Chapter 4: Intragovernmental Intelligence Flows
The rapid evolution of surveillance technology is a commonly discussed theme in many policy circles in the United States and across Europe. Less discussed are the consequences of the trend whereby the hardware and software for data collection and data processing are increasingly converging across several agencies in the security sector. Whether it is a military intelligence service, police-led intelligence, or customs, border, and migration services, there is a constant and growing demand for different government agencies to cooperate more seamlessly in response to complex, cross-border security threats. This entails data transfers, joint access to common databases, and the use of so-called cross-system information analysis platforms, many of which are tailor-made by contractors such as Palantir, BAE Systems, Deloitte, IBM, Rola, and others.
The push for more cross-system analysis, as relevant for modern security provision as it may be, should invite lawmakers to ponder more intensely over various associated risks. As indicated by the Council of Europe’s Venice Commission, it is not only “the issue of who may query the bulk data collected and for what purposes” but also “lax controls on acquisition, combined with lax minimisation rules and lax controls on access to the data” that is “a dangerous combination,”1 especially in the context of international security cooperation.
Analysis of Common Points of Friction
This section highlights typical risks and unresolved governance aspects regarding the cooperation of various security agencies—both nationally and internationally. It also discusses how they relate to the current transatlantic quest for a better agreement on cross-border data transfers and lawful government access.
Fragmented Legal Frameworks for Similar Data Collection and Data Processing
Unlike other democracies, Germany still sports more than a dozen separate bodies of law on the mandates and democratic governance processes for its intelligence community alone.2 This stands in stark contrast to countries like the United Kingdom, which has gone to great lengths to establish a main regulatory framework for the use and governance of investigatory powers across several agencies of the security sector (the Investigatory Powers Act). However, German lawmakers continue to focus primarily on the individual security service at hand and have thus far shied away from adopting a more functional approach that focuses instead on the general nature of investigatory powers that the state may use to obtain access to different types of data—irrespective of which agency then deploys them. Their approach to regulation has arguably done very little to improve legal clarity. Quite the contrary, new reforms in 2021 have added to the sheer complexity of the legal framework by inserting various new cross-references to similar yet still different provisions in other laws.
Consider, for example, that the BND’s bulk collection practice remains regulated in two separate bodies of law, namely the BND Act and the Article 10 Act. Depending on whether the bulk data collection pertains to foreign-domestic traffic or foreign-foreign traffic, one must consult the Article 10 Act and the BND Act, respectively. Providers can be compelled to provide government access under two different regulatory frameworks, even though the obligation is very comparable in substance and duration. This causes undue duplications in the authorization and oversight process as well as frustration among the service providers who must unnecessarily navigate different legal regimes.
Overlapping and Unsynced Oversight
More generally, it is worth examining whether having different accountability mechanisms and fora for similar investigatory powers defies the protection of human rights, the rule of law, and core democratic principles. This is particularly important in light of growing and more seamless cooperation between different domestic and international security agencies, including the automated sharing of unevaluated personal data.
In Germany, bulk collection is not only regulated in separate laws, it is also overseen very differently—depending on whether it is the foreign intelligence service or the military that practices it. Yet, even with regard to bulk collection by the foreign intelligence service, it is overseen by two separate judicial bodies, namely the G10-Commission and the Independent Control Council.3 This creates a potential mismatch between the different oversight bodies conducting different types of reviews on similar intelligence collection practices with substantial differences in resources and competencies. Other countries should therefore not follow this model because, amongst other concerns, it carries inherent risks of duplication, turf battles, and likely deficits in the overall accountability and transparency performance.
