The Federal Intelligence Service’s powers to conduct strategic surveillance of international telecommunications for the purpose of detecting cyber threats are unconstitutional in part

Type: Press Release, No. 93/2024, Date:


In an order published today, the First Senate of the Federal Constitutional Court held that the Federal Intelligence Service’s powers to conduct strategic surveillance of international telecommunications for the purpose of detecting cyber threats under § 5(1) third sentence no. 8 of the Act Restricting the Privacy of Mail, Post and Telecommunications (hereinafter: Article 10 Act, Artikel 10-Gesetz – G 10) are incompatible with the privacy of telecommunications protected by Art. 10(1) of the Basic Law (Grundgesetz – GG). This provision will continue to apply, subject to certain conditions, until the legislator has enacted new provisions, or until 31 December 2026 at the latest.

§ 5(1) third sentence no. 8 of the Article 10 Act authorises the Federal Intelligence Service to collect and further process personal data in the context of covert strategic surveillance of international telecommunications [i.e. those in which one communicating party is located in Germany and at least one other party is located abroad] in relation to cyber threats. Cyber threats are mainly cyberattacks in the form of cyber espionage or cyber sabotage.

In principle, the powers to conduct strategic surveillance of international telecommunications are compatible with Art. 10(1) of the Basic Law despite the severity of the resulting interference, due to the exceptional public interest in gathering intelligence on international cyber threats to protect high-ranking interests of the common good. However, they must be designed proportionately. Sufficient rules for the removal of data from purely domestic telecommunications traffic are currently lacking. The protection of the core of private life of persons located in other countries in § 5(2) third sentence in conjunction with § 5(2) second sentence no. 2 of the Article 10 Act is insufficient. The retention period for documentation of completed strategic telecommunications surveillance, which is set out in § 5(2) sixth sentence of the Article 10 Act, is too short. The independent oversight by the Article 10 Committee (G 10-Kommission) provided for in § 15 of the Article 10 Act is inadequate in its current form.

Facts of the case:

The complainants are German and foreign nationals who use email, phone and messaging services to maintain professional and private contacts in other countries from Germany, or maintain such contacts in Germany from other countries. One of the complainants is a lawyer working in data protection and IT law. Another complainant is the German branch of an international human rights organisation. Several other complainants are working to protect human rights in other countries.

The two constitutional complaints are directed against the statutory authorisation of the Federal Intelligence Service to conduct strategic surveillance of international telecommunications in relation to cyber threats under § 5(1) third sentence no. 8 of the Article 10 Act, which was inserted into the Article 10 Act in November 2015. These powers relate to the threat of international criminal or terrorist attacks, or attacks by foreign states, on the confidentiality, integrity or availability of IT technology systems and networks, using malware or similar malicious IT, in serious cases affecting the Federal Republic of Germany. The constitutional complaints also challenge several previously-enacted provisions that supplement these powers. These provisions authorise the collection and storage of raw telecommunications data from certain transmission routes, the analysis of this raw data by automatically cross-checking it against search terms, the manual analysis of the data thereby obtained and the further use of that part of the data which has been categorised as relevant to the intelligence services.

Strategic surveillance of international telecommunications is to be distinguished from strategic surveillance of foreign telecommunications under the Federal Intelligence Service Act. The latter concerns telecommunications traffic between foreign nationals located outside of Germany. The Federal Intelligence Service is generally barred from using strategic surveillance to intercept telecommunications traffic between German nationals or persons located in Germany.

Key considerations of the Senate:

I. Insofar as the constitutional complaints are admissible, they are well-founded for the most part. The authorisation to collect and further process data in the context of strategic surveillance of international telecommunications under § 5(1) third sentence no. 8 of the Article 10 Act violates the privacy of telecommunications protected by Art. 10(1) of the Basic Law, as it does not fully comply with the principle of proportionality.

1. The challenged powers in § 5(1) third sentence no. 8 of the Article 10 Act implicate the scope of protection of Art. 10(1) of the Basic Law (privacy of telecommunications). The constitutional protection afforded by Art. 10(1) of the Basic Law has historically sought to prevent a situation in which remote exchanges of opinions or information cease altogether, or the content or means of communication is altered, because of the expectation that state authorities will intercept communications and thereby obtain knowledge of the relevant content and circumstances of the communications. The privacy of telecommunications counters both old and new risks to one’s personality arising from the increased significance of information technology for the personal development of the individual. The privacy of telecommunications under Art. 10(1) of the Basic Law first and foremost protects the content of communications.

2. Strategic telecommunications surveillance is an instrument resulting in interferences of particular severity, especially given that such surveillance can be used against anyone without requiring specific grounds and is only restricted by the specific purposes pursued by the surveillance. Given the current realities of communication technology and the significance of its effect on communications, it has an exceptional reach. The severity of interference resulting from the powers at issue significantly exceeds that of the powers which the Federal Constitutional Court addressed in 1999 in its decision concerning strategic surveillance measures targeting international communications (Decisions of the Federal Constitutional Court, Entscheidungen des Bundesverfassungsgerichts – BVerfGE 100, 313). At the same time, the possibilities for analysis available to intelligence services have expanded. As it is now possible to use formal search terms, strategic telecommunications surveillance more closely resembles targeted telecommunications surveillance of individuals.

