Judicial Redress and Foreign Intelligence Surveillance: The German Approach

Judicial Redress and Foreign Intelligence Surveillance:

The German Approach

by Dr. Daniel Felz

Alston & Bird LLP

February 14, 2022

Introduction

In the Schrems II case, a central concern of the Court of Justice of the European Union (CJEU) concerned the lack of redress – the ability of an individual to invoke an effective remedy concerning foreign intelligence surveillance. The CJEU specifically stated that Article 47 of the EU Charter of Fundamental Rights, which requires an “effective remedy,” operates on “the premis[e] that data subjects must have the possibility of bringing legal action before an independent and impartial court.” In the negotiations between the EU and the U.S. for a new Privacy Shield, a key issue has been to determine what sort of legal action must be provided in the U.S. to provide an effective remedy.

This Article aims to facilitate the discussion by examining the law for bringing such actions in Germany. German law is relevant for two reasons. First, Germany’s Bundesnachrichtendienst (BND) conducts large-scale programmatic surveillance – i.e., the context in which the Schrems II decision required effective remedies to be provided. Second, Germany has significant case law arising from attempts to seek redress against the BND’s large-scale surveillance programs. This case law, along with statutory reforms it engendered, indicates how an EU nation has approached the issue of effective remedies, including rules for standing to bring legal action relating to programmatic foreign intelligence surveillance.

This Article suggests two broad conclusions:

• First, Germany has not passed a statute to provide non-Germans with standing rights to seek judicial redress against German foreign intelligence programs. Germany’s surveillance laws do not themselves provide standing rights by which German surveillance programs may be challenged in court. To the extent that German programmatic surveillance affects German persons, German statutes enable individuals to file complaints with a non-judicial agency, the G10 Commission. There are no published procedures for these complaints, the results are not reported, and statutes do not provide rights to appeal to the German courts. For Germany’s larger programs that programmatically surveil foreign-foreign communications, Germany’s Federal Constitutional Court recently considered whether to mandate statutory rights enabling individuals to initiate a lawfulness review by a “court-like” body. The Court held that Germany’s Constitution does not require such statutory standing rights, instead placing them in the discretion of the legislature. Following this decision, the legislature did not enact statutory standing rights when passing a major reform to Germany’s foreign-foreign surveillance authorities in April 2021. On the whole, this means standing to seek judicial redress against German programmatic surveillance is governed by Germany’s case law.
• Second, under German case law, it is unclear whether standing rights are generally available to individuals who wish to challenge programmatic surveillance in court. The German administrative courts have dismissed attempts to challenge BND surveillance programs on standing grounds. These courts required individuals, in order to proceed with the legal action, to show the BND had not just acquired and reviewed, but also retained their communications; this was generally impossible to show for secret surveillance programs (in the absence of leaks). More recently, the Federal Constitutional Court permitted Germany’s first-ever merits challenge to foreign-foreign programmatic surveillance. Its decision took a potentially broader view of standing rights. But, the Constitutional Court’s opinion leaves unclear whether it made standing rights to seek judicial redress against BND surveillance generally available, or whether standing remains cabined to a smaller group of potential plaintiffs. This means that for non-Germans, standing and redress rights remain dependent on divergent case law among different courts, which may well require further litigation to clarify.

To evaluate these issues, this Article proceeds as follows: Section A provides a brief overview of Germany’s statutory authorities for programmatic surveillance, while Section B describes how German surveillance programs work in practice. Section C outlines initial attempts at obtaining redress in German courts following the Snowden disclosures; these largely failed on standing grounds (unless leaks made details of a program public). Section D summarizes the aforementioned Constitutional Court case that potentially took a broader view of standing, although its effect on standing doctrine remains unclear. Section D also discusses the general overhaul to Germany’s foreign intelligence regime the Constitutional Court’s decision set in motion, and the fact that this reform did not provide statutory standing rights to seek judicial redress. Section E closes with an outlook for future cases.

This Article seeks to present an accurate discussion of the German case law, drawing on my own study in German data protection law in connection with obtaining a doctorate, rather than taking a position on possible reforms or changes to the law. In contrast to much of the existing literature, this Article approaches German foreign intelligence law from the perspective of a non-German, whose communications are generally subject to acquisition and review by the BND, to examine standing and redress rights that may be available to similar individuals.

