Order of 8 October 2024

Table of contents

1. 1

   A. Facts of the case

   1. 2

      I. Background of the challenged powers

   2. 3

      II. Relevant provisions

   3. 19

      III. Processes of strategic surveillance of international telecommunications

   4. 34

      IV. Constitutional complaints

   5. 56

      V. Statements

2. 74

   B. Subject matter and admissibility

   1. 74

      I. Subject matter

   2. 77

      II. Jurisdiction of the Federal Constitutional Court

   3. 82

      III. Admissibility

3. 131

   C. Merits
   

   1. 132

      I. Scope of protection (Art. 10(1) of the Basic Law)

   2. 139

      II. Fundamental rights interferences

   3. 144

      III. Justification
      

      1. 145

         1. Formal constitutionality

      2. 151

      3. 2. Substantive constitutionality

         1. 152

            a) General standards

         2. 156

            b) Standards for the proportionality of strategic surveillance of international telecommunications

         3. 174

            c) Application of the standards to the present case

211

D. Outcome and legal consequences

R e a s o n s :

A.

1

The two constitutional complaints are directed against the statutory authorisation of the Federal Intelligence Service (Bundesnachrichtendienst) to conduct strategic surveillance of international telecommunications for the purpose of detecting international cyberthreats under § 5(1) third sentence no. 8 of the Act Restricting the Privacy of Mail, Post and Telecommunications (Article 10 Act, Artikel 10-Gesetz – G 10). These powers were inserted into the Article 10 Act by the Act to Improve Cooperation Regarding the Protection of the Constitution of 17 November 2015 (Federal Law Gazette, Bundesgesetzblatt – BGBl I p. 1938), which entered into force on 21 November 2015. The complainants also challenge several previously-enacted provisions that supplement these powers; these concern the proportionate design and limitation of the powers conferred by § 5(1) third sentence of the Article 10 Act, and also apply to the newly created authorisation in no. 8.

I.

2

In introducing the new powers to conduct surveillance of international cyberthreats in § 5(1) third sentence no. 8 of the Article 10 Act, the federal legislator intended to adapt the existing authorisation to conduct strategic surveillance of international telecommunications to new virtual threats, in view of IT systems that are or can be globally connected (cyberspace). The legislator argued that the powers previously conferred by § 5(1) third sentence nos. 1 to 7 of the Article 10 Act for the dangers mentioned therein were inadequate to effectively counter the new dangers. It considered it necessary to create new statutory powers for the Federal Intelligence Service to gather intelligence on cyberattacks, especially in the form of cyber espionage or cyber sabotage. The new powers were meant to enable the Federal Intelligence Service to contribute to expanding and improving IT security in the state and non-state sector and to ensure greater security in cyberspace in general (cf. Bundestag document, Bundestagsdrucksache – BTDrucks 18/4654, p. 40 f.).

II.

3

The provisions relevant to the present proceedings – the provision granting the relevant powers (see 1. below) and the supplementing provisions (see 2. below) – are as follows:

4

1. § 5(1) of the Article 10 Act authorises the Federal Intelligence Service to conduct strategic surveillance of international telecommunications; it reads in relevant part as follows:

§ 5 of the Article 10 Act – Prerequisites

(1) ¹Restrictions under § 1 on international telecommunications traffic may be ordered upon application by the Federal Intelligence Service, insofar as bundled data transmission occurs. ²The affected telecommunications traffic is to be determined by the competent federal ministry pursuant to § 10(1) with the consent of the Parliamentary Oversight Body. ³Restrictions under the first sentence are only permissible to gather intelligence on facts the knowledge of which is necessary for the timely detection and addressing of the danger

1. to 7. (...)

8. of international criminal or terrorist attacks or attacks by foreign states on the confidentiality, integrity and availability of IT systems using malware or similar malicious IT technology, in serious cases affecting the Federal Republic of Germany

(...).

(2) (…)

5

§ 1 of the Article 10 Act, which is referenced by § 5, reads in relevant part as follows:

§ 1 of the Article 10 Act – Subject matter of the Act

(1) (…)

1. (...)

2. The Federal Intelligence Service is authorised to intercept and record telecommunications in the framework of its tasks under § 1(2) of the Federal Intelligence Service Act, including for the purposes laid down in § 5(1) third sentence nos. 2 to 8 (...).

(2) (...)

6

§ 1(2) of the Federal Intelligence Service Act (BND-Gesetz – BNDG), which is referenced therein, reads in relevant part as follows:

§ 1 of the Federal Intelligence Service Act – Organisation and tasks

(1) (...)

(2) ¹The Federal Intelligence Service gathers and analyses the information necessary to obtain intelligence on other countries that is of significance to the foreign and security policy of the Federal Republic of Germany. (...)

7

2. a) § 10(4) third and fourth sentence of the Article 10 Act is a supplementary provision limiting the volume of the data that may be made subject to surveillance, which entered into force on 29 June 2001 (BGBl I p. 1254). It reads as follows:

§ 10 of the Article 10 Act – Order for surveillance

(1) to (3) (...)

(4) ¹In cases concerning §§ 5 and 8, the search terms must be listed in the order. ²The area on which information is to be gathered and the transmission routes to be intercepted must be set forth. ³It must also be determined what share of the transmission capacity available on these transmission routes may be intercepted. ⁴In cases concerning § 5, this share may not exceed 20%.

(5) to (7) (…)

8

b) The exemption from the prohibitions under § 5(2) second sentence nos. 1 and 2 of the Article 10 Act concerning persons located in other countries, laid down in § 5(2) third sentence of the Article 10 Act, read as follows in the version in force since 5 August 2009 (BGBl I p. 2499):

§ 5 of the Article 10 Act – Prerequisites

(1) (...)

(2) ¹When restricting telecommunication traffic, the Federal Intelligence Service may only use search terms that serve to gather intelligence on the dangers determined in the order for surveillance and that are suitable for this purpose. ²No search terms may be used that

1. contain identifying features which result in the targeted interception of specific subscriber lines, or

2. concern the core of private life.

³This does not apply to subscriber lines in other countries, provided that the targeted interception of subscriber lines owned or regularly used by German nationals can be ruled out. (...)

9

c) The provisions protecting the core of private life in § 5a first to fourth sentence in conjunction with § 3a of the Article 10 Act, which had likewise been in force since August 2009, were amended by the Act to Adapt the Law for the Protection of the Constitution of 5 July 2021 (BGBl I p. 2274) while the present proceedings were pending. A second subsection was inserted into § 3a of the Article 10 Act; editorial changes were made to the reference in § 5a fourth sentence of the Article 10 Act. The provisions now read as follows:

§ 5a of the Article 10 Act – Protection of the core of private life

¹Restrictions under § 1(1) no. 2 may not result in communication contents from the core of private life being collected. ²If a restriction under § 1(1) no. 2 has resulted in the collection of communication contents from the core of private life, these may not be used. ³They must be deleted without delay under the supervision of a staff member who is qualified to hold judicial office. ⁴§ 3a (1) second to seventh sentence and § 3a(2) applies accordingly. (...)

§ 3a of the Article 10 Act – Protection of the core of private life

(1) (...) ²If, in the context of restrictions referred to in § 1(1) no. 1, data is directly taken note of while it is automatically recorded, the measure must be suspended immediately if facts revealed during the surveillance suggest that contents that can be attributed to the core of private life are recorded. ³If there are doubts in this regard, only the automatic recording may be continued. ⁴Automatic recordings pursuant to the third sentence must be submitted to a specific member of the Article 10 Committee or their deputy without delay for a decision as to whether the data may be used or must be deleted. ⁵Further details are set out in the Rules of Procedure. ⁶The decision of the Committee member in favour of data use must be confirmed by the Committee without delay. ⁷If the measure has been suspended in accordance with the second sentence, it may be continued unless it is impermissible pursuant to the first sentence. [...]

(2) (...)

10

d) § 5b of the Article 10 Act, which governs the protection of persons entitled to refuse to give evidence and was inserted into the Article 10 Act by the Act Amending the Federal Intelligence Service Act of 22 December 2023 (BGBl no. 410), reads as follows:

§ 5b of the Article 10 Act – Protection of persons entitled to refuse to give evidence

§ 3b applies accordingly to the protection of persons entitled to refuse to give evidence.

11

§ 3b of the Article 10 Act, which is referenced in § 5b, reads as follows:

§ 3b of the Article 10 Act – Protection of persons entitled to refuse to give evidence

(1) ¹Measures pursuant to § 1(1) no. 1 that target a person listed in § 53(1) first sentence nos. 1, 2, 3 or 4 of the Code of Criminal Procedure, limited to lawyers and chamber legal advisors in cases concerning § 53(1) first sentence no. 3 of the Code of Criminal Procedure, and that will probably reveal information with regard to which this person has the right to refuse to give evidence are impermissible. ²Information obtained nonetheless may not be used. ³Recordings thereof must be deleted without delay. ⁴The fact that such information was obtained and its deletion must be documented. ⁵The second and third sentence apply accordingly if, through a measure not targeting a person listed in the first sentence, information is obtained concerning a person mentioned therein with regard to which this person has the right to refuse to give evidence.

(2) ¹If a measure concerns a person listed in § 53(1) first sentence nos. 3 to 3b or no. 5 of the Code of Criminal Procedure, with the exception of lawyers and chamber legal advisors in cases concerning § 53(1) first sentence no. 3 of the Code of Criminal Procedure, and will probably reveal information with regard to which this person has the right to refuse to give evidence, this must be given particular consideration when the proportionality of the measure is reviewed, with due regard to the public interest in the tasks performed by this person and the interest in the confidentiality of the facts which have been confided or have become known to this person. ²Where required, the measure must be suspended or, to the extent possible with regard to the type of measure, restricted.

(3) Subsections (1) and (2) apply accordingly insofar as the persons listed in § 53a of the Code of Criminal Procedure would be entitled to refuse to give evidence.

(4) Subsections (1) to (3) do not apply insofar as the person entitled to refuse to give evidence is a suspect within the meaning of § 3(2) second sentence or factual indications establish the suspicion that they deliberately support a suspect’s endeavours pursuant to § 3(1) by receiving or passing on messages.

12

e) The documentation of completed strategic surveillance of international telecommunications and the deletion of the documentation logs has been governed by § 5(2) fourth to sixth sentence of the Article 10 Act since June 2001. § 5(2) of the Article 10 Act reads in relevant part as follows:

§ 5 of the Article 10 Act – Prerequisites

(1) (...)

(2) ¹When restricting telecommunication traffic, the Federal Intelligence Service may only use search terms that serve to gather intelligence on the dangers determined in the order for surveillance and that are suitable for this purpose.

(...)

⁴The fact that such surveillance was carried out must be documented. ⁵The documentation may only be used for data protection audits. ⁶The documentation must be deleted at the end of the calendar year following the year in which it was logged.

13

From August 2009, § 5a fifth to seventh sentence of the Article 10 Act, which governs the documentation of the collection and deletion of communication contents concerning the core of private life, has read as follows:

§ 5a of the Article 10 Act 2009 – Protection of the core of private life

(...) ⁵The fact that the data was collected and deleted must be documented. ⁶The documentation may only be used for data protection audits. ⁷It must be deleted when it is no longer necessary to this end, or at the end of the calendar year following the year in which it was logged.

14

On 5 July 2021 (BGBl I p. 2274), § 5a seventh sentence of the Article 10 Act was amended; it now reads as follows:

§ 5a of the Article 10 Act 2021 – Protection of the core of private life

(...) ⁵The fact that the data was collected and deleted must be documented. ⁶The documentation may only be used for data protection audits. ⁷It must be deleted following notification or following a determination pursuant to § 12(2).

