Surveillance by intelligence services – Volume II: field perspectives and legal update
13.1. Freedom of information
To verify and, possibly, challenge surveillance measures,
access to public documents may increase individuals’
awareness of possible wrongdoings and support them,
where relevant, in lodging a complaint. This right,
generally grounded in freedom of information laws,
contributes greatly to the accountability system. As
emphasised by Born and Leigh, “Security and intelligence
agencies should not be exempted from domestic
freedom of information and access to files legislation.
Instead they should be permitted, where relevant, to
take advantage of specific exceptions to disclosure
principles referring to a limited concept of national
security and related to the agency’s mandate.”503
All but two EU Member States – Cyprus and Luxembourg –
have enacted Freedom of Information laws, or similar
laws. However, all include restrictions based on access
to classified information, or the protection of national
security, or the activities of intelligence services. These
exemptions originate in the need for intelligence services
to be able to protect the sources and methods applied
to individual operations. Only Hungary does not exclude
classified information or state security documents as
a general rule. However, the heads of the Hungarian
services have the discretion to deny the disclosure of
public information on national security grounds.504
In Germany, the Security Check Act (Sicherheitsüberprüfungsgesetz) prevents citizens from requesting access
to information that originates from the three federal
intelligence services or other authorities and bodies
of the federal state that are classified as “secret” or
“top secret”.505 The Federal Administrative Court has
clarified that this general exemption from the right
to freedom of access to documents also covers documents originating from the intelligence services and
held by supervisory authorities.506
This blanket exception based on national security shows
that, within the legal frameworks of EU Member States,
the Freedom of Information principle is, de jure, not
adapted for individuals attempting to access relevant
information and to challenge surveillance techniques.
While it is clear that certain information should remain
classified, total exceptions could be softened to
safeguard individuals’ fundamental rights. Notably,
legitimate aim and proportionality tests could be
conducted before denying access to public documents,
503 Born, H. and Leigh, I. (2005), p. 44.
504 Hungary, Act CXXV of 1995 on the national security services,
27 March 1996, Article 48(1).
505 Germany, Act to Regulate Access to Federal Information
(Informationsfreiheitsgesetz, IFG), Section 3 No. 8.
506 Germany, Federal Administrative Court
(Bundesverwaltungsgericht), BVerwG 7 C 18.14,
25 February 2016.
124
or a competent authority could be in charge of assessing
the level of confidentiality before issuing the denial.
Nevertheless, interviewed experts stated that there
have been situations where Freedom of Information
legislation proved useful to compel authorities to
disclose certain findings, where national security is
deemed not to be at risk and the information is not
otherwise publicly available.
13.2. Notification obligation
and right to access
principles
The obligation to inform and the right to access
one’s own data can generally be perceived as strong
safeguards for ensuring the effectiveness of remedial
action, and, ultimately, legal scrutiny by judicial or
non-judicial bodies.507 In data protection laws, these
safeguards also ensure transparency of data processing
and the exercise of other rights of the individual, i.e. the
rectification and/or deletion of data being processed
unlawfully.508 In the context of surveillance, even
circumscribed by the necessary restrictions to safeguard
national security and confidentiality,509 these rights also
enhance accountability of the intelligence services and
help to develop citizens’ trust in government actions.510
In the United Kingdom, for instance, IOCCO has the
power to inform individuals if it finds that they have
been adversely affected by any serious error or by
any wilful or reckless conduct by a public authority.511
Such notifications have led individuals to lodge
complaints with the IPT.512 This principle was confirmed
in the Investigatory Powers Act, which obliges the
Investigatory Powers Commissioner to inform persons
of any “significant prejudice or harm” relating to them
of which the Commissioner is aware. In doing so, the
Investigatory Powers Commissioner will have to assess
the seriousness of the error, to consider the potential
impact on public interest or national security, and to
inform the persons of their rights to apply to the IPT.
However, the fact that there has been a breach of an
individual’s ECHR rights alone is not sufficient for an
507 Born H. and Wills A., (2012), p. 52.
508 See for example Germany, Federal Constitutional Court
(Bundesverfassungsgericht), 1 BvR 2226/94, 14 July 1999,
para. 169.
509 See for example GDPR, Article 23(1).
510 UN, Human Rights Council, Scheinin, M. (2010), p. 23.
511 United Kingdom, Home Office (2015), ’Code of Practice
of Acquisition and Disclosure of Communications Data’,
March 2015, ss. 6.22 and 8.3. See also, United Kingdom,
IOCCO (2016a), paras 1.14 and 2.2.
512 United Kingdom, IOCCO (2016a), p. 71.