The Council of Europe’s Commissioner for Human Rights published an issue paper entitled Democratic and effective oversight of national security services (.pdf, June 2015). The paper was prepared by Aiden Willis, who earlier co-authored a statement (.pdf) given before a hearing on November 7th 2013 at the LIBE Committee Inquiry on Electronic Mass Surveillance of EU Citizens. The issue paper gives a comprehensive overview of best practices and makes recommendations. First take note of these remarks from p.7:

The paper includes 25 recommendations, some of which explicitly make references to bulk interception and Computer Network Exploitation (CNE). The remainder of this post consists of a verbatim copy of the commissioner’s recommendations, for quick reference. To fully appreciate the recommendations, read the original report.

Taking into account the findings and conclusions of this issue paper, the Commissioner makes the following recommendations aimed at strengthening oversight of national security services and thereby improving human rights compliance in the work of security services.

In order to ensure that the operations, policies and regulations of security services comply with Convention rights and are subject to effective democratic oversight, the Commissioner calls on the member states of the Council of Europe to:

On general parameters for a system of oversight

1. Establish or designate one or more bodies that are fully independent from the executive and the security services to oversee all aspects of security service regulations, policies, operations and administration. All references to oversight bodies in these recommendations are to independent oversight bodies as defined in these recommendations.
2. Ensure that their systems for the oversight of security services comply with the minimum oversight requirements set out in the European Court of Human Rights’ jurisprudence, the UN compilation of good practices on intelligence agencies and their oversight, as well as the recommendations put forward by the [Council of Europe’s] Venice Commission (.pdf).
   

On the scope of oversight of security services

3. Ensure that all aspects and phases of the collection (regardless of its method of collection or provenance), processing, storage, sharing, minimisation and deletion of personal data by security services are subject to oversight by at least one institution that is external to the security services and the executive.
4. Ensure that the oversight of security services focuses not only on the lawfulness of security service activities that restrict the right to privacy and family life but also the rights to freedom of expression, assembly, association and religion, thought and conscience.
5. Mandate oversight bodies to scrutinise the human rights compliance of security service co-operation with foreign bodies, including co-operation through the exchange of information, joint operations and the provision of equipment and training. External oversight of security service co-operation with foreign bodies should include but not be limited to examining:
   1. ministerial directives and internal regulations relating to international intelligence co-operation;
   2. human rights risk assessment and risk-management processes relating to relationships with specific foreign security services and to specific instances of operational co-operation;
   3. outgoing personal data and any caveats (conditions) attached thereto;
   4. security service requests made to foreign partners: (i) for information on specific persons; and (ii) to place specific persons under surveillance;
   5. intelligence co-operation agreements;
   6. joint surveillance operations and programmes undertaken with foreign partners.
6. Require that security services obtain authorisation from a body that is independent from the security services and the executive, both in law and in practice, before engaging in any of the following activities either directly or through/in collaboration with private sector entities:
   1. conducting untargeted bulk surveillance measures regardless of the methods or technology used or the type of communications targeted;
   2. using selectors or key words to extract data from information collected through bulk surveillance, particularly when these selectors relate to identifiable persons;
   3. collecting communications/metadata directly or accessing it through requests made to third parties, including private companies;
   4. accessing personal data held by other state bodies;
   5. undertaking computer network exploitation.
7. Ensure that, where security services engage in computer network exploitation, these activities are subject to the same level of external oversight as is required for surveillance measures that have equivalent human rights implications.
8. Consider the introduction of security-cleared public interest advocates into surveillance authorisation processes, including both targeted and untargeted surveillance measures, to represent the interests of would-be targets of surveillance.
9. Consider how surveillance authorisation processes can be kept under ex post facto review by an independent body that is empowered to examine decisions taken by the authorising body.
10. Create or designate an external oversight body to receive and investigate complaints relating to all aspects of security service activity. Where such bodies are only empowered to issue non-binding recommendations, member states must ensure that complainants also have recourse to another institution that can provide remedies that are effective both in law and in practice.
11. Give an external oversight body the power to quash surveillance warrants and discontinue surveillance measures undertaken without the need for a warrant when such activities are deemed to have been unlawful, as well as the power to require the deletion of any information obtained from the use of such measures.
12. Ensure that the procedures of any institution tasked with adjudicating on complaints relating to matters that have been revealed to a complainant or otherwise made public comply with due process standards under European human rights law.

