New Rules for SIGINT Collection in Germany: A Look at the Recent Reform
Those following the Section 702 reauthorization debate may be interested in Germany’s recent intelligence reforms. One aspect of particular interest—which I also focus on in a new paper—is new limits on the collection of data from non-nationals outside of Germany, enforced in part by a new judicial oversight mechanism.
Context: Germany’s recent intelligence reform process
Published by The Lawfare Institute
in Cooperation With
Those following the Section 702 reauthorization debate may be interested in Germany’s recent intelligence reforms. One aspect of particular interest—which I also focus on in a new paper—is new limits on the collection of data from non-nationals outside of Germany, enforced in part by a new judicial oversight mechanism.
Context: Germany’s recent intelligence reform process
In December 2016, the most significant intelligence legislation in recent German history was finally put on the books. It followed a year of secret negotiations and a brief legislative process to codify new rules about the authorization, practice, and oversight of foreign data collection by the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency. Unlike most other countries, German intelligence law now contains specific restrictions on the collection of foreigners’ data. Foreigners will not be notified about surveillance measures, and therefore the restrictions I describe in further detail below are not procedural. However, the new law sets an additional international standard in requiring a panel of judges to authorize most foreign intelligence collection on a non-targeted basis.
A Compelling Case for Reform
The Snowden disclosures and subsequent far-reaching intelligence inquiry by the German Parliament were the impetus for the reform. The Bundestag’s inquiry into NSA surveillance quickly turned inward and brought to light major legal gaps, poor executive control, and grave democratic deficits concerning the governance of signals intelligence collection in Germany. A separate investigation by Germany’s parliamentary intelligence oversight body revealed that this practice has harmed German and European strategic interests and has led to unjustified spying on German and EU citizens, EU Member States and EU institutions, as well as international organizations.
Up until last year, Germany’s BND performed its single most important surveillance activity—collect against non-German nationals located outside of Germany—for decades absent a clear legal framework and without independent authorization and oversight. In German, that surveillance is called Ausland-Ausland-Fernmeldeaufklärung, which translates roughly to strategic foreign-foreign (meaning foreign persons on foreign soil) communications data surveillance. In Germany, strategic surveillance refers to the non-targeted, bundled collection of large quantities of communications data for foreign intelligence purposes. That surveillance power is distinct from surveillance activity directed at an individual suspect and his or her contacts. The table below distinguishes foreign-foreign strategic surveillance from other BND surveillance practices and informs whether a judicial review of the legality and necessity of these measures is being performed, and if so, by which committee.
Examples of BND current surveillance powers and their legal basis
|
Practice |
Brief description |
Legal basis |
Review body |
|
Surveillance measures with individual probable cause |
Surveillance of communications data of individual German citizens as well as residents and legal entities in Germany |
Section 3 Art. 10 Law |
G 10 Commission |
|
Foreign-Domestic Strategic Surveillance |
Strategic surveillance of communications data with either origin or destination in Germany |
Section 5 Art. 10 Law |
G 10 Commission |
|
Foreign-Foreign Strategic Surveillance |
Strategic surveillance of communications data with neither origin nor destination in Germany (that may be transiting or that may be acquired abroad) |
Section 6 and 7 BND Law |
Independent Committee |
|
Purely Foreign Strategic Surveillance |
Surveillance of communications data of foreign individuals on foreign territory |
Not codified; administered by secret executive decree |
None |
The above table requires some further unpacking. “Foreign-domestic strategic surveillance” refers to one-end-foreign, one-end-domestic communications. For that authority, German intelligence law has long established a legal regime and oversight system, known as the Art. 10 Law. This is similar to an observation Bobby Chesney has made about U.S. practice, “if the “target of such collection is a (national) person, (national law) generally applies in such cases.” The Art. 10 Law protects German citizens at home and abroad, national residents, and legal entities in Germany from undue surveillance. It also requires notifications to allow for an effective remedy in case of a violation of their fundamental right to private communication guaranteed in Art. 10 of the German Constitution.
The 2016 intelligence reform left the entire Art. 10 Law and the institutional set-up for legality and necessity reviews for foreign-domestic strategic surveillance by the G10 Commission untouched. Instead, the 2016 intelligence reform filled a legal vacuum that existed in German legislation for the foreign-foreign communications that may be transiting and collected in Germany or that may be acquired abroad.
