Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
There exist several national oversight mechanisms:
La L.R&S prévoit un double contrôle dans la mise en œuvre des méthodes de recueil de données (MRD) au niveau de la légalité, de la subsidiarité et de la proportionnalité : un contrôle a priori par la Commission BIM (art. 18/10) et un contrôle a posteriori par le Comité permanent “de contrôle des services de renseignement” ci-après le Comité permanent R. (art. 43/2).
In the Law on the Intelligence and Security Agency as a body of external management and supervision of the agency listed are: Presidency of Bosnia and Herzegovina, Council of Ministers, Chairman of the Council ministers, the Executive Intelligence Committee and the Bosnia and Herzegovina Parliamentary Assembly. Within the Council of Ministers, the formation of the Executive Intelligence Committee with its own was foreseen secretariat, with the aim of advising the chairman of the Council of Ministers and facilitating coordination of intelligence and security issues (Article 12 of the Law on Intelligence and Security agency). Also, the Bosnia and Herzegovina Presidency, as an important part of the executive power, plays its role in directing the work and control of the Intelligence and Security Agency of Bosnia and Herzegovina. It is stated that receives intelligence data, directs the chief inspector to carry out an inspection, audit or an investigation concerning current or potential problems related to the work of the Agency, which may pose a threat to the responsibilities of the Bosnia and Herzegovina Presidency, opined about reports of the inspector general, approves the annual intelligence policy platform, annual report on the work and expenses of the Agency, agreements between the Agency and institutions of foreign countries and international organizations and their institutions, determines the list of institutions and facilities that are object of protection. (Article 7 of the Law on Intelligence and Security Agency). Also, Article 18. The Law on the Intelligence and Security Agency provides for parliamentary supervision in the sense that The House of Representatives and the House of Peoples of the Parliamentary Assembly of Bosnia and Herzegovina are jointly established The Joint Commission for Supervision of the Work of the Intelligence and Security Agency of Bosnia and Herzegovina. The role of the Bosnian judiciary in controlling the work of the Intelligence and Security Agency is primarily related to the use of special investigative actions by the Intelligence security agencies. The Office of the Ombudsman for Human Rights also has a role in supervising the work of security institutions rights. Although this office considers cases related to poor functioning or to violation of human rights committed by any body of Bosnia and Herzegovina, its entities and Brčko District, the office also considers complaints in cases of corruption in security institutions if they are violated basic human rights of citizens or employees in the security sector. Legally, the framework defines the jurisdiction and powers of the Ombudsmen of Bosnia and Herzegovina, the rules of procedure in monitoring the work bodies and institutions in procedures for citizens' complaints and ex officio, and other important issues related to the functioning of this state mechanism for the protection of basic human rights and freedom. However, this body can only issue recommendations and they are not binding on institutions to which they refer.
In Bulgaria, Parliamentary oversight is conducted by specialized committees. Moreover, the National Bureau for Control over Special Intelligence Means carries out oversight as an independent expert body.
There are numerous oversight and review bodies in Canada for the activities of the security services. For example:
In the case of Croatia, Parliamentary committees (The Committee for Internal Affairs and National Security) oversee intelligence agencies. Moreover, high-level judicial authorization is required for certain intelligence measures. The Office of the National Security Council oversees these agencies, ensuring actions are lawful and proportional, with authority to correct violations and report findings to top government officials. Finally, Specialized bodies like the Council for Civic Oversight of Security Intelligence Agencies and the Council for Civic Oversight of Police Powers provide non-judicial oversight, handling public complaints, verifying legality, and reporting findings to the government.
An expert oversight body exists in Denmark (the Danish Intelligence Oversight Board - Tilsynet med Efterretningstjenesterne).It has the power to fully access data collected by security services. However, the Oversight Board does not supervise individual cases of use of spyware in the context of criminal or intelligence investigation. This is a matter for the courts. A specialised parliamentary committee overseeing the activities of the security services is in place.
