As a European citizen it is flattering to read “The U.S. is ten years behind Europe in requiring their government agencies to protect the privacy of noncitizens when government actions affect them.” However, it is a fallacy to believe that the EU’s data protection law is the solution to privacy problems resulting from foreign intelligence gathering. First, intelligence activities fall outside the scope of EU law. Second, it is far from clear that Europe as a whole is really ahead of the U.S. when it comes to protecting its citizens’ privacy against intelligence surveillance. Indeed, on a national level, Germany is far from a shining example of this. However, there is hope for new guidance deriving from a decision of Germany’s Federal Constitutional Court that is expected later this month.
To begin with, the General Data Protection Regulation (GDPR), the EU’s showpiece data protection legislation, does not apply to member States’ intelligence services. As in the U.S. federal system, there are limits on the subjects the EU can regulate in its member States. The relation between the confederation and its member States is characterized by the principle of conferral, which says “the Union shall act only within the limits of the powers conferred upon it by the member States in the Treaties.” Therefore, the EU only enjoys a limited scope of powers delegated by the member States. Powers not delegated remain the responsibility of the individual member countries. This underlying principle explains why the GDPR does not apply to intelligence gathering. Art. 2(2)(a) GDPR states that “[t]his Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; […].” Although it has always been difficult to determine the precise scope of EU law, it is very clear that national security falls outside it. This follows from recital 16 GDPR and Art. 4(2) TEU, which exclusively place the responsibility for national security in the hands of EU States. The same applies to Directive (EU) 2016/680, which deals with data processing in the area of law enforcement. Therefore, the EU could not, and did not, regulate the data processing of intelligence agencies through the enactment of the GDPR.
Data protection against surveillance activities by intelligence agencies is therefore subject to national legislation. And that national legislation varies across Europe. In Germany, the major problem is similar to that in the United States: It is highly disputed whether Art. 10 of the German constitution, the basic law, applies to foreigners outside German territory. Art. 10 ensures privacy of correspondence, posts and telecommunications, and can be regarded as the functional equivalent of the Fourth Amendment with regard to surveillance issues. Although the text of this fundamental right does not distinguish between citizens and non-citizens, the government still refuses to accept that it applies equally extraterritorially. Many scholars and civil liberties groups argue against this opinion, but so far, unsuccessfully. The last decision of the Federal Constitutional Court on this matter, in 1999, did not decide this particular question. Yet it stated that if there is a technical and informational link to German territory, which is the case for the screening and recording of telecommunications traffic with reception equipment located on German soil, German authorities are bound by Art. 10 basic law. A current constitutional complaint before the Federal Constitutional Court that challenges the surveillance practice regarding the communication of foreigners abroad might lead to a significant change. The judgment is scheduled for May 19 of this year.
Like the United States, Germany has a fragmented legal framework that leaves a significant gap for the protection of foreigners abroad. There are different levels of protection for citizens and foreigners. The most developed level of protection is given to German citizens (regardless of their location) and foreigners within German territory through the G 10 act, a federal statute that regulates intelligence activities concerning infringements of Art. 10 basic law, and ensures quasi-judicial oversight by Germany’s functional equivalent of the Foreign Intelligence Surveillance Court, the independent G 10-Commission. However, since the act is dependent on the application of Art. 10 basic law, it does not cover foreigners outside German territory. The communications of foreigners abroad (in other words, communication where both endpoints are on foreign soil) are outside the scope of the G 10 act as interpreted by the German government. These communications are subject to a different and lower level of protection, which I will explain next.
Before 2016, the surveillance of foreigners abroad was not explicitly addressed in German law. Consequently, those activities were not reviewed by any external oversight (only oversight within the executive branch). In 2016, as a result of the Edward Snowden revelations and the disclosed involvement of the German Federal Intelligence Service, the Bundesnachrichtendienst (BND), some reforms were initiated. In particular, the BND-act, a federal statute that covers the general legal authorities of the BND, was amended. An additional section was added to reflect the surveillance of foreigners corresponding overseas and to establish a different kind of oversight for those surveillance activities. However, this amendment adds little improvement to the protection of foreigners’ communication privacy for three reasons: First, the provisions afford great discretion to the BND, and entail few actual restraints. Second, the “Independent Committee,” a new oversight body established in § 16 of the amended BND-act, is composed of only three persons, who are appointed by the government, and reviews only the abstract telecommunications networks that have been chosen for surveillance purposes. Hence, it does not deal with individual surveillance measures. Third, these “safeguards” only apply if the German intelligence agencies pursue the surveillance from within the country, meaning that the reception facilities must be located on German soil. Foreign intelligence that is received abroad is not covered.
Nevertheless, the new section in the BND-act somewhat improves the legal situation of EU citizens. The use of selectors that can lead to the intentional targeting of EU citizens is subject to stricter constraints than for third country nationals, and, unlike all other selectors, those selectors will be reviewed by the Independent Committee. This brings the protection of EU citizens closer to the G 10 regime.
In summary, it seems that even two stable and powerful western democracies such as the United States and Germany are incapable of ensuring (or unwilling to ensure) adequate protection of foreigners’ privacy. So, how can we oblige States to respect privacy rights regardless of the nationality of the targets? Is judicial intervention needed to attain further improvements? It remains to be seen whether Germany’s Federal Constitutional Court will press for further reforms or will defer the matter to politics when it decides on the issue later this month.
Until governments respect foreigners’ rights as a matter of policy, no law will be strong enough to force compliance. International law is not likely to provide an effective solution because it depends on domestic implementation and enforcement. National solutions are not perfect, but small improvements, such as the enhanced protection of EU citizens, can be regarded as a step in the right direction. Furthermore, transnational dialogue on national security issues, such as academic cooperation, can strengthen mutual understanding and motivate joint efforts.