Below is a brief depiction, before I turn to these new provisions, of the basic set-up for the two types of strategic surveillance described above.
|
Practice |
Foreign-Domestic Strategic Surveillance (Strategische Fernmeldeaufklärung) |
Foreign-Foreign Strategic Surveillance (Ausland-Ausland-Fernmeldeaufklärung) |
|
Legal Basis |
Art. 10 Law |
BND Law |
|
Surveillance Orders |
BND requests them through Interior Ministry |
BND requests them through Chancellery |
|
Review Body & Composition |
G10 Commission (4 honorary members, 4 deputies) |
Independent Committee (UG) (3 members, 3 deputies) |
|
Characterization |
Judicial oversight by quasi-judicial body |
Restricted judicial oversight by an administrative body |
|
Review Sessions |
Once a month |
Once every three months |
|
Warrants |
Default standard: Ex ante authorization with full knowledge of search terms |
Default standard: Ex ante authorization with limited knowledge of search terms |
|
Oversight Mandate |
G10 Commission can prompt immediate end of measures deemed unlawful or unnecessary |
UG can prompt immediate end of measures deemed unlawful or unnecessary |
|
Investigation Powers |
Full access to premises & documents |
Not specified |
|
Effective Remedy Procedure |
Default standard: Ex post notifications |
No notifications |
|
Data Minimization |
DAFIS Filter System |
DAFIS Filter System |
|
Quantity Restriction |
20% rule in Section 10.4 Art.10-Law |
None |
Both practices are of course very similar and employ the same tools. Yet, still, they require a different authorization and oversight trajectory via the Interior Ministry and the G10 Commission (for domestic-foreign strategic surveillance) or via the Chancellery and the Independent Committee (for foreign-foreign strategic surveillance). These are not minor differences and de jure the practice of domestic-foreign strategic surveillance is subjected to more robust oversight as shown by the different composition of the review bodies, their investigation powers, the notification requirements and the quantity restrictions. This said, there are many open questions as regards the actual implementation of the Art. 10 Law, including its quantity restriction, which has not been addressed by the 2016 reform.
The treatment of non-national data in Germany’s foreign intelligence legislation
Whereas there were no changes to the Art. 10 Law, the newly amended BND law now contains several new chapters, including new provisions regulating the practice, authorization, and oversight of strategic foreign-foreign communications data surveillance. Before, as the table below illustrates, there was only a general provision in the law that the BND is entitled to collect foreign data in keeping with its general mandate.
Pre-2016 reform framework for the BND’s foreign-foreign strategic surveillance
|
Law |
Section 2.1 BND Law and secret interpretations |
|
Surveillance Orders |
Unregulated in German intelligence law |
|
Review Body & Composition |
Only executive control (if at all) |
|
Warrants |
N/A |
|
Oversight Mandate |
N/A |
|
Investigation Powers |
N/A |
|
Effective Remedy Procedure |
N/A |
|
Data Minimization |
DAFIS Filter System |
|
Quantity Restriction |
None |
The reformed BND law now distinguishes between four different groups for which different authorization procedures, data protection standards, and oversight provisions apply with regard to the collection of content data for the practice of foreign-foreign strategic surveillance. The table below illustrates this in further detail.