 A.  German Foreign Intelligence Authorities[1]

Germany’s BND has statutory authorities to conduct large-scale programmatic surveillance.  The primary authorities that permit the BND to operate such surveillance programs are:

1. BND Law Authorities: As the basis for its larger programs, Germany programmatically collects foreign-foreign communications as they traverse German soil; this occurs on the basis of Germany’s Law on the Bundesnachrichtendienst (“BND Law”).[2] BND Law programs had no statutory framework or ex ante oversight for decades, until this was formalized in 2016 amendments to the BND Law. The BND Law was again reformed in 2021 following a Constitutional Court decision discussed below. Under these amendments, the BND monitors entire “telecommunications networks” for foreign-foreign communications that provide information with relevance to German security or foreign policy. The BND is not required to notify non-German individuals that their communications have been acquired as a result of BND Law surveillance.

Primary oversight over BND Law surveillance is not exercised by a court. The German Constitution permits surveillance oversight to be placed in the hands of “auxiliary agencies” instead of courts.[3] From 2017 to 2022, oversight of BND Law surveillance was exercised by an “Independent Panel.” In January 2022, oversight transferred to an “Independent Oversight Council” (Unabhängiger Kontrollrat). By statute, the Oversight Council is an independent federal agency entitled to exercise jurisdiction over enumerated aspects of BND foreign surveillance. It consists of up to six judges from Germany’s Federal Supreme Court or Federal Supreme Administrative Court. The Oversight Council is designed to operate akin to a court, with the German government obligated to present enumerated matters for prior approval. Only the government is represented in proceedings, and the Oversight Council’s decisions are not published. The BND Law does not authorize individuals to lodge complaints with the Oversight Council regarding BND surveillance. The Oversight Council operates in secret and will not issue public transparency reporting.  Instead, it reports to Germany’s Parliamentary Oversight Panel (“parlamentarisches Kontrollgremium”).

2. G10 Law Authorities: The BND can also programmatically acquire Germany-to-foreign (and foreign-to-Germany) communications under Germany’s “G10 Law”[4] as they are transmitted into or out of Germany. The G10 Law lets the BND monitor entire “telecommunications channels”[5] for communications relevant to statutorily-enumerated “threat areas.” Generally, individuals whose data has been retained through G10 Law surveillance must be notified irrespective of their nationality. But exceptions exist, and in practice notice can be withheld.

Primary oversight over G10 surveillance is exercised by the “G10 Commission.” The G10 Commission is not a court, but instead an agency within the executive branch. By statute, it is independent and has authority to oversee all collection, processing, and use of personal data under G10 Law authorities. The G10 Commission is structured like a court: it has up to five members, and its presiding officer must be a fully-qualified lawyer. It primarily operates like a court, with the German government presenting applications for approval. Again, only the government is represented at these proceedings, and decisions are not published. The G10 Law authorizes individuals to lodge complaints relating to BND surveillance with the G10 Commission, although decisions are not published, and the G10 Law does not provide for appeal rights to courts. The G10 Commission operates in secret, with Germany’s Parliamentary Oversight Panel issuing limited transparency reporting on G10 Law surveillance.

B. German Foreign Intelligence Programs in Practice

In practice, the BND Law and G10 Law authorities do not appear to operate separately. Instead, the BND appears to obtain single raw streams of data from communications providers, and apply the G10 Law and BND Law authorities in parallel to extract data it is permitted to acquire.  The result is programmatic surveillance that can be described as a bulk, “upstream” surveillance program.

• German programmatic surveillance is “upstream” because the BND compels providers of Internet backbone hardware – like Internet exchange points – to capture raw communications data as it traverses their physical infrastructure, and provide it to the BND for intelligence analysis. This technique is often referred to as “upstreaming” because it acquires communications data while it is “upstream” from its ultimate destination, versus collecting it “downstream” from companies that hold communications once they reach their endpoint (like email providers).
• German programmatic surveillance is “bulk” because the BND compels Internet backbone companies to provide raw, unfiltered streams of communications data that traverse their Internet infrastructure – in the words of the German government, a “complete copy.”[6]

Once this raw, bulk data stream is received, the BND applies filters to remove purely German (i.e., Germany-to-Germany) communications. The resulting data set can be queried, analyzed and retained under BND Law authorities (for foreign-to-foreign communications) and under G10 Law authorities (for Germany-to-foreign/foreign-to-Germany communications).

