Legal protection against surveillance by intelligence agencies: On the need for its reform

von Prof. Dr. Wolfgang Hoffmann-Riem*

The digitalisation of communication, its dissemination through global communication infrastructures, and the services targeting it are now a fact of social and individual life, affecting also the economic activities of companies. The ‘digital revolution’ has created tremendous opportunities, but it also entails new risks. In particular, the revelations of Edward Snowden have contributed to a change in the way these risks are perceived.1 However, surveillance by state (and private) intelligence services is nothing new, even in Germany.2

At the same time, publication of the content of the countless secret documents that Snowden uncovered, particularly about the PRISM and Tempora programmes, revealed that the intelligence services in the U.S. and the UK were monitoring the data flowing through infrastructures for information and communication technology in a way and to an extent that most people had never before imagined. Thereafter, similar activities by France, Canada, China, Russia and other countries came to light. The Bundesnachrichtendienst, Germany’s Federal Intelligence Service, also called the BND, is likewise active in this field, and under the Act Concerning the Federal Intelligence Service (Gesetz über den Bundesnachrichtendienst, BNDG), is it authorised in part to conduct so-called strategic surveillance of telecommunications traffic with a cross-border connection. But to all appearances, it does not limit itself to just this.3 Since the practices first became known, new manifestations are constantly coming to light. In the process, it has become clear that the BND was considerably more closely involved in NSA activities than had initially been presumed.4

The risks for citizens accumulate when state institutions, like intelligence services, not only capture data directly when communications are taking place but also access data, with or without statutory authorisation, that are available from telecommunications companies.5 Therefore, citizens need protection against both sovereign authorities and telecommunications companies.

Accordingly, as a result of the threat potential previously described, the issue of security and its relationship to freedom are proving to have new dimensions. In terms of the state’s duty to afford protection, but also for transnational communities, a new set of tasks is emerging that, in view of rapid technological developments, the globalisation of threat sources, and the general anonymity of actors, will be difficult to manage successfully. It has become evident that existing legal systems are ill-prepared to effectively ward off all encroachments of freedom. Even though legal

* Prof. Dr. Wolfgang Hoffmann-Riem is a former judge at the Bundesverfassungsgericht and professor at Bucerius Law School, Hamburg.

1 See Rosenbach/Stark, Der NSA-Komplex (2015); Greenwald, Die globale Überwachung (2014); Schaar, Überwachung total (2015); Wolf, Der rechtliche Nebel der deutsch-amerikanischen “NSA-Abhöraffäre”: US-Recht, fortbestehendes Besatzungsrecht, deutsches Recht und Geheimabkommen JZ 2013, S. 1039 et seq.; Ewer/Thienel, Völker-, unions- und verfassungsrechtliche Aspekte des NSA-Datenskandals, NJW 2014, pp. 30 et seq.; From literature that is more journalistic in nature, see, e.g., Aust, Stefan/Ammann, Thomas, Digitale Diktatur – Totalüberwachung, Datenmissbrauch, Cyberkrieg., (2014); See also Clarke et al., The NSA Report (2014); while this report, which was prepared by a commission convened by the U.S. President, does not directly address Snowden’s factual findings and revelations, it does respond to them with a number of proposals, such that many of the publicised facts appear to be implicitly confirmed.

2 Regarding earlier cases of telecommunications surveillance, including problematic ones, see Foschepoth, Überwachtes Deutschland. Post- und Telefonüberwachung in der alten Bundesrepublik (2014).

3 Regarding BND’s activities, which seem to be partly illegal, see Bäcker, Strategische Telekommunikationsüberwachung auf dem Prüfstand, K&R 2014, pp. 556, 559 et seq.

4 Cf., e.g., the reports on p. 2 of the Süddeutsche Zeitung of 24 April 2015, No. 94, or Zeit Online of 4 May 2015, “Spioniert der BND bis heute für die NSA?” Kurt Graulich, the special investigator appointed by the NSA committee of the German Parliament, apparently found instances of substantial illegality.

5 This statement should not be understood as implying that it is legally prohibited to access such data in proceedings subject to the rule of law where there is sufficient evidence of serious violations of the law.