There are parliamentary oversight measures as well as by the executive and judicial. Judicial oversight takes place prior to the use of intelligence. There is a detailed overview of the judicial proceedings in these issues by the Supreme Court (in Estonian; Conclusions on pp 27-29), as the number of case-law is quite significant.
The system of oversight constitutes a combination of both legal and parliamentary mechanisms of oversight in which various actors are charged with the task of oversight of criminal and intelligence investigations as follows.
In the case of France, the National Commission for Control of Intelligence Techniques (CNCTR) is the independent body that oversees over surveillance measures. Additionally, specialised parliamentary committee oversight the activities of the intelligence agencies.
Oversight includes both judicial and independent executive authorization bodies. More specifically, the G10 Commission and the Independent Oversight Council play a key role in the oversight of the security services. For instance, the Independent Oversight Council acts as an administrative oversight body for ex post oversight. Its members are six judges of the Federal Supreme Court and/or the Federal Administrative Court, who are elected by the Parliamentary Oversight Panel for 12 years.
Article 19 of the Greek Constitution, provides for an « independent authority », with competence to « ensure the secrecy » referred to in the 1st paragraph of the same Article. That authority is the Hellenic Authority for Communication Security and Privacy (Aρχή Διασφάλισης του Απορρήτου Επικοινωνιών, ΑDΑΕ), which was created in 1994 and renamed ADAE by law 3115 of 2003. ADAE is one of the five independent authorities expressly provided for by the Greek Constitution. Its powers, however, have been seriously contested in the last few years both by EYP and by the judiciary.
The Police Monitoring Committee, an independent administrative body, was established on 1 January 2017. Its main role is to receive notifications from citizens regarding alleged criminal conduct of the police, improper police working methods or misbehavior. The Committee operates on under the Police Act No. 90/1996, cf., Act No. 62/2016, and Regulation No. 222/2017. Court orders permitting surveillance, such as listening, may be appealed to the Court of Appeal (Landsréttur).
Oversight of security services
There are two levels of control mechanisms. First of all, a judicial control: the Prosecutor General at the Court of Appeal in Rome should authorize wiretapping ordered in the context of the activities of the Security Intelligence Services. Secondly, there is a parliamentary control, entrusted to the Parliamentary Committee for the Security of the Republic, which is composed of five deputies and five senators, and appointed, at the beginning of each legislature, within twenty days of the vote of confidence in the Government. According to Article 30 of law 3 august 2007, n. 124, the Committee is appointed «by the Presidents of the two branches of Parliament in proportion to the number of members of the parliamentary groups, while still ensuring equal representation of the majority and oppositions and taking into account the specificity of the tasks of the Committee». The Committee «shall systematically and continuously verify that the activities of the Security Intelligence Service are carried out in accordance with the Constitution and the laws, in the exclusive interest and for the defence of the Republic and its institutions». The control functions of the Parliamentary Committee for the Security of the Republic are regulated in detail by Article 31 of the law n. 124/2007. In particular, the committee «may obtain, even in derogation of the prohibition established by Article 329 of the Code of Criminal Procedure, copies of acts and documents relating to proceedings and investigations under way at the judicial authority or other investigative bodies, as well as copies of acts and documents relating to parliamentary investigations and inquiries. The judicial authority may also transmit copies of acts and documents on its own initiative».
/
In the case of intelligence surveillance, the law provides for a parliamentary oversight mechanism. In other words, the oversight of the Kosovo Intelligence Agency is conducted by an oversight parliamentary body, whose mandate is determined by law and its composition set forth in the Rules of Procedure of the Assembly.