• German surveillance law does not yet appear to treat this data stream as collected by the BND. Instead, the BND may query and analyze the raw data using “search terms.” German law permits the BND to use not just selectors (referred to as “formal search terms”), but also broad keywords (“content-based search terms”).[7] This lets the BND cast a potentially wide net within raw data streams to search communications for threats or policy priorities recognized in German statutes and intelligence priorities frameworks. For example, the BND could search foreign-foreign communications for a content-based keyword like “bomb.” Then, it could use a formal selector to search for communications to and from a specific non-German IP address.
• BND analysts must promptly review all “hits” returned by search terms from raw data streams for relevance to intelligence activities. As long as the BND promptly deletes hits that are found irrelevant upon review, those communications are not reported as collected. Instead, only communications that the BND retains as relevant to intelligence activities are reported. Accordingly, reported BND communications acquisition rates appear low, at times materially lower than the number of search terms the BND used.[8] This grants the BND authority to “temporarily acquire” communications in bulk and review them, without formally “collecting” them. As discussed below, this practice has played a significant role in German standing cases.

Metadata acquisition also occurs on a bulk basis, including as part of the raw data streams German Internet backbone providers hand to the BND. Under BND Law authorities, all (non-German) metadata in raw data streams can be stored by the BND without needing to relate to any BND search terms.[9] Metadata is retained in BND databases for contact-chaining and other uses; as discussed below, one is a telephony metadata database called “VerAS” (Verkehrsanalysesystem, or “Traffic Analysis System”).

This “bulk upstreaming” approach to programmatic surveillance plays to Germany’s home-field advantage. The world’s largest Internet exchange points in terms of traffic volume is located in Frankfurt, operated by DE-CIX Management GmbH.[10] The BND can thus tap into a significant portion of the world’s communications without leaving Germany. As discussed below, DE-CIX has been served with production orders under both the G10 Law and the BND Law, and has sought to challenge them in court.^[11]

C. Standing Decisions in Cases Seeking Judicial Redress against German Foreign Intelligence Programs

The Snowden disclosures prompted a number of attempts to obtain judicial redress concerning Germany’s programmatic German foreign intelligence surveillance.  These generally failed on standing grounds, unless leaks publicized information that showed the plaintiff had been personally affected.  This section briefly describes the main challenges to BND programmatic surveillance that were resolved at least in part on standing grounds.

1. Härting v. Germany – No Standing:[12] In 2013, following the Snowden disclosures, a civil-rights attorney (Niko Härting) sued the German government in Germany’s Supreme Administrative Court (Bundesverwaltungsgericht),[13] claiming G10 Law surveillance violated his constitutional privacy rights. He argued two theories of standing, but the Court rejected both theories and dismissed the case. As a brief summary of each theory and its outcome:

• • Probability of Collection: The attorney cited parliamentary statistical reporting on BND-conducted surveillance[14] to claim there was “some probability” that his emails had been collected by the BND. The Court rejected this theory of standing.  It indicated that it would need to find with “substantial certainty” that the plaintiff’s communications had been retained by the BND as relevant to intelligence activities. Instead of this, the plaintiff had only plead a “mere possibility” that such collection had occurred.[15]
  • “Temporary Acquisition” and Review: The plaintiff further sought to plead standing by referring to the BND’s practice of acquiring entire raw telecommunications data streams from German Internet backbone providers, querying them with search terms, and reviewing hits for intelligence relevance (even if irrelevant communications are promptly deleted). The plaintiff argued that if any of his emails contained BND search terms, they would have been analyzed by BND staff, thus granting him standing to challenge BND surveillance.

The Court rejected this theory of standing. It conceded it could not rule out the possibility that the plaintiff’s emails had been at least temporarily acquired through G10  Law surveillance.  But, it reasoned that G10 Law surveillance only covers certain communications channels, and can only monitor a percentage of their capacity, meaning that there was not a “preponderant” possibility the plaintiff’s emails had been reviewed by the BND. The court also stated that even if the BND was routinely reviewing communications for intelligence relevance, German constitutional rights to judicial redress did not require lowering standing thresholds to permit the plaintiff to sue – since this would effectively create an actio popularis (i.e., grant everyone standing to sue the BND).  Instead, the Court held the G10 Commission’s ongoing oversight over G10 Law surveillance provided “compensatory” protection for fundamental privacy rights.

2. RWB v. Germany – No Standing:[16] In 2015, Reporters without Borders (RWB) sued the German government before the Supreme Administrative Court, claiming G10 Law surveillance had violated their constitutional rights. RWB reformulated the same theories of standing as above, but with refinements to make them more robust. Again, however, the Court rejected RWB’s standing theories and dismissed the case. To briefly summarize each theory and its outcome:

• • Probability of Retention: RWB stated its members had sent over 280,000 emails in 2013, including emails to areas of intelligence interest like the Middle East. Citing parliamentary statistical reporting on BND surveillance,[17] RWB argued it was “probable” the BND had retained RWB emails.  The BND responded that it may have searched RWB emails, but had not retained any. The Court then rejected this standing theory. It stated that without any evidence the BND had retained RWB emails, no “legal relationship” between the BND and RWB had been plead that would support the court’s rendering a judgment.
  • “Bulk Acquisition” and Review: Second, RWB argued it was likely that, as part of the BND’s querying of raw data streams with search terms, the BND had reviewed RWB emails for intelligence relevance. RWB conceded the BND had likely deleted any RWB emails it had reviewed, but RWB nonetheless argued that (a) if the BND was reviewing communications from raw data streams, it was obligated to notify RWB that its emails had been acquired (even if only temporarily), thus justifying a standing claim; and (b) RWB’s fundamental right to a judicial remedy under the German Constitution required the Court to hear its challenge to the BND’s temporary-acquisition practice.

The court conceded it could not exclude that the BND may have temporarily acquired and analyzed RWB emails. But it still rejected both of RWB’s standing theories.

• • First, the Court held the BND’s review of emails from raw data streams did not trigger notice obligations to RWB. The Court viewed the “large quantity of acquisitions” and the fact that much of the material “proves to be irrelevant” as militating against notice. It noted BND search terms cast a wide net and result in acquisitions that are not “targeted at individual persons,” but rather are “primarily factual” – and that when BND analysts review communications, the “affected individuals stay to a certain extent hidden in the background.” The Court also noted that, to provide notice, the BND would have to retain data longer, and collect further information about individuals. The Court thus held notice obligations would only be triggered if BND decided to retain RWB emails it had reviewed. Since there was no evidence the BND had retained RWB emails, this theory of standing was rejected.
  • Second, the Court rejected RWB’s argument that it had a constitutional right to challenge BND temporary-acquisition practices under the G10 Law in court. The Court candidly stated that its interpretation of the G10 Law created a “hindrance of individual judicial redress” (Erschwerung des Individualrechtsschutzes). But it again held the G10 Commission’s oversight over programmatic G10 Law surveillance provided “compensatory” fundamental rights protection.  The Court noted that the G10 Commission’s jurisdiction extended over “the entire collection, processing, and use” of personal data acquired under the G10 Law, suggesting that this “compensatory” protection covered the BND’s review (if any) of RWB emails and obviated the need for judicial redress.

3. RWB v. Germany II – No Standing:[18] RWB used the Supreme Administrative Court’s denial of its claims as the basis for a constitutional complaint to Germany’s Federal Constitutional Court (Bundesverfassungsgericht). RWB argued the Supreme Administrative Court had failed to protect its constitutional privacy rights against invasion by the BND.  But the Constitutional Court dismissed RWB’s complaint in summary order, with a reasoned opinion only two sentences long. The Court stated RWB had not “plead with sufficient particularity” that RWB was “itself affected by” a certain statutory provision of G10 Law surveillance.  Although it was unclear what violation of the G10 Law the Court believed to be at issue,[19] the Court’s language – stating RWB had not plead it was “affected by” BND action – indicated it was dismissing RWB’s complaint on standing grounds.

4. RWB & Härting v. Germany – Standing Found in Part:[20] As the RWB case was ongoing, leaks concerning Germany’s parliamentary inquiry into the Snowden disclosures showed the BND maintained a telephony metadata database called “VerAS.” VerAS reportedly ingested all telephony metadata from raw data flows acquired under both the G10 Law and BND Law programs, albeit with purely domestic (i.e., purely German) metadata “X’d” out.[21] This led both the above attorney-plaintiff and RWB to reformulate their claims against the German government. They sought injunctions barring the BND from collecting their metadata, and requiring their data to be removed from VerAS.

• The Supreme Administrative Court found standing had been plead in regard to telephony metadata in VerAS because metadata was ingested on a bulk basis, “independent of any restrictions” that normally limit the BND’s collection. The Court granted standing even though the plaintiffs could not point to their telephony metadata within VerAS (their inability arose from the fact that the BND anonymized-out domestic metadata from VerAS.)  The Court instead noted that “the practice of” the BND,” i.e., acquiring all telephony metadata on a bulk basis, meant the BND would likely acquire the plaintiffs’ metadata “in the foreseeable future.”  The Court did not see it as appropriate to require the plaintiffs to “constantly make new access requests” with the BND to see if their data had been acquired, then “according to the results” seek ex post redress.
• Notably, however, the Court declined to find that standing had been plead in regard to BND ingestion of non-telephony metadata (like email or Internet activity) because (a) the leaks had only shown blanket collection of telephony metadata in VerAS, and (b) the BND had stated to the Court that email and Internet activity metadata were not in VerAS.  It thus denied standing for any claims that went beyond telephony metadata in VerAS.[22]

5. DE-CIX v. Germany – Providers Cannot Assert Third-Party Privacy Rights:[23] DE-CIX Management GmbH (“DE-CIX”) operates one of the world’s largest Internet exchange points in Frankfurt.[24] The BND served DE-CIX with production orders under the G10 Law and BND Law. These required DE-CIX to transmit communications data traversing its Internet exchange point to BND systems. DE-CIX filed suit against the BND’s orders in the Supreme Administrative Court, arguing in part that they violated the constitutional privacy rights of communications participants.