Hoffmann-Riem, Surveillance (BLJ 2015, 2)45

protection against state surveillance may be possible in theory – particularly where there is a violation of national law or the European Convention of Human Rights or EU-Law – it is almost unattainable in practice.

When individuals use infrastructures for information and communication technology – for instance, by taking advantage of the many services available on the Internet – they enter into a highly complex regulatory system, one that they are in many ways incapable of influencing. In many respects, users forfeit autonomy over the technical ways in which communications are processed, as well as over the manner in which the data generated thereby are treated.6 When personal or business data are accessed by state bodies (or private parties), legal protection by courts fundamentally presupposes that such encroachment can be identified and assessed. However, this often fails to happen due to a lack of transparency. Users are normally unaware of the way in which their communication is processed and where their data are physically located, nor can they be certain as to which authorities collect and analyse information or the manner in which this is accomplished.

The following article can treat this issue only in broad strokes. It addresses important basic legal conditions concerning protection against surveillance under national law, European law, and public international law, and concludes by citing the need to create new legal structures.

A. Possibilities for legal protection at the national level

I. Legal constraints on spying

Possibilities for legal protection are likely most feasible at the national level. To begin with, I would like to address German law in this context.

Spying, like that recently uncovered, infringes on freedoms protected under the German legal system. If so-called metadata and/or communication content is accessed using equipment located in German territory, or if it is analysed there, this clearly involves actions covered by German law, regardless of where the participants in the communication are based7 (connection to Germany). The general German legal system protects against such encroachments (e.g. in criminal law, data-protection law, and the law concerning personality rights). Recourse to the courts is available, at least in theory, but in practice this is possible only if aggrieved parties can assert that they have been personally affected to a legally significant degree, i.e. they must at a minimum have been aware of the encroachment.

Foreign entities – even if endowed with state authority – are also generally subject to German laws for acts undertaken in German territory, such as when they “tap” lines or store collected data in Germany.8 Other than where these actors are exempt from the applicability of German law, such as under the NATO Status of Forces Agreement, they must obey German laws and submit to the jurisdiction of German courts.9 Applicable here are the general prohibitions on interference and on doing harm. However, it is difficult for citizens to tell whether foreign entities endowed with state authority are staying within the limits of German law.

When German state agencies – like the BND – engage in spying, they are bound by German law, even when they use facilities that are located outside of German sovereign territory. Indeed, protection through fundamental rights, such as Art. 10 of Germany’s Basic Law (Grundgesetz), and the right to informational self-determination, focuses neither on the place of the encroachment by German state bodies nor on who the subject of the encroachment is. Rather, what is decisive is whether a sovereign entity subject to German law interfered with a protected good of an entity protected by German law.

When the BND discloses data to other agencies, including foreign ones, such as the NSA, this is subject to strict requirements. It may make such disclosure only with the consent of the German Chancellery and only where it involves data lawfully collected by it and whose disclosure is necessary in order to safeguard foreign-policy or security-policy concerns of the Federal Republic of Germany (section 9, para. 2, sentence 1 BNDG).

If the BND, as a German sovereign entity, were to listen in on communication traffic taking place in Germany or from or to Germany by tapping into a fibre-optic cable laid somewhere outside of Germany or into a server stationed there or by using a provider located there, this would constitute an infringement of the freedom of telecommunications (art. 10 of the Basic Law). Such action would generally not be covered by the BNDG and would in any event be unlawful unless it served to “gather information about other countries” (art. 1, para. 2, sentence 1 BNDG) and, to the extent personal data are involved, met the requirements of art. 1, para. 2, sentence 2 BNDG.

The BND is strictly prohibited from transmitting (raw) data on a blanket basis, nor may it do so with data for which no connection whatsoever has been made to the factual preconditions for data transmission or for which the purpose of analysing such data does not justify their disclosure. Notwithstanding that the BND may perform only foreign intelligence work, it remains bound by the legal constraints on disclosure even where no data of German citizens are involved. Nationality is irrelevant when evaluating data collection and disclosure by the BND.

