Surveillance by intelligence services – Volume II: field perspectives and legal update
Figure 8: DPAs’ and expert bodies’ powers over intelligence techniques, by EU Member State
Expert bodies
AT BG
HR SE
DPA with same
powers
FI HU
SI
BE DE
UK EL FR
DPA with
limited powers
CY IE IT
LT PL
DK LU
MT NL PT
DPA with
no powers
CZ EE ES
RO SK LV
No expert bodies
Notes:
‘No powers’ refers to DPAs that have no competence to supervise intelligence services.
‘Same powers’ refers to DPAs that have the exact same powers over intelligence services as over any other data
controller.
‘Limited powers’ refers to a reduced set of powers (usually comprising investigatory, advisory, intervention and
sanctioning powers).
Source:
FRA, 2017
relation to the integrity, security or destruction of data
retained by the services. In other words, the ICO does
have competence in reviewing how the data is retained,
even if they have no access to what is retained. In
practice the ICO liaises closely with the expert bodies
and advises on data protection standards.
In Germany, the new federal data protection legislation
only grants the Federal Commissioner for Data Protection
and Freedom of Information (Bundesbeauftragte für
den Datenschutz und die Informationsfreiheit) the
power to file non-binding complaints (Beanstandungen)
against intelligence services when data breaches are
detected.327 Additionally, depending on how the law is
interpreted, it may provide the commissioner the power
to request, upon suspecting individual intelligence
service staff members of committing specific data
breaches, the court to impose individual sentences of up
to three years on such staff members.328 However, the
legal provisions on sentencing are ambiguous regarding
327 Germany, Federal Data Protection Act
(Bundesdatenschutzgesetz), s. 16 (2), in force on
25 May 2018.
328 Ibid. s. 84 in conjunction with s. 42, in force on 25 May 2018.
82
intelligence services staff, because intelligence
activities are potentially excluded from the scope of
application.329 In 2016, the commissioner filed a formal
complaint against the Federal Office for the Protection of
the Constitution (BfV) for illegal practices in transferring
data originating from domestic general surveillance of
communications to a counter-terrorism database. The
commissioner’s latest annual report notes that this
complaint was the result of a joint inspection with staff
from the secretariat of the G10 Commission.330
In Member States where expert bodies exist and DPAs
have the competence to oversee intelligence services,
their interaction is sometimes organised by law,
and sometimes in practice takes place without legal
requirements. In Member States in which DPAs and
other expert oversight bodies share competence, a lack
of cooperation between these may leave gaps in the
329 Ibid. s. 45, in force on 25 May 2018.
330 Germany, Federal Commissioner for Data Protection and
Freedom of Information (Bundesbeauftragte für den
Datenschutz und die Informationsfreiheit) (2017), pp. 134135. See also, Germany, Federal Parliament (2017a),
p. 642 and following and on the challenges to control:
Germany, Federal Parliament (2017a), p. 811 and following