informational self-determination is a distinct manifestation of the general right of personality (cf. BVerfGE 65, 1 <42> – Census; 78, 77 <84>; 118, 168 <184> 111; 152, 152 <188 para. 83> – Right to be forgotten I). In the context of modern data processing, the free development of one’s personality requires that the individual be protected against the unlimited collection, storage, use and sharing of their personal data. This fundamental right confers upon the individual the authority to, in principle, decide themselves on the disclosure and use of their personal data (cf. BVerfGE 65, 1 <42 and 43>; 120, 274 <312>; regarding the EU fundamental right to data protection as a manifestation of respect for private and family life under Art. 7 of the EU Charter of Fundamental Rights and of the protection of personal data under Art. 8 of the Charter cf. CJEU, Judgment of 8 April 2014, Digital Rights Ireland and Seitlinger and others, C-293/12 and C-594/12, EU:C:2014:238, paras. 35, 47 and 54 f.; Judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C-92/09 and C-93/09, EU:C:2010:662, para. 47 and BVerfGE 152, 216 <254 para. 99 ff.> – Right to be forgotten II with further references). The scope of the right to informational self-determination goes beyond the protection of the private sphere. This right supplements and expands the fundamental rights protection of free conduct and private life, ensuring that this protection takes hold even against risks to one’s personality (cf. BVerfGE 120, 274 <312>).

82

In light of this, the powers of the Federal Criminal Police Office to covertly collect data under § 45(1) first sentence no. 4 of the Act amount to an interference with fundamental rights (cf. also BVerfGE 141, 220 <286 f. para. 147 ff.>; regarding the severity of interference see para. 99 below). The powers to further process previously collected personal data – § 16(1) in conjunction with § 12(1) first sentence of the Act and § 18(1) no. 2, § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act – also give rise respectively to separate interferences with the fundamental right to informational self-determination with varying degrees of severity (cf. in particular BVerfGE 141, 220 <324 ff. para. 276 ff.>; 165, 363 <393 para. 61>).

II.

83

To the extent that they are admissibly challenged, the provisions at issue are compatible with the Constitution in formal terms. In particular, the Federation has the necessary legislative competence.

84

1. […] Under Art. 73(1) no. 9a of the Basic Law, the Federation has exclusive legislative competence for public security measures by the Federal Criminal Police Office to avert the dangers of international terrorism when a threat transcends the boundaries of one Land, when responsibility is not clearly assignable to the police authorities of any particular Land or when the highest authority of an individual Land requests the assumption of federal responsibility. With regard to competences, the term ‘public security’ includes the prevention of crime ([…]).[…]

85

2. […]

86

a) Insofar as the challenged provisions govern the sharing of information between the Federal Criminal Police Office, the Land Criminal Police Offices, other Land police authorities and the units charged with tax fraud investigations of the Land tax authorities, the Federation has legislative competence under Art. 73(1) no. 10(a) of the Basic Law (cooperation between the Federation and the Länder concerning criminal police work) (cf. BVerfGE 133, 277 <317 para. 97>). […]

87

[…]

88

b) Insofar as the Federal Police, customs authorities and the police of the German Bundestag participate in the information network as additional authorities, the Federation’s legislative competence derives from Art. 73(1) no. 5 of the Basic Law and from the nature of the matter. […]

89

c) Art. 91c(2) of the Basic Law provides that the Federation and the Länder can agree to specify the standards and security requirements necessary for exchanges between their information technology systems; it does not contain a specific rule that would rule out a legislative competence of the Federation for the challenged provisions. Art. 91c of the Basic Law merely constitutes a special provision for exchanges between IT systems of the Federation and the Länder so as to ensure the efficient, swift and safe sharing of data without the need to switch systems or media. ([…]).

III.

90

1. a) Interferences with the fundamental right to informational self-determination require a statutory basis that pursues a legitimate purpose in the interest of the common good and is suitable, necessary and proportionate in the strict sense to achieve the purpose pursued (cf. BVerfGE 65, 1 <44>; 100, 313 <359 f.>; 155, 119 <176 para. 123>; established case-law). Special requirements arise from the principle of proportionality in the strict sense. How stringent these requirements are in each case depends on the severity of interference resulting from the respective power to collect or further handle personal data (cf. BVerfGE 141, 220 <269 para. 105>; 165, 363 <389 f. para. 54>; established case-law). When specifying the requirements for justification of an interference, distinctions must be made between the different fundamental rights interferences, which are distinct in principle, but are nevertheless interrelated. In the present case, data collection – which is governed by separate provisions – must be distinguished from the provisions on retention and further use of personal data (cf. BVerfGE 65, 1 <43> – Census; 120, 351 <361> – Data collection regarding foreign fiscal relations; and BVerfGE 155, 119 <167 para. 92 f.> – Subscriber data II), which are set out uniformly under the general heading of ‘further processing’. The use of previously collected data for purposes other than those for which it was originally collected gives rise to a new interference with fundamental rights and must be separately justified under constitutional law in accordance with the principle of purpose limitation (cf. BVerfGE 141, 220 <324 para. 277, 327 para. 285>). The principle of proportionality gives rise to requirements regarding transparency, individual legal protection and administrative oversight (cf. BVerfGE 141, 220 <282 para. 134> with further references; established case-law), which need not be reviewed here, as these were not challenged. Data security must also be guaranteed (cf. BVerfGE 155, 119 <182 para. 135>).

91

b) When assessing proportionality in the strict sense (criterion of appropriateness), it must be considered that it falls to the legislator to reconcile the severity of the interferences with the fundamental right to informational self-determination of potentially affected person under review and the state’s duty to protect the fundamental rights of others (cf. BVerfGE 141, 220 <267 para. 98>). On the one hand, the legislator must take into account the severity of interference resulting from the challenged powers to collect and further process personal data, which can be considerable. Some data collection measures can intrude deeply into the private sphere. Further processing of such data can create knowledge about individuals that, in temporal terms, goes beyond the original purpose for which the data was collected and allow for the linking of data. This may result in sensitive circumstances relating to the right of personality being affected; the great severity of interference arising therefrom must be taken into account in the balancing of interests. On the other hand, the legislator must ensure the effective protection of [other] fundamental rights and the legal interests of citizens. In this regard, it must be taken into account that the constitutional order, the existence and security of the Federation and of the Länder, and life, limb and liberty of the person are protected legal interests of significant constitutional weight. The security of the state, as a constituted power of peace and order, as well as the security of the citizens it is bound to protect – while respecting the dignity and the intrinsic value of the individual – are legal interests that are accorded special significance under constitutional law (cf. BVerfGE 154, 152 <249 para. 163>); they are equal to other constitutional values of high standing. In view of this, the state has a duty to protect the life, physical integrity and liberty of the individual, which means in particular that the state must ensure protection against unlawful interferences by others (cf. BVerfGE 141, 220 <267 f. para. 100>; established case-law; regarding the relationship between freedom and security cf. BVerfGE 154, 152 <226 para. 108>).

92

2. Furthermore, all challenged powers must be measured against the principle of specificity and legal clarity, which serves to make interferences foreseeable for citizens, to effectively limit public authorities’ powers and to enable effective judicial review (cf. BVerfGE113, 348 <375 ff.>; 156, 11 <44 para. 85>; 162, 1 <95 para. 199>; established case-law).

93

The requirement of specificity mainly serves to ensure that the law subjects the government and administration to standards that direct and limit their actions, and that the lawfulness of those actions can be effectively reviewed by the courts. The legislator must draft laws as specifically as possible, taking account of the particular nature of the underlying subject matter and the purposes pursued (cf. BVerfGE 145, 20 <69 f. para. 125> with further references). It is sufficient that, when interpreting the relevant provision in line with the accepted rules of interpretation, it is possible to determine whether the actual conditions that trigger the legal consequence laid down in the provision have been met. Any remaining uncertainties must not be so great that the predictability and justiciability of the actions taken by the public authorities that have been granted powers by the legal provision are at risk (cf. BVerfGE 134, 141 <184 para. 126>; 156, 11 <44 f. para. 85 ff.> with further references).

94

With regard to legal clarity, the primary focus is on the substantive comprehensibility of legislation, in particular so as to allow citizens to adapt to the possibility of onerous measures being taken against them (cf. BVerfGE 145, 20 <69 f. para. 125>). Because the administrative authorities, police and intelligence services restrict fundamental rights in this context without citizens having knowledge thereof and often without them having access to judicial review, it must be possible for the content of an individual provision to be determined in a comprehensible manner and without any major difficulty by way of interpretation. While it may be possible to determine a provision’s substance by interpreting it, or while the provision may be open to an interpretation in conformity with the Constitution, and the provision may therefore be specific in constitutional terms, this does not necessarily mean that it is clear to its addressees (cf. BVerfGE 162, 43 <83 para. 111>; 165, 1 <54 f. para. 97>; established case-law).

95

When data is collected and processed covertly, particularly strict requirements of specificity and legal clarity apply. The requirements vary depending on the severity of interference in each case and are thus closely linked to the respective substantive requirements of proportionality (cf. BVerfGE 141, 220 <265 para. 94>; 155, 119 <181 para. 133>; 162, 1 <95 para. 200, 125 f. para. 273> each with further references; established case-law). For covert measures capable of reaching deep into the private sphere, the specificity requirements are strict (cf. BVerfGE 162, 1 <95 para. 200>). This reflects the fact that protection can only be effectively guaranteed against data collection and processing activities by the state if the underlying legislative framework is sufficiently specific. Affected persons are typically unaware that they are being targeted by covert surveillance measures and are thus seldom able to take legal action to defend themselves. As a result, the contents of the relevant legislation can only be specified to a limited degree through the interplay of practical application and judicial review, and the legislator must compensate for this by ensuring that the provisions in question are sufficiently specific (cf. BVerfGE 162, 1 <95 para. 200, 125 f. para. 273> with further references).

IV.

