This article is a response to the following discussion prompt: 
To what extent does Germany's new BND draft bill provide a rights-based and modern framework for foreign intelligence?

A number of different contributions have addressed this question or will do so soon. See all of them here.

German lawmakers are currently reviewing the legal framework of the country’s foreign intelligence service (BND Act), in response to numerous deficits the German Constitutional Court found with the current law. While amending the draft bill, greater attention ought to be paid to recent case law from the Court of Justice of the European Union (CJEU). More specifically, the remit of the new oversight body, the Independent Oversight Council (UKR), may not satisfy the CJEU’s criteria for effective review. Beyond legality tests, the UKR should also be empowered to conduct its own assessment as to whether or not a threat justifying bulk surveillance exists.


Thus far, Germany’s Constitutional Court’s landmark judgment on the BND Act has been the sole reference point in public discussions on the quality of the proposed reforms to Germany’s foreign intelligence legislation. In this article, we argue that the drafters of the BND bill did not pay sufficient attention to the Court of Justice of the European Union (CJEU)’s recent case law on the permissibility of national security measures providing for access and retention of personal data in the field of electronic communications. More specifically, we explore how key provisions of the draft reform might be incompatible with requirements set forth by the Luxembourg court and why this should be a matter of concern to lawmakers currently reviewing the bill in Berlin. 


Part I: Meanwhile in Luxembourg

Understandably, Karlsruhe’s detailed verdict ought to be the premier reference point for German lawmakers’ take on the new bill. It was also the main yardstick for various critical positions that different associations voiced during the pre-legislative scrutiny proceeding in December 2020. Yet, Luxembourg also spelled out important requirements for Member States’ intelligence legislation last year. Some of these, we argue, are of direct relevance to the current reform efforts in Germany. In order to make this case, we first introduce the relevant parts of the 6 October judgments by the CJEU before discussing how this relates to key provisions in the draft BND Act.


Recent Grand Chamber Judgments

On 6 October 2020, the CJEU handed down two Grand Chamber judgments setting strict limits on the permissibility of national security measures providing for access to and retention of personal data in the field of electronic communications. These judgments (Case C-623/17 and the joined Cases C-511/18, C-512/18 and C-520/18) clarify a number of important issues regarding EU Member States’ powers in this field.

The starting place was the scope of the claimed national security exception, where the CJEU found that EU law does apply to measures taken on national security grounds ordering the retention and transmission of electronic communications. This finding opened the door to a series of other findings, which will require many Member States to adjust their legislation on security services’ powers in the area.

From that starting point, the CJEU held that the fundamental rights contained in the EU’s Charter, in particular the right to privacy and data protection, apply to any exceptional national security-based interference with electronic communications. Accordingly, this prohibits general and indiscriminate retention and sharing of traffic and location data as a preventive measure. However, the judgment does permit exceptions where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable. This applies not only to retention of data, but also access to real time collection and sharing of traffic and location data, as well as automated analysis.


The CJEU’s requirements for effective review

*Note to the reader: This section introduces key criteria for modern intelligence legislation from recent CJEU case law. At the end of each subsection (where suitable) we insert a simple ‘traffic light’ comment that alludes to the discussion in Part II on how the draft BND Act fares with regard to these criteria. Depending on how serious we deem a compatibility conflict between the CJEU case law and particular sections of the draft BND Act to be, we use a yellow or red colour. If the provisions are largely in keeping with CJEU case law we’ll use a green colour.

This is not the first time the CJEU has had to determine the legality of state interception of electronic communications. In a series of judgments from 2014 onwards (Cases C-293/12, C-131/12, C-362/14, C-311/18, Opinion 1/15 [EU-Canada PNR Agreement], and others), it has carefully considered the claims of Member States regarding retention, access, and use of personal data collected and stored by the private sector. Not all of the judgments have been welcomed by some state authorities — security services in particular — which have been accustomed to a fairly free hand under national rules. In a number of Member States, these services do not have a history of strict external and independent control of their surveillance activities, including those in the electronic world. The 6 October judgments of the CJEU thus set out in substantial detail what kind of oversight, and with which powers, is necessary for Member State interference with the right to privacy through surveillance of electronic communications.

