National Security Surveillance in Germany

November 15, 2023

Executive Summary

  • Introduction. Germany’s intelligence services conduct electronic surveillance to protect public order and detect international threats.  Access to key international communications nodes makes Germany’s main foreign-intelligence agency, the Bundesnachrichtendienst, a valued collaborator for such partner services as the U.S.’s NSA and Britain’s GCHQ.
    • Since the Snowden leaks and a subsequent parliamentary inquiry into American and German signals-intelligence activities, Germany has comprehensively reformed its laws and institutions related to national-security surveillance.
  • Agencies that conduct national-security surveillance. Germany has three principal federal intelligence services: the Bundesnachrichtendienst (BND), the Bundesamt für Verfassungsschutz (BfV), and the Bundesamt für den Militärischen Abschirmdienst (BAMAD).  Each conducts electronic surveillance for national-security purposes.
    • The BND is Germany’s foreign-intelligence service. Notably, it is responsible for human intelligence, signals intelligence, and military intelligence, combining the functions of the United States’ CIA, NSA, and DIA into one agency.
    • The BfV, or Verfassungschutz (Office of Constitutional Protection), is the principal domestic intelligence service. It is responsible for counterintelligence, counterterrorism, monitoring domestic extremist organizations, and defending against industrial espionage.
    • BAMAD, which reports to the Defense Ministry, is responsible for military counterintelligence and force protection.
    • Other agencies, including the Federal Criminal Police Office (Bundeskriminalamt, or BKA), conduct electronic surveillance for criminal investigations closely related to national security.
      • In Germany, the constitutional Trennungsgebot (“separation”) principle requires that law enforcement and intelligence functions remain strictly separated.
  • Surveillance laws. Germany’s constitution, the Grundgesetz (“Basic Law”) requires that all surveillance activities that interfere with fundamental rights be based in legislation.  That legislation, in turn, must clearly indicate which fundamental rights will be affected by the surveillance activities (a principle known as the Zitiergebot).  Key legislation includes:
    • The “Article 10” or G10 Act, which creates legal standards and an authorization process for government interference with private communications, as required by Article 10 of the Basic Law.
    • The BND Act, which regulates the activities of the BND, including its surveillance of digital networks. The Bundestag enacted a major reform to the BND law in 2021, and further changes are forthcoming.
  • Capabilities and Priorities. The BND conducts large-scale surveillance of international telephone, internet, and satellite communications.  These activities also form the backbone of the BND’s cooperation with the intelligence services of partner countries.
    • One unique advantage is the presence in Germany of DE-Cix, the world’s largest internet exchange point.
      • As of 2020, the BND was collecting more than 1 trillion internet transactions per day at DE-Cix, using hundreds of thousands of “selectors” (such as email addresses or phone numbers). Many of those selectors are provided by allied services such as NSA and GCHQ.
    • The BND’s collection must follow its Aufgabenprofil, or priorities framework, which lists the regional and global issues that the BND’s collection should inform. The Aufgabenprofil is secret and exempt from parliamentary oversight.
    • Among federal intelligence agencies, only the BND is permitted to conduct bulk collection.
    • Most collection takes place within Germany. However, the BND also conducts some collection overseas using “mobile equipment.”
  • Authorizing and oversight bodies. German law establishes various independent bodies to authorize and oversee electronic surveillance for national-security purposes.
    • The G10 Commission is an independent, multi-member body led by a Chairman qualified to hold judicial office. It reviews applications from the Federal Chancellery (for the BND), the Interior Ministry (for the Verfassungschutz), and the Defense Ministry (for the BAMAD) to conduct surveillance activities covered by the Article 10 Act.
      • Only the Government presents arguments before the G10 Commission; there is no special advocate or “amicus curiae” to represent other interests.
    • The Unabhängiger Kontrollrat (UKR), or Independent Control Council, was created in 2022 to authorize and oversee SIGINT and hacking activities conducted under the BND Act.
      • The UKR consists of both a Judicial Control Body, which reviews individual applications and complaints, and an Administrative Control Body, which conducts proactive audits and can submit complaints to its judicial counterpart.
