Surveillance by intelligence services – Volume II: field perspectives and legal update
Recording and tracking obligation
“Legislation should include provisions on the duty of record keeping for international intelligence cooperation, in
particular, concerning the exchange of information with
foreign partners.”
Born, H., Leigh, I. and Wills, A. (2015), p. 94
To ensure adequate accountability, it is essential that
intelligence services track and keep records of all
transactions with foreign partners. Some EU Member
States – including Croatia, Estonia, Germany and
Hungary – have included such obligations in their laws
governing the functioning of such services.436 Recording
obligations may be hampered, though, by the so-called
‘third party rule’ – further discussed in Section 11.3.
Indeed, some partner and allied services only provide
intelligence on the understanding that the receiving
service will seek permission before disclosing it outside
the intelligence community, and that such permission
may be denied. Such a rule, referred to as the ‘control
principle’, is widely adhered to within intelligence
communities to ensure trust among partners.
In Germany, transfers have to be documented. The
exchange agreement must state that the data may
only be used for the same purpose for which they were
transferred, and that the German intelligence service
from which the data originate reserves the right to ask
how data are used.437 Receiving parties have to sign up to
purpose limitation, to keep tag on the data that indicates
their origin from telecommunication surveillance, and
to provide information about further use on request of
the BND. Similarly, in Croatia, the submitted data must
be documented, including a written disclaimer that the
information provided can only be used for the purposes
for which they were provided.438 In both Germany and
Croatia, intelligence services include in these caveats
the right to seek feedback on how the submitted data
are used. In Germany, such caveats must be clearly
indicated before the cooperation starts: the intelligence
services must include, in the intent of cooperation that
is transmitted to the Federal Chancellery for approval,
these two agreements with the foreign partner, on
purpose limitation and a posteriori information of the
use made of the data.439
436 Croatia, Act on the Security Intelligence System of the
Republic of Croatia, Art. 60 (3), Estonia, Security Authorities
Act, s. 34; Germany, BNDG, S. 15 (2) and Germany, G10 Act,
S. 7a (3); Hungary, Act CXXV of 1995 on the National
Security Services, s. 46.
437 Germany, BNDG, S. 13 (3) and Germany, G10 Act, S 7a (4).
438 Croatia, Act on the Security Intelligence System of the
Republic of Croatia (Zakon o sigurnosno-obavještajnom
sustavu Republike Hrvatske), Official Gazette (Narodne
novine) Nos. 79/06 and 105/06, 30 June 2006, Art. 60.
439 Germany, BNDG, S. 13 (3) and Germany, G10 Act 7a (4).
104
Prior controls and authorisations must be complemented
by ex post controls, which can be performed internally
or externally. However, oversight of international
arrangements requires access to information relating
to activities and data transfers conducted under
international cooperation. In 2016, the CTIVD expressed
regret that the draft intelligence bill did not include
a recording requirement. According to the Dutch
Review Committee, to enable internal and external
control, “personal data should be provided exclusively
in writing”.440 This is the case, in particular, for exchange
of large volume of data that did not go through any
evaluation from the services before being exchanged.441
11.2. Limited but existing
oversight
UN good practices on oversight of
international cooperation
Practice 34. Independent oversight institutions are able to
examine intelligence-sharing arrangements and any information sent by intelligence services to foreign entities.
UN, Human Rights Council, Report of the Special Rapporteur Martin Scheinin
ECtHR case law: external supervision of
international cooperation
“The governments’ more and more widespread practice
of transferring and sharing among themselves intelligence retrieved by virtue of secret surveillance – a practice, whose usefulness in combating international terrorism is, once again, not open to question and which
concerns both exchanges between Member States of
the Council of Europe and with other jurisdictions – is yet
another factor in requiring particular attention when it
comes to external supervision and remedial measures.”
ECtHR, Szabo and Vissy v. Hungary, No. 37138/14, 12 January 2016, para. 78
Although essential for ensuring fundamental rights
compliance and boosting trust among intelligence
service partners, the laws of a majority of Member
states – 17 out of 28 – do not enshrine a clear provision
stating whether, and to which extent, oversight bodies
have competence over international cooperation. The
absence of such a legal basis obliges both intelligence
services and oversight bodies to interpret the legal
framework to define whether, and to what extent,
oversight bodies may assess international exchanges
of data. To be lawful, any measure that interferes with
privacy must first and foremost be prescribed by law.
In the United Kingdom, for example, the Interception of
440 Netherlands, CTIVD (2016a), p. 10.
441 The Netherlands, CTIVD (2016d), p. 27.