96

The specific design of § 45(1) first sentence no. 4 of the Act does not satisfy these constitutional requirements.

97

The provision authorises the Federal Criminal Police Office to carry out covert surveillance measures vis-à-vis persons who are not themselves suspected of terrorist activities, but who are linked to a person responsible for a danger (contact persons). It permits the use of the special means listed in § 45(2) of the Act, such as long-term observations or the use of confidential informants or undercover investigators. § 45(1) first sentence no. 4 of the Act makes reference to § 39(2) no. 2 of the Act for the detailed requirements applicable to such surveillance measures. That provision sets out criteria for the link between the contact person and the person responsible; with regard to the latter, it makes reference to § 39(2) no. 1 of the Act.

98

The interferences with the fundamental right to informational self-determination (Art. 2(1) in conjunction with Art. 1(1) of the Basic Law) permitted by the provision can be considerable (see 1. below). In principle, the use of special means of data collection, including vis-à-vis contact persons, may be constitutionally justified when undertaken to avert sufficiently serious dangers. However, the threshold for interference provided for in § 45(1) first sentence no. 4 of the Act ultimately does not satisfy the requirements of proportionality in the strict sense (see 2. below).

99

1. § 45(1) first sentence no. 4 and § 45(2) of the Act authorise the Federal Criminal Police Office to engage in interferences with the fundamental right to informational self-determination (Art. 2(1) in conjunction with Art. 1(1) of the Basic Law) that vary in severity. While the interference resulting from the taking of isolated photographs or simple observation for a limited period might be less severe, measures such as the long-term covert audio and video recording of a person typically constitute interferences of considerable severity (cf. BVerfGE 141, 220 <290 para. 160>; 165, 1 <48 para. 88>). Particularly when the measures permitted by § 45(2) of the Act are used in combination with the aim of registering and recording audio and video of as many of the target person’s statements and movements as possible, they can reach deep into the private sphere and thus give rise to interferences of particular severity (cf. BVerfGE 141, 220 <286 f. para. 149 ff.>; 162, 1 <160 f. para. 357>). The use of confidential informants and undercover investigators can also be very serious, including in view of its associated exploitation of trust (cf. BVerfGE 141, 220 <289 f. para. 160>; 162, 1 <153 f. para. 340 f., 158 para. 351>). The severity of interference is mitigated by the fact that the surveillance powers under § 45 of the Act are subject to a time limit. § 45(5) third sentence of the Act provides for a time limit of a maximum of one or three months for judicial warrants issued under § 45(3) of the Act. While the warrants can be extended an unlimited number of times, this requires a separate judicial authorisation in each case (§ 45(5) third sentence of the Act).

100

2. § 45(1) first sentence no. 4 of the Act does not satisfy the constitutional requirements corresponding to this severity of interference. The provision does serve a legitimate aim and is suitable and necessary for achieving this aim (see a) below). However, it is incompatible with the special requirements arising from the principle of proportionality in the strict sense regarding the necessary threshold for interference (see b) below). This cannot be remedied through an interpretation in conformity with the Constitution (see c) below). This assessment is not altered by the requirement of prior judicial authorisation (see d) below).

101

a) The power set out in § 45(1) first sentence no. 4 of the Act serves a legitimate aim. It provides the Federal Criminal Police Office with the possibility of conducting surveillance measures in order to perform its task of averting dangers from international terrorism. The term ‘international terrorism’ is defined by means of the description laid down in § 5(1) second sentence of the Act and by means of that provision’s reference to § 129a(1) and (2) of the Criminal Code (Strafgesetzbuch – StGB); it is limited to specifically defined criminal offences of particular weight in keeping with the Constitution-amending legislator’s intent underpinning the insertion of Art. 73(1) no. 9a into the Basic Law (cf. BTDrucks 16/813, p. 12). Crimes that qualify as terrorism in this sense aim to destabilise society and, to this end, comprise attacks on the life and limb of third parties in a ruthless instrumentalisation of others. They are directed against the pillars of the constitutional order and society as a whole (cf. BVerfGE 141, 220 <266 f. para. 96 f.>). Providing effective surveillance measures for averting terrorist dangers constitutes a legitimate aim and is of great significance for the free democratic order (cf. BVerfGE 133, 277 <333 f. para. 133>).

102

The surveillance power challenged here is suitable for achieving this aim. It provides the Federal Criminal Police Office with the possibility of conducting surveillance measures that can be conducive to countering the dangers posed by international terrorism. The power is also necessary. It is not ascertainable that there are less restrictive means that could provide equally effective protection against international terrorism. At the same time, it must be ensured, in each individual case, that these powers only be exercised in accordance with the principle of suitability and necessity (cf. BVerfGE 141, 220 <266 f. para. 97>).

103

b) § 45(1) first sentence no. 4 of the Act is nevertheless incompatible with the special requirements arising from the principle of proportionality in the strict sense regarding the justification of covert surveillance measures conducted by the police. Even the threshold for interference for persons responsible under police law provided for in § 39(2) no. 1 of the Act could not justify covert surveillance using the especially intrusive means set out in § 45(2) of the Act. Thus, there is no basis whatsoever for the use of such intrusive surveillance methods on contact persons, who are not themselves responsible for the danger, but only have a link to a responsible person.

104

aa) The requirements of proportionality in the strict sense corresponding to the severity of interference resulting from the covert surveillance powers concern both the legal interest to be protected by the surveillance and the so-called threshold for interference, i.e. the grounds for the surveillance (cf. also BVerfGE 141, 220 <269 para. 104, 270 f. para. 106 ff., 271 ff. para. 109 ff.>; 162, 1 <84 f. para. 174>), which is the only aspect challenged in the present proceedings. Even when used with regard to a person responsible for a danger, the exercise of an intrusive covert surveillance power such as the one challenged here requires at least a sufficiently identifiable danger (konkretisierte Gefahr) to a legal interest of sufficient weight (see (1) below). If surveillance using such means is conducted on contact persons associated with the responsible person, then there must additionally exist a specific and individual link between the persons affected and the danger to be investigated (see (2) below).

105

(1) When it comes to public security measures, the collection of data by means of covert surveillance using particularly intrusive means is generally only proportionate in the strict sense if there is a sufficiently specific and foreseeable danger to the legal interests to be protected in the individual case and if the person targeted by these measures appears, from the perspective of a reasonable observer examining the objective circumstances, to be involved therein (cf. BVerfGE 141, 220 <271 para. 109>). To be justified under constitutional law, such measures require either a specific danger (konkrete Gefahr) or at least a sufficiently identifiable danger to a legal interest of sufficient weight (cf. in this regard BVerfGE 141, 220 <271 ff. para. 111 ff.>).

106

In order for a sufficiently identifiable danger to be present, there must be at least factual indications that a specific danger to the protected legal interests may arise. Assumptions based on general experience alone are not sufficient to justify an interference. Rather, specific facts must be established that, in the individual case, support the prognosis that a chain of events leading to a violation of one of the protected legal interests will occur and that the violation can be attributed to the person responsible. A sufficiently identifiable danger in this sense may already exist even where the causal chain leading to the damage is not yet foreseeable with sufficient probability, provided that there are specific facts indicating an impending danger to an exceptionally significant legal interest in the individual case (BVerfGE 141, 220 <272 f. para. 112>; 165, 1 <49 ff. para. 90 ff.>; established case-law).

107

Two conditions must generally be met in this regard: Firstly, it must at least be possible to determine, based on the facts, the type of incident that might occur, and that it will occur within a foreseeable timeframe; secondly, the facts must indicate the involvement of specific persons whose identity is known at least to such an extent that the surveillance measure can be targeted at and, for the most part, limited to such persons (BVerfGE 141, 220 <272 f. para. 112> with further references). Terrorist crimes in particular are often planned far in advance and carried out by individual actors who have no criminal record, and it is often not foreseeable where and how they will be carried out; consequently, the requirements regarding the ability to identify possible incidents can be reduced, provided that there is more precise information regarding the persons involved. In this context, surveillance measures may be authorised even in cases where it is not possible to determine the specific type of incident or the timeframe in which it might occur, but the individual conduct of a person establishes the specific probability that they will commit some form of terrorist act in the not so distant future (cf. BVerfGE 141, 220 <272 f. para. 112>; 165, 1 <50 f. para. 91>). For example, this might be the case where a person enters the Federal Republic of Germany after having attended a terrorist training camp abroad (BVerfGE 141, 220 <272 f. para. 112>).

108

By contrast, the severity of interference resulting from covert police surveillance is not sufficiently taken into account where statutory provisions authorise the measure on grounds so precautionary in nature that it is no longer necessary that the existence of a specific danger to the protected legal interests be foreseeable at all, even with regard to its basic characteristics. Given the severity of interference, shifting the statutory threshold for interference to a purely precautionary stage is incompatible with the Constitution if it means that such measures could be carried out merely on vague indications of possible dangers. At that stage, the meaning of individual pieces of information is often ambiguous. The situation may remain harmless, or it may be the start of a process that results in a specific danger or even a violation of protected legal interests. Such an ambiguous situation does not provide sufficient grounds for conducting intrusive covert surveillance measures (cf. BVerfGE 141, 220 <273 para. 113>; 165, 1 <51 para. 92>).

109

(2) Special additional requirements apply with regard to the covert surveillance of contact persons, who are not themselves responsible for a danger under police law. While intrusive surveillance measures that directly target contact persons such as the ones challenged here are not ruled out completely, they are subject to strict proportionality requirements and require that those affected have a specific and individual link to the danger that serves to justify the surveillance of those responsible (cf. BVerfGE 141, 220 <273 f. para. 114 ff., 291 ff. para. 167 ff.>).

110

Notwithstanding the criterion of a specific and individual link, which is not challenged in the present proceedings, the surveillance of contact persons requires that comparable surveillance of the person responsible for the danger in question would be permissible. Otherwise, there is no sufficient danger to investigate. Thus, if even responsible persons would not be subject to intrusive surveillance measures, there is no basis whatsoever for such surveillance to be directed at contact persons.

