Chapter 2: Foreign Intelligence Collection and Data Transfers
The link between a company’s handling of customer data and government surveillance became far more prominent after Edward Snowden’s revelations in 2013 and subsequent inquiries into similar practices by EU member states. In July 2020, the European Court of Justice (CJEU) invalidated the Privacy Shield in the Schrems II case, finding that several U.S. surveillance authorities—specifically, Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (EO 12333)—do not provide an adequate level of protection for EU citizens’ data,1 and that the United States lacks a mechanism for meaningful redress for EU citizens whose data is transferred to the United States. This was a big moment for transatlantic policymakers and the private sector alike: over 5,300 companies relied on the Privacy Shield for data transfers between the United States and Europe for services including social media, messaging, cloud services, email, and beyond.
After the court struck down the Privacy Shield, the European Commission began engaging in another attempt at a binding agreement on cross-border data flows and data protection standards regarding government access with the U.S. government.2 With its decision, the court provided a clear emphasis on genuine safeguards against disproportionate government access and judicial redress for European data.
Coming to a new agreement is by no means an easy task, for a wide range of reasons. Given that the CJEU refrained from any direct comparison of U.S. intelligence legislation with EU member state intelligence laws in its Schrems II decision, there is an understandable demand that a future agreement apply the same analytical standard to both sides. Thus, U.S. customers of digital services should receive the same protection against disproportionate government access and the same chance of effective remedies for the processing of their data in Europe. However, ensuring this reciprocity is beyond the competence of the European Union and can only be decided by individual EU member states in their national laws on surveillance.
Policymakers need to flesh out how the abstract data protection standards used in the CJEU’s Schrems II ruling can be applied in concrete situations of intelligence collection and data processing as well as how they should be written into national intelligence legislation. We need more clarity and concrete examples of good practice as it relates to questions of adequate safeguards, disproportionate government access to communications data in foreign intelligence collection, and more. It is often easier to determine where a legal provision is underwhelming than to concoct better standards, both across Europe and in the United States.
There are three common points of friction that originate from the legal frameworks and oversight practices on foreign intelligence collection in several EU member states and the United States. First, there is a lack of safeguards in intelligence legislation regarding the re-use of personal data (purpose limitation) and the transfer of collected data to foreign services (unconstrained intelligence cooperation). Second, there is insufficient protection of non-nationals in intelligence legislation. Third, there is ineffective review and oversight practice on foreign intelligence collection and data transfers. This section will introduce each of these issues and their relevance for transatlantic cross-border data transfer consultations. It also explores potential solutions to these points of friction.
Insufficient Purpose Limitation and Data Transfer Safeguards in National Intelligence Legislation
Problem Analysis
There are not enough safeguards written into national surveillance legislation in many countries to prevent the repurposing of data obtained from foreign intelligence agencies. Imagine a situation where data is lawfully being collected in bulk by a European intelligence agency for the purpose of informing its government about political developments in the Western Balkans (purpose A). Imagine then that this data is used, without additional authorization, for counter-terrorism finance tracking purposes (purpose B). Consider, also, that the data collected in bulk for purpose A is then used by the European intelligence service to request intelligence from the SWIFT network for purpose B. Initiating such a request means passing the data on to the U.S. Treasury Department, which runs searches on the basis of these requests.3 In doing so, the data collected by the European intelligence agency may end up in U.S. databases where other U.S. services may be able to access and use it for different purposes. Alternatively, the data initially collected in bulk by one European intelligence agency for purpose A could also be shared in an unevaluated and automated fashion with additional foreign intelligence agencies, which may process it for other purposes.
The re-use of data within the government for a different purpose and the sharing of such data with foreign intelligence partners would, according to European courts, constitute a separate interference with fundamental rights and consequently require independent statutory protections that are necessary and proportionate.4 Therefore, national intelligence law should include specific safeguards to make these additional uses lawful and legitimate. However, this is an abstract requirement that needs to be broken down into specific intelligence governance contexts. For instance, questions to consider include, “does this require separate authorization procedures and binding obligations on the government to seek assurances from the foreign government that the data will only be used for purposes that are lawful?” and “how would one obtain binding assurances in a context that pertains to the heart of national sovereignty?”
Recent jurisprudence on legal frameworks for intelligence collection in Europe (notably in the U.K., Sweden, and Germany) and subsequent legislative reforms (Germany) give indications as to how to establish and maintain new and potentially more effective safeguards, and should be considered within the context of current U.S.-EU consultations on cross-border data flows and data protection standards.
For example, the May 2021 decision of the European Court of Human Rights in the Centrum för Rättvisa v. Sweden case, which examined the legal mandate for bulk collection by Sweden’s National Defense Radio Establishment (FRA), provides a useful case study. The court acknowledged the possibility that the FRA would share its intelligence with foreign partners, sometimes under unpredictable circumstances,5 and that therefore the precise scope of intelligence sharing cannot fully be circumscribed within the law.6 However, the court held that the existing law failed to require the FRA to assess the necessity and proportionality of its intelligence sharing with a view to its compatibility with fundamental rights.7
Roadmap toward Positive Change
In Sweden and beyond, national intelligence legislation should be subjected to further scrutiny regarding its suitability to provide sufficient protection when it comes to data re-use and data transfers. In response to this need, the below discusses six examples of how different policymakers and courts have tried to mitigate the risks of disproportionate government use of personal data.
Separate Data Collection Regimes in Foreign Intelligence Legislation
One example of having separate data collection regimes in foreign intelligence legislation comes from Germany. Recognizing the many risks of non-compliance and rights infringements—intentional or not—the German Constitutional Court found fault in the 2016 Law on Germany’s Foreign Intelligence Service (BND Act) provisions on data transfers and intelligence cooperation. It requested that the German Bundestag amend the BND Act by the end of 2021. In so doing, it formulated minimal conditions that a future legal framework should meet. For example, it requested to limit the conditions in which sharing personal data that stems from strategic surveillance is permissible, and provided specific exemptions.8
More specifically, it called for separate data protection regimes in Germany’s foreign intelligence legislation depending on whether the purpose of the data collection was to provide political intelligence to the federal government or provide early threat detection. Regarding the former, the court placed restrictions around sharing with domestic or foreign agencies for other—especially operational—purposes,9 noting that in those cases the intelligence cannot be shared with other bodies. The exception to this is in cases of immediate danger to a person, vital public interests, or security.10
The amended BND Act now requires a prior written application wherein the government must state which lawful aim it pursues with the requested strategic foreign intelligence collection. According to § 19 BND Act, this can be one of the following two general cases: gathering information for the federal government of Germany (aim one) or detecting threats of international relevance (aim two). Applications for aim one can be authorized if they serve the purpose of obtaining information about foreign countries, are relevant for German foreign and security policy, and are ordered by the federal chancellery. By contrast, applications for aim two can be authorized if they satisfy the criteria required for aim one and if they can indicate that the foreign intelligence collection might produce insights into eight general threat areas, or yield insights that allow protection of five legal interests.11
The benefit of this practice of distinguishing between the different purposes of data collection is that it adds a powerful deterrent against sharing some types of data with foreign services unless the sharing meets specific qualifications related to severity and danger. This practice also takes the positive step of requiring documentation to be provided to independent oversight bodies.
