Ex-ante consultations with data protection authority on automated databases  

German intelligence legislation requires so-called file orders (or: database establishing orders) for each automated database that the intelligence services wish to operationalize. Such orders ought to contain very specific information: the name of the database, its purpose, the requirements regarding retention, transfer, and use (including information on the group of persons to be affected and the type of data used), origins of the data, access restrictions, dates for required reviews, and protocol requirements. By law, this information is to be made available not just to the government but also to the federal DPA. It needs to be consulted prior to the operationalization of each new database, no matter the origin of the data therein. The DPA can put this information to good use as the totality of file orders (or: database establishing orders) can give independent supervisory bodies substantial knowledge on the variety of different databases used by the intelligence community and the data types therein. Its positive effect can further be strengthened through oversight cooperation. For example, sharing that knowledge, to the extent possible, with review bodies can also influence future authorization decisions.

Written agreements on the aims of international cooperation must be approved by the Chancellery

International SIGINT cooperation requires a memorandum of understanding (MoU) that specifies the lawful aims. The MoUs with partner services from EU, EFTA or NATO member states must be approved by the Federal Chancellery. All other cooperation agreements must be approved by the head of the Federal Chancellery. If the MoU entails sharing unevaluated bulk data automatically, it requires the head of the BND to sign off.

Open oversight – civil society dialogue on proportionality standards for the review of bulk powers

Following the publication of the Advisory Notice in January 2018, IPCO proceeded to enrich these principles in May 2018 with the help of a public invitation for input on issues relevant to the proportionality of bulk powers. IPCO asked NGOs and others to provide assistance in identifying the broad range of factors that the Judicial Commissioners should have in mind when evaluating the proportionality of bulk warrants:

  • – What factors should the Judicial Commissioners take into account when considering whether the conduct proposed in a bulk warrant is proportionate?
  • – Is there any particular approach that the Commissioners should adopt when evaluating those factors, some of which may be competing?


Explicit standards for proportionality assessments when approving bulk SIGINT warrants in actual practice (IPCO Advisory Notice 01/2018)

Explaining exactly how the necessity and proportionality test of a bulk collection warrant is conducted is crucial information for rating the thoroughness and legitimacy of the process. The United Kingdom’s Investigatory Powers Commissioner’s Office (IPCO) has published an Advisory Notice that provides advice and information to public authorities and the general public as to the general approach that Judicial Commissioners will adopt under the IP Act when deciding whether to approve decisions to issue warrants.

The Judicial Commissioners, who are in charge of approving bulk SIGINT warrants, must have regard for whether what is sought to be achieved by the warrant, authorization, or notice could reasonably be achieved by other, less intrusive means. In exercising that statutory responsibility, the Judicial Commissioners must, in particular, take into regard:

  • -whether the level of protection to be applied in relation to any obtaining of information by virtue of the warrant, authorization, or notice is higher because of the particular sensitivity of that information;
  • -the public interest in the integrity and security of telecommunication systems and postal services;
  • -any other aspects of the public interest in the protection of privacy;
  • -additional safeguards for matters such as legal professional privilege (e.g., for all professional legal advisers) and journalistic material;
  • -the tests of necessity and proportionality, as applicable under the Human Rights Act 1998 and under European Union law, to the extent that this applies to the powers/activities for which approval is sought.


This Advisory Notice is not binding and can theoretically be changed at any point in time. Therefore, it only represents the opinion of the current Judicial Commissioners, because there is also no obligation to inform the public whether the guidelines were revised. The gold standard for providing transparency remains setting out such procedural rules in law. Some critics have pointed out that the Advisory Notice has failed to emphasize “the importance of a current and relevant intelligence case justifying the decision to issue warrants,” particularly in national security cases, where the Advisory Notice leans toward a wider margin of judgment.

Quotas for specific data collection methods

The French intelligence law sets quantitative limits for the use of specific intelligence techniques in order to end dispensable authorized warrants before approving new ones. The number of simultaneous authorizations of specific operations is limited to a fixed amount set by the prime minister at the recommendation of the French oversight body, the National Commission for the Control of the Intelligence Techniques (CNCTR).