111

bb) § 45(1) first sentence no. 4 of the Act does not satisfy these requirements for the threshold for interference, as it lacks the necessary link to the danger of the person responsible referenced therein; there is therefore no basis whatsoever for surveillance directed at contact persons who are not responsible for the danger.

112

The provision permits data collection regarding a contact person within the meaning of § 39(2) no. 2 of the Act if the contact person has a specific link to a person responsible for a danger and averting the danger or preventing the crime would otherwise be futile or considerably more difficult. § 39(2) no. 2 of the Act thus makes reference to a responsible person within the meaning of § 39(2) no. 1 of the Act. Under the latter provision, the collection of personal data is permitted if there are facts that give rise to the assumption that this person ‘intends to commit an offence pursuant to § 5(1) second sentence and the collected data is necessary to prevent this offence’. These requirements, which even according to the legislative approach were only intended to apply to less intrusive forms of data collection, fall far short of the requirements laid down in § 45(1) first sentence nos. 1 through 3 of the Act relating to data collection by special means to be used against persons responsible for a danger. In particular, with regard to the person responsible within the meaning of § 39(2) no. 1 of the Act – as compared to the person responsible within the meaning of § 45(1) first sentence of the Act, there is no requirement that ‘specific facts must give rise to the assumption that they [the person in question] will, in the not so distant future, commit a criminal offence within the meaning of § 5(1) second sentence of the Act and it is at least possible to determine the type of this act’ (no. 2), nor is there a requirement that ‘their individual conduct establishes the specific probability that they will commit a criminal offence within the meaning of § 5(1) second sentence in the not so distant future’ (no. 3).

113

c) It is not possible to derive a threshold for interference that would be sufficient for such intrusive measures from § 45(1) first sentence no. 4 of the Act by way of an interpretation in conformity with the Constitution (regarding the general prerequisites and limits of such an interpretation BVerfGE 122, 39 <60 ff.>). In particular, the reference in § 45(1) first sentence no. 4 of the Act cannot, contrary to the Federal Government’s view, be interpreted to the effect that the provision relates to a person responsible for a danger within the meaning of § 45(1) nos. 1 to 3 of the Act and only adopts the criteria for a link to the offence as set out in § 39(2) no. 2(a) to (c) of the Act. In order to make such an interpretation, all constitutional requirements would need to be fulfilled. This includes the requirement that a constitutional threshold for interference can be derived from the provision in accordance with the principle of specificity and legal clarity.

114

aa) The unequivocal wording of the provision is itself sufficient to preclude the derivation of such a threshold for interference. A systematic interpretation does not lead to a different conclusion. That the groups of addressees of § 45(1) first sentence nos. 1 to 4 of the Act are linked through a common constituent element (‘if averting the danger or preventing the offences in any other way is futile or considerably more difficult’) does not merit the conclusion that no. 4, as one group of addressees, is also intended to refer to the other groups of addressees in nos. 1 to 3. Nor can such a connection be established by the systematic link between § 39 of the Act, as a general power to collect personal data, and § 45 of the Act, as a specific provision governing special means of data collection. This applies all the more so given that, in other provisions of the Federal Criminal Police Office Act, the legislator clearly set out the link to the person responsible (cf., e.g., § 47(2) no. 3 of the Act, § 65(1) no. 3 and § 19(1) first sentence no. 3 of the Act).

115

The legislative intent – which was only to make editorial changes compared to the old version (cf. BTDrucks 18/11163, p. 113 f.) – is therefore not sufficiently reflected in the provision ([…]).It may be true that the limited significance of the reference is known to the Federal Criminal Police Office and the provision is applied in practice in keeping with this limitation. However, the constitutional assessment must be based on the scope of the power as set out in the law, not on the authority’s (current) administrative practice (cf. also BVerfGE 162, 1 <147 para. 326>). Under constitutional law, the exercise of surveillance powers that significantly affect fundamental rights requires a sufficient link to statutory requirements determined in a democratic legislative process (cf. BVerfGE 154, 152 <238 f. para. 139>; 162, 1 <97 para. 203 f.; 144 f. para. 322>).

116

bb) Deriving a constitutional threshold for interference from the provision by way of interpretation would be incompatible with the principle of specificity and legal clarity that applies to covert surveillance measures. Since § 45(1) first sentence no. 4 of the Act allows covert data collection measures that can reach deep into the private sphere, particularly strict requirements apply in this regard. As affected persons are typically unaware that they are being targeted by covert surveillance measures and such measures are therefore seldom challenged, the contents of the relevant legislation can only be specified to a limited degree through the interplay of practical application and judicial review, and the legislator must compensate for this by ensuring that the provisions in question are sufficiently specific (cf. BVerfGE 162, 1 <126 para. 273>; see para. 95 above). An interpretation that would correct the wording of the provision in question would not satisfy this requirement.

117

d) The requirement of prior judicial authorisation, laid down in § 45(3) of the Act for most constellations, is not capable of compensating for the deficiencies arising from a threshold for interference that is too unspecific or too low (cf. BVerfGE 110, 33 <67 f.>; 120, 274 <331 f.>).

V.

118

Insofar as the constitutional complaint challenges § 16(1) of the Act, there are ultimately no constitutional concerns regarding this provision.

119

§ 16(1) of the Act authorises the Federal Criminal Police Office to further process personal data in its own information system, insofar as is necessary to perform its tasks and insofar as the Federal Criminal Police Office Act does not impose other special requirements.

120

Unlike the term ‘processing’ (cf. § 46(2) of the Federal Data Protection Act and Art. 3 no. 2 of Directive 2016/680/EU), the term ‘further processing’ has no statutory definition in the Federal Criminal Police Office Act or in the general data protection framework. In relation to general data processing powers (chapter 2), the Federal Criminal Police Office Act distinguishes between data collection (§ 9 through § 11 of the Act), further processing of data (§ 12 through § 24 of the Act) and data sharing (§ 25 through § 28 of the Act). According to the wording and systematic approach of the Act, the term ‘further processing’ does not encompass data collection and data sharing, which have separate provisions ([…]). This systematic concept is also reflected in the explanatory memorandum to the draft act. […]

121

Further processing under § 16(1) of the Act is subject to the standard in § 12 of the Act. The challenge solely concerns the further processing of personal data that was previously collected by the Federal Criminal Police Office using particularly intrusive means within the meaning of § 45 of the Act and is processed by the Federal Criminal Police Office to perform its task of averting dangers from international terrorism under § 5 of the Act. The complainants only challenge the further processing of data that is subject to § 12(1) of the Act – that is, the further processing of data for the purposes for which it was originally collected.

122

In this regard, the power authorises considerable interferences with the fundamental right to informational self-determination (Art. 2(1) in conjunction with Art. 1(1) of the Basic Law). Nevertheless, it satisfies the constitutional requirements of proportionality in the strict sense applicable to the further use of data.

123

1. § 16(1) of the Act, to the extent it has been challenged, does increase the severity of interference, in that the processed data was previously collected using intrusive surveillance methods as listed in § 45(2) of the Act (see a) below). Yet the severity of interference is not further increased by any use of particularly intrusive processing methods, such as automated data analysis based on algorithms; rather, the severity of interference is reduced, as the present proceedings only concern processing in line with the original purpose that is subject to § 12(1) of the Act (see b) below).

124

a) The severity of interference resulting from powers for the further processing of data depends, firstly, on the severity of the interferences resulting from the data collection measures preceding them (cf. BVerfGE 165, 363 <390 para. 54>). The severity of interference becomes greater, the more intrusive the underlying data collection measure (regarding differentiations based on the severity of interference cf. BVerfGE 141, 220 <269 f. 105 ff.>). In the present case, the severity of interference is increased by the fact that the Federal Criminal Police Office initially collected the personal data using covert measures, which can reach deep into the private sphere and affect legitimate expectations of confidentiality. While the severity of interference resulting from the various data collection powers varies, it is generally at least considerable (cf. BVerfGE 141, 220 <264 f. para. 92>; cf. in this regard para. 99 above).

125

b) A further significant aspect for determining the severity of interference is the question how the data is used, particularly the ways in which the personal information obtained is subject to further use and the potential consequences for those affected (cf. BVerfGE 65, 1 <45 f.>; 155, 119 <178 f. para. 129>; 165, 363 <407 f. para. 99> with further references). In this respect, the severity of interference resulting from § 16(1) in conjunction with § 12(1) of the Act is limited by the fact that the provision only allows further processing of the data in line with the purposes for which it was originally collected.

126

Conversely, the provision does not authorise particularly intrusive processing methods that could increase the severity of interference. It is true that based on the wording, the term ‘further processing’ alone does not, from the outset, rule out particularly intrusive methods of analysis. Nor does the legislator’s notion of the extent of a conferred power determine the severity of the resulting interference (cf. BVerfGE 162, 1 <147 para. 326>). That said, the legislator clearly worded § 16(1) of the Act as a general power (cf. BTDrucks 18/11163, p. 97: ‘fundamental provision’, Grundnorm; […]), the applicability of which is expressly limited by its last half-sentence, which provides that where specific powers for the further processing of data exist, these take precedence; such specific powers in turn can be subject to, and restricted by, separate requirements. This legislative technique is common in general police law with regard to openly worded general powers under police and disciplinary law; its basic premise is not objectionable under constitutional law.

127

However, such an openly worded general clause generally may not be the basis for interferences of increased severity, which require the conferral of a specific statutory power. For instance, measures of automated data analysis and interpretation are measures that require the conferral of a specific statutory power in view of the special justification requirements under constitutional law, as they give rise to separate interferences of great severity (cf. BVerfGE 165, 363 <389 f. para. 54, 395 para. 66 ff., 400 para. 77>). This is because automated data analysis and interpretation can generate broader and deeper personal information, it may be prone to errors and discrimination and make it difficult to scrutinise the connections made by the software (regarding the risks and potential BVerfGE 165, 363 <400 ff. para. 77 ff.>). It must therefore be assumed that § 16(1) of the Act does not encompass methods of data processing that give rise to separate fundamental rights interferences of such severity.