Stronger Safeguards for Protected Professional Communications and the Core of Private Life
The amended BND Act of March 2021 now also includes stronger safeguards for data originating from either protected professional communications or what the German constitutional court refers to as the core of private life (Kernbereich privater Lebensgestaltung). It also contains provisions to better protect the right to privacy of correspondence, posts, and telecommunications (Art. 10 of the Basic Law), press freedom (Art. 5 of the Basic Law), and the right to informational self-determination, as well as the confidentiality and integrity of IT systems in specific foreign intelligence collection contexts.12
With respect to protected professional communications, such as for lawyers and journalists, the court created thresholds that must be met in future German foreign intelligence legislation to ensure that surveillance of such communication is limited to investigations of serious threats to individuals, criminal activity, or to apprehend dangerous criminals.13 However, the court offered a compromise to the German government. If the collection of communication data from protected professions takes place with a view to provide political intelligence to the government, less stringent data protection safeguards can apply. In turn, however, this requires that the sharing of such data with other (foreign) partners must be ruled out in principle.14
German foreign intelligence law now offers stronger protections regarding the core of private life. In practice, this means that communications of highly personal character, such as expressions of feelings and thoughts, unconscious experience, or sexuality, are thus generally off-limits for bulk collection (§ 22 BND Act). Even interests of paramount importance cannot typically justify an intrusion in the core of private life.15
Mandatory Application of the Hypothetical New Data Collection Rule
The German constitutional court’s “criterion of hypothetical new data collection” constitutes another interesting example of how some of the more abstract data protection standards can be applied to concrete situations of intelligence practice. Accordingly, when assessing the legitimacy of using data for different purposes than those originally intended, the constitutional court based its ruling around how the weight of the change in purpose of the data sharing compares to the original data collection purpose. The court noted that the new purpose for data collection would also have to be permissible under constitutional law using similar means.16
Volume Limitation
The amended BND Act limits the amount of data the BND may collect to a maximum of 30 percent of the transmission capacity of all globally existing telecommunications networks (§ 19 (8) BND Act).17 This is in response to the German constitutional court’s general clarification that the main goal of the requirements in the principle of proportionality is to limit telecommunications surveillance to a narrow enough set of criteria. The German constitution, the court clarified, “does not allow for global and sweeping surveillance,” even for foreign intelligence.18
Whether this new volume limitation in the BND Act will cause an actual decrease in bulk collection has been subject to debate during the policymaking process. Eco, an international business association of internet service providers, argued—in their official commentary on the draft law—that “30 percent of all global telecommunications networks” does not constitute a verifiable limit. They explained that about 70,000 communications networks participate in international data traffic, which would mean that targeting roughly 20,000 networks would be permissible under the BND Act. In Germany alone, about 1,250 carriers are linked to the internet. The legal volume limitation would consequently permit data collection up to 16 times the entire data traffic amount in Germany. A small number of large telecommunication networks have a dominant share in overall data traffic, with the 10 largest providers typically carrying about 95 percent of all data transmissions and the 25 largest networks transmitting roughly 99 percent.19 Thus, whether this volume limitation rule qualifies as a sufficient limit of bulk interception is questionable. Taking into account that the BND's technical and financial capacities will hardly suffice to get close to such an abstract data collection cap, plus recalling that the BND may collect data in bulk as part of its suitability tests, the defined legal maximum of 30 percent is unlikely to have much practical value.
Compared to U.S. Executive Order 12333, which allows the U.S. government to conduct bulk collection of foreign intelligence without judicial oversight or volume limitation, the specific provisions in the BND Act protecting the right to privacy of correspondence, posts, and telecommunications (Art. 10 of the Basic Law), press freedom (Art. 5 of the Basic Law), as well as protected professional communications and the core of private life of foreigners from German bulk collection represent significant progress.
Currently, Section 2 of U.S. Presidential Policy Directive 28 (PPD-28) provides some limitations on bulk surveillance and protections for non-U.S. persons’ data—it requires intelligence agencies to only use signals intelligence (SIGINT) collected in bulk for six designated purposes. The permitted categories are for the purposes of detecting and countering threats from or regarding: espionage, terrorism, weapons of mass destruction, cybersecurity, U.S. or allied Armed Forces, and transnational criminal acts.20 These categories are relatively broad, and they only govern the use of data collected in bulk, rather than limiting the collection itself. Accordingly, intelligence agencies can still engage in broad bulk collection for any foreign intelligence purpose, and PPD-28 only restricts how the government may use the data once it is in government databases, allowing room for overcollection and potential misuse of data. Notably, PPD-28 merely speaks to the privacy interests of non-nationals rather than privacy rights.
As an initial reform to respond to the CJEU, the Open Technology Institute (OTI) has recommended that the U.S. government build upon PPD-28 by applying the six-category use limits for bulk data to cover the purposes for bulk collection, barring any other type of bulk collection—and that such limits should be codified into law.21 Further, the U.S. government should adopt binding rules to ensure that even within these six categories, bulk collection is only conducted when it meets the standards of necessity and proportionality under international human rights law. When a government or entity is considering instituting policies or practices that would restrict key rights, the necessity principle requires the actor to ensure that the restriction on fundamental rights is necessary and meets a “pressing social need.” Proportionality ensures that any advantages conferred by restrictions on fundamental rights are not outweighed by potential disadvantages.22 In the longer term, Congress should consider enacting a law that applies these purpose limitations (or other purpose limitations that meet the international standards of necessity and proportionality) to all intelligence.
Stronger Safeguards for Data Transfers as Part of Transnational Intelligence Cooperation
In Centrum för Rättvisa v. Sweden, the European Court of Human Rights formulated four essential safeguards that should govern the sharing of information from bulk collection with foreign partner services. First, the circumstances in which the data can be transferred must be clearly laid out in domestic law. Second, the state transferring the data must ensure the state receiving the data has adequate safeguards in place that prevent “abuse and disproportionate interference.” Specifically, the receiving state must ensure secure storage of the data and restrict its onward disclosure. Third, the court noted that heightened safeguards will be necessary when clearly dealing with the transfer of materials that require confidentiality—such as confidential journalistic materials. Fourth, the court stated that the transfer of materials to foreign intelligence partners should be subject to independent control.23
These four safeguards can be fleshed out further—as indicated above with regard to the new provisions in the BND Act protecting professional communications data from disproportionate bulk collection. Regarding the first such safeguard, the amended BND Act provides several comprehensive provisions around how data transfers in the course of SIGINT cooperation agreements may take place. More specifically, bulk data sharing requires written agreements, so-called memorandums of understanding (Absichtserklärung), that specify the purposes of bulk data exchanges. § 31 section 3 of the amended BND Act lists three permissible operational purposes for transnational cooperation with other intelligence services: the early detection of severe threats, the protection of foreign and security interests of the Federal Republic of Germany, and if the operations of the BND would otherwise be made very difficult or impossible.
In practice, this means that the BND must negotiate agreements with foreign services about the exchange of search terms for bulk interception, as well as the automated transfer of unevaluated bulk data.24 For data collection based on search terms, the BND can receive and use search terms determined by foreign intelligence services to scan data traffic and forward the relevant hits automatically to the foreign services. Conversely, the BND may also transmit its own search terms to foreign agencies, which then feed them into their operational data collection systems (assisted data collection pursuant to § 28 BND Act).
The new obligations for how the BND has to handle seeking assurances from foreign partners when sharing bulk data provides an example of safeguards that could be included in future U.S.-EU cross-border data transfer agreements. More specifically, the BND Act lists eight binding assurances that the BND needs to negotiate with its partner services. For example, the foreign partner service needs to agree to delete data related to German citizens and organizations, protected groups, and the core of private life.25
These new explicit requirements to seek binding assurances from foreign partner services came in response to the German constitutional court’s decision declaring Germany’s previous foreign intelligence legislation partly unconstitutional. The court stipulated that to ensure an adequate level of data protection in recipient countries, particular consideration is required to determine whether limits on the use of data—as well as requirements around control and data security—are generally observed.26
The Dutch intelligence legislation provides an additional example for those engaged in U.S.-EU negotiations. This legislation requires comprehensive risk assessments with the help of “weighting notes” on the basis of the following five criteria:
- The democratic embedding of the intelligence and security services in the country concerned;
- The respect for human rights in the country concerned;
- The professionalism and reliability of the service concerned;
- The legal powers and capabilities of the service in the country concerned; and
- The level of data protection maintained by the service concerned.27
These weighting notes can be reviewed by the independent oversight body, the Review Committee on the Intelligence and Security Services (CTIVD), and must be regularly kept up to date.
Prior Authorization of Search Terms Used for Automated Transfer of Data in the Context of Intelligence Cooperation
The use of partner services’ search terms and subsequent data transfers is another important practice area that requires safeguards for protecting data from disproportionate government access in the context of intelligence cooperation. Here, the German constitutional court ruled that the Bundestag must create related rules to ensure that the Federal Intelligence Service remains responsible for the rights of the persons whose data it collects and processes. Specifically, the court stated that there must be a thorough assessment of the search terms determined by the foreign partner, and of the resulting matches. Both must be checked to identify, where possible, data about persons or situations where special protection is needed, such as with whistleblowers. The court also pointed to the need for safeguards for fundamental rights.