15

The provisions on the documentation of the deletion of personal data collected through strategic surveillance of international telecommunications in § 6(1) third to seventh sentence of the Article 10 Act have been in force since August 2009; they have been amended several times while the constitutional complaints were pending and now read as follows:

§ 6 of the Article 10 Act – Review, labelling and deletion requirements, purpose limitation

(1) ¹The Federal Intelligence Service examines without delay, and subsequently in intervals of no more than six months, whether the collected personal data is necessary, in the context of its tasks, for the purposes determined in § 5(1) third sentence, either by itself or in combination with other available data. ²Insofar as the data is not necessary for these purposes and is not needed for sharing with other bodies, it must be deleted without delay under the supervision of a staff member who is qualified to hold judicial office. ³The deletion must be documented. ⁴The documentation may only be used for the monitoring of data processing, including data protection audits. ⁵The documentation must be deleted at the end of the calendar year following the year in which it was logged. ⁶With the exception of cases of initial review pursuant to the first sentence, the data is not deleted insofar as it may be of significance for notification pursuant to § 12(2) or for judicial review of the lawfulness of the measure. ⁷In this case, the processing of the data must be limited; it may only be used for these purposes.

(2) to (6) (…)

16

f) From August 2009, the provision on notification requirements in § 12 of the Article 10 Act has read as follows:

§ 12 of the Article 10 Act – Notification of affected persons

(1) ¹ Affected persons must be notified of restrictions pursuant to § 3 once they have been terminated. ²No notification takes place as long as it cannot be ruled out that the purpose of the measure is jeopardised or as long as general disadvantages to the interests of the Federation or of a Land can be foreseen. ³If a notification deferred pursuant to the second sentence is not given within twelve months after termination of the measure, further deferral requires the consent of the Article 10 Committee. ⁴The Article 10 Committee determines the duration of further deferral. ⁵No notification is required if the Article 10 Committee has unanimously determined that

1. one of the prerequisites in the second sentence continues to be met five years after the termination of the measure,

2. it will in all probability also be met in the future and

3. the prerequisites for deletion are met in respect of both the collecting body and the recipient.

(2) ¹Subsection(1) applies accordingly to restrictions pursuant to §§ 5 and 8 insofar as the personal data is not deleted without delay. ²The five-year time limit starts with the collection of the personal data.

(3) (...)

17

g) § 15 of the Article 10 Act, which governs independent oversight and entered into force in June 2001, has been amended several times while the constitutional complaints were pending and now reads as follows:

§ 15 of the Article 10 Act – Article 10 Committee

(1) ¹The Article 10 Committee consists of the chairperson and four committee members as well as five deputy members, who can participate in the meeting and have the right to address the meeting and to ask questions. ²At least three members and three deputy members must be qualified to hold judicial office. ³The members of the Article 10 Committee perform their duties independently and are not bound by instructions. ⁴They hold a public auxiliary office and are appointed, after the Federal Government has been heard on the matter, by the Parliamentary Oversight Body for the length of a parliamentary term of the German Bundestag; their term of office only ends once the new members of the Committee have been appointed. ⁵The Permanent Representative of the Parliamentary Oversight Body regularly participates in the meetings of the Article 10 Committee.

(2) ¹The deliberations of the Article 10 Committee are secret. ²The members of the Committee are obliged to maintain confidentiality with regard to matters that have come to their knowledge in the course of their work on the Committee. ³This also applies after their term as Committee member ends.

(3) ¹The Article 10 Committee is to be provided with the staff and material resources necessary for the performance of its tasks; they must be listed separately in the German Bundestag’s budget section in the chapter for parliamentary oversight of the intelligence services. ²The committee must be provided with staff members with technical expertise.

(4) ¹The Article 10 Committee meets at least once per month. ²It adopts Rules of Procedure which require the consent of the Parliamentary Oversight Body. ³The Federal Government must be heard before consent is given.

(5) ¹The Article 10 Committee decides on the lawfulness and necessity of restrictions, either ex officio or following complaints. ²The Committee’s oversight powers encompass the entire processing of the personal data obtained by the Federation’s intelligence services under this Act, including decisions on the notification of affected persons. ³In particular, the Committee and its staff must be

1. provided information in response to their questions,

2. granted access to all documents, in particular to the stored data and to the data processing programmes that are related to the restriction measure, and

3. granted access to all offices at all times.

⁴Number 2 includes the ability to access data from automated databases during oversight of the Federation’s intelligence service. ⁵The Committee can provide the Federal Commissioner for Data Protection the opportunity to submit statements in relation to data protection matters.

(6) ¹The competent federal ministry obtains the consent of the Article 10 Committee for the restriction measures ordered by it. ²The order may only be implemented once the Article 10 Committee has consented to the measure following a review of its permissibility and necessity. ³If the Article 10 Committee does not consent to the measure, the competent federal ministry must suspend the order without delay.

(7) ¹The competent federal ministry shall provide monthly information to the Article 10 Committee regarding notifications given by federal authorities pursuant to § 12(1) and (2) or regarding reasons that preclude notification. ²If the Committee finds that notification is required, such notification must be given without delay. ³§ 12(3) second sentence remains unaffected insofar as consultation of a Land authority is necessary.

(8) The Article 10 Committee and the Parliamentary Oversight Body regularly exchange information on general matters relating to their oversight activities, in compliance with the applicable confidentiality requirements.

18

§ 26a(2) second sentence of the Act on the Cooperation between the Federation and the Länder in matters of protection of the Constitution and on the Federal Office for the Protection of the Constitution (Federal Protection of the Constitution Act, Bundesverfassungsschutzgesetz – BVerfSchG), which, in its version of 25 May 2018, limited oversight by the Federal Commissioner for Data Protection and Freedom of Information to the extent that oversight was carried out by the Article 10 Committee (G 10-Kommission) read as follows (BGBl I 2017 p. 2097):

§ 26a of the Federal Protection of the Constitution Act 2018 – Independent monitoring of data protection

(1) (...)

(2) ¹(...) ²Insofar as compliance with provisions is subject to oversight by the Article 10 Committee, it is not subject to oversight by the Federal Commissioner for Data Protection and Freedom of Information, unless the Article 10 Committee requests that the Federal Commissioner for Data Protection and Freedom of Information monitor compliance with data protection provisions for certain processes or in certain areas and that the Commissioner report the results exclusively to the Committee.

(3) and (4) (…)

III.

19

1. Strategic surveillance of international telecommunications under the Article 10 Act is directed at surveillance of telecommunications traffic involving at least one communication participant located in Germany and at least one communication participant located in another country. It is part of the Federal Intelligence Service’s general task of conducting surveillance, which, according to § 1(2) first sentence of the Federal Intelligence Service Act, comprises the gathering and analysis of information necessary to obtain intelligence on other countries that is of significance to the Federal Republic of Germany in terms of foreign and security policy.

20

Strategic surveillance of international telecommunications must be distinguished from strategic surveillance of foreign telecommunications under the Federal Intelligence Service Act. The latter type of surveillance concerns telecommunications traffic between foreign communication participants located in other countries only (cf. in this regard Decisions of the Federal Constitutional Court, Entscheidungen des Bundesverfassungsgerichts – BVerfGE 154, 152 ff.).

21

The Federal Intelligence Service is generally barred from using strategic surveillance to intercept telecommunications traffic between German nationals or persons located in Germany (hereinafter: domestic telecommunications – cf. also BVerfGE 154, 152 <252 para. 171>).

22

2. Pursuant to § 9(1) and (2) no. 4 of the Article 10 Act, measures involving strategic surveillance of international telecommunications may only be ordered upon application by the Federal Intelligence Service. This application must contain all information necessary for the order pursuant to § 9(3) second sentence of the Article 10 Act. The Federal Intelligence Service must state the reasons for the order, as well as the type, scope and duration of the intended surveillance measure (cf. § 10(2) second sentence of the Article 10 Act) and the search terms (selectors) which are to be used for the measure (cf. § 10(4) first sentence of the Article 10 Act). Pursuant to § 5(2) first sentence of the Article 10 Act, the search terms used must serve to gather intelligence on the dangers to be determined in the respective order for surveillance (cf. § 5(1) third sentence nos. 1 to 8 of the Article 10 Act), and must be suitable for this purpose. Moreover, the area where information is to be gathered and the transmission routes to be intercepted must be set forth (§ 10(4) second sentence of the Article 10 Act).

23

Based on an application by the Federal Intelligence Service, the Federal Ministry of the Interior and Community orders measures restricting the privacy of telecommunications (cf. § 10(1) of the Article 10 Act). This order must contain the information specified above for the application. It must also be determined what share of the transmission capacity available on these transmission routes may be intercepted (§ 10(4) third sentence of the Article 10 Act). This share may not exceed 20% of transmission capacity (§ 10(4) fourth sentence of the Article 10 Act). The order must be limited to a maximum of three months (§ 10(5) first sentence of the Article 10 Act). Any surveillance measures ordered are subject to oversight by the Article 10 Committee and require its consent under § 15(6) first sentence of the Article 10 Act. A measure may only be implemented once the Article 10 Committee has consented to the measure following a review of its permissibility and necessity (cf. § 15(6) second sentence of the Article 10 Act).

24

According to the facts submitted, no further steps are required for the surveillance of international non-wired telecommunications (transmission via satellite or radio). The Federal Intelligence Service can collect the raw telecommunications data from non-wired transmission with its own interception equipment (cf. BVerfGE 100, 313 <363>; 154, 152 <229 para. 114>; regarding intercept stations of the Federal Intelligence Service: BTDrucks 18/12850, S. 761 ff., p. 1000 ff.).

25

By contrast, when it comes to surveillance of wired international telecommunications, which is the norm in practice (cf. BTDrucks 14/5655, pp. 17; 18/12850, p. 708 f.; […]), further steps are necessary, because in this scenario, the Federal Intelligence Service cannot collect the raw data stemming from the cables under surveillance using its own interception equipment (regarding technical access to data cf. Federal Administrative Court, Judgment of 30 May 2018 – BVerwG 6 A 3.16 –, para. 5). It is therefore reliant on the cooperation and toleration of the operators of the telecommunications systems under surveillance. Pursuant to § 2(1a) first and second sentence of the Article 10 Act (until July 2021: § 2(1) third and fifth sentence of the Article 10 Act, old version), telecommunications service providers (cf. § 3 no. 61 of the Telecommunications Act, Telekommunikationsgesetz – TKG) and those involved in providing telecommunications are obliged, if an order to this effect exists, either to divert telecommunications traffic to the Federal Intelligence Service or to tolerate such a diversion. Pursuant to § 10(6) first sentence of the Article 10 Act, the operators of the telecommunications systems concerned must be informed of the order for surveillance issued by the competent federal ministry, to the extent necessary to enable them to meet their obligation to cooperate.

26

3. In the context of strategic surveillance of international telecommunications, the Federal Intelligence Service in practice first collects the raw data of the telecommunications transmitted as bundles from the transmission routes for which orders for surveillance have been issued. The bundled transmission of telecommunications traffic, which was initially used for satellite traffic and is now also used for wired transmission, allows for the simultaneous transmission of several ten thousand traffic packets via the same physical transmission route (wire or satellite) (cf. BTDrucks 14/5655, p. 17 f.; […]).

27

The raw data is subsequently subject to a multi-step process of automatic filtering and analysis in the sole sphere of the Federal Intelligence Service. The data undergoes technical processing to categorise it into different types of data (for example streaming data, browsing history data, telecommunications data).

