Germany’s post-Snowden intelligence reform of 2016 lies in tatters. The Constitutional Court’s recent judgement is a slap in the face for those responsible. The list of additional safeguards that the Bundestag is now ordered to write into its foreign intelligence legislation by the end of 2021 is both long and ambitious. If done right, the reform may significantly contribute to the harmonisation of good SIGINT standards in Europe.


When conducting bulk collection against non-nationals outside of Germany, the foreign intelligence service BND must respect their fundamental right to privacy of telecommunications and the freedom of the press. Such is the recent ruling of the German Constitutional Court. It stipulates that these rights are universal in character under the German constitution. German state authorities are bound by it regardless of where they operate. In consequence, central provisions in the Act on the Federal Intelligence Service (BND Act), which restrict the territorial reach of these rights to nationals or people residing in Germany, are unconstitutional. 

Thus, the BND Act, as amended in 2016, needs to be substantially rewritten. This concerns both the mandate and the accompanying procedures for the authorisation, administration, and oversight of strategic foreign-foreign telecommunication surveillance, including the provisions for automated data transfers and international Signals Intelligence (SIGINT) cooperation. For those not familiar with the terms used in Germany, the surveillance practice in question refers to the non-targeted, bundled collection of enormous quantities of communications data for foreign intelligence purposes against non-nationals located outside of Germany. Arguably, this is still the most important surveillance practice of the Bundesnachrichtendienst (BND). The agency can reportedly copy 1.2 trillion IP connections for further processing each day. 

In this first review of some of the Court’s findings, I will elaborate on a few aspects that, I hope, are of particular interest to international readers. The Court has now helped cement bulk collection as a viable surveillance practice across Europe. However, this comes with an impressive list of safeguards that future legislation needs to incorporate, some of which have not been formulated this clearly elsewhere (at least not to my knowledge). This concerns in particular automated data transfers and international intelligence cooperation, which now have to be placed on a much stronger legal footing. German overseers must be freed from the shackles of the so-called Third Party Rule. And the German oversight regime, whose fragmentation has become a laughing stock among European overseers, may see a comprehensive face-lift. It will be very interesting to watch how the Bundestag will implement the orders it received from the court, not just for those interested in German intelligence politics. If done right, this can contribute to a growing European acquis on good SIGINT standards.


Mass surveillance by German intelligence is here to stay 

Despite declaring Germany’s foreign intelligence legislation by and large unconstitutional, the judgement also contains an inconvenient truth for the litigators. Bulk collection grew in the shadows of our democracies, but it is here to stay. Practically all European parliaments have expanded, rather than curtailed, surveillance powers in post-Snowden reforms. The European Court of Human Rights called bulk interception a “valuable means” of counterterrorism. The German Constitutional Court is now yet another court to argue in this direction. It does caution that it is “an exceptional power that must be restricted to the gathering of foreign intelligence conducted by an agency that itself has no operational powers”. Still, “if designed in accordance with the principle of proportionality, however, strategic telecommunications surveillance of foreigners in other countries is, in principle, compatible with the fundamental rights of the Basic Law”.

The judgement has thus cemented bulk collection as a very potent tool in the kit of the German foreign intelligence service. What a future reform needs to do much better, however, is to retrofit a whole range of important safeguards to the controversial practice.


Don’t dare to dodge these safeguards again!

While the German security establishment need not be worried about the future practice of bulk collection, the judgement adamantly reminds German lawmakers that they must try much harder to counterbalance this formidable surveillance tool with far more robust safeguards. Below are six noteworthy examples of the kind of safeguards which the Court demands to be put in place by the end of 2021: 

  • “Restrictions on the volume of data to be taken from the respective transmission channels and on the geographical area covered by surveillance”.
  • “If foreign-foreign strategic surveillance is used for the mere purpose to help prepare decisions of the Federal Government, a change in purpose or the transfer of data to other entities must then generally be ruled out”.
  • “The power to store and retain traffic data in its entirety in the context of the gathering of foreign intelligence must be restricted with regard to the volume of data that can be collected; it may not be stored for more than six months”.
  • “Special requirements apply to the protection of professional groups or groups of persons whose communications call for increased confidentiality”.
  • “Intelligence relating to the highly personal domain may not be used and must be deleted immediately”.
  • “The key steps of data deletion must be documented insofar as this is sensible and necessary for independent oversight”.


Automated data transfers and international intelligence cooperation need an even stronger legal footing

Despite the fact that the 2016 reform of the BND Act included provisions on international intelligence cooperation (whereas some other democracies continue to operate in this space without any provisions in their respective intelligence laws), this clearly did not convince the judges. More specifically, the Court stipulated that the “transmission of data abroad requires, as a separate prerequisite, an assurance under the rule of law as to how the foreign authorities will handle the data transmitted to them” (para 233*). This requirement concerns: 

  • (a) the respect of data protection guarantees; 
  • (b) the respect of human rights in the use of the information by the recipient state;
  • (c) for both (a) and (b), clear regulations are needed which ensure that the Federal Intelligence Service is sufficiently assured; and, 
  • (d) furthermore, the maintenance of transmission limits for the transmission of data from strategic monitoring must be ensured by obtaining robust assurances from the recipients.