128

2. When construed in this manner, § 16(1) in conjunction with § 12(1) first sentence of the Act satisfies the constitutional requirements. The power serves a legitimate aim and is suitable and necessary for achieving this aim (see a) below). It is also compatible with the requirements of proportionality in the strict sense applicable to the further processing of personal data in line with the original purpose (see b) below).

129

a) § 16(1) in conjunction with § 12(1) first sentence of the Act serves a legitimate aim. The provision authorises the Federal Criminal Police Office to use personal data it has collected to avert dangers posed by international terrorism, within the meaning of § 5(1) second sentence of the Act, to perform the same task. Just like the providing of effective means of investigation, the possibility of further processing data, too, constitutes a legitimate aim and is of great significance for the free democratic order (see para. 101 f. above; cf. BVerfGE 133, 277 <333 f. para. 133>).

130

The power is also suitable as it can help effectively address the dangers posed by international terrorism by allowing for the use of the intelligence obtained as a starting point for further investigations. Moreover, the power is necessary given that the further processing of data in line with its original purpose can generate relevant intelligence to avert international terrorism that could not be obtained by other, less intrusive means.

131

b) § 16(1) in conjunction with § 12(1) first sentence of the Act is also compatible with the principle of proportionality in the strict sense. The severity of interference for affected individuals must be balanced against the significant public interest in the effective further processing of data to investigate and combat international terrorism.

132

The requirements regarding the constitutional justification of further processing arising from its severity of interference are determined, as a starting point, by the severity of interference associated with the original collection of data; in this respect, the principles of purpose limitation and change in purpose apply (cf. BVerfGE 141, 220 <324 para. 276>; 165, 363 <390 para. 54>). This generally ensures that the fundamental rights interference resulting from the further processing of previously collected data is proportionate in the strict sense (cf. BVerfGE 165, 363 <397 para. 70>). In the present case, there are no additional justification requirements, which would be warranted if particularly intrusive processing powers were involved (cf. BVerfGE 165, 363 <389 f. para. 54, 395 f. para. 66 ff.>).

133

aa) If the legislator permits the use of data beyond the specific grounds that prompted and justified the original data collection, it must create a separate statutory basis to that end (cf. BVerfGE 141, 220 <324 para. 277>; established case-law). In particular, it can then permit the further use of the data in line with the purpose for which it was originally collected. Such further data use can be based on the reasons justifying the data collection in the first place and is then not subject to the constitutional requirements applicable to a change in purpose, but merely to those applicable to further use in line with the original purpose (cf. BVerfGE 141, 220 <324 ff. para. 278 ff.> with further references; 162, 1 <107 para. 227>; 165, 363 <390 f. para. 57>).

134

The permissible scope of such use depends on the statutory authorisation for the original data collection. The respective statutory basis determines the authority that is authorised to collect the data, as well as the purposes and conditions of data collection, thereby defining the permissible scope of use. Thus, the use of the resulting information is not just limited to certain abstractly defined public tasks, it is actually subject to a purpose limitation determined by the collection purpose set out in the relevant statutory basis authorising the respective data collection. For that reason, further use of the data within the scope of the purpose for which the data was originally collected is only permissible if the data is used by the same authority in relation to the same task and for the protection of the same legal interests as was the case with regard to the data collection. If the original authorisation to collect data is restricted to the purpose of protecting specified legal interests or preventing specified criminal offences, this purpose limits both the scope of immediate data use and the scope of further data uses, even if the data is still handled by the same authority. Other uses are only permissible if there is a separate statutory basis authorising such a change in purpose (cf. BVerfGE 141, 220 <324 f. para. 279>; 165, 363 <390 f. para. 57>).

135

In principle, the purpose limitations that must be observed by the same authority whenever it makes further use of collected data while acting within the same remit for the protection of the same legal interests and for the prosecution or prevention of the same criminal offences do not include the relevant thresholds for interference – this holds true for the threshold of a sufficiently identifiable danger as is required for public security measures, and the threshold of a qualified suspicion of criminal conduct (qualifizierter Tatverdacht) as is required in the context of law enforcement. While the requirement of a sufficiently identifiable danger or a qualified suspicion of criminal conduct determines the permissible grounds of data collection, it does not determine the purposes for which the collected data may be used (cf. BVerfGE 141, 220 <325 para. 280>). For that reason, it does not from the outset run counter to the principle that data be used only in accordance with the purpose for which it was originally collected if the authority in question is allowed to use the data for the same task when it provides leads for further investigations (Spurenansatz), without having to fulfil additional statutory requirements. The authority may use the information thus obtained – either by itself or in combination with other available information – as a starting point for further investigations to protect the same legal interests in the context of the same task, independent of specific dangers or specific leads. This takes account of the fact that the generation of knowledge – not least when aiming to understand terrorist structures – cannot be reduced to an exercise of merely adding up isolated data points, with formal legal criteria determining which items may be considered and which ought to be disregarded. It does not create an opening for purely speculative uses of data, because using the data to provide leads for further investigations is still sufficiently linked to the tasks decisive for the original data collection and to the requirements concerning the legal interests to be protected. There is no need for the legislator to provide for further restrictions in this regard (cf. BVerfGE 141, 220 <325 f. para. 281>; 165, 363 <391 para. 58>). Compliance with the constitutional principle of purpose limitation ensures that there are sufficient grounds for interference (cf. BVerfGE 165, 363 <412 para. 108>). While the use of data as leads for further investigations can be allowed even if there is merely potential information to be obtained (cf. BVerfGE 141, 220 <337 para. 313>), it must always be based on a case-by-case assessment and may not serve to generate entirely new factual indications of future criminal offences on a purely speculative basis (cf. BVerfGE 165, 363 <432 para. 158>). These requirements are necessary, but generally also sufficient, to legitimise further use of the data in accordance with the principle of purpose limitation (BVerfGE 141, 220 <326 para. 282>).

136

Although not at issue here due to the limited challenge in the present proceedings, the principle of purpose limitation does give rise to more stringent requirements with regard to data obtained from the surveillance of private homes and remote searches of information technology systems. Any further use of such data, including by the same authority acting within the same remit for the protection of the same legal interests and for the prosecution or prevention of the same criminal offences, only satisfies the purpose limitation requirements if this further use is necessary to avert an acute danger (dringende Gefahr) (cf. in this regard BVerfGE 162, 1 <134 para. 297> with further references) or at least a sufficiently identifiable danger in the individual case (cf. in this regard BVerfGE 141, 220 <272 f. para. 112>), in keeping with the prerequisites applicable to the original collection of such data (cf. BVerfGE 141, 220 <326 para. 282>; 165, 363 <392 para. 59>).

137

bb) The legislator may also permit further uses of data for purposes other than those for which it was originally collected (change in purpose). Since this amounts to an authorisation to use the data for new purposes, it is subject to the constitutional requirements that apply to the further use of data for changed purposes as formulated in the Federal Constitutional Court’s judgment of 20 April 2016 (cf. BVerfGE 141, 220 <326 ff. para. 284 ff.> with further references; see also BVerfGE 165, 363 <392 ff. para. 60 ff.>).

138

Information obtained from measures constituting particularly intrusive interferences may only be used for particularly weighty purposes. In such cases, the principle of a hypothetical recollection of the data is the applicable standard for the proportionality assessment. According to this principle, the decisive question for data obtained from intrusive surveillance and investigation measures is whether it would hypothetically be permissible, under constitutional law, to collect the relevant data again for the changed purpose using comparably intrusive methods. Thus, a change in purpose requires that the new use of the data serves to protect legal interests or detect criminal offences of such weight that it would be justified under constitutional law to collect the data again using comparably intrusive methods as the original data collection. However, in terms of the degree of specificity required for establishing the existence of a danger or the suspicion of criminal conduct, i.e. in terms of the threshold for interference, the requirements applicable to a change in purpose are not always the same as the requirements applicable to the original data collection. Under constitutional law, it is necessary, but generally also sufficient, that the data provides a specific basis for further investigations (cf. BVerfGE 141, 220 <327 ff. para. 284 ff.>; 165, 363 <393 para. 61 f.>).

139

A specific basis for further investigations (konkreter Ermittlungsansatz) in this sense is a factual basis for a conclusion in the individual case which must arise from the data – either by itself or in combination with other information available to the authority in question (cf. BVerfGE 141, 220 <328 f. para. 289, 336 f. para. 313>). General criminological considerations or experiences by themselves are not sufficient. Rather, the information must yield sufficient factual indications that a criminal offence will be committed or can be exposed (cf. BVerfGE 141, 220 <349 para. 348>). Fact-based leads for further investigations must be sufficiently specific to allow for conclusions regarding a criminal offence of comparable weight as the one for which the data was originally collected, since otherwise compliance with the principles applicable to a change in purpose could not be ensured (cf. BVerfGE 141, 220 <328 f. paras. 289, 336 f. para. 313>). For law enforcement, this requirement essentially corresponds to the criterion of an initial suspicion (Anfangsverdacht) under the law of criminal procedure (cf. BVerfGE 155, 119 <190 para. 153>; […]). For public security, the information must support the assumption of an impending danger (drohende Gefahr) in the individual case, at least in the medium term (cf. BVerfGE 141, 220 <329 para. 289 f.>; […]). But like with the further processing of data for purposes in line with the original purpose, this does not apply to information obtained from the surveillance of private homes or from covert access to IT systems (see para. 136 above; cf. BVerfGE 165, 363 <394 para. 64>).

