Headnotes
to the Order of the First Senate of 27 May 2020
- 1 BvR 1873/13 -
- 1 BvR 2618/13 -
(Subscriber data II)
- When establishing a procedure for providing and obtaining information on the basis of its legislative competences, the respective legislator must create statutory bases that are proportionate as such, both for data transfer and data access.
- Provisions governing the transfer of and access to subscriber data must sufficiently limit the purposes for which the data may be used, which means that data use must be tied to specific purposes, to thresholds for the use of powers as part of the constituent elements of these provisions and to the protection of sufficiently weighty legal interests.
- It falls to the legislator enacting provisions governing data transfer to clearly limit the purposes for which the data may be used. It is only permissible to leave the limitation of these purposes to be set out in the provisions governing data access if the provisions on data transfer concern matters that are solely within the Federation’s competences and both types of provisions, when read together, contain a clear and definitive determination of the purposes for which the data may be used.
- The powers to access data must not only be proportionate in themselves, they must also be tied to the limited purposes set out in the provisions on data transfer, including for the sake of legal clarity. Yet the legislator enacting provisions on data access is free to set stricter requirements for such access.
- Despite their moderate weight of interference, the general powers to transfer and access subscriber data require the existence of a specific danger in the individual case where the powers are used for the purposes of averting dangers to public security or for the purposes of intelligence activities, and the existence of an initial suspicion of criminal conduct where they are used for law enforcement purposes.
- Given the greater weight of interference resulting from the matching of dynamic IP addresses to individual subscribers, such matching must additionally serve to protect or defend legal interests of increased weight. Moreover, the basis upon which such matching is carried out must be documented in a manner that is comprehensible and lends itself to review.
- The existence of an identifiable danger (konkretisierte Gefahr) can be a sufficient threshold for the use of powers in the context of averting dangers to public security and carrying out intelligence activities, insofar as the measures in question serve to protect legal interests or prevent criminal acts of at least considerable weight (obtaining general subscriber data) or of particular weight (matching of dynamic IP addresses to individual subscribers).
FEDERAL CONSTITUTIONAL COURT
- 1 BvR 1873/13 -
- 1 BvR 2618/13 -
IN THE NAME OF THE PEOPLE
In the proceedings
on
the constitutional complaints of
I.
1. of Ms N...,
2. of Dr. B…,
– authorised representative:
- … –
against
§ 113 of the Telecommunications Act (Telekommunikationsgesetz), § 22a of the Federal Police Act (Bundespolizeigesetz), § 8d of the Act on the Cooperation between the Federation and the Länder in matters of protection of the Constitution and on the Federal Office for the Protection of the Constitution (Federal Protection of the Constitution Act, Bundesverfassungsschutzgesetz), § 4b of the Act on the Military Counter-Intelligence Service (Gesetz über den militärischen Abschirmdienst)
as amended by the Act Amending the Telecommunications Act and Revising the Law on Providing and Obtaining Subscriber Data (Gesetz zur Änderung des Telekommunikationsgesetzes und zur Neuregelung der Bestandsdatenauskunft) of 20 June 2013 (Federal Law Gazette I, Bundesgesetzblatt page 1602),
§ 7(5) to (9), § 15(2) to (6) of the Act on the Central Office of the German Customs Investigation Service and the Customs Investigation Offices (Zollfahndungsdienstgesetz)
as amended by the Act Amending the Telecommunications Act and Revising the Law on Providing and Obtaining Subscriber Data of 20 June 2013 (Federal Law Gazette I, page 1602), last amended by Article 4 of the Act on Reorganising the Customs Administration of 3 December 2015 (Federal Law Gazette I page 2178),
§ 2b of the Federal Intelligence Service Act (Gesetz über den Bundesnachrichtendienst)
as amended by the Act Amending the Telecommunications Act and Revising the Law on Providing and Obtaining Subscriber Data of 20 June 2013 (Federal Law Gazette I, page 1602), now § 4 of the Federal Intelligence Service Act as amended by the Act on the Surveillance of Foreign Telecommunications by the Federal Intelligence Service (Gesetz zur Ausland-Ausland-Fernmeldeaufklärung des Bundesnachrichtendienstes) of 23 December 2016 (Federal Law Gazette I page 3346),
§§ 10 and 40 of the Act on the Federal Criminal Police Office and the Cooperation of the Federation and the Länder in Criminal Matters (Bundeskriminalamtgesetz), as amended by the Act Reorganising the Federal Criminal Police Office Act of 1 June 2017 (Federal Law Gazette I page 1354)
- 1 BvR 1873/13 -,
II.
of Mr S...,
and 5,827 other complainants
– authorised representative:
- … –
against
§ 113 of the Telecommunications Act, § 7(3) to (7), § 20b(3) to (7) and § 22(2) to (4) of the Act on the Federal Criminal Police Office and the Cooperation of the Federation and the Länder in Criminal Matters, § 22a of the Federal Police Act, § 7(5) to (9), § 15(2) to (6) of the Act on the Central Office of the German Customs Investigation Service and the Customs Investigation Offices (Customs Investigation Service Act), § 8d of the Act on the Cooperation between the Federation and the Länder in matters of protection of the Constitution and on the Federal Office for the Protection of the Constitution, § 2b of the Federal Intelligence Service Act, § 4b of the Act on the Military Counter-Intelligence Service as amended by the Act Amending the Telecommunications Act and Revising the Law on Providing and Obtaining Subscriber Data of 20 June 2013 (Federal Law Gazette I page 1602)
- 1 BvR 2618/13 -
the Federal Constitutional Court – First Senate –
with the participation of Justices
Vice-President Harbarth,
Masing,
Paulus,
Baer,
Britz,
Ott,
Christ,
Radtke
held on 27 May 2020:
- 1. a) § 113 of the Telecommunications Act,
- b) § 22a(1) first sentence, insofar as it does not refer to § 21(2) no. 2, and § 22a(2) of the Federal Police Act,
- c) § 7(5) first sentence and § 7(6), § 15(2) first sentence and § 15(3) of the Act on the Central Office of the German Customs Investigation Service and the Customs Investigation Offices (Customs Investigation Service Act),
- d) § 8d(1) first sentence and § 8d(2) first sentence of the Act on the Cooperation between the Federation and the Länder in matters of protection of the Constitution and on the Federal Office for the Protection of the Constitution,
- e) § 2b first sentence of the Federal Intelligence Service Act and § 4b first sentence of the Act on the Military Counter-Intelligence Service, insofar as they refer to § 8d(1) first sentence and § 8d(2) first sentence of the Federal Protection of the Constitution Act,
- all in the version of the Act Amending the Telecommunications Act and Revising the Law on Providing and Obtaining Subscriber Data of 20 June 2013 (Federal Law Gazette I page 1602) as well as
- f) § 4 first sentence of the Federal Intelligence Service Act, insofar as it refers to § 8d(1) first sentence and § 8d(2) first sentence of the Federal Protection of the Constitution Act, in the version of the Act on the Surveillance of Foreign Telecommunications by the Federal Intelligence Service of 23 December 2016 (Federal Law Gazette I page 3346) and
- g) § 10(1) first sentence and § 10(2) and § 40(1) first sentence, insofar as it does not refer to § 39(2) no. 2, and § 40(2) of the Act on the Federal Criminal Police Office and the Cooperation of the Federation and the Länder in Criminal Matters (Federal Criminal Police Office Act), as amended by the Act Reorganising the Federal Criminal Police Office Act of 1 June 2017 (Federal Law Gazette I page 1354)
- are incompatible with Article 2(1) in conjunction with Article 1(1) and Article 10(1) of the Basic Law (Grundgesetz) as set forth in the reasons to this order.
- 2. The provisions that have been declared incompatible with the Basic Law continue to apply, as set forth in the reasons, until new provisions have been enacted, or until 31 December 2021 at the latest.
- 3. For the rest, the constitutional complaints are rejected.
- 4. The Federal Republic of Germany must reimburse the complainants’ necessary expenses incurred in the constitutional complaint proceedings.
Table of contents
Section | para. |
A. Facts of the case | 1 |
I. Relevant facts and law | 4 |
1. Subject matter of § 113 of the Telecommunications Act | 5 |
a) § 113(1) first sentence of the Telecommunications Act | 8 |
b) § 113(1) second sentence of the Telecommunications Act | 9 |
c) § 113(1) third sentence of the Telecommunications Act | 10 |
d) § 113(2) first sentence of the Telecommunications Act | 13 |
2. Provisions on data access in the laws governing the respective authorities | 14 |
3. Challenged provisions | 15 |
4. Background | 17 |
a) Decision BVerfGE 130, 151 | 17 |
b) Revision of the law on obtaining subscriber data | 19 |
II. Submissions made in the constitutional complaints | 21 |
1. Admissibility of the constitutional complaints | 22 |
2. Unconstitutionality of the provisions | 23 |
a) § 113 of the Telecommunications Act | 24 |
b) Provisions on data access in the laws governing the respective authorities | 29 |
III. Statements | 34 |
1. Federal Government | 35 |
a) Significance and technical background of obtaining subscriber data | 36 |
aa) Statistical considerations | 36 |
bb) Technical development of IP address assignment | 42 |
b) Constitutionality of the challenged provisions | 44 |
2. Federal Commissioner for Data Protection and Freedom of Information | 56 |
B. Admissibility of the constitutional complaints | 63 |
I. Issues challenged in the constitutional complaints | 64 |
II. Partial inadmissibility of the constitutional complaints | 66 |
III. Admissibility of the constitutional complaints for the rest | 69 |
1. Standing | 70 |
a) Possibility of a violation of fundamental rights | 71 |
b) Complainants are directly and presently affected by the challenged provisions | 72 |
aa) Directly affected | 73 |
bb) Presently affected | 75 |
2. Subsidiarity | 76 |
a) Standards | 77 |
b) Application of these standards to the present case | 78 |
3. Time limit for lodging the constitutional complaints | 79 |
a) Compliance with the time limit with regard to the initially challenged provisions | 79 |
b) Partial compliance with the time limit with regard to the amended provisions of complainants in proceedings I. | 81 |
4. Legal interest in bringing proceedings | 82 |
IV. Admissibility in light of EU law | 83 |
1. Standards | 84 |
2. Application of the law to the present case | 85 |
3. Secondary EU law | 88 |
C. Merits | 89 |
I. Interference with fundamental rights | 90 |
1. Art. 2(1) in conjunction with Art. 1(1) of the Basic Law | 91 |
a) Standards | 92 |
b) Interferences | 94 |
2. Art. 10(1) of the Basic Law | 97 |
a) Standards | 98 |
b) Interference resulting from § 113(1) third sentence of the Telecommunications Act | 101 |
c) Interferences resulting from the provisions in the laws governing the respective authorities | 102 |
II. Formal constitutionality | 103 |
1. Legislative competence for enacting § 113 of the Telecommunications Act | 104 |
a) Competence on the basis of the connection to Art. 73(1) no. 7 of the Basic Law | 105 |
b) Application of these standards to the present case | 106 |
2. Legislative competence for enacting the challenged provisions on data access | 107 |
a) Competence on the basis of general competences for data use | 108 |
b) Application of these standards to the present case | 110 |
aa) Provisions on data access in the Federal Criminal Police Office Act | 111 |
bb) § 22a of the Federal Criminal Police Office Act | 114 |
cc) Provisions on data access in the Customs Investigation Service Act | 115 |
dd) § 8d of the Federal Protection of the Constitution Act | 116 |
ee) § 2b Federal Intelligence Service Act | 117 |
ff) § 4b Military Counter-Intelligence Service Act | 118 |
gg) Provisions on data access for law enforcement purposes | 119 |
3. Requirement to specify affected fundamental rights | 120 |
III. Substantive constitutionality of § 113 Telecommunications Act | 122 |
1. General standard | 123 |
2. Legitimate aim, suitability, necessity | 124 |
a) Legitimate aim | 125 |
b) Suitability and necessity | 126 |
3. Proportionality in the strict sense | 127 |
a) General requirements | 128 |
aa) Factors determining the weight of interference | 129 |
bb) Limitation of the purposes for which data may be used | 130 |
(1) Introducing an obligation to store data | 131 |
(2) Access to private data for state tasks | 132 |
(3) Specificity/legal clarity | 133 |
(4) Responsibility of the Federation to determine requirements for data use | 134 |
cc) Data security | 135 |
b) § 113(1) first sentence of the Telecommunications Act | 136 |
aa) Clear and specific statutory basis | 137 |
bb) Weight of interference | 138 |
(1) Type and scope of data | 139 |
(2) Limited informative value and possibilities of using the data | 140 |
(a) Possibility of obtaining information on static IP addresses | 141 |
(b) Procedural safeguards | 142 |
(c) Procedural burden | 143 |
cc) Limitation of the purposes for which data may be used | 144 |
(1) Requirements regarding the thresholds for the use of powers | 145 |
(a) Limitation through “classic” thresholds for the use of powers | 146 |
(b) Limitation through lower thresholds for the use of powers in the domain of public security | 147 |
(c) Limitation through lower thresholds for the use of powers in the domain of the intelligence services | 151 |
(d) No limitation through lower thresholds for the use of powers in the domain of law enforcement | 152 |
(2) Application of the law to the present case | 154 |
(a) Thresholds for the use of powers are not sufficiently limited | 155 |
(b) No possibility of interpreting the provision in conformity with the Constitution | 156 |
c) § 113(1) second sentence of the Telecommunications Act | 159 |
aa) No prohibition to repeat a provision | 160 |
bb) No changes of factual or legal circumstances | 162 |
d) § 113(1) third sentence of the Telecommunications Act | 163 |
aa) Clear and specific statutory basis | 164 |
bb) Weight of interference | 165 |
(1) Matching of dynamic IP addresses | 166 |
(2) Use of traffic data by telecommunications service providers | 168 |
(a) Significance of § 96 of the Telecommunications Act | 170 |
(b) Significance of § 113b of the Telecommunications Act | 171 |
(c) Significance of § 113b(1) fourth sentence of the Telecommunications Act | 172 |
(d) No circumvention of rules on data use | 173 |
cc) Limitation of the purposes for which data may be used | 174 |
(1) Requirements for purpose limitations | 175 |
(a) Requirements regarding thresholds for the use of powers | 176 |
(b) Requirements regarding the protection of legal interests | 177 |
(c) Requirements applicable to lower thresholds for the use of powers | 179 |
(2) Application of the law to the present case | 183 |