In the United States, the Title 10-Title 50 debate has long demonstrated the jurisdiction and mismatched oversight problem between military and intelligence activities. This debate is ultimately about the proper roles and missions of U.S. military forces (“Title 10”) and intelligence agencies (“Title 50”).4 One crux of the debate has been the vast differences in oversight between military operations and intelligence activities. Former CIA General Counsel Jeffrey H. Smith summarized the issue, noting “if the activity is defined as a military activity (‘Title 10’) there is no requirement to notify Congress, while intelligence community activities (‘Title 50’) require presidential findings and notice to Congress.” The natural inclination for executive branch lawyers, according to Smith, is to prefer the Title 10 paradigm to escape congressional notification requirements.5
Bulk data collection through signals intelligence and computer network exploitation (hacking) are practices that both the German armed forces and Germany’s foreign intelligence service (BND) regularly use.6 Computer network exploitation is particularly noteworthy in this regard: It is "the Swiss army knife of surveillance" because it combines many powerful surveillance functions in one powerful tool. This can include audio, visual, email, texts, communications metadata, online activity surveillance, as well as location tracking through one single method.7
While these practices by the civilian intelligence services and military intelligence are often closely aligned, often for a good reason, such as force protection, they remain subject to substantially different oversight bodies with radically different control densities.8 The requirements for data processing, transfers, and deletion within the armed forces are fewer and less transparent. There is, however, a need for a more holistic perspective, for example, when the BND automatically transmits data that it collected as part of its “cold-start collection via suitability testing” (which does not carry data minimization requirements) to the German armed forces (§ 24 (7) sentence 3 BND Act). Comparing the oversight remits and resources for civilian intelligence with that for military intelligence and recalling the increased cooperation between these actors, it is deplorable that the newly created German judicial and administrative oversight body (ICC) will have no mandate to review the use of such data by the German armed forces. This is done very differently, for example, in Canada. See the discussion further below.
Furthermore, the practice to establish limited oversight mandates for separate oversight bodies runs counter to the norm established in international conventions, notably the modernized Convention of the Council of Europe for the protection of individuals with regard to the processing of personal data.9 As observed recently by the Dutch intelligence oversight bodies CTIVD and TIB in their memo on that convention, “when appointing the oversight body/supervisory authority (i.e., Article 11.3, 15, and 16(2) of the Convention), it must be clear that the entire national security domain falls under the responsibility of the oversight body or bodies to be appointed.”10
U.S. government “fusion centers” have also brought this information-sharing issue into focus. Fusion centers are state-owned and operated centers, funded by the Department of Homeland Security, that serve as focal points in states and major urban areas for the receipt, analysis, gathering, and sharing of threat-related information between state, local, tribal and territorial; federal; and private sector partners.11 According to the Brennan Center, which has done in-depth analyses of fusion centers, “the theory is that in their normal activities, state and local police come across information that might be useful in uncovering terrorist plots. The Department of Homeland Security funded and promoted fusion centers as a means to harvest this information and provide it to intelligence analysts so they could ‘connect the dots’ and prevent terrorist attacks… But as early as 2007, leaked reports from fusion centers showed serious problems with their intelligence gathering. Instead of looking for terrorist threats, fusion centers were monitoring lawful political and religious activity.”12
Most recently, the January 6, 2021 insurrection in the United States has brought attention back to these issues, as intelligence sharing between the various domestic U.S. agencies has come to the forefront—some officials blaming failures in intelligence sharing for the severity of the attack.13
Roadmap toward Positive Change
As government agencies are increasing their interconnectedness thanks to the rapid evolution of surveillance hardware and software, there is also a substantial increase in automated data transfers and cross-system information analysis between different actors of the security sector. In light of this, narrow horizontal oversight mandates and fragmented legal frameworks can unduly contribute to obfuscation and an increase of accountability gaps and transparency deficits. This also carries the risk of creative non-compliance or malfeasance. Therefore, U.S. and EU policymakers should be interested in learning how to overcome such risks, especially in view of a potential review of a new cross-border data sharing agreement. A future European Court of Justice or a U.S. court will have to assess whether robust safeguards exist in both entities to legitimize lawful government access to personal data obtained in such contexts, many of which also concern data held by the private sector.
Establishing Holistic All-Inclusive Oversight Remits
Fortunately, as argued below, there are positive examples from which to draw inspiration for a rights-based cross-border data agreement. While the German government sees no problem with the above-mentioned mismatch of having different oversight bodies review similar intelligence collection practices with substantially different resources and review competencies,14 recent statutory reforms in Canada15 and the United Kingdom16 point in a notably different direction.