This ruling also discussed safeguards for persons whose work requires confidentiality protection under law, such as lawyers and journalists. These include rules around filtering search terms that are meant to intercept telecommunications of these types of individuals, as well as manual screenings. The foreign partner may also be required to “plausibly demonstrate” why it wants to use such search parameters. Additionally, before the Federal Intelligence Service can provide automated sharing with a foreign partner, it must verify the search terms used in order to determine if data can be attributed to persons that require additional protection. In some cases, they may be required to manually screen this data. Individual decisions must also be subjected to judicial review.28
While the Bundestag shied away from introducing a general independent approval power for transnational data sharing in response to these findings, it established an ex ante oversight power if the BND wants to share personal data related to communications of protected professions.29 Accordingly, the BND may share personal data from communications of protected professions, for example, journalists, only if the judicial control body approves the transfer. It must weigh the foreigners' interests in protected confidential communications against the legitimate operational aims of the BND in its lawfulness test before data is transferred. Such a transfer of a lawyer's personal data would be allowed if the evidence justifies the suspicion that the person in question may be the perpetrator or participant of a crime or if the transfer is necessary to prevent dangers to certain legal interests (§ 29 (8) in connection with § 30 (9) BND Act). In case of imminent danger, a preliminary approval by one member of the oversight body suffices to permit the data transfer. If the decision is later revoked, the BND shall request the deletion of the shared data (§ 29 (8) sentence 5 BND Act).
Likewise, throughout the Schrems II decision, the CJEU referred to the U.S. intelligence agencies’ “mass processing” of EU citizens’ personal data as an infringement upon the General Data Protection Regulation (GDPR), seeming to suggest that use limitations could be helpful in mitigating these concerns. The U.S. government should therefore adopt stronger and more transparent limits on how collected information—regardless of the subject’s nationality—may be used. For example, information collected under Section 702 should only be permitted for use in connection with the approved foreign intelligence purpose (the certification approved by the FISA court) for which it was collected.
Insufficient Protection of Non-Nationals’ Rights
Problem Analysis
While our personal data crosses borders and jurisdictions with nearly every click we make online, safeguards and enforceable rights are mostly organised at a national level. For example, imagine a European national based in Belgium who shares personal data with a U.S. company. In most jurisdictions in Europe and in the United States, fundamental privacy rights are dependent on territoriality and citizenship. As neither a U.S. citizen nor a U.S. resident, the European data subject in Belgium therefore does not enjoy Fourth Amendment rights in the United States.
Fundamental rights should be considered as interdependent globally with regard to both the large amounts of data transfers across borders and to modern intelligence practice. Disregarding the rights of non-nationals bears the risk of rendering fundamental rights meaningless and undermining the rule of law—and even democracy as a whole. Recent jurisprudence in Europe has already pointed in such a direction. The German constitutional court found that human rights cannot be restricted territorially and that German authorities are bound by the basic law no matter where they operate.30 With this, the court gave “recognition to the expanding sphere of action of German state authority.”31 Similarly, in Schrems II, the CJEU demanded equivalent and enforceable rights for European citizens in the United States.32
Additionally, as illustrated by the impact of the Schrems II judgement, the absence of privacy rights for non-nationals in the context of national security can impede the free flow of data across borders. If such impasses are not resolved, a worst-case scenario would be a fragmented (or even “sovereignized”) internet. But even now, insufficient privacy protections and a lack of legal certainty constitute a major obstacle for the EU and U.S. economies.
It is important to reconceptualize privacy rights. Currently, they are too dependent on either nationality or residency even though personal data is de facto rarely confined by national borders. In order to prevent further impasses, it is important to enact strong and reasonable safeguards that both allow data exchange with trust that respects fundamental rights, and at the same time, do justice to the high sensitivity of intelligence work.
Roadmap toward Positive Change
Redress
In order for rights to be effective, they need to be enforceable. In Schrems II, the CJEU ruled that “the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.” Therefore, it ruled, legislation that does not provide individuals the ability to pursue legal remedies—either for access to personal data about the person or to rectify or erase the data—does not “respect the essence of the fundamental right to effective judicial protection.”33
The right to redress is one of the most contentiously discussed issues emerging from the Schrems II judgement, as it is most difficult to reform in the United States. There, the Fourth Amendment to the Constitution, which confers privacy rights, applies to citizens or residents only. Further, when the government plans to introduce evidence against an individual that was obtained under FISA, the government must notify the “aggrieved person” so that they may challenge the surveillance. Aggrieved citizens or residents have the ability to challenge the surveillance or sue the government in a separate action—amounting to “redress,” as they have legal remedies available to them. By contrast, EO 12333 sets no mechanisms for redress.
Targets of U.S. surveillance under FISA Section 702 and EO 12333, including EU citizens, therefore, lack a mechanism through which they can seek redress in U.S. courts. Granting “enforceable data subject rights and legal remedies” to European citizens is a central demand of the CJEU in Schrems II.34 In particular, the CJEU noted that FISA Section 702 and EO 12333 do not grant surveilled persons “actionable” rights of redress before “an independent and impartial court.”
Again, it remains questionable whether many EU member states themselves even comply with the provisions demanded by the CJEU. The Swedish Signals Intelligence Act, for instance, offers effective redress against misuse of data by intelligence actors, regardless of the nationality and residence of the concerned individual.35 This is not the case everywhere in Europe. In Germany, unless one’s communication data is protected by virtue of its professional characterization (e.g., for journalists) or by virtue of one’s identity as a citizen of Germany or the European Union, the new SIGINT framework offers little explicit protection, let alone redress options.36 There is, moreover, the expectation on the U.S. side that such rights need to be reciprocal, as experts such as Peter Swire have stated: “It’s common sense to have a reciprocal approach (i.e., to give U.S. citizens the right to appeal when European national security agencies access their data).”37
As OTI has previously written, legislation will be needed to fully meet the redress standard set by the CJEU.38 This is because the high bar that the CJEU set forth in its decision requires an independent tribunal that has fact-finding ability and is available to non-U.S. nationals. No such entity currently exists, and one would need to be created by statute. As other advocates have noted, legislation would also be needed to implement any approach that involves enabling complainants to establish standing, the constitutional requirement that litigants show they have been harmed by a law or practice in order to challenge it in court.
There are major obstacles to achieving the redress that the CJEU called for. The first is standing, or the ability of an individual to bring a claim in some sort of tribunal to challenge the use of surveillance powers where any decision will have binding force upon the government. Standing has been difficult to achieve, even for U.S. nationals in the United States, due to secrecy surrounding the use of surveillance mechanisms, including the government’s use of the State Secrets Doctrine (SSD).39 This doctrine, which has been described as rooted in either the U.S. Constitution’s commander-in-chief language or its concept of separation of powers, allows the government to refuse to turn over or introduce evidence that it claims would harm national security if released.40 The U.S. government has traditionally been given wide deference by U.S. courts in its use of the SSD.41 Without access to the evidence necessary to establish that an individual has been surveilled, many claimants struggle to establish standing.
