Surveillance by intelligence services – Volume II: field perspectives and legal update
In Italy, the DPA is responsible for providing ongoing
and ex post oversight on the services. It has the right to
initiate inspections and to access classified materials.321
Most of the interviewed expert oversight bodies
indicated that they have full, unrestricted, relevant
access to intelligence data. According to the
interviewees, they have ‘access to (very) confidential
and secret information’, ‘unlimited access’, ’the full
access’, ‘access to all documents’, ‘can get every
information we want’, ‘can get classified information’,
‘can request anything from the intelligence services’.
Oversight body representatives noted that accessing
intelligence services’ documents and systems is a usual
practice of the oversight system and is regularly
exercised to the extent possible, regardless of the
scope of activities. A limited number of staff (directly
involved) in data protection authorities, ombudsperson
or national human rights institutions enjoy different
levels of security clearance with regard to direct access
to the intelligence services’ files.
“The important thing is for the inspector to be able to inspect
the records of the organisation itself directly. We are not
dependent on the organisation to say “we are going to show
you only these 10 files”, to provide us material. They should
and do volunteer matters which are within the scope of the
inspection; however, this is insufficient. We should be able to
inspect their computer records.” (Expert body)
“While the surveillance community, the secret service and
the police are now immersed in big data and the advanced
information society, the oversight bodies should not use
coaches drawn by horses. But this is the situation today
because intelligence organisations, services and police are
hesitant to accept the use of [certain] software by control
bodies, oversight bodies.” (Data protection authority)
For effective compliance control, the General Data
Protection Regulation grants powers of investigation
(access and collection of necessary information),
intervention (ordering corrective measures, banning
data processing, warning or admonishing the data
controller, referring the matter to national parliaments
and other political institutions), and engagement in legal
proceedings.322 DPA decisions may be subject to judicial
control. Additional Protocol 181 to Convention 108
also provides for these powers – except for advisory
power, which is mentioned in the explanatory report
to the protocol.323
DPAs’ competences vis-à-vis intelligence services vary
in the Member States, and depend on national legislation. DPAs may have no powers, limited powers or the
same powers over the intelligence services as any other
data controller.324 FRA’s findings show that, in most
Member States, DPAs have either no competences over
national intelligence services (in 11 EU Member States),
or their powers are limited (in 10 Member States).
“The primary concern of the oversight is to have access to all
the material available to the services. […] The oversight body
needs to have access to the algorithms and to the strategies
behind those algorithms.” (Expert body)
Although full access to intelligence information is crucial
for effective oversight, so is the ability to fully benefit
from such access. Some respondents questioned
oversight bodies’ ability to do so, particularly due to
limited technical capabilities. This was indicated both
by way of critical self-assessment of the competences
within the oversight bodies, and via criticisms from other
bodies or organisations in the field. Representatives
of civil society, academia and lawyers questioned the
bodies’ ‘abilities to check the things properly’, including
their general understanding of the digital environment –
for example, the digital (technical) skills of members
of parliamentary committees.
321 Italy, Data Protection Code, Art. 160 (4).
80
322 GDPR, Art 57.
323 Council of Europe, Convention 108, Additional Protocol,
para. 16.
324 See FRA (2015a), pp. 46-51, for a detailed overview of DPAs’
competences over intelligence services.