Constitutional complaint challenging the sharing of personal data collected by domestic intelligence services through covert methods successful

Press Release No. 85/2022 of 03 November 2022

Order of 28 September 2022
1 BvR 2354/13

In an order published today, the First Senate of the Federal Constitutional Court held that the data sharing powers of domestic intelligence services under the Federal Protection of the Constitution Act (Bundesverfassungsschutzgesetz – BVerfSchG) are not compatible with the fundamental right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) of the Basic Law (Grundgesetz – GG). Specifically, this ruling is directed at provisions permitting the sharing of personal data that was obtained by the domestic intelligence services through covert methods. These provisions violate the principles of legal clarity and proportionality. They also lack sufficiently specific documentation requirements. The challenged provisions will remain in force – subject to restrictions to protect the fundamental rights concerned – until 31 December 2023.

Facts of the case:

§ 20(1) first sentence BVerfSchG requires the federal domestic intelligence service, the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz), to share personal data and information with police authorities and public prosecution offices when there are factual indications that the sharing of information is necessary for the prevention or prosecution of offences against state security. § 20(1) second sentence BVerfSchG defines offences against state security as, inter alia, those offences set forth in §§ 74a and 120 of the Courts Constitution Act (Gerichtsverfassungsgesetz – GVG), as well as certain other offences that are directed against the legal interests listed in Art. 73(1) no. 10(b) and (c) GG. Under § 21(1) first sentence BVerfSchG, domestic intelligence services of the Länder have the same powers and obligations to share data as the Federal Office for the Protection of the Constitution under § 20(1) first and second sentence BVerfSchG. These data sharing provisions are also used as a point of reference in the Act Establishing the Standardised Central Database to Combat Violent Right-Wing Extremism (Rechtsextremismus-Datei-Gesetz). The right-wing extremism database is a joint database for police authorities and intelligence services of the Federation and the Länder that serves to facilitate inter-agency requests for information. The database also contains personal data, which may be saved in the database when such data is necessary to combat violent right-wing extremism. The complainant, who was convicted in criminal proceedings relating to the National Socialist Underground, challenges the data sharing powers of the domestic intelligence services and asserts a violation of the fundamental right to informational self-determination.

Key considerations of the Senate:

A. The constitutional complaint is admissible to the extent that it is directed at the data sharing provisions in § 20(1) first and second sentence BVerfSchG and § 21(1) first sentence in conjunction with § 20(1) first and second sentence BVerfSchG. The complainant’s objections concerning data sharing are limited to the sharing of personal data obtained by intelligence services through covert methods.

To the extent that the complainant challenges the general authority of the Federal Office for the Protection of the Constitution set out in § 19(1) first sentence BVerfSchG in the version of 5 January 2007, the constitutional complaint is inadmissible. As this provision is no longer in force following an amendment of the law in 2015, there is no longer any recognised legal interest supporting a constitutional complaint. The complainant failed to timely amend his constitutional complaint to address the current version of this provision.

B. To the extent that the constitutional complaint is admissible, it is well-founded.

I. The sharing of personal data authorised by the challenged provisions directly affects the general right of personality under Art. 2(1) in conjunction with Art. 1(1) GG in its manifestation as the fundamental right to informational self-determination. When a state authority collects personal data and then makes it available to another authority, the sharing of the personal data constitutes a separate interference with fundamental rights independent of the original data collection.

II. Formally, the challenged provisions are compatible with the Constitution. The Federation has the necessary legislative competence. The legislative competence of the Federation under Art. 73(1) no. 10 GG extends not only to cooperation between the Federation and the Länder, but also to cooperation between the Länder themselves. However, that competence does not encompass legislation concerning cooperation between authorities within the same Land.

III. The challenged provisions on data sharing do not meet constitutional requirements of legal clarity and proportionality and lack sufficient safeguards for the documentation of the sharing of data.

1. a) The legislator’s use of multiple chains of statutory reference in the challenged provisions does not, by itself, violate the principle of legal clarity. While the principle of legal clarity sets limits on the use of chains of references in legislation, it does not prohibit them. The decisive factor is whether the substantive content of the provision remains comprehensible for those who are affected by the law. In establishing the legal basis for data processing by security authorities, it can in fact be useful to make references to already-existing ordinary law, for which questions of interpretation – unlike in the case of covert measures – can be resolved through the interplay of practical application and judicial review. Whether a statutory reference is compatible with the principle of legal clarity depends on an overall assessment, including a consideration of possible alternative means of specifying the normative content of the provision. Chains of statutory reference can in fact simplify the understanding of the content of a law when the provisions adopted in the law by reference are set out in full.