The recent Wikimedia Foundation v. National Security Agency case offers an example of how a plaintiff established standing in a surveillance-related case.42 There, Wikimedia Foundation argued that NSA’s “Upstream” surveillance program necessarily captures some of the foundation’s international communications, and is therefore a violation of free-speech rights and its Fourth Amendment rights against unreasonable search and seizure.43 (Details of NSA’s Upstream program are classified, but it collects data from the internet’s backbone through the transmissions over high-speed cables that carry electronic communications into and out of the United States.) Even though the Fourth Circuit ultimately dismissed Wikimedia’s challenge to Upstream surveillance, Wikimedia won on the issue of standing. This meaningful win showed that it may be possible for plaintiffs to establish standing (in particular, show “actual injury”) by arguing that the nature of a particular surveillance technique in itself means the government must have collected their communications.44
Unfortunately, another recent case may make it more difficult for individuals to bring claims alleging privacy harms in U.S. courts, and for Congress to resolve this issue. In the 2021 TransUnion v. Ramirez decision, the Supreme Court further narrowed the threshold for legal standing in federal courts by ruling that “an asserted risk of future harm” is not sufficiently concrete to support standing in federal court, and that Congress’s ability to establish an injury in fact through law is limited.45 Ultimately, the decision means that even when a legal right is created through a statute, the judiciary holds the ultimate authority to determine when a violation of that right has resulted in an injury.46
Notification Duties
Formal notification after personal data processing plays a crucial role in ensuring the right to an effective remedy for two reasons. First, standing in court is in many cases dependent on proof that surveillance of the applicant has happened. This proof is difficult to gather without notice. Second, data subjects that are not even aware that they are being surveilled cannot seek remedy. In this way, notice is one of the threshold problems to redress. In some cases, legal requirements, logistical hurdles, and safety concerns make it difficult to inform non-nationals and non-residents that they are being surveilled. In other cases, secrecy regulations make it difficult for subjects to know they are a surveillance target in the first place.
In Germany, where the constitutional court accorded equivalent rights to non-nationals and non-residents, the court itself acknowledged that notification of the data subject is often impossible when non-nationals or non-residents are affected by surveillance. However, secrecy requirements and logistical difficulties in reaching data subjects that are situated outside of a country's jurisdiction are just two of the reasons why notice for non-nationals is often problematic. Additionally, notifying non-nationals could—depending on the context—endanger the data subjects themselves and, for instance, render them suspect to secret services or law enforcement in their country. For example, if the German BND were to notify a Syrian citizen that they had been subject to surveillance by Germany, this communication may come to the attention of the local security services and could result in considerable danger for the person involved. In some instances, omitting subsequent notification of the data subject is therefore in the interest of the data subject in question.
In the United States, even U.S. citizens often cannot establish standing in court because they cannot prove that they are affected by the surveillance measures due to lack of notification. U.S. intelligence law does not provide for notice in many situations. Under FISA, the U.S. government must provide advance notice to a criminal defendant if it intends to use evidence collected under Section 702 at trial or other proceedings.47 The Supreme Court further ruled in Clapper v. Amnesty International that “the government…must provide advance notice of its intent” if it intends to “use or disclose information obtained or derived” from Section 702.48
While by law this notice must be provided, in practice, criminal defendants rarely receive notice that they have been subject to Section 702 surveillance. In 2015, ACLU’s Patrick Toomey expressed dismay about why this continues to be the case, noting that the Department of Justice’s notice policy—and its interpretation of FISA’s requirements—are kept secret. He noted that, “because of this secrecy, the public, courts, and criminal defendants are unable to determine whether DOJ’s current view of its duty to give notice is even remotely defensible.”49
The ability to receive notice for other intelligence gathering authorities is even worse. The Patriot Act includes no provisions for notice, and the government has not provided any. However, resourceful libraries and other organizations have taken advantage of the gag orders that usually accompany Patriot Act orders to provide “canaries” in the form of statements that they had not received such an order.50 Finally, under Executive Order 12333, no administration has ever publicly disclosed what it views its obligations to be when it comes to notification.
In cases where the court’s jurisdiction is not limited by whether the subject of surveillance has notice (unlike the United States), this barrier becomes much less of an issue. For example, the European Court of Human Rights has held on several occasions that notification duties are not necessary “where the courts’ jurisdiction does not depend on notification to the interception subject that there has been an interception of his or her communications.”51 Similarly, the court highlighted that the British Investigatory Powers Tribunal (IPT), which has comprehensive jurisdiction over British intelligence activities, can examine any complaints about illegal interceptions regardless of notifications to the data subject.52
Compensatory Approach and Effective Review
Even with equivalent rights and the theoretical possibility of having standing in court, legal protection for foreigners may remain limited in actual practice. Secrecy and security concerns (including for the data subject) limit the extent to which non-nationals’ rights can be enforced. As mentioned earlier, non-nationals may not, for example, receive the same types of notifications about past surveillance of their communications’ data that nationals do—at least in some jurisdictions, such as Germany. In turn, this is a notable disadvantage when it comes to a non-national’s attempt to seek effective remedy in courts. To compensate for the “virtual absence of safeguards commonly guaranteed (to non-nationals) under the rule of law” and the “gap in legal protection,” the German constitutional court has requested that specific safeguards be respected and has demanded reinforced and comprehensive judicial and administrative oversight over the BND’s treatment of non-national communications data.53 The new German Federal Foreign Intelligence Law now places strategic surveillance of non-nationals under quasi-judicial oversight within the newly created Unabhängiger Kontrollrat (Independent Control Council).
In light of the reduced possibilities for rights enforcement and remedy for non-nationals, involving adversarial representatives that specifically argue in the interests of the affected group could provide another layer of protection.54
Possible International Instrument
Since the Schrems II decision, experts have pondered new opportunities for a “more sustainable kind of transatlantic cooperation on security and civil liberties, in which technology and intelligence sharing goes together with real cross-national protections for civil liberties.”55
International cooperation between national oversight bodies could be a novel mechanism alleviating limited redress possibilities (among other issues). Such cooperation can take many forms and will require mutually acceptable regulations on effective redress. This could go in the direction of aligning standards to ensure an equal standard of privacy for citizens of participating states, as proposed by the Parliamentary Assembly of the Council of Europe with its “Intelligence Codex” in 2015.56 More extensive cooperation in the field of intelligence oversight—for instance in the form of an international authority—could be used to strengthen the de facto privacy rights of non-nationals facing limited options for effective redress. The draft “Legal Instrument on Government-led Surveillance and Privacy” by the UN Special Rapporteur on Privacy Joe Cannataci also proposed, in 2018, that an international authority be put in place to oversee privacy matters between signatory countries.57 More recently, the Global Privacy Assembly encouraged governments and international organisations to develop “multilateral instruments ensuring adherence to key data protection and privacy principles in relation to government access to personal data.”58
Admittedly, such instruments are unlikely to be implemented on a global level. However, an agreement could potentially be reached at a smaller scale among certain countries that share the same values, perhaps in the spirit of an “alliance of democracies,” as Henry Farrell and Abraham L. Newman have proposed.59 Such an alliance could prove helpful to foster respect for civil rights and liberties as the backbone of democracies, especially vis-à-vis authoritarian countries such as China and Russia.60 In a recent study for the European Parliament requested by the Committee on Civil Liberties, Justice and Home Affairs (LIBE), for instance, Ian Brown and Douwe Korff proposed a “minilateral treaty” on intelligence activities between the EU and the Five Eyes countries including “clear rules on the states concerned not surreptitiously spying on each other, with transparent arrangements for mutual assistance, subject to crucial rule of law and human rights safeguards and openness about practice.”61
Ineffective Review Mechanisms and the Call for End-to-End Oversight
Problem Analysis
Much of recent European jurisprudence—not just in the CJEU Schrems II case, but also in other judicial proceedings at the European Court of Human Rights and in the highest national courts—has focused on bulk collection and its democratic oversight.62 Some European parliaments recently amended, or are about to introduce, legislative changes to the codified mandates of intelligence services, as well as the laws and regulations on the institutional design and mandate of oversight institutions.63 Meanwhile, some intelligence services, such as the U.K.’s GCHQ, have recently increased transparency regarding their use of artificial intelligence and their respective data ethics frameworks.64 In so doing, they acknowledged that legal frameworks and oversight practice need to be further aligned with this development.
It is of utmost importance to provide effective oversight and accountability for a highly complex and big data-driven intelligence collection process that interferes—at several stages—with fundamental rights. Oversight provides a much-needed check on the executive branch, and also adds legitimacy to its use of investigatory powers, ideally preventing executive overreach and establishing public trust in the intelligence process. In order to achieve these goals, oversight must go far beyond rubber-stamp authorization and weak ex-post review mechanisms—oversight must be driven by independent and rigorous fact-checkers that have substantial resources and sufficient decision-making and enforcement powers.
