gal orders in the wording of the authorisations, the substantive level of protection is
not called into question (cf. BVerfGE 141, 220 <343 para. 331>).
b) In addition, however, a separate requirement when sharing data with foreign bodies is the ascertainment that the foreign bodies will handle the data shared with them
in accordance with the rule of law. This reflects the fact that, once shared with foreign
bodies, the use of data collected by German authorities is no longer subject to the
requirements of the Basic Law since the foreign state authority is only bound by its
own laws, yet German state authority is responsible for the sharing of data and is
bound by the fundamental rights when sharing data (cf. BVerfGE 141, 220 <342
paras. 326 and 327>).
233
According to established case-law, the state receiving the data is required to adhere
to guarantees under data protection law (see aa) below) and to uphold human rights
when using the information (see bb) below). Both require clear provisions ensuring
that the Federal Intelligence Service sufficiently ascertain that they will be upheld
(see cc) below). In addition, adherence to restrictions on the sharing of data collected
through strategic surveillance must be ensured by obtaining sound assurances from
the receiving states (see dd) below).
234
aa) The first requirement serves to uphold the data protection guarantees following
from the right of personality. Yet it is not required that receiving states have rules on
the processing of personal data that match those within the German legal order or
that they guarantee protection that is equivalent to the protection afforded by the Basic Law. In fact, the Basic Law recognises the autonomy and diversity of legal orders
and it generally respects them, including in the context of data sharing. Value decisions and parameters [in receiving states] do not have to conform to those of the
German legal order or the Basic Law.
235
However, the sharing of personal data with other states is only permissible if the
handling of the shared data in these states does not undermine the protection of personal data guaranteed by human rights. This is not to say that the other state’s legal
order must guarantee institutional and procedural safeguards corresponding to Germany’s; in particular, it is not necessary that there be the same formal and institutional safeguards as required under data protection laws applicable to German bodies.
What is required is the guarantee of an appropriate substantive level of data protection for the handling of the shared data in the receiving state. In this respect, it must
be considered in particular whether limits resulting from purpose limitation, deletion
requirements as well as fundamental requirements for oversight and data security –
all of which were communicated in the course of data sharing – are at least generally
observed in data usage. The assessment of whether this is the case must be made
on the basis of the receiving state’s domestic law as well as its international obligations and the implementation thereof in everyday practice (BVerfGE 141, 220 <344
and 345 paras. 334 and 335> with further references).
236
bb) Sharing data with other countries is ruled out if there is reason to fear that its
237