6 See, e.g., Hoffmann-Riem, “Der grundrechtliche Schutz der Vertraulichkeit und Integrität eigengenutzter informationstechnischer Systeme”, JZ 2008, pp. 1009, 1011-12.

7 Cf. Hermes, in Dreier (ed.), Grundgesetzkommentar, vol. I (3rd ed. 2013), margin no. 43 on Art. 10.

8 A separate question is whether and to what extent fundamental rights, including objective protection mandates, also cover protection for the exercise of fundamental rights in extraterritorial areas. See infra, V

9 Espionage is not protected by immunity under international law. Cf. Frowein, Völkerrechtliche Fragen der Strafbarkeit von Spionen aus der ehemaligen DDR: Gutachten erstattet im Auftrag des Bundesverfassungsgerichts, 1995, pp. 18 et seq; see also Verdross/Simma, Universelles Völkerrecht, 3rd ed. 1984 (reprint 2010), § 1177. Substantively farther-reaching diplomatic immunity for actors would be conceivable only if they held diplomatic privileges; even then, in accordance with art. 41 of the Vienna Convention on Diplomatic Relations, they would still have to obey the law applicable in Germany.

Hoffmann-Riem, Surveillance (BLJ 2015, 2)46

II. In particular: Extraterritorial reach of the protection of fundamental rights

Protection of the freedom of communication primarily means protection of communication content. Insofar as protection – such as that afforded to the secrecy of telecommunications (Art. 10 of the Basic Law) – also extends to encroachments in the telecommunications network, this is intended to counteract the specific threats to which communication of this nature is exposed. Art. 10 of the Basic Law protects the non-physical transmission of information to individual recipients with the aid of telecommunications traffic.

When it comes to spying, the protection afforded to communication content would be vitiated, at least in part, if it were to depend on whether the communication was processed more or less unpredictably/coincidentally over lines in German or in non-German territory. The German Federal Constitutional Court also acknowledged this with regard to communication not tied to lines, such as that via satellites. Here, in determining whether there was interference capable of legal protection, it was sufficient that the telecommunications traffic was collected and analysed with the aid of receiving equipment stationed on German soil and that the analysis took place on German soil.10 It expressly left open whether protection goes beyond this.11

In view of the reality that modern communication is accomplished using transfrontier or global infrastructures for information and communication technology, it is clear that thinking primarily in terms of categories of spatial localisation of the encroachment is no longer adequate in dealing with the actual conditions of international/global communication infrastructures and with the need for protection.12 The global reality would otherwise overtake the protection of freedom, if not largely eviscerate it.

It goes without saying that not all worldwide communication falls within the ambit of the legal protection afforded by German fundamental rights norms. Where encroachment in a communication took place extraterritorially, such as with spying on an extraterritorial network, there has to be a connecting factor in order for German law to apply. In my opinion, this is the case when a communication is involved in which communicators communicate with recipients inside of Germany or communicators inside of Germany communicate with recipients outside of Germany. The protection that fundamental rights afford to communication, i.e. that of the freedom to freely develop one’s personality, is connected to the conduct by holders of such fundamental rights. The protection of fundamental rights of communication cannot be focused on the contingencies of a path of transport, particularly one determined by third parties without the inclusion of the communicators.

Notwithstanding any consensus on this position – and it is controversial – access to court remedies remains a problem in cases where a specific infringement was not detected. Therefore we cannot rely solely on the protection of individual/subjective rights but have to include measures based on the objective protection of fundamental rights.

III. Objective protection of fundamental rights as the point of departure for special protective measures

Not just personal development but also nearly all areas of production and services, as well as knowledge generation and the way in which a democracy functions, depend on a functioning communication infrastructure that is protected against unlawful infringement. This dependence makes clear the importance of protecting not only individual rights but also the ability of the communication system to function. For a communication infrastructure to be capable of proper functioning, the integrity of IT systems must be assured, and there has to be confidence that effective checks are in place to prevent unauthorised access of such systems. This protection must also be safeguarded against threats occasioned by the global dimension of infrastructures for information and communication technology.

