Features of oversight bodies
overall oversight of the services. In Member States where
DPAs lack competence over intelligence services, the
oversight body is responsible for ensuring that privacy
and data protection safeguards are properly applied (for
example, in the Netherlands). An example of a prompt,
practical reaction after the Snowden revelations is the
Memorandum of Understanding (MoU) signed in 2013
by the Italian DPA and the intelligence services. The
MoU lists the files subject to inspection by the DPA,
and provides rules on the DPA’s access to the premises
and files, the secure storage of intelligence information
at the DPA’s premises, and the implementation by the
intelligence services of the DPA’s findings. Finally, it
provides for the possibility of the intelligence services
consulting the DPA beyond what is currently laid down
in the legal framework.331 Regrettably, the MoU’s
content is classified and not publicly available.
“The Memorandum [of Understanding] is an example of how
to extend the law in favour of citizens’ protection.”
(Data protection authority)
Similarly, a 2016 report by a committee appointed by
the Swedish executive considered possible supervisory
overlaps and suggested moving some control functions
from other agencies to the DPA.332
In the six Member States where no expert bodies have
been set up to supervise surveillance techniques, and
intelligence services are exempt from DPAs’ scope
of competences, the legal frameworks allow only
for targeted surveillance and all foresee judicial
involvement in the authorisation of such measures.
Two of these – Estonia and Slovakia – have empowered
other authorities with controlling competences.
In Estonia, the oversight of the services is since
January 2016 exercised by the ombuds institution,
the Chancellor of Justice, who may undertake ex
post review both on its own initiative and further to
a complaint. It can recommend changes to the legal
framework and can initiate judicial review of the same
by the Constitutional Court.333 In Slovakia, the oversight
of intelligence services is divided among five different
oversight bodies: one specialises in reviewing decisions
taken by the National Security Authority, three in
reviewing the performance of the intelligence services
(one per service), and a recent special commission was
set up to supervise the use of information technology
tools. This commission must include two independent
experts, chosen by the parliament, who have at
331 Italy, Italian Government (2013). See also COPASIR (2014),
p. 19.
332 Sweden, State Official Reports (Statens Offentliga
Utredningar) (2016), pp. 169 et seq.
333 Estonia, Chancellor of Justice Act (Õiguskantsleri seadus),
1 May 2016, Article 1 para 9.
least ten years of professional experience as either
police officers, prosecutors, judges or members of
an intelligence service.334
The representatives of the oversight bodies (expert
bodies, parliament committees and data protection
authorities) were asked to assess their body’s mandate
in terms of its ability to conduct effective oversight
over intelligence gathering. Powers to investigate, the
scope of investigations, the implementation of their
propositions, control limitations, and related matters
were addressed. Most respondents described their
current mandates as ‘sufficient’, ‘robust’, ‘solid’, ‘clear’,
and as having ‘broad powers’, and claimed that these
encompass important powers. Among the powers
supporting the robustness of their mandate, respondents
most often mentioned the following features along with
defined powers (e.g. ex post oversight): (a) full access
to intelligence information, including on-site visits to
premises and direct contact with staff; (b) independent
investigations and the ability to choose the subjects of
investigations and which data collection techniques to
investigate; (c) opinions, recommendations provided
(e.g. on legislation).
Even where respondents considered the mandate of
their oversight body to encompass sufficient powers,
they mentioned the non-binding nature of their
decisions (examples provided in France, Italy and the
Netherlands) or limited competence as limitations (e.g.,
dealing only with a specific issue or stage of oversight
or only with exceptional situations). A few respondents
stated that the current powers are insufficient – and the
impact of oversight low – and need to be expanded.
While discussing the role of DPAs in intelligence
oversight, respondents highlighted that other actors
in the field recognise their powers and expertise. In
the past few years, an ‘important level of listening’
has been reached. The interviewees provided examples
of regular consultation on relevant issues, including
draft legislation (particularly in France, Italy and the
United Kingdom). They maintained that they do see
their contributions making an impact in terms of
changes to legal frameworks. They also stated that
DPAs’ contributions – through cooperation with other
institutions; by submitting opinions on relevant issues,
annual reports, and special reports to the parliament;
and by providing evidence during parliamentary
334 Slovakia, Act No. 404/2015 Coll. amending and
supplementing Act N. 166/2003 Coll. on the protection
of privacy against unauthorised use of informationtechnological tools and on amendment of certain laws
(Act on protection against eavesdropping) (Zákon, ktorým
sa mení a dopĺňa zákon č. 166/2003 Z. z. o ochrane súkromia
pred neoprávneným použitím informačno-technických
prostriedkov a o zmene a doplnení niektorých zákonov
(zákon o ochrane predodpočúvaním) v znení neskorších
predpisov), 19 December 2015, art. 8(a).
83