28

In order to automatically remove telecommunications traffic involving only German nationals and persons located in Germany, the raw data is filtered by means of the data filtering mechanism (DAFIS) using various formal parameters – such as country calling codes (‘+49‘), top-level domains (‘.de‘) or IP addresses. In addition, the data is compared with a list, maintained by the Federal Intelligence Service, of telecommunications identifiers that can be attributed to Germans or persons within Germany (‘Article 10 list’). The communications identified as domestic communications in the context of this filtering are automatically removed and deleted.

29

According to the Federal Government, the Federal Intelligence Service implements an additional electronic filtering process for packet-switched telecommunications to identify domestic communications (‘Article 10 assessment’). This process takes into account further indications and parameters relating to metadata that suggest a link to Germany; it was not specified further what these indications and parameters are.

30

According to information provided by the Federal Government, the DAFIS filtering mechanism and the Article 10 assessment allow for the automatic removal of 96% to 98% of all domestic telecommunications traffic. It is unknown how many errors occur during the entire filtering process.

31

Raw data that has not been removed is then automatically cross-checked against the search terms determined in the respective orders for surveillance. Thus, telecommunication contents are only manually analysed by staff of the Federal Intelligence Service when elements of collected telecommunications have been flagged as relevant in the computer-based cross-checking (‘matches’). Raw data which does not yield any matches when cross-checked against the search terms is deleted from the systems without delay.

32

The telecommunications stored as matches are manually examined as to their relevance for intelligence services in a multi-step process and then further analysed. It is also manually examined whether domestic telecommunications traffic or traffic relating to the core of private life has been collected despite the automatic filtering mechanisms. Data that is not relevant to the intelligence services, domestic telecommunications, and telecommunications relating to the core of private life that have not been identified in the automated procedures are deleted.

33

4. Pursuant to § 6(1) first sentence of the Article 10 Act, the Federal Intelligence Service must examine whether the personal data collected through strategic surveillance of international telecommunications (‘matches‘) is necessary in the context of its tasks for the purposes determined in § 5(1) third sentence of the Article 10 Act, either by itself or in combination with other available data. It must conduct the initial examination without delay and subsequent examinations in intervals of no more than six months. Pursuant to § 6(1) second sentence of the Article 10 Act, data that is not needed must be deleted without delay and under supervision. Its deletion must be documented in accordance with § 6(1) third sentence of the Article 10 Act. This documentation data must be deleted at the end of the calendar year following the year in which it was logged (§ 6(1) fifth sentence of the Article 10 Act). Moreover, the collected data must be labelled in accordance with § 6(2) of the Article 10 Act; it may only be used for the surveillance purposes referenced in § 5(1) third sentence of the Article 10 Act and for data sharing purposes pursuant to §§ 7 and 7a of the Article 10 Act.

IV.

34

The complainants lodged their constitutional complaints on 5 August 2016 (1 BvR 1743/16) and 11 November 2016 (1 BvR 2539/16), respectively. They assert that the challenged provisions violate the privacy of telecommunications under Art. 10(1) of the Basic Law.

35

With regard to the protection of the core of private life, the complainants in proceedings 1 BvR 2539/16 further claim a violation of Art. 1(1) of the Basic Law. Regarding the provisions on documentation, deletion and notification requirements, they also claim a violation of Art. 19(4) of the Basic Law. Complainants nos. 5) and 6) in proceedings 1 BvR 2539/16, who are not from Germany, additionally assert a violation of Art. 3(1) of the Basic Law with regard to the fact that the prohibition on using targeted surveillance of individuals in § 5(2) second sentence no. 1 of the Article 10 Act only applies to German nationals and persons in Germany.

36

By submission of 23 February 2024, the complainant in proceedings 1 BvR 1743/16 expanded his constitutional complaint to include the provision on the protection of persons entitled to refuse evidence in § 5b of the Article 10 Act, which entered into force on 1 January 2024.

37

To the extent that the complainants in proceedings 1 BvR 2539/16 initially challenged the inadequate cooperation of the oversight bodies in the context of oversight pursuant to § 15(5) of the Article 10 Act in conjunction with § 24(2) third sentence of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) as amended on 25 February 2015 (BGBl I p. 162), they amended their constitutional complaint by submission of 4 June 2018. In this regard, they now challenge § 15(5) of the Article 10 Act in conjunction with § 26a(2) second sentence of the Federal Protection of the Constitution Act 2018.

38

To the extent that the complainants in proceedings 1 BvR 2539/16 initially also challenged the Federal Intelligence Service’s powers to share data collected in accordance with § 5(1) third sentence no. 8 of the Article 10 Act with other authorities (§ 7(2), (4), (4a) and § 7a(1) first sentence, (2) of the Article 10 Act as amended by the Act to Improve Cooperation Regarding the Protection of the Constitution of 17 November 2015, BGBl I p. 1938 – hereinafter: Article 10 Act 2015), they declared, by submission of 5 February 2024, that this part of their constitutional complaint had been resolved.

39-55

[…]

V.

56

The Federal Government, the Federal Commissioner for Data Protection and Freedom of Information and the Sixth Division deciding on appeals on points of law (Revisionssenat) of the Federal Administrative Court (Bundesverwaltungsgericht) submitted statements on the constitutional complaints.

57-73

[…]

B.

I.

74

1. The two constitutional complaints are directed against the statutory authorisation of the Federal Intelligence Service to conduct strategic surveillance of international telecommunications in relation to cyberthreats under § 5(1) third sentence no. 8 of the Article 10 Act, which was inserted into the Article 10 Act in November 2015. Such cyberthreats are, in particular, threats posed by possible attacks on the confidentiality, integrity or availability of IT systems and networks, using malware (such as virus software) or similar malicious IT technology (i.e., threats posed by cyberattacks, for example in the form of cyber espionage or cyber sabotage, cf. BTDrucks 18/4654, p. 40 f.).

75

2. Moreover, the constitutional complaints challenge several supplementary provisions regarding the proportionate design of the surveillance powers under § 5(1) third sentence no. 8 of the Article 10 Act (§ 5(2) second sentence no. 1 and no. 2, third sentence in conjunction with the second sentence no. 1 and no. 2, sixth sentence, § 5a first sentence, second to fourth sentence, seventh sentence, § 5b in conjunction with § 3b, § 6(1) fifth sentence, § 10(4) third and fourth sentence, § 12(2) first sentence in conjunction with §12(1) second sentence, § 15 of the Article 10 Act and § 15(5) second sentence of the Article 10 Act in conjunction with § 26a(2) second sentence of the Protection of the Constitution Act 2018). These can therefore be included in the constitutional review (cf. BVerfGE 155, 119 <157 para. 64> – Subscriber data II; 162, 1 <50 paras. 90 and 64 f., para. 132> – Bavarian Protection of the Constitution Act; 165, 1 <44 f. para. 75> – Police powers under the Security and Public Order Act for Mecklenburg-Western Pomerania; established case-law).

76

3. The constitutional complaint in proceedings 1 BvR 2539/16 is no longer directed at the authorisations of the Federal Intelligence Service to share the data obtained through strategic surveillance of international telecommunications pursuant to § 5(1) third sentence no. 8 of the Article 10 Act with other authorities (§ 7(2), (4), (4a) and § 7a(1) first sentence, § 7a(2) of the Article 10 Act 2015). These powers to share data were fundamentally revised by Art. 2 of the Act to Amend the Federal Intelligence Service Act of 22 December 2023 (BGBl I no. 410). The complainants in proceedings 1 BvR 2539/16 thereupon declared that their constitutional complaint had been resolved in this regard. This means that there is no longer any basis for a decision within the scope of this declaration (cf. BVerfGE 85, 109 <113>; 162, 1 <49 f. para. 88>; established case-law).

II.

77

The Federal Constitutional Court has jurisdiction to review the compatibility of the challenged provisions with the fundamental rights of the Basic Law, even though the challenged provisions are related to data protection provisions in legal acts of the European Union. This is because under Art. 4(2) third sentence of the Treaty on European Union (TEU), which provides that national security in particular remains the sole responsibility of each Member State, the legal acts of the European Union relating to data protection are not applicable to the Federal Intelligence Service’s powers to conduct strategic surveillance of international telecommunications.

78

The Court of Justice of the European Union (CJEU) has held that the objective of safeguarding national security corresponds to the primary interest in protecting the essential functions of the state and the fundamental interests of society. This responsibility encompasses the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the state itself, such as terrorist activities (cf. CJEU, Judgments of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C-512/18 and C-520/18, EU:C:2020:791, para. 135 and Privacy International, C-623/17, EU:C:2020:790, para. 74; Judgment of 5 April 2022, Commissioner of An Garda Síochána, C‑140/20, EU:C:2022:258, para. 61; Judgment of 20 September 2022, SpaceNet AG and Others, C‑793/19 and C-794/19,, EU:C:2022:702, para. 92; Judgment of 23 March 2023, Generalstaatsanwaltschaft Bamberg, C‑365/21, EU:C:2023:236, para. 55).

79

The Federal Intelligence Service’s authorisation to conduct strategic surveillance of international telecommunications under § 5(1) third sentence no. 8 of the Article 10 Act, which is at the centre of the present challenge, serves to protect national security by allowing for the early detection of international cyberattacks that are capable of seriously destabilising the fundamental constitutional, political, economic or social structures of the Federal Republic of Germany and, in particular, of directly threatening society, the population or the state itself.

80

In this context, Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, does not apply in accordance with Art 2(3)(a) of the Directive, read in the light of its 14th recital (cf. CJEU, Judgment of 30 January 2024, Direktor na Glavna direktsia ‘Nationala politsia’ pri MVR-Sofia, C-118/22, EU:C:2024:97, para. 38). Under its Art. 2(3)(a), this directive does not apply to the processing of personal data in the course of an activity which falls outside the scope of EU law. This is the case for activities concerning national security in accordance with the 14th recital.

81

The same applies to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) in accordance with Art. 2(2)(a) of the Regulation, read in the light of its 16th recital.

III.

82

The constitutional complaints are admissible in part, to the extent that the complainant in proceedings 1 BvR 1743/16 and complainants nos. 1) to 4) in proceedings 1 BvR 2539/16 assert that the authorisation to conduct strategic surveillance of international telecommunications in relation to cyberthreats pursuant to § 5(1) third sentence no. 8 of the Article 10 Act is not appropriate, given that it does not sufficiently guarantee that data stemming from domestic telecommunications is removed (para. 95 ff.). The constitutional complaints are also admissible with regard to the challenge that the protection of the core of private life is inadequate for persons in Germany under § 5(2) second sentence no. 2 and § 5a first sentence of the Article 10 Act, as claimed by the complainant in proceedings 1 BvR 1743/16 (para. 105), and that such protection is inadequate for persons in other countries under § 5(2) third sentence in conjunction with § 5(2) second sentence no. 2 of the Article 10 Act, as claimed by complainant no. 5) in proceedings 1 BvR 2539/16 (para. 106 f.). The constitutional complaints are also admissible to the extent that all complainants in proceedings 1 BvR 2539/16 assert that the retention period for the documentation of strategic surveillance of international telecommunications, laid down in § 5(2) sixth sentence of the Article 10 Act, is too short (para. 108) and to the extent that the complainant in proceedings 1 BvR 1743/16 claims that the independent oversight regime is inadequate (para. 109).

