Image: Mo Photography Berlin / Shutterstock.com
The online portal heise.de reports on a ruling with explosive implications for the control of German intelligence services: The Federal Administrative Court has ruled that the Federal Commissioner for Data Protection and Freedom of Information (BfDI) cannot enforce its supervisory rights over the Federal Intelligence Service (BND) in court.
Specifically, the question was whether the data protection supervisory authority could demand access to certain orders issued by the BND—and, if necessary, take legal action to obtain such access. The court ruled that this was not the case and dismissed the action as inadmissible (Ref. 6 A 2.24). The corresponding press release can be viewed on the website of the Federal Administrative Court.
Dispute over access to secret measures
The proceedings began with an inspection visit by the data protection authority to the BND. During this visit, the BfDI requested access to internal orders issued by the intelligence service.
These documents concern so-called CNE measures (Computer Network Exploitation). These include digital interventions in IT systems abroad—for example, measures that could technically be considered state-sponsored "hacking."
However, the BND refused to allow access to these documents. The data protection officer then sought a court ruling on whether she could enforce her supervisory rights in court if necessary.
Court sees no right to sue
The Federal Administrative Court has now clarified that the applicable legal provisions governing data protection supervision do not confer an enforceable right of access.
In the opinion of the judges, the relevant provisions of the BND Act and the Federal Constitution Protection Act do not give rise to a so-called "defensible legal position." This means that the data protection officer lacks the basis for enforcing her claims before an administrative court.
In other words, even if the BND refuses to disclose information, the data protection supervisory authority cannot take legal action against it.
Only appeals to the Chancellery are possible
Under current law, the BfDI has only one other option: it can lodge a complaint with the Federal Chancellery about the refusal to grant access.
However, this instrument has its limitations. It does not allow for binding orders to be issued to the intelligence service. According to the court, this is precisely in line with the intention of the legislature.
Warning about "control-free spaces"
The Federal Data Protection Commissioner, Louisa Specht-Riemenschneider, is critical of the decision. She fears that the ruling could create areas that are effectively exempt from independent control.
Heise quotes Specht-Riemenschneider:
"As a result of the ruling, I fear that uncontrolled areas will emerge in the field of intelligence services. The controlling authority can now effectively decide for itself what I am allowed to see and what I am allowed to control."
Citizens are particularly dependent on external oversight in the area of intelligence, because those affected by surveillance measures are usually completely unaware of them.
Call for legislative change
The data protection commissioner is therefore calling for a legal amendment. In her view, there must be an independent body that can rule on disputes between the supervisory authority and the intelligence service—ideally a court.
She also emphasizes:
"I must be able to enforce my supervisory rights in court in the interest of protecting fundamental rights."
comment
The decision highlights a fundamental conflict in security law: intelligence services inevitably operate in secret, while at the same time a democratic constitutional state requires effective oversight. If a supervisory authority cannot enforce its rights in court, it quickly creates the impression that the body being monitored ultimately determines for itself how far oversight extends. This is precisely where the real political discussion begins.