(a) Lack of both “classic” thresholds for the use of powers and protection of [sufficiently weighty] legal interests | 184 |
(b) Lack of even lower thresholds for the use of powers | 187 |
e) Data security | 188 |
IV. Substantive constitutionality of the provisions on data access in the laws governing the respective authorities | 189 |
1. General standards | 190 |
2. Legitimate aim, suitability, necessity | 191 |
3. Proportionality in the strict sense | 194 |
a) General requirements | 195 |
aa) Specificity/legal clarity | 196 |
bb) Limitation of the purposes for which the data may be used | 197 |
cc) Powers must be tied to the purposes set out in the provisions on data access | 198 |
(1) Provisions on data access of the Länder | 199 |
(2) Principle of legal clarity | 200 |
dd) Requirements regarding transparency, legal protection and oversight | 203 |
b) Provisions concerning access to general subscriber data | 204 |
aa) Clear and specific statutory basis | 205 |
bb) Largely insufficient limitation of the purposes for which data may be used | 206 |
(1) Provisions authorising data access without any restrictions | 207 |
(a) § 10(1) first sentence no. 1 of the Federal Criminal Police Office Act | 208 |
(b) § 10(1) first sentence no. 2 and 3 of the Federal Criminal Police Office Act | 213 |
(c) Provisions on data access in the Customs Investigation Service Act | 214 |
(aa) § 15(2) first sentence of the Customs Investigation Service Act | 215 |
(bb) § 7(5) first sentence of the Customs Investigation Service Act | 217 |
(d) Provisions on data access by the intelligence services | 218 |
(2) Partially sufficient limitation in § 40(1) first sentence of the Federal Criminal Police Office Act | 219 |
(a) § 40(1) first sentence in conjunction with § 39(1) of the Federal Criminal Police Office Act | 220 |
(b) § 40(1) first sentence in conjunction with § 39(2) no. 1 of the Federal Criminal Police Office Act | 223 |
(c) § 40(1) first sentence in conjunction with § 39(2) no. 2 of the Federal Criminal Police Office Act | 227 |
(3) Partially sufficient limitation in § 22a(1) first sentence of the Federal Police Act | 229 |
(a) § 22a(1) first sentence in conjunction with § 21(1) of the Federal Police Act | 230 |
(b) § 22a(1) first sentence in conjunction with § 21(2) no. 1 of the Federal Police Act | 231 |
(c) § 22a(1) first sentence in conjunction with § 21(2) no. 2 of the Federal Police Act | 232 |
c) Provisions on access to login data | 234 |
d) Provisions on access to data based on dynamic IP addresses | 237 |
aa) Provisions that do not sufficiently limit the purposes for which data may be used | 239 |
(1) Provisions that ensure sufficient protection of legal interests in themselves | 240 |
(2) Provisions that in part ensure sufficient protection of legal interests in themselves | 241 |
(3) Provisions that do not ensure sufficient protection of legal interests in themselves | 242 |
bb) Provisions that in part sufficiently limit the purposes for which data may be used | 243 |
e) Transparency, legal protection and oversight | 244 |
aa) Notification requirements | 245 |
bb) Administrative oversight | 247 |
cc) Documentation | 248 |
dd) Parliamentary oversight | 251 |
ee) Judicial review | 252 |
(1) Standards | 253 |
(2) Information determined on the basis of dynamic IP addresses | 254 |
(3) Information on login data | 255 |
ff) Data security, further use and deletion of data | 258 |
(1) Federal Data Protection Act | 259 |
(2) Laws governing the authorities accessing the data | 260 |
D. Charter of Fundamental Rights of the European Union | 261 |
E. Legal consequences | 262 |
I. Declaration of incompatibility with the Basic Law, violation of fundamental rights | 263 |
1. Standards | 263 |
2. No declaration of voidness | 264 |
3. Declaration of unconstitutionality for the most part | 265 |
4. Order of continued applicability, time limit | 268 |
a) Requirements for providing and obtaining general subscriber data | 269 |
b) Requirements for § 113(1) first sentence of the Telecommunications Act in conjunction with § 40(1) first sentence of the Federal Criminal Police Office Act and/or § 22a(1) first sentence of the Federal Police Act | 270 |
c) Requirements for § 113(1) second sentence of the Telecommunications Act | 271 |
d) Requirements for providing and obtaining subscriber data determined on the basis of dynamic IP addresses | 272 |
e) Requirements for § 113(1) third sentence of the Telecommunications Act in conjunction with § 40(2) of the Federal Criminal Police Office Act and/or § 22a(2) of the Federal Police Act | 273 |
II. Decision on expenses | 274 |
Reasons:
A.
The constitutional complaints challenge § 113 of the Telecommunications Act (Telekommunikationsgesetz – TKG) and several ordinary federal laws which govern the manual procedure for providing and obtaining subscriber data.
[Excerpt from Press Release No. 61 of 17 July 2020
§ 113 TKG permits the transfer of subscriber data by telecommunications providers through the manual procedure for providing and obtaining such data. The other challenged provisions govern access to such data by various federal security authorities, including the Federal Criminal Police Office (Bundeskriminalamt), the Federal Police (Bundespolizei) and the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz). All of the challenged provisions were aimed at implementing the decision of the Federal Constitutional Court of 24 January 2012 (Subscriber data I), in which the Court had declared § 113 TKG, as it stood then, to be in part unconstitutional, finding that the statutory framework lacked provisions on data access in the laws governing the respective authorities.
Telecommunications service providers must provide the information laid down in § 113 TKG at the request of one of the security authorities listed in that provision. Pursuant to § 113(1) first sentence TKG, the information that must be provided includes subscriber data that providers must store such as the subscriber’s name, date of birth and phone number as well as customer data which, pursuant to § 95 TKG, is stored voluntarily by the telecommunications providers for operational purposes. This typically includes the subscriber’s address, the type of the contractual service used and other data such as their bank details.
Pursuant to § 113(1) second sentence TKG, information must also be provided on login data like personal identification numbers (PIN) assigned by the telecommunications provider. However, passwords that users have created themselves are usually only stored in an encrypted format by the providers. Thus, they cannot provide information thereon.
Pursuant to § 113(1) third sentence TKG, subscriber data may also be determined on the basis of an IP address that has been assigned at a specific time (dynamic IP address). The information provided is the identity of the specific subscriber matching the IP address, which is also part of the subscriber data. Such matching is only possible if telecommunications providers analyse previously retained traffic data in order to identify the subscriber to whom the IP address in question was assigned at the time specified in the request.
Pursuant to § 113(2) first sentence TKG, information may be provided only if one of the authorities listed in § 113(3) TKG requests such information for the purposes of the investigation and prosecution of criminal or administrative offences, of averting dangers to public security and order or of performing the statutory tasks of the intelligence services. In its request, the authority must state the provision that authorises data access.
According to the federal provisions on data access challenged in the constitutional complaints, security authorities may obtain subscriber data from telecommunications service providers. In essence, the provisions require only that the authorities need the information for the performance of their tasks. In respect of login data, the provisions require that the statutory requirements for the use of such data are met. The provisions also permit access to subscriber data that is determined on the basis of a dynamic IP address. The Federal Criminal Police Office, the Federal Police, the Customs Criminal Investigations Office (Zollkriminalamt) and the federal intelligence services are authorised to access data.
End of excerpt]
[…]
I.
[…]
II.
The complainants are registered users of landlines and mobile phone lines and use Internet access services provided by various service providers. They claim that the challenged provisions violate their fundamental rights under Art. 10(1) of the Basic Law (Grundgesetz – GG) as well as under Art. 2(1) in conjunction with Art. 1(1) GG.
III.
The Federal Government and the Federal Commissioner for Data Protection and Freedom of Information submitted statements on the constitutional complaints.
[…]
B.
The constitutional complaints are, for the most part, admissible.
I.
[…]
II.
[…]
III.
[…]
IV.
In part, the challenged provisions pertain to data protection rules set out in directives and regulations of the European Union. Nevertheless, given that the provisions do not implement binding EU law, the Federal Constitutional Court is competent to review the challenged provisions and the constitutional complaints are admissible.
1. However, the Federal Constitutional Court generally does not review ordinary EU law or apply the standard of the fundamental rights of the Basic Law to ordinary EU law as long as the EU fundamental rights guarantee effective protection of fundamental rights in general that is essentially equivalent to the fundamental rights protection that is regarded as indispensable under the Basic Law, and as long as EU fundamental rights guarantee the essence (Wesensgehalt) of the fundamental rights in general; this examination of equivalence of the level of protection must be made on the basis of a general assessment of the respective fundamental right of the Basic Law in question (cf. Decisions of the Federal Constitutional Court, Entscheidungen des Bundesverfassungsgerichts – BVerfGE 73, 339 <387>; 102, 147 <162 f.>; 125, 260 <306>; 152, 216 <236, end of para. 47> – Right to be forgotten II). According to the case-law of the Federal Constitutional Court, these principles also apply when reviewing domestic law transposing binding EU standards into German law (cf. BVerfGE 118, 79 <95 ff.>; 153, 310 <337 para. 65>). Constitutional complaints challenging ordinary EU law that is binding in this regard are thus generally inadmissible (cf. BVerfGE 118, 79 <95>; 121, 1 <15>; 125, 260 <306>; see, however, regarding Federal Constitutional Court review against the standard of EU fundamental rights for reviewing the application of binding EU legislation and the application of domestic provisions transposing binding EU legislation, BVerfGE 152, 216 <237, para. 52>; without a decision on the possibility of Federal Constitutional Court review against the standard of EU fundamental rights in cases of judicial review BVerfGE 152, 216 <237, end of para. 51>; 153, 74 <142 para. 116> – Unified Patent Court).
2. In light of the foregoing, the challenged provisions can be reviewed as to their conformity with the Basic Law as they are not based on binding standards of EU law. They do not implement fully harmonised EU law. This applies insofar as the challenged provisions could fall within the scope of application of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, OJ EU, L 201 of 31 July 2002, p. 37, hereinafter: Directive 2002/58/EC) or Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ EU, L 119 of 4 May 2016, p. 89, hereinafter: Directive 2016/680/EU). These EU legal acts serve to protect personal data. Yet they do not contain any provisions compelling the Member States to create rules regarding access to subscriber data or otherwise setting definitive standards in that regard. Rather, these EU legal acts either contain opening clauses with different levels of restrictions, which generally give Member States the possibility of creating such rules, but do not require them to do so (see, e.g., Art. 15(1) of Directive 2002/58/EC; cf. CJEU, Judgment of 29 January 2008, Promusicae, C-275/06, EU:C:2008:54, para. 50), or they do not go beyond the obligation to adhere to general data protection principles from the outset (see, e.g., Chapter II of Directive 2016/680/EU).
The same applies accordingly insofar as some of the provisions might fall within the scope of application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119 of 4 May 2016, p. 1; hereinafter: GDPR). It is true that, in principle, the General Data Protection Regulation aims to harmonise data protection under EU law. However, this does not mean that all individual rules are harmonised throughout the EU. In respect of the rules in question here, Art. 6(2) and (3) GDPR in particular leave considerable leeway to Member States (cf. Kühling/Martini and Others, Die Datenschutz-Grundverordnung und das nationale Recht, 2016, p. 28; a different assessment is made for the legal situation in that case in BVerfGE 152, 216 <229 ff., para. 33 ff.>).
Where, like in the present case, the provisions in question are not areas of law fully determined by EU law, but domestic provisions that are not fully harmonised under EU law, the Federal Constitutional Court reviews the challenged provisions as to their conformity with the fundamental rights of the Basic Law. In principle, this applies regardless of whether and to what extent the challenged provisions, according to the case-law of the Court of Justice of the European Union, can also be considered as implementing EU law within the meaning of Art. 51(1) first sentence of the Charter of Fundamental Rights of the European Union (cf. regarding Directive 2002/58/EC CJEU, Judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C-203/15 inter alia, EU:C:2016:970, para. 78 ff.; Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2018:788, para. 29 ff.) and therefore the EU fundamental rights may also lay claim to applicability (cf. in this respect BVerfGE 152, 152 <168, para. 39> – Right to be forgotten I; for more details see para. 261 below).
3. This does not have any bearing on the question whether further legal requirements directly follow from secondary EU law, in particular from Art. 15(1) of Directive 2002/58/EC with regard to the extent of the obligations imposed on telecommunications providers. It is not for the Federal Constitutional Court to interpret and apply ordinary EU legislation; this task is incumbent upon the ordinary courts in cooperation with the Court of Justice of the European Union (cf. Federal Constitutional Court (BVerfG), Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 85 with further references – Federal Intelligence Service – surveillance of foreign telecommunications).
C.
The constitutional complaints are, for the most part, well-founded. The challenged provisions largely do not satisfy the requirements of proportionality.
I.
The provisions on transfer of and access to subscriber data interfere with the right to informational self-determination deriving from Art. 2(1) in conjunction with Art. 1(1) GG. To the extent that the provisions also authorise the transfer of and access to subscriber data determined on the basis of dynamic IP addresses, they amount to an interference with the more specific fundamental right to the privacy of telecommunications in Art. 10(1) GG.
