Germany
Fourteen Eyes member operating Europe’s largest internet exchange point with extensive BND surveillance powers and constitutional court oversight
Overview
Germany is an EU member state. The EU-wide framework (GDPR, LED, ePrivacy Directive) applies and is covered on the EU Framework page. This page covers national implementation, derogations, and country-specific laws.
Germany is a member of the Fourteen Eyes intelligence alliance (SIGINT Seniors of Europe / SSEUR), placing it in a unique position as both an active advocate for data protection and an active participant in multinational signals intelligence sharing. Germany’s privacy culture is deeply embedded in its constitutional law, where Article 1 of the Basic Law (Grundgesetz) enshrines human dignity as inviolable, and the Federal Constitutional Court derived an explicit right to informational self-determination (Recht auf informationelle Selbstbestimmung) in its landmark 1983 Census decision.[1]
Germany operates DE-CIX Frankfurt, the world’s largest internet exchange point, which the BND has been intercepting for over two decades, sharing collected intelligence with the NSA. The BND co-owned Swiss encryption company Crypto AG with the CIA for decades under Operation Rubicon, backdooring encryption machines sold to 120 governments. Germany’s Federal Criminal Police Office (BKA) purchased NSO Group’s Pegasus spyware, and multiple state police forces have deployed Palantir analytics platforms despite constitutional challenges. The Federal Constitutional Court has repeatedly struck down surveillance laws as unconstitutional, including landmark rulings extending fundamental rights protections to foreigners abroad.
Privacy Framework
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) supervises federal public authorities, postal and telecommunications companies, and certain federal entities. Germany’s federal structure produces a uniquely complex landscape: in addition to the BfDI, each of the 16 Bundesländer operates an independent state-level data protection authority, totalling 17 DPAs nationwide. The April 2025 coalition agreement proposes to centralise private-sector supervision under the BfDI, which would end Germany’s status as the only EU member state splitting private-sector oversight across 17 authorities.[2]
The BDSG (Bundesdatenschutzgesetz), effective 25 May 2018, is Germany’s national GDPR implementation law. Germany’s original 1977 BDSG was among the first national data protection laws in the world. The current version sets a mandatory DPO threshold of 20 persons (lower than the GDPR default), specific provisions for video surveillance and credit scoring, and employee data processing rules—though the Federal Labour Court invalidated the central employee data provision (Section 26) in May 2023 for failing to meet GDPR Article 88 requirements.[3]
The TDDDG (renamed from TTDSG in May 2024) implements ePrivacy Directive requirements for cookie/tracking consent, extends to IoT devices and connected vehicles, and carries penalties up to EUR 300,000 separate from GDPR fines. The TKG (Telecommunications Act), revised in 2021, covers network infrastructure and customer protection.[4][5]
Surveillance and Intelligence Laws
BND Act (BND-Gesetz) – Federal Intelligence Service Act
The Bundesnachrichtendienst (BND) is Germany’s foreign intelligence service, headquartered in Berlin. The BND Act (BNDG) provides the legal basis for its operations, including strategic telecommunications surveillance of foreign targets.[6]
May 2020 Constitutional Court Ruling (BVerfG, 1 BvR 2835/17): In a landmark decision, the Federal Constitutional Court ruled that the BND is bound by fundamental rights under the Basic Law when conducting surveillance of foreign telecommunications of foreigners abroad. The Court extended Article 10 (secrecy of telecommunications) and Article 5 (freedom of the press) extraterritorially, holding that the binding force of German fundamental rights does not end at the country’s borders. The Court found the 2016 BND Act largely unconstitutional. Its significance extends far beyond Germany, as it established that a state’s constitutional obligations to protect fundamental rights apply to its intelligence activities regardless of where those activities take place or whom they target.[6][7]
2021 BND Act Reform: The Bundestag passed a revised BND Act establishing an Independent Oversight Council (Unabhängiger Kontrollrat) with judicial-like review powers. However, press freedom organizations including RSF and the GFF criticised it as inadequate. RSF filed a second constitutional complaint, and in March 2025, RSF and GFF escalated to the European Court of Human Rights, challenging the BND’s self-assigned authority to determine who qualifies as a journalist eligible for protection.[8][9][10]
G10 Act (Artikel 10-Gesetz)
The G10 Act restricts the constitutional guarantee of secrecy of correspondence, posts, and telecommunications (Article 10 of the Basic Law). It provides the legal basis for both individual-targeted and strategic surveillance by the BND and domestic intelligence services.[11]
Individual measures (Section 3): Targeted surveillance of specific individuals when there are factual indications of serious criminal offences or threats to national security.
