Surveillance by intelligence services – Volume II: field perspectives and legal update
be unattractive to possible candidates (‘it is very tough
procedure’, ‘it takes 4-5 months’).
Among other difficulties faced by oversight bodies
regarding resources, respondents mentioned the
following issues: staff turnover, which can affect
credibility and might risk leaked information; part-time
staff (e.g. judges) with competing private practices; and
a lack of control over outsourced staff.
Regarding budgets, opinions varied – ranging from
being positive about sufficient budgets, recent
increases or adequate funding to references to a lack
of financial resources.
Respondents were also asked if they could hire or
recruit additional external staff in case of need. There
are no common opinions and experiences in this
regard as situations differ quite extensively. In some
Member States, oversight bodies have no possibility
to hire external expertise; in other Member States,
oversight bodies have never used this opportunity
although it is provided for in the relevant legislation.
In some Member States, expert bodies receive external
support, including from academia, when needed. Still,
the outsourcing of expertise is rare. Most institutions
rely on available internal resources.
“The oversight process is becoming an extremely technical
and massive task.” (Expert body)
Some interviewees referred to computerised/
automated oversight tools, including those built into
the software used by intelligence services, as providing
possibilities for furthering technological development
and strengthening oversight. These include “automated
checking”, “the ability to carry out a technical verification
at regular intervals”, and “updates of the data banks”,
including “computerised clean-up techniques” or
“automated data destruction”. Other respondents
refer to these as providing an important opportunity
to identify possible violations at an early stage, and
encourage application of, for example, data protection
oversight by design. They are also considered a positive
feature for the intelligence services, bringing more
balanced oversight and a possible solution for oversight
bodies’ need for technical expertise. In some Member
States, strategies for implementing such tools have
recently been developed or implementation has just
started. The oversight experts noted the importance
of following closely ICT developments in the agencies
themselves, and progress in understanding the digital
world among the various stakeholders.
“At minimum, there must be very close cooperation
governed by law, and not just dependent on the will and the
intention of the acting persons.” (Data protection authority)
86
Finally, in connection with resources, interviewees
repeatedly pointed out that not only the resources
themselves matter, but the way institutions work
and communicate with each other does, as well. The
interviewed experts generally raised the importance
of cooperation in its different constellations – including
with intelligence services, executive control; between
oversight bodies; with civil society – and natures (e.g.
prescribed by law by different functions, formalised
through a MoU, informal exchanges) when discussing
different topics, such as effective oversight, measures
to uphold fundamental rights, and the transparency
of the activities of both intelligence services
and oversight bodies.
According to the interviewees, cooperation through
‘constant dialogue’ and ‘continuous sharing of
information’ contributes to having a systematic
approach to oversight and helps overcome possible
fragmentation of the oversight system. Likewise,
sharing good practices helps build trust, and
sufficient levels of trust allow actors to cooperate.
The respondents also expressed a great need for
both national and international cooperation, and
exchanges of information and best practices in the
area. The General Data Protection Regulation gives
advisory powers to DPAs when Member States draw
up legislative or administrative measures. Therefore,
DPAs can contribute by pointing out potential threats
to data protection when Member States plan to modify
surveillance powers granted to intelligence services.
Swedish government preparatory study
recommends stronger role for DPA
In 2016, the national government appointed an expert
committee to examine how a higher degree of integrity
protection can function within a single governmental department, allowing thus the supervision of collection of
personal data to be also attributed to a single authority.
The expert committee issued a 222-page report which
provides an overview of the role of the committee and
previous work in the area, then scrutinises the current
system of supervision and how it could be improved.
While the general assessment is positive, it does, for instance, call for some simplifications or clarifications in relation to the mandate of control functions. In particular,
the committee recommends giving the DPA a more central role, mainly in relation to provisions in sector-specific
legislation that are of a more general nature (such as related to cookies), and states that other monitoring bodies
should consult the DPA or even hand issues over to it to
resolve them.
Sweden, Government preparatory study (2016), ‘Joint responsibility over
personal integrity’