83

By contrast, both constitutional complaints are inadmissible to the extent that all complainants claim that the limits on the volume of data under surveillance under § 10(4) third and fourth sentence of the Article 10 Act are insufficient (para. 111 ff.). Moreover, the constitutional complaint in proceedings 1 BvR 1743/16 is inadmissible to the extent that the complainant asserts that the protection of the core of private life at the stage of data analysis pursuant to § 5a second to fourth sentence in conjunction with § 3a(1) second to seventh sentence of the Article 10 Act (para. 114) and the protection of confidentiality in relationships of trust pursuant to § 5b in conjunction with § 3b of the Article 10 Act are inadequate (para. 115). The constitutional complaint in proceedings 1 BvR 2539/16 is also inadmissible to the extent that the complainants claim that the design of the targeted surveillance of individuals in Germany pursuant to § 5(2) second sentence no. 1 of the Article 10 Act (para. 116 f.) and of foreigners in other countries pursuant to § 5(2) third sentence in conjunction with § 5(2) second sentence no. 1 of the Article 10 Act (para. 118 f.) is inadequate. It is further inadmissible to the extent that they challenge insufficient documentation of the deletion of communication contents relating to the core of private life pursuant to § 5a seventh sentence of the Article 10 Act (para. 120) and of collected personal data pursuant to § 6(1) fifth sentence of the Article 10 Act (para.121 ff.), insufficient notification requirements pursuant to § 12(1) second sentence in conjunction with § 12(2) first sentence of the Article 10 Act (para. 124) and insufficient cooperation of different oversight entities pursuant to § 15(5) of the Article 10 Act in conjunction with § 26a(2) second sentence of the Protection of the Constitution Act 2018 (para. 125).

84

1. If a constitutional complaint is directed against legislation that authorises security authorities to carry out covert measures, as in the present case, special admissibility prerequisites apply with regard to standing and the subsidiarity of the constitutional complaint (cf. BVerfGE 162, 1 <51 ff. para. 93 ff.>; 165, 1 <29 ff. para. 37 ff.>).

85

a) Pursuant to Art. 93(1) no. 4a of the Basic Law and § 90(1) of the Federal Constitutional Court Act (Bundesverfassungsgerichtsgesetz – BVerfGG), a constitutional complaint can only be admissible if the complainants assert that their fundamental rights – or rights equivalent to fundamental rights – have been violated by an act of public authority (standing; cf. BVerfGE 140, 42 <54 para. 47>; 162, 1 <51 f. para. 93>). They must demonstrate, in accordance with the substantiation requirements under § 23(1) second sentence and § 92 of the Federal Constitutional Court Act, that a violation of fundamental rights appears possible (see aa) below) and that they are individually, directly and presently affected (see bb) below) (cf. BVerfGE 125, 39 <73>; 159, 355 <375 para. 25> – Federal pandemic emergency brake II).

86

aa) […]

87

bb) Special prerequisites apply for demonstrating that complainants are individually, directly and presently affected when a constitutional complaint is directed against statutory powers to carry out covert measures (cf. BVerfGE 162, 1 <52 f. para. 96>; 165, 1 <31 para. 41>).

88

(1) It is true that the provisions challenged here only take effect on the basis of additional acts of implementation that take the form of data collection or further processing. However, it must be assumed that complainants are directly affected by legislation that requires implementation if they cannot seek legal recourse because they have no way of knowing whether a measure was carried out or when they may not be notified, even though a requirement to notify the data subject ex post is applicable, given that it can be waived over long periods on the basis of extensive exceptions (cf. BVerfGE 155, 119 <159 para. 73>; 162, 1 <53 f. para. 99>).

89

(2) (a) In order to establish the possibility of being individually and presently affected by the statutory authorisation of covert measures which only gives rise to specific impairments once implemented and in respect of which affected persons typically have no knowledge of any acts of implementation, it is sufficient that complainants demonstrate that it is likely that their fundamental rights are affected by measures taken on the basis of the legislation in question (cf. BVerfGE 155, 119 <160 para. 75>). A submission that the complainants are responsible for activities threatening security in order to demonstrate that they are individually affected is not necessary in this regard, nor are statements in which complainants would have to incriminate themselves (cf. BVerfGE 130, 151 <176 f.>; established case-law). It is likely that complainants are individually affected when the surveillance measures at issue have an exceptionally broad and indiscriminate scope, i.e. when the measures do not target a narrow group of persons, in particular when they also cover a large number of third parties at random (BVerfGE 162, 1 <53 para. 98>). In special cases, complainants must additionally provide more detailed information about the type and subject of the technologies and services that may be subject to surveillance and about their own usage behaviour. This is necessary when it would otherwise not be readily ascertainable whether their usage even generates any data that could come under the scrutiny of the security authorities (BVerfGE 162, 1 <53 para. 98> with further references).

90

(b) If a statutory provision authorises different measures that each result in separate fundamental rights interferences, it must be examined separately, for each measure, whether the complainants are affected. Complainants must demonstrate for each measure challenged by them that it is likely that their fundamental rights are affected (cf. BVerfGE 155, 119 <160 para. 75>; 162, 1 <53 para. 97>; 165, 1 <31 para. 43>). This is because the Court only examines the constitutionality of a statutory authorisation if there is a specific challenge in this regard (cf. BVerfGE 162, 1 <64 f. para. 132>; 165, 1 <44 f. para. 75>).

91

(3) The supplementary provisions regarding the proportionate design and limitation of the covert surveillance powers are treated differently when it comes to the question whether the complainants are affected. These provisions are generally no separate subject matter in the proceedings, but are indirectly reviewed by the Federal Constitutional Court in the context of the review of the principally challenged provisions (cf. BVerfGE 162, 1 <65 para. 132>). The fact that these supplementary provisions insufficiently specify and limit the surveillance powers results in a violation of fundamental rights as these powers are inappropriate, but it does not amount to a separate interference with fundamental rights. In light of this, when examining whether the complainants are affected by these supplementary provisions, it must be assessed whether the complainants are affected by the surveillance powers in such a way that statutory specification and limitation by supplementary provisions become necessary to satisfy proportionality requirements. When complainants are affected by the surveillance powers, this generally indicates that they are also affected by the supplementary provisions specifying and limiting these powers. Whether complainants are affected by such supplementary provisions need only be examined separately in cases where the powers in question need only be specified and limited for a specific subset of those affected by the powers.

92

b) The subsidiarity of the constitutional complaint also gives rise to special admissibility prerequisites. It is true that no remedies exist before the ordinary courts within the meaning of § 90(2) of the Federal Constitutional Court Act to directly challenge acts of Parliament, which would have to be exhausted before lodging a constitutional complaint. However, constitutional complaints must also satisfy the requirements arising from the principle of subsidiarity in a broader sense. Exhausting the remedies formally available for achieving the immediate aim of legal action is not sufficient in this regard; rather, all options that might remedy the asserted fundamental rights violation must be pursued. This also serves the purpose of ensuring that the Federal Constitutional Court does not have to take far-reaching decisions on an uncertain factual and legal basis. It is the ordinary courts – which are primarily responsible for the interpretation and application of ordinary law – that must first address the points of fact and law at issue. The principle of subsidiarity therefore generally requires that, before lodging a constitutional complaint, the complainants first pursue all available procedural options that might remedy the alleged violation of the Constitution or prevent a fundamental rights violation. This also applies if it is unclear whether the type of remedy sought is in principle admissible and can be admissibly lodged in the specific case (cf. in this regard BVerfGE 162, 1 <54 para. 100>; 165, 1 <32 f. para. 45>; Federal Constitutional Court, Order of the First Senate of 17 July 2024 - 1 BvR 2133/22 -, para. 40 – Hessian Protection of the Constitution Act; established case-law).

93

c) The constitutional complaints satisfy these requirements in part. The complainants have sufficiently substantiated their standing in part […], and the constitutional complaints are not rendered inadmissible in view of the principle of subsidiarity […].

94-125

aa) […]

126

bb) The principle of subsidiarity does not preclude the admissibility of the constitutional complaints, as no other suitable procedural avenues before the ordinary courts exist that could remedy the asserted violations of fundamental rights.

127

The complainants cannot be expected to lodge a complaint with the Article 10 Committee within the meaning of § 15(5) first sentence of the Article 10 Act (cf. BVerfGE 100, 313 <354 ff.>). Such a complaint is not part of the legal protection afforded by the ordinary courts. Rather, the Article 10 Committee is a special type of oversight body outside the judiciary (cf. BVerfGE 30, 1 <23>; 67, 157 <171>).

128

Nor can the complainants be pointed to avenues of legal protection before the administrative courts (in terms of the outcome see BVerfGE 100, 313 <354 ff.>; 154, 152 <212 f. para. 79 f.>). In particular, it cannot be ascertained that the complainants could meet the strict admissibility prerequisites of the Federal Administrative Court regarding legal protection against strategic surveillance of international telecommunications (cf. Decisions of the Federal Administrative Court, Entscheidungen des Bundesverwaltungsgerichts – BVerwGE 149, 359 <364 para. 19 ff.>; 157, 8 <12 ff. para. 14 ff.>; 161, 76 <77 f. para. 12 ff.>).

129-130

2. […]

C.

131

Insofar as the constitutional complaints are admissible, they are well-founded for the most part. The complainants can invoke the privacy of telecommunications protected by Art. 10(1) of the Basic Law (see I. below), and the challenged provisions interfere with the privacy of telecommunications (see II. below). These interferences are not justified under constitutional law (see III. below).

I.

132

1. The complainants in both proceedings can invoke the privacy of telecommunications (Art. 10(1) of the Basic Law). This also applies to complainant no. 1) in proceedings 1 BvR 2539/16 as a domestic legal person, since Art. 10(1) of the Basic Law is applicable to legal persons in its essence (cf. BVerfGE 154, 152 <207 para. 67>).

133

Complainants nos. 5) and 6) in proceedings 1 BvR 2539/16, who are from another country, can invoke Art. 10(1) of the Basic Law in its dimension as a defensive right against state interference. The protection afforded by Art. 10(1) of the Basic Law also applies to telecommunications surveillance of persons in other countries (cf. BVerfGE 154, 152 <215 para. 87>). This is not altered by the fact that complainants nos. 5) and 6) are officials of a legal person based abroad. Officials can invoke their own fundamental rights, even if the protection claimed by them automatically also benefits the legal person they are part of (cf. BVerfGE 154, 152 <207 f. para. 69>).

134

2. The challenged powers in § 5(1) third sentence no. 8 of the Article 10 Act implicate the scope of protection of Art. 10(1) of the Basic Law (privacy of telecommunications).

135

The constitutional protection afforded by Art. 10(1) of the Basic Law has historically sought to prevent a situation in which remote exchanges of opinions or information cease altogether, or the content or means of communication is altered, because of the expectation that state authorities will intercept communications and thereby obtain knowledge of the relevant content and circumstances of the communications (cf. BVerfGE 100, 313 <359>; 113, 348 <365>). The privacy of telecommunications counters both old and new risks to one’s personality arising from the increased significance of information technology for the personal development of the individual (cf. in this regard BVerfGE 120, 274 <307> with further references).

136

The privacy of telecommunications under Art. 10(1) of the Basic Law first and foremost protects the content of communications. The state should, in principle, not be allowed to obtain knowledge of the content of communications made via telecommunications systems. Art. 10 of the Basic Law does not distinguish between communication of a private nature and other communication, such as business or political communication, nor does it distinguish between different modes of transmission or forms of expression. Rather, the fundamental rights protection extends to all communication taking place by means of telecommunications technology. The fundamental right likewise protects the circumstances of communications. In particular, this includes whether, when, and how often telecommunications traffic occurred or was attempted, between whom or between which devices. The confidential use of the telecommunication medium must be ensured in all respects. By generally shielding individual communications from the reach of the state, the fundamental right is meant to preserve the conditions that are necessary to ensure free telecommunications in general (cf. BVerfGE 100, 313 <358 f.>).