Strategic surveillance (Section 5): Authorises the BND to conduct strategic surveillance of international telecommunications using selectors (search terms). Rather than targeting specific individuals, the BND defines geographic regions as intelligence areas for monitoring. The G10 Commission, an independent oversight body of the Bundestag, must approve all individual surveillance measures and reviews strategic surveillance orders.
October 2024 Constitutional Court Ruling (BVerfG, 1 BvR 1743/16): The First Senate found that strategic surveillance for cyber threat detection is incompatible with Article 10(1) of the Basic Law, identifying insufficient separation of domestic from foreign data, inadequate core privacy protections, premature deletion of oversight documentation, and insufficient court-like oversight. The legislature must enact compliant replacement provisions by 31 December 2026.[11][12]
State Trojan (Staatstrojaner) Ruling (June 24, 2025)
The Federal Constitutional Court decided two constitutional complaints concerning Staatstrojaner (state Trojan) authorisations:[13]
Trojan I (1 BvR 2466/19): Upheld preventive source telecommunications surveillance under the NRW Police Act.
Trojan II (1 BvR 180/23): Struck down two StPO provisions: source surveillance for offences carrying three years or less (disproportionate), and remote search (Onlinedurchsuchung) authorisation for failing to specify whether the restriction targets Article 10 or Article 2(1)/1(1), a distinction determining which safeguards apply. The Bundestag must amend the affected provisions.
Operation Eikonal and the Selectors Scandal
Operation Eikonal, based on a 2002 Memorandum of Agreement, was the most significant publicly known BND-NSA collaboration. A Joint SIGINT Activity (JSA) operated from the Mangfall Barracks in Bad Aibling, Bavaria, with both German and American personnel working side by side on signals collection.[14]
Selectors Scandal (2015): Der Spiegel revealed that the NSA had used BND infrastructure to spy on European and German targets, directly violating the cooperation agreement. A Bundestag investigation uncovered approximately 40,000 suspicious search parameters targeting Western European governments and companies, including European heads of state and defence ministries. The scandal demonstrated that intelligence-sharing agreements between Fourteen Eyes partners carry inherent risks of abuse even when explicit limitations are contractually agreed.[14][15]
Intelligence Agencies
Germany operates three federal intelligence agencies, all participating in international intelligence-sharing through the Fourteen Eyes (SSEUR) alliance.
BND – Bundesnachrichtendienst (Federal Intelligence Service)
Germany’s foreign intelligence service, headquartered in Berlin. The BND is the primary German participant in SIGINT Seniors of Europe (SSEUR) and has been granted access to the NSA’s XKeyscore system.[14]
BfV – Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution)
Germany’s domestic intelligence agency, established 1950. Core tasks include monitoring threats to the free democratic basic order, counterintelligence, and counter-sabotage. The BfV has no police or arrest powers, a deliberate design reflecting lessons from the Nazi era. Each of the 16 states also maintains its own Landesamt für Verfassungsschutz (LfV).[16]
MAD – Militärischer Abschirmdienst (Military Counterintelligence Service)
Military counterintelligence within the Bundeswehr. The MAD is subordinate to the Federal Ministry of Defence and has approximately 1,300 employees. Like the BfV, the MAD has no police powers.[17]
Commercial Surveillance Procurement
Germany’s relationship with commercial surveillance technology reflects a fundamental tension: the same country that established extraterritorial protections for fundamental rights has also procured surveillance tools from vendors whose technologies are deployed globally with minimal human rights oversight.