Now, given that assurances are one thing and cooperation practice with several hundred intelligence services worldwide may well be another, the Court rightly stressed that “ensuring that the required level of protection is maintained is a decision that is not subject to free political disposition. It must be based on substantial, realistic and up-to-date information. It must be documented and accessible to independent control. In the case of particularly important transmission processes or those which are difficult to assess in terms of the legal requirements, further procedural precautions may be necessary, (…) such as a court-like preliminary judicial review for the transmission of information about journalists or lawyers worthy of protection” (para 241*). I find it particularly important to highlight here that the Court explicitly calls for documentation and an active involvement of independent control. This may give this safeguard additional clout. On how to address the need for documentation, German lawmakers may want to consult with their Dutch colleagues about the implementation of “weighting notes” on foreign intelligence partners.

The Court also clarified that future provisions on international cooperation must offer a better protection against the inherent danger of what may be called collusive delegation, in this context: delegating state powers that traditionally constituted a bastion of national sovereignty to international partners as a means to circumvent domestic constraints, such as oversight and pesky safeguards. In order to rule this out even better in the future, the court reiterated that “the German state must protect persons who are subject to the protection of its legal system in Germany from surveillance measures of other states that are contrary to fundamental rights” (para 249*). It then called for new regulation to better accommodate “the potential inherent in such practices for circumventing domestic obligations and the specific threats to fundamental rights that may arise through cooperation. In particular, the extent to which the Federal Intelligence Service can receive and use personal information from foreign services within the framework of cooperation for which there are indications that it was obtained by monitoring German domestic communications must be regulated” (para 250*). 

The Court also ordered new safeguards for the transfer of metadata to foreign intelligence partners. Here it clarified that “an entire transmission of metadata cannot be permitted on a continuous basis and may not be solely instructed, but requires a qualified need for collection on the basis of a specifically concrete danger situation. In this respect, beyond the existence of general danger situations, there must be a reason to counteract specific threats. This must be recorded in the formal definition of the measure and the evaluation by the foreign service must be limited to this objective. The determination of such a measure must be accessible to a court-like control” (paras 262-263*).

Here it is noteworthy how the court underlines the importance of metadata also in the context of foreign intelligence and how it emphasises the potential involvement of court-like controls in a process that has far too long been done without any independent review. 


Actions on shared information must be subjected to effective oversight

The oral hearing before the Court in January this year brought the same frustrations to the fore that the more proactive members of inquiry committees have time and again experienced in the Bundestag: Often, when they tried to assess the legality and proportionality of the German government’s various actions in the realm of foreign intelligence, the government managed to successfully evade accountability by referring to the “Third Party Rule”. Typically, this is where the buck has always stopped. The message from intelligence agencies to oversight bodies, in a nutshell, boiled down to the following: “As much as we may wish to share these lists of search terms or the assurances we received from our foreign intelligence partner as regards the future use of the data we shared, we regret to inform you that you oversight folks are not a party to our international intelligence cooperation agreement and it is not in our power to grant you access to information that we received as a result of our trusted relationship with foreign intelligence partners”. 

The Court rightly had enough of this and has now ordered that “it must be ensured that oversight is not hindered by the ‘Third Party Rule’”. How exactly the Bundestag can ensure that its fragmented oversight landscape (consisting of the G10-Commission, the Parliamentary Intelligence Oversight Panel, the Trust Committee, the G13-Commission tied to the Bundestag, the Independent Committee in Karlsruhe and the Federal Data Protection Authority in Bonn) is sufficiently protected against future stonewalling by the executive in this regard is a matter that will keep legislators quite busy. I will say more about the realistic prospect of a comprehensive overhaul of German intelligence oversight further below. As regards the “Third Party Rule”, much can be learned from the Netherlands, Norway, and Denmark, as they already have less stringent rules in place (see Figure 1).

Figure 1: Different interpretations of the “Third Party Rule”

Even more importantly, Germany now needs to promote European standards on the governance of intelligence cooperation. One first step to take in this regard would be to formally join the European Intelligence Oversight Working Group that seeks to “support effective oversight of international cooperation between intelligence and security services”. For this to happen, however, the European partners would need to know which of the many different German oversight bodies they should work with. 


