Certain powers of the Federal Criminal Police Office for data collection (§ 45(1) first sentence no. 4 of the Federal Criminal Police Office Act) and data retention (§ 18(1) no. 2 of the Federal Criminal Police Office Act) are unconstitutional in part

Press Release No. 83/2024 of 01 October 2024

Judgment of 1 October 2024
1 BvR 1160/19

In a judgment pronounced today, the First Senate of the Federal Constitutional Court held that § 18(1) no. 2 in conjunction with § 18(2) no. 1 of the Federal Criminal Police Office Act (Bundeskriminalamtgesetz – BKAG; hereinafter: the Act) is incompatible with the fundamental right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) of the Basic Law (Grundgesetz – GG), insofar as these provisions, in conjunction with § 13(3) and § 29 of the Act, authorise the Federal Criminal Police Office to store data in the police information network. The Court further held that § 45(1) first sentence no. 4 of the Act is also incompatible with this fundamental right. These provisions will continue to apply subject to certain conditions until the legislator has enacted a new framework, or until 31 July 2025 at the latest. The remainder of the constitutional complaint is unsuccessful.

The complainants, who include lawyers, a political activist and members of the organised football fan scene, challenge the Federal Criminal Police Office’s powers to conduct covert surveillance of persons who are not themselves suspected of terrorist activities, but who are linked to a person responsible for a danger (contact persons) for counter-terrorism purposes using special means (§ 45(1) first sentence no. 4 of the Act). The complainants also challenge the provisions regarding the further processing of previously collected personal data in the Federal Criminal Police Office’s information system (§ 16(1) in conjunction with § 12(1) first sentence of the Act) and in the police information network (§ 18(1) no. 2 and § 18(2) no. 1 of the Act). The police information network is a joint data platform of federal and Land police authorities for data sharing purposes.

§ 18(1) no. 2 and § 18(2) no. 1 of the Act lack an appropriate threshold for data retention and sufficient rules on retention periods, insofar as, in conjunction with § 13(3) and § 29 of the Act, they allow data to be stored in the police information network. The threshold for interference provided for in § 45(1) first sentence no. 4 of the Act does not satisfy the requirements of proportionality in the strict sense. By contrast, § 16(1) in conjunction with § 12(1) first sentence of the Act does satisfy the constitutional requirements when considered together with the statutory deletion requirements.

Facts of the case:

§ 16(1) of the Act authorises the Federal Criminal Police Office to further process personal data in its own information system insofar as is necessary to perform its tasks and insofar as the Federal Criminal Police Office Act does not impose other special requirements. The present proceedings solely concern the further processing of personal data that was collected by the Federal Criminal Police Office for counter-terrorism purposes using particularly intrusive means and which is further processed to perform the same task in accordance with § 12(1) first sentence of the Act.

§ 18(1) of the Act authorises the Federal Criminal Police Office to further process certain specified personal data of specific groups of persons in order to perform its tasks under § 2(1) through (3) of the Act. The Federal Criminal Police Office, in its capacity as the central agency for police information and communications and the criminal police, supports the federal and Land police forces in the prevention and prosecution of offences affecting more than one Land, offences of international significance or those of considerable importance. In this context, the Federal Criminal Police Office operates a data platform (the police information network) for the purpose of data sharing between the federal and Land police authorities. The Federal Criminal Police Office takes part in the police information network with its own information system (§ 13(3) and § 29 of the Act).

§ 45(1) first sentence no. 4 of the Act sets out special data collection powers of the Federal Criminal Police Office for the purpose of averting dangers from international terrorism. It authorises the Federal Criminal Police Office to carry out covert surveillance measures vis-à-vis persons who are not themselves suspected of terrorist activities, but who are linked to a person responsible for a danger (contact persons). It permits the use of the special means to obtain information listed in § 45(2) of the Act, such as long-term observations or the use of confidential informants or undercover investigators.

Key considerations of the Senate:

A. To the extent that it is admissible, the constitutional complaint is well-founded in part.

I. The challenged provisions interfere with the complainants’ fundamental right to informational self-determination as a manifestation of the general right of personality under Art. 2(1) in conjunction with Art. 1(1) of the Basic Law.