1. § 113(1) first and second sentence TKG and the corresponding provisions on data access in the laws governing the respective authorities (§ 10(1) first and second sentence and § 40(1) first and second sentence of the Federal Criminal Police Office Act, Bundeskriminalamtgesetz – BKAG, § 22a(1) first and second sentence of the Federal Police Act, Bundespolizeigesetz – BPolG, § 7(5) first and second sentence and § 15(2) first and second sentence of the Customs Investigation Service Act, Zollfahndungsdienstgesetz – ZFdG, § 8d(1) first and second sentence of the Federal Protection of the Constitution Act, Bundesverfassungsschutzgesetz – BVerfSchG as well as § 2b first sentence of the Federal Intelligence Service Act, Gesetz über den Bundesnachrichtendienst – BNDG and § 4b first sentence of the Military Counter-Intelligence Service Act, Gesetz über den Militärischen Abschirmdienst – MADG, insofar as they refer to § 8d(1) first and second sentence BVerfSchG) interfere with the right to informational self-determination.
a) The right to informational self-determination addresses risks to and violations of an individual’s personality resulting from information-related measures in the context of modern data processing (cf. BVerfGE 65, 1 <42>; 120, 378 <397>). The free development of one’s personality requires that the individual be protected against the unlimited collection, storage, use and sharing of their personal data. This protection is part of the fundamental right under Art. 2(1) in conjunction with Art. 1(1) GG. The fundamental right confers upon the individual the authority to, in principle, decide themselves on the disclosure and use of their personal data (BVerfGE 113, 29 <46> with further references). This becomes particularly relevant where state authorities use and link personal information in a manner which the affected person can neither foresee nor control, thus jeopardising the development of their personality (cf. BVerfGE 118, 168 <184>). This also concerns personal information relating to the terms and conditions under which telecommunications are provided (cf. BVerfGE 130, 151 <184>; cf. also CJEU, Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2018:788, para. 51).
Provisions authorising state authorities to handle personal data generally result in various interferences that build upon one another. In this respect, a distinction must be made between the collection, storage and use of data (cf. BVerfGE 100, 313 <366 and 367>; 120, 378 <400 and 401>; 125, 260 <310>; cf. also ECtHR (GC), S. and Marper v. the United Kingdom, Judgment of 4 December 2008, no. 30562/04 inter alia, § 67; CJEU, Judgment of 8 April 2014, Digital Rights Ireland and Seitlinger and Others, C-293/12 inter alia, EU:C:2014:238, para. 34 ff.). In addition, when providing for data sharing for the exercise of state functions, a distinction must be made between data transfer by the body providing information and data access by the body requesting information. Data sharing is carried out through data access and data transfer, which are corresponding interferences that require their own statutory basis respectively. Metaphorically speaking, the legislator is not only required to open the door for data transfer, but also the door for data access. The two statutory bases must work together, similar to the image of a double door; only when both statutory bases are read together do they authorise the sharing of personal data (BVerfGE 130, 151 <184>).
b) The challenged provisions interfere with the right to informational self-determination.
§ 113(1) first and second sentence TKG already amounts to an interference with fundamental rights given that it imposes an obligation on service providers to provide the data they store pursuant to §§ 95 and 111 TKG at the request of an authority that may access this data (cf. BVerfGE 130, 151 <185>). These provisions alone do not authorise data sharing. Rather, similar to the image of a double door, accessing the data requires a separate statutory basis (cf. BVerfGE 125, 260 <312>; 130, 151 <185>; 150, 244 <278 para. 80>; 150, 309 <335 para. 68>). Yet even though § 113 TKG requires that the requesting authority itself must have the powers to collect the data in question, § 113(1) first and second sentence TKG in itself, as the statutory basis for data transfer, amounts to an interference (cf. BVerfGE 130, 151 <185>). The provision already qualifies as an interference given that it determines the purposes for which the data may be used and sets out the powers to transfer the data in question as part of the rules on data use. In this respect, it is irrelevant that § 113 TKG concerns the transfer of data by private telecommunications providers (cf. BVerfGE 125, 260 <312>).
The legislation on data access by federal authorities, which corresponds to § 113(1) first and second sentence TKG and governs data access by the relevant authorities as required by the constituent elements of § 113 TKG, amounts to a separate interference that must be distinguished from the interference resulting from § 113(1) first and second sentence TKG (cf. BVerfGE 130, 151 <185>).
2. § 113(1) third sentence TKG and the corresponding provisions on data access in the laws governing the respective authorities (§ 10(2) and § 40(2) BKAG, § 22a(2) BPolG, § 7(6) and § 15(3) ZFdG, § 8d(2) first sentence BVerfSchG as well as § 2b first sentence BNDG and § 4b first sentence MADG, insofar as they refer to § 8d(2) first sentence BVerfSchG), which authorise the matching of dynamic IP addresses, interfere with Art. 10(1) GG.
a) Art. 10(1) GG guarantees the privacy of telecommunications, which protects the non-physical transmission of information to individual recipients by way of telecommunications traffic against public authorities obtaining knowledge thereof. The protection afforded by Art. 10(1) GG is not limited to the actual communication contents. It also extends to the confidentiality of the specific circumstances of a communication, which include in particular whether, when and how often telecommunications traffic occurred or was attempted between whom or between which devices (cf. BVerfGE 125, 260 <309> with further references; established case-law). Yet Art. 10(1) GG solely protects the confidentiality of specific telecommunications activities; it does not protect, as such, against the mere matching of a phone number or a static IP address to a specific subscriber. These numbers, which are not part of ongoing telecommunications, only provide abstract information regarding which means of communication are available to whom and who can be reached through them, yet they are not directly linked to a specific telecommunication. This does not, in itself, call into question the confidentiality of individual communication activities (cf. BVerfGE 130, 151 <180 and 181>).
The situation is different in cases where dynamic IP addresses are matched to a subscriber. Such matching falls within the scope of protection of Art. 10(1) GG (cf. BVerfGE 130, 151 <181>; cf. also ECtHR, Benedik v. Slovenia, Judgment of 24 April 2018, no. 62357/14, §§ 130 ff.; according to this judgment, such measures affect the right to respect for private life under Art. 8(1) ECHR). However, this does not already follow from the fact that the matching of a dynamic IP address necessarily always relates to a specific telecommunication, and that it thus also provides information on this communication. This is because the information only concerns abstract data assigned to a registered subscriber. Rather, Art. 10(1) GG is affected in this context because, as an interim step, the telecommunications providers screen their customers’ traffic data and must access specific telecommunications activities in this context in order to identify a subscriber on the basis of a dynamic IP address. These telecommunications activities stored by the providers are protected by the privacy of telecommunications, regardless of whether the providers store them on the basis of their contracts with customers (cf. § 96 TKG; cf. BVerfGE 130, 151 <181 ff.>) or whether they are under a legal obligation to retain them (cf. §§ 113a and 113b TKG; cf. BVerfGE 125, 260 <312>). Art. 10(1) GG is the applicable standard for reviewing the obligation imposed by the state to use the traffic data even if the data itself is not handed over [to state authorities] (cf. BVerfGE 130, 151 <182 f.>).
The right to informational self-determination following from Art. 2(1) in conjunction with Art. 1(1) GG is not applicable in addition to Art. 10 GG since, in the context of telecommunications, Art. 10 GG contains a specific guarantee that supersedes the aforementioned general guarantee and that gives rise to special requirements for data obtained through interferences with the privacy of telecommunications. However, the requirements that the Federal Constitutional Court derived from Art. 2(1) in conjunction with Art. 1(1) GG can largely be applied to the more specific guarantee of Art. 10 GG, too (cf. BVerfGE 100, 313 <358 f.>; 125, 260 <310>).
b) Based on these standards, § 113(1) third sentence TKG interferes with the fundamental right under Art. 10(1) GG as it authorises the matching of dynamic IP addresses to the respective subscriber. It is true that the information merely concerns the identity of the subscriber of the respective IP address, which is part of subscriber data. However, insofar as telecommunications providers are required to provide this information, they must first access and analyse the traffic data stored by them and, where applicable, further internal data (cf. § 113(1) fourth sentence TKG), which may also constitute traffic data. To the extent that § 113(1) third sentence TKG authorises the use of traffic data retained on the basis of data retention rules, the provision must already be measured against Art. 10(1) GG because it permits further use of data that was initially collected through an interference with Art. 10(1) GG (cf. BVerfGE 125, 260 <312 f.>).
c) The challenged provisions on data access in the laws governing the respective authorities amount to a separate interference with Art. 10(1) GG insofar as they authorise access to certain subscriber data determined on the basis of dynamic IP addresses by the relevant authorities.
II.
Formally, the challenged provisions are constitutional. In particular, the Federation has legislative competence for enacting § 113 TKG and the provisions on data access in the laws governing the respective authorities.
[…]
III.
Substantively, the challenged powers to transfer data under § 113 TKG do not satisfy the constitutional requirements that follow from Art. 2(1) in conjunction with Art. 1(1) GG and from Art. 10(1) GG.
1. Like any other fundamental rights restriction, interferences with the right to informational self-determination and with the privacy of telecommunications require a statutory basis that serves a legitimate purpose in the interest of the common good and observes the principle of proportionality (cf. BVerfGE 65, 1 <44>; 100, 313 <359 f.>; established case-law). Thus, they must have a legitimate purpose, and must be suitable, necessary and proportionate in the strict sense for achieving that purpose (cf. BVerfGE 141, 220 <265 para. 93>; established case-law). They require a statutory basis that sufficiently limits data use to specific purposes. Moreover, all challenged provisions must be measured against the principle of legal clarity and specificity, which serves to make interferences foreseeable for citizens, to effectively limit administrative powers and to enable effective judicial review (BVerfGE 141, 220 <265 para. 94>; cf. also CJEU, Judgment of 6 October 2015, Schrems, C-362/14, EU:C:2015:650, para. 91; ECtHR (GC), S. and Marper v. the United Kingdom, Judgment of 4 December 2008, no. 30562/04 inter alia, § 99).
2. The challenged provisions on data transfer pursue a legitimate purpose and are suitable and necessary for achieving that purpose.
a) In particular, the provisions enable security authorities to match subscriber lines and dynamic IP addresses with individual subscribers and to request login data for user devices and storage media. The provisions serve to support the exercise of state functions by making law enforcement and the averting of dangers to public security more effective and ensuring that the intelligence services can perform their tasks. These are legitimate purposes that can in principle justify an interference with both the right to informational self-determination and the privacy of telecommunications (cf. BVerfGE 125, 260 <316 f.>; 130, 151 <187, 205>; cf. also CJEU, Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2018:788, para. 57).
b) The powers to transfer data set out in § 113 TKG are also suitable for achieving these purposes. They create investigation possibilities that, given the increasing relevance of telecommunications, also for preparing or committing criminal acts, are promising in many cases and that would not exist otherwise. Even though the manual procedure for providing and obtaining data cannot ensure that subscriber data can be provided with certainty because (potential) offenders and other targets might use public hotspots, Internet cafés or subscriber lines registered under an assumed name or hide the IP address assigned to them through the use of special software, the procedure is at least conducive to achieving the purpose of the law. The various powers are also necessary for achieving this purpose. It is not ascertainable that less intrusive means are available that would allow for similarly comprehensive investigation possibilities for security authorities.
3. The provisions on data transfer are only compatible with the requirements of proportionality in its strict sense if they themselves limit the purposes for which these powers may be used with sufficient legal clarity in view of the weight of interference resulting from them (see a) below). The challenged powers to transfer general subscriber data (see b) below), to transfer login data (see c) below) and to transfer subscriber data determined on the basis of dynamic IP addresses (see d) below) do not satisfy these requirements. By contrast, the provisions on data security are not objectionable (see e) below).
a) The provisions on data transfer satisfy the requirement of proportionality in its strict sense if the purpose pursued and the probability that they will achieve their purpose are not disproportionate to the weight of interference (cf. BVerfGE 141, 220 <267 para. 98>; 148, 40 <57 f. para. 49>). The weight of interference depends on the type, scope and possible uses of the data as well as on risks of abuse (see aa) below). The legislator enacting provisions on data transfer must limit the purposes for which the data may be used; these limitations must be proportionate and clear in themselves (see bb) below). Moreover, data security, which is required under constitutional law, must be guaranteed when the data is transferred (see cc) below).
aa) The weight of interference primarily depends on the type, scope and possible uses of the data as well as on risks of abuse (cf. BVerfGE 65, 1 <45 f.>). In this regard, it is significant how many holders of fundamental rights are affected by impairments, how intense these impairments are and on what basis they occur, in particular whether the affected persons have prompted them. Thus, relevant criteria include the number of persons affected and the severity of the impairments (cf. BVerfGE 100, 313 <376>), which primarily hinge on the informative value of the data and the possibilities of using it. Where state measures are carried out covertly, they result in more intrusive interferences (cf. BVerfGE 115, 320 <353>; 141, 220 <265 para. 94>; cf. also CJEU, Judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C-203/15 inter alia, EU:C:2016:970, para. 100).
bb) If the legislator imposes an obligation to store data and allows for the use of such data for purposes other than their primary purpose – as is the case here for data stored by private enterprises that can be used for the exercise of state functions –, it is incumbent upon the legislator to make binding determinations regarding the purposes and thresholds for the use of such data, which are required to justify such data use under constitutional law; where necessary, the legislator must then also enact follow-up rules to ensure adherence to purpose limitations (principle of purpose limitation, cf. BVerfGE 118, 168 <187>; 120, 378 <408>; 125, 260 <344 f., 355>; cf. also CJEU, Judgment of 8 April 2014, Digital Rights Ireland and Seitlinger and Others, C-293/12 inter alia, EU:C:2014:238, para. 57 ff.; Judgment of 6 October 2015, Schrems, C-362/14, EU:C:2015:650, para. 93). The constitutional burden of justification for such determinations of purpose and changes in purpose must already be met in the provisions on data transfer that impose an obligation to store the data and authorise its use for purposes relating to the exercise of state functions. Even though they are only the first door in the double door image, the provisions on data transfer themselves must already sufficiently limit the purposes for which the data may be used (cf. BVerfGE 125, 260 <344 f., 355>); they must tie data use to specific purposes, to thresholds as part of the constituent elements of the provisions and to the protection of sufficiently weighty legal interests. The legislator enacting provisions on data access – the second door in the double door image – is free to set (even) stricter requirements for such access. However, it is impermissible to create a data pool independent of such purpose limitations and to let various state authorities make subsequent decisions on the use of such a data pool based on their needs and political discretion (cf. BVerfGE 65, 1 <46>; 100, 313 <360>; 125, 260 <345>; 130, 151 <187>; cf. also CJEU, Judgment of 6 October 2015, Schrems, C-362/14, EU:C:2015:650, para. 93 f.).