There are the following national mechanisms in Kyrgyzstan for control (supervision) over the bodies that carry out operational investigative activities:
In Liechtenstein a secret service does not exist. Activities of the security services are subject of parliamentary scrutiny. Measures taken by the criminal investigation on behalf of the courts are subject to the judicial remedies. Other police
A person who considers that the actions of criminal intelligence entities violated his rights and freedoms may appeal against these actions to the head of the main body of criminal intelligence or the prosecutor. A person who disagrees with the decision of the head of the main body of criminal intelligence or the prosecutor may, within 20 working days from the date of receipt of the decision, file a complaint with the president of the district court or a judge authorized by him. These complaints must be dealt with no later than 20 working days from the date of receipt of the complaint. The decision of the president of the district court or the judge authorized by him is final and not subject to appeal. In cases where human rights and freedoms are violated, the subjects of criminal intelligence must, in accordance with the procedure established by legal acts, restore the violated rights and freedoms and compensate for the resulting damage. For more information on these aspects, please see Articles 5 and 22 of the Law on Criminal Intelligence.
Surveillance measures are subject to checks from investigating judges and compliance with data protection laws. Four-level oversight includes administrative, judicial, executive, and parliamentary review.
In Malta, there is no parliamentary nor judicial oversight of the Security Service. The operations of the Security Service are overseen by the responsible Minister (executive control), the Commissioner of the Security Service (an expert body) and the Security Committee (formed by members of the executive).
The Law no. 59/2012 on the special investigation activity provides for several oversight mechanism:
Judiciaire.
L’article 70 de la Constitution marocaine de 2011 charge le Parlement de voter la loi, contrôler l’action du Gouvernement et évaluer les politiques publiques. À ce titre, le Parlement peut interroger les ministres de l’Intérieur et de la Justice sur toute matière relavant des politiques publiques sécuritaires. De même, le Parlement peut créer des commissions d’enquête afin de contrôler les activités des services de sécurité.
In the Republic of North Macedonia, the oversight of communication monitoring measures is a multi-faceted process involving several key entities. The primary bodies responsible for overseeing these measures include the Assembly of the Republic of
Law enforcement authorities:
/
In Poland, oversight of the activities of the security services is carried out through a combination of judicial, parliamentary, executive, and expert mechanisms. Each of these oversight bodies has specific roles and powers, some of which include binding
The organic law of the Information System of the Portuguese Republic (SIRP) institutes a Supervisory Council (CFSIRP), composed of three citizens of recognized repute, independent, elected by the Assembly of the Republic (Parliament), by a majority of 2/3, for a four-year mandate, which works alongside Parliament; this body, among several powers, oversees the procedure for accessing telecommunications and internet data and the so obtained data by the intelligence services.
Romania employs parliamentary committees for intelligence oversight.
The Republic of San Marino does not have a national Secret Service established by law. There are only bodies that perform military or police functions.
The national oversight of the activities of the security services in the Republic of Serbia involves a combination of various mechanisms (judicial, parliamentary, executive, and expert).
The National Council of the Slovak Republic (the parliament) exercises oversight, mainly via its special commission for the monitoring of the use of information-technical devices (Sections 8a and 9 PAIA).
6.1.Parliamentary Oversight:
Sweden has parallel oversight systems for domestic and foreign intelligence functions. For domestic law enforcement (police, customs) and the security police, there is the Commission on Security and Integrity Protection (Säkerhets- och integritetsskyddsnämnden or SIN). This oversees the use of surveillance in investigations conducted under the criminal law. SIN was created in 2007 when the police and Security Service were granted increased surveillance powers. There was a realisation that the prosecutorial and judicial control only checked if there was reasonable cause to initiate surveillance, and there was no post hoc monitoring with focus on “lessons learnt”. SIN was thus given a follow-up oversight function over use of electronic surveillance for domestic investigations and other special investigative powers (such as the use of infiltration).