II. Interferences with this fundamental right require a statutory basis that pursues a legitimate purpose in the interest of the common good and is suitable, necessary and proportionate in the strict sense to achieve the purpose pursued. In this regard, special requirements arise from the principle of proportionality in the strict sense. How stringent these requirements are in the individual case depends on the severity of interference that results from the respective power to collect or further handle personal data. Thus, when specifying the requirements for justification of an interference, distinctions must be made between the different fundamental rights interferences, which are distinct in principle, but are nevertheless interrelated. In the present case, data collection – which is governed by separate provisions – must be distinguished from the retention and further use of personal data, for which the rules are set out under the general heading of ‘further processing’. The use of previously collected data for purposes other than those for which it was originally collected gives rise to a new interference with fundamental rights and must be separately justified under constitutional law.

III. The specific design of § 45(1) first sentence no. 4 of the Act does not satisfy these constitutional requirements.

1. This provision authorises the Federal Criminal Police Office to conduct covert surveillance of contact persons for counter-terrorism purposes using special means. The interference with the fundamental right to informational self-determination permitted by the provision can be considerable. In particular, when surveillance measures are used in combination with the aim of registering and audio-visually recording as many of the target person’s statements and movements as possible, they can reach deep into the private sphere and thus give rise to interferences of particular severity.

2. § 45(1) first sentence no. 4 of the Act does not satisfy the constitutional requirements corresponding to this severity of interference. The provision is incompatible with the special requirements arising from the principle of proportionality in the strict sense regarding the justification of covert surveillance measures conducted by the police.

a) These requirements are determined based on both the legal interest to be protected and the threshold for interference, that is, the grounds for the surveillance measure. The latter is the only aspect challenged in the present proceedings. Even with regard to a person responsible for a danger, the use of intrusive covert surveillance powers such as the ones in the present case requires at least a sufficiently identifiable danger (konkretisierte Gefahr) to a legal interest of sufficient weight. If surveillance using such means is conducted on contact persons associated with the responsible person, then there must additionally exist a specific and individual link between the persons affected and the danger to be investigated. In any event, the surveillance of contact persons necessarily requires that surveillance of the person responsible for a danger using similar means be permissible in the first place. Otherwise, there is no sufficient danger to investigate.

b) § 45(1) first sentence no. 4 of the Act does not satisfy these requirements for the threshold for interference, as the provision does not include the necessary link between the person affected and the danger associated with the person responsible referenced therein. Thus, there is no basis for surveillance of contact persons who are not responsible for the danger.

The provision permits data collection regarding a contact person (§ 39(2) no. 2 of the Act) if the contact person has a specific link to a person responsible for a danger and averting the danger or preventing the crime would otherwise be futile or considerably more difficult. § 39(2) no. 2 of the Act thus makes reference to a responsible person within the meaning of § 39(2) no. 1 of the Act. Under § 39(2) no. 1 of the Act, the collection of personal data is permitted if there are facts that give rise to the assumption that this person ‘intends to commit an offence pursuant to § 5(1) second sentence and the collected data is necessary to prevent this offence’. This falls far short of the requirements laid down in § 45(1) first sentence nos. 1 through 3 of the Act relating to data collection by special means to be used against persons responsible for a danger. According to the legislative approach, § 39(2) no. 1 and no  2 of the Act are only designed to apply to less intrusive forms of data collection.

c) It is not possible to derive a threshold for interference that would be sufficient for such intrusive measures from § 45(1) first sentence no. 4 of the Act by way of an interpretation in conformity with the Constitution.

IV. To the extent that the constitutional complaint challenges § 16(1) of the Act, there are ultimately no constitutional concerns regarding this provision.

1. § 16(1) of the Act authorises the Federal Criminal Police Office to further process personal data in its own information system. The constitutional complaint solely concerns the further processing of personal data that was previously collected by the Federal Criminal Police Office using particularly intrusive means (§ 45(2) of the Act) which is processed by the Federal Criminal Police Office to perform its counter-terrorism tasks (§ 5 of the Act). Only the further processing of data for the purposes for which it was originally collected (cf. § 12(1) first sentence of the Act) is challenged here. In this regard, § 16(1) of the Act authorises considerable interferences with the fundamental right to informational self-determination. That the processed data was previously collected using intrusive surveillance methods adds to the severity of the interference. Yet the severity is also limited by the fact that the provision only allows further processing of the data in line with the purposes for which it was originally collected.