(1) Firstly, this applies where the legislator provides a basis for access to data that is stored based on an obligation imposed by the legislator itself. The imposition of such an obligation to store data cannot be justified in abstract terms, but only insofar as it serves sufficiently weighty purposes that are specifically determined (cf. BVerfGE 65, 1 <46>; 118, 168 <187 f.>; 125, 260 <327, 345 f.>). […]
(2) The same applies where the legislator provides a basis for access to private data for purposes relating to the exercise of state functions. […]
(3) Where a legal provision authorises an interference with the right to informational self-determination or with the privacy of telecommunications, the principle of legal clarity and specificity also serves the specific function of ensuring a sufficiently precise definition of the purpose for which the data in question may be used (cf. BVerfGE 118, 168 <187>; 125, 260 <345>). This serves to strengthen the constitutional principle of purpose limitation of the obtained data (cf. BVerfGE 130, 151 <202> with further references). Therefore, the legislator must specify precisely and clearly, for each subject matter, the grounds, purposes and scope of the respective interference (cf. BVerfGE 65, 1 <44 ff.>; 100, 313 <359 f.>; 125, 260 <328>; 130, 151 <202>; established case-law). The detailed requirements differ depending on the weight of interference and are thus closely linked to the respective substantive requirements of proportionality (BVerfGE 141, 220 <265 para. 94> with reference to BVerfGE 110, 33 <55>).
(4) Such qualified requirements for the use of data for the purposes of law enforcement, averting dangers to public security or the performance of the tasks of the intelligence services must already be determined by the Federation as the legislator of the provisions on data transfer (cf. BVerfGE 125, 260 <346>). The Federation must not leave the determination of such requirements to subsequent legislation – in particular legislation enacted by the Länder (cf. BVerfGE 125, 260 <355 f.>). It must completely fulfil its responsibility to determine the requirements already when it enacts the provisions on data transfer, and must design these provisions in such a way that they are proportionate in themselves. For the sake of legal clarity, this applies not only where the federal legislator provides a basis for the transfer of data in matters in which the Länder have the legislative competence to enact provisions on data access, but also where the Federation itself is competent to enact such provisions on data access. […]
cc) Finally, data security must be guaranteed under constitutional law. Insofar as the challenged provisions on data transfer are concerned, this includes rules that serve to ensure a secure data transfer.
b) The powers to obtain general subscriber data set out in § 113(1) first sentence TKG do not satisfy these requirements. Given the lack of thresholds limiting the use of these powers, their scope is disproportionate.
aa) As the provision governing how data collected pursuant to §§ 95 and 111 TKG may be used, § 113(1) first sentence TKG authorises the telecommunications service providers to transfer this data. To satisfy the principle of legal clarity, the provision is now designed as a mere opening clause (cf. BVerfGE 130, 151 <202>), which only imposes an obligation on service providers to transfer data when a body listed in § 113(3) TKG requests them to do so on the basis of the provisions on data access in the law governing that body, and provides specific reasons for this request. Such data transfer thus requires statutory provisions specifically authorising access to the data collected pursuant to §§ 95 and 111 TKG (cf. § 113(2) first sentence TKG). The legislator thus made it sufficiently clear that requests for data access require a qualified statutory basis (cf. Bundestag document, Bundestagsdrucksache – BTDrucks 17/12034, p. 12) that goes beyond the mere power to collect data; it also unequivocally and exhaustively determined the authorities that may make such requests in § 113(3) TKG (cf. also BVerfGE 130, 151 <202>).
bb) § 113(1) first sentence TKG provides the basis for providing general subscriber data; this amounts to an interference with the right to informational self-determination that has a certain, albeit not great, weight.
(1) However, the provision gives rise to interferences of quite considerable weight given that retained data on an almost unlimited scale may be accessed for the purposes of providing information pursuant to § 111 TKG; thus, it is possible to identify practically any phone number or registered subscriber and to provide information on them. This information can also include data that serves to identify a person, such as their date of birth or address (cf. BVerfGE 130, 151 <188>), and data collected pursuant to § 95 TKG, which may include, depending on the contract, bank details, occupation or the names of family members or partners of subscribers (cf. BVerfGE 130, 151 <206 f.>). Moreover, the covert nature of the providing of information increases its weight of interference.
(2) Nevertheless, the interference resulting from § 113(1) first sentence TKG is not of great weight (cf. also CJEU, Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2018:788, para. 61). The information only concerns data that, in terms of its contents, is strictly limited, does not include highly personal information or allow the creation of personality or movement profiles (cf. BVerfGE 130, 151 <189 f.>; cf. also ECtHR, Breyer v. Germany, Judgment of 30 January 2020, no. 50001/12, § 92 (not final)). Even though sensitive information can be derived from this data in specific contexts of data collection, the informative value of the information as such remains limited and is dependent on further investigations, the lawfulness of which must be assessed according to other provisions (BVerfGE 130, 151 <197>). The competent authorities do not obtain information on circumstances and contents of telecommunications; insofar as they request data concerning subscribers, the authorities already know the circumstances or contents. Furthermore, the weight of interference is lowered by the fact that at least in respect of the data collected pursuant to § 95 TKG, service providers are under no obligation to store it and the extent of information that can be provided depends on whether and to what extent the respective service provider created a data pool that goes beyond § 111 TKG at all. However, it will typically be unavoidable for users to disclose this data to obtain essential telecommunications services.
(a) The matching of static IP addresses identifying subscribers does not increase the weight of interference […].
(b) The weight of interference is limited by the fact that information may only be provided if a body listed in § 113(3) TKG requests this information in writing for the performance of its tasks in the individual case (cf. § 113(2) first sentence TKG). The provisions on data transfer thus expressly authorise solely the providing of information related to an authority’s tasks in the individual case. […]
(c) The manual procedure for obtaining data implies certain procedural obstacles for the requesting authority which should help ensure that the authority will only request such data if there is sufficient need for it or the required data has a certain significance (cf. regarding the previous provision BVerfGE 130, 151 <206>). […]
cc) Despite their moderate weight of interference, the powers to transfer data are disproportionate given that their scope is not limited by any thresholds.
(1) Even if the relatively low weight of interference resulting from the powers to transfer data set out in § 113(1) first sentence TKG and their significance for the exercise of state functions in the domains of public security, law enforcement and the intelligence services are taken into account, specific thresholds that limit the use of these powers are required. While the informative value and possibilities of use of the data are very limited, purely speculative requests for such data are still impermissible (cf. BVerfGE 130, 151 <205>). It is not sufficient that the information may only be provided in the individual case and for a defined purpose. Rather, thresholds that limit the use of these powers are required; these thresholds must ensure that information can only be obtained if factual indications provide specific grounds for the use of these powers. It is impermissible to create an open data pool for various uses not limited by specific grounds and within the entire remit of an authority (cf. on this BVerfGE 125, 260 <355 f.>).
(a) Thus, in relation to public security, a specific danger (konkrete Gefahr) in the individual case within the meaning of the general clauses in police law is required. This threshold also encompasses the suspicion of such danger. It does not limit the obtaining of information to persons posing a danger to public security within the meaning of general police law and the law on maintaining public security and order. However, this does not mean that this threshold is devoid of limits to such a degree that it would be disproportionate in light of the moderate weight of interference. In particular, this threshold does not open up the possibility of obtaining information as a general administrative method, but requires that the task in question be related to security law in the individual case (cf. BVerfGE 130, 151 <206>). In relation to law enforcement, the existence of an initial suspicion of criminal conduct (Anfangsverdacht) is a sufficient threshold (cf. BVerfGE 130, 151 <206>). The general requirement that there be at least factual indications that a specific danger may emerge applies to the intelligence services just as it applies to any other authority responsible for averting dangers to public security and order (cf. BVerfGE 125, 260 <343 f.>). Where a provision contains such qualified thresholds, the legal interests that the measures serve to protect do not have to be specifically more weighty in order to ensure the proportionality of data transfers, given the moderate weight of interference of providing and obtaining general subscriber data and its great significance for the effective performance of tasks.
(b) However, constitutional law does not per se prevent the legislator from recognising grounds for interferences that, depending on the type of task in question, differ from the traditional concepts of security law focussed on averting specific, immediate (konkrete, unmittelbar bevorstehende Gefahren) or present dangers (gegenwärtige Gefahren). Rather, under special circumstances the legislator may subject state action to less stringent limits by lowering the standard of foreseeability regarding the causal chain (cf. BVerfGE 141, 220 <272 para. 112>). However, it must always be ensured that assumptions and conclusions be based on specific facts (BVerfGE 113, 348 <386>). The greater the weight of the legal interest under threat and the more far-reaching the impairments of this interest that could result from the suspected conduct, the more acceptable it becomes to lower the degree of probability required for establishing a risk of a violation of the respective legal interest, and to lower the degree of certainty of the facts that result in the assumption that the legal interest is under threat (cf. BVerfGE 100, 313 <392>; see also BVerfGE 110, 33 <55, 60>). By contrast, the lower the weight of the legal interest under threat, the stricter the requirements for the degree of certainty become, both with regard to the level of threat and with regard to its intensity (cf. BVerfGE 113, 348 <386>).
Thus, a statutory basis authorising interferences must typically require at least the existence of a sufficiently identifiable danger (hinreichend konkretisierte Gefahr). A sufficiently identifiable danger in this sense may already exist even where the causal chain leading to the damage is not yet foreseeable with sufficient probability, provided that there are already specific facts indicating an impending danger (drohende Gefahr) in the individual case. Firstly, it must at least be possible to determine, based on these facts, the type of incident that might occur, and that it will occur within a foreseeable timeframe; secondly, the facts must indicate the involvement of specific persons whose identity is known at least to such an extent that the surveillance measure can be targeted at and largely limited to them (BVerfGE 141, 220 <272 para. 112> with reference to BVerfGE 120, 274 <328 f.> and 125, 260 <330 f.>). In accordance with the principle of proportionality, such lowering of the thresholds for the use of powers necessarily entails stricter requirements for the protection of specific legal interests (cf. BVerfGE 141, 220 <272 para. 112>).
In order to protect significant legal interests, for example to prevent terrorist acts, the requirements of foreseeability of an incident may be lowered further, as set out above, and interferences may be permitted if – while it is not yet possible to determine what type of incident might occur nor to determine the timeframe in which it will occur – the individual conduct of a person establishes the specific probability that they will commit such acts in the not so distant future (cf. BVerfGE 141, 220 <272 f. para. 112, 291 para. 164>). In this respect, the weight of interference resulting from a specific measure must always be taken into account. While the Constitution sets strict limits to the lowering of statutory thresholds applicable to measures that amount to particularly intrusive interferences with the private sphere, the Constitution affords broader leeway for less serious interferences (cf. BVerfGE 141, 220 <269 para. 104>).
Therefore, less serious interferences – such as those resulting from obtaining general subscriber data – may already be justified if an identifiable danger exists, provided that they serve to protect legal interests of at least considerable weight (cf. on this BVerfGE 150, 244 <284 para. 99>; 150, 309 <336 para. 73>), such as the prevention of criminal acts that are at least considerable (cf. on this BVerfGE 141, 220 <270 para. 107> with further references). By contrast, high-ranking, exceptionally significant or particularly weighty legal interests (cf. BVerfGE 115, 320 <346>; 120, 274 <328>; 141, 220 <270 para. 108>) are only necessary if the threshold is even lower than an identifiable danger or the powers in question result in particularly intrusive interferences with the private sphere.
(c) In principle, these constitutional requirements apply to any authorisation to use powers preventively. Thus, they also apply to the use of data by the intelligence services (cf. BVerfGE 125, 260 <331>). For the work of the intelligence services, too, statutory provisions authorising interferences satisfy the constitutional requirements if they require the existence of an identifiable danger (see para. 148 f. above). Factual indications are always necessary in this regard, too (cf. BVerfGE 120, 274 <330>). However, in respect of interferences with the private sphere that are less intrusive and generally less serious, it may be sufficient that the information is needed in the individual case for investigating a specific act or group that warrants surveillance by the intelligence services (cf. on this BVerfGE 130, 151 <206>) since this requires that it is at least possible to determine the type of incident that might occur and that it will occur within a foreseeable timeframe. Given that the remit of the intelligence services as such is characterised by their function of protecting particularly weighty legal interests (cf. BVerfGE 141, 220 <339 para. 320>; cf. also BVerfGE 133, 277 <326 para. 118>), no stricter requirements regarding the protection of legal interests are needed.
(d) By contrast, in relation to law enforcement, thresholds for the use of powers that de facto require less than an initial suspicion of criminal conduct are insufficient where the use of such powers affects fundamental rights. While less strict limits can be defined for preventive measures in certain domains through the lowering of the requirements of the foreseeability regarding the causal chain (see para. 147 above), such measures require a factual basis in every case. The thresholds of ‘identifiable danger’ and ‘impending danger’ shift the threshold to a purely precautionary stage, before a danger to a legal interest actually arises; even these thresholds, which are recognised in public security law, require factual indications that a specific danger might emerge (cf. BVerfGE 141, 220 <272 para. 112>). The same applies accordingly to law enforcement measures. At a purely precautionary stage, too, these can only be considered if there are factual indications [of criminal conduct] (cf. BVerfGE 113, 348 <386>; 117, 244 <263>). Vague indications or mere assumptions are not sufficient (cf. BVerfGE 115, 166 <197 f.>; 124, 43 <66 f.>).
In light of the above, a threshold that is lower than an initial suspicion of criminal conduct is not sufficient for law enforcement measures. An initial suspicion merely requires sufficient factual indications of criminal conduct ([…]). In terms of their significance, such factual indications are even below the “specific facts” required for some investigation measures; therefore, an initial suspicion is already the level of suspicion with the lowest factual requirements in the Code of Criminal Procedure (cf. BVerfGE 109, 279 <350>; 129, 208 <268>). If the requirements were lowered even further, only vague indications would be necessary.
