Oversight of international intelligence cooperation
Communications Commissioner questioned the extent
and exact scope of his remit in this area in his 2013
annual report. 442 Similarly, in Germany, a member of
the G 10 Commission wondered to what extent the
third party rule limits the commission’s oversight over
data transfers, when the G 10 Act does not refer to
any limitation.443 In some Member States, the absence
of specific reference may be understood as a de
facto application of the domestic oversight system
to international cooperation.
“Legislation should include provisions that oblige the service
and/or executive to inform the intelligence oversight body
about international intelligence cooperation agreements.”
Born, H., Leigh, I. and Wills, A. (2015), p. 94
“The legislative mandates of bodies that oversee the
intelligence services […] should make clear that their role
and powers extend to relevant intelligence cooperation and
activities of the services they oversee.”
Born, H., Leigh, I. and Wills, A., (2015), p. 190
Eleven EU Members States have laws that specify the
legal basis for oversight bodies to oversee international
cooperation. Of these, three – France, Ireland and
Spain – have excluded information originating from
foreign services from the scope of oversight. Four –
Denmark, Finland, the Netherlands and Romania – do
not differentiate between the oversight regime for
international sharing of data. Three – Luxembourg,
Portugal and Sweden – have limited the scope of the
control over such information. In Germany, the scope
of competences of the oversight bodies depends on
the type of surveillance conducted: it is limited for
strategic surveillance, and similar to domestic oversight
for foreign-to-foreign data transfers. The following
paragraphs introduce some of the specificities of the legal
frameworks prohibiting, allowing or limiting national
oversight over international intelligence cooperation.
In the Netherlands, the CTIVD conducted several
investigations into the legality of international
cooperation.444 In 2015, it conducted two investigations
following requests from the House of Representatives,
on the criteria for establishing cooperation and on the
prior ministerial approval required before any exchange
of data. The CTIVD concluded that the intelligence
services’ systematic acquisitions of personal data
were done lawfully, but still deemed current privacy
safeguards inadequate, and suggested enhancing
them. 445 The CTIVD added that “the potential of the
442 United Kingdom, IOCCO (2013), p. 62.
443 Huber, B., in: Schenke, W. et al. (eds.) (2014), p. 1451 and
following.
444 See The Netherlands, CTIVD (2009), (2016), (2016a), (2016b)
and (2016c).
445 The Netherlands, CTIVD (2014), p. 37 and following. See also
The Netherlands, CTIVD (2015), p. 28.
General Intelligence and Security Service of the
Netherlands (AIVD) […] to infringe privacy in the digital
domain goes further than was foreseen when the
ISS [Intelligence and Security Services] Act 2002 was
drafted and enacted”, and found some procedures that
govern the intelligence services unlawful, calling for
stricter oversight of the services’ digital activities. 446
Based on past review reports, the CTIVD also emphasised
that “the services have not yet been able to establish
a procedure that ensures their consistent compliance
with the statutory safeguards when selecting from
untargeted interception (SIGINT).”447
In Belgium, the Standing Committee I in 2013 launched
an investigation regarding one of the missions of the
Coordinating Unit for Threat Analysis (OCAM), which
establishes and maintains contacts with foreign
partners. This investigation, jointly conducted with
the Standing Committee P, followed previous similar
investigations in 2009 and 2011 on OCAM’s international
activities. Concluded in 2015, the investigation recalled
that OCAM is not an intelligence service as such, and
therefore the foreign counterparts with whom it may
establish cooperation should be better defined. 448
The oversight body clarified, though, that a directive
regulating OCAM’s international cooperation was
adopted by the national security council after
the investigation concluded.449
In France, Spain and the United Kingdom, similar wording
included in the respective acts regulating intelligence
services exempt “information communicated by
foreign services or international organisations” from
the remit of parliamentary oversight commissions,450 as
well as, in the case of France, the independent expert
oversight body (CNCTR).451
In Luxembourg, Portugal and Sweden, the oversight
bodies are not expressly tasked with overseeing
international data transfers and they generally cannot
exercise their full competences over international
intelligence cooperation. However, in these
four Member States, the body charged with ensuring
the control of domestic intelligence activities must be
informed of data transfers. In Sweden, for instance,
the intelligence services must inform the Swedish
446
447
448
449
450
The Netherlands, CTIVD (2014), p. 5.
Ibid. p. 28.
Belgium, Standing Committee I (2016), p. 33-37.
Ibid. p. 34.
France, Ordinance no. 58-110 of 17 November 1958 related
to the functioning of parliamentary assemblies (Ordonnance
n° 58-1100 du 17 novembre 1958 relative au fonctionnement
des assemblées parlementaires), Art. 6 nonnies; Spain, Law
11/2002 of 6 May, regulation of National Intelligence Centre
(Ley 11/2002, de 6 de mayo, reguladora del Centro Nacional
de Inteligencia), Art. 11 and the United Kingdom, Justice and
Security Act 2013, schedule 1, para. 5 (c).
451 France, Interior Security Code (Code de la sécurité
intérieure), Art. L. 833-2. - IV.
105