State bodies are charged with ensuring such functioning as part of their general state obligations, just as they are to ensure that other public services are protected. Guidance for the fulfilment of this obligation results, in particularly, from the objective content of fundamental rights norms.

In addition to guaranteeing subjective rights, German fundamental rights norms contain objective protection mandates. This applies to communication freedoms (art. 5 of the Basic Law),13 the fundamental right of telecommunications (art. 10 of the Basic Law),14 the fundamental right of the home (art. 13 of the Basic Law),15 and the fundamental right of informational self-determination,16 as well as other fundamental rights that may be affected, such as arts. 12 (occupational freedom) und 14 (protection of property) of the Basic Law.17 The objective content of fundamental rights may also be reduced to obligations to protect.18

Obligations and mandates to protect may also result from other norms. Art. 87f of the Basic Law (ensuring appropriate telecommunications services) and art. 91c of the Basic Law (development of information technology systems at the federal and state levels) relate specifically (albeit to only a limited extent) to ensuring the functioning of infrastructures for information and communication technology and thus to the protection of systems, not rights of personality.19

10 Decisions of the Federal Constitutional Court (BVerfGE) 100, pp. 313, 363-64.

11 BVerfGE 100, pp. 313, 364.

12 Cf. Richter,“Recht in interaktiven Umgebungen”, in Bieber/Leggewie (eds.), Grenzen der Interaktivität (2004), pp. 240, 248 et seq.

13 See BVerfGE 57, pp. 295, 319; 73, pp. 118, 152-53; 90, pp. 60, 94; 114, pp. 371, 387; 119, pp. 181, 214

14 See Hermes, supra note 7, at margin no. 92 on Art. 10, with further references in footnote 402.

15 See id. at margin nos. 120 et seq. on Art. 13.; Papier, in Handbuch der Grundrechte, vol. IV (2011), § 91 margin no. 5. SBVerfGE 89, 1, 11.

16 Dreier, in Dreier, Grundgesetz (2013), margin nos. 94 et seq. on Art. 2 I.

17 See generally Wieland, in Dreier, Grundgesetz (2013), Art. 12, margin nos. 142 et seq; Art. 14, margin nos. 195 et seq. (+)

18 About these generally, see Stern, “Die Schutzpflichtenfunktion der Grundrechte. Eine juristische Entdeckung”, DÖV 2010, pp. 241 et seq., with further references.

19 For details, see Hoffmann-Riem, Freiheitsschutz in den globalen Kommunikationsinfrastrukturen, in Juristen Zeitung 2013, pp. 53, 58.

Hoffmann-Riem, Surveillance (BLJ 2015, 2)47

Essentially, it is not out of the question that obligations and mandates to protect may also make their effects felt in the international/global sphere and also come into play to counter encroachments by foreign entities endowed with state authority. Failure to fulfil state obligations to protect (i.e. a state omission) may under certain circumstances, though only with substantial hurdles, be challenged in court by resorting to the subjective rights of citizens. However, breach of an obligation to protect may also bring other sanctions with it, such as by Parliament, for instance when it brings an action against other state entities (Organklage) before the Federal Constitution Court (art. 93, no. 1 of the Basic Law), applies for abstract judicial review (art. 93, no. 2 of the Basic Law), adopts resolutions, or imposes political sanctions.

Of special significance to our topic is the fundamental right to the guarantee of the confidentiality, integrity, and reliability of IT systems, which the Federal Constitution Court elaborated in 2008.20 This fundamental right was derived from an expansion of the constitutional protection of informational self-determination under arts. 1, para. 1 (protection of human dignity) and 2, para. 1 (the freedom to freely develop one’s personality) of the Basic Law. It prohibits the secret infiltration of an IT system in order to monitor system use and read storage media. Such an action is constitutionally permissible only on the basis of a law andif there are factual indications of a specific threat to a fundamentally important legal interest. In addition, such infiltration generally requires a court order.21

