Surveillance by intelligence services – Volume II: field perspectives and legal update
“Talking about data protection, and not violations of
fundamental rights in general, the text of the law, albeit
complex, is clear and comprehensible overall.”
(Data protection authority)
“The general framework is sufficiently clear and it requires
no further adjustments.” (Judiciary)
Even though interviewed experts from oversight and
executive control institutions from different Member
States – e.g. Belgium, France, the Netherlands and
Sweden – view the current legislation and oversight
setting positively, they acknowledged several problems.
Many of these echo the complaints voiced by individuals
with overall more critical views. They referred to their
respective system as ‘quite sophisticated’, ‘quite
unique’ and ‘very credible’, noting that ‘the construction
is well-thought through’.
However, some stated that, even if clear, the legislation
was outdated and needed to be updated (or was in the
process of discussion). Some said it was still not able
to respond to current situation while implementation
of recent legislative reforms which is not yet clear.
Respondents often referred to the problem of general
inconsistency, fragmentation of the legal framework,
and the need to improve current practices in terms
of coordination among different institutions. This
includes clarifying the division of competences and
avoiding overlapping functions. Some respondents also
stated that the legislation regulating the oversight of
intelligence services lacks clarity.
4.1. Member States’ laws on
surveillance
In some Member States, the legal basis that frames
the intelligence services’ mandate and powers consists
of one unique legal act governing their organisation
and means – Cyprus is a recent example.90 In others,
complex frameworks consisting of several laws and
regulations stipulate specific aspects of the services’
mandate, organisation, competences or means (e.g.
the United Kingdom). However, most Member States
organise the work of their intelligence services in two
laws: one on their mandate and organisation, the other
on means of action and the conditions for using them.
For instance, the Act on the Security Services of the
Czech Republic sets out the general legal framework
for the intelligence services in that Member State. The
90 Cyprus, Law providing for the establishment and functioning
of the Cyprus Intelligence Service (Νόμος που προβλέπει
για τη θέσπιση και τη λειτουργία της Κυπριακής Υπηρεσίας
Πληροφοριών) Ν. 75(Ι)/2016.
40
powers of each intelligence service are further detailed
in two separate acts.91
A review of legal frameworks regulating surveillance
methods used by intelligence services shows that 27
of 28 Member States have codified their use; Cyprus
is the exception. In Cyprus, a recently adopted law
codifies the existence of operations conducted by
intelligence services. However, it does not regulate the
surveillance methods used by the intelligence services,
nor does it explicitly sanction or prohibit surveillance.92
In Portugal, a law adopted in July 2017 lays down the
conditions for intelligence services to access metadata
of an existing target.93
As far as general surveillance of communications is
concerned, the 2015 FRA report showed that France,
Germany,94 the Netherlands, Sweden and the United
Kingdom have detailed legislation governing the
use of measures aiming at general surveillance of
communications.95 France, Germany and the United
Kingdom have significantly reformed their intelligence
laws since 2015. Several other EU Member States
have started wide-reaching reform processes – such
as Finland, which will be the sixth Member State
with detailed legislation on general surveillance of
communications if the proposed reform is adopted.
“The reform of the legal framework has been very positive.
It has brought clarity and changed the world of intelligence
services, changed the approach and the methodology. No
more deviated secret services.” (Parliamentary committee)
“The [new] legislation is positive to the extent that it makes
explicit things which were previously implicit.” (Lawyer)
The reforms in the Member States were triggered by various factors. The intelligence services needed to adapt to
91
Czech Republic, Act on the Security Information Service
(Zákon o bezpečnostní informační službě), No. 154/1994,
7 July 1994; and Czech Republic, Act on Military Intelligence
(Zákon o Vojenském zpravodajství), No. 289/2005,
16 June 2005.
92 Cyprus, Cypriot Intelligence Services Act 2016 (Ο περί της
Κυπριακής Υπηρεσίας Πληροφοριών Νόμος του 2016).
93 Portugal, Organic Law No. 4/2017, of 25 August, approving
and regulating the special procedure to grant the Security
Intelligence Service (SIS) and the Defence Strategic
Intelligence Service (SIED) access to communication and
Internet data and proceeds to the amendment to the Law
No. 62/2013 26 August (Law on the organisation of the
Judicial System), Lei Orgânica n.° 4/2017 de 25 de agosto
Aprova e regula o procedimento especial de acesso
a dados de telecomunicações e Internet pelos oficiais de
informações do Serviço de Informações de Segurança e do
Serviço de Informações Estratégicas de Defesa e procede
à segunda alteração à Lei n.º 62/2013, de 26 de Agosto
(Lei da Organização do Sistema Judiciário).
94 The NSA inquiry committee’s report provides
additional explanation on the legal framework and its
implementation before the 2016 reform: Germany, Federal
Parliament (2017a), p. 687 and following.
95 FRA (2015a), p. 20.