Germany's top court curbs spy agency's powers to monitor international telcos

Germany’s Constitutional Court has ruled that the surveillance of international telecom operators by the country’s security agency, carried out to try to detect cyber threats, was unconstitutional.

The court found that the Federal Intelligence Service (BSD)’s surveillance powers were partially unconstitutional, ruling that a balance was needed to better protect the privacy of communications while still allowing for important national security measures.

Section 5(1) of the G-10 Act, which regulates the surveillance powers of Germany's intelligence agencies, authorises the BSD to collect and process personal data to conduct surveillance on global providers to identify potential cyberattacks, espionage or cyber sabotage.

The Federal Constitutional Court (Bundesverfassungsgericht) found that while the powers granted to the BSD were in the public interest, the laws did not comply with proportionality.

Although the court declared the powers unconstitutional, it acknowledged their significance for the country's safety and ordered that they remain in place until lawmakers introduce new provisions or until December 31, 2026, whichever comes first.

Central to its ruling, the court found that the powers failed to sufficiently encourage the BSD to dispose of collected data from purely domestic communications involving only German nationals or non-nationals who live in Germany.

The court also took issue with the retention period for data obtained using the surveillance measures, claiming it was “too short.”

German security agencies are required to delete data on individuals they have surveilled using global telecoms services at the end of the calendar year following the year in which the data was logged.

The court, however, argued that the period was not long enough to allow those affected to obtain effective legal protection.

“The rigid time limit is not linked in any way to the provisions governing notification of those affected,” the court said. “Notification only takes place once the respective measure has been permanently ended. At that point, there is no assurance that the log data still exists.”

Germany’s constitutional court also found that independent oversight of the BSD’s telecoms-related surveillance powers was not stringent enough.

The court ruled that independent oversight of the surveillance powers must “compensate for the de facto lack of possibilities to obtain legal protection in individual cases, which is a result of the limited information and notification obligations associated with strategic telecommunications surveillance.”
