20k sec. 3 BKAG regarding the access to information technology systems or in § 20w
sec. 2 sentence 3 BKAG regarding the deferral of a notification. However, even in
those cases that require the documentation of the notification, it remains unclear
whether this also includes the reasons for a deferral. In any event, the provisions remain sporadic and fail to adequately ensure a retrospective review of the surveillance
measures. While important findings resulting from the data collection are at least documented on the basis of the general rules for file keeping, this is neither set out with
sufficient clarity nor statutorily with regard to the data protection law requirements of
effective review. This is particularly significant in the area of the protection against
threats where the investigation of and protection against threats does not need to be
directed at specific individual persons, unlike in the case of criminal investigations in
criminal proceedings. Insofar, it is not apparent that there is a guarantee that the collection of data is documented in a transparent manner – also from the perspective of
affected parties in potential subsequent criminal proceedings. The fact that the measure requires a judicial order does not alter this finding, given that such an order only
gives the permission to carry out the measure but does not indicate whether and to
what extent use was made of it. Furthermore, and unlike in the case of criminal proceedings pursuant to § 100b sec. 4 sentence 2 StPO, there is not even a requirement
demanding that the ordering court be informed of the results of the investigations.

d) Finally, reporting duties vis-à-vis Parliament and the public that are necessary for
a proportionate design of the challenged surveillance powers are lacking, too (cf.
BVerfGE 133, 277 <372 paras. 221 and 222>). The law neither requires reports indicating the extent to which the powers were used and on the grounds of which
suspicious circumstances, nor does it require reports providing information as to
whether the affected parties were notified of the exercise of such powers and if so to
what extent. However, given that the exercise of the powers in question occurs largely without the knowledge of the affected party and the public, such reports are constitutionally required at regular intervals in order to enable a public debate and democratic control (see above, C IV 6 e).

268

4. The provision in § 20v sec. 6 BKAG governing the requirements to delete the collected data also does not satisfy the constitutional requirements in all respects.

269

a) The overall structure of the provision is indeed not objectionable under constitutional law. Data must be deleted after the underlying reason for the data collection is
fulfilled (sentence 1). This refers to the constitutional law principle of purpose limitation (see below, D I). Accordingly, with regard to a further use of the data pursuant to
§ 20v sec. 4 sentence 2 BKAG, refraining from deleting the collected data beyond the
specific incident is, when interpreting the provision in conformity with the Constitution,
only permissible insofar as the data provides a specific evidentiary basis for further investigations to protect against threats from international terrorism. The deletion must
be documented (sentence 2). The deletion may be deferred so as to be available for a
possible judicial review; in that case, the data in question needs to be blocked (sentence 4). Procedurally, the provision is to be read in conjunction with § 32 BKAG. In

270
