Executive summary
With terrorism, cyber-attacks and organised crime
posing growing threats across the European Union, the
work of intelligence services undoubtedly remains vital.
Technological advancements have introduced both new
threats and means of fighting those threats, meaning such
work has also become increasingly complex. In addition,
the globalisation of conflicts and the transnational nature
of threats faced have made international cooperation
between intelligence services both more common and
indispensable – within and beyond the EU’s borders.
Digital surveillance methods serve as important
resources in intelligence efforts, ranging from
intercepting communications and metadata to hacking
and database mining. But – as the 2013 Snowden
revelations underscored – these activities may also
seriously interfere with diverse fundamental rights,
particularly to privacy and data protection.
This report constitutes the second part of a research
effort triggered by a European Parliament request for
in-depth research on the impact of surveillance on
fundamental rights. It updates FRA’s 2015 legal analysis
(Surveillance by intelligence services: fundamental
rights safeguards and remedies in the EU – Volume I:
Member States’ legal frameworks). In addition, it
presents findings from over 70 interviews with experts –
conducted largely in 2016 – in seven EU Member States:
Belgium, France, Germany, Italy, the Netherlands,
Sweden and the United Kingdom. The report focuses on
large-scale technical collection of intelligence, referred
to as general surveillance of communications.
Intelligence laws remain
diverse and complex
Much has happened since 2015. New threats and new
technology have triggered extensive reforms across
several Member States, particularly France, Germany,
the Netherlands and the United Kingdom, and Finland
is in the midst of an overarching reform.
These intelligence law reforms have increased
transparency. Nonetheless, the legal frameworks
regulating intelligence work in the EU’s 28 Member
States remain both extremely diverse and complex.
International human rights standards require defining
the mandate and powers of intelligence services in
legislation that is clear, foreseeable and accessible.
But experts voiced concerns about a persisting lack of
clarity as a major source of uncertainty.
According to both European Convention of Human Rights
(ECHR) and EU law, the mere existence of legislation
allowing for surveillance measures constitutes an
interference with the right to private life, and European
courts consider the collection of data by intelligence
services to amount to an interference. Such interference
needs to be justified to be human rights compliant.
Targeted surveillance – which applies to concrete
targets based on some form of individualised
suspicion – is regulated in some detail by almost all
EU Member States. By contrast, only five Member
States currently have detailed legislation on general
surveillance of communications. Safeguards do limit the
potential for abuse, and these have been strengthened
in some Member States – though less so in case of
foreign-focused surveillance. Similarly, safeguards are
generally weaker – and less transparent – in the context
of international intelligence cooperation, suggesting
a need for more regulation of such cooperation.
Oversight bodies ensure some
accountability, but room for
improvement remains
Various entities oversee the work of intelligence
services across the EU-28, including the judiciary,
expert bodies, parliamentary committees and data
protection authorities. In a field dominated by secrecy,
such oversight is crucial: it helps ensure that intelligence
services are held accountable for their actions, and
encourages the development of effective internal
safeguards within the services.
The judiciary and expert bodies are most commonly
involved in overseeing surveillance measures.
Specialised parliamentary committees generally
focus on assessing governmental strategic policies –
21 Member States have set up such committees for this
purpose. Data protection authorities have significant
powers over intelligence services in seven Member
States, but their powers are limited or non-existent in the
rest of the EU – mainly due to an exception for national
security matters enshrined in data protection law.
Almost all interviewees from oversight bodies
maintained that they are able to resist external
influence, but some lawyers, civil society, and
academics questioned both their independence and
their effectiveness. Interviewed experts emphasised
that full access to all relevant data and information is
key to effective oversight – as is the ability to benefit
from such access. With oversight bodies largely staffed
by legal specialists, the inability to do so sometimes
boils down to limited technical capacities. Interviewees
9