The objective reach of this fundamental rights construct is a consequence of the fact that it was developed from these fundamental rights norms with (also) objective content. It moreover suggests itself due to the Federal Constitutional Court having designated “information technology systems” as being an object of protection. Even though this protection is guaranteed for the sake of the freedom of individual communication behaviour – the decision deals with a constitutional complaint by individuals who were potentially affected – it is specified as the protection of the important infrastructural conditions of modern telecommunications technologies, which are the prerequisite for the exercise of communication freedoms. It is only with respect to them – i.e. also to the potential threats associated with them – that the significance of the protection of reliability and integrity can be measured. This is an important basis for the confidence of citizens in IT systems, which at the same time is the prerequisite for their social acceptance and thus for their social functioning.22

IV. Norm-spanning obligation to guarantee

Technical infrastructures and the services necessary for their operation are based on a self-contained ensemble of hardware and software. They are used for a wide variety of communication purposes, and each of them can be covered by a variety of constitutional norms, each of these of varying legal quality (fundamental rights, infrastructure mandates, defined state objectives, etc.). It is practically impossible to enact different rules for carrying out the various obligations to guarantee, with each having a separate legal basis for the guarantee, and to ensure their effectiveness: The functioning of telecommunications infrastructures and, in particular, the Internet is resistant to such differentiations, due to the diversity and interlocking nature of the services. In view of the multi-faceted significance of infrastructures for information and communication technology for the state, society, and individual citizens, and in view of the differing threat exposures, the guarantee mandate must therefore be understood as a single whole. It includes the protection of fundamental rights, as well as that of constitutionally based infrastructure mandates and generally defined state objectives (democracy, social justice, and rule of law). The protection of individual rights goes hand in hand with the protection of systems. Without sufficient protection of systems, the ability to provide for effective protection of individuals is at risk of being vitiated, as is the use of telecommunications infrastructures for the purposes of fulfilling state obligations. The various fundamental rights norms (arts. 1, para. 1, 2, para. 1, and 10 GG), the mandates to guarantee infrastructure (arts. 87f and 91c GG), and the general defined state objectives (democracy, social justice, rule of law, art. 20 GG) lead to a norm-spanning obligation of the state to guarantee the protection of the functioning of IT systems.

There are a variety of ways to fulfil this duty, including promoting the ability to protect systems using technology and developing new software and hardware that afford stronger protection against spying. In the following, however, I will limit my remarks to legal measures.

Various normative elements therefore complement one another in protecting the proper use of IT systems. The particular legal context in which each of the individual elements is set may be of significance for the specific legal consequences, but not for the obligation itself. The constitutional obligation described in this way does not as such depend on whether its breach can be challenged and, if so, by whom and how (e.g. whether and to what extent there is court-mandated protection of individual rights), or on the particular sanctions available. The significance of normative obligations is not of necessity tied to the ability to impose a sanction for misconduct, let alone a specific legal sanction. What is decisive is the legal obligation on the responsible state bodies to assume the obligation. Whether and how state bodies can, where necessary, be compelled to fulfil their obligations – be it with the aid of the courts or only with the aid of political sanctions – is certainly not unimportant for the effectiveness of protection, but it is not decisive for the normative significance of the obligation itself.

V. Protective functions

There are several other objective protection mandates in German law. These relate to protecting infrastructures for information and communication technology, including a mandate to protect against direct encroachments by foreign sovereign entities where the target is communication within, from, or to Germany. This covers, e.g. the “tapping” of network lines, as well as the infiltration and manipulation

20 BVerfGE 120, pp. 274, 313 et seq. (English translation: 1bvr037007en.html).

21 Id. at Headnotes 2 and 3.

22 Cf. Hoffmann-Riem, supra note 6, at p. 1012.

Hoffmann-Riem, Surveillance (BLJ 2015, 2)48

of IT systems. However, as we now know, it is difficult to carry out such a mandate to protect where representatives of foreign sovereign authority are involved, as well as to prevent interference with communication traffic occasioned by access to communication networks outside of Germany. This difficulty does not obviate the guarantee mandate.23 Just the opposite, it magnifies the obligation on state bodies to see to it that protective measures are put into place.