|
|
Group A |
Group B |
Group C |
Group D |
|
Type of targets |
German citizens at home & abroad, all persons on German territory and domestic legal entities |
Public institutions of EU-Bodies & Member States
|
EU citizens |
Rest of the world |
|
Collection Order |
This group may not be subjected to strategic surveillance of foreign-foreign communications data. |
Group B may be targeted. This requires collection order that must identify search terms. |
Group C may be targeted. Requires collection order but no need to mention search terms therein. |
Group D may be targeted. Requires collection order but no need to mention search terms therein. |
|
Restrictions on the use of search terms |
Any surveillance must be done in accordance with Art. 10 Law. |
Search terms may only be used if necessary for information related to 12 circumstances referred to in legislation: Eight circumstances under Section 5.1 Art.10-Law (see the next table for a list of those 8 circumstances); Three broad justifications (Section 6.1 BND Law, see table below) when deemed necessary for obtaining third country information of particular relevance to Germany’s security; Data collection under Section 12 of the BND Law. |
Search terms may only be used if necessary for information related to 21 circumstances referred to in legislation: Eight circumstances under Section 5.1 Art.10-Law; Three broad justifications (Section 6.1 BND Law) if needed for third country information of particular relevance to Germany’s security; Nine justifications under Section 3.1 Art. 10 Law; Data collection under Section 12 of the BND Law. |
Search terms can be used if necessary for information related to four broad circumstances referred to in legislation: Three broad justifications (Section 6.1 BND Law) without the third country relevance caveat; Data collection under Section 12. |
|
Ex ante authorization |
Legality and necessity review by G10 Commission with knowledge of search terms |
Legality and necessity review by Independent Committee with knowledge of search terms |
Legality and necessity review by Independent Committee without knowledge of search terms |
Legality and necessity review by Independent Committee without knowledge of search terms |
|
Notification requirement |
General notification requirement to allow effective remedy |
No notifications to surveillance targets |
No notifications to surveillance targets |
No notifications to surveillance targets |
Notice that the restrictions on the collection of non-national data do not apply to metadata. Put differently, the BND’s collection of metadata through strategic foreign-foreign communications data surveillance remains unrestricted. The retention of metadata is limited to six months. By contrast, content data may be retained for up to 10 years.
The foreign-foreign strategic surveillance measures require a collection order. Yet, depending on the different groups that these measures can be aimed at, the collection order may not mention the specific search terms that are being used by the BND to obtain specific information from the huge amount of data acquired by its strategic surveillance. Three things should be remembered here: First, a judicial review of the actual practice is much less meaningful without actual knowledge of the search terms used. Second, some of the circumstances referred to in legislation that may give rise to the use of search terms (see table below) are very broad. This shows that Germany assigns different data protection priorities to those four groups—with group A being the most protected. Third, Section 12 BND Law (Eignungsprüfung) provides for an important exception to the search term provisions. It states that “Telecommunication nets,” may be temporarily tested to assess the quality of their output and to generate new search terms.
For easier reference, the table below lists the different justifications for strategic surveillance measures known to German intelligence law:
|
Three circumstances referred to in Section 6.1 BND Law |
|
|
Eight circumstances referred to in Section 5.1 Art. 10 Law |
|
|
Nine circumstances referred to in Section 3.1 Art. 10 Law |
|
My paper discusses the question whether these restrictions are meaningful and whether they can be honored in practice in further detail. It aims to provide a balanced account of the intelligence reform, reviewing the good, the bad, and what is missing.
The new limits on the collection of data from non-nationals outside of Germany and judicial oversight are too soft, and more investment is needed in effective judicial oversight for both strategic surveillance powers.
Despite the NSA-inquiry committee’s many important revelations—a public report is due next week—the 2016 intelligence reform did not draw the necessary conclusion, in my view, to substantially strengthen the system of judicial oversight in Germany.
Indeed, the BND reform created an authorization body for foreign-foreign strategic communications data surveillance by the BND. Yet, despite being staffed by professional jurists and its proximity to the Federal Court of Justice in Karlsruhe, the Independent Committee (UG) is neither independent nor a court. Instead, the Independent Committee may be referred to as an administrative body tasked with the ex ante authorization of the newly codified surveillance measures. Not only are its three members and deputies appointed by the executive, but one of the three members will also be a public prosecutor from the Federal Public Prosecutor’s Office. This is problematic for potential conflicts of interest.
What is more, the new provisions say very little on the Independent Committee’s actual oversight powers. By comparison, the G10 Commission (responsible for, among other things, the judicial review of foreign-domestic strategic surveillance) is not only tasked to authorize surveillance measures but also has the authority to review the collection, subsequent data handling and use of all personal data related to the surveillance measures. To exercise this oversight, the G10 Commission has guaranteed access to all documents, saved data and data management programs used in conjunction with surveillance measures, as well as access to any premises used for SIGINT purposes by all three federal intelligence agencies (Section 15.5 Art. 10 Law).
By contrast, the BND Law makes no mention of such judicial oversight powers for the Independent Committee. Apart from the missing provisions on the Independent Committee’s actual oversight powers, one can also express serious concerns regarding the authorization procedure for foreign-foreign strategic surveillance. More specifically, when the Independent Committee assesses the legality and necessity of a surveillance measure, it may do so on the basis of interception orders that do not list the search terms. Any legality and necessity assessment it makes without knowledge of the search terms is likely to lack credibility and substance.