(2) § 113(1) first sentence TKG does not satisfy these constitutional requirements. The provision on data transfer allows for very broad use of the manual procedure for providing information by authorising requests for the purposes of public security, for the prosecution of criminal or administrative offences and for the performance of the tasks of the intelligence services (§ 113(2) first sentence TKG), without containing a threshold that further limits the scope of the transfer (cf. BVerfGE 130, 151 <205>). Rather, the provision already authorises the providing of information in the individual case where this information merely serves to perform these tasks.
(a) Despite the limited informative value of the data in question as such, the narrow possibilities of use of this data and their great significance for the effective performance of the tasks of the relevant authorities, the purposes for which the data may be used are not sufficiently limited. It is true that the purposes defined in the law are key security tasks. Given the increasing relevance of electronic communications and given people’s communication behaviour in all areas of life, the authorities are reliant on the possibility of individually matching telecommunications identifiers. Yet even when the moderate weight of interference is taken into account, the challenged provision is too broad given that information can already be provided if there is any link to the exercise of state functions and to the individual case, without requiring any factual indications providing grounds for interference. This allows for various possibilities of use that are not limited in any way.
(b) The necessary thresholds for the use of powers also cannot be inferred from § 113 TKG through interpretation, as had been the case for the former version of that provision.
While the former version of § 113 TKG, which had essentially the same wording, also did not contain any thresholds limiting the use of powers, the Federal Constitutional Court could determine such thresholds through interpretation in respect of the former version. The Court based this interpretation primarily on the limits set by the constituent elements of the provision, according to which information could only be requested in the individual case and only if it was necessary for performing the tasks [of the respective authorities]. In light of this, the Federal Constitutional Court interpreted the provision to the effect that, in the domain of public security, providing information required a ‘specific danger’, while in the domain of the intelligence services, the information had to be necessary to investigate a specific act or group warranting surveillance in the individual case. Insofar as information was used for the prosecution of criminal and administrative offences, the Court derived from the requirement of necessity in the individual case that at least an initial suspicion of criminal conduct was required (cf. BVerfGE 130, 151 <205 f.>).
It is not possible to adopt a corresponding reasonable interpretation of the challenged provision in the proceedings at hand. Both its wording and the legislative intent, which is clearly ascertainable, rule out such an interpretation. Unlike the former version, the current version of § 113(2) first sentence TKG, which sets out the detailed requirements of data transfers authorised by § 113(1) first sentence TKG, does not require that the information provided must be “necessary” for the performance of the tasks of the authorities that may make requests. Yet this was what the interpretation of the former version of the provision by the Federal Constitutional Court was based on, in addition to the provision’s link to the individual case. It was precisely the requirement of necessity in the individual case that led the Court to infer thresholds for the use of powers – even though these were low – from the former version of § 113 TKG. In the current provision, the legislator again only set out the purposes for which data may be used without determining thresholds limiting the use of powers. It also dispensed with the requirement that providing the information must be necessary for the performance of tasks. In light of its previous decision, the Federal Constitutional Court cannot just disregard these shortcomings in its interpretation in the case at hand. This would also not correspond to the legislative intent. The draft law introduced by the Federal Government initially did not provide for any restriction of the providing of information related to the respective tasks of the requesting authority (cf. BTDrucks 17/12034, p. 5). According to the Federal Government’s submission in response to objections raised by the Bundesrat (cf. Bundesrat document, Bundesratsdrucksache – BRDrucks 664/12 [Decision], p. 1 f.; BTDrucks 17/12034, p. 17), the necessary restrictions in relation to the respective tasks could no longer be set out in § 113 TKG itself, given the new dual structure of the law mandated by the decision of the Federal Constitutional Court. The Federal Government posited that this restriction did not concern the powers to transfer data granted to the telecommunications providers, but the powers to obtain data granted to the authorities. Therefore, the draft sets out that the prerequisites of providing information must be enshrined in the laws governing the respective authorities only (cf. BTDrucks 17/12034, p. 20). This view is based on a misunderstanding of the Federal Constitutional Court’s case-law (cf. BVerfGE 125, 260 <344 f., 355>; 130, 151 <184 f.; 202 f., 207 ff.>). Ultimately, the legislator did not fully implement this proposal. It at least inserted a restriction, according to which the providing of information must be limited to the individual case, and determined the purposes for which information may be provided. This was meant to clarify the substantive limits of the powers applicable to the respective authorities (cf. BTDrucks 17/12879, p. 10). Yet it is clear that the legislator did not want to set further-reaching limits. This can also be inferred from the provisions on data access in the laws governing the respective authorities, which were enacted at the same time. For the most part, these do not contain any thresholds limiting the use of powers; in particular, they do not require a specific danger (see para. 206 ff. below).
c) § 113(1) second sentence TKG, which authorises the transfer of login data, is incompatible with Art. 2(1) in conjunction with Art. 1(1) GG.
aa) § 113(1) second sentence TKG authorises the providing of data that allows access to user devices or external storage media (login data). The provision permits the providing of this data regardless of the prerequisites for data use; in this respect, despite the changed wording, its content corresponds to § 113(1) second sentence TKG in the version of the Telecommunications Act of 22 June 2004, which the Federal Constitutional Court declared incompatible with Art. 2(1) in conjunction with Art. 1(1) GG in its order of 24 January 2012 (cf. BVerfGE 130, 151 <152>). In that decision, the Court held that the provisions were disproportionate because authorities, without apparent reason, could access login data regardless of the prerequisites for the use of such data, and thus, as the case may be, subject to less strict requirements. The Court found that collecting login data was only necessary in light of the purposes pursued if the prerequisites for its use were met (cf. BVerfGE 130, 151 <209>).
When the Court declares a provision unconstitutional, this does not bar the legislator from enacting a new provision that has the same content as the provision that was declared unconstitutional (cf. BVerfGE 77, 84 <103 f.>). However, the legislator may not disregard the reasons for which the Federal Constitutional Court found the original law to be unconstitutional. Repeating a provision requires special reasons, which may primarily result from significant changes in the factual or legal circumstances relevant for constitutional assessment or in the views on which such assessment is based. If there are no such reasons, the Federal Constitutional Court is not required to again discuss the questions of constitutional law that it already decided [in its earlier decision] (BVerfGE 96, 260 <263>).
bb) Such special reasons are not ascertainable in this case. The new version of § 113(1) second sentence TKG does not contain the restriction that would have been necessary for reasons of proportionality; this is due to the fact that the legislator assumed that it would be sufficient for satisfying the requirements set out by the Federal Constitutional Court if it provided for this restriction in the newly created provisions on data access in the federal laws applicable to the respective authorities (cf. BTDrucks 17/12034, pp. 13 and 20). This is based on an incorrect understanding of the responsibility of the Federation, following from fundamental rights, to determine requirements for data use. Already when authorising the use of data for the exercise of state functions, the legislator must provide for clear restrictions of subsequent data use (cf. BVerfGE 125, 260 <344 f., 355>; see para. 130 above). In this regard, the Federal Constitutional Court declared the former version of the provision unconstitutional – provisions on data access to be enacted by the Federation and the Länder notwithstanding – on the grounds that it did not sufficiently restrict possible data use (cf. BVerfGE 130, 151 <207 ff.>). Deficits regarding the first door [provisions on data transfer] cannot be compensated through a “strengthening” of the second door [provisions on data access], which the legislator undertook in this case ([…]).
d) The newly created powers in § 113(1) third sentence TKG to transfer certain subscriber data that is determined on the basis of dynamic IP addresses do not satisfy the requirements of proportionality and therefore violate Art. 10(1) GG.
aa) § 113(1) third sentence TKG sets out in a sufficiently clear manner that information may also be provided on subscriber data that is determined on the basis of dynamic IP addresses. The provision also specifies that traffic data may be analysed to prepare the providing of information. With this provision, the legislator also sets out a separate rule for the use of traffic data collected for operational purposes pursuant to § 96 TKG (cf. BTDrucks 17/12034, p. 12) by authorising its analysis for the sole purpose of preparing the providing of information and thus for the exercise of state functions (see para. 132 above). Even though, when the new version of § 113(1) third sentence TKG was enacted in 2013, service providers only collected traffic data on the basis of § 96 TKG, the generally worded authorisation to analyse traffic data that is not limited further now de facto also covers – at least according to the provision’s wording – the traffic data that must be stored by providers of publicly accessible telecommunications services pursuant to §§ 113a and 113b TKG since 1 July 2017 ([…]). Yet as the use of this data for providing information pursuant to § 113(1) third sentence TKG is expressly laid down in § 113c(1) no. 3 TKG, there are no concerns with regard to the required legal clarity of § 113(1) third sentence TKG when both provisions are read together.
bb) Compared to the providing and obtaining of general subscriber data, § 113(1) third sentence TKG results in interferences of greater weight. The provision gives rise to an interference with Art. 10(1) GG and affects an individual’s personality to a significantly greater extent, both with regard to the informative value and possibilities of use of the subscriber data provided and with regard to the traffic data analysed by the service providers to determine this subscriber data.
(1) The creation of rights of state authorities to obtain information on matches between dynamic IP addresses and subscribers is of considerable weight given the informative value and possibilities of use of the subscriber data provided. The legislator thus influences the conditions of Internet communication and restricts anonymity. Combining the possibility of matching dynamic IP addresses to specific subscribers with systematic storage, without specific grounds, of Internet login data pursuant to § 113b(3) TKG makes it possible to determine the identity of Internet users on a large scale (cf. BVerfGE 125, 260 <341 f.>). This statutory concept is in principle not altered by the fact that enforcement of the obligation to store this data is currently suspended ([…]).
While the matching of a dynamic IP address is in some ways similar to the identification of a phone number, obtaining information on the user of a phone number does not in itself yield information on specific telecommunications. By contrast, information about the subscriber of a dynamic IP address necessarily also contains the information that this IP address was used at a certain time and from which subscriber line. Given that website contents are electronically registered and can be retrieved for a longer period of time, the act of matching an IP address to an individual subscriber also provides information about the content of specific telecommunications. Such matching of IP addresses affects an individual’s personality to a significantly greater extent than the identification of a phone number, already in terms of its scale, but above all in terms of the contents of telecommunications on which it can provide information; therefore, these two acts cannot be considered to be equivalent (cf. BVerfGE 130, 151 <204> with reference to BVerfGE 125, 260 <341 ff.>).
(2) Furthermore, it increases the weight of interference that, in order to determine which data is provided, service providers also analyse traffic data, which, from the outset, is of greater significance for an individual’s personality than mere subscriber data. It is true that traffic data is only communications data, which does not cover the contents of communications. Yet when it is collected and analysed on a large scale, traffic data can in principle yield conclusive personality and movement profiles (cf. BVerfGE 125, 260 <319>).
However, the weight of interference is lowered by the fact that the requesting authorities do not obtain knowledge of the traffic data in question when dynamic IP addresses are matched to individual subscribers. The authorities do not access this data themselves, but merely obtain personal information on the subscriber of a specific subscriber line, which was determined by service providers on the basis of traffic data and, where applicable, other data (e.g. the source port number, […]). The informative value of the subscriber data they obtain remains very limited. The use of traffic data merely leads to the information which subscriber was logged on to the Internet at a certain time with an IP address that is already known to the security authorities (cf. BVerfGE 125, 260 <341>). Its informative value remains fragmented. Such information alone does not allow for systematic investigations over a longer time period or the creation of personality or movement profiles (cf. BVerfGE 125, 260 <341>).
(a) This applies, firstly, to the traffic data collected pursuant to § 96 TKG. This concerns traffic data which service providers, pursuant to § 96 TKG, may store to a limited extent, subject to their operational requirements, and the storage of which can in part be avoided by individuals depending on their contract (cf. BVerfGE 125, 260 <352>). Thus, traffic data, including IP addresses, is neither stored fully nor systematically. Rather, whether and how this data is stored in practice differs considerably according to service provider, individual contract and services used. […]
(b) However, to match a dynamic IP address to a subscriber, service providers can not only analyse the traffic data collected pursuant to § 96 TKG, but also, in principle, the traffic data systematically retained for ten weeks (§ 113b(1) no. 1 TKG) without specific grounds by providers of publicly available telecommunications services (cf. BVerfGE 125, 260 <328, 352>; […]). This generally results in a considerably greater weight of interference. It must be taken into account that this data itself is not part of the information provided, and that the data used for matching an IP address to an individual subscriber is only a pre-determined small subset of data the storage of which could, as such, be ordered subject to considerably less strict requirements. The storage of solely the Internet login data that is necessary for providing information that identifies subscribers by matching dynamic IP addresses would be of significantly lower weight than the almost complete storage of all telecommunications data (cf. BVerfGE 125, 260 <341>). Therefore, the particularly strict requirements that are otherwise applicable to the use of traffic data retained as a precautionary measure do not apply in this case (cf. BVerfGE 125, 260 <340>).
(c) To the extent that § 113(1) fourth sentence TKG additionally requires that service providers take into consideration all internal data sources for providing information on the basis of dynamic IP addresses, this does not increase the weight of interference. The provision reflects that it is not for the service providers to freely choose or restrict the data necessary for identifying IP addresses ([…]). In this respect, the provision’s wording is merely open to the use of different technologies, yet – contrary to the complainants’ view – it does not provide a basis for the use of data that was stored unlawfully to match dynamic IP addresses.
(d) § 113(1) third sentence TKG also does not give rise to specific risks of abuse. In particular, it does not authorise the use of traffic data beyond the purpose expressly set out in the provision. In enacting § 113(1) third sentence TKG, the legislator made it sufficiently clear that information on IP addresses obtained through the use of traffic data may only be provided in relation to specific IP addresses that are already known to the authorities (cf. also BTDrucks 17/12034, pp. 10 and 12). […]
cc) Given that its weight of interference is increased nonetheless, § 113(1) third sentence TKG does not satisfy the requirements arising from the principle of proportionality regarding a sufficient limitation of the purposes for which the data may be used.