137

The protection under Art. 10(1) of the Basic Law applies not only to the initial access whereby public authorities obtain knowledge of telecommunications activities and contents. This fundamental right also protects against information and data processing measures that follow after the state obtained knowledge of protected communications, and against any subsequent use of the information thus obtained (cf. BVerfGE 100, 313 <359>; 125, 260 <309>).

138

§ 5(1) third sentence no. 8 of the Article 10 Act authorises the Federal Intelligence Service to collect and further process personal data in the context of covert strategic surveillance of international telecommunications; it thus concerns the protections afforded by the privacy of telecommunications under Art. 10(1) of the Basic Law.

II.

139

The challenged powers to conduct strategic surveillance of international telecommunications under § 5(1) third sentence no. 8 of the Article 10 Act allow for different fundamental rights interferences.

140

1. Given that Art. 10(1) of the Basic Law serves to protect the confidentiality of communications, any instance where the state obtains knowledge of, records or uses communication data constitutes an interference with fundamental rights (cf. BVerfGE 100, 313 <398>; 125, 260 <310> with further references).

141

2. a) The recording of raw data stemming from telecommunications traffic from transmission modes that are specified by the orders for surveillance – i.e. the interception of satellite and radio signals and of wired data – constitutes an interference with Art. 10(1) of the Basic Law, both in relation to foreign persons and in relation to German nationals, regardless of whether either foreign or German nationals are located in Germany or in other countries (cf. BVerfGE154, 152 <229 f. para. 114 ff., 252 para. 172>). Such recording of personal data constitutes data collection within the meaning of constitutional law. Its aim is to make the data of affected persons accessible to the Federal Intelligence Service, allowing it to analyse the data according to content-related criteria on the basis of search terms. The data that is later removed is not just intercepted unintentionally, but is deliberately collected to analyse whether it contains relevant intelligence and, as the case may be, for subsequent use (cf. BVerfGE 154, 152 <229 para. 115>; cf. also BVerfGE 100, 313 <366>).

142

The recording of telecommunications traffic involving German nationals and persons located in Germany also amounts to an interference with Art. 10(1) of the Basic Law. Such an interference cannot be found to exist only where domestic telecommunications traffic is recorded incidentally and for purely technical reasons and then deleted immediately after signals processing without leaving any trace (cf. BVerfGE 100, 313 <366>). In this case, the authorities’ interest in such incidentally recorded data would not have taken such specific shape that the persons concerned must be considered to be affected in such a way that it qualifies as an interference with fundamental rights (cf. BVerfGE 100, 313 <366>; 115, 320 <343>; 150, 244 <266 para. 43>). However, the current state of technology does not allow for a complete removal of data concerning German nationals and persons within Germany, meaning that in some cases such data is included in the analysis. It is then only deleted once the relevant data has been identified during manual screening. While it is not clearly ascertainable that § 5(1) third sentence no. 8 of the Article 10 Act permits this approach, such an understanding of the provision is required in order to be able to apply it at all; this is also how it is understood in practice (cf. BVerfGE 154, 152 <230 para. 117> regarding a similar understanding of § 6(1) and (4) of the Federal Intelligence Service Act 2016 governing strategic surveillance of foreign telecommunications; this is also supported by the Federal Government’s statement in the present proceedings). This amounts to an interference in relation to persons whose data is intercepted in this manner, is not deleted after signals processing without leaving any technical traces, and whose data is thus viewed by Federal Intelligence Service staff (cf. BVerfGE 154, 152 <230 para. 117>).

143

b) § 5(1) third sentence no. 8 of the Article 10 Act gives rise to further interferences with fundamental rights in that the provision authorises [the Federal Intelligence Service] to analyse the intercepted data. The powers to automatically screen the recorded telecommunications using search terms, to manually analyse the telecommunications traffic thereby identified and to further use the collected data each constitute a separate interference with fundamental rights (cf. also BVerfGE 154, 152 <230 f. para. 118>).

III.

144

These interferences with Art. 10(1) of the Basic Law are justified only in part. While the challenged provisions are formally constitutional (see 1. below), they do not satisfy the requirements arising from the principle of proportionality (see 2. below).

145

1. In formal terms, the authorisation to conduct strategic surveillance of international telecommunications for the purpose of detecting cyberthreats under § 5(1) third sentence no. 8 of the Article 10 Act is compatible with the Constitution. In particular, the Federation has the necessary legislative competence.

146

a) Under Art. 73(1) no. 1 of the Basic Law, the Federation has exclusive legislative competence with regard to foreign affairs and defence, including the protection of the civilian population. Foreign affairs within the meaning of Art. 73(1) no. 1 of the Basic Law are those matters that are significant for the relations between the Federal Republic of Germany and other states or international organisations, in particular with regard to foreign policy (cf. BVerfGE 100, 313 <368 f.>; 154, 152 <232 f. para. 125>). This also includes the establishment of a body to conduct comprehensive foreign surveillance and its equipment with powers that match these tasks. That said, the tasks that the legislator can confer in this regard are limited (cf. BVerfGE 100, 313 <369 f.>; 154, 152 <232 para. 124>).[…]

147-150

1. b) […]

151

2. Yet the interferences with fundamental rights resulting from § 5(1) third sentence no. 8 of the Article 10 Act are not justified, as these surveillance powers do not satisfy the principle of proportionality.

152

a) Covert surveillance powers are only compatible with the Constitution in substantive terms if they satisfy the requirements of specificity and legal clarity (see aa) below) and of proportionality (see bb) below).

153

aa) Under Art. 10(2) first sentence of the Basic Law, interferences with Art. 10(1) of the Basic Law must be based on a statutory authorisation, which must satisfy the principle of specificity and legal clarity (cf. BVerfGE 154, 152 <237 para. 137>; established case-law). It is sufficient that, when interpreting the relevant provision in line with the accepted rules of interpretation, it is possible to determine whether the actual conditions that trigger the legal consequence laid down in the provision have been met (cf. BVerfGE 156, 11 <45 para. 86>; 163, 43 <83 para. 109>; established case-law). The primary focus of legal clarity is that citizens are able to understand legislation; this requires that the substance of individual provisions must be comprehensible and can be specified through interpretation without any major difficulty (cf. BVerfGE 163, 43 <83 para. 111>; 165, 1 <54 para. 97>; established case-law).

154

When data is collected and processed covertly, particularly strict requirements apply with regard to specificity and legal clarity. Affected persons are typically unaware that they are being targeted by covert surveillance measures and are thus seldom able to take legal action to defend themselves. As a result, the contents of the relevant legislation can only be specified to a limited degree through the interplay of practical application and judicial review, and the legislator must compensate for this by ensuring that the provisions in question are sufficiently specific (cf. BVerfGE 154, 152 <237 f. para. 137; 162, 1 <95 para. 200, 125 f. para. 273> with further references). Intelligence services, including those conducting foreign surveillance, are not exempt from these requirements. Their powers must be determined by law in a clear and specific manner (cf. BVerfGE 154, 152 <238 f. para. 138 ff.>; 162, 1 <126 para. 274>).

155

bb) To the extent that the challenged provision authorises interferences with the privacy of telecommunications, it can only be justified if it satisfies the principle of proportionality. Thus, it must pursue a legitimate purpose, be suitable and necessary to achieve the legitimate purpose and be proportionate in the strict sense. For covert surveillance powers, special requirements arise from the principle of proportionality in the strict sense (cf. BVerfGE154, 152 <239 para. 141>; 162, 1 <72 f. para. 149> with further references; established case-law).

156

b) The principle of proportionality gives rise to special requirements regarding the design and limitation of the powers to conduct surveillance of international telecommunications. These surveillance powers can be compatible with Art. 10(1) of the Basic Law despite their particular severity of interference (see aa) below) due to the exceptional public interest in effective foreign surveillance (see bb) below) as a special instrument of gathering foreign intelligence (see cc) below), provided that they are sufficiently specified and limited by law (see dd) below).

157

aa) Strategic telecommunications surveillance is an instrument that gives rise to particularly serious interference (cf. also BVerfGE 154, 152 <241 para. 146>). This is based on the consideration that any covert surveillance of telecommunications in principle amounts to a serious interference with the privacy of telecommunications, because such surveillance encroaches on communications that are often private and possibly even highly confidential in nature (cf. BVerfGE 113, 348 <382 ff.>; 141, 220 <264 f. para. 92>; 154, 152 <241 para. 147>).

158

However, the fact that the surveillance of international telecommunications is incomplete and typically less targeted than the surveillance of individual telecommunications reduces the severity of the resulting interference. Moreover, the type of surveillance at issue is aimed at gathering intelligence on other countries, and it is the exclusive responsibility of the Federal Intelligence Service, an authority that in principle does not have any operational powers of its own (cf. in this regard BVerfGE 154, 152 <241 f. para. 148 f.>). On the other hand, it must be taken into account that the strategic surveillance of international telecommunications also covers German nationals and persons in Germany, and thus reaches deeper into the domestic legal order. Not only is the German state vested with sovereign powers in this regard, such surveillance measures can also entail operational action against affected persons who are German nationals or located in Germany – in contrast to the strategic surveillance of foreign telecommunications (cf. in this regard BVerfGE 154, 152 <242 para. 149>). The severity of interference resulting from the surveillance of international telecommunications therefore exceeds that resulting from the surveillance of foreign telecommunications (cf. BVerfGE 154, 152 <252 para. 172>).

159

The exceptionally broad and indiscriminate scope of strategic telecommunications surveillance is particularly aggravating, as such surveillance can be used against anyone without specific grounds and is guided solely by certain specific purposes (cf. BVerfGE 100, 313 <380>; 154, 152 <242 para. 150>).

160

Such powers have an exceptional reach, particularly given the realities of modern communication technology and the significance of its effect on communications. The severity of interference resulting from these powers significantly exceeds that of the powers which the Federal Constitutional Court addressed in its 1999 decision concerning strategic surveillance measures targeting international communications (BVerfGE 100, 313). At the same time, the possibilities available to intelligence services for analysis have expanded. It is now also possible to use strategic telecommunications surveillance to target specific persons by using formal search terms such as telecommunications identifiers; strategic surveillance thus more closely resembles targeted surveillance of individuals (cf. BVerfGE 154, 152 <242 ff. para. 150 ff.>).

161

bb) This particularly severe interference must be balanced against an exceptionally significant public interest: the effective surveillance of international telecommunications by the Federal Intelligence Service with the aim of timely detection and addressing of the dangers listed in § 5(1) of the Article 10 Act. The weight accorded to this public interest is determined by circumstances that cannot be compared with the realities at the time [of the Federal Constitutional Court’s decision in 1999] (BVerfGE 100, 313), both in view of the fundamental changes in the foreign and security policy situation and the considerably expanded technological possibilities that can be used against the national interests of the Federal Republic of Germany. The surveillance interest is of particular significance especially with regard to international surveillance, given its domestic dimension. It is significant that threats originating from abroad have increased considerably as part of the advances in information technology and international communication as well as the greater interconnectedness of life across international borders. Also of concern are the increased IT vulnerabilities of modern society, which is reliant on IT networks in a number of ways. The early detection of dangers originating from abroad therefore takes on particular importance for public security. The expansion and internationalisation of the possibilities for conducting communication and the resulting increased politicisation and ability to organise of international state and non-state groups mean that domestic threat situations frequently originate from networks of actors cooperating internationally. Some of these activities seek to destabilise society and can jeopardise the constitutional order, the existence and security of the Federation or the Länder and life, limb and liberty. These are legal interests that are exceptionally significant under constitutional law, and the legislator may consider effective foreign surveillance, circumscribed in accordance with the rule of law, to be an essential means for protecting these interests (cf. for strategic surveillance of foreign telecommunications BVerfGE 154, 152 <248 f. para. 161 ff.> with further references).

