Whistleblower protection
nn Provisions on whistleblower protection are prescribed in the legislation of four of the seven Member States
covered by FRA’s fieldwork. Interviewees tended to agree that efficient whistleblower protection within
the intelligence services requires a specific regime, different than those designed for other governmental
institutions.
Continuous oversight
nn Twenty-two Member States include an independent authority – judicial or expert – in the authorisation of the
use of at least one type of targeted surveillance measure. In six Member States, all types of targeted surveillance measures may be implemented without ex ante oversight by an independent body.
nn In the five Member States that have detailed provisions on general surveillance of communications, only
three provide for the binding involvement of an independent body in the authorisation of these measures. In
the two Member States that do not do so, the oversight bodies also do not have the power to make binding
interventions.
nn In all five Member States that have detailed provisions on general surveillance of communications, an independent body is tasked with providing for ongoing oversight (oversight of the implementation) of these
measures.
Oversight of international intelligence cooperation
nn A majority of Member States – 17 out of 28 – do not prescribe oversight of international cooperation among
intelligence services. Of the 11 EU Member States that do provide for oversight of such international cooperation in law, three have excluded information originating from foreign services from the scope of oversight;
four do not differentiate between the oversight regime for international sharing of data and for domestic
sharing of data; and four have limited the scope of the control over information obtained through such
cooperation.
nn The specific characteristics of international intelligence sharing require Member States to establish safeguards tailored thereto, notably:
- prior approval of any agreement by the executive (currently in force in 27 Member States),
- complementary approval by either the executive or the head of the services before the exchange may
take place (currently in force in 4 Member States),
- an assessment of fundamental rights anchorage (currently required in the laws of 3 Member States) or of
the existence of equivalent data protection legislation (currently conducted in 2 Member States), and
- data reliability assessments and the obligation to keep records (currently mandatory in 4 Member States).
nn The dominant principle in international cooperation – the ’third party rule‘ – states that a foreign agency to
which intelligence has been transmitted can neither share this information with a third party nor use the data
for an objective different from the one for which the exchange was established in the first place. When considered to be third parties, expert bodies are not authorised to access – and therefore, oversee – intelligence
data obtained via international cooperation. In some Member States, oversight bodies are increasingly not
considered to be ‘third parties’.
57