Surveillance by intelligence services – Volume II: field perspectives and legal update
distinction between targeted and untargeted collection.
The UK Independent Reviewer of Terrorism Legislation
Anderson highlighted the difference between the
concept of bulk powers, as prescribed by the United
Kingdom’s legal framework, and ‘mass surveillance’,
in a 2016 report (see excerpted quote).
Bulk powers versus mass surveillance
“[T]he exercise of a bulk power implies the collection and
retention of large quantities of data which can subsequently be accessed by the authorities. On this broad definition, the characterisation of a power as a bulk power
does not depend on whether data is collected and stored
by the Government or by a private company. […]
But the [Investigatory Powers Bill] proceeds on a narrower definition of bulk powers, limited to those powers which provide for data in bulk to be acquired by the
Government itself.
Whether a broader or narrower definition is preferred, it
should be plain that the collection and retention of data
in bulk does not equate to so-called “mass surveillance”.
Any legal system worth the name will incorporate limitations and safeguards designed precisely to ensure that access to stores of sensitive data (whether held by the Government or by communications service providers [CSPs])
is not given on an indiscriminate or unjustified basis.”
Anderson QC, D. (2016), Report of the bulk powers review, p. 3-4
Technological developments and the need to respond
to new national security threats, particularly in the
context of counter-terrorism, prompted intelligence
gathering techniques to evolve. Intelligence services
now focus more on network traffic – the data moving
across a network at a given point in time.
The 2015 FRA report referred to a publication of the US
National Research Council to illustrate the conceptual
model of signals intelligence.65 Meanwhile, the Dutch
government published an alternative figure when it
submitted the Dutch draft intelligence bill, reflecting
the Dutch process of cable communications interception
after the Intelligence and Security Services Act 2017
enters into force (see Figure 2).66 It shows that the Dutch
intelligence services will intercept communications
transmitted via cables when they will not have sufficient
information from other sources. Figure 2 also shows that
the collected data are filtered before they are stored, to
disregard irrelevant materials for the fulfilment of the
intelligence services’ mandate. The final stage before
storage consists of sorting the data according to the
65 FRA (2015a), p. 16.
66 The Netherlands, National Government
(Rijksoverheid) (2016), Infographic about AIVD and MIVD’s
method of interception of information (‘Gemoderniseerde
Wet op de inlichtingen- en veiligheidsdiensten: extra
bescherming veiligheid én privacy’), Press Release
28 October 2016.
30
information they provide (for example, location or
identity). Concerning the processing of the stored data,
Figure 2 shows that selection is conducted to identify
the possibly relevant information for a particular
investigation. Once the final analysis of the gathered
intelligence is completed, intelligence services continue
with ‘follow-up research’.
In 2015 and 2016, the CJEU delivered judgments in
the Schrems 67 and Tele2 68 cases, respectively. In
Schrems, the CJEU examined the interference with EU
citizens’ right to private life and protection of personal
data resulting from surveillance activities by US
authorities – specifically, the collection of and access
to data of EU citizens transferred to the US pursuant to
the Safe Harbour Decision.69 The CJEU used the terms
‘storage of data on a generalised basis’70 and ‘access
to data on a generalised basis’71 to describe the bulk
collection of data and unrestricted access to the data
by public authorities, respectively. In Tele2, the CJEU
used the terms ‘general and indiscriminate retention
of electronic communications data’,72 ‘generalised
retention’73 and ‘access not restricted genuinely and
strictly to one of the [specified] objectives’.74 Korff et al.
used the term ‘generic access to communication data’
for the purposes of their article, based on the CJEU’s
terminology in Schrems.75
The great variety of terms used highlights that what
one deems appropriate terminology depends on one’s
point of view. The differences in terminology reflect
the varying objectives and perspectives regarding the
same or overlapping phenomena. From the intelligence
services’ point of view, ‘signals intelligence’ refers
to a type of technology used to collect data. This
technology is used for a specific (‘strategic’) purpose, at
a given scale (mass/bulk), and within legal boundaries.
In this report, FRA uses, to the extent possible, the
terminology adopted in national laws, while having
67
CJEU, C-362/14, Maximilian Schrems v. Data Protection
Commissioner, 6 October 2015.
68 CJEU, Joined Cases C-203/15 and C-698/15, Tele2 Sverige AB
v. Post- och telestyrelsen and Secretary of State for the
Home Department v. Tom Watson and Others, 21 December
2016.
69 European Commission (2000), Commission Decision of
26 July 2000 pursuant to Directive 95/46/EC of the European
Parliament and of the Council on the adequacy of the
protection provided by the safe harbour privacy principles
and related frequently asked questions issued by the US
Department of Commerce, OJ 2000 L 215 (Safe Harbour
Decision).
70 CJEU, C-362/14, Maximilian Schrems v. Data Protection
Commissioner, 6 October 2015, para. 93.
71 Ibid. para. 94.
72 CJEU, Joined Cases C-203/15 and C-698/15, Tele2 Sverige AB v.
Post- och telestyrelsen and Secretary of State for the Home
Department v. Tom Watson and Others, 21 December 2016,
para. 62.
73 Ibid. para. 113.
74 Ibid. para. 114.
75 Korff, D. et al (2017), p. 14.