140

cc) The deletion requirements set by the legislator to ensure that the powers for the further processing of data are used in accordance with the principle of purpose limitation are of particular significance. Providing for deletion requirements forms part of the general proportionality requirements. These serve to ensure that the use of personal data remains limited to the purposes justifying the data processing measures, and that data can no longer be used once these purposes have been achieved (cf. BVerfGE 141, 220 <285 para. 144>). In principle, the collected data must be deleted as soon as it is no longer needed for the specified purposes or for judicial protection of affected persons (BVerfGE 150, 1 <108 para. 222>). The deletion of the data must be documented to ensure transparency and oversight (cf. BVerfGE 141, 220 <285 para. 144>; 154, 152 <264 f. para. 208>).

141

Data that is further processed in line with the purpose for which it was originally collected, too, must in principle be deleted once the specific case for which it was collected has been concluded and the specific purpose underlying the data collection has thus been achieved. Subsequent processing in line with the original purpose is not permissible. This is guaranteed by rules on deletion. It is only possible to refrain from deleting the data upon conclusion of the specific case for which it was collected if the data – either by itself or in combination with other information available to the authority – has in the meantime provided a specific basis for further investigations (cf. BVerfGE 141, 220 <322 f. para. 270>), i.e. if the prerequisites for a change in purpose have been met (see para. 137 ff. above; regarding the exception for precautionary data retention under strict conditions see para. 152 ff.).

142

3. Based on the standards set out above, the processing of personal data previously collected through the particularly intrusive means set out in § 45(2) of the Act in line with the original purpose (‘further use’) under § 16(1) in conjunction with § 12(1) first sentence of the Act satisfies the constitutional requirements when considered together with the statutory deletion requirements.

143

a) The power in question complies with the constitutional requirements regarding data use in line with the original purpose. Insofar as the further processing of personal data that was previously collected under § 45 of the Act is being challenged, the requirements of § 12(1) first sentence of the Act guarantee that the authority that both collects and processes the data is the Federal Criminal Police Office and that further processing is only done to perform the same task (§ 5(1) first and third sentence of the Act) and for the protection of the same legal interests or the prosecution and prevention of the same crimes (§ 5(1) second sentence of the Act).

144

It is not objectionable that § 12(1) first sentence of the Act does not expressly make reference to the use of the data as leads for further investigations or ties data use to another threshold as a minimum requirement. This is because § 16(1) of the Act requires that further processing must be ‘necessary’, which guarantees that the data cannot be used below the threshold of a lead with a sufficient link to the investigation (cf. also BVerfGE 165, 363 <432 para. 158>). The limits to further processing in line with the original purpose laid down in § 12(1) first sentence of the Act also ensure that no purely speculative use of the data is permitted (cf. BVerfGE 141, 220 <325 para. 281>; 165, 363 <412 para. 108>).

145

It is also in line with the constitutional requirements that the Federal Criminal Police Office may continue to further process personal data collected to avert dangers from international terrorism in accordance with these statutory requirements and in line with its original purpose as long as the specific public security case underlying the data collection has not been concluded (cf. regarding the specific deletion requirements para. 148 ff. below). This serves to meet the significant need for effective counter-terrorism measures through the proper determination of the purpose of the measures.

146

The specific purpose can be determined depending on the respective task, the status of the investigation and the degree to which the procedures can be delimited. For terrorist dangers, the purpose of a public security case need not be limited to a criminal offence within the meaning of criminal procedural law (cf. §§ 155 and 264 Code of Criminal Procedure, Strafprozessordnung – StPO), but can also consist of the combating of complex criminal structures – such as the dismantling of a specific terrorist group. That said, such a purpose must always satisfy the requirements laid down in the statutory basis authorising the data collection.

147

According to the results of the oral hearing and the written statements, public security cases are initiated and concluded through formal acts. An ongoing case in the context of the averting of dangers from international terrorism under § 5 of the Act can encompass complex circumstances and continue over a certain period of time, given the particular features of terrorist structures and the practical need to investigate them (cf. BVerfGE 141, 220 <325 f. para. 281>). During an ongoing public security case, the information obtained can serve as the basis for further investigations to protect the same legal interests in relation to the same tasks, which can in particular result in a specific basis for further investigations for the opening of a new security case that satisfies the requirements applicable to further processing for a changed purpose under § 12(2) of the Act.

148

b) By providing for deletion requirements, the legislator has ensured that any further processing pursuant to § 16(1) in conjunction with § 12(1) first sentence of the Act complies with the principle of purpose limitation.

149

The requirements regarding the deletion of personal data pursuant to § 1(1) no. 1, § 1(2) first sentence and § 2 of the Federal Data Protection Act that relate to the challenged provision directly follow from § 75(2) of the Federal Data Protection Act, which is supplemented and specified by § 77 of the Federal Criminal Police Office Act (cf. BTDrucks 18/11163, p. 131). In addition, § 79 of the Federal Criminal Police Office Act has a specific catch-all function for personal data obtained through measures averting dangers from international terrorism or comparable measures ([…]). § 77 of the Federal Criminal Police Office Act and § 75 of the Federal Data Protection Act are national versions of the principles of data minimisation and storage limitation under data protection law, which are set out at EU level in Art. 4(1)(c) and (d) and Art. 16 of Directive 2016/680/EU (cf. BTDrucks 18/11325, p. 119; […]).

150

Under § 77(1) first sentence of the Federal Criminal Police Office Act, § 75(2) of the Federal Data Protection Act and § 79(1) first sentence of the Federal Criminal Police Office Act, personal data must be deleted without delay as soon as it is no longer needed to perform the tasks in question or achieve the purpose underlying the data collection measure. These provisions implement the constitutional principle of purpose limitation and satisfy constitutional requirements (cf. BVerfGE 141, 220 <322 f. para. 270>; 155, 119 <231 f. para. 258 f.>). Accordingly, § 77(1) first sentence of the Act provides for an assessment of necessity on a case-by-case basis, which occurs at the latest periodically in line with deadlines to review whether the data must be deleted (cf. in this regard BVerfGE 141, 220 <323 para. 270>), adherence to which must be ensured through technical measures (§ 77(1) third sentence of the Act).

151

The principle of purpose limitation is sufficiently safeguarded by the latter part of § 79(1) first sentence of the Act. This provision expressly states that data must only be deleted insofar as it is not further processed under the provisions of chapter 2, subchapter 2, of which § 16(1) of the Act forms part. The addition specifies that data is not deleted upon conclusion of the case for which it was collected in case of ‘permissible further processing’ (BTDrucks 18/11163, p. 132; […]), such as further processing in accordance with the requirements applicable to further processing for a changed purpose under § 16(1) in conjunction with § 12(2) of the Act (regarding § 20v(6) first sentence of the Act, old version, cf. BVerfGE 141, 220 <322 f. para. 270>; cf. BTDrucks 18/11163, p. 132). With regard to further use of the data in line with the original purpose under § 16(1) in conjunction with § 12(1) first sentence of the Act, once the specific purpose underlying the data collection has been achieved, it is only possible to refrain from deleting the data if the data gives rise to a specific basis for further investigations for averting dangers from international terrorism (cf. BVerfGE 141, 220 <323 f. para. 270>).

VI.

152

By contrast, § 18(1) no. 2 and § 18(2) no. 1, in conjunction with § 13(3) and § 29 of the Act, insofar as they allow the Federal Criminal Police Office to store previously collected basic personal data in the police information network, do not satisfy constitutional requirements.

153

§ 18(1) and (2) in conjunction with § 13(3) and § 29 of the Act allow the further processing (regarding the term cf. para. 120) of specified personal data of various categories of persons by the Federal Criminal Police Office to perform its tasks in the police information network under § 2(1) to (3) of the Act. The only aspect under review here is the provision of data to the police information network and not access to such data under § 29(4) second sentence of the Act. § 2(1) to (3) of the Act provide that the Federal Criminal Police Office, in its capacity as the central agency for police information and communications and for the criminal police, supports the federal and Land police forces in the prevention and prosecution of offences affecting more than one Land, offences of international significance or of considerable importance and that it maintains a uniform police information network, in its capacity as a central agency, that serves as a basis for the further processing of data (cf. para. 18 above).

154

Notwithstanding the broad scope of application of § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act, the review in the present case is limited. The present proceedings do not concern the further processing of personal data obtained by surveillance of private homes or remote searches of information technology systems. To what extent such processing adheres to the constitutional requirements regarding the use of personal data following its storage cannot be decided here, given that this was not an admissible challenge in the present proceedings.

155

The retention powers in § 18(1) no. 2 and § 18(2) no. 1 of the Act give rise to interferences with the fundamental right to informational self-determination that can be considerable (see 1. below). The precautionary data retention permitted by this provision can be justified under strict conditions, including a sufficient threshold for data retention. However, in this case, it does not satisfy the constitutional requirements of proportionality in the strict sense (see 2. below).

156

1. § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act authorise the further processing of data that was previously collected or obtained in other ways in the police information network; it thereby gives rise to considerable interferences with the fundamental right to informational self-determination (Art. 2(1) in conjunction with Art. 1(1) of the Basic Law).

157

a) In general, the severity of an interference with the right to informational self-determination primarily depends on the type, scope and possible uses of the data, as well as the risks of abuse. In this regard, it is important how many holders of fundamental rights are affected by impairments, how intense these impairments are, and on what basis they occur, particularly whether the persons concerned have prompted them. The relevant criteria thus include the number of persons affected and the severity of the individual impairments. The severity of individual impairments depends on whether affected persons remain anonymous, what personal information is recorded, and what disadvantages the holders of fundamental rights might face or have reason to fear on account of the measures. Covert measures by the state result in interferences of greater severity, as does the de facto denial of ex ante legal protection and difficulties, or even the impossibility, of obtaining ex post legal protection (cf. BVerfGE 55, 119 <178 para. 129>; 165, 363 <399 para. 76> with further references; established case-law).

