Germany
EU member state with 17 data protection authorities and a federal data protection framework
Overview
Germany is an EU member state. The EU-wide framework (GDPR, LED, ePrivacy Directive) applies and is covered on the EU Framework page. This page covers national implementation, derogations, and country-specific laws.
Germany is a member of the Fourteen Eyes intelligence alliance (SIGINT Seniors of Europe / SSEUR), placing it in a unique position as both an active advocate for data protection and an active participant in multinational signals intelligence sharing. Germany’s privacy culture is deeply embedded in its constitutional law, where Article 1 of the Basic Law (Grundgesetz) enshrines human dignity as inviolable, and the Federal Constitutional Court derived an explicit right to informational self-determination (Recht auf informationelle Selbstbestimmung) in its landmark 1983 Census decision.[1] This tradition has given Germany one of the more detailed privacy frameworks among EU member states.
Germany’s federal structure produces a uniquely complex data protection landscape. The federal government has its own commissioner (BfDI), while each of the 16 Bundesländer operates an independent state-level data protection authority, totalling 17 DPAs nationwide. Bavaria adds a further layer of complexity by splitting its authority into separate public-sector and private-sector supervisors. This fragmentation has led to inconsistent enforcement across states, forum-shopping by companies that establish headquarters in states perceived as less aggressive, and coordination challenges that the Data Protection Conference (DSK) was created to address.
As of 2025, the German data protection landscape is undergoing a major structural reform. The April 2025 coalition agreement between CDU/CSU and SPD proposes to centralize private-sector data protection supervision under the federal commissioner, a change that would end Germany’s status as the only EU member state where private-sector oversight is split among 17 separate authorities.[2] The agreement also envisions a new data retention regime, expanded BfDI powers, and binding authority for the Data Protection Conference (DSK).
Data Protection Authorities
BfDI – Federal Commissioner for Data Protection and Freedom of Information
Current head: Prof. Dr. Louisa Specht-Riemenschneider, elected by the Bundestag on 16 May 2024 and appointed by Federal President Steinmeier, taking office in September 2024. She is a former professor of civil law at the University of Bonn and the second woman to hold the office. Her five-year term runs until 2029, with stated priorities in health data, artificial intelligence, and security.[3]
Predecessor: Prof. Ulrich Kelber served as BfDI from January 2019 to September 2024, during a period of intense activity including early GDPR implementation and the first years of the TTDSG/TDDDG.
Jurisdiction: The BfDI supervises all public authorities of the Federal Government, including federal ministries and agencies. Within the GDPR’s scope, it can issue binding orders and instructions. It can impose fines on non-public entities subject to its supervision (principally postal and telecommunications companies) as well as on Federal Government enterprises that operate in competition with private firms (e.g., Deka Bank, KfW Bank). Its tasks and powers are set out in Articles 51–59 GDPR and Sections 8–19 BDSG.[4]
Independence: The BfDI operates with complete independence from government instruction, as required by both the Basic Law and GDPR Article 52. The commissioner is elected by the Bundestag on the proposal of the Federal Government and formally appointed by the Federal President.
Planned reform (2025): Under the coalition agreement described above, the BfDI would be renamed “Federal Commissioner for Data Utilisation, Data Protection and Freedom of Information” (Bundesbeauftragter für Datennutzung, Datenschutz und Informationsfreiheit), with centralized private-sector competencies and the DSK anchored in the BDSG with binding standard-setting powers.[2]
16 State Data Protection Authorities (Landesdatenschutzbeauftragte)
Germany has 16 state data protection authorities, one for each Bundesland. All state DPAs except Bavaria’s are responsible for both public-sector and private-sector data protection within their state. This makes Germany unique in the EU, as no other member state distributes private-sector data protection enforcement across regional authorities.
Bavaria’s unique split: Bavaria is the only German state that divides data protection supervision between two separate authorities. The Bayerischer Landesbeauftragter für den Datenschutz handles public-sector oversight, while the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) in Ansbach handles private-sector supervision. The BayLDA has been one of Germany’s most active GDPR enforcers, particularly regarding international data transfers, cookie consent, and website tracking.[5]
Freedom of information: Thirteen of the 16 state DPAs also serve as freedom-of-information commissioners: Baden-Württemberg, Berlin, Brandenburg, Bremen, Hamburg, Hesse, Mecklenburg-Vorpommern, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, Saxony-Anhalt, Schleswig-Holstein, and Thuringia. Bavaria, Lower Saxony, and Saxony do not combine these roles.
DSK – Data Protection Conference (Datenschutzkonferenz)
The independent DPAs of federal and state levels meet biannually at the Data Protection Conference (DSK) to adopt coordinated resolutions, decisions, guidance, and statements. The DSK has served as the primary mechanism for harmonizing Germany’s fragmented data protection enforcement, issuing influential guidance on topics including international data transfers, consent management platforms, video surveillance in workplaces, and the use of Microsoft 365 in public administration.[2]
However, DSK resolutions have historically been non-binding, and individual DPAs can and do depart from DSK positions, leading to inconsistent enforcement. The 2025 coalition agreement proposes to change this by anchoring the DSK in the BDSG with binding standard-setting powers, which would represent a significant shift toward harmonized enforcement.
Notable state-level enforcement: Hamburg has taken repeated enforcement actions against Hamburg-headquartered companies including Google (Street View data collection), Facebook (automatic facial recognition), and data exchanges between Facebook and WhatsApp. Berlin has been active in enforcing GDPR requirements against real estate companies and public bodies. The BayLDA serves as a key private-sector enforcer and has been particularly focused on website compliance and tracking technologies.[5]
National Framework
BDSG – Bundesdatenschutzgesetz (Federal Data Protection Act, 2017 revision)
The BDSG came into effect on 25 May 2018 alongside the GDPR and serves as Germany’s national GDPR implementation law, fine-tuning GDPR provisions for the German legal context. Germany has a long history of data protection legislation, as the original BDSG of 1977 was among the first national data protection laws in the world, and the current version is the third major iteration.[6]
Section 26 (Employee Data Protection): This was the central provision governing workplace data processing. It allowed employers to process personal data without consent where necessary for starting, maintaining, or ending an employment relationship. However, the Federal Labour Court (BAG) declared Section 26(1) sentence 1 BDSG invalid on 9 May 2023 (case 1 ABR 14/22), ruling it did not meet the requirements of GDPR Article 88 for member-state derogations regarding employment data. The court found that the provision merely repeated GDPR Article 6(1)(b) without adding the “more specific rules” and “suitable and specific measures” that Article 88(2) requires.[7]
This landmark decision has created significant legal uncertainty for employee data processing across Germany, as Section 26 was the primary legal basis relied upon by virtually all German employers. Companies must now fall back on general GDPR provisions, primarily Article 6(1)(b) (performance of a contract) and Article 6(1)(f) (legitimate interests), until dedicated replacement legislation is enacted.
Video surveillance (Section 4): Specific rules for video surveillance of publicly accessible premises by private and public bodies, supplementing the GDPR’s general provisions on lawful processing. Section 4 has itself been the subject of legal controversy, with the Federal Administrative Court finding it partly inapplicable to private-sector surveillance.
Scoring (Section 31): Specific provisions on automated scoring and creditworthiness assessments, establishing conditions under which probability values (scores) may be used to predict future behaviour. This section requires that scoring methods be scientifically recognized, and that the data used be demonstrably relevant to the assessment. It has been applied in conjunction with the CJEU’s December 2023 SCHUFA ruling (C-634/21), which found that automated credit scoring constitutes “automated individual decision-making” under GDPR Article 22.[6]
Data Protection Officers: Mandatory appointment for companies regularly employing at least 20 persons engaged in automated personal data processing, a significantly lower threshold than the GDPR’s general criteria. This reflects Germany’s long tradition of mandatory DPOs, which predates the GDPR by decades. The DPO threshold was raised from 10 to 20 persons in 2019 to reduce the burden on small businesses, a change that was itself controversial among privacy advocates.[6]
TDDDG – Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz
The act was originally enacted as the TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) on 1 December 2021, merging the privacy provisions of the old Telecommunications Act (TKG) and Telemedia Act (TMG) into a single statute. It was renamed the TDDDG on 14 May 2024 to reflect its expanded scope beyond traditional telemedia to encompass all digital services.[8]
Section 25 (Cookie/Tracking Consent): Implements Article 5(3) of the ePrivacy Directive. Requires valid end-user consent for storing or accessing information on terminal equipment unless strictly necessary for providing a service explicitly requested by the user. Only two categories exist under German law: strictly necessary cookies (exempt from consent) and consent-based cookies. There is no intermediate “legitimate interest” category for tracking, a stricter interpretation than some other EU member states apply.[9]
Scope: Extends beyond traditional web browsers to cover Internet of Things (IoT) devices, smart home devices, connected vehicles, and other connected objects. This means that any device storing or accessing data on end-user equipment (including smart speakers, fitness trackers, and connected appliances) falls within the TDDDG’s consent requirements. The act applies to both German and foreign companies offering services to users in Germany.
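To make the two-category rule of Section 25 concrete, the following is an added example (not code from this page, from any German authority, or from any consent management vendor) of a consent gate that a service could place in front of every operation that stores or reads information on a user’s terminal equipment, whether browser cookie, local storage, or an IoT device’s memory. Purpose keys, the in-memory storage stand-in, and the sample scenario are constructed for illustration; the only two accepted categories are “strictly necessary” and “consent-based”, and any other asserted basis such as “legitimate interest” is refused, mirroring the page’s description of German law.

```javascript
// Added example: a minimal consent gate modelling the two-category rule of
// Section 25 TDDDG. Operations on terminal equipment are tagged with a
// category; only "strictly necessary" operations run without consent, and
// everything else needs an explicit, recorded opt-in that can be withdrawn.
// Purpose names, the storage stand-in and the scenario are constructed.

const PURPOSE = {
  STRICTLY_NECESSARY: 'strictly_necessary', // e.g. session cookie for a login the user requested
  CONSENT_BASED: 'consent_based',           // e.g. analytics, advertising, cross-site tracking
};

// Consent record as a consent management platform might persist it.
// Assumption: granular consent per named purpose key; default is "not granted".
function createConsentState() {
  return { granted: new Set(), decidedAt: null };
}

function recordConsent(state, purposeKeys, granted, now = Date.now()) {
  for (const key of purposeKeys) {
    if (granted) state.granted.add(key);
    else state.granted.delete(key); // withdrawal must be honoured immediately
  }
  state.decidedAt = now;
  return state;
}

// Decide whether an operation that stores or reads information on terminal
// equipment may proceed. Returns a decision object so callers can audit it.
function mayAccessTerminalEquipment(op, state) {
  if (op.category === PURPOSE.STRICTLY_NECESSARY) {
    return { allowed: true, reason: 'strictly necessary for the requested service (Sec. 25 TDDDG exemption)' };
  }
  if (op.category === PURPOSE.CONSENT_BASED) {
    if (state.granted.has(op.purposeKey)) {
      return { allowed: true, reason: `consent recorded for ${op.purposeKey}` };
    }
    return { allowed: false, reason: `no consent for ${op.purposeKey}` };
  }
  // Any other asserted basis (e.g. 'legitimate_interest') is rejected outright:
  // no third category exists under Section 25.
  return { allowed: false, reason: `unrecognised basis "${op.category}": only two categories exist` };
}

// In-memory stand-in for cookies / localStorage / device storage so the example
// runs outside a browser; in production the same gate would wrap the real APIs.
function makeGatedStorage(state, audit = []) {
  const backing = new Map();
  return {
    set(op, key, value) {
      const d = mayAccessTerminalEquipment(op, state);
      audit.push({ action: 'set', key, ...d });
      if (d.allowed) backing.set(key, value);
      return d.allowed;
    },
    get(op, key) {
      const d = mayAccessTerminalEquipment(op, state);
      audit.push({ action: 'get', key, ...d });
      return d.allowed ? backing.get(key) : undefined;
    },
    audit,
  };
}

// Worked scenario: a login session cookie, an analytics identifier, and a
// tracker that claims "legitimate interest" (constructed values throughout).
function runScenario() {
  const state = createConsentState();
  const storage = makeGatedStorage(state);
  const session = { category: PURPOSE.STRICTLY_NECESSARY, purposeKey: 'session' };
  const analytics = { category: PURPOSE.CONSENT_BASED, purposeKey: 'analytics' };
  const tracker = { category: 'legitimate_interest', purposeKey: 'ad_tracking' };

  const results = {
    sessionBeforeConsent: storage.set(session, 'sid', 'constructed-session-id'),
    analyticsBeforeConsent: storage.set(analytics, '_ga', 'constructed-analytics-id'),
    trackerAlways: storage.set(tracker, 'trk', 'constructed-tracker-id'),
  };
  recordConsent(state, ['analytics'], true);
  results.analyticsAfterConsent = storage.set(analytics, '_ga', 'constructed-analytics-id');
  recordConsent(state, ['analytics'], false);
  results.analyticsReadableAfterWithdrawal = storage.get(analytics, '_ga') !== undefined;
  results.deniedCount = storage.audit.filter((e) => !e.allowed).length;
  return results;
}

module.exports = { PURPOSE, createConsentState, recordConsent, mayAccessTerminalEquipment, makeGatedStorage, runScenario };
```

The audit trail produced by makeGatedStorage is the part a supervisory authority such as the BayLDA would ask for: it records, per access, which category was claimed and why the access was allowed or refused, which is what demonstrates that consent-based storage never happened before consent existed.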
Secrecy of telecommunications: Comprehensive provisions ensuring the confidentiality of communications content and metadata, implementing the constitutional guarantee of Article 10 of the Basic Law at the provider level.
PIMS (Personal Information Management Systems): Section 26 of the TDDDG introduces provisions for recognized personal information management systems that allow users to manage consent centrally, though implementation details remain under development.
Penalties: Fines up to EUR 300,000 for violations of the TDDDG’s own provisions. These are separate from and in addition to GDPR fines, which can reach EUR 20 million or 4% of annual global turnover.[8]
TKG – Telekommunikationsgesetz (Telecommunications Act, 2021 revision)
The TKG was comprehensively revised in 2021 to implement the European Electronic Communications Code (Directive (EU) 2018/1972). Data protection provisions formerly contained in the TKG were extracted and consolidated into the TTDSG (now TDDDG). The revised TKG focuses primarily on telecommunications regulation, customer protection, network infrastructure requirements, and market oversight by the Bundesnetzagentur (Federal Network Agency).[10]
Surveillance and Intelligence Laws
BND Act (BND-Gesetz) – Federal Intelligence Service Act
The Bundesnachrichtendienst (BND) is Germany’s foreign intelligence service, headquartered in Berlin since its relocation from Pullach in 2019. The BND Act (BNDG) provides the legal basis for its operations, including the collection and evaluation of information on foreign countries that is relevant to German foreign and security policy.[11]
2016 Reform: Following the Snowden revelations and the selectors scandal, the Bundestag passed a reformed BND Act in 2016. While presented as increasing oversight, the reform effectively expanded and codified legal authorities for foreign surveillance, including the BND’s ability to conduct strategic telecommunications surveillance of foreign targets.
May 2020 Constitutional Court Ruling (BVerfG, 1 BvR 2835/17): In a landmark decision on 19 May 2020, the Federal Constitutional Court ruled that the BND is bound by fundamental rights under the Basic Law (Grundgesetz) when conducting surveillance of foreign telecommunications of foreigners abroad. This was unprecedented: the Court extended the protection of Article 10 (secrecy of telecommunications) and Article 5 (freedom of the press) extraterritorially, holding that the binding force of German fundamental rights does not end at the country’s borders. The Court found the 2016 BND Act largely unconstitutional, but allowed continued application until 31 December 2021 to permit legislative reform.[11][12]
The ruling was brought by a coalition of journalists, media organizations, and civil liberties groups including RSF (Reporters Without Borders) and the GFF (Gesellschaft für Freiheitsrechte). Its significance extends far beyond Germany, as it established that a state’s constitutional obligations to protect fundamental rights apply to its intelligence activities regardless of where those activities take place or whom they target.
2021 BND Act Reform: The Bundestag passed a revised BND Act in spring 2021 to comply with the Constitutional Court’s ruling. Key changes included establishing an Independent Oversight Council (Unabhängiger Kontrollrat) with judicial-like review powers and new procedural safeguards for press freedom. However, the reform was criticized by press freedom organizations including RSF and the GFF as inadequate, particularly regarding protections for journalists and their sources. RSF filed a second constitutional complaint against the reformed act, arguing it still permits mass surveillance that chills press freedom.[13][14]
G10 Act (Artikel 10-Gesetz)
The G10 Act (Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses) restricts the constitutional guarantee of secrecy of correspondence, posts, and telecommunications enshrined in Article 10 of the Basic Law. It provides the legal basis for both individual-targeted and strategic surveillance measures by the BND and domestic intelligence services.[15]
Individual measures (Section 3): Permits targeted surveillance of specific individuals’ telecommunications when there are factual indications that the person is planning, committing, or has committed certain serious criminal offences, or that the measure is necessary to avert threats to the security of the Federal Republic.
Strategic surveillance (Section 5): Authorizes the BND to conduct strategic surveillance of international telecommunications using search terms (selectors). Rather than targeting specific individuals, certain geographic regions are defined as intelligence areas for monitoring. Permissible purposes include countering international arms proliferation, internationally organized money laundering, international terrorism, and, under the contested provision, cyber threats to critical infrastructure.
G10 Commission: An independent oversight body of the Bundestag that reviews and approves measures under the G10 Act before they are implemented. Composed of members appointed by the PKGr, the Commission must approve all individual surveillance measures and reviews strategic surveillance orders. However, the Constitutional Court has found this oversight insufficient in its current form, particularly regarding the depth of review and the Commission’s resources.
October 2024 Constitutional Court Ruling (BVerfG, 1 BvR 1743/16): In a decision published in October 2024, the First Senate found that Section 5(1) third sentence no. 8 of the G10 Act (strategic surveillance for cyber threat detection) is incompatible with Article 10(1) of the Basic Law. The Court identified four key deficiencies: insufficient separation of domestic communications data from foreign collection, inadequate protection of the core of private life (Kernbereich privater Lebensgestaltung), premature deletion of documentation on fundamental-rights encroachments that impedes effective oversight, and insufficient court-like oversight of BND activities. The provision may continue to apply until 31 December 2026 at the latest, by which time the legislature must enact compliant replacement provisions.[15][16]
Operation Eikonal and the Selectors Scandal
The most significant publicly known BND-NSA collaboration, Operation Eikonal, was based on a Memorandum of Agreement signed 28 April 2002. The operation established agreed areas of cooperation including counter-terrorism, organized crime, and WMD proliferation. A Joint SIGINT Activity (JSA) operated from the Mangfall Barracks in Bad Aibling, Bavaria, beginning in 2004, with German and American intelligence personnel working side by side on signals collection and analysis.[17]
Selectors Scandal (2015): Der Spiegel revealed that the NSA had used BND infrastructure to spy on European and German targets, directly violating the terms of their cooperation agreement. A BND internal review found at least 2,000 NSA “selectors” (search terms targeting specific communications) that were directed at Western European or German interests, including European heads of state and defence ministries. A subsequent Bundestag parliamentary investigation committee (NSA-Untersuchungsausschuss) uncovered approximately 40,000 suspicious search parameters targeting Western European governments and companies, a massive breach of the 2002 Memorandum of Agreement.[17][18]
The scandal demonstrated that intelligence-sharing agreements between Fourteen Eyes partners carry inherent risks of abuse, even when explicit limitations are contractually agreed. It contributed directly to the political pressure behind the BND Act reforms and the Constitutional Court challenges that followed.
Intelligence Agencies
Germany operates three federal intelligence agencies, all of which participate in international intelligence-sharing arrangements through the Fourteen Eyes (SSEUR) alliance and other cooperative frameworks including the Maximator alliance and bilateral partnerships.
BND – Bundesnachrichtendienst (Federal Intelligence Service)
Germany’s foreign intelligence service, responsible for collecting and evaluating information of foreign and security policy significance. It has been headquartered in Berlin since 2019, in a new complex that is one of the larger government buildings in Europe. The BND is the primary German participant in the SIGINT Seniors of Europe (SSEUR) and has been granted access to the NSA’s XKeyscore system, a search and analysis tool for signals intelligence data.[17]
The BND also participates in the Maximator alliance, a European signals intelligence partnership alongside Denmark, Sweden, the Netherlands, and France, which has operated since the late Cold War period. The Maximator alliance focused primarily on breaking encryption systems used by third countries and sharing the resulting intelligence product among its members.[19]
BfV – Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution)
Germany’s domestic intelligence agency, established in November 1950 under the Federal Ministry of the Interior. Legal basis: BVerfSchG (Bundesverfassungsschutzgesetz), Section 3. Core tasks include collecting and evaluating information on efforts directed against the free democratic basic order (freiheitliche demokratische Grundordnung), counterintelligence against foreign intelligence activities, and counter-sabotage. The BfV has no police or arrest powers, a deliberate design choice reflecting lessons from the Nazi era’s merger of intelligence and police functions.[20]
Each of the 16 states also maintains its own Landesamt für Verfassungsschutz (LfV), creating a federated domestic intelligence structure. The relationship between the federal BfV and state LfVs has been a source of recurring controversy, particularly following the failures to detect the National Socialist Underground (NSU) terrorist cell despite multiple points of contact with state intelligence agencies.
Oversight: The BfV is subject to oversight by the Federal Ministry of the Interior (administrative and functional control), the Bundestag’s Parliamentary Oversight Panel (PKGr), the BfDI for data protection compliance, and the Federal Court of Auditors.[21]
MAD – Militärischer Abschirmdienst (Military Counterintelligence Service)
The third federal intelligence agency, responsible for military counterintelligence within the Bundeswehr. Subordinate to the Federal Ministry of Defence, headquartered in Cologne with 12 offices throughout Germany, approximately 1,300 employees, and a 2019 budget of EUR 113.25 million.[22]
Legal basis: MADG (MAD-Gesetz, 20 December 1990, as amended), in conjunction with the BVerfSchG and SuG (Security Clearance Check Act). Tasks include counterintelligence and detection of anti-constitutional activities within the Bundeswehr, protection from sabotage and foreign espionage, vetting new armed forces members, and monitoring for extremism. Like the BfV, the MAD has no police powers and cannot make arrests.[23]
Commercial Surveillance Procurement
Germany’s relationship with commercial surveillance technology reflects a fundamental tension: the same country that established extraterritorial protections for fundamental rights in its May 2020 BND ruling has also procured surveillance tools from vendors whose technologies are deployed globally with minimal human rights oversight. This contradiction reveals how commercial surveillance markets can undermine constitutional protections by routing capabilities outside traditional intelligence frameworks.
Palantir Technologies: State-Level Adoption Despite Federal Concerns
While Germany’s federal government has expressed concerns about data sovereignty and Palantir’s ties to US intelligence agencies, at least three German states have procured Palantir platforms for law enforcement and intelligence purposes. These state-level contracts operate independently of federal oversight structures, creating a fragmented surveillance procurement landscape that mirrors Germany’s decentralized data protection enforcement model.[40]
The use of Palantir by state police forces (Landespolizei) and state-level intelligence agencies (Landesämter für Verfassungsschutz) raises questions about extraterritorial data access. Under the US CLOUD Act, Palantir could be compelled to produce data stored on its platforms to US law enforcement agencies, potentially including intelligence data collected by German authorities. This creates a legal pathway for US access to German law enforcement data that bypasses the mutual legal assistance treaty (MLAT) framework and the privacy safeguards Germany negotiated with the United States.
NSO Group Pegasus: Federal Criminal Police Procurement
Germany’s Federal Criminal Police Office (Bundeskriminalamt / BKA) purchased NSO Group’s Pegasus spyware, the same tool used by authoritarian regimes to target journalists, human rights defenders, and political opposition figures worldwide. The procurement was justified as necessary for counterterrorism investigations, but the decision placed Germany in the position of funding a surveillance vendor whose technologies have been directly linked to extrajudicial killings (the murder of Jamal Khashoggi) and systematic human rights abuses.[41]
The Pegasus procurement is notable given Germany’s constitutional protections. The Federal Constitutional Court has repeatedly held that surveillance powers must be narrowly tailored, subject to judicial oversight, and designed to protect the “core of private life” (Kernbereich privater Lebensgestaltung). Yet Pegasus operates as a total compromise tool: once deployed, it provides unrestricted access to all communications, photographs, location data, passwords, and encrypted messaging, with no technical mechanism to exclude the constitutionally protected “core” of private life from collection.
The Sovereignty Paradox
Germany’s procurement of US and Israeli surveillance technologies creates a sovereignty paradox. The BND is constitutionally bound to protect fundamental rights extraterritorially when conducting foreign surveillance, a standard that exceeds the constitutional requirements imposed on most other intelligence services. Yet when German law enforcement and state-level intelligence agencies purchase commercial spyware, those tools are subject to the legal jurisdiction of the vendor’s home country, not Germany’s constitutional protections.
This means that a BKA investigator using Pegasus operates under a legal framework governed by NSO Group’s Israeli export licenses, US foreign surveillance authorities (if data transits US infrastructure), and commercial terms of service, rather than the G10 Act, BVerfSchG, or Federal Constitutional Court precedents that would apply if the BKA developed equivalent capabilities domestically. The result is that commercially procured tools can circumvent Germany’s own constitutional safeguards.
Oversight Gaps
When the BND conducts strategic surveillance under the G10 Act, it must obtain approval from the G10 Commission, operate within parameters set by the Independent Oversight Council, and comply with the Federal Constitutional Court’s extensive jurisprudence on proportionality and fundamental rights protections. When state police forces purchase Palantir analytics or the BKA deploys NSO spyware, those procurements are subject to standard government contracting rules and normal criminal procedure, not the heightened oversight that applies to intelligence agencies.
The PKGr (Parliamentary Oversight Panel) has jurisdiction over the BND, BfV, and MAD, but not over law enforcement procurement of surveillance technologies. State-level intelligence agencies are subject to state parliamentary oversight, which varies widely in effectiveness across Germany’s 16 Bundesländer. The result is a patchwork of accountability mechanisms that fail to provide coherent oversight of commercial surveillance procurement.
Internet Exchange Point Surveillance: DE-CIX Frankfurt
Germany is home to DE-CIX Frankfurt, the world’s largest internet exchange point by data throughput, handling over 17 terabits per second of peak traffic as of 2024. DE-CIX’s infrastructure serves as a critical hub for European internet traffic, routing communications between networks across the continent, the Middle East, and Asia. For over two decades, the Bundesnachrichtendienst (BND) has conducted surveillance of traffic passing through DE-CIX, intercepting communications in bulk and sharing data with the NSA under the SIGINT alliance framework.
BND Surveillance of DE-CIX: The Legal Framework
Under the Article 10 Act (G10 Act), the BND is authorized to conduct “strategic surveillance” of international telecommunications, intercepting communications passing through German infrastructure when at least one endpoint is located outside Germany. The BND has used this authority to install intercept equipment at DE-CIX, copying data flows for analysis.[42]
The BND’s surveillance operates through selectors, search terms such as email addresses, phone numbers, IP addresses, or keywords used to filter intercepted traffic. The G10 Commission, a secret parliamentary body, reviews and approves selector lists. However, the volume of traffic passing through DE-CIX means that even “targeted” surveillance using selectors involves the initial collection and scanning of vast amounts of communications in bulk.
The NSA Connection: Sharing Data with Five Eyes
Documents from the Snowden disclosures revealed that the BND shares intercepted data from DE-CIX and other German IXPs with the NSA. Under the SIGINT alliance framework, the BND provides the NSA with access to German-collected intelligence, including metadata and content intercepted from European communications passing through Frankfurt.[43]
The partnership raised constitutional concerns because the BND was using selectors provided by the NSA, meaning the agency was conducting surveillance on behalf of a foreign power, targeting individuals and entities that had no connection to German national security. The investigations described above found selectors targeting European companies, politicians, and institutions, including Airbus, the European Commission, and French government officials.
Constitutional Court Rulings: 2020 and 2024
The Constitutional Court’s 2020 BND ruling (discussed above) directly implicated DE-CIX surveillance, as the Court found the BND’s bulk interception practices lacked sufficient safeguards for proportionality, necessity, and judicial oversight. The Court specifically criticized the BND’s practice of sharing raw intercept data with foreign intelligence services (including the NSA) without adequate review, finding that such transfers violated Germany’s obligations under international law and the principle of proportionality.[8]
The October 2024 G10 ruling further affected DE-CIX operations, as the Court struck down provisions governing cyber-threat intelligence collection for lacking adequate procedural safeguards and independent oversight of BND internet traffic interception.[9]
DE-CIX Legal Challenge
In 2016, DE-CIX itself filed a lawsuit challenging the BND’s surveillance, arguing that the agency’s bulk interception orders exceeded the legal authority granted under the G10 Act and violated the privacy rights of DE-CIX customers. The case worked its way through German courts for years.[44]
In 2022, the Federal Administrative Court ruled that the BND’s surveillance was lawful under the G10 Act as it existed at the time, but emphasized that the practice must comply with the constitutional standards set by the 2020 Constitutional Court ruling. The decision effectively validated the BND’s authority to intercept traffic at IXPs, while requiring enhanced safeguards and oversight.
Implications for European Internet Traffic
DE-CIX’s position as Europe’s largest internet exchange means that BND surveillance affects communications from across the continent. Traffic between France and Poland, Italy and Sweden, or Spain and the Netherlands may pass through DE-CIX’s Frankfurt infrastructure, subjecting European communications to German (and, by extension, NSA) interception even when neither endpoint is in Germany.
The infrastructure also handles traffic between Europe and the Middle East, Asia, and Africa. Communications between users in India and the UK, or between Saudi Arabia and France, routinely transit DE-CIX. The BND’s surveillance authority extends to this traffic as well, provided that the selectors target foreign intelligence objectives rather than purely domestic communications.
This creates a jurisdictional paradox: users in France, Italy, or Poland who communicate through services routing via DE-CIX are subject to German surveillance law and BND interception, despite having no connection to Germany beyond the routing path chosen by their internet service providers. For those users, Germany’s constitutional protections apply only to the extent required by the Federal Constitutional Court’s 2020 ruling, and oversight is conducted by the G10 Commission, a secret body with no public accountability and no mechanism for individuals to challenge their inclusion on selector lists.
Cryptography and the Right to Encryption
Germany has not enacted legislation mandating encryption backdoors or key escrow systems. This stance reflects both Germany’s historical sensitivity to state surveillance (shaped by the Stasi era in East Germany) and its role as a major technology economy within the European Union.[34]
No Restrictions on Encryption Use or Import
There are no restrictions on the import, development, or use of encryption products in Germany, whether hardware or software. Individuals and businesses may freely deploy cryptographic systems of any strength without prior authorization, licensing, or registration requirements.[35] The one practical caveat is export: cryptographic items fall under the EU dual-use export control regime (Regulation (EU) 2021/821, Category 5 Part 2), so shipping strong cryptography to destinations outside the EU can require a licence even though using it inside Germany does not.
Germany has no legal obligation for technology companies to implement backdoors for law enforcement or intelligence access. While German legislators have periodically debated whether to introduce backdoor requirements, particularly in the context of encrypted messaging services, no such legislation has been enacted as of February 2026.[35]
Proposed Right to Encryption (BMDV Draft Bill)
In February 2024, the Federal Ministry for Digital and Transport (BMDV) published a draft bill (Referentenentwurf) that would establish a statutory right to end-to-end encryption for users of messaging and cloud storage services. It is a rare example of a government proposing to mandate, rather than weaken, end-to-end encryption.[36]
Key provisions of the proposed legislation:
- Mandatory E2EE for Messengers: Providers of number-independent interpersonal communications services (including email, messenger, and chat services) would be required to either implement end-to-end encryption by default or ensure that users can enable E2EE
- Cloud Storage Services: Similar requirements would apply to cloud storage providers
- User Control: Users must have the ability to activate end-to-end encryption for their communications and data storage
- No Backdoor Mandates: The legislation explicitly rejects government-mandated backdoors or key escrow mechanisms
The BMDV’s proposal attracted significant international attention, with digital rights organizations praising the bill as a model for other governments. However, the draft also faced criticism from law enforcement agencies and intelligence services, who argued it would undermine lawful access to communications in criminal and terrorism investigations.[37]
As of February 2026, the bill has not been enacted and has not been passed by the Bundestag. It remains the subject of negotiations between the digital ministry, the Federal Ministry of the Interior (which oversees law enforcement and domestic intelligence), and the Federal Ministry of Justice.
Encryption as a Security Requirement
Several German laws affirmatively require encryption as a technical safeguard for data protection and cybersecurity:
GDPR and BDSG: Controllers and processors must implement technical and organizational measures appropriate to the risk, taking into account the state of the art (GDPR Article 32). Article 32(1)(a) names pseudonymization and encryption of personal data as the first example of such measures. It does not mandate encryption in every case, but where the risk is high its absence is difficult to justify, and German supervisory authorities have treated unencrypted transmission of sensitive data as an Article 32 violation.[38]
Telemedia security obligation (formerly Section 13(7) TMG, now Section 19 TDDDG): Providers of digital services must, as far as technically possible and economically reasonable, implement state-of-the-art technical and organizational measures to prevent unauthorized access to their systems and to personal data. The provision names the use of "a recognized secure encryption method" as such a measure. The TMG itself was repealed in May 2024, when the Digitale-Dienste-Gesetz (DDG) and the renamed TDDDG took over its functions.[38]
BSIG (BSI Act): The Federal Office for Information Security (BSI) provides guidance on encryption standards for federal government systems and critical infrastructure operators. Its cryptographic recommendations are published in Technical Guideline TR-02102 (recommended algorithms, protocols, and key lengths, updated regularly), which is treated as authoritative throughout the German public sector and increasingly by private-sector organizations that need to demonstrate state-of-the-art security.[39]
International Context
Germany's pro-encryption stance places it in tension with several of its intelligence-sharing partners in the Fourteen Eyes alliance. The United Kingdom's use of a Technical Capability Notice to force the withdrawal of Apple's Advanced Data Protection from the UK market, Australia's Technical Capability Notices and Technical Assistance Notices under the TOLA Act, and the ongoing "going dark" debate in the United States reflect a divergent approach among Western democracies.
Within the European Union, Germany has opposed proposals for mandatory client-side scanning in the Chat Control (CSAM Regulation) negotiations, arguing that such requirements would fundamentally undermine end-to-end encryption. Germany’s position (alongside the Netherlands, Poland, Austria, and other member states) contributed to the blocking minority that forced amendments to the Commission’s original proposal in October 2025.[34]
Parliamentary Oversight
PKGr – Parlamentarisches Kontrollgremium (Parliamentary Oversight Panel)
The PKGr is the Bundestag committee responsible for overseeing all three federal intelligence agencies (BND, BfV, MAD). Established under the Control Body Act (PKGrG / Kontrollgremiumgesetz), the panel serves as the primary mechanism for democratic accountability over Germany’s intelligence services.[24]
Powers: The federal government must inform the PKGr comprehensively about general intelligence activities and events of particular importance. The panel has the right to inspect files, enter any intelligence service office, and interview staff. It meets at least quarterly and can convene additional sessions as required. Members are bound by secrecy obligations regarding classified information received during oversight activities.[25]
2016 Enhancement: A significant amendment established annual public hearings of intelligence agency presidents, a major transparency measure allowing parliamentary questioning in open session for the first time. The amendment also created the office of a Permanent Representative of the PKGr, tasked with ongoing examinations and individual case reviews to provide continuous oversight between quarterly meetings. This role was created in direct response to criticism that quarterly meetings were insufficient to meaningfully oversee complex intelligence operations.[24]
Additional oversight bodies: Beyond the PKGr, German intelligence oversight includes the G10 Commission (reviewing surveillance measures), the Independent Oversight Council created by the 2021 BND Act reform, the BfDI (data protection compliance), and the Federal Court of Auditors (financial oversight). This multi-layered structure reflects Germany’s post-war commitment to preventing the concentration of unchecked intelligence power.
Limitations: Despite these reforms, oversight critics argue the PKGr remains insufficiently resourced relative to the scope of intelligence activities it must monitor, and that intelligence agencies retain significant discretion over what information they proactively disclose to the panel. The selectors scandal demonstrated that even fundamental violations of cooperation agreements can go undetected for years.
Data Retention
Germany’s data retention history is among the most contentious in Europe, reflecting the country’s deep-seated tension between security imperatives and privacy rights. The issue has been litigated at both the national constitutional and EU levels, producing a series of rulings that have effectively prevented any data retention regime from operating in practice.
2010 – Constitutional Court strikes down first law: The Federal Constitutional Court declared Germany’s implementation of the EU Data Retention Directive unconstitutional (BVerfG, 1 BvR 256/08), finding it incompatible with Article 10 of the Basic Law (secrecy of telecommunications). The ruling held that blanket retention of telecommunications data constitutes a “particularly serious” interference with the right to privacy and ordered the immediate deletion of all retained data. It was one of the strongest judicial statements against blanket data retention in Europe.[26]
2015 – Second attempt: The Bundestag passed a new, more limited data retention law with shorter retention periods (10 weeks for traffic data, 4 weeks for location data). However, following the CJEU’s December 2016 ruling in Tele2 Sverige/Watson (C-203/15 and C-698/15), which held that blanket, indiscriminate retention of telecommunications data is incompatible with EU law, German courts and the Federal Network Agency effectively suspended enforcement. The Oberverwaltungsgericht Münster ruled in June 2017 that providers could not be compelled to retain data. The 2015 law has never been applied in practice.[26]
Current status: Data retention is not being enforced in Germany. In SpaceNet and Telekom Deutschland (C-793/19 and C-794/19, 20 September 2022), the CJEU held that the 2015 law's general and indiscriminate retention of traffic and location data was incompatible with EU law, and the Federal Administrative Court subsequently declared the retention obligation inapplicable. The April 2024 CJEU ruling in La Quadrature du Net II (C-470/21) clarified that data retention is not per se contrary to EU law: general retention of the IP addresses assigned to the source of a connection can be permitted for combating crime, provided strict proportionality and data-separation safeguards apply. This created renewed legal space for carefully designed national legislation.
2025 Coalition Agreement proposal: The CDU/CSU-SPD government proposes a proportionate three-month retention period for IP addresses and port numbers to identify connection owners, along with source telecommunications surveillance authorization for the Federal Police for serious crime. A “quick freeze” procedure is under discussion, which would allow authorities to order providers to preserve specific data for a limited time upon suspicion of crime, rather than mandating blanket retention of all users’ data. The BfDI has expressed support for the quick-freeze approach as a good balance between data protection and effective law enforcement.[26][27]
Youth Protection and Age Verification (JuSchG)
Germany maintains a comprehensive youth protection framework through the Jugendschutzgesetz (JuSchG), the Protection of Young Persons Act, and the Interstate Treaty on the Protection of Minors in the Media (JMStV). Together, these laws regulate youth protection in public spaces, media consumption, and online environments.[28]
JuSchG Overview
The JuSchG regulates:[29]
- Presence of young people in restaurants and amusement arcades
- Film events and age ratings
- Gambling services
- Alcoholic drinks and tobacco products
- Smoking in public
- Online media consumption and age verification
2025 Amendments – Effective December 1, 2025
Federal states adopted significant amendments to the Interstate Treaty on the Protection of Minors in the Media (JMStV), with revised rules entering into force on December 1, 2025.[30]
Age Verification Requirements: Under the JuSchG and JMStV, pornographic content, indexed content, and content that is obviously harmful to minors may only be made available online if the provider restricts access to adults through an effective age verification system (a "closed user group"; a self-declaration checkbox does not qualify). Supervisory authorities have pursued violations aggressively, including blocking orders directed at access providers where foreign-based sites ignored prohibition orders.
Operating System Obligations (Amended Section 12 JMStV): The amended Section 12 JMStV establishes a primary obligation for designated operators of operating systems commonly used by children and adolescents to implement an effective youth protection mechanism.[31] This obligation extends beyond content providers to platform operators, requiring built-in parental controls and age-appropriate default settings.
Enforcement Authority
Youth protection enforcement is overseen by the Bundeszentrale für Kinder- und Jugendmedienschutz (BzKJ), the Federal Centre for Child and Youth Media Protection. The BzKJ maintains the index of media harmful to young persons and coordinates with state media authorities on enforcement.[32]
German supervisory authorities have demonstrated willingness to use blocking orders against non-compliant platforms, creating significant compliance pressure on both domestic and foreign providers accessible to German users.
EU Digital Identity Integration
Germany is developing integration with the upcoming EU digital identity (eID) wallet, which member states are due to offer by the end of 2026. A temporary age verification app was commissioned for deployment by summer 2025 to bridge the gap until the EU-wide eID system becomes operational.[33]
This integrated approach aims to provide privacy-preserving age verification across multiple services while avoiding the creation of centralized databases linking identities to specific content consumption. The eID wallet would allow users to prove their age category (e.g., “over 18”) without revealing their full identity or specific birth date to content providers.
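The property described above, proving an age category without handing the content provider a name or birth date, is what selective disclosure credentials such as the SD-JWT format used in the EU wallet architecture provide. The following is an added illustration, not code from the page or from any real wallet implementation: the issuer hides each claim behind a salted SHA-256 digest and signs only the digest list, the holder releases just the disclosure for `age_over_18`, and the relying party verifies the signature and checks that the released disclosure hashes to one of the signed digests. HMAC-SHA256 with a shared key stands in for the issuer's asymmetric signature, and the issuer URL and the "Erika Mustermann" record are constructed sample data.

```python
"""Selective-disclosure age attestation, SD-JWT style (illustrative, not EUDI wallet code).

Mirrors the SD-JWT structure: salted claim digests in an `_sd` array signed by the
issuer, and per-claim disclosures that the holder releases selectively.  HMAC-SHA256
with a shared key is a stand-in for the issuer's asymmetric signature, so the
"relying party" here shares a key with the issuer (an assumption of this example).
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

ISSUER = "https://issuer.example"  # assumed issuer identifier, not a real service


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _digest(disclosure: str) -> str:
    # SHA-256 over the base64url disclosure string, as SD-JWT specifies.
    return _b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, issuer_key: bytes) -> tuple:
    """Issuer side: hide every claim behind a salted digest and sign only the digest list.

    Returns (signed_credential, disclosures); the holder keeps both and later
    releases only the disclosures a relying party actually needs.
    """
    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = _b64url(secrets.token_bytes(16))  # fresh 128-bit salt per claim
        disclosure = _b64url(json.dumps([salt, name, value]).encode())
        disclosures[name] = disclosure
        digests.append(_digest(disclosure))
    body = {"iss": ISSUER, "_sd": sorted(digests), "_sd_alg": "sha-256"}  # sorted: order leaks nothing
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(issuer_key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}", disclosures


def present(credential: str, disclosures: dict, reveal: list) -> str:
    """Holder side: attach only the requested disclosures to the signed credential."""
    return "~".join([credential] + [disclosures[name] for name in reveal])


def verify(presentation: str, issuer_key: bytes) -> Optional[dict]:
    """Relying-party side: check the signature, then bind each disclosure to a signed digest.

    Returns the disclosed claims, or None if the signature or any disclosure fails.
    The verifier learns nothing about claims whose disclosures were withheld.
    """
    credential, *released = presentation.split("~")
    payload, sig = credential.split(".")
    expected = _b64url(hmac.new(issuer_key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    body = json.loads(_b64url_decode(payload))
    if body.get("iss") != ISSUER or body.get("_sd_alg") != "sha-256":
        return None
    signed_digests = set(body["_sd"])
    claims = {}
    for disclosure in released:
        if _digest(disclosure) not in signed_digests:
            return None  # edited or foreign disclosure: digest not covered by the signature
        _salt, name, value = json.loads(_b64url_decode(disclosure))
        if name in claims:
            return None  # the same claim presented twice
        claims[name] = value
    return claims


def demo() -> dict:
    """Issue a full identity record, present only age_over_18, and try a forged disclosure."""
    key = secrets.token_bytes(32)
    credential, disclosures = issue(
        {"given_name": "Erika", "family_name": "Mustermann",  # constructed sample record
         "birth_date": "1990-03-14", "age_over_18": True},
        key,
    )
    honest = verify(present(credential, disclosures, ["age_over_18"]), key)
    # A holder who fabricates a disclosure breaks the digest binding to the signed body.
    forged = _b64url(json.dumps(["anysalt", "age_over_18", True]).encode())
    return {"verified": honest, "forged": verify(credential + "~" + forged, key)}


if __name__ == "__main__":
    print(demo())
```

The relying party ends up with `{"age_over_18": True}` and no way to recover the withheld birth date or name, because each digest is salted with 128 bits of randomness and cannot be brute-forced from the small space of plausible dates. In a real wallet the signature would be ECDSA over the issuer's public key and the presentation would additionally carry a holder binding, but the digest check that prevents a holder from fabricating claims is exactly the one shown.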
International Data Sharing Agreements
Despite Germany's robust constitutional protections (including Federal Constitutional Court oversight of BND activities, the G10 Commission, and strict data protection under the GDPR), Germany participates in extensive international data sharing frameworks that give foreign agencies pathways to data on German persons through processes that often operate outside these domestic safeguards.
Mutual Legal Assistance Treaty with the United States
Germany maintains a bilateral MLAT with the United States, allowing German law enforcement to request data on US persons, and US law enforcement to request data on German persons, through diplomatic channels. The Federal Ministry of Justice serves as Germany’s central authority for processing MLAT requests, with average processing times of 10 months for complex cases involving electronic evidence.[45]
Fourteen Eyes (SIGINT Seniors Europe)
Germany is a member of the Fourteen Eyes (SIGINT Seniors Europe), an expansion of the Five Eyes intelligence alliance that coordinates exchange of military signals intelligence. The BND (Bundesnachrichtendienst) shares signals intelligence with Five Eyes partners (US, UK, Canada, Australia, New Zealand) and other Fourteen Eyes members (Denmark, France, Netherlands, Norway, Belgium, Italy, Spain, Sweden).[46]
Information flows hierarchically within the alliance: Five Eyes members have access to all Nine Eyes and Fourteen Eyes intelligence, while Germany, as a Fourteen Eyes member, has more limited access. The Snowden disclosures revealed that the BND "transfers massive amounts of intercepted data to NSA," including data from DE-CIX Frankfurt surveillance and cable access, and that the BND ran NSA-provided selectors against that traffic, some of which targeted European companies and politicians.
EU Law Enforcement Data Sharing Frameworks
Schengen Information System (SIS II): Germany participates in the EU’s largest law enforcement database. German federal and state police can query SIS II in real time and contribute alerts visible to law enforcement across all Schengen countries (27 EU members plus Norway, Iceland, Switzerland, Liechtenstein).
European Investigation Order (EIO): Germany participates in the EIO framework, allowing German judges to make binding requests to other EU member states for evidence, witness hearings, telephone interceptions, and banking information. The EIO is based on mutual recognition.
Prüm Convention: Germany was an original signatory of the Prüm Convention (signed 2005 in the German city of Prüm) and participates in automated DNA, fingerprint, and vehicle registration data comparison across EU member states. The Prüm II Regulation (2024) expands this to include facial images and police records.[47]
Bilateral Cross-Border Police Cooperation
Germany has signed bilateral cross-border police cooperation agreements with all neighboring countries (France, Netherlands, Belgium, Luxembourg, Denmark, Poland, Czech Republic, Austria, Switzerland), covering:[48]
- Cross-border surveillance, controlled deliveries, and pursuit
- Joint police operations and patrols
- Automated data exchange (DNA, fingerprints, vehicle registration via Prüm)
- Direct cooperation between regional police forces
These agreements enable German police to conduct operations in neighboring countries and vice versa, creating a comprehensive cross-border law enforcement network across Central Europe.
EU-US Data Sharing Frameworks
EU-US Umbrella Agreement: Entered into force February 1, 2017, governing personal data exchanged between EU and US law enforcement. Grants German citizens judicial redress rights before US courts.
SWIFT/TFTP Agreement: Under the EU-US Terrorist Finance Tracking Program agreement, the US Treasury can request financial messaging data from SWIFT, affecting German persons' international wire transfers; Europol verifies that each request meets the agreement's conditions before the data are released.
PNR Agreements: Germany participates in the EU-US PNR agreement, under which German air carriers transfer Passenger Name Record data (booking details, itinerary, payment and contact information) for every passenger on Germany-US flights to US Customs and Border Protection.
Multilateral Frameworks
Interpol I-24/7: Germany participates in Interpol’s global network (195 countries, 100,000+ messages daily) for criminal intelligence sharing.
Egmont Group: The German FIU participates in the Egmont Group network of 164+ Financial Intelligence Units, sharing financial intelligence on money laundering and terrorist financing.
Europol: Germany is a major contributor to Europol, which has cooperation agreements with US agencies including the FBI; Europol has reported a roughly 30% recent increase in intelligence sharing with US partners.
The Privacy Backdoor Effect
Despite Federal Constitutional Court oversight of BND surveillance, the G10 Commission's review of strategic surveillance, and GDPR enforcement, international data sharing agreements create alternative pathways to data on German persons:
- Fourteen Eyes Sharing: BND transfers intercepted data (including the previously disclosed NSA-provided selectors targeting Europeans) to NSA; NSA/GCHQ can collect on German persons and share with BND
- EU Framework Sharing: Data on German persons entered into SIS II, Prüm, or EIO channels becomes accessible to the other EU member states and, through Europol, potentially to the US FBI
- MLAT Channel: US authorities can obtain data on German persons through the MLAT described above; the request is initiated under US legal standards rather than a German judicial warrant under the StPO (Code of Criminal Procedure), and the affected person is generally not notified and has no opportunity to contest it
- SWIFT/PNR Dragnet: All international financial transactions and air travel subject to US access
For German persons, this means data nominally protected by the Grundgesetz (Basic Law), Federal Constitutional Court jurisprudence, and the GDPR can be reached through Fourteen Eyes intelligence sharing, EU law enforcement frameworks, MLAT channels, or the SWIFT and PNR agreements. The Federal Constitutional Court's 2020 ruling, which held that fundamental rights bind German authorities even when they surveil foreigners abroad, does not extend to data sharing through multilateral frameworks where foreign agencies conduct the collection.
Recent Developments (2024–2026)
October 2024: The October 2024 G10 ruling (detailed in the Surveillance and Intelligence Laws section above) finds BND cyber-threat surveillance powers partly unconstitutional, requiring legislative reform by 31 December 2026.[15]
September 2024: New BfDI Commissioner Prof. Dr. Louisa Specht-Riemenschneider takes office, bringing academic expertise in civil law and AI governance to the role. Her appointment reflects a focus on the intersection of data protection and artificial intelligence.[3]
May 2024: The TTDSG is formally renamed to TDDDG, as described in the National Framework section above.[8]
April 2025: The CDU/CSU-SPD coalition agreement proposes the most fundamental restructuring of German data protection supervision in decades, with provisions for centralization, DSK reform, data retention, and an expanded BfDI mandate as described in the Overview and Data Protection Authorities sections above. As of February 2026, the pledge to centralize private-sector data protection supervision under the BfDI remains without draft legislation or an announced timeline.[2][50]
Employee data protection: The dedicated Employee Data Protection Act (Beschäftigtendatenschutzgesetz) is now effectively dead. The draft legislation lapsed when the Bundestag dissolved ahead of the February 2025 federal election, and the new CDU/CSU-SPD coalition has not included it among its legislative priorities. This marks the third failed attempt to enact standalone employee data protection legislation in Germany, following earlier collapses in 2010 and 2021. The legal uncertainty surrounding employee data processing continues following the BAG’s May 2023 invalidation of BDSG Section 26(1), leaving employers reliant on GDPR Article 6(1)(b) and (f) as legal bases.[7][49]
Pending litigation: RSF’s second constitutional complaint against the 2021 BND Act reform remains before the Federal Constitutional Court, potentially leading to a third major ruling on intelligence surveillance law within a decade.[13]
NIS2 Implementation: BSI Act Reform (December 2025)
December 6, 2025: Germany’s national implementation of the EU NIS2 Directive entered into force through a comprehensive reform of the BSI Act (BSI-Gesetz), dramatically expanding the scope of mandatory cybersecurity obligations. The number of entities subject to the law increased from approximately 4,500 to 29,500 companies, covering critical infrastructure operators, essential service providers, and important entities across 18 sectors. The BSI opened its registration portal on January 6, 2026, with a compliance deadline of March 6, 2026. Non-compliance carries fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher, and the reform makes cybersecurity a direct board-level responsibility, with personal liability for company directors who fail to implement adequate risk management measures.[51][52]
BND Act Reform: Offensive Cyber Powers (December 2025)
December 16, 2025: The federal cabinet approved a draft reform of the BND Act (BND-Gesetz) that would grant Germany’s foreign intelligence service its first-ever offensive cyber capabilities. The proposed legislation would also authorize the BND to conduct vehicle data queries, deploy facial recognition technology, and carry out covert entry of apartments for technical surveillance purposes. Reporters Without Borders (RSF) criticized the draft for providing insufficient protections for journalists and their sources, warning that the expanded powers risk enabling unconstitutional surveillance of press communications. The bill awaits debate in the Bundestag.[53][54]
KI-MIG: AI Act National Implementation (February 2026)
February 11, 2026: The federal cabinet approved the KI-MIG (Künstliche Intelligenz Markteinführungsgesetz), Germany’s national implementation legislation for the EU AI Act. The bill designates the Bundesnetzagentur (Federal Network Agency) as the central AI supervisory authority, with BaFin (Federal Financial Supervisory Authority) overseeing AI systems in the financial sector. It establishes a coordination center (KoKIVO) to harmonize enforcement across sectoral regulators and introduces innovation sandboxes allowing companies to test AI systems under regulatory supervision before full market deployment. The legislation is heading to the Bundestag and Bundesrat for parliamentary debate.[55][56]
IP Address Retention Legislation (2025–2026)
IP address retention: The coalition government is preparing legislation mandating a three-month retention period for IP addresses and port numbers by telecommunications providers. Port numbers matter because under carrier-grade NAT many subscribers share a single public IPv4 address at the same time, so an IP address and timestamp alone no longer identify a connection owner. The proposal relies on the CJEU's April 2024 ruling in case C-470/21, which held that general retention of the IP addresses assigned to the source of a connection can be compatible with EU law for the purpose of combating crime, provided strict proportionality and data-separation safeguards apply. As of February 2026, no bill text has been published, but the measure appears in the coalition agreement and has been confirmed in government policy statements. If enacted, it would end Germany's de facto moratorium on data retention, in place since the 2015 law was suspended following the Tele2 Sverige ruling.[2]