The new Canadian oversight body, NSIRA, for example, can “review any activity in the federal government that relates to national security or intelligence.” The organization calls it “horizontal, in-depth interagency review.”17 “It […] allows NSIRA to break down the previously compartmentalized approach to review and accountability, and replace it with horizontal, in-depth interagency review.”18
While compartmentalized oversight setups might lack the general overview of all data processing and data transfers across national security agencies, they have become specialized, which is also an important feature. Hence, lawmakers should be cautious not to merely opt for centralized oversight at the expense of resources and precision in investigations.
Multilateral and Transatlantic Oversight Cooperation
Transnational threats prompt closer cross-border cooperation among intelligence services, but increasingly also involve a range of other security agencies, including the military, police, and other branches of the security sector. Typically, joint databases are run multilaterally, with all participating services adding and accessing data, albeit with several restrictions and caveats. In such cases, there is a need for creating joint responsibility among the participating states for the database and subsequent data processing.
The Dutch Intelligence Oversight Body’s (CTIVD) 2018 report on the European Counter Terrorism Group’s (CTG) operational database in the Netherlands provides a useful illustration of typical open questions related to government responsibility and oversight in the context of international intelligence cooperation. The CTG facilitates, amongst other things, the multilateral exchange of evaluated data on individuals who have traveled to and returned from conflict areas. The CTIVD concluded, for example, that safeguards for the protection of fundamental rights were not sufficiently addressed and recommended setting up multilateral controls.19
While some states may accept responsibility and oversight for their services’ submissions to joint databases, the subsequent data processing is rarely covered, certainly not if the database is not hosted by a foreign government, on foreign territory. This creates the potential for severe accountability gaps: Who is held responsible for the processing of erroneous data? Furthermore, as acknowledged by the Dutch government, there is a pressing need to ensure effective oversight over the use of joint databases, possibly in the form of multilateral oversight.20
The forward-looking recommendations by the Dutch oversight body with respect to multilateral oversight are something that policymakers should pay greater attention to—beyond the complex accountability deficits of the European CTG’s operational platform—to which the United States apparently has observer status.21
Summary
EU member states and the United States may find it increasingly difficult to defend the fact that data processing across their respective security sectors is done with similar investigatory powers, yet is governed and overseen by substantially different statutes, review bodies, mandates, and with different resources.
According to a recent study by the Geneva Centre for Security Sector Governance (DCAF) and NATO’s Parliamentary Assembly, “a sub-standard legal base, insufficient expertise and little public attention have deprived military intelligence oversight of effectiveness in too many countries and for too long. In most parliaments there is no routine oversight over military intelligence.”22
Bulk collection by military intelligence services can present the same risks to fundamental rights as similar practices by (civilian) intelligence agencies. Yet, oversight over military intelligence’s access and use of such data is rarely as comprehensive and well-resourced as intelligence oversight has become in some jurisdictions.
Given the privileged partnership between the military and the civilian intelligence services, a comprehensive legal framework would go a long way to mitigate the inherent risk of creative non-compliance. For example, a government may be inclined to maintain separate oversight regimes and accept accountability deficits as part of a hidden motive to foster “autonomy-enhancing capacities and opportunities to somehow forestall, neutralize, transform, resist, or overcome the societal constraints imposed upon them.”23 To illustrate this further, the federal German government may be inclined to delegate more tasks to intelligence units of the military due to the fact that processing of data from bulk collection is far less rigidly overseen there than the BND’s data processing. This is unlikely to be the sole decisive criterion for such data transfer decisions, but good legislative and oversight practice ought to be more mindful of such potentially hidden raisons d’état, too.24
Accordingly, a more comprehensive framework with reduced but strengthened oversight bodies would limit the risks to oversight effectiveness discussed above.
Citations
1. Venice Commission of the Council of Europe. “Report on the Democratic Oversight of Signals Intelligence Agencies.” December 15, 2015.
2. In 2018, the German Parliament published a collection of federal intelligence laws, and this collection consists of 31 separate pieces of legislation.
3. See the remit of these bodies in § 15 of the Article 10 Act and § 41 of the BND Act, respectively.
4. Andru E. Wall. “Demystifying the Title 10-Title 50 Debate: Distinguishing Military Activities, Intelligence Operations, & Covert Action.” Harvard National Security Journal, Vol. 3. 2011.