Before delving into how the oversight and accountability process can be strengthened, it is useful to discuss some common points of friction regarding oversight—both in the United States and across Europe—which largely show that oversight and accountability are somewhat elusive goals, and are a constant work in progress.65
The French Council of State on the French Intelligence Oversight Body CNCTR
In response to the CJEU’s influential October 2020 judgment, where it ruled that France’s surveillance laws did not safeguard fundamental rights and freedoms, the French Council of State laid out in April 2021 how the CJEU’s judgment—amongst other interpretations—ought to be translated into concrete legislative reform in France.66 More specifically, as discussed by Arthur Messaud and Noémie Levain, “[it] found that [the French] review mechanism is too permissive compared to what the CJEU has required.”67 Theodore Christakis elaborated that the French Council of State gave the French Parliament “six months […] to introduce all new mechanisms, procedures and safeguards,” including a requirement that France change its surveillance law to provide the National Commission for the Control of Intelligence Techniques (CNCTR), an independent oversight body, with authority to render binding opinions related to intelligence data.68 There might be additional room for oversight improvement, though—as Arthur Messaud and Noémie Levain have suggested—because CNCTR does not have access to information that French intelligence services collect from foreign partners.69 Provided that analysis is correct, this appears to stand in conflict with the European Court of Human Rights’ findings in Centrum för Rättvisa v. Sweden about minimal procedural and legislative safeguards for intelligence sharing.70
Independence of the Oversight Body
In the May 2021 European Court of Human Rights (ECtHR) Grand Chamber decision on Centrum för Rättvisa v. Sweden, Judge Pinto de Albuquerque wrote a concurring opinion in which he criticized the “highly politicised status of the FIC’s [Sweden’s Foreign Intelligence Court] members,” noting that it has “never held a public hearing and its decisions are final and confidential.”71 As a result, he argued that the Swedish oversight bodies “either do not meet the requirement of sufficient independence or provide effective scrutiny, or both.”72
German Constitutional Court on Insufficient Resources and Expertise in Previous German Oversight Body
In its ruling regarding the BND Act, the German constitutional court stated that people must be appointed to the oversight body as their primary occupation to ensure the oversight is “competent and professional.” The court noted that it is not sufficient to have an oversight board act in an honorary capacity. It also determined that oversight bodies must be able to develop their own databases and software, in part, to ensure the bodies can effectively scrutinize key components such as filtering mechanisms.73
U.S. Department of Justice Inspector General’s Audit of FISA Procedures
In the United States, the recent DOJ Inspector General audit of FISA “Woods Procedures,” released September 30, 2021, has also raised significant questions about oversight and accountability in the FISA process. Woods Procedures are documentation requirements that are designed to ensure FISA applications are “scrupulously accurate”—each factual assertion in the applications to the FISC must have documentary support in the FBI’s files.
Of the initial sample of 29 FISA applications, the audit found more than 400 instances of non-compliance with Woods Procedures. After those initial findings, the IG conducted further review of more than 7,000 FISA applications authorized between January 2015 and March 2020 and found at least 179 instances in which the required Woods file was completely missing, damaged, or incomplete.74 FISA experts across the board were shocked by the severity of these IG audits.75 In fact, Lawfare’s editor in chief Ben Wittes remarked that he “will never say again in public these applications go through a rigorous process and they are subject to intense oversight within the FBI and the Office of Intelligence in the Justice Department before it ever goes to the FISA Court.”76
The FISA Court Amicus Role
In the United States, the FISA amicus operates as a key check on the secretive FISA Courts. Congress created the role of the FISA amicus through the USA FREEDOM Act in 2015 as a reform to the FISA Court (as well as the FISA Court of Review, or FISCR). Under current law, FISA Court and FISCR judges appoint a panel of at least five independent experts with security clearances who possess expertise in privacy, civil liberties, intelligence collection, or communications technology, and then task these “amici” to participate in particular cases and advise the judges on their areas of expertise.
The current standard is that amici are included in the FISA Court process during cases involving “a novel or significant interpretation of the law,” but experts have pushed for expansion of their valuable role, as the amici have been limited by the law.77 One issue is that the “novel or significant interpretation” standard relates to the legal issues involved in the case, rather than the level of threat that the surveillance poses to privacy and civil liberties. Further, amici have inadequate access to information even in the cases in which they do participate. Finally, these special advocates are not currently able to appeal from the FISA Court to the FISCR. Advocates, academics, and the Privacy and Civil Liberties Oversight Board (PCLOB) have recommended rectifying these flaws and, most importantly, expanding the role of the amicus to include cases relating to First Amendment issues and involving novel technologies, among others. Accordingly, during Congress’s 2020 attempt at reforming Patriot Act Section 215 (known as the USA FREEDOM Act of 2020), the Senate overwhelmingly passed an amendment that would adopt these key reforms.78 Unfortunately, these reforms were never enacted, as Congress never moved to conference the Senate and House versions of the bill amid the COVID-19 pandemic shutdown.79 (The relevant Section 215 authorities have also not been reauthorized, and have seen an unprecedented lapse.)
Roadmap toward Positive Change
Standards for Effective Review as Observed by the European Court of Human Rights
In its May 2021 decision on the Swedish legal framework for foreign intelligence collection and oversight, the ECtHR shed light on the following safeguards that should significantly strengthen the overall quality of an intelligence accountability and oversight regime:
- Establishing and improving an adversarial process within the authorization process;
- Providing information on the selectors to allow for a genuine proportionality assessment;
- Introducing a ‘double lock’ system for oversight bodies;
- Endowing oversight bodies with sanctioning powers even in the context of foreign intelligence collection; and
- Providing for an independent audit of the oversight process.
Regarding the first aspect, the judgement noted that “relevant safeguards against arbitrariness” should be included in the independent ex ante authorization procedure. To achieve this, the Swedish bulk interception law requires the mandatory presence of a “privacy protection representative” at court sessions, except in urgent cases. Additionally, it points to the role of the FISA amicus in the U.S. courts as an example—a representative such as a judge, former judge, or attorney who acts “independently and in the public interest but not in the interest of any affected private individual. He or she has access to all the case documents and may make statements.”80
Not many other countries have taken this important step “against arbitrariness,”81 and notably the recent German intelligence reform also shied away from it. It remains suboptimal when judicial control bodies only hear the perspective of the intelligence service members and the executive when reviewing the lawfulness of bulk warrants. In light of the special protections for certain professional groups, for example, and recalling the inherent danger of group-think, it might be very worthwhile to include adversarial representatives in authorization proceedings to argue in the interests of affected groups, such as protected professions.82
In addition, the ECtHR also emphasized that any independent authorization process “implies necessity and proportionality analysis,”83 and goes on to underscore that it might be difficult for the judicial approval body “to appreciate the proportionality aspect where only categories of selectors are specified”84 in applications for bulk interception. Against this backdrop, for example, the fact that no individual selectors of any kind need be listed in bulk warrants85 calls into question whether the ECtHR would be satisfied with the judicial approval process pursuant to the new BND Act.
Moreover, the ECtHR's Centrum för Rättvisa v. Sweden judgment also examined whether the Swedish ex post oversight body, the Foreign Intelligence Inspectorate (SIUN),86 is adequately equipped to assess aspects of the proportionality of the interference with the rights of individuals in SIGINT activities. In so doing, it observed that SIUN conducts "numerous detailed examinations of, in particular, the selectors used" and that "it is tasked with granting the FRA access to communications bearers after verifying that the requested access corresponds to the permit issued by the Foreign Intelligence Court."87
This practice is not currently on the cards in many other jurisdictions. In Germany, for example, the amended BND Act does not foresee direct access to bearers of communications for the members of the newly founded Independent Control Council, nor does it foresee a similar double verification method of approved warrants. More specifically, the ability to unblock particular bearers and to grant access to specific cables or facilities after checking a warrant is a powerful control competence that has yet to see the light of day in many European countries.
Moreover, as observed by the ECtHR, if the Swedish Foreign Intelligence Inspectorate identifies undue SIGINT conduct, it can also decide—with binding effect—“that the collection must cease or that recordings or notes of collected data must be destroyed.”88 By contrast, the amended BND Act does not specify the extent to which the newly founded complaint mechanism available to the administrative control body of the ICC (§ 52 BND Act) may also be used to sanction malfeasance.