As such, at least some of the multi-level chains of statutory reference in § 20(1) second sentence BVerfSchG are not objectionable.

b) Nevertheless, the prerequisites for data sharing as set out in § 20(1) second sentence BVerfSchG are not sufficiently clear. When a provision uses statutory references that address different legal situations and concerns, its legal meaning can become ambiguous and it may be overly difficult to apply in practice. Both of these risks are present in the blanket reference to § 120(2) GVG, which is used to enumerate the offences for which data sharing is permitted. Under § 120(2) GVG, the Higher Regional Court has jurisdiction for a case involving one of the specific offences listed in that provision only when the Federal Public Prosecutor takes over the prosecution due to the special significance of the case. As it is not evident whether and to what extent this element must be met with regard to data sharing – in particular, data sharing for public security purposes – § 20(1) second sentence BVerfSchG in conjunction with § 120(2) GVG is not sufficiently clear.

2. The data sharing provisions in § 20(1) first and second sentence BVerfSchG violate the principle of proportionality.

a) These provisions do serve a legitimate aim in combatting offences against state security, and are effective in the furtherance of that aim; thus serving to protect the continued existence and security of the state as well as life, limb and liberty. That the challenged provisions are both necessary and suitable under a constitutional analysis is not subject to dispute.

b) Nevertheless, they are not fully compatible with the requirements of the principle of proportionality in the strict sense.

aa) In the case of sharing personal data by domestic intelligence services, which do not have operational follow-up powers, with police authorities, which do have such powers, the principle of proportionality in the strict sense gives rise to a principle of separation of police and intelligence data (informationelles Trennungsprinzip). Given the broad surveillance powers of domestic intelligence services, a higher legal standard must be met to justify data sharing in this case. When personal data or information is collected by intelligence services through covert methods, the sharing of such data must be assessed according to the standard of a hypothetical recollection of the data. Based on this standard, whether the receiving authority may receive such data depends upon whether, for that particular purpose, the receiving authority could have been permitted to collect the same data and information using comparably intrusive means as the original surveillance by the domestic intelligence service.

(1) Data sharing with a public security authority must serve to protect a particularly weighty legal interest for which there is at least a sufficiently identifiable danger (hinreichend konkretisierte Gefahr). In principle, when establishing the prerequisites for data sharing, the legislator need not specifically identify each such legal interest, but can instead link them to those criminal offences that harm such interests. The threshold necessary to justify data sharing can also be defined as the risk of committing such criminal offences, including those which become punishable at the point of preparatory acts or offences that constitute a mere threat to legal interests. However, the legislator must then ensure that, for each individual situation, the requisite specific danger or sufficiently identifiable danger to a legal interest protected by the referenced offences actually exists. Such danger might not necessarily result from the danger of the actual realisation of the offence itself.

(2) Data sharing with a law enforcement authority can only be considered for the purpose of prosecuting particularly serious criminal offences and requires a suspicion based on specific facts that is supported by sufficiently concrete and tangible circumstances.

bb) The challenged provisions do not satisfy these requirements. In the case of data obtained by a domestic intelligence service by covert methods, § 20(1) first sentence BVerfSchG does not specifically identify legal interests for which data sharing is necessary to avert dangers to public security, but instead – as permitted in principle – links the threshold to the prosecution of criminal offences by incorporating the offences listed in § 20(1) second sentence BVerfSchG. However, not all of the criminal offences listed in §§ 74a and 120 GVG can be classified as particularly serious offences. The same applies to the broadly-worded element of § 20(1) first sentence BVerfSchG which provides that any other offence may provide grounds for data sharing solely on the basis of its aims or the offender’s motive.

The general prohibition on “disproportionate” data sharing set out in § 23 no. 1 BVerfSchG does not cure these deficiencies. Despite the fact that the constitutional requirements for data sharing have been articulated in constitutional case-law in the years following the enactment of the law, the general prohibition in § 23 no. 1 BVerfSchG, at least when considered together with the obligation to share data set out in § 20(1) first sentence BVerfSchG, does not provide for a balancing process in which it can be ensured that data sharing will only occur in those cases where the necessary constitutional requirements are met.

The constitutionally required threshold for data sharing is also lacking. The challenged provisions authorise data sharing when there are factual indications that it is necessary for the prevention or prosecution of offences against state security. They thus allow data sharing independent of a sufficiently identifiable danger or factual indications giving rise to a suspicion.

3. Finally, the provisions do not contain sufficiently specific obligations to document the data sharing and to specify the statutory basis for data sharing, as is required under constitutional law.