Caught in the Act? An analysis of Germany’s new SIGINT reform

In May 2020, the German Constitutional Court obliged the Bundestag to reform the current legal framework for foreign intelligence collection. It held that future legislation must extend key fundamental rights protections under the Basic Law to non-nationals. It also called an end to Germany’s evasion of independent judicial oversight.

The Bundestag responded to the clear call for constitutionality in March 2021. Yet, instead of seizing the moment to align the German legal framework on foreign intelligence collection with international standards and European jurisprudence on proportionate government access to personal data, the reform of the BND Act added deficits to the democratic governance of foreign intelligence.

The new research report authored by Kilian Vieth-Ditlmann and Thorsten Wetzling analyses the new legislation and calls upon the next government to prepare a more comprehensive and rights-based intelligence reform.

Executive Summary

When the German parliament amended the legal framework for Germany’s foreign intelligence service in March 2021, it had a unique chance to set the pace among liberal democracies for better legal standards on proportionate government access to data and the protection of fundamental rights. Recent European jurisprudence such as the Schrems II ruling by the European Court of Justice and the Big Brother Watch and Centrum för Rättvisa decisions by the European Court of Human Rights brought additional momentum to the international quest for better standards in legislation and oversight practice.

Unfortunately, the Bundestag did not seize the moment. Despite laudable progress in some areas, there is a pressing need for future legislative work to align the German legal framework on foreign intelligence collection with international standards and to better meet the German Constitutional Court’s minimal requirements. This report thus calls for a comprehensive intelligence reform to improve the quality of the legal framework, to guarantee more robust fundamental rights protections, and to overcome the undue fragmentation of oversight and authorization processes.

Regarding the quality of the legal framework, lawmakers should

  • establish a clear and consolidated legal framework for investigatory powers across the German intelligence and security sector. This should include a single judicial authorization mechanism that eliminates inefficient duplications.
  • regulate bulk data access more transparently, including provisions on commercial data purchases, suitability tests, and interception of machine-to-machine communications.

Regarding fundamental rights protection, lawmakers should

  • create an effective judicial remedy mechanism for ex post facto review of foreign surveillance, as required by European jurisprudence.
  • apply to the collection of metadata the same standards and safeguards that pertain to the collection of personal content data. This is in line with the recent ECtHR Grand Chamber judgement, which deemed both data types as equally worthy of protection.

Regarding the oversight and authorization process, lawmakers should

  • expand the independent approval powers to cover bulk data analysis (examination warrants), suitability tests (testing and training warrants), and commercial data buying (data acquisition warrants).
  • include systematic points of friction in the judicial authorization process by allowing for adversarial counsel in the assessment of bulk warrants, as well as by providing direct access for the oversight body to bearers of communications in order to verify adherence to warrant criteria, as is common practice in the Swedish foreign intelligence framework.
  • define a concrete ex post control mandate that enables data-driven oversight of the BND’s data handling, including the independent analysis of the selectors used.
  • introduce binding enforcement powers for the independent oversight body, including the power to prohibit certain data collection and to require data destruction.
  • codify comprehensive public reporting obligations for the oversight body.

Read the full research report in PDF here.