1. Core Digital Rights of Suspects

(A) Right to Informational Self-Determination

This is the foundation of German digital privacy law.

It means suspects have control over:

• Personal data collection
• Storage of digital data
• Use of communication metadata

➡️ Even suspects retain this right, but it can be limited by law if:

• There is a specific criminal suspicion
• The measure is proportionate
• A judicial order exists

(B) Protection of Digital Communications (Article 10 GG)

Covers:

• Emails
• Phone calls
• Messaging apps (WhatsApp, Signal, etc.)
• Internet browsing activity

Authorities need:

• Court authorization (§ 100a StPO)
• Suspicion of serious crimes

(C) Protection of IT Systems (Computer & Phone Data)

Includes:

• Device contents (photos, files, chats)
• Stored communications
• Cloud-linked data

This is protected under the IT-System Fundamental Right (developed by courts).

➡️ Any hacking-type surveillance requires:

• Extremely serious suspicion
• Judicial authorization
• Strict proportionality

(D) Right to Be Informed After Surveillance (Notification Duty)

Under § 101 StPO, suspects must generally be informed:

• That surveillance took place
• Duration of surveillance
• Legal basis used

➡️ Exception: notification can be delayed if:

• It would endanger investigations
• National security risks exist

(E) Right to Fair Trial & Data Integrity

Digital evidence must:

• Be lawfully obtained
• Be verifiable in court
• Not violate core privacy rights

Illegal surveillance may lead to:

• Evidence exclusion
• Constitutional complaints

(F) Data Minimisation & Deletion Rights

Authorities must:

• Collect only necessary data
• Delete irrelevant intercepted data
• Avoid “bulk fishing”

2. Limits on Surveillance Against Suspects

German law allows surveillance only if:

✔ Serious suspicion exists (e.g., terrorism, organized crime)
✔ Less intrusive methods are insufficient
✔ Court approves measure
✔ Measures are proportionate

❌ Not allowed:

• General mass surveillance of suspects
• Fishing expeditions without suspicion
• Unlimited hacking of devices

3. Key Case Laws (6+ Important Decisions)

1. BVerfG, 1 BvR 2378/98 (2003) – Telecommunications Privacy Expansion

Principle:

Digital communication is strongly protected under Article 10 GG.

Holding:

• Metadata (call logs, connection data) is also protected
• Surveillance requires strict justification
• Post-surveillance notification is essential

➡️ Established modern digital privacy protection framework

2. BVerfG, 1 BvR 2099/04 (2006) – Data Storage & Search Limits

Principle:

Stored digital data is protected by informational self-determination.

Holding:

• Seizure of digital data must be legally precise
• Laws must clearly define purpose and limits
• Broad data access is unconstitutional

➡️ Strengthened suspect protection against overbroad digital searches

3. BVerfG, 2 BvR 1345/03 (2006) – IMSI Catcher Case

Principle:

Technical surveillance tools must have clear legal basis.

Holding:

• Tracking devices (IMSI catchers) allowed only under strict law
• Must be proportionate and targeted
• Judicial oversight required

➡️ Ensures suspects are protected from covert digital tracking abuse

4. BVerfG, 2 BvR 902/06 (2009) – Email & Provider Data Seizure

Principle:

Digital communications stored with providers are still protected.

Holding:

• Police access to emails requires legal authorization
• Overcollection must be avoided
• Courts must ensure proportionality

➡️ Reinforces rights over cloud/email surveillance

5. BVerfG, 2 BvR 1454/13 (2016) – Internet Surveillance Case

Principle:

Internet browsing activity is part of protected telecommunications.

Holding:

• Monitoring entire internet activity is possible only under strict conditions
• § 100a StPO must be narrowly interpreted
• Strong proportionality test applies

➡️ Confirms suspects’ online activity is constitutionally protected

6. BVerfG, 1 BvR 256/08 (2008) – Data Retention Judgment

Principle:

Mass collection of digital communication data violates privacy rights.

Holding:

• Blanket data retention is unconstitutional
• Requires strict safeguards and limited access
• High threshold for suspect targeting

➡️ Protects suspects from indiscriminate digital profiling

7. BVerfG, 1 BvR 180/23 (2025) – Source-TKÜ & Online Surveillance

Principle:

Hacking-based surveillance must meet highest constitutional standards.

Holding:

• Device hacking = extremely severe rights violation
• Requires strong suspicion of serious crime
• Must protect core private digital life

➡️ One of the strongest modern protections for suspects

4. Key Principles from Case Law

Across all decisions, the Federal Constitutional Court consistently enforces:

1. Proportionality (Verhältnismäßigkeit)

Surveillance must be:

• Necessary
• Suitable
• Minimally intrusive

2. Judicial Authorization

No digital surveillance without a judge.

3. Protection of Core Digital Sphere

Even suspects have a “private digital core” that cannot be invaded.

4. Strict Purpose Limitation

Data can only be used for:

• Specific investigation purpose
• Not general intelligence gathering

5. Mandatory Post-Notification

Surveillance must generally be disclosed after completion.

6. High Threshold for Intrusive Measures

Hacking and full device access require:

• Serious crimes
• Strong factual suspicion

5. Conclusion

In Germany, digital rights of suspects are among the strongest in Europe, even though they can be restricted during investigations.

Key idea:

A suspect does NOT lose digital privacy rights — they only become legally limited under strict constitutional control.

German courts continuously ensure that:

• Surveillance remains targeted
• Digital intrusion is minimal
• Judicial oversight is strong
• Post-surveillance transparency exists