Finally, we learned from the recent ECtHR judgement that the Swedish oversight body is also subject to independent audits by the Swedish National Audit Office. The latter evaluates whether the oversight activities make a difference and how they could be improved.89 This independent review of an independent oversight process is also very progressive and should be considered by other nations, too. By contrast, the evaluation of the effectiveness of the ICC’s oversight, newly provided for in the BND Act, will be conducted by the ICC itself (§ 61 BND Act).
More Decisions by Security and Intelligence Services Should be Subjected to Independent Review
The CJEU’s Privacy International v. Secretary of State90 and La Quadrature du Net and Others v. Premier Ministre and Others cases offer important insights into the scope of judicial review.91
While the former case did not pronounce on foreign intelligence legislation specifically, it clarified that “a legislative measure […] on the basis of which the competent national authority may require providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission […] exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society.”92 Moreover, it stipulated that “national legislation governing access to traffic data and location data must rely on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data at issue.” Finding also that “those requirements apply, a fortiori, to a legislative measure […] on the basis of which the competent national authority may require providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission,” one can then argue that the requirements that the CJEU formulated with respect to data retention in the LQDN case should equally apply to legislative measures that compel service providers to transmit data in bulk to the security and intelligence services.
Equally interesting, the CJEU recalled in the LQDN case that the following categories of decisions by security and intelligence services ought to be subject to an independent court’s or administrative body’s jurisdiction:
- A decision giving an instruction to providers of electronic communication services to carry out general and indiscriminate retention of data (paragraph 139);
- Decisions on national security grounds requiring providers of electronic communication services to retain general and indiscriminate traffic and location data (paragraph 168);
- Decisions authorising automated analysis (paragraph 179);
- The sharing of real-time traffic and location data (paragraph 189); and
- National rules which authorise automated analysis (paragraph 192).
Whether these decisions are sufficiently subject to the jurisdiction of oversight bodies across Europe is a matter that requires further consultation. In part, this is also addressed in Chapter Three.93
In the United States, the PCLOB is the primary body with oversight capability over the intelligence community and activities. Among other things, the PCLOB is tasked with continually reviewing all regulations, laws, and procedures related to counterterrorism efforts, as well as “the information sharing practices of the departments, agencies, and elements of the executive branch to determine whether or not such practices appropriately protect privacy and civil liberties and adhere to the information sharing guidelines.” However, as the Congressional Research Service has noted, the PCLOB “was not vested with potent authority to obtain information relative to the execution of these responsibilities,” as it does not have subpoena power, among other issues.94
End-to-End Oversight as the Way Forward
There is a greater insistence both by legal courts and oversight bodies regarding the need for a more comprehensive mandate and oversight processes to cover each phase of the information continuum.95 Given that each phase of the “lifecycle of information, from how it is collected and safeguarded, to how it is shared and, ultimately, how it is used to inform real-world actions undertaken for national security or intelligence purposes”96 entails unique risks to fundamental rights and civil liberties, it is important to establish—in legislation and in actual practice—an oversight remit that subjects the entire process to rigorous independent scrutiny. This includes the initial formulation of intelligence priorities, the authorisation process, the various stages of data processing, and the numerous data sharing and retention practices. While this may have been on the agenda for quite some time now, legislation still lags behind in many countries and practice seems to encounter significant obstacles, especially when it comes to a comprehensive independent review of the various data processing processes. Yet, this is precisely where independent review is most needed because “effective review and supervision implies binding powers where the impact on the fundamental rights is the greatest, particularly in the accessing, analysis and storage phases of processing personal data.”97
The German constitutional court judgement on the 2016 BND Act provides a recent and insightful illustration of this pressing challenge. It found fault with Germany’s intelligence oversight architecture because its design and processes were deemed insufficient to satisfy the proportionality requirement. More specifically, the BND’s powers to conduct strategic surveillance measures, to share the intelligence thus obtained, and to cooperate with foreign intelligence services were not complemented by sufficiently rigorous and independent oversight. The court stipulated that “it must be guaranteed that the entire process of strategic surveillance…can comprehensively be subjected to oversight.”98 The court further specified that “an oversight body must be created that can, on its own initiative, randomly scrutinise the entire process of strategic surveillance as to its lawfulness; this concerns individual decisions, processes, the design of data processing and filtering mechanisms as well as the technical resources used for them.”99
Similarly, the ECtHR observed in its May 2021 Centrum för Rättvisa v. Sweden decision that “each stage of the bulk interception process–including the initial authorisation and any subsequent renewals, the selection of bearers, the choice and application of selectors and query terms, and the use, storage, onward transmission and deletion of the intercept material–should also be subject to supervision by an independent authority.”100 Emphasizing the need for supervising bodies to be in a position to assess the necessity and proportionality of the action being taken, the ECtHR also requested that “detailed records should be kept by the intelligence services at each stage of the process.”101 The German constitutional court was even more specific on the documentation of data sharing practices. It requested that “data sharing must be documented so as to ensure independent oversight of adherence to the requirements for data sharing […] Such documentation must also specify the statutory provision on which data sharing is based.”102
However, aside from the need to embed this principle in primary surveillance legislation, it needs to be honoured in practice. This is where most oversight bodies in Europe, even in countries where practice is comparatively quite advanced,103 still seem to encounter substantial and long-term challenges—both regarding expertise and aptitude, but also resources required for “data-driven intelligence oversight.”104
The basic premise has been summarised well by Graham Smith. When “sophisticated analytical techniques such as anomaly detection and pattern analysis are brought to bear on intercepted material, particularly communications data,” he observed, “robust end to end oversight ought to cover these techniques as well.”105
Summary
On the basis of a thorough discussion of common points of friction in national surveillance and intelligence legislation that relate to cross-border data transfers, this chapter illustrated how the more abstract safeguards referred to in the CJEU Schrems II judgement can be fleshed out further when read in conjunction with recent European jurisprudence on national intelligence legislation and national data retention frameworks. Analysis of these rulings indicates that much more must be done to adequately safeguard against risks of non-compliance and fundamental rights infringements when it comes to data re-use and data transfers and the rights of non-nationals, including their right to receive notice and their right to judicial remedy. This includes taking steps such as establishing specific data protection regimes for shared data, reinforcing independent end-to-end oversight, and making the right to redress independent from notification and secrecy regulations. International agreements and instruments can further play a crucial role in strengthening civil rights and liberties in democracies.
Citations
- The CJEU referred to several U.S. intelligence collection programmes: “60. […] the U.S. authorities’ intelligence activities concerning the personal data transferred to the United States are based, inter alia, on Section 702 of the FISA and on EO 12333. 61. In its judgment, the referring court specifies that Section 702 of the FISA permits the Attorney General and the Director of National Intelligence to authorise jointly, following FISC approval, the surveillance of individuals who are not United States citizens located outside the United States in order to obtain ‘foreign intelligence information’, and provides, inter alia, the basis for the PRISM and UPSTREAM surveillance programmes. In the context of the PRISM programme, Internet service providers are required, according to the findings of that court, to supply the NSA with all communications to and from a ‘selector’, some of which are also transmitted to the FBI and the Central Intelligence Agency (CIA). 62. As regards the UPSTREAM programme, that court found that, in the context of that programme, telecommunications undertakings operating the ‘backbone’ of the Internet—that is to say, the network of cables, switches and routers—are required to allow the NSA to copy and filter Internet traffic flow in order to acquire communications from, to or about a non-U.S. national associated with a ‘selector’. Under that programme, the NSA has, according to the findings of that court, access both to the metadata and to the content of the communications concerned. 63. The referring court found that EO 12333 allows the NSA to access data ‘in transit’ to the United States, by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before arriving in the United States and being subject there to the FISA. It adds that activities conducted pursuant to EO 12333 are not governed by statute.” Schrems II
- For more information on the trajectory of the European Court of Justice’s previous decisions on EU-U.S. data transfer agreements, see for example: Tzanou, Maria. “Schrems I and Schrems II: Assessing the Case for Extraterritoriality of EU Fundamental Rights.” October 13, 2020. source
- Tau, Byron. “EU Leans Heavily on U.S. Program Tracking Terror Financing.” The Wall Street Journal. November 19, 2020. source; and Klein, Adam. “Statement by Chairman Adam Klein on the Terrorist Finance Tracking Program.” PCLOB. November 19, 2020. source
- According to the CJEU in the Schrems II decision, “the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the [European] Charter [of Fundamental Rights], whatever the subsequent use of the information communicated. The same is true of the retention of personal data and access to that data with a view to its use by public authorities, irrespective of whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference.” In: Court of Justice of the European Union. Schrems II Judgement. July 26, 2020, recital 171. source
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 322. source
- Ibid., recital 323
- Ibid., recital 322-326
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, Headnote 6. source
- Ibid., recital 226.