5. Ibid.
6. See also Vieth-Ditlmann, Kilian and Thorsten Wetzling. “Caught in the Act?: An analysis of Germany’s new SIGINT reform.” 2021.
7. Smith, Stephen W. “Clouds on the Horizon: Cross-Border Surveillance under the U.S. Cloud Act.” 2021, p. 129.
8. See Wetzling, Thorsten. “Stellungnahme zum Entwurf eines Gesetzes zur Änderung des BND-Gesetzes zur Umsetzung der Vorgaben des Bundesverfassungsgerichts und des Bundesverwaltungsgerichts.” February 21, 2021, p. 16f.
9. Council of Europe. “Convention 108+ – Convention for the protection of individuals with regard to the processing of personal data.” 2018.
10. CTIVD and TIB. “Memo CTIVD and TIB on Convention 108+.” February 17, 2021. For a more detailed discussion on the relevance of Article 11 of this modernised Convention for democratic intelligence in Europe, see: Wetzling, Thorsten and Charlotte Dietrich. “Report on the need for a guidance note on Article 11 of the modernised Convention.” June 11, 2021.
11. Department of Homeland Security. “Fusion Centers.” September 19, 2019.
12. Patel, Faiza and Michael Price. “Fusion Centers Need More Rules, Oversight.” Brennan Center for Justice. October 18, 2012.
13. Alfaro, Mariana. “U.S. Capitol Police’s failure to share intelligence internally crippled its response to Jan. 6 attack, former official says.” Washington Post. October 11, 2021.
14. Federal Government. “Answer of the Federal Government to the minor interpellation 19/2583.” January 26, 2021, p. 5.
15. Bill C-59 entered into force on 21 June 2019. The new Canadian oversight body NSIRA can access “classified information in the possession or under the control of any department or agency (except Cabinet confidences).” In: NSIRA. “2019 Annual Report.” 2020, p. 16. content/uploads/2020/12/AR-NSIRA-Eng-Final.pdf (emphasis added).
16. In the 2016 Investigatory Powers Act (IPA), the Investigatory Powers Commissioner’s competencies are defined by whether or not investigatory powers are exercised no matter which government agency is involved: “the Investigatory Powers Commissioner must keep under review … the exercise by public authorities of statutory functions” (IPA, section 229 (1), emphasis added). It is thus not restricted to reviewing certain intelligence agencies only. Exceptions to these provisions are defined in IPA 229 (4).
17. NSIRA. “2019 Annual Report.” 2020, p. 20. content/uploads/2020/12/AR-NSIRA-Eng-Final.pdf
18. Ibid., p. 16.
19. CTIVD. “Review report 56 on the exchange of personal data on (alleged) jihadists by the AIVD.” April 26, 2018.
20. “Bearing joint responsibility also requires joint, multilateral oversight. After all, the different national oversight bodies will each face the question whether the service they are overseeing gives sufficient implementation to the joint responsibility that the service bears. National oversight alone is insufficient in this case. The government recently agreed that there must be multilateral oversight. […] it is necessary that the safeguard of independent, adequate and effective joint oversight is included in a common data protection framework for the CTG database. […] Another option would be to explicitly divide the oversight tasks, with one or a few oversight bodies being charged with organising the joint oversight. […] One or more oversight bodies could be assigned the responsibility to perform the oversight on behalf of all of them. […] A third option would be to institute overarching, international oversight. To that end a new international oversight body would have to be created, to which certain oversight powers are assigned. This is the most far-reaching option and would require a public-law basis, such as a treaty between States.” CTIVD. “Review report 56 on the exchange of personal data on (alleged) jihadists by the AIVD.” April 26, 2018.
21. Jirat, Jan and Lorenz Naegeli. “The Club de Berne: a black box of growing intelligence cooperation.” about:intel. April 1, 2020.
22. Jasutis, Grazvydas et al. “Parliamentary Oversight of Military Intelligence.” DCAF. 2020, p. 39.
23. Nordlinger, Eric A. “On the Autonomy of the Democratic State.” 1982, p. 30.
24. Koenig-Archibugi, Mathias. “International Governance as New Raison d’Etat? The case of EU Common Foreign and Security Policy.” European Journal of International Relations. 2004.