Germany dearly needs professional end-to-end oversight

On the issue of oversight, the Court’s judgement entails a fierce blow to the German government and those responsible for the BND reform 1.0 in 2016. To strengthen parliamentary oversight then was a good thing to do, but the Court strongly rejected their shrewd attempt to avoid the creation of proper judicial oversight and independent reviews of the data handling. Rightly, the Court has found that “the challenged provisions do not satisfy the requirements for an extensive independent oversight regime”. What must follow from this now is nothing but a complete redesign of the fragmented and inefficient intelligence accountability mechanisms and oversight institutions in Germany. Back to you, Bundestag!

In its judgement, the Court indicates what needs to be changed. It amounts to what lawyer Graham Smith (Cyberleagle) has called “end to end oversight”. “On the one hand, it must be ensured that the key procedural steps of strategic surveillance — partially also ex ante — are subject to an oversight regime that resembles judicial review and entails the power to make final decisions. On the other hand, the measures must be subject to an administrative oversight regime that can conduct randomised oversight of the legality of the entire surveillance process on its own initiative”. Notice that the Court also demands that “the effectiveness of both the controls in practice and the legal regulations must be evaluated at regular intervals” (para 299*).

Further, it is noteworthy that the Court sees the new oversight structures it now demands to be implemented to be of at least the same magnitude as those that the BND Act of 2016 created to strengthen parliamentary oversight (para 288*). That is to say, at the very least, the Bundestag should now create up to 35-40 new positions to ensure that the requested quasi-judicial ex-ante and administrative data handling oversight is sufficiently staffed. But staffing, obviously, is only one thing. The Court also specified that the “material resources must have a scope that also allows, for example, effective control of the filter processes for separating the communications of Germans and nationals and for the protection of confidential relations and, if necessary, to develop separate files and control programs for this purpose” (para 288*).

Notice that if a redesigned federal oversight regime were to come at the modest price of roughly one percent of the federal budget for intelligence, Germany would need to invest roughly 14 million Euro per year in oversight. At present, the combined annual budgets available to Germany’s fragmented intelligence oversight community are far below that. More investments in technical expertise and supervisory technology are urgently needed, I’ve argued in a recent paper with my colleague Kilian Vieth, so as to go from 20th century paper-driven oversight to 21st century data-driven end-to-end oversight.


New international high water marks in the making?

The Bundestag’s future work on intelligence reform — which will soon also include amendments to the domestic intelligence law (Bundesverfassungsschutzgesetz) now that a second bill is finished and is currently being reviewed by various German ministries — will keep legislators and interested commentators quite busy given the substantial changes the court has now ordered. As indicated, this includes the identification and codification of new safeguards regarding automated data transfers but also viable measures to facilitate professional oversight of German contributions to intelligence cooperation. This, of course, is a challenge that many countries face and democracies should collectively race to the top and exchange views on best practice.

Among the many other relevant findings in the judgement there is another one that stands out from an international perspective. The German Constitution, it reads, “does not allow for global and general surveillance, not even for the purpose of gathering foreign intelligence. Therefore, the legislator must impose restrictions on the volume of data to be taken from the respective transmission channels and on the geographical area covered by surveillance”. The German Constitutional Court is thereby pushing the Bundestag, in effect, to set new high water marks for foreign intelligence collection. By international comparison, this may be seen as tantamount to the US Supreme Court requesting a significant upgrade of the US Presidential Policy Directive 28, which thus far speaks only of the “privacy interests” of foreigners and not their fundamental rights. It would also be analogous to a request to trim US Executive Order 12333. On top of that, the German Court did not accept a mere reliance on directives and decrees but wants these matters to be written into actual intelligence laws passed by parliament, thus becoming “the embodiment of the people’s will” and possessing greater legitimacy.  


Conclusion

The drafters of the 2016 intelligence reform took a significant risk and have rightfully lost. They knew that if their interpretation of the limited territorial reach of Art. 10 of the Basic Law failed to convince the Constitutional Court, they would have to revise almost the entire Act. The Court’s ruling has now made this the arduous but very important task for the 19th Bundestag.

If and how the German parliament will manage to do all this will captivate interested observers for a while. Given the lengthy list of legislative to-dos and the fact that major political actors have thus far displayed a reluctance to touch the issue of judicial oversight, this judgement surely will take a while to sink in. As its 332 paragraphs make clear, mere cosmetic changes will not suffice. The challenge is very timely though and should resonate with other lawmakers across Europe. This is because to strengthen not just the de jure but also the de facto protection of non-nationals in the context of global, widespread electronic surveillance takes far more than a single legislative reform in one country. As the court has cautioned, it is indeed too easy for national protections to be circumvented through international cooperation. Thus, I hope that other stakeholders (governments, lawmakers, oversight bodies, but also intelligence services) will engage constructively with German lawmakers on how to move European standards on SIGINT forward. There is a growing European acquis in the making if the political will can be mustered, not just in Berlin. Up until now, this remains a caveat the size of Brazil.


* These quotations have been translated from the judgement “1 BvR 2835/17” by the author and should not be regarded as a formally authorised English version of the judgement.