investigating state agency respects the core area of his or her private life. This complete loss of control is to be countered by special provisions which provide protection
against the danger of a violation of the core area through suitable procedural precautions.
cc) The constitutional requirements as to the concrete structure of the protection of
the core area can differ depending on the nature of the collection of the information
and the information collected by it.
276
A statutory empowerment to carry out a surveillance measure which may affect the
core area of private life must ensure as far as possible that no data is collected which
relates to the core area. If – as with secret access to an information technology system – it is practically unavoidable to obtain information before its reference to the core
area can be evaluated, sufficient protection must be ensured in the evaluation phase.
In particular, data that is found and collected which refers to the core area must be
deleted without delay and its exploitation must be ruled out (see BVerfGE 109, 279
(318); 113, 348 (391-392)).
277
(1) In the context of secret access to an information technology system, data collection will already be automated for technical reasons, at least in the vast majority of
cases. The automation however makes it more difficult in comparison with monitoring
carried out by individuals to make suitable distinctions when collecting data with and
without reference to the core area. According to the view unanimously held by the experts heard by the Senate, technical search or exclusion mechanisms to determine
relevance to the core area of personal data do not work so reliably that effective protection of the core area could be achieved with their aid.
278
Even if data access takes place directly by persons without first being recorded by
technical means, for instance in the case of personal surveillance of speech telephony carried out via the Internet, protection of the core area already encounters practical difficulties when it comes to data collection. It is as a rule not predictable with certainty when such a measure is carried out what the contents of the collected data will
be (see on telecommunication surveillance BVerfGE 113, 348 (392)). There may also
be difficulties in analysing the contents of the data during collection. This applies for
instance to foreign-language text documents or conversations. Also in such cases,
the core area relevance of the monitored events cannot always be evaluated prior to
or during data collection. In such cases, it is constitutionally not required to forgo access from the outset because of the risk of a breach of the core area at collection level, since access to the information technology system is based on factual indications
of a concrete danger to a predominantly important protected interest.
279
(2) The constitutionally required protection of the core area can be guaranteed in the
context of a two-tier protection concept.
280
(a) The statutory provision must endeavour to ensure that collection of data that is
relevant to the core area is avoided as far as possible in terms of information technol-
281
49/60