158

These general criteria are also significant for determining the severity of interference of the powers to retain personal data on a precautionary basis that are at issue here; in part, they take on a specific form with regard to these powers. Data retention is precautionary in nature, given that the data is not stored for its original collection or generation purposes, and that these purposes are not replaced by a new purpose limitation that would lead to direct further use of the data. The new purposes [of the data retention at issue] are making the data available in case it may be needed for specific purposes in the future. The special feature of this change in purpose is the lack of a direct, specific and use-based purpose at the time of data retention. At the same time, precautionary data retention is characterised by the general feature of any data storage, which is that the affected data has become part of the state sphere prior to its storage, through data collection or in some other way.

159

The severity of interference resulting from the precautionary retention of personal data also depends firstly on the severity of interference resulting from the previous data collection, and thus from the source of the data. The severity of interference becomes greater, the more intrusive the underlying data collection measure (regarding differentiations based on the severity of interference cf. BVerfGE 141, 220 <269 f. 105 ff.>).

160

Secondly, the severity of interference is determined by the type and scope of retained data. The type of data is significant because the use of different kinds of data can, either directly or indirectly, affect personality rights to varying degrees (regarding a differentiation of special categories of personal data cf., e.g. Art. 10 of Directive 2016/680/EU). The less the data to be retained is subject to restrictions in terms of its type and scope, the greater the data volume subject to processing and the greater the severity of interference tends to be (cf. BVerfGE 156, 11, <48 para. 96>; 165, 363 <401 para . 78>;in parallel CJEU, Judgment of 30 January 2024, Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR - Sofia, C-118/22, EU:C:2024:97, para. 63; ECtHR (GC), S. and Marper v. the United Kingdom, Judgment of 4 December 2008, no. 30562/04 inter alia, § 103 f.).

161

The grounds on which the data of affected persons is retained make a significant difference (cf. BVerfGE 165, 363 <399 f. para. 76, 403 para. 84>). If, for instance, information on (potential) unlawful conduct is stored, it must be considered what connection affected persons objectively have to specific wrongdoing and whether and to what extent their own conduct has prompted the interference (cf. BVerfGE 165, 363 <400 para. 77> with further references). The severity of interference resulting from data retention varies if the affected persons have been convicted of a criminal offence, or if they have merely been charged with or suspected of a criminal offence (regarding a distinction between different categories of persons cf., e.g., Art. 6(a) and (b) of Directive 2016/680/EU; with regard to the aspect of disadvantaging cf. also ECtHR (GC), S. and Marper v. the United Kingdom, Judgment of 4 December 2008, no. 30562/04 inter alia, § 122; Peruzzo and Martens v. Germany, Decision of 4 June 2013, Vth Chamber, nos. 7841/08 and 57900/12, § 43 f.).

162

How the personal data obtained is further used and the consequences this can have for those affected is also significant for the severity of interference (cf. BVerfGE 65, 1 <45 f.>; 155, 119 <178 f. para. 129>; 165, 363 <407 f. para. 99> with further references). In case of precautionary data retention, it must be taken into account how the data can potentially be used in the future and how many and which fundamental rights holders are affected by impairments, how intense these impairments are and on what basis they occur. In addition, the special features of precautionary data retention must be considered. Precautionary data retention creates a data pool that is not in itself limited to specific purposes, allows for the linking of data and can point to security-related links in relation to specific persons. This can lead to the creation of comprehensive personality profiles, increasing the likelihood of affected persons being addressed by measures taken by the security authorities. Therefore, the [legislative] regulationof the purposes of data retention influences the severity of interference. The more specific the purposes for which data is retained (retention purposes), the lower the severity of interference.

163

With regard to federal police databases used by various authorities, it must be taken into account which actors are involved, how many are involved and what the prerequisites for access to the data are (cf. BVerfGE 133, 277 <323 para. 112 f.>; 165, 363 <404 para. 89>; ECtHR, Gardel v. France, Judgment of 17 December 2009, Vth Chamber, no. 16428/05, § 70). Retaining the data in an information network which many actors can access increases the severity of interference.

164

Another key factor in determining the severity of interference is the retention period. The longer personal data is retained, and the longer the possibility to use it therefore remains, the greater the severity of the interference with the fundamental right to informational self-determination (cf. BVerfGE 125, 260 <322>).

165

b) Based on these standards, the severity of interference resulting from the retention of personal data under § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act is considerable; in cases where retention and use are not limited, the interference is serious.

166

The fact that precautionary data retention under § 18(1) no. 2 and § 18(2) no. 1 of the Act typically constitutes further processing for a changed purpose increases the severity of interference. This is because in most cases personal data originally collected for other purposes – for the most part by other authorities or by third parties – will be retained for the purpose of preventing and prosecuting criminal offences (regarding the Federal Criminal Police Office’s data collection powers in this regard cf. §§ 9 ff. of the Act). Thus, it increases the severity of interference that data is retained for future, as yet unspecified purposes independent of the original specific purpose underlying the data collection.

167

In the present case, data retention results in interferences of increased severity in view of the source of the personal data concerned, insofar as this data was previously collected using particularly intrusive surveillance measures. While a majority of the data listed in § 18(2) of the Act could also be obtained without intrusive measures, it is not necessarily obtained in such a way.

168

With regard to the type and scope of the personal data to be retained, the severity of interference is limited by the parameters in § 18(2) no. 1 of the Act. Within the scope of the present proceedings, the only data that can be retained from persons charged with a criminal offence is basic data and information concerning the police office keeping the criminal file, the criminal file number, the time and place of the offences and the charges, stating the legal provisions and the precise designation of the offences. The basic data serves identification purposes and therefore includes the name, sex, date of birth, place of birth, nationality and address of affected persons (cf. § 20 second sentence no. 1 of the Act). The retention of this data can affect someone’s personality rights in a not inconsiderable manner, but its impact remains limited.

169

§ 18(1) of the Act also limits the group of persons affected by data retention and distinguishes, at least as a starting point, between different categories of persons. Someone is typically categorised as a person charged with a criminal offence within the meaning of § 18(1) no. 2 of the Act when a law enforcement authority has formally initiated investigations under criminal law against the person concerned, in line with criminal procedural law. Yet a person can also be categorised as charged with a criminal offence based on another act of intent of the law enforcement authorities ([…]). By contrast, the term ‘convicted person’ in § 18(1) no. 1 of the Act is based on Art. 6(b) of Directive 2016/680/EU and corresponds to the convictions governed by § 4 of the Federal Central Criminal Register Act (Bundeszentralregistergesetz), which require that a court has established wrongdoing. Based thereon, it increases the severity of interference resulting from § 18(1) no. 2 of the Act that data concerning persons charged with a criminal offence may, unlike data concerning convicted persons, lack grounds for retention established by a court. In addition, persons charged with a criminal offence may have a considerable information deficit, as they do not necessarily know that data concerning them is collected and further used and that they have been charged with a criminal offence (cf. § 170(2) second sentence Code of Criminal Procedure).

170

Given that precautionary data retention measures are carried out covertly, the possibilities of obtaining ex post legal protection are considerably limited, which increases the severity of interference.

171

Moreover, the far-reaching possibilities of allowing a wide range of authorities to use the retained data must be taken into account when assessing the severity of interference (cf. § 29(3) of the Act). The Federal Criminal Police Office in its capacity as a central agency is essentially limited to a coordinating role (cf. BVerfGE 110, 33 <51>). In this respect, it has not been conferred any public security and law enforcement tasks of the police; rather, the Federal Criminal Police Office merely coordinates these tasks and structures information (cf. BVerfGE 155, 119 <212 para. 209>). Further processing can mean that the Federal Criminal Police Office, in its capacity as a central agency (cf. § 2 no. 1 of the Act) analyses the data and on this basis provides information to law enforcement authorities (cf. § 2 no. 2 of the Act); however, further processing can also be directed at cooperation in the framework of the police information network. In the context of such data sharing, in which the Federal Criminal Police Office takes part in accordance with §§ 29 and 30 of the Act (§ 13(3) of the Act), other security authorities obtain access to what may be a considerable portion of the personal data, subject to the requirements of § 29(4) second sentence of the Act – in particular specific labelling obligations (§ 14 of the Act) and access authorisations (§ 15 of the Act). In this regard, the relaxed access conditions for participating authorities increase the severity of interference. Under § 29(3) of the Act, the following authorities in addition to the Federal Criminal Police Office and the Criminal Police Offices of the Länder can take part in the police information network: other police authorities of the Länder, the Federal Police, the police of the German Bundestag, customs administration authorities charged with border police tasks, the Customs Investigation Offices, the Central Office of the Customs Investigation Service and the units charged with tax fraud investigations of the Land tax authorities. The intelligence services are not authorised to participate.

172

In this framework, even the mere storage of the basic data of a person charged with a criminal offence in the police information network can have adverse consequences for those affected. The storage of this data can be aimed at the direct sharing of information, and such entries can point participating authorities to security-related connections. Thus, such data storage can ultimately lead to operational measures, or at least significantly increase the likelihood of measures being carried out by security authorities against affected persons.

173

Moreover, the specific design of the statutory framework increases the severity of interference, in that the legislator did not provide for differentiated time limits regarding retention periods beyond the general deletion requirements, even though the purpose of retention is the future prevention and prosecution of specific criminal offences. Thus, data can in some cases be retained for very long periods, without a clear differentiation based on the significance of the criminal offences to be prevented or investigated.

174

2. In view of this considerable severity of interference, § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act do not satisfy constitutional requirements. The provisions do serve a legitimate aim and are suitable and necessary for achieving this aim (see a) below). Under strict conditions, the precautionary retention of the data covered by the provisions in the police information network can be justified. However, the provisions’ specific design is incompatible with the requirements of proportionality in the strict sense, given that a sufficient threshold for data retention and the necessary rules on retention periods are lacking (see b) below).

175

a) Precautionary data retention must serve a legitimate aim and be suitable and necessary for achieving this aim (cf. para 90).