2. The starting point for determining the constitutional requirements to justify further processing is the severity of interference associated with the original collection of the data; in this respect, the principles of purpose limitation and change in purpose apply. The authority that is authorised to collect the data is determined by the respective statutory basis, which also defines the purposes and conditions of the data collection and therefore the permissible scope of use. The scope of the purpose of the data collection in the authorising statute thus determines the purpose limitation for the information thereby collected. For that reason, the further use of data within the scope of the purpose for which it was originally collected is only permissible if the data is used by the same authority in relation to the same task and for the protection of the same legal interests as was the case with regard to the data collection.

In principle, data that is further processed in line with the purpose for which it was originally collected must be deleted once the underlying case has been concluded, i.e. when the specific purpose underlying the data collection has been achieved. Only when the data – either by itself or in combination with other information available to the authority – has in the meantime provided a specific basis for further investigations, thus meeting the prerequisites for a change in purpose, is it permissible to refrain from deleting the data upon conclusion of the underlying case for which it was collected.

3. The processing of personal data previously collected through the particularly intrusive means set out in § 45(2) of the Act in line with the original purpose (‘further use’) under § 16(1) in conjunction with § 12(1) first sentence of the Act satisfies the constitutional requirements when considered together with the statutory deletion requirements.

a) The power in question complies with the constitutional requirements regarding data use in line with the original purpose. The requirements of § 12(1) first sentence of the Act guarantee that the authority that both collects and processes the data is the Federal Criminal Police Office and that further processing is only done to perform the same task and for the protection of the same legal interests, or the prosecution and prevention of the same crimes.

The constitutional requirements are also satisfied insofar as the Federal Criminal Police Office is authorised to further process personal data collected for counter-terrorism purposes in line with its original purpose in accordance with statutory requirements as long as specific public security measures underlying the data collection have not been concluded. This serves to meet the significant need for effective counter-terrorism measures through the proper determination of the purpose of the measures.

b) By providing for deletion requirements, the legislator has ensured that any further processing pursuant to § 16(1) in conjunction with § 12(1) first sentence of the Act adheres to the principle of purpose limitation. As soon as personal data is no longer needed to perform the specific tasks or achieve the purpose underlying the data collection measure, it must be deleted without delay (cf. § 77(1) first sentence of the Federal Criminal Police Office Act, § 75(2) of the Federal Data Protection Act and § 79(1) first sentence of the Federal Criminal Police Office Act). This satisfies constitutional requirements.

The principle of purpose limitation is sufficiently safeguarded by § 79(1) first sentence of the Act. This provision expressly states that data must only be deleted insofar as it is not further processed under the provisions of chapter 2, subchapter 2, which includes § 16(1) of the Act. With regard to further use of the data in line with the original purpose, once the specific purpose underlying the data collection has been achieved, it is only possible to refrain from deleting the data if the data gives rise to a specific basis for further investigations for averting dangers from international terrorism.

V. Insofar as § 18(1) no. 2 and § 18(2) no.  1, in conjunction with § 13(3) and § 29 of the Act, allow the Federal Criminal Police Office to store previously collected basic personal data in the police information network, they do not satisfy constitutional requirements.

1. The only aspect under review here is the provision of data to the police information network and not access to such data. The present proceedings also do not concern the further processing of personal data obtained through the surveillance of private homes or remote searches of information technology systems.

The retention powers in § 18(1) no. 2 and § 18(2) no. 1 of the Act give rise to considerable interference with the fundamental right to informational self-determination. They have the effect of increasing the severity of interference, as precautionary data retention typically constitutes further processing of data for a changed purpose. In most cases, personal data originally collected for other purposes will be retained for the purpose of preventing and prosecuting criminal offences.

In the present case, data retention results in interferences of increased severity in view of the source of the personal data concerned, insofar as this data was previously collected using particularly intrusive surveillance measures. Given that precautionary data retention measures are carried out covertly, the possibilities of obtaining ex post legal protection are considerably limited, which increases the severity of interference.

With regard to the type and scope of the personal data to be retained, the severity of interference is limited by the parameters in § 18(2) no. 1 of the Act. Within the scope of the present proceedings, the only data that can be retained from persons charged with a criminal offence is basic data (in particular name, sex, date of birth, place of birth, nationality and address) and certain information relating to the charge. The retention of this data can affect an individual’s personality rights in a not inconsiderable manner, but its impact remains limited.