(1) Insofar as service providers may not only use the data collected pursuant to § 96 TKG to match IP addresses, but also traffic data retained as a precautionary measure, adherence to the particularly strict requirements applicable to the direct use of the entire retained traffic data is not required under constitutional law (cf. BVerfGE 125, 260 <340>). However, the increased weight of interference must be reflected by a sufficient limitation of the purposes for which the data may be used. In principle, thresholds for the use of powers that further limit the scope of § 113(1) third sentence TKG are necessary; moreover, the provision must be restricted to the protection and defence of legal interests of increased weight.
(a) Just as the providing and obtaining of general subscriber data, the matching of dynamic IP addresses to individual subscribers requires thresholds limiting the use of these powers and ensuring that requests for such information are not purely speculative. Therefore, qualified thresholds are in principle necessary that require an initial suspicion of criminal conduct or a specific danger supported by the facts of the individual case. The latter requirement applies both to intelligence services and to all authorities responsible for averting dangers to public security and order (cf. BVerfGE 125, 260 <343 f.>).
(b) Moreover, the prohibition of excessive measures (Übermaßverbot) requires that the providing of subscriber data set out in § 113(1) third sentence TKG must be justified by the protection of sufficiently weighty legal interests when measured against the resulting interference with fundamental rights. In principle, no narrowly defined statutory catalogues of legal interests or criminal offences are required. However, as the weight of interference is significantly increased given the type, scope and possibilities of use of the processed data, it is not permissible to allow such requests in general and without any restrictions to avert any kind of danger and to prosecute and prevent any administrative offence. It is true that there is great interest in having the possibility of attributing online communications to a user to protect legal interests or uphold the legal order and that the growing significance of the Internet for diverse areas of everyday life increases the risk that the Internet is used for committing various crimes and breaches of the law. However, lifting Internet anonymity is only permissible if a protected legal interest is impaired and the legal order attaches at least increased weight to the impairment, not just in relation to the measure at issue but also in other contexts. This does not completely rule out that information may be obtained for the purposes of prosecuting or preventing administrative offences. Yet the relevant offences must not only be expressly specified in the law, they must also be of particular weight – including in the individual case (cf. BVerfGE 125, 260 <344>). In the domain of public security, not any danger to a legal interest constitutes a sufficient threshold (cf. BVerfGE 150, 244 <286 para. 106>). Otherwise, any breach of the law could give rise to the matching of IP addresses, in view of the scope of public security law, which protects the inviolability of the entire legal order.
Therefore, in line with the weight of interference resulting from the matching of dynamic IP addresses to an individual subscriber, this practice can only be justified if it is based on reasons serving the protection or defence of legal interests of increased weight (cf. BVerfGE 125, 260 <344>). Yet such matching does not have to serve the protection or defence of legal interests of considerable weight, which would go beyond the requirement of increased weight, given that online communications are only matched to an individual subscriber based on specific grounds and on an ad hoc basis. In any case, legal interests of increased weight include the legal interests protected by criminal law. Yet the legislator can also permit the providing of subscriber data for the prosecution or prevention of other sufficiently weighty offences in respect of which the matching of IP addresses is important; this may also include particularly significant administrative offences (cf. on this BVerfGE 125, 260 <344>; 150, 244 <284 para. 99>).
(c) Given that the statutory determination of the threshold and of the protected legal interest are interrelated, the powers to match IP addresses do not always require the existence of a specific danger in the traditional sense. Thus, such powers may also satisfy the requirements of proportionality if the thresholds are lowered. In principle, the existence of an identifiable danger can suffice in this respect (see para. 148 f. above). Depending on the weight of the protected legal interests, it may be sufficient that it is possible to determine the type of incident that might occur, and that it will occur within a foreseeable timeframe, or, alternatively, that the individual conduct of a person establishes the specific probability that they will commit certain criminal acts in the not so distant future (cf. BVerfGE 141, 220 <272 f. para. 112, 291 para. 164 f., 305 para. 213>). This applies both to general public security and to the intelligence services.
If such an identifiable danger is to serve as grounds for the use of the powers in question, the information may only be provided for the purposes of protecting at least particularly weighty legal interests, given the increased weight of interference of the matching of IP addresses, which mainly results from the type, scope and possibilities of use of the subscriber data to be provided and the traffic data to be used for this purpose (cf. on this BVerfGE 141, 220 <270 para. 108> with further references). When enacting provisions on data transfer, the legislator must either specifically determine the legal interests of particular weight, or at least set out the necessary weight in clear provisions.
Insofar as averting dangers to public security relates to the prevention of crime, at least serious criminal offences are required (cf. also BVerfGE 125, 260 <328 f.>). When allowing access to subscriber data, the legislator itself must already determine definitively which criminal offences should qualify as serious. The legislator may either refer to existing catalogues of offences or draw up a new catalogue, for example to include criminal offences for which the matching of IP addresses is particularly relevant. However, the classification of the relevant criminal offence as serious must be objectively reflected in the definition of the crime in the underlying provision of criminal law, in particular by the specified range of punishment (cf. BVerfGE 109, 279 <343 ff., in particular 347 f.>). A blanket clause or mere reference to criminal offences that are not precisely defined is not sufficient (cf. also BVerfGE 125, 260 <329>).
In relation to the intelligence services, expressly setting out such a restriction to specific legal interests is not necessary as their activities serve to protect particularly weighty legal interests within that meaning from the outset (cf. BVerfGE 141, 220 <339 para. 320>; cf. also BVerfGE 133, 277 <326 para. 118>); in this respect, already the threshold of an identifiable danger ensures that the measures in question only concern legal interests that are sufficiently weighty in the individual case.
(2) § 113(1) third sentence TKG does not satisfy these requirements. The matching of dynamic IP addresses to individual subscribers is not tied to thresholds limiting the use of this power, and is therefore disproportionate.
(a) § 113(2) first sentence TKG sets out the detailed requirements for data transfer and determines the purposes for which data obtained through the matching of dynamic IP addresses may be used; yet the provision requires neither an initial suspicion of criminal conduct nor factual indications of a specific danger.
In relation to general public security measures, the provision also lacks a restriction to the protection of sufficiently weighty legal interests, which is necessary, including when the powers [to transfer data] are based on thresholds qualified in this manner. Insofar as the legislator authorises the matching of an IP address for the purposes of averting a danger to public security and order (§ 113(2) first sentence TKG), this concerns the inviolability of the entire legal order, and the weight of the legal interests in question is not assessed (cf. BVerfGE 150, 244 <286 para. 106>). The provision lacks a restriction to the purpose of averting dangers to legal interests of increased weight.
The same applies to law enforcement, insofar as § 113(2) first sentence TKG authorises the providing of information to prosecute any criminal offence. The provision lacks the necessary restriction to particularly weighty administrative offences. § 46(3) first sentence of the Act on Administrative Offences (Ordnungswidrigkeitengesetz – OWiG) also does not contain a sufficiently clear restriction. That provision prohibits the prosecution of administrative offences in administrative fining proceedings in general – and is thus even further-reaching – if such measures affect the privacy of telecommunications; therefore, it should de facto rule out that information obtained through the matching of IP addresses is used to prosecute administrative offences. Setting out definitive rules on data use in several different provisions is compatible with the Constitution overall (cf. BVerfGE 125, 260 <351 f.>) if data transfer and access concern matters for which the Federation has the sole legislative competence, as is the case here ([…]). However, this requires that the provisions, when read together, define the purpose for which the data may be used in a sufficiently precise and clear manner so as to ensure that the entire data transfer satisfies the constitutional requirements. Yet there is an irresolvable contradiction concerning permissible data use between § 46(3) first sentence OWiG on the one hand and the challenged provision on data transfer on the other, without these two provisions even making reference to one another.
(b) Nor does § 113(2) first sentence TKG limit the powers to match IP addresses through – even lowered – thresholds for the use of these powers. In particular, it does not require the existence of an identifiable danger, neither for general public security measures nor for the tasks of the intelligence services. Insofar as information pursuant to § 113(1) third sentence TKG [obtained through the matching of IP addresses] is concerned, § 113(2) first sentence TKG does not require that it is at least possible to determine the type of incident that might occur and that it will occur within a foreseeable timeframe, nor does it require, alternatively, that the individual conduct of a person establishes the specific probability that they will commit a criminal act in the not so distant future. In relation to general public security measures, the provision also lacks a limitation to the protection of at least particularly weighty legal interests, which would be necessary for such a lowering of the thresholds, and – insofar as the prevention of crime is concerned – it lacks a limitation to the prevention of at least serious criminal offences.
e) By contrast, the challenged provisions on data transfer do not raise concerns with regard to the level of data security required under constitutional law. The guarantee of data security, and of clearly defined purpose limitations on data use that satisfy the constitutional requirements, are inseparable elements of any statutory framework imposing obligations to store data and authorising access to private data records (cf. regarding the obligation to retain data BVerfGE 125, 260 <344>). In addition to rules ensuring the security of stored data, this also concerns rules ensuring the security of data transfers (cf. BVerfGE 125, 260 <345>). […]
IV.
Substantively, the challenged provisions governing data access, which correspond to § 113 TKG, largely do not satisfy the constitutional requirements that follow from Art. 2(1) in conjunction with Art. 1(1) GG and from Art. 10(1) GG.
1. Given that the transfer of and access to personal data each constitute a separate interference with fundamental rights, the respective provisions on data access must satisfy the requirements of proportionality, of legal clarity and of specificity in relation to the affected fundamental right and the respective weight of interference resulting from the provisions. The relevant constitutional requirements primarily follow from the principle of proportionality in its strict sense, which requires that the provisions on data access have their own, sufficiently specific statutory basis that sufficiently limits data use to specific purposes.
2. Like § 113 TKG (see para. 124 ff. above), the challenged provisions on data access pursue a legitimate purpose and are suitable and necessary for achieving that purpose.
In particular, access to login data does not require a subsidiarity clause, as deemed necessary by the complainants, according to which login data may only be accessed if the data to be collected in this manner cannot be collected by another method, in particular by directly requiring the service providers to provide content data. Directly requiring service providers to provide content data is not equally suitable for achieving the aim pursued with regard to contents protected by login data that are stored on user devices and external storage media that can be accessed through these devices. Service providers are typically not in possession of the user devices; even if they do know the PIN and PUK codes of a SIM card and the user device is not protected by personal access codes, service providers do not have access to the data either stored on or accessible from the user device, such as photos, contacts or email accounts with other service providers.
Access to login data serves to retrieve the contents of external storage media. Insofar as external storage media are within the scope of the Telecommunications Act, as is the case for voice mailboxes or email accounts (cf., however, regarding web-based email services, CJEU, Judgment of 13 June 2019, Gmail, C-193/18, EU:C:2019:498), access to content data can, by contrast, also be achieved by directly requiring service providers to hand over data (search, securing and seizure) or to monitor ongoing communications (telecommunications surveillance, remote searches) (cf. BVerfGE 124, 43 <55>). In accordance with the principle of proportionality, such measures must typically be limited to a certain time period (e.g. in § 100a, § 100e(1) fourth and fifth sentence of the Code of Criminal Procedure, Strafprozessordnung – StPO, § 100b, § 100e(2) fourth and fifth sentence StPO) or to certain contents that can be determined based on the time at which they occur or otherwise (regarding the seizure of data BVerfGE 113, 29 <55 f.>; 124, 43 <68>); in this respect, these measures provide more limited information than access to storage media obtained through the transfer of a passcode (cf. also BTDrucks 19/17741, p. 38). These considerations notwithstanding, the use of the powers to access login data must adhere to the principle of necessity in the individual case to ensure that login data cannot be requested without having regard to the requirements for its use, and thus potentially under less strict conditions (cf. in this respect BVerfGE 130, 151 <208 f.>). Accordingly, the use of login data can also be restricted to certain time periods or to certain contents that can be determined otherwise. In this respect, a limited prohibition to collect data is in place.
3. The provisions on data access are only compatible with the principle of proportionality in its strict sense if the individual powers to access data are sufficiently limited and adherence to the necessary general requirements regarding transparency, legal protection and oversight is ensured (see a) below). The challenged powers to generally access subscriber data (see b) below) largely do not satisfy these requirements, whereas the powers to access login data (see c) below) do. The powers to access specific subscriber data determined on the basis of dynamic IP addresses are also largely not sufficiently limited (see d) below); moreover, they do not satisfy the constitutional requirements regarding procedural safeguards (see e) below).
a) The provisions on data access satisfy the requirement of proportionality in its strict sense if the purpose pursued is not disproportionate to the weight of interference. The challenged provisions must constitute a qualified legal basis authorising data access that is sufficiently clear and specific (see aa) below). They must contain rules on data use that are sufficient in light of their weight of interference and the purposes pursued; in this respect, they must be proportionate in themselves (see bb) below). For the sake of legal clarity, the powers to access data must also be limited to the purposes set out in the provisions on data transfer (see cc) below). Moreover, all provisions on data access are subject to the principle of proportionality, which gives rise to certain general requirements regarding transparency, individual legal protection and administrative oversight as well as to rules on data use and deletion (see dd) below).
aa) The principle of legal clarity, which is of special significance in respect of interferences with the right to informational self-determination and the privacy of telecommunications, requires an unequivocal statutory basis for data access in the form of requests for information directly addressed to private third parties; this statutory basis must in itself lay down an obligation on the part of service providers to provide information. Sufficiently qualified provisions on data access are necessary that go beyond mere powers to collect data and clearly determine to which authorities the service providers’ obligation to transfer data applies (cf. BVerfGE 130, 151 <202 f.>).
bb) In line with the standards developed for the use of private data, provisions on data access must sufficiently limit the purposes for which the data may be used. To this end, in respect of data access, too, the legislator must specify precisely and clearly, for each subject matter, the grounds, purposes and scope of the respective interference (cf. BVerfGE 130, 151 <202>). For data access, too, thresholds that limit the use of the powers in question are required; these thresholds must ensure that information can only be obtained if factual indications provide specific grounds for the use of these powers. Data access for various and unlimited uses within the entire remit of an authority is impermissible (cf. BVerfGE 125, 260 <355 f.>). The thresholds can be lowered, in consideration of the weight of interference, (see para. 147 ff.) if it is ensured that the powers are only used for the protection of sufficiently weighty legal interests.
cc) The powers to access data must not only be proportionate in themselves; for the sake of legal clarity, they must also be limited to the purposes set out in the provisions on data transfer. This also applies where these purpose limitations are not required under constitutional law.
