Caught in the Act? An analysis of Germany’s new SIGINT reform

Executive Summary

When the German parliament amended the legal framework for Germany’s foreign intelligence service in March 2021, it had a unique chance to set the pace among liberal democracies for better legal standards on proportionate government access to data and the protection of fundamental rights. Recent European jurisprudence such as the Schrems II ruling by the European Court of Justice and the Big Brother Watch and Centrum för Rättvisa decisions by the European Court of Human Rights brought additional momentum to the international quest for better standards in legislation and oversight practice.

Unfortunately, the Bundestag did not seize the moment. Despite laudable progress in some areas, there is a pressing need for future legislative work to align the German legal framework on foreign intelligence collection with international standards and to better meet the German Constitutional Court's minimal requirements. This report thus calls for a comprehensive intelligence reform to improve the quality of the legal framework and to guarantee more robust fundamental rights protections and to overcome the undue fragmentation of oversight and authorization processes.

Regarding the quality of the legal framework, lawmakers should

• establish a clear and consolidated legal framework for investigatory powers across the German intelligence and security sector. This should include a single judicial authorization mechanism that eliminates inefficient duplications.
• regulate bulk data access more transparently, provisions on commercial data purchases, suitability tests, and interception of machine-to-machine communications.

Regarding fundamental rights protection, lawmakers should

• create an effective judicial remedy mechanism for ex post facto review of foreign surveillance, as required by European jurisprudence.
• apply the same standards and safeguards that pertain to the collection of personal content data also to the collection of metadata. This is in line with the recent ECtHR Grand Chamber judgement which deemed both data types as equally worthy of protection.

Regarding the oversight and authorization process, lawmakers should

• expand the independent approval powers to cover bulk data analysis (examination warrants), suitability tests (testing and training warrants), and commercial data buying (data acquisition warrants).
• include systematic points of friction in the judicial authorization process by allowing for adversarial counsel in the assessment of bulk warrants, as well as by providing direct access for the oversight body to bearers of communications in order to verify adherence to warrant criteria, as is common practice in the Swedish foreign intelligence framework.
• define a concrete ex post control mandate that enables data-driven oversight of the BND's data handling, including the independent analysis of the selectors used.
• introduce binding enforcement powers for the independent oversight body, including the power to prohibit certain data collection and to require data destruction.
• codify comprehensive public reporting obligations for the oversight body.