3. This particularly serious interference must be balanced against the exceptionally significant public interest in effective surveillance of international telecommunications. The weight accorded to this public interest is determined by circumstances that cannot be compared with the realities at the time of the Federal Constitutional Court’s decision in 1999, both in view of the fundamental changes in the foreign and security policy situation and the considerably expanded technological possibilities that can be used against the national interests of the Federal Republic of Germany.

There is an exceptionally significant public interest in the early detection of cyber threats originating from other countries that are of significance to the Federal Republic of Germany in terms of foreign and security policy, as well as an exceptionally significant public interest in the protection of critical digital infrastructure or equally important IT systems. The rate of international cyberattacks on IT systems in Germany is high and continues to increase. The potential damage caused by international cyberattacks can be exceedingly great. Given the digital transformation of society, the economy, administration and politics, almost all aspects of life are increasingly dependent on properly functioning and secure digital infrastructure. Constitutional organs and other necessary elements of the constitutional order are also increasingly reliant on the use of IT systems to perform their tasks. International cyberattacks on critical digital infrastructure or equally important IT systems are aimed at destabilising society and can jeopardise the constitutional order, the existence and security of the Federation or the Länder and life, limb and liberty. Given the digital transformation of society, the danger of international cyberattacks against the IT infrastructure of key and vital areas – such as water and energy supply and transport and healthcare – can reach a level comparable to that of an armed attack, which has always been recognised as legitimate grounds for strategic telecommunications surveillance in § 5(1) third sentence no. 1 of the Article 10 Act.

4. In principle, due to the exceptionally significant public interests involved, the powers to conduct strategic surveillance of international telecommunications are compatible with Art. 10(1) of the Basic Law despite the severity of the resulting interference, provided that they are designed proportionately. § 5(1) third sentence no. 8 of the Article 10 Act does not fully comply with the requirements regarding the limits and structure of strategic surveillance of international telecommunications.

a) A sufficiently specific and clear provision regarding the removal of data stemming from domestic telecommunications involving only German nationals or persons located in Germany is lacking. It is true that § 5(1) third sentence no. 8 of the Article 10 Act limits surveillance to international telecommunications. However, carrying out such surveillance inevitably results in the collection of data from domestic telecommunications traffic. This is the case with packet-switched telecommunications, which in practice make up the largest share of international telecommunications (including all communication occurring via the Internet). The Article 10 Act does not contain any rules on how such incidentally collected data from domestic telecommunications is to be handled.

b) The safeguards protecting the core of private life are likewise not fully adequate. The free development of one’s personality within the core of private life encompasses the possibility of expressing internal thought processes, reflections, views and experiences of a highly personal nature. Protection is afforded in particular to non-public communications between persons enjoying the highest level of personal trust that are conducted with the reasonable expectation that no surveillance is taking place. The targeted interception of data from the core of private life is impermissible including with respect to persons located in other countries. This means that search terms concerning the core of private life may not be used against such persons. § 5(2) third sentence in conjunction with § 5(2) second sentence no. 2 of the Article 10 Act is not sufficiently specific and clear in this regard when it comes to persons located in other countries.

c) Further, the retention period for the documentation regarding strategic surveillance of international telecommunications is too short. § 5(2) sixth sentence of the Article 10 Act provides that the documentation must be deleted at the end of the calendar year following the year in which it was logged.

This period is too short to allow those affected to obtain effective legal protection. The rigid time limit is not linked in any way to the provisions governing notification of those affected. Notification only takes place once the respective measure has been permanently ended. At that point, there is no assurance that the log data still exists.

d) Finally, the independent oversight to be carried out by the Article 10 Committee does not fully satisfy the particularly strict requirements applicable in this regard. Independent oversight must, among other things, compensate for the de facto lack of possibilities to obtain legal protection in individual cases, which is a result of the limited information and notification obligations associated with strategic telecommunications surveillance. Thus, competent and professionalised oversight resembling judicial review must be ensured, which must be equal to review by a court both in substantive and procedural terms and, in particular, must be at least equally effective. It is not sufficient that the members of the Article 10 Committee perform their functions in an auxiliary capacity rather than as their primary office, as would be required under constitutional law. Moreover, the Article 10 Act fails to ensure that the Article 10 Committee includes members with judicial experience.

II. § 5(1) third sentence no. 3 of the Article 10 Act is declared incompatible with the Basic Law; however, it continues to apply on an interim basis. The powers at issue, though constitutionally objectionable, could have significant importance for the security of the Federal Republic of Germany, and this development could take place on extremely short notice, especially when taking into account the potential threat dynamics in light of the realities of information technology. To ensure respect for the privacy of telecommunications, its continued application is subject to the obligation, amongst others, to remove data stemming from domestic telecommunications traffic. Furthermore, no search terms concerning the core of private life may be used, including with respect to persons located in other countries.