Oversight mechanisms in criminal proceedings:Once the surveillance has been notified (see question 7), the person concerned has the right to appeal to the cantonal court (Articles 279 and 393 et seq. CPC, a posteriori review) and ultimately to the Federal Supreme Court (ex post control). These courts have binding remedial powers. Oversight mechanisms for the activities of the security services: There is an extensive section on control and supervision in Art. 75 et seq. of the IntelSA, in particular,
1) Law of Ukraine “On Criminal Intelligence Operation activities” establishes the following:
There is a detailed oversight regime including an IPC, Judicial Commissioners and an Investigatory Powers Tribunal (IPT). The IPC carries out detailed auditing and reporting of the use of such powers, the Judicial Commissioners are responsible for the authorisation of warrants and notices as well as having their own investigative powers and the IPT is an entirely independent Tribunal established to hear complaints about the misuse of investigatory powers. It is comprised of individuals who have held high judicial office (and the President must be such a person) and senior lawyers. The Tribunal also has power to award compensation and may make orders for the destruction of information and records of information and for the cancellation of warrants.
Executive, judicial, and legislative bodies oversee surveillance activities. For an example of the overlapping oversight, Section 702 of FISA is subject to oversight by the Department of Justice (DOJ), the Office of the Director of National Intelligence (ODNI) and other intelligence agencies, the Foreign Intelligence Surveillance Court (FISC), and Congress.
Austria
The competent organisational units for the protection of the constitution are the Directorate for State Protection and Intelligence Service (Directorate) of the Directorate General for Public Security and, in each federal state, an organisational unit responsible for state security which belongs to the respective state police directorate. In enforcing the Law on State Security and Intelligence, the Directorate shall act on behalf of the Federal Minister of the Interior, while the organisational unit responsible for state security shall act on behalf of the respective provincial police directorate. The Directorate and the competent organisational units on state level are, under certain conditions specified in the law, allowed to process data (see question 1). The legal protection officer (Section 14 of the Law on State Security and Intelligence in conjunction with Section 91a Security Police Act – is responsible for monitoring data processing covered by Section 12 paras. 1 and 1a of the Law on State Security and Intelligence (see Section 12 para. 6 and Section 14 para. 1 leg.cit.). Furthermore, the legal protection officer is responsible for special legal protection in the tasks under Section 6 paras 1 and 2 leg.cit. (extended threat investigation and protection against attacks that jeopardise the constitution). Before carrying out tasks under Section 6 paras. 1 and 2 leg.cit., the competent organisational units shall obtain the authorisation of the legal protection officer via the Federal Minister of the Interior in advance. The same shall apply if it is intended to carry out special investigative measures pursuant to Section 11 leg.cit. (observation, undercover investigation, use of licence plate recognition devices, etc.) or to further process data collected pursuant to Section 10 para. 4 leg.cit. The Directorate and the unit responsible for state security on state level also have to provide insight to the legal protection officer into all necessary documents, records and processed date as well as grant him or her access to all premises under the conditions stipulated in Section 15 of the Law on State Security and Intelligence. If the processing of personal data has violated the rights of affected persons who are not aware of this processing, the legal protection officer is obliged to inform the affected persons or, if this is not possible, to lodge a complaint with the data protection authority (Section 16 leg.cit.; Datenschutzbehörde). Furthermore, each year, the legal protection officer reports to the Minister of the Interior on his/her activities and perceptions in the context of the fulfilment of his/her duties (Section 15 para. 4 leg.cit.). The Directorate also reports to the Minister of the Interior and publishes a yearly report about current and possible developments relevant to the protection of the constitution in order to inform the public (Section 17 leg.cit.). As a crucial oversight mechanisms, the "Independent Control Commission for the Protection of the Constitution" (Unabhängige Kontrollkommission Verfassungsschutz) has been established with the Minister of the Interior in order to guarantee the lawful fulfilment of tasks. The five members are independent and not bound by instructions (Section 17a para. 4 of the Law on State Security and Intelligence). The Control Commission shall be responsible for monitoring the activities of the organisational units (with the exception of matters that are subject to the legal protection officer). It shall investigate allegations against activities of the organisational units (Section 17a paras. 1 and 3 leg.cit.). The organisational units shall grant the Control Commission access to all premises and allow it to inspect documents and records (except in cases of danger to national security or the safety of persons etc.; cf. Section 17c para. 2 leg.cit.). The Control Commission shall submit an annual report to the Federal Minister of the Interior and the Standing Subcommittee of the Committee of Internal Affairs (of the National Council) as well as prepare an annual report informing the public about its activities. It may make recommendations to the Federal Minister of the Interior at any time (Section 17d leg.cit.). With regard to the classification of the oversight mechanisms, the legal protection officer pursuant to the Security Police Act is an independent executive organ, free from any instructions. The Independent Control Commission is also an executive organ. Due to its reporting obligation to the Standing Subcommittee of the Committee of Internal Affairs of the National Council, there is a parliamentary aspect involved. Finally, the data protection authority is also an executive organ. However, complaints may be lodged against decisions of the data protection authority with the Federal Administrative Court.