- Ibid., recital 217.
- The requirement in § 19 (4) BND Act (our translation) is that “factual indications that these strategic surveillance measures can either produce insights into the following eight threat areas (national defense as well as protection of (allied) armed forces abroad; crises abroad and their effects; terrorism and (violent) extremism, or its support; criminal, terrorist or state-sponsored attacks on information technology systems by means of malware, or support for such attacks; organized crime; international proliferation of weapons of war; as well as unauthorized foreign trade with goods and technical support services in cases of significant importance; threats to critical infrastructures; hybrid threats) or if they produce insights that help to protect the following five legal interests (life or freedom of a person; existence or security of the Federal Government or a state (Land); existence or security of institutions of the European Union, the European Free Trade Association or NATO or a member state of these organisations; the Federal Republic of Germany's ability to act in foreign policy; important legal interests of the general public).”
- For a more comprehensive review, see: Kilian Vieth-Ditlmann and Thorsten Wetzling. “Caught in the Act? An analysis of Germany’s new SIGINT reform.” 2021. source
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 193. source
- The BND Act now offers increased protections to communications of certain professional groups such as journalists, lawyers or priests (§ 21 BND Act). However, when facts justify the assumption that a person from one of these three groups is the perpetrator or participant in certain criminal offenses, the targeted data collection (i.e., the use of search terms related to that person) is allowed. The same is the case if the data collection is necessary to prevent serious threats to life, limb or freedom of a person and a number of other permissible aims listed in section 2 of § 21 BND Act.
- Given that technical parameters and search terms are insufficient means to determine whether the core sphere of private life is affected, the BND is required to conduct manual assessments and must delete pertinent data immediately. In unclear cases, the Independent Control Council (see section 4) must scrutinize whether the data may be processed further (§ 22 (3) BND Act). See in: Federal Government. “Explanatory Statement of the draft BND Act.” November 25, 2020, p. 74. source
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 216. source
- Whether this volume limitation of 30 percent applies to suitability tests that the BND can conduct according to § 24 of the BND Act is not further specified in the BND Act and we suspect it does not.
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 168. source
- eco. Official Statement on the draft BND Act. February 18, 2021, p. 3. source
- PPD-28 at Section 2, source.
- Sharon Bradford Franklin, Lauren Sarkesian, Ross Schulman, and Spandana Singh, “Strengthening Surveillance Safeguards After Schrems II: A Roadmap for Reform,” New America’s Open Technology Institute, April 7, 2021, source
- See Human Rights Committee general comment No. 31 (2004), on the nature of the general legal obligation imposed on States parties to the Covenant, source.
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 276. source
- Note: The MoUs that the BND concludes with partner services must be approved by the Federal Chancellery if it involves foreign public bodies from EU or NATO member states (§ 31 (7) BND Act). All other cooperation agreements must be approved by the head of the Federal Chancellery, and the parliamentary oversight committee must be informed about the conclusion of new MoUs. If the MoU entails sharing unevaluated bulk data automatically, it requires the head of the BND to sign off (§ 33 (3) BND Act).
- In addition, § 31 (4) BND Act, our informal translation, obliges the foreign intelligence service to seek the following assurances: that purpose limitations are adhered to and data is only shared with third parties if the BND agrees; that data use is compatible with fundamental principles of the rule of law and, in particular, that data may not be used for political persecution or for inhuman or degrading punishment or treatment or for the suppression of the political opposition or certain ethnic groups; that the BND may receive, upon its request, information about the data processing by a foreign service; that data will be deleted upon request of the BND.
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 236. source
- Eijkman, Quirine et al. “Dutch National Security Reform Under Review: Sufficient Checks and Balances in the Intelligence and Security Services Act 2017?” 2018, p. 31. source; see also: Dutch Act on the Intelligence and Security Services. 2017, Articles 88–90. source
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 236. source
- §§ 29 (8) and 30 (9) BND Act in connection with § 42 (1) number 5 BND Act. source
- The German BVerfG stipulated that the rights in Article 10 of the German Basic Law (Grundgesetz) can be regarded as universal human rights and therefore demanded that the government respect these rights in all its actions, be it domestically or abroad. However, the notification duties the German government has towards its own citizens are practically suspended for foreigners abroad. Arguably, this means that judicial redress becomes close to impossible for foreign citizens.
- Irion, Kristina. “Schrems II and Surveillance: Third Countries’ National Security Powers in the Purview of EU Law.” July 24, 2020. source
- Court of Justice of the European Union. Schrems II Judgement. July 26, 2020, recital 91. source
- Court of Justice of the European Union. Schrems II Judgement. July 26, 2020, recital 187. source
- Court of Justice of the European Union. Schrems II Judgement. July 26, 2020, recital 91. source
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 61 and 173. source
- Vieth-Ditlmann, Kilian and Thorsten Wetzling. “Caught in the Act?: An analysis of Germany’s new SIGINT reform.” 2021. source
- Scott, Mark. “POLITICO Digital Bridge: Rotten Apple? – Trump fallout – Digital tax standoff.” Politico. May 6, 2021. source
- Sharon Bradford Franklin, Lauren Sarkesian, Ross Schulman, and Spandana Singh, “Strengthening Surveillance Safeguards After Schrems II: A Roadmap for Reform,” New America’s Open Technology Institute, April 7, 2021, source.
- Goitein, Elizabeth and Schwarz, Frederick A.O. Jr., Congress Must Stop Abuses of State Secrets Privilege, Brennan Center, December 14, 2009, source.
- Lyons, Carrie Newton. “The State Secrets Privilege: Expanding its Scope through Government Misuse.” 2007. source.
- Ibid.
- Wikimedia Foundation, et al. v. National Security Agency, et al., No. 20-1191 (4th Cir. 2021).
- Ibid.
- Wikimedia Foundation, et al. v. National Security Agency, et al. (2021); Alex Joel and Francesca Oliveira, “Redress: What is the Problem?,” European Law Blog, Sept. 28, 2021, source.
- TransUnion LLC v. Ramirez, 594 U.S. ___, (2021).
- Donohue, Meaghan. “TransUnion v. Ramirez: Why state enforcement will be central to the success of a future federal privacy law.” Techpolicy Press. July 28, 2021. source; Alex Joel and Francesca Oliveira, “Redress: What is the Problem?,” European Law Blog, Sept. 28, 2021, source.
- 50 U.S. Code § 1806
- Clapper v. Amnesty International. 568 U.S. 398 (2013). source
- Toomey, Patrick C. “Why Aren’t Criminal Defendants Getting Notice of Section 702 Surveillance—Again?” Just Security. December 11, 2015. source
- Electronic Frontier Foundation, Warrant Canary Frequently Asked Questions, April 10, 2014, source.
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 271. source; and European Court of Human Rights. Big Brother Watch and Others v. The United Kingdom. May 25, 2021, recital 358. source; and previously other case law by the ECHR, too: Roman Zakharov, § 234 and Kennedy, cited above, § 167
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 199. source
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 268-272. source
- See also the section on “ineffective review mechanisms and the call for end-to-end oversight” further below.