Palantir Technologies: State-Level Adoption and National Expansion
Palantir’s Gotham platform has been procured by multiple German states: Bavaria (“VeRA,” operational since 2024), North Rhine-Westphalia (“DAR,” since 2019), and Hesse (“Hessendata,” since 2017). In March 2025, Baden-Württemberg signed a EUR 25 million contract with Palantir; the state parliament approved deployment in November 2025. Federal Interior Minister Alexander Dobrindt is advocating for mandating Palantir Gotham across all 16 state police forces. The GFF and CCC have mounted legal challenges arguing Gotham violates the right to informational self-determination.[18][19]
Under the US CLOUD Act, Palantir could be compelled to produce data stored on its platforms to US law enforcement, potentially including intelligence data collected by German authorities. This creates a legal pathway for US access to German law enforcement data that bypasses the MLAT framework.
NSO Group Pegasus
Germany’s Federal Criminal Police Office (BKA) purchased NSO Group’s Pegasus spyware. The procurement is notable given Germany’s constitutional protections: the Federal Constitutional Court has repeatedly held that surveillance must protect the “core of private life” (Kernbereich privater Lebensgestaltung), yet Pegasus provides unrestricted access to all communications, photographs, location data, and encrypted messaging with no technical mechanism to exclude constitutionally protected content.[20]
The Sovereignty Paradox
When the BND conducts surveillance under the G10 Act, it must obtain G10 Commission approval and comply with Constitutional Court jurisprudence. When state police purchase Palantir or the BKA deploys Pegasus, those procurements are subject to standard contracting rules, not the heightened oversight that applies to intelligence agencies. The PKGr (Parliamentary Oversight Panel) has jurisdiction over the BND, BfV, and MAD but not over law enforcement procurement of surveillance technologies. Commercially procured tools can thus circumvent Germany’s own constitutional safeguards by entering through procurement rather than intelligence authorisation.
Internet Exchange Point Surveillance: DE-CIX Frankfurt
DE-CIX Frankfurt is the world’s largest internet exchange point by data throughput, handling over 17 terabits per second of peak traffic. For over two decades, the BND has conducted surveillance of traffic passing through DE-CIX, intercepting communications in bulk and sharing data with the NSA under the SIGINT alliance framework.
BND Surveillance of DE-CIX
Under the G10 Act, the BND conducts “strategic surveillance” of international telecommunications passing through German infrastructure. The BND uses selectors (email addresses, phone numbers, IP addresses, keywords) to filter intercepted traffic. The G10 Commission reviews selector lists, but the volume of traffic means even “targeted” surveillance involves initial bulk collection and scanning.[21]
NSA Data Sharing
The Snowden disclosures revealed that the BND shares intercepted data from DE-CIX with the NSA. The BND was using NSA-provided selectors, conducting surveillance on behalf of a foreign power targeting individuals with no connection to German national security. Investigations uncovered selectors targeting European companies, politicians, and institutions including Airbus, the European Commission, and French government officials.[22]
Constitutional Court Impact
The 2020 BND ruling directly implicated DE-CIX surveillance, finding the BND’s bulk interception lacked sufficient safeguards and that sharing raw intercept data with foreign intelligence services violated proportionality principles. The 2024 G10 ruling further affected DE-CIX by striking down cyber-threat intelligence provisions. In 2022, the Federal Administrative Court ruled the BND’s surveillance lawful under existing law but required compliance with the 2020 constitutional standards.[23]
DE-CIX Legal Challenge
In 2016, DE-CIX itself filed a lawsuit challenging the BND’s surveillance as exceeding G10 Act authority. The case ultimately validated BND authority to intercept at IXPs while requiring enhanced safeguards.[23]
Impact on European Internet Traffic
Traffic between France and Poland, Italy and Sweden, or Spain and the Netherlands may pass through DE-CIX, subjecting European communications to German (and by extension NSA) interception even when neither endpoint is in Germany. Traffic between Europe, the Middle East, Asia, and Africa also transits DE-CIX. This creates a jurisdictional paradox: users in other EU countries communicating through services routing via DE-CIX are subject to German surveillance law and BND interception despite having no connection to Germany beyond routing paths chosen by their ISPs.
International Data Sharing Agreements
Despite robust constitutional protections including Federal Constitutional Court oversight, the G10 Commission, and GDPR, Germany participates in extensive international data sharing frameworks that provide foreign agencies with pathways to access data on German persons outside these domestic safeguards.