The Court found DE-CIX had standing to challenge whether the BND’s G10 production orders satisfied formal administrative law requirements. But it also held DE-CIX could not assert alleged violations of constitutional privacy rights because (a) these rights are held exclusively by the senders and receivers of communications, and (b) there is no reason to add a “telecommunications intermediary” like DE-CIX to the group of persons entitled to assert constitutional privacy rights.[25]

D. Recent Constitutional Court Jurisprudence and BND Law Amendments

More recently, Germany’s Federal Constitutional Court clarified its standing doctrines accommodated a facial challenge to the BND Law’s foreign-foreign surveillance authorities. This resulted in an overhaul of the BND Law, but the amendments did not provide statutory recognition for judicial redress.

a. The RWB Constitutional Case

In 2017, RWB and seven of its members filed a new constitutional complaint against the 2016 amendments to the BND Law.  RWB used a statistical argument to argue it had standing to claim BND foreign-foreign surveillance acquired its communications, and thus violated its constitutional privacy rights. Summarized briefly, RWB argued that, over the course of three years, there was a 99% chance that RWB’s emails would be acquired by the BND, while each RWB member would have a 65% chance their emails would be acquired.[26]

Far from issuing a cryptic dismissal as in prior RWB litigation, the Constitutional Court this time held RWB had standing to challenge the BND Law, applying standing criteria different than those applied by the administrative courts.[27] The Court found RWB and its members had plead “sufficient probability” they were “presently and personally” affected by foreign-foreign BND surveillance because:

• RWB members repeatedly communicate with anonymous sources who are of interest to the BND;
• Contacts between RWB activity and BND surveillance are “not far-fetched” because the BND Law enables a wide range of surveillance measures, and can be flexibly modified to meet foreign-policy needs;
• As non-Germans, RWB members receive no notice of any surveillance affecting them, meaning that “it cannot be demanded of them” that they further substantiate their claim to have standing.[28]

In contrast to the administrative courts, the Constitutional Court did not distinguish between whether the BND retained RWB’s emails versus whether the BND’s queried and reviewed RWB emails within raw communications data. Further – and also unlike the administrative courts – the Court did not discuss whether it would be granting standing to every individual around the world whose communications the BND happened to review to challenge Germany’s programmatic surveillance.

This leaves the precise scope of the Court’s holding unclear. One can read the decision as finding the BND’s querying and review of raw communications data gives rise to standing; this would indicate an intent to broadly expand standing rights. But one could also read the Court as stating that if an organization communicates with “sources of interest to the BND,” its emails will likely be retained by the BND. Under this reading, the Court’s opinion would not be as restrictive as prior administrative court jurisprudence, but still more of an incremental step forward than a broad rewriting of standing standards under the administrative court case law.

b. Reforms to German’s BND Law Authorities – but No New Redress Rights

Having found standing, the Constitutional Court evaluated the constitutionality of German foreign-foreign surveillance on the merits.  It held BND surveillance as conducted under the 2016 BND Law amendments was unconstitutional in a number of respects. This led to a general overhaul of the BND Law, which the German legislature passed on April 19, 2021.[29]

However, the 2021 BND Law reforms did not address judicial redress. In doing so, the legislature may have understood this approach as being approved by the Constitutional Court. The Court held surveillance programs must be subject to “oversight resembling judicial review,” which has since led to the creation of the Independent Oversight Counsel as the primary ex ante oversight body for BND Law surveillance. The Court also addressed whether the Constitution requires German statutes to provide individuals with a “right to initiate” what it called “court-like” review by the Oversight Council, to adjudicate whether BND surveillance affecting them was lawful. It held such standing and redress rights were not constitutionally required; instead, it held the legislature should “assess” whether “persons who can plausibly demonstrate that they may have been affected by surveillance measures” should be granted standing rights to initiate “court-like” oversight.[30] Further, the Court held that although German constitutional privacy rights protect both Germans and non-Germans, surveillance more seriously interferes with the rights of Germans, meaning “the statutory bases authorizing” surveillance can be less stringent for non-Germans.[31]