176

§ 18(1) no. 2 and § 18(2) no. 1 of the Act do serve a legitimate aim. This power allows the Federal Criminal Police Office to duly perform its tasks as a central agency under § 2(1) to (3) of the Act, which are aimed at ensuring effective and swift law enforcement and public security measures by the security authorities (cf. also BTDrucks 18/11163, pp. 2, 76). In the context of these tasks as a central agency, the Federal Criminal Police Office supports police authorities in preventing and prosecuting criminal offences affecting more than one Land, of international significance or of considerable importance (§ 2(1) of the Act). To perform this task, the Federal Criminal Police Office must gather and analyse all information necessary in this regard (§ 2(2) no. 1 of the Act), and advise the federal and Land law enforcement authorities without delay of the information relevant to them and the links identified between offences (§ 2(2) no. 2 of the Act). At the same time, as a central agency it maintains the uniform police information network and takes part in it in accordance with §§ 29 and 30 of the Act (§ 13(3) of the Act). The creation of an information network of federal and Land police forces ensures that information between the security authorities can be shared in a targeted and swift manner (cf. also BTDrucks 18/11163, pp. 2, 76). Within the scope of this purpose, precautionary data retention serves to create the possibility of identifying links between the criminal offences set out in § 2(1) of the Act when they occur over time.

177

The power to further process data under § 18(1) no. 2 and § 18(2) no. 1 of the Act is also suitable and necessary to achieve this legitimate purpose. The provision is suitable for achieving its purpose, given that the prevention and prosecution of criminal offences is facilitated when data and information can be gathered, consolidated and shared effectively among the security authorities that have been granted access. This can address gaps in information that, in a federalised state, cannot and should not be fully resolved at the coordinating level, while still upholding the required organisational framework (cf. BVerfGE 133, 277 <332 f. para. 131>). The precautionary retention of the basic data concerning persons charged with a criminal offence is crucial for the unambiguous, swift and effective identification of the persons concerned (cf. BTDrucks 18/11163, p. 99). The power is also necessary as the cooperation of federal and Land police forces on the basis of the further processing of the data by the Federal Criminal Police Office in its capacity as a central agency could not be achieved equally effectively by other, less intrusive means. In particular, no less restrictive means that is as suitable as the police information network is ascertainable. Data sharing in the individual case, which is also permitted under the statutory framework, or access to other partial databases (such as the Federal Central Criminal Register) are not equally effective. Above all, it is necessary that participating authorities have their own access and processing rights to ensure the quick availability of the data and thereby an effective fight against crime. Since criminal offences affecting more than one Land, of international significance or of considerable importance are sometimes especially difficult to uncover due to the complex circumstances under which they occur, the effective performance of the security authorities’ tasks depends in particular on important information held by one authority being made available to other authorities and on combining and matching various data from vague individual findings to generate meaningful information and situation reports (cf. BVerfGE 133, 277 <333 para. 132>).

178

b) Nevertheless, the specific design of data retention under § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act is incompatible with the requirements of proportionality in the strict sense.

179

aa) The principle of proportionality in the strict sense requires that, in an overall assessment, the severity of legislative fundamental rights restrictions not be disproportionate to the weight of the reasons invoked to justify such restrictions (cf. BVerfGE 141, 220 <267 para. 98>; 148, 40 <57 f. para. 49>). In this respect, an appropriate balance must be struck between the severity of interference resulting from the statutory provisions and the legislative aim pursued, and between the conflicting interests of the individual and the general public (cf. BVerfGE 100, 313 <375 f.>; 133, 277 <322 para. 109>; established case-law). The design of the provisions must be such that it takes sufficient account of the severity of interference in a differentiated manner.

180

Precautionary data retention constitutes a change in purpose (see (1) below). It must be tied to a clearly recognisable purpose (see (2) below). Further, the thresholds for interference, in this case in the form of thresholds for data retention, must meet certain requirements (see (3) below). The retention periods must be subject to specific limits in view of the broad aims of data retention. Finally, the legislator must provide clear rules for data use and differentiated organisational and procedural safeguards as well as sufficient possibilities for review.

181

(1) Precautionary data retention constitutes a change in purpose. As an interference with fundamental rights, it requires constitutional justification and, in particular, a statutory basis (cf. BVerfGE 141, 220 <324 para. 277>). A change in purpose may not lead to a circumvention of the constitutional requirements for data sharing, which is subject to the principles of a hypothetical recollection of the data.

182

In order to justify precautionary data retention under constitutional law, the statutory framework must, at a minimum, specify appropriate purposes and thresholds for retention and appropriate retention periods.

183

(2) Decoupling precautionary data retention from the specific purposes underlying data collection and subsequent specific use (para. 158) requires that sufficiently weighty and specified purposes be determined for data retention itself. These purposes must set a fixed framework for future data use. The state may not retain all data that has been lawfully collected or created beyond its primary purpose on the grounds that the data could be needed at some point in the future and that the required protection could be granted by the framework governing permissible future use. It would therefore be impermissible to create a data pool independent of purpose limitations and to let various state authorities make subsequent decisions on the use of such a data pool based on their needs and political discretion. The establishment of such an open data pool without specific purpose limitations would break the required link between data retention and the purpose for which the data is retained, and thus circumvent any purpose limitations, which are the key guarantees of freedom under data protection law. Moreover, citizens would not be able to foresee the scope of such data retention (cf. BVerfGE 125, 260 <345, 355 f.>; 155, 119 <180 para. 131>).

184

(3) In determining the threshold for data retention, the legislator must take into account the source, type and scope of the data; in particular, it must ensure that, in each individual case, data retention is based on the statutory retention purposes. The threshold must ensure, in accordance with the principle of proportionality, that the precautionary retention of personal data is linked to achieving the retention purpose; it must also appropriately address the specific risks of precautionary data retention.

185

When determining this threshold, the source of the data – for example the collection methods used – and the type and scope of the data must be taken into account and considered in relation to the purposes ultimately pursued by data retention. When assessing the appropriateness of the threshold, the particular features of precautionary data retention must be taken into account. In particular, such retention requires a sufficient probability that the retained data will be needed to achieve the purposes ultimately pursued by data retention.

186

For personal data retained for the purposes of preventing and prosecuting criminal offences covered by the retention purpose, this prerequisite is only met if the affected persons are sufficiently likely to be connected to potential crimes in a manner relevant under criminal law and if it is precisely the specific data retained that can make a reasonable contribution to the prevention and prosecution of such crimes. This prognosis must be based on sufficient factual indications. Suitable criteria for prognosis include, in particular, the nature and seriousness of the previous offence and the way it was committed, the personality of the affected person and their previous criminal conduct. Given the general scientific knowledge regarding prognoses for predicting future criminal conduct, it will typically be relevant whether the person concerned has offended repeatedly and how serious the offences were. The time period during which the person concerned was not (or no longer) the object of criminal proceedings will also be relevant (cf. also ECtHR, P. N. v Germany, Judgment of 11 June 2020, Vth Chamber, no. 74440/17, inter alia §§ 76 ff.; CJEU, Judgment of 30 January 2024, Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR - Sofia, C-118/22, EU:C:2024:97, paras. 60 f., 67). Probabilities can be established in relation to the person concerned, to relevant phenomena, or to the offences committed. They could be based on groups of offences or phenomena, such as terrorism, organised crime, smuggling, human trafficking, exploitation, firearms and explosives crime, violent offences/offences constituting a public danger, drug-related crime, cybercrime, crime against property, sexual offences, pharmaceutical crime, counterfeit money crime, money laundering, corruption, economic and environmental crime and politically motivated crime.

187

(4) Moreover, in order for the precautionary retention of personal data to be constitutionally justified, the law must set out an appropriate retention period.

188

In principle, personal data must be deleted as soon as it is no longer needed for the specified purposes or for judicial protection of affected persons (cf. para. 140 f. above). As a starting point, this guarantees that the data is not retained longer than is necessary for the purposes for which it was stored (cf. also CJEU, Judgment of 30 January 2024, Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR - Sofia, C-118/22, EU:C:2020:791, para. 43; Art. 4(1)(e) of Directive 2016/680/EU; ECtHR (GC), S. and Marper v. the United Kingdom, Judgment of 4 December 2008, no. 30562/04 inter alia, § 107) and that retention of the data is limited to a time period that is constitutionally permissible.

189

Permissible retention periods are to be determined primarily by the severity of interference (para. 157 ff.), the strength of the prognosis over time and other aspects arising from the principle of proportionality. In principle, a prognosis becomes less persuasive over time unless new relevant circumstances arise (cf. also CJEU, Judgment of 30 January 2024, Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR - Sofia, C-118/22, EU:C:2024:97, para. 60 f.; ECtHR, Catt v. the United Kingdom, Judgment of 24 January 2019, Vth Chamber, no. 43514/15, §§ 119 f.). Constitutional law requires that powers for precautionary data retention be limited as a compensatory mechanism. Therefore, such powers must be based on a legislative concept that specifies differentiated time limits for assessment and removal of data in accordance with these aspects. Further, precautionary data retention must generally be subject to time limits.

190

It falls to the legislator to enact rules in this regard, including the necessary procedural safeguards, in consideration of its powers to delegate (cf. BVerfGE 150, 1 <96 ff. para. 190 ff.>).

191

(5) For the retention powers to be constitutional, it is essential that they are subject to clear rules on data use (cf. BVerfGE 155, 119 <179 f. para. 130 f.>; 125, 260 <327 f.>), which must comply with the constitutional requirements that apply to the further use of personal data for changed purposes as formulated in the Federal Constitutional Court’s judgment of 20 April 2016 (cf. BVerfGE 141, 220 <326 ff. para. 284 ff.> with further references).

192

Moreover, the principle of proportionality gives rise to requirements regarding transparency, individual legal protection and administrative oversight (see para. 90 above; cf. BVerfGE 141, 220 <282 para. 134> with further references; established case-law) and regarding data security (cf. BVerfGE 155, 119 <182 para. 135>), in particular when it comes to the storage of personal data. For precautionary retention in the police information network, these include clear access rules that ensure that only the police officers responsible for the purpose for which the data was retained have access (cf. in this regard, e.g., § 15(3) second and third sentence of the Act, BTDrucks 18/11163, p. 97).