Just because foreign actors – such as, in the U.S., the NSA under the Patriot Act and the Foreign Intelligence Surveillance Act24 – believe that their national laws entitle them to spy on the conduct of citizens of other countries by accessing infrastructures for information and communication technology, this doesn’t change the fact that German state bodies must work to protect holders of rights fundamentally safeguarded under German law against such an infringement. This will be difficult to achieve. Obviously, international agreements will have to be concluded – e.g. against infringement occasioned by encroachments in extraterritorial areas – and this will be a formidable task. The guarantee mandate provides normative guidance to German state entities when operating in the relevant trans- and international arenas. The objective must be to work toward compliance with the rule-of-law standards on which the citizens of such countries are entitled to rely, even in the case of encroachments by foreign agencies.

Since most of the larger companies involved in information and communication are headquartered in the U.S., and since they undoubtedly have an interest in having their worldwide activities protected by the U.S. government and its laws, – at least some of them have an incentive to cooperate with U.S. authorities25, even if not obliged to do so – and to block restrictive measures by other countries. The political influence of the U.S. as a global power and the technological, infrastructural, and communicative might of large U.S. IT companies complement each other. This commercial/political/military complex is threatening to become a hegemonic structure in the world of communication. A new form of colonialism might emerge here. It is incumbent upon states, but also the EU, to prevent this from occurring.

B. Protection mandates within the framework of the EU

The protective norms applicable at the EU level also have objective content, at least in part.26 These include the guarantees under the European Convention on Human Rights (see art. 6(2) and (3) of the Treaty on European Union (TEU)).27 Also noteworthy in EU law are arts. 16(1) and 18(1) of the Treaty on the Functioning of the European Union (TFEU) and arts. 1, 6, 7, 8, and 11 of the Charter of Fundamental Rights of the European Union28 , as well as fundamental freedoms in EU law (in particular, arts. 26-66 TFEU) and special arrangements in the area of freedom, security, and justice (arts. 67-89 TFEU).29 . Mandates to protect and guarantee derive from these norms as well, which enable action to be taken and, in some cases, create an obligation to do so.30 In view of the significance for the realisation of fundamental rights and freedom in the EU, as well as that of the obligation to promote European integration, they also have an effect on the implementation of general legal principles under EU law. For instance, they also have an impact on the fulfilment of the mandate to establish and develop trans-European telecommunications networks (arts. 170 et seq. TFEU).

To the extent that protection is achievable only through international agreements, the efforts to reach such understandings also form part of the protection mandates under EU law. European treaties provide for reciprocal support by the European Union and the Member States in fulfilling their obligations thereunder, including where fulfilment of such obligations has trans- and international aspects. Member states are obliged to coordinate their action (art. 34 TEU).

In view of the significance of the EU for many areas of life, including for the protection of essential infrastructures, it will have to come to see itself as a community for guaranteeing the freedoms not just of companies but also of individual citizens.

C. Protection mandates under international law

Obligations to protect are also recognised (at least in principle) in international law.31 Particularly pronounced is so-called diplomatic (especially consular) protection, such as immunity

23 The German legal system recognises a “reservation as to what is feasible” in other contexts as well. See, e.g., Mehde, Grundrechte unter dem Vorbehalt des Möglichen (2000), p. 80.

24 In the documentation published by the U.S. government at, section 215 of the Patriot Act and section 702 of the Foreign Intelligence Surveillance Act are constantly cited as forming the legal basis for foreign surveillance. See now also USA Freedom Act of 2015.

25 However, they risk losing the confidence of users, thereby threatening the success of their business models.

26 For the literature, see also the references supra, notes 13-18, and Calliess, “Schutzpflichten”, in Handbuch der Grundrechte, vol. II (2006), § 44, margin no. 17.

27 On the obligations to guarantee set down there, see Grabenwarter/Pabel, Europäische Menschenrechtskonvention, 5th ed. 2012, pp. 138 et seq.

28 In terms of the European Convention on Human Rights, arts. 8 and 10 are particularly worthy of mention. The European Court of Human Rights has held that so-called “exploratory” or general surveillance is not permitted. See judgment of 6 September 1978, Case of Klass and Others v. Germany, application no. 5029/71; judgment of 10 February 2009, Case of Iordachi and Others v. Moldova, application no. 25198/02. Furthermore, the Court assumes that the “mere existence of legislation which allows a system for the secret monitoring of communications entails a threat of surveillance for all those to whom the legislation may be applied.” See decision on admissibility of 29 June 2006, Weber and Saravia v. Germany, application no. 54934/00.