As a result, the 2021 BND Law reforms contained no provisions on judicial redress, leaving the issue to be governed by the existing case law outlined in this Article. The state of the law thus remains as summarized by German think tank Stiftung Neue Verantwortung:

[T]he BND Act does not provide effective redress options for foreigners against its bulk collection program … There is no legally defined path for foreign individuals, such as journalists abroad, who want to find out if their communications have been collected in SIGINT operations and, if so, to verify whether the collection and processing of their data was lawful. What is more, the legislators opted to explicitly waive notification rights for foreigners regarding the bulk collection of their personal data.[32]

E. Looking Forward: Differing Standing Standards

Going forward, German standing standards may differ between the administrative courts and the Constitutional Court. The administrative courts will likely continue to require plausible allegations that BND retained communications as a result of programmatic surveillance. The administrative courts, based on their decisions to date, seem unlikely to modify their position that merely alleging BND analysts have queried and reviewed one’s communications is insufficient to plead standing.

In contrast, the Constitutional Court permitted RWB to establish standing on what can be described as a reasonable-likelihood-of-acquisition theory. Having now applied this standard in a major foreign intelligence case, it seems likely the Constitutional Court will follow it in similar future cases. With that said, as noted above, the precise scope of the Court’s holding remains unclear. It is difficult to discern solely from the Court’s opinion who can claim standing in future cases. For instance, the Court in part found RWB had plead standing because RWB was likely to communicate with sources of interest to the BND – i.e., with intelligence targets.  Would an individual engaged in ordinary-course personal or professional communications be able to make a similar argument, and if not, would standing still exist? This seems something that only future litigation can reveal.

Of course, the Constitutional Court is not obligated to align its jurisprudence with that of the administrative courts.  The Constitutional Court’s remit is to adjudicate alleged constitutional violations, so it could be that the Court wishes to enable more challenges to surveillance programs. But, the Constitutional Court did not expressly indicate whether it intends to become the world’s complaints tribunal for BND programmatic surveillance. Potentially, the Court could be calibrating a more strategic standing doctrine – narrow enough to not “open the floodgates,” but open enough for the Court to intervene if it believes a constitutional corrective is needed for German foreign intelligence programs. It also remains to be seen whether the 2021 amendments to the BND Law, such as the new “court-like” oversight of foreign-foreign surveillance by the Oversight Panel, may influence the Constitutional Court’s eagerness to take on future surveillance challenges. Since the German legislature has left standing questions to the courts, German law may continue to see diverging standing jurisprudence depending on the court in which foreign intelligence challenges are brought. Non-German individuals will likely need to litigate further to ascertain whether standing is generally available to seek redress from German programmatic surveillance.

 

[1] For a general English-language overview of German foreign intelligence authorities and programs, see Kilian Vieth-Ditlmann & Thorsten Wetzling, Caught in the Act? An Analysis of Germany’s New SIGINT Reform, Stiftung Neue Verantwortung (Nov. 25, 2021), https://www.stiftung-nv.de/de/publikation/caught-act-analysis-germanys-new-sigint-reform; and Thorsten Wetzling, New Rules for SIGINT Collection in Germany: A Look at the Recent Reform, LawFare (June 23, 2017), https://www.lawfareblog.com/new-rules-sigint-collection-germany-look-recent-reform.

[2] See Gesetz über den Bundesnachrichtendienst [Law on the Federal Intelligence Service], available (in German) at https://www.gesetze-im-internet.de/bndg/.

[3] Article 10 of the German Constitution permits the legislature to remove judicial review for telecommunications surveillance that “serves to protect the free democratic basic order or the existence or security of” Germany.  In in its place, the legislature may institute “review by agencies or auxiliary agencies.”  See Art. 10 German Constitution, https://www.gesetze-im-internet.de/englisch_gg/englisch_gg.html#p0058.

[4] See Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses [Act for the Restriction of Letter, Postal, and Telecommunications Secrecy], available (in German) at https://www.gesetze-im-internet.de/g10_2001/.

[5] The BND is formally limited to searching only 20% of a telecommunication channel’s capacity.  But, since communications infrastructure is built with significant excess capacity, actual communications volume is often well below 20% of the total capacity of communications channels.  Thus, this restriction appears to play little role in practice. See Prof. Dr. Matthias Bäcker, Stellungnahme zur Anhörung des NSA-Untersuchungsausschusses am 22. Mai 2014 [Testimony for Hearing of the Parliamentary NSA Investigatory Committee on May 22, 2014] at 13-14 (May 16, 2014), https://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdf.