In addition, in assessing the severity of the interference, the far-reaching possibilities available to a wide range of authorities to use the retained data must be taken into account (cf. § 29(3) of the Act). Beyond the analysis of data by the Federal Criminal Police Office and providing information to law enforcement authorities, further processing can also occur as part of cooperation in the framework of the police information network. In the context of such data sharing, other security authorities receive access to what can be considerable portions of the personal data. The relaxed conditions for access to the data increase the severity of interference.

2. In light of the considerable severity of the resulting interference, § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act do not satisfy the constitutional requirements. They lack a sufficient threshold for data retention and requirements on retention periods.

a) Precautionary data retention constitutes a change in purpose. In order to justify such a change in purpose under constitutional law, the statutory framework must, at a minimum, specify appropriate purposes and thresholds for retention and appropriate retention periods. In determining the threshold for data retention, the legislator must take into account the source, type and scope of the data; in particular, it must ensure that, in each individual case, data retention is based on the statutory purpose for retention. The threshold must ensure, in accordance with the principle of proportionality, that the precautionary retention of personal data is linked to achieving the purpose of retention; it must also appropriately address the specific risks of precautionary data retention. For data retained for the purposes of preventing and prosecuting criminal offences covered by the retention purpose, this prerequisite is only met if it is sufficiently likely that the affected persons will be connected to potential crimes in a manner relevant under criminal law and if it is precisely the specific data retained that can make a reasonable contribution to the prevention and prosecution of such crimes. This prognosis must be based on sufficient factual indications.

Moreover, in order for the precautionary retention of personal data to be constitutionally justified, the law must set out an appropriate retention period. The appropriate retention period is to be determined primarily by the severity of interference, the strength of the aforementioned prognosis over time and other aspects arising from the principle of proportionality. In principle, a prognosis becomes less persuasive over time unless new relevant circumstances arise.

b) § 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act are incompatible with the principle of proportionality in the strict sense.

These provisions lack a sufficient threshold for the retention of personal data for the purposes of preventing and prosecuting future criminal offences. Under these provisions, merely charging the affected individual with a criminal offence is sufficient to allow for precautionary data retention. In particular, the law does not require that there be an unfavourable prognosis regarding the affected person. As uncertainties necessarily exist with regard to the link between the affected person and the criminal offence with which they are currently charged, such status certainly cannot, in and of itself, give rise to a reliable conclusion as to the sufficient probability of a relevant link to future criminal offences that must be prosecuted or prevented.

Although the Federal Criminal Police Office does consider elements of prognosis prior to conducting data retention in its administrative practice, the constitutional assessment must be based on the scope of the power as set out in the law and not on the authority’s administrative practice.

The fact that data retention under § 18(1) no. 2 and § 18(2) no. 1 of the Act requires that its necessity be assessed in the individual case is also not sufficient to satisfy constitutional requirements. Given the lack of specific statutory requirements, the provision is too open and does not satisfy the degree of differentiation required under constitutional law.

Moreover, the statutory framework lacks a sufficiently detailed legislative concept regarding retention periods. Under § 75(2) of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), personal data must be deleted without delay if its processing is unlawful, if deletion is necessary to comply with a legal obligation, or if knowledge of the data is no longer necessary to perform the tasks in question. § 75(4) of the Federal Data Protection Act contains a further obligation to provide for appropriate time limits and procedural safeguards to ensure compliance with these time limits. The question of whether retained personal data must be deleted is primarily reviewed by the Federal Criminal Police Office on a case-by-case basis that is not sufficiently guided by the law or by an ordinance. While § 77(1) first sentence of the Act does provide for time limits for reviewing deletion requirements, this alone does not satisfy the requirements for a legislative concept designed by the legislator. It is instead left to the Federal Criminal Police Office to specify the time limits for assessment and removal of data through its own internal rules.

B. § 45(1) first sentence no. 4 of the Act will continue to apply subject to the condition that the person who is associated with the ‘contact person’ affected by the measure (§ 39(2) no. 2 of the Act) meets one of the requirements set out in § 45(1) first sentence nos. 2 to 3 of the Act.

§ 18(1) no. 2 and § 18(2) no. 1 in conjunction with § 13(3) and § 29 of the Act will continue to apply subject to the condition that the retention of personal data is only permitted if a specific unfavourable prognosis has been made that the affected person is sufficiently likely to be connected to potential crimes in a manner relevant under criminal law and if it is precisely the specific data retained that can make a reasonable contribution to the prevention and prosecution of such crimes. This prognosis must be based on sufficient factual indications.