Wanted: A legal authority for data purchases by German security and intelligence agencies

When intelligence services purchase personal data from commercial vendors this raises important questions about the legality and proportionality of their access to and processing of such data. A recent legal assessment by the German Parliament’s Research Service finds no clear legal basis for the use of advertisement intelligence (ADINT) in the country’s legal framework for intelligence collection. While other European countries have started to tackle this growing practice through legislation and oversight, clear legal provisions for data purchases from commercial vendors have yet to be written into Germany’s intelligence law. Policymakers should seize the opportunity of the pending intelligence reform to hone-in on the public-private coproduction of intelligence and fill current regulatory gaps.

Just before Christmas, Bayerischer Rundfunk, netzpolitik.org, and tagesschau.de reported on a consequential assessment of the German Parliament’s Research Service^[1] whether or not the current German intelligence legislation provides a sufficient basis for data purchasing by national security services from commercial advertising databases.

The assessment has come at a particularly sensitive moment as Germany’s government is again preparing comprehensive reforms to the body of laws that regulate the powers of the three federal intelligence services. It has been reported by tagesschau.de and netzpolitik.org but thus far no draft bill has become public. The pending reform seeks, among other things, to expand the authority and competencies of the German foreign intelligence service (Bundesnachrichtendienst, BND), reflecting the belief that the service needs more surveillance powers to better respond to emerging threats to national security and the need to act more independently from the U.S. intelligence community.

As current media reporting on forthcoming draft legislation has not mentioned data purchases, it is likely that the next reform will still not tackle the burgeoning practice that is ripe for more regulation and oversight. It is with this in mind that the recent assessment by the Parliamentary Research Service is particularly noteworthy, as it provides a detailed elaboration on pressing and unresolved questions regarding the legal framework for public-private cooperations in intelligence in Germany.

Significance of commercially sourced data for intelligence work

While there are no reliable records about the frequency and scope of data purchases by state authorities in Germany, the assessment refers to evidence from other European countries and justifications provided by the German government in prior draft legislation to argue that this practice is becoming an increasingly significant component of intelligence work. The assessment points to the necessary differentiation between data obtained through commercial vendors versus data collected by monitoring not access-restricted online fora or websites, typically summed up as OSINT. While OSINT usually refers to the collection and processing of publicly available information, data stored in commercial databases originate from numerous different sources – many of which are not publicly accessible. Hence the differentiation between commercially available and publicly available data.

For intelligence services, the pooling of data from various sources gives particular value to information obtained from advertising: it often provides more granular information on individuals or trends. Another key incentive for intelligence services’ use of ADINT seems to be the fact that it enables them to obtain information that they presumably would not have been permitted to collect themselves. What is more, had they sought to do so, they would have faced an extensive authorization procedure, numerous restrictions on data use, and stricter oversight requirements.

The Parliamentary Research Service’s implicit finding: Current ADINT practice might be unconstitutional

Since the purchase of personal data from commercial advertising databases by intelligence services constitutes an interference with the fundamental right to the privacy of telecommunications (Article 10(1) GG) and the fundamental right to informational self-determination (Article 2(1) in conjunction with Article 1(1) GG), an explicit legal basis for those interferences is necessary. After a lengthy search of possible provisions that might constitute the required legal foundation, the Research Service reaches an assessment that is both concerning and inconclusive: None of the three existing norms that it discusses do unequivocally meet the standards set forth by the German Constitutional Court for the quality of the legal basis granting intelligence services surveillance powers that infringe upon fundamental rights. Put simply, the Research Service’s assessment did not find in the current German body of law a sufficient statutory basis for the intelligence services’ data purchases from commercial vendors. It also provides arguments for as to why the nearest suitable current provisions in the German intelligence law framework would most likely fail to meet the required constitutional standards of specificity and proportionality.

The growing problem of a missing specific legal framework

While the assessment only hints at possible constitutional incompatibilities, there are compelling arguments suggesting that the standards of specificity and proportionality required to legitimize interferences with fundamental rights are, in fact, not met by the relevant provisions in the existing German intelligence legislation.