[6] In response to a parliamentary inquiry, the German government stated it requires certain telecommunications providers to provide a “complete copy of the telecommunications” transmitted over their transmission channels.  See Deutscher Bundestag [German Lower House of Parliament], Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten Andrej Hunko, Jan van Aken, weiterer Abgeordneter und der Fraktion DIE LINKE [The Federal Government’s Response to a Parliamentary Interrogatory from MPs Andrej Hunko, Jan van Aken, Further MPs and the Party “The Left”], BT-Drs. 17/9640 at 4 (May 15, 2012), http://dipbt.bundestag.de/dip21/btd/17/096/1709640.pdf.   German scholars also describe the BND’s acquisitions as “bulk.”  See, e.g., Ditlmann & Wetzling, Caught in the Act? at 12 (“The central norm that regulates the BND’s mandate to collect foreign communications in bulk is … the BND Act”) (emphasis added).

[7] For a discussion of “content-based” versus “formal” search terms, see Prof. Dr. Hans-Jürgen Papier, Beschränkungen der Telekommunikationsfreiheit durch den BND an Datenaustauschpunkten [Restrictions on Telecommunications Freedom by the BND at Data Exchange Points], 15 Neue Zeitschrift für Verwaltungsrecht [New Journal of Administrative Law] 2016, at 2 (Aug. 1, 2016).

[8] As an example, the 2016 transparency report for G10 Law surveillance states the BND tasked 2,307 search terms relating to “international terrorism.” The BND determined that 34 communications returned by these search terms were relevant to intelligence activity. Unterrichtung durch das Parlementarische Kontrollgremium [Report by the Parliamentary Oversight Panel], BT-Drs. 19/163 at 8 (Dec. 5, 2017), available (in German) at https://dserver.bundestag.de/btd/19/001/1900163.pdf.

[9] See, e.g., Ditlmann & Wetzling, Caught in the Act? at 13: “[T]he collection and processing of metadata, including traffic data, are subject to separate and far less stringent requirements … . Most importantly, the collection and processing of foreign metadata is exempt from most legal restrictions.”

[10] “DE-CIX in Frankfurt is the worldwide largest Internet exchange point, with a data throughput [volume] of more than 9.1 terabytes per second.”  Stellungnahme der DE-CIX Management GmbH zum Urteil des BVerfG am 19. Mai 2020 [DE-CIX Management GmbH’s Position on the Federal Constitutional Court’s Decision on 19 May 2020], De-Cix.net, available (in German) at https://www.de-cix.net/de/unternehmen/medien/pressemitteilungen/stellungnahme-der-de-cix-management-gmb-h-zum-urteil-des-bundesverfassungsgerichts-am-19-mai-2020-bnd-gesetz.

[11] See DE-CIX, Statement from DE-CIX Management GmbH on the Verdict of German Constitutional Court 19 May 2020 – BND Act, www.De-Cix.net (May 19, 2020), https://www.de-cix.net/en/about-de-cix/media/press-releases/statement-from-de-cix-management-gmbh-19-may-2020 (“DE-CIX Management GmbH is a recipient of official orders from the BND …, with these orders based in alternation on the G10 Act … and the BND Act”).

[12] See Bundesverwaltungsgericht [Federal Supreme Administrative Court], Judgment of 28 May 2014, File No. 6 A 1.13, available (in German) at https://www.bverwg.de/280514U6A1.13.0.

[13] Under German administrative law, the federal Supreme Administrative Court has original jurisdiction over cases based on matters within the BND’s sphere of responsibility, which it decides as the first and last instance. See § 50(4) Verwaltungsgerichtsordnung [German Code of Administrative Procedure].  The cases discussed in this Article as brought before the administrative courts were filed directly with, and decided by, the Supreme Administrative Court.

[14] For the 2010 report cited by the attorney-plaintiff in this case, see Unterrichtung durch das Parlementarische Kontrollgremium [Report by the Parliamentary Oversight Panel], BT-Drs. 17/8639 (10 Feb. 2012), available (in German) at https://dip21.bundestag.de/dip21/btd/17/086/1708639.pdf.

[15] See Judgment of 28 May 2014, supra note 2, ¶ 21.

[16] See Bundesverwaltungsgericht [Federal Supreme Administrative Court], Judgment of 14 Dec. 2016, File No. 6 A 2.15, available (in German) at https://www.bverwg.de/141216U6A2.15.0.

[17] See Unterrichtung [des Bundestages] durch das Parlementarische Kontrollgremium [Report to Parliament by the Parliamentary Control Panel], Bundes-Drucksache 18/3709 (8 Jan. 2015), available (in German) at https://dip21.bundestag.de/dip21/btd/18/037/1803709.pdf.