Belgium
Contrôle par la Commission BIM:
La Commission BIM est une commission administrative chargée du contrôle des méthodes spécifiques et exceptionnelles de recueil des données (loi du 30 novembre 1998 organique des services de renseignement et de sécurité, article 43/1). Elle se compose de trois magistrats et est présidée par un juge d'instruction. La Commission BIM doit être informée de toute décision de mise en œuvre d’une méthode spécifique. Avant de pouvoir faire usage d'une méthode exceptionnelle, la Commission BIM doit donner son accord explicite.
La Commission a pour mission :
• de mettre fin à une méthode dès que la menace qui a justifié sa mise en œuvre a disparu ou que la méthode en question n’est plus utile à la finalité pour laquelle elle a été décidée ;
• de suspendre une méthode lorsqu’elle constate une illégalité ou estime que le principe de subsidiarité ou de proportionnalité n’est pas respecté et d’interdire l’utilisation des informations recueillies par le biais de cette méthode.
Contrôle par le Comité permanent R:
Le législateur a prévu un contrôle supplémentaire par le Comité permanent R. Le Comité R est chargé de contrôler le fonctionnement général des services de renseignement et de sécurité. Le Comité permanent R est un organe collégial : il se compose de trois membres dont un président, qui doit impérativement être un magistrat. De la même manière que la Commission BIM, le Comité permanent R contrôle la légalité des décisions relatives aux méthodes spécifiques et exceptionnelles ainsi que le respect de la proportionnalité et de la subsidiarité. Lorsque le Comité permanent R constate une illégalité ou estime que le principe de proportionnalité ou de subsidiarité n’est pas respecté, il peut mettre fin à la méthode. Toutes les informations recueillies via la méthode doivent alors être détruites. Contrairement à la Commission BIM, le Comité R n'exerce pas de contrôle a priori des méthodes exceptionnelles. Il ne faut donc pas l'accord du Comité R pour mettre en oeuvre une méthode exceptionnelle. Dans l’hypothèse d’une recherche sur base de l’article 44 de la loi (voir supra), seul le Comité permanent R intervient et exerce un contrôle préalable, un contrôle concomitant et un contrôle a posteriori. (article 44/3 L.R&S).
Bosnia and Herzegovina
Bulgaria
Canada
The National Security and Intelligence Review Agency (NSIRA) is an independent and external review body that reports to Parliament. NSIRA is empowered to review Government of Canada national security and intelligence activities to ensure that they are lawful, reasonable and necessary. Following a review, NSIRA may make findings or recommendations that is considers appropriate. NSIRA also investigates public complaints regarding key national security agencies and activities, as well as complaints related to security clearances. Following an investigation, NSIRA must provide a report containing findings of the investigation and any recommendations that it considers appropriate. Findings and recommendations made by NSIRA are non-binding.
The National Security and Intelligence Committee of Parliamentarians
(NSICOP) is a committee of Parliamentarians that has a broad mandate, including to review any activity carried out by a department that relates to national security or intelligence, unless the activity is an ongoing operation and the appropriate Minister determines that the review would be injuries to national security. NSICOP submits an annual report to the Prime Minister (which is then tabled in Parliament), which includes the findings and recommendations (non-binding) that were made during the previous year.
