Introduction
As explained in the 2015 FRA report, if EU law is not
applicable, Council of Europe conventions might be.32
These include the ECHR and the Convention for the
protection of individuals with regard to the automatic
processing of personal data (Convention 108),33 and
its 2001 Additional Protocol related to transborder
data flows to non-parties to Convention 108 and the
mandatory establishment of national data protection
supervisory authorities.34 Convention 108 is currently
being amended to, on the one hand, better address
challenges resulting from the use of new information
and communication technologies and, on the other
hand, to strengthen its implementation.35 The reform
maintains the general and technologically neutral
nature of the convention’s provisions; it does not impose
or discriminate in favour of the use of a particular type
of technology. At the same time, it aims to be coherent
with other legal frameworks, such as the EU’s. In line
with the GDPR, the reformed Convention 108 will include
an exception to the protection of personal data for the
processing activities for national security.36 However,
such an exception must be provided for by law, respect
the essence of fundamental rights and freedoms, and
constitute a necessary and proportionate measure in
a democratic society. The reformed Convention 108
will also require processing activities for national
security purposes to be subject to independent and
effective review and supervision. Convention 108 is of
great importance to the EU legal order given that all EU
Member States ratified it following a 1999 amendment,
and that the EU could become a party thereto.37
32
33
34
35
36
37
Report structure
The report is structured as follows:
•• Part 1 provides an overview of intelligence services and surveillance laws in all EU Member States.
Highlighted findings from fieldwork interviews
conducted at national level in selected EU Member
States offer insights into how experts view legal
frameworks in terms of their compliance with human rights standards.
•• Part 2 presents existing statutory safeguards, focusing on oversight of intelligence services. Most
fieldwork findings are presented in this part. While
the 2015 FRA report treated oversight mechanisms
according to the type of institution involved, this
report presents oversight mechanisms according to
their role in oversight.
•• Part 3 analyses the available remedies for an individual in cases of alleged unlawful surveillance.
The fieldwork findings on the availability and effectiveness of remedial avenues provide empirical
evidence.
The report’s annexes present the research data
collection methodology (Annex 1), the intelligence
services in the EU-28 (Annex 2), and key features of
expert oversight bodies’ and parliamentary oversight
committees’ annual reports (Annex 3 and Annex 4).
FRA (2015a), p. 11.
Council of Europe, Convention for the protection of
individuals with regard to Automatic Processing of Personal
Data, CETS No. 108, 1981 (Convention 108); CJEU, C-387/05,
European Commission v. Italian Republic, 15 December 2009,
para. 45.
Council of Europe, Convention 108, Additional Protocol
to the Convention for the protection of individuals with
regard to automatic processing of personal data, regarding
supervisory authorities and transborder data flows, CETS
No. 181, 2001.
Council of Europe, Draft Modernised Convention for the
Protection of Individuals with Regard to the Processing of
Personal Data (Draft Modernised Convention 108).
Ibid. Art. 9.
Council of Europe, Amendments to the Convention for
the protection of individuals with regard to Automatic
Processing of Personal Data (ETS No. 108) allowing
the European Communities to accede, adopted by the
Committee of Ministers, in Strasbourg, on 15 June 1999;
Art. 23 (2) of the Convention 108 in its amended form.
23