The Court provides extensive (and binding) guidance on what kind of oversight is obligatory, by what kind of body and with which powers. It also addresses the question of a priori and ex post oversight and which applies to what decisions. In particular, it stipulated how an oversight body must authorise, a priori, any decision for real time traffic and location data retention and sharing; and ex post, at the very least, any decision to providers of electronic communications to carry out general and indiscriminate retention of data, traffic and location data, automated analysis and any national rules authorising automated analysis. 

In the QdN judgment, the CJEU requires an effective review by a court or by an independent administrative body. This language is close to that of the European Court of Human Rights, the decisions of which must be taken into account by EU courts when determining the scope of rights which appear in both the EU Charter and the European Convention on Human Rights. The Human Rights Court has frequently been required to determine the characteristics necessary for an effective review. It has avoided accepting the title given by states to bodies charged with reviewing security services in favour of a functional definition based on the body’s composition, powers, and scope of action. 

Whether an entity is called a court or an independent administrative body is not determinative of its status. Instead, independence is a key requirement, which means both independence from the executive and independence from the parties (Zand v Austria 1978). It must be impartial, which denotes the absence of prejudice or bias (Piersack v Belgium 1982). Key to determining whether a body is independent is the manner of appointment of its members, their terms of office, the existence of guarantees against outside pressures and the question whether the body presents an appearance of independence. Lack of independence is apparent where the role or duties of the members make them vulnerable to outside pressure, where there are insufficient legal guarantees of their independence, and where they can be removed or their terms ended, or their tasks and duties changed substantially by the body which appointed them (Lukas v Romania 2009).

*The competences of Germany’s new Unabhängige Kontrollrat (Independent Control Council, UKR) meet many of these criteria. See the discussion below though for some concerns.*

Aside from these essential elements of independence, the Court also assigned significant duties to the court or independent administrative body regarding decisions of national security agencies to require electronic services providers to retain, share, and analyse electronic communication data. The Court is very clear about what it requires from this court or body: an effective examination of whether the state is actually facing a serious threat to national security that proves to be genuine and present or foreseeable.

Hence, it is for the court or body to require evidence from the security services that there is such a threat. The first element is whether the threat is serious – this requires the services to prove that this is not a marginal or insignificant matter. There is no indication of what the standard of proof should be, but it must at least be that of administrative or civil law, a balance of probabilities. The threat must be to national security, which means that that term must be defined in law and justiciable. Most importantly, the threat must be genuine and present or foreseeable. 

As far as genuine is concerned, this means the threat must not be vague or imaginary. There must be real elements which the security services can show to the court or body to convince it of the reality of the threat. As regards present or foreseeable, this is less easily determined. On the one hand, a present threat has an immediate temporality: the threat must be in the here-and-now, something which could happen in the current time. The word foreseeable is less clearly definable, as something in the future can be foreseeable but not necessarily imminent. The field in which this word has been subject to the most discussion and judicial consideration is climate change. It may be foreseeable but is it present? It will be for the court or independent administrative body to determine the parameters of foreseeability, but always with the option of referring the question to the Court if it is in doubt of what the correct meaning should be.

Most importantly, the court or independent administrative body must determine whether there is a sufficiently important threat to justify the surveillance measures sought or implemented. Its job is not to check whether the request for a decision, or the determination of an appeal against a decision, of surveillance is in accordance with national law – which is a simple legality test. It must have the power to order the provision of evidence on the reality and nature of the threat itself. This means the court or body needs substantive powers to investigate the nature of the threat, not simply legal verification powers to check that the procedures by which the security services’ decision was made are in accordance with national law. 

*Our discussion below argues that the envisaged institutional design of the UKR does not meet all of these requirements.*

According to the QdN judgment, there are six main categories of decisions of security services which must be subject to the court or administrative body’s jurisdiction. These are:

  • A decision that requires an information service provider to transmit all user data (paragraph 52);
  • A decision giving an instruction to providers of electronic communication services to carry out general and indiscriminate retention of data (paragraph 139);
  • Decisions on national security grounds requiring services to retain (and share) general and indiscriminate traffic and location data (paragraph 168);
  • Decisions authorising automated analysis (paragraph 179);
  • The sharing of real time traffic and location data (paragraph 189);
  • National rules which authorise automated analysis (paragraph 192). 