29 See Papier, “Drittwirkung”, in Handbuch der Grundrechte, vol. II (2006), margin nos. 49 et seq.

30 On the fundamental issues (particularly with regard to the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union), cf. also Seifert, Die horizontale Wirkung von Grundrechten (2011), pp. 698 et seq.

31 See, among others, Seibert-Fohr, “Die völkerrechtliche Verantwortung des Staats für das Handeln von Privaten: Bedarf nach Neuorientierung?”, ZaöRV 2013, pp. 43 et seq., 49 et seq., 55 et seq.; Scheidler, “Der Schutz deutscher Staatsangehöriger gegenüber der Hoheitsgewalt ausländischer Staaten”, DÖV 2006, pp. 417 et seq; Koenen, Wirtschaft und Menschenrechte. Staatliche Schutzpflichten auf der Basis regionaler und internationaler Menschenrechtsverträge (2012), pp. 201 et seq. and passim.

Hoffmann-Riem, Surveillance (BLJ 2015, 2)49

against criminal prosecution or seizure of private property.32 Diplomatic protection has a long tradition and is set down, inter alia, as a fundamental right.33 The normative premises underlying this protection can also be extended to the threat exposure addressed here. Efforts have to be made to expand this recognised legal doctrine through development of the law so as to enable protection to be extended beyond the cases of application covered in the past and encompass those encroachments in communication that take place in foreign or extraterritorial areas.

Also relevant are international human rights accords34 – such as art. 17 of the International Covenant on Civil and Political Rights (ICCPR)35 (right to privacy and freedom of correspondence) and art. 19 ICCPR (right to freedom of opinion and to seek, receive and impart information). Civil rights accords are vested with objective dimensions.36 However, there are difficulties in implementation.37

D. Discretion in fulfilling protection mandates

States as subjects of international law, as well as EU and state bodies, do however have discretion in implementing protection mandates.38 In view of the great significance of freedom of communication and of the use of infrastructures for information and communication technology, German and European bodies may not in principle question the “whether” of protective measures. If failure to act gives rise to considerable risks for the protection of fundamental rights and, in general, for the functioning of IT systems, a limiting of political discretion should be considered. This may consist of obligating the responsible state and EU bodies to become active in implementing the guarantee mandate in the trans- and international area. However, because of broad discretion, the “how” is essentially up to them. But there remains the obligation to take expedient measures, such as realistically facilitating the protection of fundamental rights and maintaining the functioning of IT systems.

E. On the need to reform protection of freedom at the global level

In a globally networked world, while protection can also be guaranteed at the national level, substantial protection has to take place at the global level, or at least in a globally networked manner. States are confronted with a global challenge to accord protection to each and every (world) citizen in view of new threats. To this end, it is not enough to merely add to the many civil rights of the many users in each and every country. What is needed is a reform of the protection of freedom at the global level. This may require a paradigm shift, a further surmounting of territorial constrictions in protection of freedom, which has to be coupled with new possibilities for protection, including by courts.

While legal responses can be and must be set down in various national and supranational legal systems, such as in the European Union, they should increasingly be taken into account at the transnational level, particularly the global level. Therefore, they also necessarily form part of transnational constitutionalisation and emerging transnational law.39

However, it will not be easy to motivate various nations, organisations, and companies to create regulatory structures that are effective at the international and transnational level, given that they often have conflicting interests. In this regard, it would be misguided to ward off risks solely under one model or concept and to primarily view protection of freedom as a problem of protecting specific rights. In some cases, the protection of specific rights is indispensable. But to the extent that freedom is threatened by systems – here, by global IT systems committing encroachments on a massive scale – the specific threats are utterly incapable of being perceived and influenced. The protection of specific rights alone is not enough. Protection of freedom demands comprehensive protection, particularly systemic protection. Indispensable for the future are new concepts for the protection of freedom and protective measures for its globalisation, in this case, with regard to the use of global infrastructures of information and communication technology.

