Surveillance activities using digital means have been rapidly growing and developing. Political developments started with the ‘War on Terror’ in the aftermath of the attack on the 11th of September 2001 in the United States. This led to new policies to fight perceived threats of terrorism and radicalisation. Digital surveillance methods are increasingly used for this purpose. These developments have triggered law reforms in the field of intelligence- and security services in many countries.
The Snowden revelations of 2013 led to widespread criticism on the interferences with fundamental rights, made by the “mass-surveillance” projects the United States and several European countries participated in. It is new and unique to have a debate on the secrecy of the work of the services. These developments taken together lead to the question how far states can go in their measures to protect their citizens and national security.
This question forms the decor of this research. More specifically, it focuses on the law reform in the Netherlands, introducing the Intelligence and Security Services Act 2017 (‘Wet op de Inlichtingen- en Veiligheidsdiensten 2017’, hereafter: Wiv 2017). This Act and the Dutch debate are exemplary of this development and therefore can function as a model. Firstly, because the arguments given for the need of this new law are the aforementioned perceived threats of terrorist attacks and the need for modernisation to keep up with the technological developments of society, more specifically in communications technology. Secondly, because the law reform unchained a discussion in Dutch society on the aforementioned question: To what extent are we willing to allow the services to make infringements on our fundamental rights in order to protect national security? Thirdly, because in the Netherlands an open debate is enabled by a sufficient level of free speech and transparency on the functioning of the Dutch services and government. Fourthly, it is possible to have a well-informed debate on the content of the law, since there is not one obvious flaw in the system which is blocking a broader discussion. And fifthly, because of a referendum started by five students from Amsterdam, the debate has been held throughout society, giving the topic momentum, causing more transparency and debate, producing publicly accessible information, and giving citizens a voice in the national security policies of their country.
The initiative to start a referendum with appurtenant campaigns, the announced court cases, and the lively debate about the Act show there is a lot of criticism on the expansion of powers of the intelligence services. The core of the criticism is directed at the untargeted effects of surveillance powers, and the perceived lack of safeguards to protect civilians against unlawful infringements on their rights. With the newly introduced bulk powers, large amounts of data of citizens that are not targets of the services will be gathered. Opponents state that the effectivity of bulk powers has not been proven, while the risks are occurrent. Data gathered by the government is not in the control of citizens anymore. Regimes can change, and in that case, so can the use of this data. Especially when unevaluated bulk data sets are provided to foreign services there is a lack of control. Also, governments get hacked, and data leaks occur. Apart from that, the bulk capabilities cause for a “chilling effect”; the inhibition or discouragement of the legitimate exercise of certain fundamental rights these measures might have. This research addresses the capabilities in the law that are the most prominent within the debate. These are bulk interception, the hacking capability, real-time access to databases, the exchange of data with foreign services, and oversight and control mechanisms.
European law, including case-law, is providing the parameters within which the national law reforms can be formulated. The debates on the law reforms are being held against this background, and eventually it will be the judge who has the last verdict on the legality of the reforms. Therefore a sketch of the European case-law is included.
An emerging trend is visible regarding the law reforms on intelligence services in the Netherlands, the United Kingdom and Germany. It consists of a shift from surveillance measures with targeted effects to surveillance measures with untargeted effects, and an intensified international cooperation between the services. Also, all Acts unchained a lot of societal debate, critique and legal challenges. I found the differences between the Acts to be smaller than I expected. However, some aspects of the Wiv 2017 appeared remarkable when placed in an international context:
– The Wiv 2017 does not make a difference between domestic, international and foreign communication data. In Germany as well as the UK this distinction is made. Germany even has different regimes according to this classification. However, this difference might be mostly de-jure, and it is a bit unclear what remains of it de-facto. The United Nations Special Rapporteur on the Right to Privacy (hereafter: SRP) calls it a “xenophobic fallacy” based on the idea that the threat is coming from the foreigners. Since the majority of terrorist attacks in Europe were carried out by EU citizens, I join the SRP in his opinion that it is a fallacy that it makes sense to discriminate against people whose citizenship lies not within the lawmakers’ jurisdiction.