The Research Service’s assessment highlights the provisions governing the use of intelligence-gathering methods for covert information collection in the laws regulating the domestic intelligence service (§§ 8(2), 9 BVerfSchG), the foreign intelligence service (§ 5 BNDG), and the military intelligence service (§ 4(1), 5 MADG) as the norms that could potentially serve as a legal basis for data purchases. However, since the purchase of personal data from advertising databases is not explicitly mentioned in the provisions, the infringement of fundamental rights is hardly foreseeable for those affected, thereby calling into question the fulfilment of the decisive proportionality criterion. Furthermore, the secrecy of state action and the presumed comprehensive scope of intelligence services’ data purchases exacerbate the fundamental rights interference with reference to the standard of specificity. Following the Federal Constitutional Court’s landmark judgement on the foreign intelligence service act, which established minimum requirements for statutory authorization (1 BvR 2835/17, BVerfG decision May 19, 2020), it is doubtful that the lack of specificity of the legal provisions and the absence of safeguards for core areas of private life could be compensated for by referring solely to classified internal regulations. A further challenge is closely linked to what currently makes data purchases particularly attractive for intelligence services. Intelligence services benefit from commercial vendors aggregating data from multiple sources, allowing them to obtain extensive and detailed information about individuals. At the same time, those affected can hardly anticipate the scope and nature of potential interferences with their fundamental rights. This raises serious doubts about whether data purchases by state authorities meet the requirements of specificity and proportionality.

Additionally, another highly sensitive issue arising from intelligence services’ data purchase from advertising databases not mentioned by the assessment is the subsequent processing of the data. It is uncertain how further fundamental rights interferences – likely to arise from storing the data, matching it with additional information, analysing, filtering, and transmitting it – could be justified in the absence of a clear legal basis.

Apart from the possible infringement of fundamental rights, we note that commercial data purchases also pose significant risks to national security due to the peculiar nature of public-private cooperations. Since the acquisition of such data may reveal services’ intelligence interests or lead to the leakage of sensitive information, it does not only threaten fundamental rights but can also undermine the effectiveness of intelligence work. Moreover, relying on commercially available datasets increases the risk of using manipulated or inaccurate data. Legal regulation and oversight over commercial data purchases are thus not only needed to ensure the safeguarding of fundamental rights, but also to prevent the exploitation of security vulnerabilities in public-private partnerships.

What German lawmakers can learn from other European countries

While no draft bill of the forthcoming German intelligence law reform has become public yet, initial media reporting has not focused on data purchases despite the enormous paradigm shift in intelligence collection that this practice embodies. While the Research Service’s assessment only focuses on the German situation, a look at other European countries shows how intelligence services’ data purchases from advertisement databases can be addressed more thoroughly through legislation, oversight practices, and public debate. A forthcoming interface paper that will spell out some of these and other nascent regulatory and oversight practices on ADINT in further detail, consider just these three examples for further inspiration:

To ensure the protection of particularly sensitive data, the Norwegian oversight body EOS can extend its review to private sector organisations contracted by state security and intelligence services. The EOS-Committee can summon actors from the private sector for a hearing as part of its investigative work.

In the Netherlands, the debate on ADINT is conducted more transparently than in Germany. For example, the Dutch oversight body CTIVD has warned in a public letter to the Dutch Ministry of Defence that the structured partnership between intelligence services and private-sector providers is not sufficiently reflected in the Dutch legal framework.

In 2024, the United Kingdom amended the Investigatory Powers Act and introduced a provision governing British intelligence services’ access to datasets held by commercial providers. It acknowledges that the purchase of intelligence data may also mean that services buy access to such data without integrating it into their own systems, for a variety of reasons and risks.

Lawmakers in Germany should seize the opportunity of the upcoming intelligence law reform to not only to adapt intelligence services’ capacities to the evolving threat landscape, but also to close existing regulatory gaps concerning possible cooperations between private and public entities. In order to address the discrepancies and inconsistencies in the body of law for intelligence gathering, the legal framework and mandates of oversight bodies should be adjusted to adequately encompass ADINT practices. Additionally, oversight bodies should have access to the contracts and agreements between the intelligence services and private providers in the data market.

^[1]The German Bundestag’s Research Service is a non-partisan research unit that provides members of parliament with independent analyses and expert reports. Its researchers prepare background studies on legal, political, economic and social issues to support informed decision-making.

Wanted: A legal authority for data purchases by German security and intelligence agencies

Add comment

Other articles

Intelligence – an extension of diplomacy?

Legal and Oversight Gaps in Germany’s Military Intelligence

Update on the implications of the Dutch Temporary Cyber Operations Act

Why and how German judicial intelligence oversight needs empowerment

The Pegasus scandal in Poland – between old problems with state surveillance and the current rule of law crisis