(Note to the reader: some hyperlinked information in this post is in the German language.)
The German Bundestag will soon vote on an intelligence surveillance bill entitled Draft Law on Foreign-Foreign Communications Intelligence of the Federal Intelligence Service (official version). The bill will amend the statute that provides a legal basis for the Federal Intelligence Service (BND), which is responsible for foreign intelligence operations. Among other things, the amendments will permit the BND to surveil foreigners’ communications from within Germany. (This differs from the domestic surveillance normally conducted by the Federal Office for the Protection of the Constitution.) Currently this practice is arguably illegal, as the relevant language in the statute is ambiguous.
This bill is problematic because it is inconsistent with requirements for nondiscrimination, foreseeability, and oversight in constitutional, European, and international human rights law.
Section 6 of the bill establishes three tiers of protection of communications that vary according to whether the communication involves a German national, a non-German European Union citizen, or anyone else. If either the sender or recipient is a German national or resident, the BND may not (intentionally) obtain the person’s communications from within Germany or by compelling German communication service providers to make a disclosure. (If a German person’s communication is collected and not immediately deleted, the G 10 Commission must notify that person.) Information pertaining to EU citizens may be collected when necessary for specified purposes. Non-EU foreigners’ data may be collected as long as they are necessary to combat domestic or foreign security risks at an early stage; these purposes are broader than those associated with EU citizens.
There is no small irony here: In the wake of the Snowden disclosures, there was much criticism emanating from Germany that US intelligence surveillance was discriminatory because it provided almost no protection to non-US persons outside the US and much stronger protections to US persons. It appears that the Bundestag is about to adopt a statutory scheme with a similar dichotomy, with the twist that non-German EU citizens get a middle level of protection.
While governments sometimes afford greater privacy protections to nationals than foreigners, there is good reason to think that doing so may be unlawful under international human rights law. The UN High Commissioner for Human Rights, among others, has argued that a state exercises effective control of (i.e. jurisdiction over) telecommunications infrastructures through digital surveillance; therefore, that state must provide the same privacy protections for all people affected by its surveillance, regardless of nationality, in order to comply with the International Covenant on Civil and Political Rights. Article 26 of the Covenant prohibits discrimination on the basis of national origin, among other things.
Overly Broad Permissible Purposes of Surveillance
Another problem is that the bill uses overly broad and vague terminology to describe the permissible purposes of intelligence surveillance.
For example, “guarantee[ing] the Federal Republic of Germany’s capacity to act” and “gain[ing] intelligence, important from a foreign policy or security policy standpoint” are justifications for surveillance on German soil.
As CDT and others have explained in evidence for the UK Investigatory Powers Bill, this type of broad purpose specification for intelligence surveillance does not satisfy the requirements of clarity, specificity, and foreseeability in European human rights law.
The European Court of Human Rights (ECtHR), for example, recently stated that “discretion granted to the executive in the sphere of national security [cannot] be expressed in terms of unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity, having regard to the legitimate aim of the measure in question, to give the individual adequate protection against arbitrary interference.” In this case, the use of broad, undefined terms, including national, military, economic, and ecological security, “creat[ed] possibilities for abuse.”
The German Federal Constitutional Court discussed similar requirements in a recent judgment. According to the court, electronic surveillance and data collection must be justified by evidence of a concrete danger, with a specific timeframe, to an important legal interest. A provision of an antiterrorism statute failed this test when it permitted surveillance “to avert a danger to the existence or security of the State or to the life, limb, or liberty of a person or property of significant value,” when the “facts justify the assumption that the criminal offense will be committed.” This left the authorities and courts with a “disproportionately wide” room for interpretation.
Phrases like “important from a foreign policy or security policy standpoint” are similarly broad and vague, and create “disproportionately wide” room for interpretation.
Absence of Judicial Authorization
Another problem with the proposed surveillance regime is a lack of independent authorization. The BND, with the approval of the Federal Chancellery, will issue a regulation to a service provider that requires the provider to collect communications relevant to specified search terms. Both the BND and Federal Chancellery are arms of the executive branch. An earlier proposal to have the G 10 Commission approve each surveillance selector was not adopted. (On the bright side, an Independent Regulation Committee, composed of federal judges and attorneys, will receive a notification for each regulation issued by the BND, and will have the power to cancel a regulation if the Committee finds it unlawful or unnecessary.)
This is another topic the Federal Constitutional Court and ECtHR have recently addressed. The omission of a requirement that an authorizing judge independently assess the reasonableness of suspicion contributed to a determination by the ECtHR that a surveillance statute violated an applicant’s privacy rights. Similarly, the Federal Constitutional Court stated that “prior control by an independent body, such as . . . a judicial arrangement,” is required when intrusive surveillance measures are likely to reveal highly personal information. In part, this requires the decision-maker to “form an opinion autonomously.” The bill plainly fails to satisfy this requirement.
The BND bill could better protect human rights and the rule of law if it were amended to ensure independent authorization, greater clarity and specificity in the definition of the scope of the BND’s power, and stronger privacy protections for foreigners.