193

bb) § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act do not satisfy these constitutional requirements. The powers are incompatible with the principle of proportionality in the strict sense. They lack a sufficient threshold for data retention and the required limits on retention periods. There is no need to decide here whether the risks of precautionary retention of personal data collected through particularly intrusive methods have been sufficiently addressed (cf. BVerfGE 141, 220 <323 para. 274>; 133, 277 <373 f. para. 226>).

194

(1) § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act authorise the precautionary retention of personal data without requiring that such retention be limited to its previous purpose. The provisions are a statutory basis for the change in purpose this entails. Insofar as data retention is concerned, this statutory basis in itself does not circumvent the requirements arising from the principle of a hypothetical recollection of data; there is no need to review other types of further processing here.

195

(2) § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act lack a sufficient threshold for the retention of personal data for the purposes of preventing and prosecuting future criminal offences. Under these provisions, merely charging the affected individual with a criminal offence is sufficient to allow for precautionary data retention. In particular, the law does not require that there be an unfavourable prognosis (Negativprognose) regarding the affected person. As uncertainties necessarily exist with regard to the link between the affected person and the criminal offence with which they are being charged, even in cases not covered by § 18(5) of the Act, such status certainly cannot, in and of itself, give rise to a reliable conclusion as to the sufficient probability of a relevant link to future criminal offences that must be prosecuted or prevented.

196

It is true that the legislator has taken into account individual aspects of such a prognosis both for the basic data of suspects and other potential parties to a criminal offence within the meaning of § 18(1) nos. 3 and 4 of the Act and, pursuant to § 18(2) no. 2 of the Act, for further personal data of persons charged with a criminal offence. However, using this threshold for data retention in the present case is ruled out by the legislative intent reflected in the unequivocal wording of the provisions (cf. in this regard Federal Constitutional Court, Order of the First Senate of 21 November 2023 - 1 BvL 6/21 -, para. 67 ff.). Although the Federal Criminal Police Office does consider elements of prognosis prior to conducting data retention in its administrative practice, the constitutional assessment must be based on the scope of the power as set out in the law and not on the authority’s administrative practice (cf. BVerfGE 162, 1 <147 para. 326>).

197

(a) The fact that data retention under § 18(1) no. 2 and § 18(2) no. 1 of the Act requires that its necessity be assessed in the individual case is also not sufficient to satisfy constitutional requirements. Such an assessment is required by § 47 no. 3 of the Federal Data Protection Act, according to which personal data must be necessary, among other criteria, to achieve the purpose of data processing. The assessment of necessity in the individual case forms part of the general principles for the processing of personal data set out in § 47 of the Federal Data Protection Act, which the Federal Criminal Police Office must observe when it further processes personal data, including when it retains such data. […]

198

However, the assessment of necessity in the individual case, which is required in accordance with the aforementioned statutory provisions, cannot sufficiently guarantee that the requirements for an unfavourable prognosis regarding the specific case are observed, given the lack of specific statutory requirements. An assessment of necessity that is not subject to further requirements is too open and does not satisfy the degree of differentiation required under constitutional law.

199

(b) A sufficient threshold for data retention under § 18(1) no. 2 and § 18(2) no. 1 of the Act also cannot be derived from the requirements set out in § 12(2) of the Act. This is because it cannot be inferred from the Act, in line with established methods of interpretation, that the requirements of § 12(2) of the Act apply with regard to the data retention at issue. In contrast to the wording of § 16(1) of the Act, further processing under § 18(1) no. 2 and § 18(2) no. 1 of the Act, in particular the retention of previously collected personal data, is not expressly subject to ‘the requirements of § 12’ of the Act. Nor do systematic considerations suggest that § 12 of the Act is applicable in this case. Moreover, § 12 of the Act is not mentioned in the explanatory memorandum regarding § 18 of the Act (cf. BTDrucks 18/11163, p. 95 ff.). Nor does the claim that the criterion of a hypothetical recollection of the data laid down in § 12(2) of the Act amounts to a general principle which the Federal Criminal Police Office must observe for any type of data processing – regardless of the severity of interference resulting from the original data collection (cf. BTDrucks 18/11163, p. 92) – merit a different conclusion. In particular, it cannot be ascertained that, in the context of the Federal Criminal Police Office’s tasks as a central agency, the legislator intended to make any kind of retention of personal data for a changed purpose contingent on the requirement that a specific basis for further investigations exist.

200

(3) Moreover, the statutory framework lacks a sufficiently detailed legislative concept regarding retention periods. The existing provisions in § 75(2) and (4) of the Federal Data Protection Act and § 77(1) of the Federal Criminal Police Office Act do not satisfy these requirements. Under § 75(2) of the Federal Data Protection Act, personal data must be deleted without delay if its processing is unlawful, if deletion is necessary to comply with a legal obligation, or if knowledge of the data is no longer necessary to perform the tasks in question. Moreover, § 75(4) of the Federal Data Protection Act contains an obligation to provide for appropriate time limits and procedural safeguards to ensure compliance with these time limits. The question of whether retained personal data must be deleted is primarily reviewed by the Federal Criminal Police Office on a case-by-case basis that is not sufficiently guided by the law or by an ordinance.

201

Any rules set out in the Federal Criminal Police Office’s guidelines for a deletion framework, which are classified as for official use only and were not submitted in the present proceedings, cannot alter this deficiency.

202

§ 77(1) first sentence of the Act does provide for deadlines to review deletion requirements. These limits for reviewing whether data must be deleted may not exceed ten years for data concerning adults, with differentiations based on the purpose of retention and the type and severity of the case (cf. § 77(1) second sentence of the Act).

203

However, this alone does not satisfy the requirements for a legislative concept designed by the legislator. It is instead left to the Federal Criminal Police Office to specify the deadlines for assessment and removal of data through its own internal rules. It therefore need not be decided whether the constitutional criteria for determining the limits (cf. para. 189) have been duly reflected.

D.

I.

204

Ultimately, the provisions that were admissibly challenged do not entirely satisfy the constitutional requirements. In this respect, the constitutional complaint is well-founded.

205

Insofar as § 18(1) no. 2 and § 18(2) no. 1 of the Act, in conjunction with § 13(3) and § 29 of the Act, allow the Federal Criminal Police Office, as a central agency, to store data, they are unconstitutional as they lack an appropriate threshold for data retention and sufficient rules on retention periods.

206

§ 45(1) first sentence no. 4 of the Act is unconstitutional as the threshold for interference provided for therein does not satisfy the requirements of proportionality in the strict sense.

II.

207

1. The finding that a statutory provision is unconstitutional in principle results in that provision being declared void. However, pursuant to § 31(2) second and third sentence of the Federal Constitutional Court Act, the Federal Constitutional Court may limit its decision to declaring that an unconstitutional provision is merely incompatible with the Constitution. It then merely objects to the unconstitutional provision without declaring it void. The Court may combine the declaration of incompatibility with a temporary order to continue to apply the unconstitutional provisions. This may be considered in cases where the immediate invalidity of the objectionable provision would eliminate the statutory basis for protecting exceptionally significant interests of the common good, and if a balancing of these interests against the affected fundamental rights requires that the interference be tolerated for a transitional period. During the transitional period, the Federal Constitutional Court may issue interim orders to reduce the powers of the authorities, in line with what appears necessary in light of its balancing, until a situation of constitutional conformity has been established (BVerfGE 141, 220 <351 para. 355> with further references; established case-law).

208

2. a) Based on these standards, § 18(1) no. 2 and § 18(2) no. 1 of the Act are, insofar as, in conjunction with § 13(3) and § 29 of the Act, they allow data to be stored by the Federal Criminal Police Office as a central agency, and § 45(1) first sentence no. 4 of the Act, merely declared incompatible with the Constitution. The grounds for the unconstitutionality of the provisions do not affect the core of the powers granted through the provisions, but merely touch upon individual aspects of their design in light of the rule of law. Under such circumstances, the legislator is given the opportunity to remedy the constitutional concerns and thereby achieve the core of the objectives pursued by the provisions.

209

The declaration that the provisions are incompatible with the Constitution is combined with the order that they are nonetheless to stay in effect on an interim basis until 31 July 2025 at the latest. Given the significance that the legislator may accord to § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act for the exercise of state tasks and given their significance for the prevention and prosecution of certain criminal offences by the security authorities, the provisions shall temporarily continue to apply. The same applies to § 45(1) first sentence no. 4 of the Act in view of the great significance of effectively combating international terrorism for a free and democratic state (cf. BVerfGE 141, 220 <352 para. 357>).

210

b) However, in ordering the continued applicability of the provisions, it is necessary to impose certain restrictions. § 45(1) first sentence no. 4 of the Act continues to apply, subject to the condition that it will only be applied if the person who is – not merely temporarily or accidentally – associated with the [contact] person affected by the measure pursuant to § 45(1) first sentence of the Act (§ 39(2) no. 2 of the Act) meets one of the requirements set out in § 45(1) first sentence nos. 2 to 3 of the Act.

211

§ 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act continue to apply, subject to the condition that the retention of personal data under the provisions is only permitted if a specific unfavourable prognosis has been made that affected persons are sufficiently likely to be connected to potential crimes in a manner relevant under criminal law and if it is precisely the retained data that can make a reasonable contribution to the prevention and prosecution of such crimes. This prognosis must be based on sufficient factual indications.

212

The unfavourable prognosis and the facts on which it is based must be documented by the Federal Criminal Police Office. As the provisions continue to apply for a limited time period, there is no need for a transitional framework setting out appropriate time limits for data retention on the basis of § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act.

213

The continued applicability of the provisions for a transitional period does not predetermine how the legislator should design the new statutory framework.

III.

214

[…]