Oversight framework of intelligence services
component of the right to personal data protection.257 Their
powers and competences are analysed in Section 9.2.
Protecting fundamental rights via strategic
litigation
8.5. Watchdogs
In France, in 2017, the NGOs La Quadrature du Net, French
Data Network and Fédération des fournisseurs d’accès
à internet associatifs filed a ‘priority preliminary ruling
on constitutionality’ (Question Prioritaire de Constitutionalité, QPC) with the Council of State related to the access
of intelligence services to metadata retained by telecommunication providers. The Council of State referred the
case to the Constitutional Court. The Constitutional Court
decided on 4 August 2017 that the four-month authorisation the intelligence services can obtain to access metadata of a targeted suspect complies with the constitution.
However, the Constitutional Court declared unconstitutional the extension of the same authorisation to access
metadata of the suspect’s entourage.
Other actors also substantially contribute to ensuring
the effectiveness of existing safeguards. These
include national human rights institutions, civil
society actors – including the media, academia258 and
NGOs – and whistleblowers.
NGOs have launched lawsuits in various EU Member
States, promoted reforms,259 developed international
principles applicable to oversight of intelligence
services,260 and have acted as watchdogs of legislative
processes.261 Consequently, it is important to support
and respect their roles so that they can contribute
to improving the oversight of intelligence matters.
The same is true about national human rights
institutions (NHRIs). 262 In France, for example, the
French NHRI in 2015 contributed to the legislative reform
regarding surveillance measures and their oversight by
providing parliament with various opinions on different
laws relating to intelligence and counter-terrorism.263
The German NHRI submitted written opinions on
relevant issues for parliamentary hearings, including
the one on the BND reform in 2016.264 However, NHRIs’
opinions are not sought systematically in this area.265
257 See in particular CJEU, Joined cases C-293/12 and C-594/12,
Digital Rights Ireland and Seitlinger and others, 8 April 2014,
para. 68; CJEU, C-362/14, Maximillian Schrems v. Data
Protection Commissioner, 6 October 2015, para. 41 and 66.
See also Working Group on Data Protection in
Telecommunications (2017).
258 University of Amsterdam (2015), Ten standards for
oversight and transparency of national intelligence services,
IViR (Institute for Information Law, University of Amsterdam).
See also the various projects funded by the European Union
under the FP7 and now the Horizon 2020 programme.
259 See, for example, Löning, M. (2015); Brown, I. et al. (2015).
See also the strategic litigation, advocacy, capacity building
and reporting undertaken by Privacy International.
260 See Forcese, C. and LaViolette, N. (2006), Ottawa Principles on
Anti-terrorism and Human Rights; Open Society Justice Initiative (2013), Global Principles on National Security and the Right to
Information (Tshwane Principles); and Access et al. (2014), International Principles on the Application of Human Rights to Communications Surveillance (Necessary and Proportionate Principles).
261 See, for example, ECtHR, Youth initiative for human rights v. Serbia, No. 48135/06, 25 June 2013. The Serbian intelligence agency
denied the applicant NGO information on the number of people
subjected to electronic surveillance by the agency, despite an
Information Commissioner order supporting the NGO’s request.
The ECtHR found a violation of freedom of expression, acknowledging the NGO’s role in a debate of public interest (para. 24);
Bits of Freedom, a NGO, a digital rights organisation in the Netherlands closely follows the legal reforms.
262 Council of Europe, Commissioner for Human Rights (2016).
263 See France, Commission Nationale Consultative des Droits de
l’Homme (2015); France, Commission Nationale Consultative
des Droits de l’Homme (2016); France, Commission Nationale
Consultative des Droits de l’Homme (2017a); France, Commission Nationale Consultative des Droits de l’Homme (2017b).
See also France, Défenseur des Droits (2017).
264 Germany, Deutsches Institut für Menschenrechte (2016)
265 France, Le Monde (2017).
France, Constitutional Court, Decision n. 2017-648 QPC, 4 August 2017
In France, in 2016, four associations – La Quadrature du
Net, FDN, Fédération des fournisseurs d’accès à Internet
associatifs and igwan.net – filed a QPC with the Council of
State, on the grounds that radio surveillance was not subject to any procedural safeguards. The Council of State referred the matter to the Constitutional Court, which held –
in October 2016 – that the legal provision allowing for radio
surveillance was contrary to the French constitution. As
a result, Article L.811-5 of the Internal Security Code was
repealed; this will take effect on 31 December 2017.
France, Constitutional Court, Decision n. 2016-590 QPC, 21 October 2016
In 2015, United Kingdom-based Privacy International
started a legal challenge in the Investigatory Powers Tribunal (IPT), about whether the acquisition, use, retention,
disclosure, storage and deletion of Bulk Personal Datasets (BPD) and Bulk Communications Data (BCD) is in accordance with the law or necessary and proportionate.
In 2016, the IPT ruled that obtaining BPD and BCD, before
doing so was publicly acknowledged, violated the right to
private life, by virtue of the lack of foreseeability to the
public and the lack of adequate oversight. However, the IPT
accepted that, following public acknowledgment of the use
of these powers, the changes made to oversight powers
and the publication of the relevant procedures, the powers
were compatible with the right to private life. The case was
referred to the CJEU for matters relating to EU law.
United Kingdom, Investigatory Powers Tribunal, Privacy International v. Secretary
of State for Foreign and Commonwealth Affairs, IPT/15/110/CH, 17 October 2016
and 8 September 2017
In 2014, Privacy International brought an action before
the IPT, challenging the compliance of GCHQ’s Computer
Network Exploitation (CNE) – colloquially, ‘hacking’ – with
domestic law and the right to private life (Article 8 of the
ECHR) and freedom of expression (Article 10 of the ECHR).
In 2016, the IPT ruled that CNE activities can in principle
be lawful. The tribunal considered and gave guidance on
how a warrant allowing for CNE activity would have to
describe the potentially intercepted equipment. The IPT
concluded that warrants compliant with such guidance
would be lawful both under domestic law and the ECHR.
United Kingdom, Investigatory Powers Tribunal, Privacy International
v. Secretary of State for Foreign and Commonwealth Affairs, IPT/14/85/CH 14/
120-126/CH, 12 February 2016
69