Fourteen Eyes (SIGINT Seniors Europe)
Germany is a member of the Fourteen Eyes, coordinating SIGINT sharing with Five Eyes partners and other members (Denmark, France, Netherlands, Norway, Belgium, Italy, Spain, Sweden). Information flows hierarchically: Five Eyes members have access to all Fourteen Eyes intelligence, but Germany has more limited access. The Snowden disclosures revealed that the BND “transfers massive amounts of intercepted data to NSA,” including DE-CIX surveillance data.[24]
Maximator Alliance and Operation Rubicon
Germany was a founding member of the Maximator alliance in 1976, alongside Denmark and Sweden, with the Netherlands joining in 1978 and France in 1985. Maximator was an encryption-defeat cooperative, intercepting diplomatic communications and pooling cryptanalytic effort to break encryption. Its existence was unknown publicly for nearly fifty years, first disclosed by Dutch cryptographer Bart Jacobs in 2020.[25]
Germany’s most significant contribution came through Operation Rubicon: from the 1970s through the 1990s, the BND co-owned Crypto AG—the Swiss encryption company—jointly with the CIA. Crypto AG sold encryption machines to approximately 120 foreign governments, including adversaries and allies, with deliberate backdoors giving the CIA and BND access to their communications. Defeated foreign government communications flowed directly into the Maximator alliance’s shared intelligence product.[25]
Mutual Legal Assistance: Layered Framework
Germany’s mutual legal assistance coverage is layered and among the most extensive in the world, operating through multiple overlapping frameworks:[26]
EU Member States (26 countries): Within the EU, the Convention on Mutual Assistance in Criminal Matters (2000) and the Schengen Convention (1990) provide the primary MLA framework, supplemented by bilateral agreements. The European Investigation Order (EIO) has further superseded much of this for evidence gathering since 2017, applying to all EU states except Denmark and Ireland. These EU instruments take precedence over older bilateral and Council of Europe treaties.
Council of Europe (50 signatory states): The European Convention on Mutual Assistance in Criminal Matters (1959) and its Additional Protocols (1978, 2001) apply between Germany and all signatory states, covering not only Europe but also non-EU parties including Turkey, Israel, and others. Germany has been party since 1976.
Bilateral MLATs: Germany maintains bilateral mutual legal assistance treaties with countries outside the EU/CoE framework, including the United States (signed 2003, in force 2009), Switzerland (German-Swiss Police Agreement 2022, in force May 2024, covering cross-border police and judicial cooperation including enforcement of financial penalties), Morocco (Treaty of 29 October 1985), and Tunisia (Treaty of 19 July 1966). The Federal Office of Justice (Bundesamt für Justiz) serves as the central authority for processing MLA requests.
IRG fallback (worldwide): Even without any treaty, Germany can provide mutual legal assistance under the Act on International Mutual Assistance in Criminal Matters (IRG) of 1982. Section 59 of the IRG contains a general authorisation to provide MLA regardless of whether a treaty exists, provided that essential principles of German law are not violated. This means Germany can cooperate in criminal matters with virtually any country in the world, though coercive measures (search and seizure) require dual criminality.
EU Law Enforcement Data Sharing
Schengen Information System (SIS II): Germany participates in the EU’s largest law enforcement database. German federal and state police can query SIS II in real time across all Schengen countries.
European Investigation Order (EIO): Allows German judges to make binding requests to other EU member states for evidence, witness hearings, telephone interceptions, and banking information.
Prüm Convention: Germany was an original signatory (signed 2005 in Prüm) and participates in automated DNA, fingerprint, and vehicle registration data comparison. The Prüm II Regulation (2024) expands this to facial images and police records.[27]
Bilateral Cross-Border Police Cooperation
Germany has signed cross-border police cooperation agreements with all neighbouring countries (France, Netherlands, Belgium, Luxembourg, Denmark, Poland, Czech Republic, Austria, Switzerland), covering cross-border surveillance, controlled deliveries, joint operations, and automated data exchange.[28]
EU-US Data Sharing
EU-US Umbrella Agreement: Entered into force February 2017, governing personal data exchanged between EU and US law enforcement, granting German citizens judicial redress before US courts.
