This article is a response to the following discussion prompt: 
To what extent does Germany's new BND draft bill provide a rights-based and modern framework for foreign intelligence?

A number of different contributions have addressed this question or will do so soon. See all of them here.

Germany’s Federal Commissioner for Data Protection & Freedom of Information analyses the upcoming draft to amend the Federal Intelligence Service Act (BNDG). He explains how — on numerous counts — the draft Act fails to meet the proportionality requirements previously outlined by the country’s Constitutional Court. In order to avoid the risk of further successful constitutional complaints, the draft’s current shortcomings should be remedied and more effective cooperation between the current and future supervisory bodies for the BND should be established.


As a consequence of the judgement by the Federal Constitutional Court of 19 May 2020 (BVerfG 1 BvR 2835/17) — where the Court held that the Federal Intelligence Service’s powers to conduct strategic surveillance of foreign telecommunications violate fundamental rights of the Basic Law and in particular the principle of proportionality — the Federal Government on 16 December 2020 adopted a draft for a revised Federal Intelligence Service Act (Gesetz über den Bundesnachrichtendienst – BNDG). 

I have expressed substantive legal concerns on several aspects of the draft BNDG in three statements during the interministerial consultations. Despite some improvements, the draft by the Cabinet in my view still does not fully meet the criteria of the Federal Constitutional Court’s judgement of May 2020 and is therefore likely to be challenged by way of constitutional complaints again.

My main remaining legal concerns relate to the provisions on transfers of data from strategic surveillance of foreign telecommunications by the BND to other domestic and foreign intelligence and law enforcement authorities, the processing of traffic data, the volume of affected internet traffic, the provisions on computer network exploitation – CNE (“hacking”) and the foreseen new structures of supervision over the BND.


1. Transfers of intelligence obtained by the BND for the purpose of political information of the Federal Government to other authorities

The draft BNDG permits the transfer of intelligence obtained by strategic surveillance for the purpose of political information of the Federal Government to other domestic intelligence and law enforcement authorities. This contradicts the Court’s findings, according to which such data is strictly restricted to the purpose of informing the highest level of the Federal Government in order to prepare government decisions. Such data, according to the Court, may be transferred to other authorities with operative competences only under very restricted circumstances, inter alia a threat to life. Even the Federal Government itself is not allowed to transfer this information to subordinate agencies for other, in particular operational, purposes. The draft BNDG undermines this threshold by allowing the transfer of data restricted to political information of the Federal Government via other national intelligence and law enforcement authorities, including those of the Länder, thereby enabling them to become aware of data which, according to the Constitutional Court’s finding, they are not allowed to receive. This legal construction allows the assumption that those transfers are to take place primarily for the purpose of informing these authorities themselves, rather than the Federal Government.

Likewise, the draft BNDG permits the transfer of data obtained through CNE for the purpose of political information of the Federal Government via these other authorities. Even though CNE was not an issue in the judgement of the Federal Constitutional Court (because the competence for CNE was introduced by the current draft BNDG and, therefore, was not the subject of the ruling), the transfer of CNE data must be subject to at least the same requirements which the Court set for transfers of data from strategic surveillance of foreign telecommunications, due to the greater interference with fundamental rights caused by obtaining and transferring CNE data.


2. Transfers of intelligence obtained by the BND for the purpose of early threat detection to other authorities

In addition, the draft BNDG neither meets the requirements set by the Constitutional Court for transfers of data obtained through strategic surveillance of foreign telecommunications to national intelligence, police and law enforcement authorities for purposes of early threat detection (which is the second purpose, besides political information, that the Court accepted as justifying strategic surveillance by the BND), nor does it meet the constitutional requirements for transfers of data obtained through CNE for this purpose.

According to the Court’s finding, the transfer of personal data from strategic surveillance of foreign telecommunications to “other bodies”, which includes national intelligence services and law enforcement authorities, is justified only to protect highly important legal interests and requires as a threshold for transfers the presence of a “concretised threat” or, in the case of transfers for law enforcement purposes, a “sufficiently concretised suspicion of crime”. Contrary to these requirements, according to the draft BNDG, the existence of actual indications is not connected to the presence of a concretised threat to important legal interests, but rather solely to the “necessity” of protecting these legal interests. This is another example of how the draft BNDG undermines the requirements set by the Constitutional Court in its judgment.


3. Processing of traffic data and machine-to-machine communication by the BND

Another problematic area of the draft BNDG, which has been criticised not only by me but also by several associations in the consultation, concerns the processing of traffic data obtained through strategic foreign surveillance by the BND. Generally, according to the draft BNDG, the processing of traffic data of German citizens and other domestic holders of fundamental rights is forbidden. As an exemption to this rule, the BNDG allows the processing of machine-to-machine communication and of traffic data which has been rendered unrecognisable through hashing. Both exemptions are problematic. As regards machine-to-machine communication, the explanation to the draft BNDG trivialises this form of communication as “mere machine-to-machine communication”, even though this may well become the most frequent form of communication in the future, with the Internet of Things forming part of its expected scope. In fact, the communication of every end device (e.g. the synchronisation of a smartphone) contains significant elements of machine communication. Machine-to-machine communication thus opens up intelligence opportunities which may even go beyond what can be generated by wiretapping human communication.

As regards the hashing of telecommunications identifiers, the hash values still represent identifiable persons, since the hash values for unique identifiers remain constant. It can therefore be assumed that the BND is able to re-personalise this data by simple coincidence analysis of less protected data from the same person’s device. The mere pseudonymisation of traffic data by hashing should therefore be replaced in the BNDG by an anonymisation obligation in order to prevent surveillance of domestic holders of fundamental rights.
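The linkability point above can be checked on toy data. The following is an added example, not part of the original article or the draft Act: the identifiers, device labels, timestamps and function names are all constructed assumptions, and it compares plain hashing with a per-record random token as one possible unlinkable replacement.

```python
import hashlib
import secrets
from collections import Counter, defaultdict

def pseudonymise(identifier: str) -> str:
    """Plain hashing: the same identifier always maps to the same value."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]

def anonymise(_identifier: str) -> str:
    """Fresh random token per record: nothing constant is left to link on."""
    return secrets.token_hex(8)

# Constructed traffic records: (minute of observation, telecom identifier).
TRAFFIC = [(1, "id-A"), (4, "id-B"), (7, "id-A"), (9, "id-C"),
           (12, "id-A"), (12, "id-B"), (15, "id-C")]
# Constructed, less protected records from the same devices: (minute, label).
SIDE = [(1, "device-A"), (4, "device-B"), (7, "device-A"), (9, "device-C"),
        (12, "device-A"), (12, "device-B"), (15, "device-C")]

def coincidence_links(protected, side, min_hits=2):
    """Link each protected token to the label it repeatedly co-occurs with."""
    labels_at = defaultdict(set)
    for minute, label in side:
        labels_at[minute].add(label)
    hits = defaultdict(Counter)
    for minute, token in protected:
        for label in labels_at[minute]:
            hits[token][label] += 1
    links = {}
    for token, counts in hits.items():
        label, n = counts.most_common(1)[0]
        if n >= min_hits:  # a single coincidence proves nothing
            links[token] = label
    return links

def linkage_audit(transform):
    """Return the labels recoverable after `transform` is applied to TRAFFIC."""
    protected = [(minute, transform(ident)) for minute, ident in TRAFFIC]
    return sorted(coincidence_links(protected, SIDE).values())

if __name__ == "__main__":
    print("hashed identifiers:", linkage_audit(pseudonymise))
    print("per-record tokens :", linkage_audit(anonymise))
```

With constant hash values all three constructed devices are re-linked; with per-record tokens none are, because no value repeats across records.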


4. Volume of intercepted internet traffic

During the interministerial consultations, the volume of strategic foreign surveillance has been limited from initially 50% to nominally 30% of “existing telecommunications networks”. However, an actual limitation, as required by the Constitutional Court’s ruling, has not been achieved. In the explanation to the draft BNDG, the inherently vague term of “existing telecommunications networks” is defined in terms of the capacity of all worldwide telecommunications networks and not of the effective data rate of the telecommunications networks that the BND can access and intercept in practice. In this respect, it must be borne in mind that a significant proportion of capacity — an estimated 50% — in the respective network is reserved, for example to cover peak loads. The nominal limitation thus refers to the overall capacity of all telecommunications networks worldwide. The telecommunications networks which can be accessed and intercepted by the BND can thus be offset against those which are out of its reach in practice. The 30% limit of global network capacity is more likely to be a 100% interception permit for effective data flows in the available telecommunications networks.


5. Computer network exploitation – CNE (“hacking”)

The draft BNDG introduces new and particularly severe interferences with fundamental rights by allowing CNE, including source telecommunications surveillance and subsequent transfers of data to other authorities.

In order to avoid a possible breach of the constitution, it is advisable to raise the threshold for carrying out CNE for the purpose of early threat detection, at least to a similar level to that required by the Federal Constitutional Court in its rulings on access to information technology systems (e.g. BVerfG 1 BvR 966/09). Without referring to the foreign context, those intense interferences may only be justified if factual indications for a specific impending threat to an exceptionally significant legal interest are present in the individual case. The Federal Constitutional Court expressly referred to this judgment in its decision on strategic surveillance of foreign telecommunications by clarifying that the judgments on access to information technology systems also apply to the intelligence services.

The corresponding provisions on transfers of data obtained through CNE to national intelligence and law enforcement authorities might be a possible breach of the constitution too, because they allow transfers to these authorities under almost the same conditions as for transfers of data from strategic surveillance of foreign telecommunications – although CNE is to be regarded as a much more intrusive measure.


6. Cooperation between supervisory bodies

Another point of criticism concerns the provision on cooperation between supervisory bodies. This provision does not allow the current supervisory bodies for the BND, including my authority, and the new “Independent Oversight Council” (Unabhängiger Kontrollrat) — introduced by the draft BNDG in order to supervise the BND in the field of its technical intelligence (including strategic foreign surveillance and CNE) — to fully cooperate with each other. The draft BNDG foresees an exchange between these bodies only on “general matters” of supervisory activities. This is insufficient and against the finding of the Court in the BNDG judgment that “open and direct exchange between the oversight bodies must be guaranteed”. The supervisory bodies must therefore be able to discuss specific content-related intelligence data and coordinate their supervisory activities in order to avoid gaps or duplication of work in supervision. Allowing an exchange only on “general matters” reduces the effectiveness and comprehensiveness of oversight, which the Court called for in its judgement on the BNDG, and makes it difficult to achieve synergies.


7. Insufficient distance between the Independent Oversight Council and the BND / the Federal Chancellery

The Federal Constitutional Court had emphasised in its ruling that a sufficient distance to the Federal Intelligence Service must be ensured to guarantee the independence required for the oversight bodies. This necessary distance between the Independent Oversight Council and the BND could be impeded by the Federal Chancellery’s intervention possibilities foreseen by the draft BNDG. According to the draft, the Federal Chancellery is to be consulted before the Rules of Procedure of the Independent Oversight Council are adopted. In addition, it remains unclear whether the Oversight Council is to have its headquarters or offices on the premises of the BND, thereby de facto undermining the necessary working distance. The Federal Chancellery is to be heard before a report to the Bundestag without reference to a specific case is published. The Independent Oversight Council may also delegate the administration and management of its personnel to the Federal Chancellery and thus to the superior authority of the BND. It can be assumed that the Independent Oversight Council will have no choice but to accept this offer, given the challenge of establishing court-like supervision from scratch in the shortest possible time. 

During the interministerial coordination, I have pledged to take over the task of the administrative oversight of the BND. The judgement called for the establishment of a court-like judicial oversight with the power to make final decisions on the one hand, and an administrative oversight on the other, by a body that can conduct randomised oversight of the legality of the entire surveillance process on its own initiative. As regards the administrative oversight, the Court in its judgment explicitly stated that this task could be carried out — as an alternative to a new body — by the Federal Commissioner for Data Protection and Freedom of Information. I regret that the Federal Government has not elaborated on this option, given that my authority is the only independent federal data protection supervisory authority with longstanding experience in the oversight of federal intelligence, police and law enforcement authorities.


Conclusion

In many respects, the draft BNDG does not meet the proportionality requirements set by the Federal Constitutional Court for strategic foreign surveillance of telecommunications and for transfers of data obtained through it to other domestic and foreign intelligence and law enforcement authorities. Likewise, it is doubtful whether the provisions for CNE data collection and transfers introduced by the current BNDG draft meet the requirements set in precedents by the Federal Constitutional Court, in particular its rulings on access to information technology systems by intelligence and law enforcement authorities. In order to avoid the risk of further successful constitutional complaints, the mentioned shortcomings of the draft BNDG should be remedied. In addition, the supervision needs to be strengthened in a way which allows for unrestricted, content-related and effective cooperation between the current and future supervisory bodies for the BND.