One central oversight body with one central legal body

One central oversight body is tasked with the ex-post control of intelligence, surveillance and security actors in Norway: the EOS Committee. This oversight body is subject to one law that defines its activities: the Act relating to the Oversight of Intelligence, Surveillance, and Security Services of 3 February 1995 no. 7 (read the English version of the law from page 81 to page 84 in this annual report). This clear oversight architecture allows more effective control of the services and provides statutory clarity.

Function-based end-to-end oversight mandate

The Norwegian EOS Committee’s oversight mandate covers the whole lifecycle of information: it examines collection, sharing, use of and access to information. Furthermore, the EOS Committee’s remit is based on the functions that are used and not on services. The Committee can therefore perform oversight wherever intelligence, surveillance or security functions are exercised. The function-based end-to-end approach avoids gaps in the oversight of ever more complex intelligence architectures.

Extraterritorial reach of fundamental rights

In its decision on the BND Act in May 2020, the Constitutional Court (BVerfG) unequivocally affirmed that the right to private communication and press freedom, as guaranteed under Article 10 and Article 5 of the German Constitution, are human rights and not citizen rights. The Court clarified that the German state’s obligation to protect these fundamental rights cannot be restricted to cover only certain groups of people or only some geographical regions. Against this backdrop, the BND Act was amended to comply with the judgement. However, the practical implementation of this provision is difficult, and in practice the level of protection is still not the same for non-resident non-nationals, for instance when it comes to notification duties.

Prohibition of economic espionage

Foreign-foreign strategic surveillance with the aim of obtaining economic advantages is prohibited.

Risk-based prioritization of oversight duties

The independent Danish Intelligence Oversight Board (TET) has devised a systematic approach to sequencing and scheduling oversight activities. What type of engagement or task is most pressing, and why is it required? If controlling data processing by intelligence services should take precedence, which database run by which service should be selected for which kind of inspection? To arrive at answers to these and similar questions, the TET uses a risk assessment to prioritize and schedule its work. Overseers calculate risk scores for specific intelligence systems within their oversight mandate; these scores help them to determine the types and timing of inspections and other oversight tasks. Once the TET has completed mapping all systems and devices of which it is aware and to which it has access, it applies a set of fixed categories to assess the risk associated with each system and its various sub-components. The risk scores serve as a basis for creating the annual oversight plan, which sets the priorities for the oversight body and provides an overview of all controls and oversight processes.

The CTIVD can review the weighting notes

The Dutch Review Committee on the Intelligence and Security Services (CTIVD) has the power to review the weighting notes on international cooperation partners and the subsequent international cooperation, as such. The CTIVD also has to be informed of any exchange of unevaluated data. The obligation to inform was broadened by policy rules. The law itself stipulates that the CTIVD has to be informed of unevaluated data from bulk SIGINT interception.

Parliamentary committee must be informed regularly about operational purposes

Section 142 of the Investigatory Powers Act details the procedure for specifying operational purposes for bulk interception. Any operational purposes must be approved by the Secretary of State (142 (6)) and must go beyond what is already prescribed in law (142 (7)). Every three months, “the Secretary of State must give a copy of the list of operational purposes to the Intelligence and Security Committee of Parliament” (142 (8)). “The Prime Minister must review the list of operational purposes at least once a year” (142 (10)).

Criminal liability for willful real-time surveillance conducted for an unlawful purpose

The criminal wiretapping statute contains a prohibition on engaging in real-time surveillance (18 U.S. Code 2511 (1)). The provision bans certain wiretapping activities and then creates exceptions to that general prohibition. Section 2511(4) exempts lawful intelligence surveillance activity from this criminal statute. But intelligence officials who conduct unlawful wiretapping are committing a crime. Criminal liabilities are rarely used in national legal frameworks on intelligence, but they could be an effective means to enforce compliance with regulations. Criminalizing certain forms of intelligence surveillance deters the misuse of surveillance powers. The penalty for intentional violations of the prohibition of real-time surveillance in the US wiretapping act can be up to five years of imprisonment (18 U.S. Code 2511(4)).

Prohibition of discrimination against protected classes through bulk collection

“In no event may signals intelligence (SIGINT) collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially; or achieving any purpose other than those identified in this section” (Section 2 of Presidential Policy Directive (PPD) 28).

Adequacy review of foreign cooperation partners

In order to assess which countries the services can share information with, weighting notes are drawn up on cooperation partners. These notes must be kept up to date and provide information on the basis of five criteria provided in law:

  a) the “democratic embedding” of the intelligence and security services in the country concerned;
  b) the respect for human rights in the country concerned;
  c) the professionalism and reliability of the service concerned;
  d) the legal powers and capabilities of the service in the country concerned;
  e) the level of data protection maintained by the service concerned.

Based on the five criteria listed above, Dutch intelligence services have to submit a weighting note for each foreign partner service they cooperate with. The weighting process requires several compulsory risk assessments on the basis of such notes. In addition, the pertinent policy rules from April 2018 state that unevaluated data from bulk cable interceptions may not be exchanged without the existence of a weighting note that covers this type of exchange. Put differently, in the absence of a weighting note for such a case, no sharing of unevaluated data can be authorized by the responsible minister. The Dutch review body, the CTIVD, can review the notes and report to parliament whether it found them to be correct and adequate.