*Our discussion below draws attention to some provisions in the draft BND Act that seem incompatible with the requirements the CJEU has set forth in both the PI and QdN cases.*

Two types of decisions must be subject to an a priori review by a court or independent administrative body. The first is access to real time traffic and location data. Here the court or body must ensure that this data is limited to that of persons with a link to terrorism on the basis of objective and non-discriminatory criteria. This means the court must examine the strength of evidence that the targeted person in fact has a link with terrorism sufficiently evidenced by the security services to justify the measure.

Further, this real time collection must be authorised only within the limits of what is strictly necessary to counter the threat that has been established as genuine and present, or foreseeable. 

*Our discussion below finds that some provisions in the draft BND Act seem incompatible with this requirement.* 

Secondly, the use of automated analysis, both decisions and rules, must be subject to an a priori review by the court or body. This review must verify whether this analysis is justified in light of the situation, in particular the national security threat, and whether it is strictly necessary.

Finally, all decisions of the court or body must be binding on the national authorities. They are not advisory.


Part II: Does the BND Reform 2.0 meet the CJEU criteria for “effective review”? 

Before we dissect the draft legislation, we ought to clarify a few important things. First, the draft BND Act — and more importantly, the provisions on the UKR’s oversight remit — focus primarily on what probably remains the BND’s single most important surveillance activity: the collection against non-nationals located outside of Germany. In German, that surveillance is called Ausland-Ausland-Fernmeldeaufklärung, which translates roughly to strategic foreign-foreign (meaning foreign persons on foreign soil) communications data surveillance. In Germany, strategic surveillance refers to the non-targeted, bundled collection of large quantities of communications data for foreign intelligence purposes. That surveillance power is distinct from surveillance activity directed at an individual suspect and his or her contacts in Germany, or by means of strategic foreign-domestic communication, which is codified in the Art. 10-Law. (This is also subject to ongoing reform tied to the current reform of Germany’s legislation for its domestic intelligence agency, the Bundesverfassungsschutzgesetz, BVerfSchG). 

Thus, with our text we jump right into the discussion of Germany’s new judicial review institution, the UKR, without commenting on the complex and fragmented wider German oversight landscape (including internal control, executive oversight, parliamentary oversight, quasi-judicial review by the G10-Commission, and independent data protection audits and financial control). This certainly merits detailed analysis but goes beyond the scope of this article.

Similarly, we merely alert readers to the fact that the draft legislation includes important provisions on computer network exploitation, which were not directly called for by the Constitutional Court. (Interested readers are advised to consult this about:intel contribution, the comprehensive justification text that the Chancellery provided alongside the actual legal provisions in the draft law, as well as the pre-legislative scrutiny statements).

Second, we focus particularly on provisions in the draft BND Act which, we think, would benefit from revision due to their apparent incompatibility with CJEU case law. This said, we note that the draft bill contains a number of laudable provisions that might provide helpful guidance to other democracies grappling with the complex challenge of writing adequate safeguards into their intelligence laws. This concerns, for example, some new and more rigorous safeguards for the protection of personal data before, during, and after (automated) data transfers with national and international partner agencies. In line with Karlsruhe’s dictum, the draft reform also ensures that the pursuit of the UKR’s oversight remit is not unduly hampered by a restrictive interpretation of the Third Party Rule.

Third, we caution that this is merely an exploration rather than a full-blown CJEU compatibility review of each provision of the draft law. Still, we hope that those interested in knowing whether the BND draft law meets CJEU case law standards might find our discussion of some use. 

Following the list of criteria mentioned above, we first turn to the sections in the draft law that give us ground to assess the UKR’s likely independence. Next we focus on its envisaged general oversight remit and its investigatory powers so as to assess whether this satisfies the CJEU’s “effective review” criteria. Third, we explore whether some provisions on the BND’s real time collection satisfy the requirement that this needs to be authorised within the limits of what is strictly necessary. 


The UKR’s (Independent Control Council’s) independence and the binding nature of its decisions

Some readers will find this sentence taken from the lengthier explanatory memorandum of the draft law peculiar: With regard to the institutional design of the UKR it states, “the specific conditions of an intelligence service are taken into account in the form of comprehensive legal control in the sphere of the executive” (BT-Drucksache 19/26103, p. 112, 76). Now, if the UKR is in the sphere of the executive, how independent will it be? 