162

cc) Given this exceptionally significant interest in effective foreign surveillance, the powers to conduct strategic surveillance of international telecommunications, which are in part more intrusive than the powers to conduct strategic surveillance of foreign telecommunications, are in principle still compatible with Art. 10(1) of the Basic Law as a special instrument of gathering foreign intelligence, although such powers, which are guided solely by the specific purpose pursued, would be disproportionate when granted to security authorities or intelligence services operating domestically (cf. BVerfGE 100, 313 <383>; 154, 152 <244 f. para. 155 f.>). Even as an instrument of foreign surveillance, however, the powers to conduct strategic surveillance are exceptional powers that must be restricted to surveillance conducted by an authority that has no operational powers for public security measures. These powers can only be justified by the authority’s particular tasks and the specific conditions under which these tasks are performed. Under the principle of proportionality, the specific design of the surveillance powers must be in line with these considerations (cf. BVerfGE 154, 152 <250 para. 166>).

163

dd) As a special instrument for gathering foreign intelligence, the statutory authorisation to conduct strategic telecommunications surveillance is only appropriate if its focus is sufficiently shaped and limited through clear provisions despite its exceptionally broad and indiscriminate scope. The Basic Law does not allow global and sweeping surveillance, including for the purpose of gathering foreign intelligence (cf. BVerfGE 100, 313 <376>; 154, 152 <250 f. para. 167 f.>). This also applies to strategic surveillance of international telecommunications.

164

(1) Firstly, the legislator must use sufficiently precise and clear legal provisions to limit the powers to conduct strategic surveillance of international telecommunications to those purposes that serve to protect high-ranking interests of the common good, the violation of which would result in serious harm to external and domestic peace or to the legal interests of individuals (cf. BVerfGE 100, 313 <373>; 154, 152 <253 f. para. 176>).

165

(2) Secondly, clear provisions are needed that require the use of the technical means available to remove data from domestic telecommunications traffic, i.e. telecommunications involving only German nationals and persons located in Germany. As far as technically possible, automated filters must be used to ensure that the Federal Intelligence Service’s staff do not obtain knowledge of such telecommunications data. The indiscriminate interception of all data, including domestic data, by the Federal Intelligence Service’s systems is not impermissible from the outset as long as it is technically unavoidable. However, the legislator must then enact clear provisions requiring that data stemming from domestic communications be technically separated and deleted without any trace, using any means available, before the data is manually analysed. The Federal Intelligence Service must also be required to continuously develop and adapt the filtering methods. Moreover, data stemming from domestic telecommunications traffic that has not been removed for purely technical reasons must generally be deleted without delay (cf. BVerfGE 154, 152 <252 f. para. 173 f.>).

166

(3) Art. 10(1) in conjunction with Art. 1(1) of the Basic Law gives rise to further requirements for the protection of the core of private life (cf. BVerfGE 154, 152 <262 ff. para. 200 ff.>). The free development of one’s personality within the core of private life encompasses the possibility of expressing internal thought processes, reflections, views and experiences of a highly personal nature. Protection is afforded in particular to non-public communication with persons enjoying the highest level of personal trust, conducted with the reasonable expectation that no surveillance is taking place. Such conversations do not lose their overall highly personal character merely because they concern both highly personal and everyday matters. However, communication that directly concerns criminal conduct does not form part of this protected domain, even if it also touches on highly personal matters (cf. BVerfGE 141, 220 <276 f. para. 121 f.>; 154, 152 <262 f. para. 201 f.>; 162, 1 <126 f. para. 276>; established case-law).

167

At the data collection stage, the core of private life must not be the target of investigations by the state. Statutory safeguards going beyond this prohibition of the targeted interception of data from the core of private life are not required at this stage. Given that it can generally not be ascertained from the search terms as such that communications relating to the core of private life will in all likelihood be intercepted, no specific provisions are required that are aimed at removing selectors relating to the core of private life prior to data collection (cf. BVerfGE 154, 152 <263 f. para. 204 ff.>).

168

At the stage of manual data analysis, legal provisions must ensure that further analysis is suspended without delay as soon as it becomes clear that surveillance is encroaching on the core of private life. If there are doubts in this regard, an independent body must examine the recorded telecommunications traffic and decide whether the analysis may be continued (cf. BVerfGE 141, 220 <279 f. para. 129>; 154, 152 <264 para. 207>).

169

(4) The powers to conduct strategic telecommunications surveillance must be accompanied by obligations to delete collected personal data without delay once its storage is not (or no longer) necessary, and to document deletion, and thus ensure their proportionate design. The key steps of the data deletion process must be documented, insofar as this is practical and necessary for independent oversight; the deletion logs must be retained for a sufficiently long period to allow for effective oversight (cf. BVerfGE 100, 313 <364 f.>; 141, 220 <302 f. para. 205>; 154, 152 <265 para. 210>). The retention period for the deletion logs must be long enough so that the logs are typically still available after affected persons have been notified and for the next periodic data protection audit (cf. BVerfGE 100, 313 <400>; 141, 220 <323 para. 272>).

170

(5) Finally, strategic telecommunications surveillance is only compatible with the proportionality requirements if it is complemented by an independent oversight regime. Such oversight must be continuous and comprehensive; its aim must be the protection of the fundamental rights of affected persons (cf. BVerfGE 100, 313 <361 f.>; 154, 152 <290 para. 272>). In principle, oversight must cover all key procedural steps of strategic telecommunications surveillance and the associated data processing (cf. BVerfGE 100, 313 <361 f.>; 154, 152 <291 f. para. 278>).

171

The constitutional requirements regarding the design of the oversight regime for strategic surveillance are particularly strict. This is because the oversight must compensate for the absence of many of the safeguards commonly guaranteed under the rule of law. Firstly, such oversight is to compensate for the de facto lack of possibilities to obtain individual legal protection, which is a result of the limited information and notification obligations associated with strategic telecommunications surveillance. Secondly, oversight must compensate for the fact that surveillance powers are essentially only guided by the purpose pursued. To this end, it must ensure that the procedures governing the ordering and application of surveillance are sufficiently specified and always serve to achieve the legislative aims. Oversight thus serves as a counterweight to the wide-ranging possibilities for conducting surveillance granted to the Federal Intelligence Service (cf. BVerfGE 154, 152 <290 para. 273>; cf. also BVerfGE 100, 313 <361 f.>).

172

The legislator must provide for two different types of oversight, which must also be reflected in the organisational framework (BVerfGE 154, 152 <291 para. 274). Firstly, oversight must be conducted by a body resembling a court with staff who must be independent in a way that is equivalent to judicial independence; its decisions must be final. This type of oversight must be equal to judicial review both in substantive and in procedural terms and, in particular, must be at least equally effective (cf. BVerfGE 154, 152 <291 para. 275>; regarding Art. 10(2) second sentence of the Basic Law: BVerfGE 30, 1 <23>; regarding sufficient effectiveness cf. also BVerfGE 100, 313 <361 f.>). Secondly, independent oversight must also be exercised by a body that is administrative in nature (for more details cf. BVerfGE 154, 152 <291 para. 276>).

173

For independent oversight to be effective, it is also necessary that reasons are given for any amendments to orders for surveillance made in the administrative procedure. Only when reasons are given in respect of any amended contents can the oversight body examine whether the requirements arising from the Article 10 Act were satisfied when the surveillance measure was ordered – including with respect to the amendments. Such reasons specifying amendments to the contents of orders for surveillance are also necessary to ensure that affected persons can obtain individual legal protection.

174

c) The authorisation to collect and further process data in the context of strategic surveillance of international telecommunications under § 5(1) third sentence no. 8 of the Article 10 Act violates the privacy of telecommunications protected by Art. 10(1) of the Basic Law as it does not fully comply with the principle of proportionality. While the provision serves a legitimate purpose (see aa) below) and is suitable (see bb) below) and necessary (see cc) below) to achieve this purpose, it does not fully satisfy the requirements arising from the principle of proportionality in the strict sense regarding the limitation and specification of strategic surveillance of international telecommunications (see dd) below).

175

aa) § 5(1) third sentence no. 8 of the Article 10 Act serves a legitimate purpose. According to the legislative intent, strategic surveillance pursuant to § 5(1) third sentence no. 8 of the Article 10 Act is meant to yield intelligence on cyberthreats originating from other countries that are of significance to the Federal Republic of Germany in terms of foreign and security policy. Statutory powers to gather intelligence on international cyberattacks (such as cyber espionage or cyber sabotage) are conferred on the Federal Intelligence Service so as to effectively address cyberthreats originating from other countries. The early detection of these international cyberthreats serves to protect critical digital infrastructure or similarly important IT systems (cf. BTDrucks 18/4654, p. 41).

176

Under the relevant legal framework, critical infrastructure means an entity, asset or system which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in the state (cf. Art. 2(a) of Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, OJ EU L 346 p. 75; cf. also § 2(1) of the Act on the Federal Office for Information Security, Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSIG; regarding the law since 18 October 2024 cf. Art. 2 nos. 1, 4 and 5 of Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC, OJ EU L 333 p. 164). Critical infrastructure thus includes hospitals, the water and energy sectors and important transport infrastructure such as airports.

177

At least equally important are the IT systems of constitutional organs and other necessary elements of the constitutional order (e.g. political parties under Art. 21 of the Basic Law: cf. BVerfGE 144, 20 <194 para. 512>; 162, 207 <228 f. para. 71> with further references – The right of the Federal Chancellor to issue political statements; parliamentary groups under Art. 38(1) second sentence of the Basic Law: cf. BVerfGE 84, 304 <324> with further references; or courts under Art. 92 of the Basic Law: cf. BVerfGE 54, 277 <292>; 153, 74 <155 para. 143> – Unified Patent Court).

178

bb) The powers to conduct strategic surveillance of international telecommunications under § 5(1) third sentence no. 8 of the Article 10 Act are also suitable for achieving this legitimate purpose. The criterion of suitability is met if there is a possibility of achieving the legislative purposes with the statutory provisions. In this regard, the legislator has leeway in terms of evaluating the factual situation, making any necessary prognoses and choosing the means by which the legislative aims are to be achieved (cf. BVerfGE 159, 223 <305 para. 185> with further references; established case-law). § 5(1) third sentence no. 8 of the Article 10 Act satisfies these requirements, since it appears at least possible that the gathering of intelligence on cyberthreats originating from other countries that are of significance to the Federal Republic of Germany in terms of foreign and security policy can be achieved through these powers.

179

cc) The surveillance powers in § 5(1) third sentence no. 8 of the Article 10 Act are also necessary to achieve the purpose pursued. Without the broad interception and analysis of data that is not based on specific grounds, such intelligence could not be obtained. No less intrusive means that would yield generally comparable intelligence are available (cf. BVerfGE 100, 313 <375>; 154, 152 <241 para. 144>).

180

dd) However, § 5(1) third sentence no. 8 of the Article 10 Act does not fully satisfy the requirements arising from the principle of proportionality in the strict sense. In principle, the powers to carry out strategic surveillance of international telecommunications can be justified despite their great severity of interference due to the exceptional public interest in gathering intelligence on international cyberthreats (see (1) below). Moreover, § 5(1) third sentence no. 8 of the Article 10 Act limits the purpose of surveillance to the protection of high-ranking interests of the common good in a sufficiently specific and clear manner (see (2) below). However, a sufficiently specific and clear provision regarding the removal of data stemming from domestic telecommunications involving only German nationals or persons located in Germany is lacking. Further, § 5(2) third sentence in conjunction with § 5(2) second sentence no. 2 of the Article 10 Act does not satisfy the constitutional requirements with regard to affording specific and clear protection of the core of private life to persons located in other countries (see (4) below). The retention periods for the documentation of strategic surveillance of international telecommunications provided for in § 5(2) sixth sentence of the Article 10 Act are too short (see (5) below). Finally, the independent oversight by the Article 10 Committee does not fully comply with the particularly strict requirements applicable in this regard (see (6) below).