– The Wiv 2017 displays a far-reaching willingness of the Dutch services to share data with foreign services. The logic of the provisions that determine in what cases data can be shared can be summarised as ‘sharing, unless…’ as opposed to the logic of ‘only sharing if…’. Germany is one of the few EU member states that has implemented a relatively detailed procedural regulation on how to implement cooperative relationships in their primary legislation.
– Especially worrying, regarding the international exchange of intelligence, is the oversight gap. Data that is collected through bulk interception can be shared with foreign services before it is analysed by the Dutch services, even with services with whom the Dutch services do not have a cooperative relationship. The ex-ante assessment on the authorisation of the Minister only accounts for the collection of data, and its scope does not extend to the provision to foreign services. Apart from that, the oversight of the CTIVD only applies to the conduct of the Dutch services. This means that there is no control nor oversight over data that is provided to foreign services, or over its use.
– The Wiv 2017 does not assign any power to the DPA. The only safeguard in terms of data protection is the general duty of care of the services. In Germany as well as in the 294 HRC Report of the Special Rapporteur on the right to privacy, Joseph A. Cannataci, UN Doc. A/HRC/34/60, 24 February 2017, p. 36. UK, the Acts do assign limited power to the DPA.
– Regarding the hacking capability the expected differences between the countries are slightly visible. In comparison, it is noteworthy that the IPA 2016 gives examples of possible conduct under the hacking capability, where the Wiv 2017 provides a limited enumeration of possible conduct. Also, the authorisation procedure within the IPA 2016 allows for all conduct necessary to do what is expressly mentioned in the warrant. Unforeseen conduct is assumed lawful. In the Wiv 2017, separate authorisation is required for all conduct. In this regard, the German Act is more limited regarding permitted conduct by describing only two forms. However, since this limitation of the capability is deemed technologically impossible, it is the question to what extent the total reach of the capability is more restricted.
– Noteworthy in regard of the hacking capability as well is the fact that the Wiv 2017 does not make a distinction between data in transmission and storage data. In the German Act two different capabilities address each type of data, and the IPA 2016 excludes data in transmission from the equipment interference warrant. In the Dutch Act, this distinction is not made, and conduct regarding both kinds of data is allowed and possibly combined. – The capability to get real time access to databases is new in the Wiv 2017. The UK already has a practice in the acquirement of bulk personal datasets. The German Act does not account for this capability. The untargeted effect is mainly present within the acquisition of bulk data sets. In the IPA 2016, a distinction is made between warrants depending on the sensitivity of the nature of the data within the dataset. In case of sensitive data, a more strict regime applies. In the Netherlands, this distinction is made in practice and in internal rules, but it seems a valid suggestion to implement this in the Act. Remarkable about this capability as well is the classification as regular power instead of special power.
This leads to the conclusion that with the introduction of the Wiv 2017, the Netherlands places itself within the broader trend of the international development that is visible in the capabilities of intelligence services. Case-law of the ECtHR as well as the CJEU show that these Courts are taking a critical stance towards the shift from targeted to untargeted effects of surveillance measures. Whether the criteria laid down in contemporary judgments also apply to the domain of intelligence and security services, in the light of the national security exception, is not clear yet. In this regard, we wait for the judgments in pending cases to be adjudicated.
In my opinion, it is a good thing that throughout several countries there are NGOs, activists, journalists, lawyers, and other people fighting the trend of wanting to collect more and more data. The ‘security paradigm’ appears to be very dominant. It seems that politicians want to show that they are taking the fear of citizens seriously, and that they are ‘doing something’. However, we should not jump the gun. It is important to think rationally about what, and how urgent, these perceived threats are, and to take appropriate measures. It is important as well to not forget what it is that needs protection.
The ECtHR acknowledges the risk that a system of secret surveillance set up to protect national security may undermine or even destroy democracy under the cloak of defending it. Therefore, the introduction as well as the implementation of surveillance measures needs to be necessary, proportional, and subsidiary. In my opinion, this excludes surveillance powers with untargeted effects.