(1) […]
(2) […]
In line with the image of a double door, the legislator that is competent in the respective scenario must not only open the door for data transfer, but also the door for data access (cf. BVerfGE 130, 151 <184>). The legislator enacting the provisions on data transfer must already fulfil its legislative responsibility to determine, clearly and definitively, for which purposes and subject to which limitations it opens the first door (cf. BVerfGE 125, 260 <355>). Even the legislator enacting provisions to open the second door cannot open the first door any further. Rather, it is bound by the rules for data use laid down in the provisions on data transfer ([…]). The legislator enacting provisions on data access is free to set stricter requirements for data access by the relevant authorities by providing for narrower purposes, stricter thresholds or by only allowing data access to protect or defend even weightier legal interests ([…]). However, even if the legislator enacting provisions on data transfer is also the legislator enacting provisions on data access – as in the present case – it must not, for the sake of legal clarity, circumvent the purpose limitations set out in the provisions on data transfer by authorising the authorities to access data for other, further-reaching purposes or by providing for lower thresholds or the protection of less weighty legal interests. While provisions on data access containing such less strict rules on data use could allow the respective authorities to access data – within the limits of what is constitutionally permissible –, the service providers would be neither authorised nor obliged to provide information (cf. § 113(2) first sentence TKG). Therefore, such provisions on data access would contain a legal stipulation that is, from the outset, incompatible with the provisions on data transfer. 
Yet it is precisely the interaction of the provisions on data transfer and the provisions on data access, read together, that must clearly limit the purposes for which the transferred data may be used. A situation where an authority appears to be allowed to access data without having to comply with the rules on data use set out in the provisions on data transfer must be avoided. This could open up possibilities of data access that could be abused or used in unforeseeable ways.
A contradiction between provisions on data transfer and less strict provisions on data access could also not be resolved by providing that data may only be shared subject to the stricter requirements of the provisions on data transfer. The service providers cannot verify adherence to these stricter requirements in substantive terms, nor are they authorised to do so. Rather, the authorities that may access data are responsible for ensuring such adherence (cf. § 113(2) fourth sentence TKG), and only these authorities can reliably verify that the requirements are met. However, the provisions on data access in the laws governing the respective authorities would authorise further-reaching data access by those authorities without guaranteeing internal supervision on the basis of the standards set out in the provision on data transfer. In this respect, too, such a framework would open up access possibilities that could no longer be circumscribed in accordance with the rule of law and that would be unforeseeable ([…]).
dd) In addition, the principle of proportionality gives rise to certain general requirements regarding transparency, legal protection and administrative oversight that depend on the respective competence for the underlying subject matter and must be laid down in the provisions on data access (cf. BVerfGE 125, 260 <344 ff.>; 150, 244 <285 para. 101>; established case-law). These requirements are determined by the weight of interference resulting from the individual provisions. Moreover, tenable provisions on data use and deletion are required under constitutional law (cf. BVerfGE 65, 1 <46>; 150, 244 <285 para. 101>).
b) The provisions in the laws governing the respective authorities that generally authorise access to subscriber data largely do not satisfy these constitutional requirements. The provisions do, however, satisfy the general procedural requirements (see e) below, para. 244 ff.).
aa) Nevertheless, the provisions on data access create sufficiently specific and clear statutory bases authorising access to the data in respect of which transfer is permissible under § 113 TKG. In addition to allowing authorities to request data, the provisions impose obligations on private third parties and thus create specific statutory bases that, in themselves, give rise to an obligation of service providers to provide information. All provisions designate the respective authority that may access data and expressly refer to the “data collected pursuant to §§ 95 and 111 TKG”.
bb) However, given their weight of interference, which primarily depends on the type, scope and possibilities of use of the affected data, the challenged provisions are for the most part not proportionate. Almost none of the provisions requires thresholds limiting the use of the powers in question or provides for such restrictions through clear references to other provisions.
(1) § 10(1) second sentence BKAG, § 7(5) first sentence and § 15(2) first sentence ZFdG, § 8d(1) first sentence BVerfSchG as well as § 2b first sentence BNDG and § 4b first sentence MADG, insofar as they refer to § 8d(1) first sentence BVerfSchG, are not sufficiently limited and therefore unconstitutional.
(a) § 10(1) first sentence no. 1 BKAG authorises the Federal Criminal Police Office, as the central office for police information and communications and for the criminal police, to access subscriber data. The provision only requires that the data be necessary to perform one of the tasks incumbent upon the Federal Criminal Police Office pursuant to § 2(2) no. 1 or § 2(6) BKAG; it does not set out thresholds limiting the use of this power.
[…]
(b) § 10(1) first sentence nos. 2 and 3 BKAG authorise the Federal Criminal Police Office to access data for the purposes of protecting constitutional organs and its own executive board (§ 6 BKAG) as well as for witness protection purposes, insofar as the data is necessary to perform these tasks. This provision is also not sufficiently limited. Neither the provision as such nor §§ 6 and 7 BKAG, which set out the tasks of the Federal Criminal Police Office and to which the provision refers, require specific grounds for the use of these powers. […]
(c) The powers to access subscriber data set out in § 15(2) first sentence and § 7(5) first sentence ZFdG are also not sufficiently limited and disproportionate for this reason. Thus, there is no need to decide whether the legislative approach chosen for both provisions that uses references and chains of reference satisfies the requirements regarding sufficient legal clarity (cf. BVerfGE 110, 33 <57 f., 61 ff.>; BVerfG, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 215).
(aa) § 15(2) first sentence ZFdG authorises the Customs Criminal Investigations Office to access subscriber data for the performance of its tasks set out in § 4(2) to (4) ZFdG. The provision merely authorises data access if it is necessary to perform the tasks of the Customs Criminal Investigations Office when monitoring foreign trade, cross-border movement of goods and combatting internationally organised money laundering. However, the mere performance of the various tasks does not require grounds for the use of these powers ([…]).
[…]
(bb) The considerations regarding § 10(1) first sentence no. 1 BKAG and § 15(2) first sentence ZFdG largely also apply to § 7(5) first sentence ZFdG, which authorises the Customs Criminal Investigations Office to access subscriber data for the performance of its tasks as a central office pursuant to § 3 ZFdG. […]
(d) § 8d(1) first sentence BVerfSchG as well as § 2b first sentence BNDG and § 4b first sentence MADG, insofar as they refer to § 8d(1) first sentence BVerfSchG, also do not satisfy the requirements of proportionality in its strict sense. The provisions neither provide for thresholds limiting the use of the powers in question nor do they contain restrictions to the individual case; rather, they only require that data access must be necessary to perform the tasks of the respective authority. […]
(2) § 40(1) first sentence BKAG generally authorises the Federal Criminal Police Office to access subscriber data, insofar as this is necessary to investigate the facts of a case or to determine the whereabouts of a person, subject to the conditions set out in § 39(1) and (2) BKAG. This provision satisfies the requirements of proportionality only in part.
(a) § 40(1) first sentence BKAG is not proportionate in the strict sense insofar as it refers to § 39(1) BKAG. […] Neither § 40 BKAG nor § 39 BKAG provide for thresholds limiting the use of the powers in question, nor do they require that the data is necessary in the individual case. Rather, they already authorise data access if the data may generally serve to counter dangers arising from international terrorism.
[…]
The further constituent element of § 40(1) first sentence BKAG, which requires that data access must be necessary to investigate the facts of a case or to determine the whereabouts of a person, does not sufficiently limit the provision on data access. The meaning of this addition, which is common in criminal procedural law (cf., e.g., § 100a(1) first sentence no. 3, § 100f(1) StPO), in the context of public security measures is unclear.
(b) Insofar as § 40(1) first sentence BKAG refers to § 39(2) no. 1 BKAG, thresholds that sufficiently limit the use of the powers in question are lacking.
[…]
[…] Pursuant to § 39(2) no. 1 BKAG, data access is contingent upon the possibility that terrorist acts may be committed and requires factual indications to this effect. However, the provision does not require that it is at least possible to determine the type of incident that might occur and that it will occur within a foreseeable timeframe, nor does it require, alternatively, that the individual conduct of a person establishes the specific probability that they will commit a criminal act in the not so distant future (cf. BVerfGE 141, 220 <291 para. 165>). Thus, it does not contain any restrictions regarding the foreseeability of the causal chain.
(c) By contrast, § 40(1) first sentence BKAG, insofar as it refers to § 39(2) no. 2 BKAG, does not raise any constitutional concerns.
[…]
(3) § 22a(1) first sentence BPolG authorises the Federal Police to access subscriber data, insofar as this is necessary to investigate the facts of a case or to determine the whereabouts of a person, subject to the conditions set out in § 21(1) and (2) BPolG. This provision satisfies the requirements of proportionality only in part.
(a) § 22a(1) first sentence BPolG is disproportionate insofar as it refers to § 21(1) BPolG. § 21(1) BPolG […] merely requires that data access is necessary for the performance of one of the tasks incumbent upon the Federal Police. […] Neither § 22a(1) first sentence BPolG nor § 21(1) BPolG provide for thresholds limiting their scope, nor do they limit data access to the individual case ([…]). […]
(b) § 22a(1) first sentence BPolG is also not sufficiently limited insofar as it refers to § 21(2) no. 1 BPolG. The powers to collect personal data set out in § 21(2) BPolG are more specific than the powers set out in § 21(1) BPolG in that the former provision allows such collection for the purposes of preventing crime. […] Yet § 21(2) no. 1 BPolG does not […] contain sufficient requirements regarding the prognosis [that a criminal act will be committed] (cf. BVerfGE 141, 220 <291 para. 165>).
(c) By contrast, § 22a(1) first sentence BPolG in itself satisfies the constitutional requirements, insofar as it refers to § 21(2) no. 2 BPolG. […]
[…]
c) The challenged powers to access login data (cf. § 10(1) second sentence and § 40(1) second sentence BKAG, § 22a(1) second sentence BPolG, § 7(5) second sentence and § 15(2) second sentence ZFdG, § 8d(1) second sentence BVerfSchG as well as § 2b first sentence BNDG and § 4b first sentence MADG, insofar as they refer to § 8d(1) first sentence BVerfSchG) are, in themselves, sufficiently limited and proportionate. They also satisfy the general procedural requirements (cf. e) below, para. 244 ff.).
All provisions governing data access require, in the same wording, that data may only be requested if the statutory requirements for the use of the data are met. Thus, the provisions ensure that login data cannot be accessed without having regard to the requirements for its use and thus potentially subject to less strict conditions (cf. BVerfGE 130, 151 <208 f.>). […]
[…]
d) The provisions governing access to subscriber data determined on the basis of dynamic IP addresses (§ 10(2) and § 40(2) BKAG, § 22a(2) BPolG, § 7(6) and § 15(3) ZFdG, § 8d(2) first sentence BVerfSchG as well as § 2b first sentence BNDG and § 4b first sentence MADG, insofar as they refer to § 8d(1) first sentence BVerfSchG) are, for the most part, not sufficiently limited and disproportionate for this reason alone. Only § 40(2) BKAG, insofar as it refers to § 39(2) no. 2 BKAG, satisfies the constitutional requirements in this respect; however, it does not satisfy the general procedural requirements (cf. e) below, para. 244 ff.).
The principle of proportionality does not require that access to subscriber data determined on the basis of dynamic IP addresses be subject to higher thresholds than access to general subscriber data (see paras. 176 and 179 above). Yet such data access must be necessary for the protection of sufficiently weighty legal interests, which is linked to the respective threshold. Even if the thresholds laid down for the matching of IP addresses require a specific danger for the purposes of averting danger to public security and an initial suspicion of criminal conduct for the purposes of law enforcement, such matching still requires that the powers to carry it out be limited to the protection of legal interests of increased weight (see para. 177 f. above). If, by contrast, the thresholds are lowered and, according to the legislative intent, a sufficient purpose for matching dynamic IP addresses is the averting of identifiable dangers, the powers must be restricted to particularly weighty legal interests in light of the specific weight of interference resulting from the matching of dynamic IP addresses (see para. 180 above). For the most part, the challenged provisions do not satisfy these constitutional requirements; moreover, thresholds limiting the use of these powers are mostly lacking.
aa) The provisions governing data access (§ 10(2) BKAG, § 40(2) in conjunction with § 39(1) and (2) no. 1 BKAG, § 22a(2) in conjunction with § 21(1) and (2) no. 1 BPolG, § 7(6) and § 15(3) ZFdG, § 8d(2) first sentence BVerfSchG as well as § 2b first sentence BNDG and § 4b first sentence MADG, insofar as they refer to § 8d(2) first sentence BVerfSchG) are based solely on the requirements for the powers to generally access subscriber data, which are also disproportionate (see para. 206 ff. above), and therefore do not provide for thresholds for the matching of IP addresses, or, in any event, do not provide for thresholds sufficiently limiting these powers. For this reason alone, they do not satisfy the constitutional requirements and are disproportionate.
[…]
bb) By contrast, both § 22a(2) in conjunction with § 21(2) no. 2 BPolG and § 40(2) in conjunction with § 39(2) no. 2 BKAG contain sufficiently limited thresholds (see paras. 227 f. and 232 above). Yet only § 40(2) BKAG satisfies the requirements regarding the protection of legal interests that arise in light of the weight of interference resulting from the matching of dynamic IP addresses. According to these requirements, where the threshold is lowered – as in the present case –, the matching of dynamic IP addresses for the prevention of crime must serve to prevent at least serious criminal offences (see para. 181 above). § 22a(2) in conjunction with § 21(2) no. 2 BPolG, which authorises the matching of dynamic IP addresses even for the prevention of considerable criminal offences, does not satisfy these requirements.
e) For the most part, the challenged provisions satisfy the general requirements regarding transparency, individual legal protection and administrative oversight that follow from the principle of proportionality. They also contain tenable rules on data use and deletion. However, it is objectionable under constitutional law that the statutory framework does not impose documentation requirements on the authorities when they access data determined on the basis of dynamic IP addresses.
aa) In contrast to covert measures, which give rise to interferences of higher intensity (cf. BVerfGE 141, 220 <269 para. 105, 282 f. para. 134 ff.>), obtaining general subscriber data, which gives rise to interferences of comparably low intensity, does not entail notification requirements (cf. BVerfGE 130, 151 <210>; cf. also ECtHR, Breyer v. Germany, Judgment of 30 January 2020, no. 50001/12, § 107 (not final); CJEU, Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2018:788, para. 60 f.). Rather, in accordance with the principle of proportionality, it is sufficient that affected persons are informed that their subscriber data has been provided to the authorities only if follow-up measures are taken against them and that they may then have the lawfulness of the measures reviewed by the ordinary courts (cf. BVerfGE 150, 244 <302 para. 154>).