- Farrell, Henry and Abraham L. Newman. “Schrems II Offers an Opportunity – If the U.S. Wants to Take It.” Lawfare. July 28, 2020. source
- Parliamentary Assembly of the Council of Europe. “Mass Surveillance Endangers Human Rights and Does Not Prevent Terrorist Attacks, Says Council of Europe.” 2015. source
- “States shall establish an International Data Access Authority with the purpose of protecting personal data, privacy, freedom of expression and other fundamental human rights while facilitating the timely exchange of personal data across borders as may be required for the legitimate purposes of law enforcement agencies, intelligence and security services.” In: Cannataci, Joseph A. “Draft Legal Instrument on Government-led Surveillance and Privacy. Including the Explanatory Memorandum.” 2018. source
- Global Privacy Assembly. “Principles for Governmental Access to Personal Data held by the Private Sector for National Security and Public Safety Purposes.” October 2020. source
- Farrell, Henry and Abraham L. Newman. “Schrems II Offers an Opportunity – If the U.S. Wants to Take It.” Lawfare. July 28, 2020. source
- Wetzling, Thorsten and Charlotte Dietrich. “Wanted: better safeguards for intelligence in an interconnected world.” about:intel. October 15, 2020. source
- Brown, Ian and Douwe Korff. “Exchanges of Personal Data After the Schrems II Judgement.” IPOL – Policy Department for Citizens’ Rights and Constitutional Affairs. July, 2020, p.10. source
- This includes the two recent Grand Chamber decisions of the European Court of Human Rights, namely Centrum för rättvisa v. Sweden (no. 35252/08) and Big Brother Watch and Others v. United Kingdom (nos. 58170/13, 62322/14 and 24960/15). In addition, one can point to CJEU jurisprudence on national data retention regulations (Case C-623/17 and the joined Cases C-511/18, C-512/18 and C-520/18), which attracted significant commentary and attention. Moreover, one can point to landmark judgements on SIGINT practice, legislation, and oversight by national courts, such as the High Court and the Supreme Court in the United Kingdom, and the Constitutional Court and the Highest Administrative Court in Germany. Of interest for comparative legal analysis are also the landmark decisions of the Constitutional Courts of Austria and, further afield but no less interesting, of South Africa.
- This concerns, for example, Germany, France, Norway and Sweden, but there are also frequent ongoing discussions about necessary reforms to U.S. surveillance legislation. For a recent discussion, see Bradford Franklin et al. “Strengthening Surveillance Safeguards after Schrems II: A roadmap for Reform.” New America’s Open Technology Institute. 2021. newamerica.org/oti/reports/strengthening-surveillance-safeguards-after-schrems-ii/2; Kerry, Cameron F. “The Oracle at Luxembourg: The European Court of Justice judges the world on surveillance and privacy.” Brookings Report. 2021. source
- Murray, Daragh and Peter Fussey. “GCHQ’s ethical approach to AI: an initial human rights-based response.” about:intel. March 5, 2021. source and GCHQ. “Pioneering a new national security. The ethics of artificial intelligence.” 2021. source
- Interestingly, as noticed by the European Court of Human Rights, “at least seven Contracting States (being Finland, France, Germany, the Netherlands, Sweden, Switzerland and the United Kingdom) officially operate bulk interception regimes over cables and/or the airways.” European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 131. source. Spain, Italy, Belgium and Denmark have sizable intelligence communities, but they are not mentioned in this list.
- Council of State. French Data Network and Others. April 2021. source
- Messaud, Arthur and Noémie Levain. “CJEU rulings v. French intelligence legislation.” about:intel. May 14, 2021. source
- “For instance, the Council of State stressed that France needs to change its surveillance law so as to render binding the opinions given by the National Commission for the Control of Intelligence Techniques (CNCTR), an independent oversight body, with regard to the use of data that is retained for intelligence purposes. Similarly, France will need to take stock of the 2 March 2021 [CJEU’s] Prokuratuur judgement especially in view of the requirement that competent law enforcement authorities’ access to retained data must always be subject to a prior review carried out either by a court or by an entirely independent administrative body.” Christakis, Theodore. “French Council of State discovers the ‘philosopher’s stone’ of data retention.” about:intel. April 23, 2021. source
- “Lastly, where French intelligence services collect information from foreign services, such an access is never subject to CNCTR’s review. This has been a recurring complaint from the CNCTR (and us) for years. Both the Government and the Conseil d’État have refused to address it (in its recent ruling, the Conseil d’État acted as if we never raised the issue).” Messaud, Arthur and Noémie Levain. “CJEU rulings v. French intelligence legislation.” about:intel. May 14, 2021. source
- Consider also the pertinent findings (discussed above) of the German Constitutional Court on prior authorization of foreign search terms used for automated transfer of data in the context of intelligence cooperation.
- European Court of Human Rights. Centrum för Rättvisa v. Sweden – Concurring Opinion of Judge Pinto de Albuquerque. May 25, 2021, paragraph 9. source
- Ibid., paragraph 23.
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 287f. source
- Klehm, Bryce and Rohini Kurup. “Justice Department IG Releases Audit of FISA Procedures.” Lawfare. September 30, 2021. source; Department of Justice Office of the Inspector General, Audit of the Federal Bureau of Investigation’s Executions of Its Woods Procedures for Applications Filed With the Foreign Intelligence Surveillance Court Relating to U.S. Persons, September 2021. source
- Goitein, Elizabeth et al. “Top Experts Analyze Inspector General Report Finding Problems In FBI Surveillance.” Just Security. April 27, 2020. source
- Klein, Adam and Benjamin Wittes. “Adam Klein and Benjamin Wittes on FISA.” The Lawfare Podcast. October 11, 2021, 29:05-30:00. source
- Bradford Franklin, Sharon. “A Key Part of Surveillance Reform is Now in Jeopardy.” Slate. May 29, 2020. source
- See Ibid. and Leahy, Patrick J. and Mike Lee. “Opinion: FISA Needs Reform. Our Amendment Would Do That. And Protect Constitutional Rights.” Washington Post. May 10, 2020. source
- Ibid.
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 298. source
- Ibid.
- Consider also this statement on the merit of adversarial voices: “to avoid being a rubber stamp, the process needed an adversary […] to challenge and take the other side of anything that is presented to the FISA Court […] anybody who has been a judge will tell you that a judge needs to hear both sides of a case before deciding.” In: Bradford Franklin, Sharon. “A Key Part of Surveillance Reform Is Now in Jeopardy.” Slate. May 29, 2021. source
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021. source
- Ibid., recital 301.
- See § 23 (6) sentence 2 BND Act.
- Statens inspektion för försvarsunderrättelseverksamheten (SIUN), source
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 347-348, source
- Ibid., recital 350, source
- Ibid., recital 54, source
- Court of Justice of the European Union. Privacy International v Secretary of State. October 6, 2020. source
- Court of Justice of the European Union. La Quadrature du Net and Others v Premier Ministre and Others. October 6, 2020. source; Court of Justice of the European Union. Privacy International v Secretary of State. October 6, 2020. source
- Ibid.
- See, for example, the discussion in: Müller, Michael W. and Thomas Schwabenbauer. “Anforderungen der Unionsgrundrechte an Datenverarbeitungen durch nationale Sicherheits- und Strafverfolgungsbehörden.” Forthcoming; Vieth-Ditlmann, Kilian and Thorsten Wetzling. “Caught in the Act?: An analysis of Germany’s new SIGINT reform.” 2021. source
- source
- NSIRA. “2019 Annual Report.” 2020, p. 20. source
- Ibid., p.21.
- CTIVD and TIB. “Council of Europe Convention 108+ and oversight on national security.” 2021, p. 4. source
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 279. source
- Ibid., recital 276.
- European Court of Human Rights. Centrum för Rättvisa v. Sweden. May 25, 2021, recital 270. source
- Ibid.
- German Federal Constitutional Court. BND Act Judgement. May 19, 2020, recital 228. source
- Derix, Steven and Rik Wassens. “Toezichthouders inlichtingendiensten: ‘Balans tussen nationale veiligheid en privacy raakt zoek.’” July 3, 2021. source
- Vieth, Kilian and Thorsten Wetzling. “Data-driven Intelligence Oversight. Recommendations for a System Update.” 2019. source
- Smith, Graham. “What will be in Investigatory Powers Act Version 1.2?” October 30, 2018. source