CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
provisions, clear legal conditions for sharing, including a duty to take
reasonable steps to ensure that the receiving party protects the data with
similar safeguards as those applicable at home and sufficient supervisory
and remedial mechanisms.
(ii) The applicant’s analysis of the impugned Swedish regime
193. Applying these standards to the impugned Swedish regime, the
applicant stated that the general scope of application of the FRA’s powers is
sufficiently constrained with the exception of the wide discretion it enjoys
regarding its development activities. However, the applicant expressed
concern that since 1 January 2013 the Security Police and the National
Operative Department of the Police Authority (the “NOA”) had been
empowered to issue tasking directives for signals intelligence, and that as of
1 March 2018, the Security Police might be granted direct access to the
FRA’s databases with analysis material. The risk of signals intelligence
being used outside the scope of foreign intelligence activities must be
sufficiently contained by clear legal provisions and effective supervision.
194. The applicant also alleged that while warrants under the Swedish
Signals Intelligence Act have a clear expiry date, there is no requirement
that a warrant must be cancelled if collection of communication under the
warrant ceases to be necessary.
195. The applicant further considered that the scope of judicial review
by the authorising body in Sweden, the Foreign Intelligence Court, was too
narrow to be effective. In particular, the existence of a reasonable suspicion
in relation to a person who is singled out is not verified and the “exceptional
importance” criterion, justifying selectors relating directly to an individual,
only refers to selectors employed in the automated collection of data, not to
the stage when the collected data is further searched. Also, the Foreign
Intelligence Court is not required to review the intended subsequent use of
the collected data and, indeed, the warrant request does not specify how the
data will be analysed – for example, via subject-based data mining or
through compilation of profiles of individuals.
196. As regards storing, accessing, examining, using and destroying
intercepted data, the applicant identified two major flaws in the Swedish
system: lack of legal obligation for the FRA to keep detailed records of the
interception, use and communication of data, for which it had been
repeatedly criticised by the Swedish Data Protection Authority, and lack of
rules specifically adapted to bulk interception as opposed to general rules on
data processing. The applicant was further concerned that as of
1 March 2018 the Security Police may be granted direct access to FRA’s
databases with analysis material.
197. The applicant also alleged that legal persons did not enjoy adequate
protection since the FRA Data Processing Act only applies to intercept
material containing personal data. This allegedly resulted in a situation