This needs further unpacking. Unlike some alternative design models suggested, the drafters did not entrust the Federal Data Protection Officer with the independent administrative control of objective legality. This, they argued, would be detrimental to international intelligence sharing because of significant reservations and concerns voiced by Germany’s main intelligence partners. While the third party rule, as demanded by Karlsruhe, would not be applicable to the newly created oversight body UKR, it meant that this body ought to be more insulated from parliament and the data protection agency, the BfDI.

Now, apart from this, the setup of the UKR as a supreme federal authority (section 41) looks rather solid with regard to the composition of the quasi-judicial oversight body and the election of its members (section 43). We also believe that UKR’s decisions are binding and thus in sync with this CJEU requirement. We regret, however, that the draft law does not foresee an adversarial proceeding. It also seems that the envisaged process by which the UKR may issue an objection with respect to potential irregularities concerning the BND is rather cumbersome (see section 52, and the discussion, in German, here).


Would the UKR be fit enough to meet the CJEU’s “effective review” criteria?

We now point readers to sections 23, 42, and 51 of the draft BND Act. These provisions, in particular, speak to the mandate, powers, and scope of action of the envisaged UKR. Notice that the UKR would consist of two separate branches, one for the judicial authorisation and related decisions (see sections 42-49) and another for the administrative review of data processing and other activities (see sections 50-52). Following the judgment of the German Constitutional Court, both entities of the UKR are designed to perform “legality control” (Rechtskontrolle), something Karlsruhe found significantly underwhelming and partly absent in the current legislation. (Interested readers can find more information on the various stages of post-Snowden German intelligence reform and the avoidance of proper judicial review here).

From the outset, it is thus noteworthy that the UKR’s remit focuses solely on legal control and not on the propriety of how the BND exercises its functions. For example, according to section 27 of the draft bill, it is the task of the internal review authority within the BND — and not that of the independent control body — to “examine the necessity of the content data collected on the basis of search terms pursuant to section 19 (5) … Once the necessity of the data has been established, it must be subjected to a new necessity test at intervals of no more than 7 years” (see BT-Drucksache 19/26103, p. 76). 

By contrast, the mandate of the UKR and its separate mandatory evaluation of the effectiveness of its control activities (see section 61) pertain exclusively to legal control (Rechtmäßigkeit). This is in line with Karlsruhe’s dictum, which stated that the “quasi-judicial or administrative (legal control) is directed towards the examination of objective legality. The decision on the technically expedient exercise of the powers within the framework of the legal regulations remains unaffected by this (BVerfG, loc. cit., paragraph 279)”. According to the German government, this restriction of the UKR’s remit “takes into account the principle of protecting the core area of executive responsibility (BVerfG, 2 BvE 2/15, paragraph 119)”.

This begs the question though, whether this is also in line with Luxembourg’s requirements for “effective review”? Put differently, does the setup of UKR satisfy CJEU criteria that the review body must be competent and sufficiently authorised to administer an “effective examination of whether the state is actually facing a serious threat to national security that proves to be genuine and present or foreseeable”?

According to the CJEU case law, an independent body’s review can be regarded as effective if, amongst other things, it has sufficient access to information to arrive at its own assessment whether a particular threat — against which the collection of personal data is ordered and justified — is serious and affects national security, is genuine, and whether it is either present or at least foreseeable. Regarding the list of permissible threats, it is noteworthy that Karlsruhe took issue with the current § 6 BND Act because the definitions provided for bulk collection there “are not limited to precisely defined and weighty purposes. The broad and openly worded purposes listed in § 6(1) first sentence BNDG, which, according to the explanatory memorandum to the draft act, are not intended to narrow down the Federal Intelligence Service’s tasks in any way (cf. BTDrucks 18/9041, p. 22), clearly fail to meet this requirement” (paragraph 305 of the BVerfG judgment). As a consequence, the draft law now features a range of more precise definitions and distinguishes between bulk collection for the sake of the “political briefing of the Federal Government or of a Land government” and “early detection of foreign threats of international significance” (section 19 (1) draft BND Act). This is of significance because different safeguards and purpose limitations apply to either collection variant.

Now, as regards collection for the purpose of “early detection of foreign threats of international significance”, section 19 (4) states that such measures shall be “permissible only if they serve to obtain information from abroad which is of foreign and security policy significance for the Federal Republic of Germany and for the surveillance of which the Federal Chancellery has issued an order to the Federal Intelligence Service, and there is actual evidence to suggest that information can be obtained”. (Note of caution: We would translate “tatsächliche Anhaltspunkte” differently, probably replacing evidence with “actual indication”). **Note, all “sections” hereafter refer to the draft law unless explicitly mentioned.

