CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
11
submitted to the Government following an inspection of whether the FRA’s
intelligence activities were carried out within the direction given. During the
years 2009-2017 the Inspectorate found reason to make a report to another
authority – the Data Protection Authority – on one occasion, concerning the
interpretation of a legal provision. In its annual reports, the Inspectorate has
noted that it has been given access to all the information necessary for its
inspections.
40. The supervisory activities of the Foreign Intelligence Inspectorate
have been audited by the National Audit Office (Riksrevisionen), an
authority under Parliament. In a report published in 2015 the Office noted
that the FRA had routines in place for handling the Inspectorate’s opinions
and that the supervision helped develop the activities of the FRA.
Suggestions were dealt with in a serious manner and, when called for, gave
rise to reforms. At the same time the Office criticised the Inspectorate’s lack
of documentation of inspections and that there were no clearly specified
goals for the inspections.
41. Within the FRA there is a Privacy Protection Council tasked with
continuously monitoring measures taken to ensure protection of personal
integrity. The members are appointed by the Government. The Council shall
report its observations to the FRA management or, if the Council finds
reasons for it, to the Inspectorate (section 11 of the Signals Intelligence
Act).
42. Further provisions on supervision are found in the FRA Personal
Data Processing Act. The FRA shall appoint one or several data protection
officers and report the appointment to the Data Protection Authority
(Chapter 4, section 1). The data protection officer is tasked with
independently monitoring that the FRA treats personal data in a legal and
correct manner and point out any deficiencies. If deficiencies are suspected
and no correction is made, a report shall be submitted to the Data Protection
Authority (Chapter 4, section 2).
43. The Data Protection Authority, which is an authority under the
Government, has on request access to the personal data that is processed by
the FRA and documentation on the treatment of personal data along with
the security measures taken in this regard as well as access to the facilities
where personal data is processed (Chapter 5, section 2). If the Authority
finds that personal data is or could be processed illegally, it shall try to
remedy the situation by communicating its observations to the FRA
(Chapter 5, section 3). It may also apply to the Administrative Court
(förvaltningsrätten) in Stockholm to have illegally processed personal data
destroyed (Chapter 5, section 4).