With regard to the providing of information that gives rise to interferences of higher intensity, such as the matching of IP addresses to individual subscribers and – potentially – the providing of login data, the provisions on data access in the laws governing the respective authorities in principle provide for ex post notification of affected persons. The provisions satisfy the constitutional requirements, even though affected persons are only notified if such notification does not obstruct the purpose pursued by the measure, but they are not notified if this is precluded by overriding protected interests of others or of the affected persons themselves (cf. BVerfGE 125, 260 <344>; 129, 208 <250 f.>). The obligation imposed on the authorities to document the reasons for refraining from notification ensures that it is possible to review whether the requirements are still met after a reasonable period of time. Judicial confirmation of the decision to refrain from notification is not required (cf. BVerfGE 125, 260 <344>). Yet where login data is accessed, stricter requirements can derive from the statutory bases authorising the use of the data.
bb) The statutory framework provides for administrative oversight, as required under constitutional law (cf. BVerfGE 65, 1 <46>; 133, 277 <369 para. 214>; 141, 220 <284 f. para. 141>; established case-law). In addition to technical administrative oversight, oversight under data protection law is ensured by the Federal Data Protection Commissioner (cf., e.g., §§ 8 ff. of the Federal Data Protection Act, Bundesdatenschutzgesetz – BDSG, § 69 BKAG, § 26a(2) and (3) BVerfSchG, § 32 BNDG and § 12a MADG) and by data protection officers within the respective authorities (cf., e.g., § 70 BKAG). […]
cc) By contrast, it is not compatible with the proportionality requirements that the statutory framework does not provide for an obligation to document the basis on which a decision to access subscriber data determined on the basis of dynamic IP addresses was taken.
Given the low intensity of interference resulting from access to general subscriber data, it is not necessary to document the basis on which a decision to access such data was taken, even though the measure is typically carried out covertly and affected persons are not notified of such access, not even ex post. Such documentation is also not required on the grounds that the decision whether to access subscriber data is taken within an authority (regarding this BVerfGE 150, 244 <303 para. 157>). It is true that only the relevant authorities can ensure that the substantive requirements for data access are met. However, such access does not remain an internal process within the respective authority insofar as authorities must address a written request for information to the service providers citing the applicable statutory basis (cf. § 113(2) first sentence TKG).
By contrast, given its increased weight of interference, the matching of dynamic IP addresses can only be considered proportionate if the basis for the decision to carry out such a measure is documented in a comprehensible and verifiable manner. The legal and factual basis justifying the respective request for information must be documented in the relevant files (BVerfGE 125, 260 <344>). Firstly, having to account for the basis of its decisions rationalises and moderates the decision taken by the authority concerned. Secondly, only such documentation allows for oversight by data protection officers. Finally, the documentation of such measures facilitates review by administrative courts (cf. BVerfGE 150, 244 <303 para. 157>). However, no general documentation requirements must be provided for in respect of access to login data. Insofar as such documentation is mandated in light of the weight of interference in the individual case, these requirements typically derive from the respective statutory bases governing the use of such data.
dd) Reporting obligations vis-à-vis Parliament and the public do not have to be set out in the statutory framework. Reporting obligations vis-à-vis Parliament serve to ensure oversight and scrutiny that is directly democratically legitimated. For proportionality reasons, such obligations are only necessary in respect of investigatory and surveillance powers that result in particularly intrusive interferences with the private sphere and that pose risks to fundamental rights specifically affecting a large number of persons (cf. BVerfGE 141, 220 <268 f. para. 103, 285 para. 142 f.> with further references). Contrary to the complainants’ view, such parliamentary oversight and scrutiny is not required in respect of measures that are not particularly intrusive, like in the present case.
ee) The constitutional principle of proportionality does not require prior review by an independent body, for example in the form of a warrant issued by a court. Therefore, it does not raise any concerns that the statutory provisions on data access only require prior judicial authorisation (Richtervorbehalt) in respect of access to login data or, with regard to the intelligence services, require prior examination by the Article 10 Commission (G 10-Kommission); likewise, there are no concerns regarding the various exemptions from the requirement of prior judicial authorisation applicable to access to login data.
(1) Where statutory provisions authorise covert measures taken by an authority vis-à-vis the person concerned that affect specially protected domains of private life or result in particularly intrusive interferences, they require suitable procedural safeguards in view of the weight of the interference with fundamental rights, in particular, a prior review by an independent body, for example in the form of a warrant issued by a court (cf. BVerfGE 120, 274 <331>; 141, 220 <275 para. 117>; cf. also ECtHR, Szabó and Vissy v. Hungary, Judgment of 12 January 2016, no. 37138/14, § 77). Such safeguards are required if the measures in question are taken covertly and are expected to concern highly private information (cf. BVerfGE 141, 220 <275 para. 117>; cf. also CJEU, Judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C-203/15 inter alia, EU:C:2016:970, paras. 99, 120, 125). In respect of a decision on taking such covert measures, prior review can be a significant element of effective fundamental rights protection, ensuring that the interests of affected persons are sufficiently taken into account if they cannot defend their own interests before the measures are carried out given their covert nature (cf. BVerfGE 120, 274 <331 f.>).
(2) In respect of access to certain subscriber data determined on the basis of dynamic IP addresses, which requires both the analysis of traffic data stored on the basis of customer contracts and of traffic data retained as a precautionary measure, no prior judicial authorisation is required, despite the increased weight of interference compared to obtaining general subscriber data (cf. BVerfGE 125, 260 <344>). In contrast to provisions on data access allowing for access to the retained traffic data in its entirety, for which prior judicial authorisation is in principle required (cf. BVerfGE 125, 260 <337 f.>; cf. CJEU, Judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C-203/15 inter alia, EU:C:2016:970, paras. 120, 125), no additional safeguards in the form of preventive and independent review are required in respect of data obtained on a registered subscriber that was only determined through the ad hoc and indirect use of traffic data.
(3) The same applies in principle to the authorisation to access login data, which is subject to conditions for the use of such data. It is true that access to login data as such qualifies as a separate interference, regardless of the planned use of the data, given that it obstructs the informational self-protection of affected persons and thus frustrates their expectations that their communications will remain private. However, the weight of interference depends primarily on the use of the login data; the conditions of such use therefore also govern the procedural rules on access to this data.
Thus, proportionality does not require that the collection of login data as such must be subject to separate conditions and must always require prior judicial authorisation. Under the rule of law, it is only required that information provided on login data is tied to the same conditions – both in substantive and in procedural terms – that must be met with regard to data access in respect of the purpose for which this data is to be used (cf. BVerfGE 130, 151 <208 f.>). These conditions are based on separate legal bases; they differ according to the nature and weight of the interference, both in formal and in substantive terms. Given that any access to login data also requires that the conditions for its use be met, prior judicial review is ensured without any restrictions where it is required under constitutional law because data use amounts to a particularly intrusive interference ([…]).
[…]
ff) The provisions on data security, further data use and deletion by the requesting authorities satisfy the constitutional requirements.
[…]
D.
No further requirements derive from the fundamental rights of the European Union, notwithstanding the question to what extent such review would fall to the Federal Constitutional Court. Even if, in light of Art. 15 of Directive 2002/58/EC or Art. 6 GDPR (cf. paras. 85-87 above), the challenged provisions were in part to be considered to be implementing EU law within the meaning of Art. 51(1) first sentence of the Charter of Fundamental Rights of the European Union, there would be no specific and sufficient indication that, in the case under review here, the fundamental rights of the Basic Law, in the interpretation set out here, do not simultaneously ensure the level of protection of the Charter according to the CJEU’s case-law (cf. BVerfGE 152, 152 <180 ff., para. 67 ff.>). In particular, such indication does not follow from the CJEU’s decisions concerning the Data Retention Directive (CJEU, Judgment of 8 April 2014, Digital Rights Ireland and Seitlinger and Others, C-293/12 inter alia, C-594/12, EU:C:2014:238) and concerning data retention powers of the Member States (CJEU, Judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C-203/15 inter alia, EU:C:2016:970). Those decisions concerned the domestic interception of all telecommunications traffic data, which makes it possible to compile almost complete personality profiles of individual communicating parties. This differs fundamentally from the mere indirect and ad hoc use of traffic data for the matching of dynamic IP addresses. Nor does the decision of the Court of Justice of the European Union in the case Ministerio Fiscal (CJEU, Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2018:788) give rise to indications that the Charter’s level of protection goes beyond the level of protection afforded by the fundamental rights of the Basic Law in this constellation. 
Rather, this decision clarified that the access of public authorities to subscriber data stored by service providers cannot be considered an interference with fundamental rights that is sufficiently serious to entail that access must be limited to the objective of fighting serious crime (cf. CJEU, Judgment of 2 October 2018, Ministerio Fiscal, C-207/16, EU:C:2018:788, para. 63; cf. also ECtHR, Breyer v. Germany, Judgment of 30 January 2020, no. 50001/12, §§ 95, 101 (not final)). In the context of a European regime of fundamental rights protection that seeks to accommodate diversity, it is not ascertainable in the present case that the fundamental rights of the Basic Law do not simultaneously ensure the level of protection of the Charter of Fundamental Rights of the European Union (cf. also BVerfG, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -, para. 326).
E.
For the most part, the challenged provisions must be declared incompatible with Art. 2(1) in conjunction with Art. 1(1) GG and with Art. 10(1) GG.
I.
1. The finding that a statutory provision is unconstitutional generally results in a declaration of voidness (§ 95(2) first sentence of the Federal Constitutional Court Act, Bundesverfassungsgerichtsgesetz – BVerfGG; cf. BVerfGE 101, 397 <409>). However, pursuant to § 31(2) second and third sentence BVerfGG, the Federal Constitutional Court can limit its decision to declaring that an unconstitutional provision is merely incompatible with the Basic Law (cf. BVerfGE 109, 190 <235>). The Court may combine the declaration of incompatibility with a temporary order to continue to apply the unconstitutional provisions. This may be considered in cases where the immediate invalidity of the objectionable provision would eliminate the basis for the protection of exceptionally significant interests of the common good and if the outcome of a balancing of these interests against the affected fundamental rights suggests that the interference must be tolerated for a transitional period (BVerfGE 150, 244 <306 para. 168> with further references; established case-law). During the transitional period, the Federal Constitutional Court can issue interim orders to reduce the powers of the authorities, in line with what appears necessary in light of its balancing, until a situation of constitutional conformity has been established (BVerfGE 141, 220 <351 para. 355> with further references).
2. Based on these standards, the provisions, insofar as they are unconstitutional, are not declared void. […]
3. The challenged provisions are declared incompatible with the Basic Law to the extent set forth in the operative part of the decision.
[…]
4. The declaration of incompatibility is combined with an order of temporary continued application until 31 December 2021 at the latest. […] Until new provisions have been enacted, this continued application is subject to the following conditions:
a) § 113(1) first sentence TKG and the challenged provisions on general access to subscriber data may continue to be applied where data access is required, in relation to public security, to avert a specific danger within the meaning of the general clause in police law, or where data access is required, in relation to the intelligence services, to investigate a specific act or group warranting surveillance in the individual case. In relation to the prosecution of criminal and administrative offences, § 113(1) first sentence TKG may continue to be applied if there is at least an initial suspicion of criminal conduct.
b) In addition, § 113(1) first sentence TKG in conjunction with § 40(1) first sentence BKAG or § 22a(1) first sentence BPolG, respectively, may also be applied if data access is necessary to prevent criminal offences within the meaning of § 39(2) BKAG or § 21(2) BPolG. In this respect, § 39(2) no. 1 BKAG and § 22a(2) no. 1 BPolG may only be applied subject to the condition that specific facts must give rise to the assumption that a person will, in the not so distant future, commit a criminal act within the meaning of § 5(1) second sentence BKAG and it is at least possible to determine the type of this act, or that the person will commit a considerable criminal offence within the meaning of § 12(1) BPolG, or that specific facts give rise to the assumption that their individual conduct establishes the specific probability that they will commit such a criminal act in the not so distant future (cf. BVerfGE 141, 220 <272 f. para. 112>).
c) § 113(1) second sentence TKG may continue to be applied if the conditions for using the data covered by this provision are met in the individual case (cf. BVerfGE 130, 151 <210>).
d) § 113(1) third sentence TKG and the challenged provisions on access to subscriber data determined on the basis of dynamic IP addresses may continue to be applied if the data is provided – going beyond the conditions set out under a) above – for the purposes of averting a danger to a legal interest of increased weight or of prosecuting criminal offences or at least particularly weighty administrative offences.
e) In addition, § 113(1) third sentence TKG in conjunction with § 40(2) BKAG or § 22a(2) BPolG, respectively, and insofar as they refer to § 39(2) BKAG or § 21(2) BPolG, may also be applied, subject to the conditions set out under a) and b) above; in respect of § 22a(2) BPolG, data access must be necessary to prevent serious criminal offences within the meaning of § 12(1) BPolG.
II.
[…]
This decision was rendered with one dissenting vote concerning the question whether § 113(1) first sentence in conjunction with § 113(2) first sentence TKG satisfies the proportionality requirements.
Harbarth | Masing | Paulus
Baer | Britz | Ott
Christ | Radtke