Raising individuals’ awareness
13.4. Restrictions on
notification obligations
and right to access with
safeguards
Some Member States provide for the involvement of
the expert body or a court in scrutinising whether the
invoked grounds for restricting the rights of notification
or access are reasonable. Examples below show that
further controls assessing justifications of restrictions
differ from one Member State to another. Some Member
States – such as Germany and the Netherlands – provide
for review of a notification’s exemption by the expert
oversight bodies. Others – such as Cyprus, Greece and the
United Kingdom – vest their DPA with such competence.
These assessments by oversight bodies also show that
the notification’s obligation is not implemented evenly
across EU Member States.
In Cyprus and Greece, the DPA may decide to restrict
or lift the obligations to inform and grant access on
the grounds of national security, upon request of the
intelligence services, and as stipulated by the data
protection laws. In Germany, the G 10 Commission
decides for how long the information may be
withheld, unless it unanimously decides that, even
after five years, disclosing the information would
endanger national interests.531
In the United Kingdom, the intelligence services may
rely upon the exemption for national security cases,
which is provided in the data protection law.532 The
Secretary of State has issued certificates exempting
the intelligence services from the application of data
protection principles. Nonetheless, the DPA may assess
whether invoking the relevant exemptions justifying
nondisclosure and/or the “neither confirm nor deny
response” was justified. In assessing the lawfulness of
the non-disclosure of the information, the DPA may ask
the services for reasoned explanations but has access
to confidential information only in very exceptional
cases. Individuals will not be given access to any of the
explanations or confidential information provided to the
Information Commissioner by the intelligence services,
unless very specific exceptions are met.533
531 Germany, G 10 Act, s. 12.
532 United Kingdom, Data Protection Act 1998, s. 28.
533 United Kingdom, Ministry of Justice (2014), ‘Memorandum
of understanding on National Security Cases (DPA)’,
2 September 2013.
Promising practice
Transparent scrutiny of denials of
rights
In both the Netherlands and Germany, oversight
bodies assess the grounds on which notification
of or access to information was denied. As no one
was notified between 2007 and 2010, in 2013 the
CTIVD decided to launch a special investigation
on the obligation to inform. The Dutch oversight
body found out that in the meantime, thirteen
persons had been notified. A similar investigation
started in 2016.
In Germany, the G 10 Commission may decide to
notify individuals based on information provided
by the intelligence services. In 2016, the oversight
body decided to not yet inform 1,040 persons/
institutions, and unanimously agreed that 188
would never be informed. In cases of strategic
surveillance, the G 10 Commission dealt with 58
cases for information related to international
terrorism. In the majority of cases (51), the
BND informed the G 10 Commission that the
individual could not be individualised through the
surveillance measure. In six cases, the commission
decided to postpone providing the information;
in no cases rejected the information indefinitely;
and in one case took note that the intelligence
service (BND) provided the information.
See The Netherlands, (CTIVD) (2013) and CTIVD (2016), p. 14;
Germany, Federal Parliament (Deutscher Bundestag) (2017a),
pp. 6 and 8
While discussing the difficulties of notifications and
the right to access information, the respondents
interviewed in the selected EU Member States
shared a variety of opinions. For example, in cases
of general communications surveillance, it might be
problematic to notify all subjects of the intelligence
activities or ensure access to information when the
intelligence services have no data about a specific
individual. These arguments are not relevant in case
of completed targeted surveillance activities. During
some interviews, representatives from the oversight
bodies, and other experts, questioned the principle
of notification in the context of fundamental rights
protection. They maintained that the value would lie
in a systematic implementation of the safeguards built
in the oversight process that would possibly prevent
breaches of an individual’s fundamental right. If the
whole system of checks and balances is implemented
through effective oversight, redress might not be
necessary. By drawing an analogy to ‘privacy by design’,
the proposed approach can be called ‘data protection
oversight by design’. The interviewees questioned the
value of having the duty of notification defined in the
legislative framework but not applicable in practice. The
respondents called for a possibility of individual legal
protection, possibility to seek redress. Representatives
127