7. An imperative: control from within

Control v. Oversight
“Oversight should be distinguished from control because the
latter term (like management) implies the power to direct
an organization’s policies and activities. Thus, control is typically associated with the executive branch of government
and specifically with the senior management of intelligence
services. An example of control, as opposed to oversight,
would be the issuance of an executive order requiring an
intelligence service to adopt a new priority in international
intelligence cooperation, such as counterterrorism.”
Born, H., Leigh, I. and Wills, A. (2015), pp. 6-7

The following section describes how controls within
the services and by the executive contribute to
the services’ accountability.

7.1.	 Control by the services
UN good practices on intelligence services management of personal data
Practice 24. Intelligence services conduct regular assessments of the relevance and accuracy of the personal data
that they hold. They are legally required to delete or update any information that is assessed to be inaccurate or
no longer relevant to their mandate, the work of oversight institutions or possible legal proceedings.
UN, Human Rights Council (2010), Report of the Special Rapporteur Martin Scheinin

As the UN Special Rapporteur on the right to privacy
has highlighted, a mechanism enforcing accountability
“needs to be embedded first and foremost within the
authorities carrying out surveillance and it needs to
be clear who is accountable for compliance”.212 Internal
controls within the services may be undertaken by
a designated officer or sector, who may be appointed
by the services or the executive, and report to them
as well. The 2015 FRA report described the situation in
various Member States.213

In Germany, the NSA inquiry committee’s report
provides a detailed description of the powers of the
data protection officer within the BND. The report
highlights the impact of the Snowden revelations on her
work. Interestingly, given the lack of awareness on data
protection in the technical intelligence department of
the BND, the data protection officer launched a project
to raise awareness among the staff.214 The 2016
amendments to the BND Law prescribe specific data
protection rules on when collected foreign data need to
be destroyed and how long they can be kept.215 Similarly,
in the United Kingdom, GCHQ’s staff are continuously
instructed and trained in the legal and other requirements
of the surveillance legislation, with particular emphasis
on human rights requirements. Additionally, there are
computerised systems for checking and searching for
potentially non-compliant uses of GCHQ’s systems and
premises.216 For example, when an authorised person
selects a particular communication for examination,
this person must demonstrate that the selection is
necessary and proportionate; this process is subject
to internal audit.217

212 UN, Human Rights Council (2017), Report of the Special
Rapporteur Joe Cannataci, para. 35.

213 See FRA (2015a), p. 30 and following.
214 Germany, Federal Parliament (Deutscher
Bundestag) (2017b), p. 526 and following.
215 Germany, BNDG, S. 10 and 12. See Löffelmann,
M. in Dietrich, J.-H. and Eiffler, S. (eds) (2017),
p. 1271 and following.
216 United Kingdom, IOCCO (2016a), p. 26.
217 United Kingdom, Home Office (2017), ‘Interception of
communications: draft code of practice’, February 2017,
s. 6.14.
