Ten standards for oversight and transparency of national intelligence services: custodiet ipsos custodes


On July 23rd 2015, legal scholars from the Institute for Information Law of the University of Amsterdam — Sarah Eskens, Ot van Daalen (@DigiDefence) and Nico van Eijk — published a report (.pdf, in English) entitled “Ten standards for oversight and transparency of national intelligence services”. The proposed standards are substantiated by, among others, analysis of CJEU jurisprudence.

The report appears three weeks after the Dutch government released a new intelligence bill into public consultation (details). That bill includes significant expansions of power, notably enabling bulk interception of domestic and foreign cable communications, and mandatory cooperation from (to be selected) “providers of communication services” — a broad category that covers internet providers, hosting providers (cloud? CDNs?), and website operators. Notably, the authors of the report plead for ex ante review of interception and intelligence operations by a court. The bill neither includes independent ex ante review, nor any court involvement.

The executive summary from the report:

Executive summary

The main goal of this report is to contribute to the policy debate on surveillance by intelligence services from the perspective of oversight and transparency. Both are considered essential for devising checks and balances in which human rights are respected.

By offering this concise list of ten standards, we intend to provide practical guidance for those who seek further input for discussions, policymaking and the review of existing legislation. These standards are based on our analysis and interpretation of relevant jurisprudence, literature and selected policy documents.

Standard 1: Intelligence services need to be subject to oversight that is complete.

This means it should be complete in terms of a) the oversight body: the government, parliament, the judiciary, and a specialised (non-parliamentary, independent) commission should all play a role in oversight; b) the moment of oversight: prior oversight, ongoing oversight, and after-the-fact oversight, and c) the mandate of oversight bodies: reviews of lawfulness and effectiveness.

Standard 2: Oversight should encompass all stages of the intelligence cycle.

Surveillance involves different stages, including the collection, storage, selection and analysis of data. As all these stages amount to an interference with the right to privacy, these separate stages should be subject to oversight.

Standard 3: Oversight of the intelligence services should be independent.

In this context, this means independence from the intelligence services and the government. Judicial oversight offers the best guarantees of independence. Therefore, it is preferable to involve the judiciary in the oversight on secret surveillance and data collection.

Standard 4: Oversight should take place prior to the imposition of a measure.

In the field of secret surveillance of communications, especially by means of sophisticated technologies now associated with untargeted surveillance, the risk of abuse is high, and abuse can have harmful consequences not only for individual rights but also for democratic society as a whole. Therefore, prior independent oversight on the application of surveillance and collection powers is essential.

Standard 5: Oversight bodies should be able to declare a measure unlawful and provide for redress.

Prior and ongoing oversight bodies for intelligence services should have the power to prevent or end a measure imposed by intelligence services, and oversight bodies should have the power to declare a measure unlawful after the fact and provide for redress.

Standard 6: Oversight should incorporate the adversary principle.

The ‘adversary principle’ is a basic rule of law principle. Where secrecy is necessary, this can be implemented by the appointment of a special advocate who defends the public interest (or the interest of affected individuals). As a result, some form of adversarial proceedings would be introduced without the secrecy of measures to be imposed being jeopardised.

Standard 7: Oversight bodies should have sufficient resources to perform effective oversight.

This standard includes the attribution of the necessary equipment and staff, resources in terms of information and technical expertise. This also contributes to their independence from the intelligence services and the government.

Standard 8: Intelligence services and their oversight bodies should provide layered transparency.

This means that: a) the individual concerned, the oversight bodies, and civil society are informed; b) there is an adequate level of openness about intelligence activities prior to, during and after the fact; and c) notification, aggregate statistics, working methods, classified and detailed information about operations, and general information about what will remain secret under all circumstances is provided.

Standard 9: Oversight bodies, civil society and individuals should be able to receive and access information about surveillance.

This standard more or less mirrors the previous one. Clear legislation on receiving and access to information about surveillance must provide a framework for oversight and supports public scrutiny of the surveillance powers.

Standard 10: Companies and other private legal entities should be able to publish aggregate information on surveillance orders they receive.

Organisations should be able to disclose aggregate information publicly about orders they receive directing them to provide information to the government. They should be able to make more detailed/confidential information available to oversight bodies.

Hopefully the arguments brought forward will have a positive impact on the further development of the Dutch intelligence bill, as well as be of use to debate about intelligence legislation in other (EU) countries.

Also see the coverage by Nu.nl (in Dutch) and the coverage by Volkskrant.nl (in Dutch).