Features of oversight bodies
Figure 7: DPAs’ powers over national intelligence services, by Member State
[Map legend: same powers as over other data controllers (7); limited powers (10); no powers (11)]
Source: FRA, 2017
As Figure 8 illustrates, the extent of oversight coverage
among Member States is very diverse. In four Member
States – Austria, Bulgaria, Hungary and Sweden – both
the expert bodies and the DPA are competent to assess
the legality of surveillance techniques conducted by
intelligence services. By contrast, in six EU Member
States, no expert body has been set up to supervise
surveillance techniques, and the intelligence services are
exempt from DPAs’ scope of competences. The 2015 FRA
report raised questions regarding possible overlapping
supervision powers for Member States with both types
of oversight bodies, and questioned the effectiveness
of oversight in the EU Member States that have not
established any expert bodies and have exempted their
DPAs from overseeing intelligence services.325
DPAs with limited powers act as regulators of the
treatment of data used for intelligence purposes. They
may have an advisory role, providing opinions on
proposed laws that have an impact on personal data
protection, including the setting up of new databases
in the field of national security. DPAs treat intelligence
services as data controllers and their oversight is
limited to supervising the intelligence services’
compliance with obligations linked to the processing
of data. DPAs with limited powers do not look at the
content of intercepted communications. For example,
the DPAs could check through inspections whether the
intelligence services respect the permissible period of
retention of the collected data. However, the law may
limit their access to databases containing data that were
collected through certain intelligence techniques.
DPAs’ powers are limited in 10 Member States. For
instance, in the United Kingdom, the national intelligence
services may rely upon the exemption for national
security cases, which is provided in the data protection
law.326 The Information Commissioner’s Office (ICO) must
audit compliance with requirements or restrictions
imposed by the retention of communications data in
325 FRA (2015a), p. 53.
326 United Kingdom, Data Protection Act 1998, s. 28 (1).