SWIFT/TFTP Agreement: US Treasury can subpoena SWIFT for financial transaction data, affecting German persons’ international wire transfers.
PNR Agreements: Germany participates in the EU-US PNR agreement, transferring comprehensive passenger data for every Germany-US flight.
The Privacy Backdoor Effect
Despite Constitutional Court oversight and GDPR enforcement, international agreements create alternative access pathways:
- Fourteen Eyes Sharing: BND transfers intercepted data (including NSA-provided selectors targeting Europeans) to NSA; NSA/GCHQ can collect on German persons and share with BND
- EU Framework Sharing: Data on German persons in SIS II, Prüm, or EIO channels becomes accessible to 27 EU member states, and through Europol, potentially to US FBI
- MLAT Bypass: US authorities can request data with potentially lower evidentiary standards than German judicial warrants under StPO
- SWIFT/PNR Dragnet: All international financial transactions and air travel subject to US access
The Federal Constitutional Court’s 2020 ruling holding that fundamental rights apply to foreigners abroad when German authorities conduct surveillance does not extend to data sharing through multilateral frameworks where foreign agencies conduct the collection.
Cryptography and the Right to Encryption
Germany has not enacted legislation mandating encryption backdoors or key escrow systems. There are no restrictions on the import, development, or use of encryption products, reflecting Germany’s historical sensitivity to state surveillance shaped by the Stasi era.[29][30]
Proposed Right to Encryption
In February 2024, the BMDV published a draft bill establishing a statutory right to end-to-end encryption for messaging and cloud storage services. Key provisions include mandatory E2EE for messengers (by default or user-enabled), similar requirements for cloud storage, and an explicit rejection of government-mandated backdoors. As of early 2026, the bill has not been enacted and remains under consideration.[31]
Encryption as a Legal Requirement
Several German laws affirmatively require encryption: GDPR Article 32 (state-of-the-art technical measures including encryption), the TMG (security obligations for digital service providers), and the BSI Act (cryptographic standards for federal systems and critical infrastructure).[32][33]
International Tension
Germany’s pro-encryption stance conflicts with several Fourteen Eyes partners. The UK uses Technical Capability Notices to block Apple’s Advanced Data Protection, Australia’s TOLA Act mandates encryption backdoors, and the US continues “going dark” debates. Within the EU, Germany opposed mandatory client-side scanning in the Chat Control negotiations, contributing to the blocking minority that forced amendments to the Commission’s original proposal in October 2025.[29]
Parliamentary Oversight
PKGr – Parlamentarisches Kontrollgremium (Parliamentary Oversight Panel)
The PKGr oversees all three federal intelligence agencies (BND, BfV, MAD). The federal government must inform the PKGr comprehensively about general intelligence activities and events of particular importance. The panel can inspect files, enter any intelligence service office, and interview staff. A 2016 enhancement established annual public hearings of intelligence agency presidents and a Permanent Representative for continuous oversight between quarterly meetings.[34][35]
Additional oversight: The G10 Commission (surveillance measures), the Independent Oversight Council (2021 BND Act), the BfDI (data protection compliance), and the Federal Court of Auditors. This multi-layered structure reflects Germany’s post-war commitment to preventing unchecked intelligence power.
Limitations: The PKGr remains insufficiently resourced relative to the scope of intelligence activities, and agencies retain discretion over what they proactively disclose. The selectors scandal demonstrated that fundamental violations of cooperation agreements can go undetected for years. The PKGr has no jurisdiction over law enforcement procurement of surveillance technologies, creating an oversight gap for commercial tools.
Data Retention
2010: The Federal Constitutional Court declared Germany’s implementation of the EU Data Retention Directive unconstitutional, finding blanket retention a “particularly serious” privacy interference, and ordered immediate deletion of all retained data.[36]
2015: A second, more limited law (10 weeks traffic data, 4 weeks location data) was passed but never enforced after the CJEU’s 2016 Tele2 Sverige/Watson ruling held blanket retention incompatible with EU law.