The French have adopted fixed quotas for certain collection methods in their governance scheme for targeted surveillance methods. The underlying logic – namely to force agencies to use or abandon existing authorized warrants instead of simply applying for new authorizations – seems to be an adequate tool to limit the use of specific instruments. Potentially, quotas may also spur annual public debates about the set numbers. Naturally, the effectiveness of this approach hinges both on the process and the actual quotas used. Ideally, the quota-setting should be based on a transparent and verifiable process that outlines the specific need for a surveillance allowance.

The quota system applies to three types of data collection: first, to the interception of electronic communications, with a quota of 3,040 in 2017; second, to the use of international mobile subscriber identity (IMSI) catchers, with a total quota of 60; and third, to the real-time collection of connection data, with a quota of 500. The different relevant ministerial departments are assigned a subset of the overall quota (e.g., sub-quotas for interior, customs, defense, and other ministries) and checked on a daily basis by the Groupement Interministériel de Contrôle (GIC).


Privacy representative at the Swedish Foreign Intelligence Court

In Sweden during the court’s examination of SIGINT measures, a privacy representative (integritesskyddsombud) must be present – unless a delay would significantly impede the purpose of the application. Representing the interests of individuals in general, the representative acts independently, monitors integrity issues, may make statements during the examination, and has complete access to the case files. The Government appoints current or former permanent judges or attorney as privacy protection representatives for a period of four years.

Option to request external legal opinion in authorization procedures

The FISC can “appoint an individual to serve as amicus curiae to assist in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law.” Hence, the Court has the option to engage in an adversarial proceeding when determining the legality/necessity of foreign intelligence warrants. The law explicitly requires the appointed “friend of the court” to provide “legal arguments that advance the protection of individual privacy and civil liberties” (50 U.S. Code §1803 (i)(2)(A)).

The authorization of a surveillance operation becomes more robust if adversarial council is made available to the authorizing (or approving) body at the decision-making point in time. Hearing only one side of the argument invites regulatory capture. Therefore, the FISC maintains a pool of designated legal counsels, from which the Court may appoint an individual amicus curiae for a specific case. Requesting external expertise from such amici offers a fresh view on a significant or new legal matter and helps to avoid tunnel vision while enhancing the input legitimacy of the process.

The mere indication that the FISC intends to appoint an amicus curiae has already proven to have had a deterrence effect on the executive branch. According to the FISA Annual Report 2017, no amicus was appointed during that year. Yet, the Court considered appointing a person three times, but in all three cases, the government ultimately did not proceed with the proposed application or modified the final application “such that they did not present a novel or significant question of law, thereby obviating a requirement for consideration as to the appropriateness of appointment of amicus.” This said, the opinions presented by an amicus curiae need not be “adversarial.” They may also bolster the government’s argument, for example with technical aspects, as opposed to by default taking the opposite position from that of the government.


Required declassification review for new legal interpretations

Section 602 (a) of the USA Freedom Act outlines a declassification requirement. “[T]he Director of National Intelligence, in consultation with the Attorney General, shall conduct a declassification review of each decision, order, or opinion issued by the Foreign Intelligence Surveillance Court or the Foreign Intelligence Surveillance Court of Review (as defined in Section 601(e)) that includes a significant construction or interpretation of any provision of law, including any novel or significant construction or interpretation of the term ‘specific selection term,’ and, consistent with that review, make publicly available to the greatest extent practicable each such decision, order, or opinion.” To satisfy the needs for the protection of sources and methods, documents may also be made publicly available in redacted form.

Option to request publication of a Foreign Intelligence Surveillance Court decision or opinion

“The Judge who authored an order, opinion, or other decision may sua sponte or on motion by a party request that it be published. Upon such request, the Presiding Judge, after consulting with other Judges of the Court, may direct that an order, opinion or other decision be published” (FISC, “Rules of Procedure”).

Mandatory public report by authorization body

Unlike in some countries that lack such important transparency measures, the Dutch TIB oversight body is legally required to publish a public annual report.