[18] See Bundesverfassungsgericht [Federal Constitutional Court], Order of 26 Apr. 2017, File No. 1 BvR 456/17 and 458/17, available (in German) at https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/DE/2017/04/rk20170426_1bvr045817.html.

[19] The Court stated that RWB had failed to plead it was affected by § 6(1), 5th sentence, G10 Law. This provision relates to how the BND must document its deletion of search “hits” from raw data streams it determines are irrelevant to foreign intelligence activities. The BND must (a) promptly delete such irrelevant communications, (b) create records of the deletion of irrelevant communications, and (c) annually purge the records showing that irrelevant communications were deleted.  Section 6(1), 5th sentence G10 Law relates to requirement (c), i.e., the BND must annually purge the records showing it deleted communications it determined were irrelevant. In short, the Court seems to have suggested RWB needed to plead that the BND was not complying with its recordkeeping and annual-purge requirements.  However, due to the laconic nature of the Court’s opinion, it is difficult to determine whether the Court was exclusively focusing on recordkeeping requirements, or on any of the other theories that RWB put forth in the underlying litigation.

[20] Bundesverwaltungsgericht [Federal Supreme Administrative Court], Judgment of 13 Dec. 2017, File No. 6 A 6.16, available (in German) at https://www.bverwg.de/131217U6A6.16.0.

[21] Internal BND papers relating to VerAS were published by Wikileaks, after which VerAS was discussed by the parliamentary inquiry. For an overview of VerAS, see an audit report from an on-site visit of Germany’s Federal Data Protection Commissioner to the BND’s Technical Department, published by civil-rights organization Netzpolitik: Andre Meister, Der BND bricht dutzendfach Gesetz und Verfassung – allein in Bad Aibling [The BND is Breaking the Law and the Constitution in a Dozen Ways – and that’s just in Bad Aibling], NetzPolitik.org (1 Sept. 2019), available (in German) at https://netzpolitik.org/2016/geheimer-pruefbericht-der-bnd-bricht-dutzendfach-gesetz-und-verfassung-allein-in-bad-aibling.

[22] See Judgment of 13 Dec. 2017, supra note 9, ¶ 10, 13.

[23] See Bundesverwaltungsgericht [Federal Supreme Administrative Court], Judgment of 30 May 2018, File No. 6 A 2.15, available (in German) at https://www.bverwg.de/300518U6A3.16.0.

[24] See About DE-CIX, DE-Cix.net (last accessed June 14, 2021), available in English at https://www.de-cix.net/en/about-de-cix (“Founded in 1995, DE-CIX’s Internet Exchange in Frankfurt is the world’s leading interconnection platform, managing more than 10 Terabits per second peak traffic.”)

[25] DE-CIX has filed a complaint with the Constitutional Court challenging the decision of the Supreme Administrative Court.  The complaint remains pending.

[26] See Verfassungsbeschwerde [Constitutional Complaint], Reporters without Borders et al. v. Named Provisions of the BND Law (filed 19 Dec. 2017) (copy on file with author).  In this complaint, RWB plead standing via a statistical argument: if all RWB members sent each other 10 communications per day, RWB would have a 99% chance of the BND acquiring its communications, while members would each have a 30% chance, which would increase to 65% as three years passed.

[27] See Bundesverfassungsgericht [Federal Constitutional Court], Judgment of 19 May 2020, File No. 1 BvR 2835/17, available (in German) at https://www.bundesverfassungsgericht.de/e/rs20200519_1bvr283517.html; select portions of judgment available in English at https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/ EN/2020/05/rs20200519_1bvr283517en.html.

[28] Id. ¶ 71-74.

[29] See Gesetz zur Änderung des BND-Gesetzes zur Umsetzung der Vorgaben  des Bundesverfassungsgerichts sowie des Bundesverwaltungsgerichts [Act to Amend the BND Law and Implement the Requirements of the Federal Constitutional Court and Federal Supreme Administrative Court], BGBl. I p. 771 (Nr. 17) (19 Apr. 2021), available (in German) at https://www.bgbl.de/xaver/bgbl/start.xav#__bgbl__//*%5B@attr_id=%27bgbl121s0771.pdf%27%5D.

[30] Bundesverfassungsgericht [Federal Constitutional Court], Judgment of 19 May 2020 at ¶ 280.

[31] Id. ¶ 186.  The Court’s reasoning was that “German citizens are within the reach of German authorities to a far greater extent and can thus more easily be subjected to follow-up measures.”

[32] Ditlmann & Wetzling, Caught in the Act?, at 63.

 

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.