Current status: Data retention is not being enforced in Germany. The April 2024 CJEU ruling (C-470/21) created renewed legal space for carefully designed national legislation.
2025 Coalition Agreement: The CDU/CSU-SPD government proposes a three-month retention period for IP addresses and port numbers, along with source telecommunications surveillance for the Federal Police. A “quick freeze” procedure is under discussion, allowing authorities to order preservation of specific data upon suspicion rather than mandating blanket retention. No bill text has been published as of early 2026.[36][37]
Recent Developments
BND Act Reform: Offensive Cyber Powers (December 2025)
The federal cabinet approved a sweeping BND Act reform nearly doubling the law (69 to 139 paragraphs). Key provisions:[38][39]
- Offensive cyber operations: BND may launch counter-cyberattacks, reroute data flows, and sabotage infrastructure abroad, subject to PKGr two-thirds approval
- DE-CIX monitoring expansion: BND authorised to monitor up to 30% of all data traffic at DE-CIX Frankfurt, including full content, for up to six months
- Computer Network Exploitation: BND could covertly infiltrate systems of Google, Meta, X, and other platforms if they refuse cooperation
- Covert entry: BND personnel may secretly enter premises to install state Trojans
- Reduced press protection: Exception allowing surveillance of media organisation employees tied to “authoritarian” governments
RSF and GFF criticised the draft for insufficient journalist protections. The bill is framed as reducing dependence on US intelligence sharing following concerns about the Trump administration’s reliability. It awaits Bundestag debate.
BfV Classifies AfD as Extremist (May 2025): The BfV officially classified the entire AfD party as a “confirmed right-wing extremist organisation,” unlocking enhanced surveillance powers: recruiting informants within the party, placing members under surveillance, and intercepting telecommunications. A court granted a preliminary injunction in February 2026 suspending the label pending full adjudication.[40]
Facial Recognition Scraping Plan (October 2025): Federal Interior Minister Dobrindt announced plans to permit federal police to scrape internet images, including social media, for facial recognition, naming Clearview AI and PimEyes as candidate systems. The plan directly conflicts with EU AI Act Article 5 (which prohibited indiscriminate biometric scraping from February 2025) and GDPR Article 9. Dobrindt received the 2025 BigBrotherAward for this proposal.[41]
KI-MIG — AI Act Implementation (February 2026): The Federal Cabinet adopted the official government draft of the KI-Marktüberwachungs- und Innovationsgesetz (AI Market Surveillance and Innovation Act) on February 10, 2026. The Bundesnetzagentur (Federal Network Agency) will serve as the central market surveillance authority for AI Act compliance. An Independent Market Surveillance Chamber (UKIM) within BNetzA will monitor sensitive high-risk AI systems (law enforcement, migration, border control, justice, democracy) and report annually to the Bundestag. The bill awaits Bundestag and Bundesrat passage.[42]
NIS2/BSI Act Registration Deadline (March 6, 2026): The revised BSI Act implementing NIS2 entered into force December 6, 2025. The BSI registration portal opened January 6, 2026, with a March 6 deadline for covered entities. Germany significantly broadened NIS2 scope to include cloud computing, data center operators, managed security service providers, and online marketplaces. Non-compliance penalties reach EUR 10 million or 2% of global turnover, with personal liability for management board members.[43]
National Chat Control Proposal (March 27, 2026): After the EU Parliament rejected the voluntary CSAM scanning extension (311–228, March 26), Chancellor Merz called the vote “a serious setback for the protection of our children” and announced Germany would pursue a national-level chat control law. Family Minister Karin Prien was tasked with developing proposals, with a political decision before the summer break and a draft law in the federal cabinet by summer. This would allow systematic scanning of private messages on WhatsApp, Signal, and similar services without concrete suspicion. Justice Minister Hubig directly contradicted the proposal, stating “indiscriminate chat control must be taboo in a constitutional state.” The proposal faces significant constitutional challenges under the BVerfG’s 1983 Census Act jurisprudence on informational self-determination and the 2020/2025 surveillance rulings limiting bulk collection.[44]
Pending Litigation: RSF’s ECHR application (March 2025) challenging BND Act journalist protections is pending in Strasbourg.[10]