The designing of IT infrastructures in legal and practical terms affects powerful interests, including political influence, military clout, and the relationship between security and freedom, but also access to information that is important for the economic competition engaged in by companies and

32 See, e.g., Kmentt, Grenzüberschreitendes Verwaltungshandeln, 2010, at p. 177, with further references in footnotes 93-94.

33 Id. at p. 177, footnote 94. Specifically, there is a great deal of controversy here. Cf., e.g., Katzarov, “Hat der Bürger ein Recht auf diplomatischen Schutz?”, ÖZöR NF 8 (1957/8), pp. 434,443 et seq; comprehensively, Stahl, Obligations to Protect in International Law, 2012.

34 On the reach of these accords, see Vedder, “Die allgemeinen UN-Menschenrechtspakte und ihre Verfahren”, in Handbuch der Grundrechte, vol. VI/2 (2009), § 174.

35 Data collection constitutes an interference with art. 17(1) ICCPR. See, e.g., the report of the special rapporteur for freedom of opinion, F. Larue (2011): According to the report, the protection of communication via the Internet is covered by the right to privacy and freedom of correspondence.

36 See, e.g., Ziemele, “International Protection of the Right to Privacy”, Max Planck Encyclopedia of International Law (2009), No. 4. See also Nowak, U.N. Covenant on Civil and Political Rights. 2nd ed. 2005, pp. 379 et seq., 448-49.

37 For instance, while a complaint brought by a state before the Human Rights Committee against the U.S. or the UK is theoretically conceivable, this option is almost never used. A complaint brought by an individual under the First Optional Protocol will fail because the U.S. and the UK have not acceded to it. Nor has the U.S. submitted to the jurisdiction of the ICJ. In the context under discussion here, it is important to note that the U.S. views the ICCPR as stipulating requirements for domestic actions, and it rejects its validity for extraterritorial actions. See Koenen (Fn.28), p. 153.

38 Cf. BVerfGE 77, pp. 84, 106; BVerfGE 110, pp. 141, 157-58; BVerfGE 117, pp. 163, 183; BVerfGE 121, pp. 317, 350; BVerfG, NJW 2012, pp. 1062, 1063. See also Powell and Rayner v. the United Kingdom, A/172 (1990), 12 E.H.R.R. pp. 355, 369, para. 45. For an extensive treatment of the margin of appreciation and obligations to protect under the European Convention on Human Rights, see Klatt, Positive Obligations under the European Convention on Human Rights, ZaöRV 2011, pp. 691, 711 et seq.

39 See, e.g., Fischer-Lescano, Globalverfassung (2005), with further references. On the limits of the capability of transnational, non-sovereign regulation generally, see Berman, Globaler Rechtspluralismus in: Kötter, Matthias/Schuppert, Gunnar Folke (Hrsg.), Normative Pluralität ordnen. Rechtsbegriffe, Normenkollisionen und Rule of Law in Kontexten dies- und jenseits des Staates, (2009), S. 41 ff, 135; Winter, Transnationale Regulierung: Gestalt, Effekte und Rechtsstaatlichkeit, in: Das Parlament, Beilage 2009, Nr. 8, S. 9 ff.. Further considerations on transnational law can be found in Viellechner, Transnationalisierung des Rechts (2013).

Hoffmann-Riem, Surveillance (BLJ 2015, 2)50

states. To this extent, power issues are highly relevant here.

In view of the many conflicting interests, it has to be expected that the bodies that are politically responsible for making decisions will only haltingly – if at all – face up to the obligation to provide an effective guarantee for concerns of freedom. This is shown at present by the feeble reactions by policymakers to the uncovered spying scandal. To all appearances, political decision-makers have knowledge of activities of intelligence services that are so explosive that they are reluctant to disclose the extent of the actions and the collaboration between various intelligence services, to facilitate public discussion, or to see to changes.

This shows that the task of reforming the protection of freedom cannot by any means be entrusted solely to politicians. Academics as well as non-profit organisations, the internet community and other parts of civil society also need to take up this issue and develop concepts of global governance and the legal structures to frame it.