Surveillance by intelligence services – Volume II: field perspectives and legal update
hearings or discussions, etc. – enhance the transparency
of the intelligence oversight process. The interviewees
believe that DPAs serve as ‘a constant reminder to
the balance of rights’, raising public awareness on
possible rights violations.
“In the past year, the consulting activity that is requested
by [intelligence services] increased considerably. We were
consulted three times, […] opinions were requested. The DPA
activities are perceived as important.” (Data protection authority)
However, despite their recognised expertise in the
area, DPAs feel they are operating in a ‘fragmented
system’ (‘fragmented nature of the regimes’). They
noted that they have limited powers in the intelligence
oversight process – for example, by focusing solely on
data processing and not the techniques used; having
oversight only of a specific step/stage in the process,
such as ex ante; limiting their review to compliance
with data retention rules; or having only indirect
access to data. These give DPAs a sense of lacking
power – as being unable to follow ‘the file as a whole‘.
Interviewees also mentioned that they sometimes do
not fully understand the competences of all the other
actors in the field.
“[It is important] to make sure each body with powers in
this area has an understanding about what one could do…
But I think the concern is really around the fragmentation,
complexity, lack of transparency.” (Data protection authority)
“The other bodies are very important because the DPA
cannot go as far in its review.” (Data protection authority)
DPAs repeatedly emphasised the importance of
institutional cooperation with different national and
international authorities, the coordination of activities,
and the complementarity of different actors’ activities
in the field. They acknowledged that they interact
with few other national authorities, but noted that
they have been developing beneficial cooperation
with intelligence services (e.g. ‘from suspicion to
increasingly seen as a partner’; ‘[a] bond of trust is
being established’). The interviewees noted that some
of the cooperation is not formalised, and that it remains
fragmented, selective and occasional. The Article 29
Working Party was referred to as the main forum
for international cooperation, although differences
between DPAs’ competences in intelligence oversight
hinder further cooperation.
“[Some] DPAs feel uncomfortable because they have
no expertise in the field in question, and therefore stop
themselves from even thinking about it.”
(Data protection authority)
Providing oversight bodies with sufficient financial
resources is key to ensuring that their oversight is
84
effective.335 Human resources also play a key part.
A certain parity between the powers of the overseer
and the mandate and powers of the intelligence services
also contributes to the effectiveness of the oversight
structure. Especially in view of the trend of intelligence
services increasing their technological capacities,
financial resources and their reliance on complex systems,
“recourse to independent technical expertise has become
indispensable for effective oversight”.336 Therefore, highly
specialised legal and technical knowledge constitute
particularly important resources for oversight systems.
The 2015 FRA report emphasised the need for oversight
bodies to be technically competent.337 Several expert
bodies have tackled this issue by recruiting external
technicians, either on an ad hoc or more permanent
basis. In December 2014, the Dutch CTIVD established
a ‘knowledge network’ of scientific experts (in the fields
of security, intelligence, and information law) to regularly
advise the Review Committee on specific reports relating
to technological, legislative and social developments.338
Indeed, with the increased sophistication of surveillance
techniques, often automatised, the CTIVD recognised the
need for ICT expertise and invested additional financial
resources in technology for carrying out oversight.
The CNCTR is provided with the human, technical and
budgetary means needed to accomplish its missions.339
A secretary general and 14 staff members assist its
work.340 It can also consult and answer the questions
of the Electronic Communications and Posts Regulatory
Authority (Autorité de régulation des communications
électroniques et des postes, ARCEP).341 In the United
Kingdom, the Investigatory Powers Act requires the IPC
to establish a Technology Advisory Panel, mandated to
provide advice on “the impact of changing technology
on the exercise of investigatory powers and the
availability and development of techniques to use such
powers while minimising interference with privacy”.342
Although not yet fully functional, IPC has already started
identifying experts to fill this new panel.
While discussing the skills available in their institutions,
the respondents – representing a variety of oversight
bodies – confirmed that oversight of intelligence
collection is dominated by legal expertise. Most
interviewed staff working on relevant issues at
expert oversight bodies, data protection authorities,
ombuds or national human rights institutions have legal
335 Council of Europe, Commissioner for Human Rights (2015),
p.9.
336 Ibid. p.10.
337 FRA (2015a), pp. 43, 60 and 73.
338 The Netherlands, CTIVD (2015), p. 10.
339 France, Interior Security Code (Code de la Sécurité
Intérieure), Art. L. 832-4, first sentence.
340 France, CNCTR (2016), p. 60.
341 France, Interior Security Code (Code de la Sécurité
Intérieure), Art. L. 833-11.
342 United Kingdom, Investigatory Powers Act, s. 246 (1).