The Intelligence Commissioner Act, Section 20 (2) allows the Intelligence Commissioner to approve, reject, or approve with conditions the retention of foreign datasets. These conditions may refer to “the querying or exploitation of the foreign dataset or the retention or destruction of the dataset or of a portion of it,” and the Intelligence Commissioner has to “provide reasons for doing so, if he or she is satisfied that those conclusions are reasonable once the conditions are attached.”

The option to authorize with conditions now applies across the board for all intel authorizations (beyond the Communications Security Establishment (CSE) which is the Canadian foreign intelligence agency). In principle, this can provide oversight bodies with greater control over the implementation of surveillance measures. This could mean, for example, setting a specific number of days before data has to be deleted, or defining specific kinds of information that must be destroyed before analysis.

After a warrant has been issued, the requested bulk SIGINT measure must be authorized or – as the case may be in different jurisdictions – approved by a review body that assesses the necessity and proportionality. Differences exist across nations as regards the moment when the independent judicial review process comes into play. In some countries, the competent minister or other members of the executive authorize warrants. In the United Kingdom, for example, the authorization of warrants is the privilege of the executive. Ministerial authorization, then, has to be approved by independent Judicial Commissioners. By contrast, in the German legal framework, warrants are authorized by bodies such as the G10 Commission or the Independent Control Council (for future foreign-foreign intelligence collection).

The independent ex-ante authorization/approval of data collection is a crucial safeguard against the misuse and abuse of bulk surveillance powers. The legitimacy of surveillance practice depends on the control of executive conduct from the outside. Enacting the control mechanism prior to implementation is crucial, because this can both deter and prevent certain actions from being taken. Independent authorization/approval also contains an important learning element, because the competent bodies can improve their controls, draw lessons from past mistakes, and then declare more assertively that certain measures are not required, or that no sufficient proof was presented.

Across many democracies, a dual system of authorization/approval has emerged that combines a judicial and an executive control function. A judicial oversight body – ideally a court – is best suited to administer a competent legal review of a bulk surveillance application.