A practice that extends to other Member States

65 Title I of FISA are conditioned to the identification of the targeted person, the premises targeted and the determination of a link between the target and its status as a foreign agent or power,³⁶⁴ French law applicable to surveillance of nationals is as detailed regarding the conduct of surveillance operations. For instance, regarding the collection of domestic data directly from electronic service providers, the CSI defines the specific categories of data that can be the object of such collection (i.e. subscription number, the location of device used for communications, the data and duration of communication) and specifies that the target for collection must be designated.³⁶⁵ As for the bulk collection of domestic data in transit and the subsequent automated processing, the authorisation is limited to terrorist prevention purposes and always subject to the opinion of CNCRT.³⁶⁶ Conversely, the opinion of the CNCRT is not mandated prior to the bulk data collection of foreign targets, except in matters of individualised targeting.³⁶⁷

Differences in treatment can also be found regarding the duration of authorised surveillance. While the authorisation for the processing of data pertaining to French nationals is limited to two months with the possibility of renewal,³⁶⁸ the processing of non-individualised foreign metadata is fixed to one year, and individualised targeting of communications and metadata is limited to four months.³⁶⁹

2. A practice that extends to other Member States

66 captured by the FRA.³⁷² As it is the case for surveillance authorised by Section 702 of FISA, authorisation for signals intelligence collection conducted by the FRA is issued by an intelligence court, the Underrättelsedomstolen – UNDOM, in the form of “sweeping”

warrants “not limited to a specific individual.”³⁷³ The similarities with Section 702 and Chapter IV of Title V of the CSI only grow when we consider that Swedish nationals are awarded more protection than their foreign counterparts; indeed, “the FRA is prohibited from the collection of signals that have both a sender and a recipient located in Sweden”

and the only type of domestic surveillance allowed is in the context of criminal investigations when there is a “‘reasonable suspicion’ of serious offenses”.³⁷⁴

2.2 Germany

Germany’s Federal Intelligence Service, the Bundesnachrichtendienst (BND), also conducts surveillance operations on a large scale, collecting and processing data to safeguard against “‘threats to German interests’ from abroad”.³⁷⁵ Along with other intelligence services such as the Military Counterintelligence Service (the Militärischen Abschirmdienst (MAD)), and the Federal Office for the Protection of the Constitution (the Bundesamt für Verfassungsschutz (BfV)), the BND is able to intercept, by selecting a “keyword”, up to 20% of foreign communications in transit thanks to “a service capable of directly connecting to digital traffic nodes”.³⁷⁶ The majority of interception takes place in Frankfurt, where “the biggest node in Germany – and, according to certain figures, in the world” is located: the DE-CIX (German Commercial Internet Exchange) and is processed in BND headquarters.³⁷⁷ Germany’s foreign surveillance activities are regulated by the G-10 Law, which authorises intelligence services to “operate warrantless automated wiretaps of domestic and international communications for specific purposes such as the fight against terrorism or the protection of the Constitution”.³⁷⁸

Although for many years foreign intelligence activities were carried out with no regard for the right of confidentiality for persons living outside Germany’s jurisdiction,

372 ibid., p.58. citing KLAMBERG, Mark – FRA and the European Convention on Human Rights - A Paradigm Shift in Swedish Electronic Surveillance Law. Nordic Yearbook of Law and Information Technology [online]. Bergen 2010. pp. 96-134.

373 BIGO, Didier [et al.] – op cit., p.61.

374 PRIVACY INTERNATIONAL – The Right to Privacy in Sweden [online]. Human Rights Committee 116^th Session. 2016. p.4.

375 BIGO, Didier [et al.] – op cit., p. 68.

376 ibid.

377 ibid.

378 ibid., p.71.

67 the 2016 amendment to the BND Act introduced “the necessity criterion” for the surveillance of EU citizens; however, the monitorisation of the communications from non-nationals remains without legal safeguards.³⁷⁹ Much like Section 702 of FISA, there’s a discrepancy in treatment between German citizens and legal residents of Germany, who are awarded the protection of the G-10 Act, and foreigners: be it citizens of other EU member states whose surveillance is authorised according to “the necessity criterion”, or, at the bottom of the chain, third country citizens and even people legally residing in the EU but not possessing EU citizenship, who do not have the same protection as the other persons mentioned.³⁸⁰ Despite the 2016 amendment of the BND Act excluding the economic surveillance of persons abroad and “the deliberate collection of data on heads of governments of other EU countries”,³⁸¹ the fact remains that there is, without a doubt, a double standard in German surveillance law, much like U.S., French and Swedish laws.

More recently, the difference in treatment between German nationals and non-nationals regarding surveillance was addressed by the Federal Constitutional Court in the 2020 landmark case 1 BvR 2835/17, where the it stated that, according to international human rights law, the rule of law and democracy, public authorities are expected to respect the fundamental rights of all persons, including people living outside Germany and EU borders.³⁸² However, this “does not lead to an obligation of public authorities to ensure the protection of individuals who are in foreign jurisdictions”.³⁸³ In other words, while public authorities must exercise a “control over the rights of persons” ensuring the respect of the rights of foreigners in their action,³⁸⁴ “these obligations apply only to the relationship between the individual and the German state” and, arguably, in matters of electronic surveillance only.³⁸⁵

379 ROJSZCZAK, Marcin – Extraterritorial Bulk Surveillance after the German BND Act Judgement.

Cambridge University Press [online]. Vol. 17, nº 1 (2021), p. 66.

380 ibid., p. 67

381 ibid.

382 Bundesverfassungsgericht, Judgment of the First Senate of 19 May 2020. 1 BvR 2835/17. §89-§94.

[accessed: 12 July 2022]. [hereinafter: “1 BvR 2835/17”].

383 ROJSZCZAK, Marcin – op cit., p.69.; 1 BvR 2835/17, §101-102.

384 ibid., p.70. citing ÇALI, Başak – Has “Control over rights doctrine” for extra-territorial jurisdiction come of age? Karlsruhe, too, has spoken, now it’s Strasbourg’s turn [online]. EJIL:Talk!. 21 July 2020.

[accessed: 12 July 2022]. Available at: <URL: https://www.ejiltalk.org/has-control-over-rights-doctrine-for-extra-territorial-jurisdiction-come-of-age-karlsruhe-too-has-spoken-now-its-strasbourgs-turn/>.

385 ROJSZCZAK, Marcin – op cit., p. 70.; citing KREBS, David - Global dangers and national obligations: Extraterritorial protection obligations in the Basic Law: The BND judgment and the

68