On the independence and democratic legitimacy of oversight bodies

13. Consider strengthening the link between expert oversight bodies and parliament by taking the following steps:
    1. giving a designated parliamentary committee a role in the appointment of members;
    2. empowering parliament to task expert bodies to investigate particular matters;
    3. requiring that expert oversight bodies report and take part in hearings with a designated parliamentary committee.

On the effectiveness of oversight bodies

14. Guarantee that all bodies responsible for overseeing security services have access to all information, regardless of its level of classification, which they deem to be relevant to the fulfillment of their mandates. Access to information by oversight bodies should be enshrined in law and supported by recourse to investigative powers and tools which ensure such access. Any attempts to restrict oversight bodies’ access to classified information should be prohibited and subject to sanction where appropriate.
15. Ensure that security services are placed under a duty to be open and co-operative with their oversight bodies. Equally, oversight bodies have a responsibility to exercise their powers, including seeking and handling classified information, professionally and strictly for the purposes for which they are conferred by law.
16. Ensure that access to information by oversight bodies is not restricted by or subject to the third party rule or the principle of originator control. This is essential for ensuring that democratic oversight is not subject to an effective veto by foreign bodies that have shared information with security services. Access to information by oversight bodies should extend to all relevant information held by security services including information provided by foreign bodies.
17. Require security services to proactively disclose to overseers (without being requested) information relating to areas of activity that are deemed to present particular risks to human rights, as well as any information relating to the potential violation of human rights in the work of security services.
18. Ensure that external oversight bodies – including parliamentary oversight committees and expert oversight bodies – are authorised by law to hire independent specialists whose expertise is deemed to be relevant. In particular, oversight bodies should have recourse to specialists in information and communications technology who can enable overseers to better comprehend and evaluate surveillance systems and thus to better understand the human rights implications of these activities.
19. Make sure that all institutions responsible for the oversight of security services have the necessary human and financial resources to fulfill their mandates. This should include recourse to technological expertise that can enable overseers to navigate, understand and evaluate systems for the collection, processing and storage of information. The adequacy of such resources should be kept under review and consideration should be given as to whether increases in security service budgets necessitate parallel increases in overseers’ budgets.
20. Ensure that all oversight bodies with access to classified information and personal data (regardless of whether it is classified) put in place measures to make sure that information is protected from being used or disclosed for any purpose that is outside the mandate of the oversight body.

On transparency and engagement with the public

21. Require by law that external bodies responsible for scrutinising security services publish public versions of their periodic and investigation reports. Any such requirements should be accompanied by additional resources that enable oversight bodies to produce informative reports without undermining their core oversight functions.
22. Ensure that security services and their oversight bodies are not exempt from the ambit of freedom of information legislation and instead require that decisions not to provide information are taken on a case-by-case basis, properly justified and subject to the supervision of an independent information/data commissioner.

On reviewing oversight bodies and systems

23. Evaluate and review periodically the legal and institutional frameworks, procedures and practices for the oversight of security services. Evaluations should include but not be limited to examining:
    1. the legal mandate of oversight bodies;
    2. the effectiveness of oversight bodies in helping to ensure that security service policies, regulations and operations comply with national and international human rights standards;
    3. the efficacy of oversight bodies’ investigative techniques;
    4. the implications of new technologies for oversight;
    5. the protection of information by oversight bodies;
    6. the relations and co-operation between oversight bodies;
    7. reporting and public outreach.
24. Review the adequacy of arrangements for the oversight of the collection and retention of personal data by private companies, including communications providers, for national security purposes, as well as the co-operation between private companies and security services.
25. Review the legal framework for the oversight of computer network exploitation by security services and consider whether existing arrangements provide necessary safeguards under national and European human rights law.