The fact that section 19 (4) Nr. 1 now lists a more detailed and specific catalogue of individual threats and legally protected interests is a remedy to many deficits in the current law. However, we note that according to section 23 (2) these measures require a written order (by the BND’s President or a designated representative) that must include a “justification”. A crucial question in this assessment of the compatibility of the UKR’s remit with the CJEU case law relates to the “justification” part. Thus, aside from the important questions of access (see section 56 (3)) and whether the new definitions provide sufficient legal clarity, it ought to be the case that the UKR is both de facto and de jure sufficiently authorised to determine on its own accord whether the justification provided is convincing.

Yet, how do the members of the UKR come to an assessment whether to accept or to reject the government’s justification? Let us emphasise again that according to the CJEU case law, the job of the court or administrative body in charge of effective review is not to check whether the request for a decision or the determination of an appeal against a decision of surveillance is in accordance with national law. Rather than such a simple legality test, what is actually required is that the UKR must have substantive powers to investigate the nature of the threat and not simply the legal verification powers to check that the procedures by which the security services’ decision was made are in accordance with national law. 

And it is in this regard we caution lawmakers that, in our opinion, the currently envisaged set-up of the UKR might not meet this standard because the mandate of the UKR (as phrased in section 23 (4) and read in conjunction with section 42 (1)) does not seem to allow the UKR to arrive at its own assessment as regards the very existence of a threat. Again, this is our assessment and we welcome critical feedback. Yet, looking at the clarifications provided by the German government, section 23 (4) creates an ex ante duty for the UKR to assess the legality of orders for this type of bulk collection. Following the requirements set forth by the Constitutional Court, the draft law establishes “a body resembling a court” and its proceedings must also “allow for a review in the individual case which is equivalent to judicial review both in substantive and in procedural terms and is at least as effective, too” (para 275, Constitutional Court decision on BND Act). Yet, the way the relevant provisions in the draft BND Act are currently drafted does not suggest that the UKR can arrive at a separate assessment on the existence of the threat. For this, there would need to be a much clearer starting place that the UKR’s job is to determine that a genuinely serious threat to national security exists (para 139 QdN) and this should also be reflected in the scope of the UKR’s mandatory evaluation (section 61).

Unfortunately, this is not the case. Rather, at present, the drafters envisage that “the subject of the evaluation pertains exclusively to sections 40 to 58. … The criterion for evaluating the effectiveness of the control is, in particular, the practicability of the regulations, which is to be examined with regard to avoidable compliance costs. This includes the bundling of tasks, their distribution and the administrative channels, for example with regard to complaints pursuant to section 52” (BT-Drucksache 19/26103, p. 116). Once the UKR would have determined the seriousness of a threat it would then have to determine whether the proposed measures are necessary and proportionate but consistent with the finding on how serious the threat is (paras 179 et seq and the finding indent 2 QdN).

Unfortunately, in this regard, the German draft law does not seem keen to replicate the good experiences that some other democracies (UK, New Zealand, and the Netherlands in particular) have had with the creation of advisory councils to help oversight bodies arrive at sound assessments.


A priori review for automated analysis? 

According to CJEU case law, the use of automated analysis, both decisions and rules, must be subject to an a priori review by the court or body. This review must verify whether this analysis is justified in light of the situation, in particular the national security threat, and whether it is strictly necessary. The CJEU specifically demands that the aim of an independent review must be to “verify that a situation justifying that measure exists and that the conditions and safeguards that must be laid down are observed” (para. 179). The authorisation competences of the UKR, which are outlined in § 42 of the draft BND Act, do not provide for this kind of substantial ex-ante verification. The mandate for a priori authorisations is limited to relatively broadly phrased warrants for bulk collection measures in that they only have to name strategic goals, but not specific selectors or information about types of data processing. According to the draft BND law, neither must the warrants include any details about foreseen data use, nor must the collected data be tagged with metadata that indicates the permissible types of data analysis. The intelligence frameworks of the United Kingdom and of New Zealand both introduced such independent judicial approval before selecting content for examination.


All collection within the limits of what is strictly necessary? 