181

(1) The powers conferred in § 5(1) third sentence no. 8 of the Article 10 Act can in principle be justified despite the particular severity of interference resulting from strategic surveillance of international telecommunications, which has increased significantly (cf. para. 160) since the last decision rendered by the Federal Constitutional Court on such surveillance powers (BVerfGE 100, 313). This is because there is an exceptionally significant public interest in early detection of cyberthreats from abroad – the purpose of § 5(1) third sentence no. 8 of the Article 10 Act – that are of significance to the Federal Republic of Germany in terms of foreign and security policy, as well as in the protection of critical digital infrastructure or similarly important IT systems.

182

The interest in effective early detection of the danger of international cyberattacks on critical digital infrastructure or similarly important IT systems is particularly great. The rate of international cyberattacks on IT systems in Germany is high and continues to increase ([…]). In Germany, the number of international cyber offences that inflict damage in Germany identified in 2022 and 2023 exceeds the number of cyber offences committed from Germany ([…]). Cyberattacks in particular target critical infrastructure and significantly affect its proper functioning ([…]).

183

The potential for damage caused by international cyberattacks is exceedingly high. In the context of the digital transformation of society, the economy, administration and politics, almost all aspects of life are increasingly dependent on a properly functioning and secure digital infrastructure. Secure and properly functioning IT systems are becoming more and more vital for the freedoms protected by fundamental rights (cf. BVerfGE 120, 274 <303 ff.>; 158, 170 <185 para. 33> – IT security vulnerabilities). Constitutional organs and other necessary elements of the constitutional order, too, are increasingly reliant on the use of IT systems to perform their tasks. The change from analogue to digital processes and the increasingly widespread mobile use of IT systems are leading to ever greater dependence on information technology, including by state actors (cf. BVerfGE 158, 170 <185 para. 33>). Moreover, threats from abroad have proliferated due to the advances in international communication and the greater interconnectedness of life circumstances across borders in general (cf. BVerfGE 154, 152 <248 f. para. 163>). The abilities of actors that are responsible for cyberthreats are immense and continue to develop further (cf. ECtHR <GC>, Big Brother Watch and Others v. the United Kingdom, Judgment of 25 May 2021, no. 58170/13 inter alia, para. 323; […]).

184

In light of all this, the international cyberthreats listed in § 5(1) third sentence no. 8 of the Article 10 Act concern high-ranking interests of the common good, the violation of which would result in serious harm to external and domestic peace or to the legal interests of individuals (cf. BVerfGE 100, 313 <373>; 154, 152 <248 f. para. 163). International cyberattacks on critical digital infrastructure or similarly important IT systems are aimed at destabilising society and can jeopardise the constitutional order, the existence and security of the Federation or the Länder and life, limb and liberty (cf. BVerfGE 154, 152 <248 f. para. 163>). International cyberattacks permit hostile state and non-state actors to disrupt digital infrastructure and the proper functioning of democratic processes, posing a serious threat to national security (cf. ECtHR <GC>, Big Brother Watch and Others v. the United Kingdom, Judgment of 25 May 2021, no. 58170/13 inter alia, para. 323). Ultimately, the danger of international cyberattacks can reach a level comparable to that of an armed attack on the Federal Republic of Germany, which has always been recognised as legitimate grounds for strategic telecommunications surveillance in § 5(1) third sentence no. 1 of the Article 10 Act (cf. in this regard BVerfGE 67, 157 <178>; 100, 313 <373>). Given the digital transformation of society, targeted and comprehensive cyberattacks against the IT infrastructure of key and vital areas – such as the water and energy sectors and transport and healthcare – can have the same impact as an armed attack. Both international cyberattacks and armed attacks can jeopardise the well-being of the population, the free democratic basic order and even the existence of the state as such.

185

(2) Contrary to the complainants’ view, the surveillance powers granted by § 5(1) third sentence no. 8 of the Article 10 Act are limited, in a sufficiently specific and clear manner, to the protection of high-ranking interests of the common good, the violation of which would result in serious harm to external and domestic peace or to the legal interests of individuals (see (a) below). The type of cyberthreats covered by the provision is likewise sufficiently specific and clear (see (b) below).

186

(a) The scope of application of § 5(1) third sentence no. 8 of the Article 10 Act can be specified through recognised methods of interpretation without any major difficulty, to the effect that these powers only serve to protect high-ranking interests of the common good.

187

The Federal Intelligence Service may only conduct surveillance measures under § 5(1) third sentence no. 8 of the Article 10 Act in the framework of the tasks generally assigned to it pursuant to § 1(1) no. 2 of the Article 10 Act in conjunction with § 1(2) of the Federal Intelligence Service Act, which means that it may only do so to gather intelligence on cyberthreats that are of significance to foreign and security policy, and thus have an international dimension (cf. BTDrucks 18/4654, S. 41, cf. also para. 148 above).

188

§ 5(1) third sentence no. 8 of the Article 10 Act is limited to the protection of critical digital infrastructure or similarly important IT systems (cf. BTDrucks 18/4654, p. 41). This is linked to the protection of high-ranking interests of the common good, the violation of which would result in serious harm to external and domestic peace or to the legal interests of individuals (cf. in detail para. 175 ff. above).

189

Moreover, the limitation of the scope of application of § 5(1) third sentence no. 8 of the Article 10 Act to cases of great significance can be derived from a comparison with the other dangers listed in § 5(1) third sentence of the Article 10 Act (nos. 1 to 7). The closer the effects of a cyberthreat resemble the legal interests set forth therein, the more likely it is that it is ‘serious’. In light of this, and contrary to the views of the complainants in both constitutional complaint proceedings, it can be inferred with sufficient specificity that the term ‘international criminal cyberattack’ must be interpreted, with the help of the attribute ‘in serious cases’, to mean that only attacks on high-ranking interests of the common good are covered by the provision, rather than all cases of international cybercrime.

190

(b) Moreover, § 5(1) third sentence no. 8 of the Article 10 Act is sufficiently specific and clear with regard to the alternative of ‘similar malicious IT technology’ that is set out in addition to attacks ‘using malware’. It follows from the explanatory memorandum to the draft act that it is primarily intended to cover overload attacks with the aim of sabotage, the faking of identities, for example to obtain access information, attacks on IT systems by circumventing physical boundaries and hardware manipulation of network devices (cf. BTDrucks 18/4654, p. 41). The Federal Government correctly pointed out that more precise descriptions of the cyberattacks concerned may be impossible due to the many different technical forms of attacks on IT systems.

191

(3) By contrast, the powers to conduct strategic surveillance of international telecommunications under § 5(1) third sentence no. 8 of the Article 10 Act are not – as would be required under constitutional law (cf. BVerfGE 154, 152 <251 ff. para. 170 ff.>) –shaped and limited by sufficiently specific and clear provisions regarding the removal of data from domestic telecommunications traffic.

192

Carrying out strategic surveillance of international telecommunications inevitably results in the collection of data from domestic telecommunications traffic. It is true that § 5(1) third sentence no. 8 of the Article 10 Act limits surveillance to international telecommunications traffic. However, the Federal Intelligence Service cannot, at least with regard to digital, packet-switched telecommunications (cf. BTDrucks 18/12850, p. 713 ff.), which in practice make up the largest share of international telecommunications (including all communication occurring via the Internet), limit the interception of raw data to data from telecommunications traffic that has an international dimension (cf. BVerfGE 154, 152 <301 para. 304>; […]).

193

The Article 10 Act does not contain any rules on how such incidentally collected data from domestic telecommunications is to be handled. According to information provided by the Federal Government, purely domestic telecommunications data is automatically separated and removed in practice. However, this does not relieve the legislator from its constitutional obligation to enact specific and clear provisions requiring that data stemming from domestic telecommunications be technically separated and deleted without any trace, using any means available, before the data is manually analysed. Moreover, the legislator must provide that the filtering methods used be continuously developed and refined (cf. para. 165 above).

194

(4) The safeguards protecting the core of private life are likewise not fully adequate.

195

(a) § 5(2) third sentence in conjunction with § 5(2) second sentence no. 2 of the Article 10 Act does not satisfy the constitutional requirements when it comes to affording specific and clear protection of the core of private life to persons in other countries. According to its wording and systematic approach, § 5(2) third sentence of the Article 10 Act exempts non-Germans located in other countries from the prohibition to use search terms concerning the core of private life under § 5(2) second sentence no. 2 of the Article 10 Act. Based on its wording (‘This does not apply to subscriber lines in other countries’) and its systematic approach, the exemption in § 5(2) third sentence of the Article 10 Act concerns the entirety of § 5(2) second sentence of the Article 10 Act, without distinguishing between § 5(2) second sentence no. 1 (prohibition on the targeted interception of certain subscriber lines) and no. 2 (prohibition on the use of search terms concerning the core of private life).

196

This is incompatible with Art. 10(1) in conjunction with Art. 1(1) of the Basic Law. The targeted interception of data from the core of private life is impermissible (cf. BVerfGE 154, 152 <263 para. 204>), including with respect to persons located in other countries. This means that search terms concerning the core of private life may not be used against such persons.

197

It is true that § 5(2) third sentence in conjunction with § 5(2) second sentence no. 2 of the Article 10 Act appears somewhat at odds with § 5a of the Article 10 Act, introduced in 2009, which provides for an absolute and general prohibition on the interception of all communication contents from the core of private life. It also follows from the explanatory memorandum to the draft act for the introduction of § 5a of the Article 10 Act that the legislator considers § 5(2) third sentence of the Article 10 Act merely as an exemption from § 5(2) second sentence no. 1 of the Article 10 Act, which was meant to permit the use of foreign subscriber lines (such as phone numbers or email addresses) as so-called formal search terms, rather than as an exemption from § 5(2) second sentence no. 2 of the Article 10 Act, which prohibits the use of search terms affecting the core of private life (cf. BTDrucks 16/12448, p. 11).

198

That said, even when taking the explanatory memorandum into consideration, § 5(2) third sentence of the Article 10 Act does not, in a sufficiently specific and clear manner, rule out the use of search terms affecting the core of private life. This is because the interpretation of the wording and systematic approach conflicts with the legislative history, and legislative history does not clearly take precedence here. § 5(2) third sentence of the Article 10 Act thus does not satisfy the particularly strict requirements regarding the specificity and legal clarity of provisions governing the covert interception and further processing of data (cf. in detail para.154 above).

199

(b) By contrast, the protection of the core of private life for German nationals and persons located in Germany at the data collection stage under § 5(2) second sentence no. 2 and § 5a first sentence of the Article 10 Act is not objectionable. With regard to strategic surveillance of international telecommunications, statutory safeguards that go beyond the prohibition on the targeted interception of data relating to the core of private life at the data collection stage are not required (cf. BVerfGE 154, 152 <264 para. 206>; see para. 167 above). For German nationals and persons located in Germany, this prohibition on the targeted interception of data relating to the core of private life is set out in § 5(2) second sentence no. 2 and § 5a first sentence of the Article 10 Act in a sufficiently specific and clear manner. Under § 5(2) second sentence no. 2 of the Article 10 Act, no search terms affecting the core of private life may be used with respect to these persons. Moreover, under § 5a first sentence of the Article 10 Act, surveillance measures pursuant to § 1(1) no. 2 of the Article 10 Act, including strategic surveillance of international telecommunications, may not intercept communication contents relating to the core of private life.