      • The UKR reports to the parliamentary oversight committee at six-month intervals.
    • Other bodies also conduct post-hoc oversight:
      • The Federal Data Protection Authority reviews so called “file orders,” which establish databases maintained by the government. This enables it to consider the purpose and contents each database that the intelligence services create.
      • Legislative oversight is provided by the Bundestag’s Parliamentary Control Committee (Parlamentarisches Kontrollgremium).
  • Process and Standards for Approving Surveillance. The standards and processes for authorizing surveillance techniques depend on the type of surveillance (targeted or bulk) and the communications targeted.
    • For domestic collection against a specific domestic target, the BfV must first file an application with the Ministry of the Interior. The application must show an imminent risk of a serious threat to public order.  The Ministry then can issue a temporary approval, with further review by the G10 Commission.
        • The G10 Commission then accepts, rejects, or modifies the order based on the sufficiency of the factual showing as well as other factors affecting the privacy and civil liberties of the target.
    • Domestic collection against overseas targets (e.g., on internet backbone cables at DE-Cix), is regulated under both the Article 10 Act (for one-end-foreign communications) and the BND Act (for foreign-to-foreign communications).
        • Unlike the U.S. Section 702, this is regarded in German law as “bulk” collection.
        • For domestic collection on international signals (one-end-foreign), the BND applies to the Ministry of Interior for approval. The ministry then issues a warrant, which must be reviewed by the G10 Commission.
            • The warrant lists the communications channels from which the BND will collect traffic, along with other information about the surveillance. The G10 Commission and the Federal Data Protection Authority monitor implementation.
    • For domestic collection on foreign-foreign signals, the BND must obtain authorization from the Independent Control Council (UKR). The BND’s application must describe the purpose of the collection, theme, geographical focus and duration, and justification.  It does not, however, include specific selectors.
    • In each case, approval by the requisite authorization body permits the state to compel the cooperation of telecommunications providers.
    • German law does not require a prior warrant for agencies to collect metadata or examine data already collected.
  • The role of nationality and other protections. German law generally does not distinguish between Germans and non-Germans for these purposes.  The Federal Constitutional Court has held that the fundamental protections of the Basic Law bind the government in all of its activities.  This would include surveillance conducted abroad.
    • The Court allowed, however, that notification requirements for those affected by surveillance could differ for people living in Germany and people living abroad.
    • Germany’s surveillance laws also establish heightened protections for the Kernbereich persönlicher Lebensgestaltung, or innermost area of personal life. This principle derives from the Basic Law’s foundational requirement that the state protect human dignity.  They also include special protections for the communications of attorneys, journalists, and clergy.
  • Transparency. Transparency has increased, but further improvements are possible.
    • The new Independent Control Council (UKR), which oversees bulk surveillance conducted by the BND, does not issue public reports about its activities. There is thus little information available to help the public assess its performance.
    • The current coalition government led by SPD Chancellor Olaf Scholtz has promised a comprehensive accounting of all surveillance activities (Überwachungsgesamtrechnung) and their effect on fundamental rights and freedoms. As of this writing, this has yet to materialize.
  • Reforms. Germany’s recent legislative reforms place its activities on much sounder footing in terms of public legitimacy and democratic accountability.  The new legal regime stands out in international comparison in several respects:
    • All bulk surveillance measures are now authorized and constrained by legislation, in contrast to other countries where these activities remain governed (at best) by executive decree.
    • German law provides judicial review of foreign-foreign intelligence collection (though not of individual targets).
    • Germany’s oversight agencies have direct access to IT databases and systems of the operational agencies.
    • German law minutely regulates automatic transfers of data collected by the intelligence services to international partners.

Download Full Paper

Thorsten Wetzling

Head, Research unit on digital rights, surveillance and democracy, Stiftung Neue Verantwortung