With regard to the CJEU criteria that real time collection must be authorised only within the limits of what is strictly necessary to counter the threat which has been established as genuine and present or foreseeable, we want to focus now on section 24 (4) of the draft law and the envisaged “suitability tests”. 

With section 24 the German government aims to secure the “cold-start” ability of its foreign intelligence service. More specifically, contrary to the rule stipulated in section 19 (5), the service would be given permission to collect personal data even without prior use of search terms. Unlike current practice in other democracies, e.g. New Zealand (see section 91 in New Zealand’s 2017 Intelligence and Security Act), the draft BND Act does not foresee a role for independent oversight, let alone warrants to govern such “suitability tests”. Therein lies a grave threat to civil liberties because this might lead to excessive data collection.

In our view, the section might also be difficult to reconcile with recent European case law. For this, consider section 24 (4) of the draft law which would allow the BND to compel service providers to hand over automated data for “suitability testing”. It should be noted that the collection of data in the context of the suitability test is not subject to strict limits, both in terms of time and the volume of data collected (see section 24 (2)). If one applies the CJEU’s reasoning in paragraphs 78-81 below to section 24 (4) in the draft BND Act, one would, in our opinion, have to come to a similar conclusion that such a provision would amount to a general and indiscriminate transmission that appears to us equally “unjustified because it exceeds the limits of what is absolutely necessary in a democratic society”.

[…] “national legislation governing access to traffic data and location data must rely on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data at issue (see, to that effect, judgment of 21 December 2016, Tele2, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 119 and the case-law cited).

Those requirements apply, a fortiori, to a legislative measure, such as that at issue in the main proceedings, on the basis of which the competent national authority may require providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission. Such transmission has the effect of making that data available to the public authorities (see, by analogy, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraph 212).

Given that the transmission of traffic data and location data is carried out in a general and indiscriminate way, it is comprehensive in that it affects all persons using electronic communications services. It therefore applies even to persons for whom there is no evidence to suggest that their conduct might have a link, even an indirect or remote one, with the objective of safeguarding national security and, in particular, without any relationship being established between the data which is to be transmitted and a threat to national security (see, to that effect, judgments of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 57 and 58, and of 21 December 2016, Tele2, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 105). Having regard to the fact that the transmission of such data to public authorities is equivalent, in accordance with the finding in paragraph 79 above, to access, it must be held that legislation which permits the general and indiscriminate transmission of data to public authorities entails general access.

It follows that national legislation requiring providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society, as required by Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter.

Summing up, in light of the CJEU’s findings in its 06 October 2020 judgement in the Privacy International case, we caution lawmakers to revisit and amend section 24 (4) of the BND draft law.


Conclusion

The judgments of the CJEU are binding on all Member States. The finding of the Court in Privacy International (the first of the two 6 October 2020 judgments) that national security comes within the scope of EU law, at least for the purposes of EU regulation of data protection, means that Member States can no longer argue that their actions in respect of national security in this field are outside EU competence. The very detailed rules set out in the second of the 6 October judgments, Quadrature du Net, on the requirements Member States must fulfil when they claim national security (or a serious threat of terrorism) in order to derogate from the EU’s strict data protection rules must be complied with by all Member States. These rules are not optional; they are obligatory wherever Member States seek access to personal data in the context of a serious threat to national security or terrorism where that access is not consistent with data protection.

For this reason, it is extremely important Germany ensures that its new law, currently under discussion in parliament, is fully consistent with both CJEU judgments. To adopt legislation which is not compliant with the Court’s judgments so quickly after their publication would be harmful for Germany’s reputation (and duty) as a faithful and law abiding member of the EU. It would constitute political disrespect and incur legal consequences. The European Commission, in its role as guardian of the Treaties, might be obliged to take infringement proceedings against Germany if it sought to pass a law which was inconsistent with decisions of the CJEU. No one would like to see a repeat of the furore which followed the decision of the German Constitutional Court on 5 May 2020 to ‘overrule’ the CJEU on the bailout package and to find that the European Central Bank had acted beyond its mandate (which has brought a European Commission infringement procedure against Germany). Now is the time to ensure that German law is fully compliant with EU data protection rules, including in the field of personal data protection and national security.

While the reform of Germany’s foreign intelligence includes significant improvements from the current unconstitutional status quo, our analysis of the new draft legislation also points to several sections that may not meet the CJEU’s effective review criteria.