200

(5) The retention period for the documentation of strategic surveillance of international telecommunications, laid down in § 5(2) sixth sentence of the Article 10 Act, does not satisfy the constitutional requirements, since it is too short.

201

§ 5(2) fourth sentence of the Article 10 Act provides that the carrying out of strategic surveillance of international telecommunications must be documented. Such complete documentation is intended to ensure that the surveillance measures are properly handled (cf. BTDrucks 12/6853, p. 43 regarding § 3(2) fifth sentence of the Article 10 Act 1994, which has the same content). Under § 5(2) sixth sentence of the Article 10 Act, this documentation must be deleted at the end of the calendar year following the year in which it was logged.

202

However, the retention period set out in § 5(2) sixth sentence of the Article 10 Act is long enough to allow for effective oversight by the Article 10 Committee. The Article 10 Committee, whose oversight powers extend to the entire cycle of processing personal data obtained under the Article 10 Act (cf. § 15(5) second sentence of the Article 10 Act), meets at least once a month (cf. § 15(4) first sentence of the Article 10 Act). In view of this monthly oversight, the log data is typically still available for the next periodic oversight by the Article 10 Committee and is only deleted subsequently in accordance with § 5(2) sixth sentence of the Article 10 Act.

203

It is true that in a prior decision, the Federal Constitutional Court found that a similar retention period – i.e. deletion at the end of the calendar year following the year of documentation – was too short to allow for oversight (cf. BVerfGE 141, 220 <302 f. para. 205, 323 para. 272>). However, the frequency of oversight of strategic surveillance of international telecommunications by the Article 10 Committee differs significantly from the frequency of oversight of data processing by the Data Protection Commissioner under the Act on the Federal Criminal Police Office and the Cooperation of the Federation and the Länder in Criminal Police Matters (old version), to which the relevant judgment (BVerfGE 141, 220) made reference. This is because the judgment in question was based on the assumption that oversight by the Data Protection Commissioner was only conducted in intervals of up to two years (cf. BVerfGE 141, 220 <285 para. 141>) – much less frequently than the monthly oversight by the Article 10 Committee.

204

(b) By contrast, the retention period in § 5(2) sixth sentence of the Article 10 Act is too short to allow those affected to obtain effective legal protection (cf. BVerfGE 141, 220 <302 f. para. 205, 323 para. 272>). It typically does not ensure that the documentation data under § 5(2) fourth sentence of the Article 10 Act is still available when affected persons are notified of a surveillance measure. The rigid time limit in § 5(2) sixth sentence of the Article 10 Act, which starts at the time of documentation, is not linked in any way to the provisions in § 12 of the Article 10 Act governing notification of those affected. However, such connection is made necessary because, under § 12(2) first sentence in conjunction with § 12(1) first sentence of the Article 10 Act, notification only takes place once the respective measure has been permanently ended. At that point, there is no assurance that the log data still exists. This is because, firstly, an order for surveillance can be renewed several times. Moreover, under § 12(2) in conjunction with § 12(1) second sentence of the Article 10 Act, notification can be deferred for a longer period on the grounds that it cannot be ruled out that the purpose of the measure may be jeopardised or on the grounds that general disadvantages to the interests of the Federation or of a Land can be foreseen. In both constellations, the time when the measure has been permanently ended, and thus the time of notification, may be after the end of the calendar year following the year of documentation.

205

This is not altered by the Federal Administrative Court holding that the Federal Constitutional Court’s case-law on the negative impact on individual legal protection of rigid time limits for deletion (cf. BVerfGE 141, 220 <302 f. para. 205, 323 para. 272>) cannot be applied accordingly to the time limit for deletion laid down in § 5(2) sixth sentence of the Article 10 Act (cf. Decisions of the Federal Administrative Court, Entscheidungen des Bundesverwaltungsgerichts – BVerwGE 157, 8 <17 para. 26>). The Federal Administrative Court’s decision concerned data that was recorded in the context of strategic surveillance of international telecommunications and that was deleted immediately after being recorded or examined as to its relevance. The Federal Administrative Court mainly based this on the consideration that this data, which was deleted immediately under § 12(2) first sentence in conjunction with § 12(1) of the Article 10 Act, was not subject to a notification requirement, which meant that individual legal protection could not be adversely affected by the rigid time limit for deletion of the data (cf. BVerwGE 157, 8 <13 ff. para. 20 ff.>). This decision of the Federal Administrative Court cannot be applied to constellations in which the collected data is not deleted immediately and which therefore are subject to a notification requirement pursuant to § 12(2) first sentence in conjunction with § 12(1) of the Article 10 Act. Rather, in view of the constellations that are subject to a notification requirement, the time limit for deleting the log data in § 5(2) sixth sentence of the Article 10 Act must be such that the log data is typically still available when those affected have been notified; this is ensured by a rule such as the one in § 5a seventh sentence of the Article 10 Act.

206

Contrary to the Federal Government’s view, it is not ensured in a sufficiently specific and clear manner that deletion of the log data is not carried out at the end of the calendar year following the year of documentation if the data could be relevant for notification under § 12(2) of the Article 10 Act or for judicial review of the lawfulness of the measure. There is no statutory basis whatsoever for such an exemption from the deletion requirements in § 5(2) sixth sentence of the Article 10 Act. In particular, it is not evident that such an exemption could be derived from § 6(1) sixth sentence of the Article 10 Act, given that this provision concerns a different context and, in view of its systematic position, does not make reference to the deletion requirements laid down in § 6(1) of the Article 10 Act. In light of the systematic interpretation suggesting that the provision is not applicable to the deletion requirements in § 5(2) sixth sentence of the Article 10 Act, such an exemption from the deletion requirements would not be sufficiently specific and clear in any event.

207

(6) Moreover, the independent oversight regime applicable to strategic surveillance of international telecommunications under the Article 10 Act does not fully comply with the particularly strict constitutional requirements.

208

(a) Firstly, the members of the Article 10 Committee perform their functions in an auxiliary capacity rather than as their primary office, as would be required under constitutional law. In order to compensate for the significantly reduced possibilities to obtain legal protection in individual cases associated with strategic telecommunications surveillance, competent and professionalised oversight resembling judicial review must be ensured, which must be equal to review by a court both in substantive and procedural terms and, in particular, must be at least equally effective (cf. para. 172 above). It is insufficient in this regard to have oversight essentially conducted by persons performing their functions in an auxiliary capacity (cf. BVerfGE 154, 152 <295 para. 287>). In light of this, § 15(1) fourth sentence is inadequate as it provides that the members of the Article 10 Committee merely perform their functions in an auxiliary capacity.

209

(b) Moreover, the Article 10 Act fails to ensure that a judicial perspective is represented on the Article 10 Committee. For oversight to resemble judicial review, it must be ensured that the composition of the oversight body is such that a judicial perspective is represented on the body. This requires that the oversight body also includes members with judicial experience (cf. BVerfGE 154, 152 <295 para. 286>). Although the Parliamentary Oversight Body has regularly also appointed judges as members of the Article 10 Committee in practice, this is not required by law. While § 15(1) second sentence of the Article 10 Act provides that a majority of members and their deputies must be qualified to hold judicial office, it does not require judicial experience.

210

(c) Finally, comprehensive oversight – and (where available) effective legal protection of affected individuals – is not sufficiently ensured as the law does not require that reasons are given for any amendments to orders for surveillance made in the administrative procedure. It is true that § 9(3) first sentence of the Article 10 Act requires that the Federal Intelligence Service gives reasons for its application for an order for surveillance. However, the Article 10 Act does not provide for an obligation to give reasons insofar as the Federal Ministry of the Interior and Community amends the Federal Intelligence Service’s application when ordering the surveillance under § 10 of the Article 10 Act. § 10(2) first sentence of the Article 10 Act merely provides that the surveillance must be ordered in writing, while no requirement to give reasons is set out in the law.

D.

I.

211

Ultimately, the provisions that were admissibly challenged only satisfy the constitutional requirements in part. In this respect, the constitutional complaints are well-founded.

212

The authorisation to collect and further process data through strategic surveillance of international telecommunications under § 5(1) third sentence no. 8 of the Article 10 Act is incompatible with Art. 10(1) of the Basic Law, given that an adequate provision governing the removal of data from domestic telecommunications traffic is lacking, that the protection of the core of private life of persons in other countries in § 5(2) third sentence in conjunction with § 5(2) second sentence no. 2 of the Article 10 Act is insufficient, that the retention period for documentation of completed strategic surveillance of international telecommunications in § 5(2) sixth sentence of the Article 10 Act is too short and that the independent oversight regime laid down in § 15 of the Article 10 Act is insufficient.

II.

213

1. The finding that a statutory provision is unconstitutional in principle results in that provision being declared void. However, pursuant to § 31(2) second and third sentence of the Federal Constitutional Court Act, the Federal Constitutional Court may limit its decision to declaring that an unconstitutional provision is merely incompatible with the Constitution. It then merely objects to the unconstitutional provision without declaring it void. The Court may combine the declaration of incompatibility with a temporary order to continue to apply the unconstitutional provisions. This may be considered in cases where the immediate invalidity of the objectionable provision would eliminate the statutory basis for protecting exceptionally significant interests of the common good, and if a balancing of these interests against the affected fundamental rights requires that the interference be tolerated for a transitional period. During the transitional period, the Federal Constitutional Court may issue interim orders to reduce the powers of the authorities, in line with what appears necessary in light of its balancing, until a situation of constitutional conformity has been established (BVerfGE 141, 220 <351 para. 355> with further references; established case-law).

214

2. a) Based on these standards, § 5(1) third sentence no. 8 of the Article 10 Act is declared incompatible with the Basic Law. The grounds for the unconstitutionality of the authorisation, insofar as challenged, do not affect the core of the powers granted, but merely touch upon individual aspects of their design in light of the rule of law. Under such circumstances, the legislator is given the opportunity to remedy the constitutional concerns and thereby achieve the core of the objectives pursued by the authorisation.

215

The declaration that the provision is incompatible with the Constitution is combined with the order that it is nonetheless to stay in effect on an interim basis until 31 December 2026 at the latest. The powers at issue, though constitutionally objectionable, could have significant importance for the security of the Federal Republic of Germany, and this development could take place on extremely short notice, especially when taking into account the potential threat dynamics in light of the realities of information technology (cf. BVerfGE 154, 152 <311 para. 330>). This applies in particular given that both the number of international cyberattacks and the potential threats entailed by them have constantly increased, and this trend is likely to continue (see para. 182 f. above). That is why the provision stays in effect on an interim basis.

216

b) However, in ordering the continued applicability of § 5(1) third sentence no. 8 of the Article 10 Act on an interim basis, it is necessary to impose certain restrictions in light of the privacy of telecommunications. The data from domestic telecommunications traffic (involving only communication participants who are German nationals or located in Germany) must be removed when the provision is applied. As far as technically possible, automated filters must be used to remove data from domestic telecommunications traffic and to automatically delete it without delay; data that meets these criteria but is collected despite automated filters must be [manually] deleted without delay (cf. para. 165). Furthermore, no search terms concerning the core of private life may be used, also with respect to persons in other countries (cf. para. 196 ff.). § 5(2) third sentence of the Article 10 Act is therefore not applicable in relation to § 5(2) second sentence no. 2 of the Article 10 Act. The logs stored pursuant to § 5(2) fifth sentence of the Article 10 Act must be handled in accordance with § 6(1) sixth and seventh sentence of the Article 10 Act, rather than with § 5(2) sixth sentence of the Article 10 Act.

III.

217

[…]