The Civilian Review and Complaints Commission for the RCMP (CRCC) is a legislated independent agency established under the RCMP Act that ensures that public complaints made about the conduct of RCMP members are examined fairly and impartially (except for national security complaints, which are referred to NSIRA). The CRCC also has the authority to conduct reviews of specified RCMP activities for the purpose of ensuring accordance with legislation, regulation, ministerial direction, or RCMP policies, procedures or guidelines. The CRCC can make findings and recommendations (non-binding). Note: there is a Bill (C-20) currently before Parliament that would replace the CRCC with a new Public Complaints and Review Commission under separate legislation.
The Office of the Privacy Commissioner of Canada (OPC) is independent of government and reports to Parliament. The OPC oversees compliance with the federal Privacy Act. The OPC can investigate complaints received from individuals relating to how government institutions handle individuals’ personal information, and it can also at its own discretion carry out investigations to ensure that government institutions are complying with their collection, retention, use and disclosure obligations in respect of personal information. While the OPC can make findings and recommendations, it cannot force a government institution to take any specific action.
The recommendations of the above bodies are not legally binding.
Crotia
The Council for Civic Oversight of Security Intelligence Agencies conducts a regular ex-post oversight of agencies, focused on the legality of work and implementation of special data gathering measures. It acts on the basis of requests sent by citizens and legal persons about potential irregularities and human rights violations. The Council is composed of seven citizens appointed by the Parliament on the basis of a public call for four-year mandates but with specific expertise and full security clearances. Where, in the conducted oversight, it is established that there have been some unlawful acts, the Chairperson of the Council shall notify the President of the Republic, the President of the Parliament, the President of the Government and the Chief State Attorney.
Denmark
Estonia
A special parliamentary commission is set up to supervise the intelligence activities. There is also a special commission of 8 ministers by the government to coordinate the activities of security services, but not specifically oversight of the use of spyware or other wiretapping methods. These tasks are carried out by the Ministry of Interior and Ministry of Defence on a general basis.
In criminal proceedings, the supervision is regulated in Criminal Procedure Code, §§ 126:
"§ 126. Presenting the information collected by a covert operation to the person concerned
(1) Arrangements are made, for a person who has been notified according to § 126 of this Code, if they so wish, to acquaint themselves with the information collected in their respect and with the photographs, footage, audio or video recordings or other recordings of information made in the course of the corresponding covert operation. Where this is authorised by the Prosecutor’s Office, a decision may be made not to present, to such a person, until the relevant grounds cease to be present, the following particulars:
1) particulars concerning the family or private life of other persons;
2) particulars whose presentation may harm the rights and freedoms of another person that are guaranteed by law;
3) particulars that contain State secrets, classified information of a foreign State or secrets of another person that are protected by law;
4) particulars whose presentation may endanger the life, health, honour or reputation or property of an employee of a covert operations authority, of an undercover agent, of a covert operative, of a person whose secret cooperation has been enlisted in the case or of another person who participated in the covert operation concerned or of any person closely connected with any of the aforementioned persons;
5) particulars whose presentation may jeopardise the right of an undercover agent, a covert operative or a person whose secret cooperation has been enlisted in the case to maintain the confidentiality of their cooperation;
6) particulars whose presentation may lead to information being passed concerning the methods or tactics of a covert operations authority or concerning the means used to conduct covert operations;
7) particulars that it is not possible to separate and present such that they would not disclose the particulars mentioned in clauses 1–6 of this subsection.
(2) When information collected by a covert operation is presented to a person concerned or when a decision is made not to present such information to such a person, the relevant rules for appeal must also be explained to them.
(3) The rules for notification of covert operations and for presentation of covert operation files are enacted by a regulation of the Government of the Republic at the proposal of the Minister in charge of the policy sector.
§ 126. Overseeing a covert operation
(1) The Prosecutor’s Office oversees a covert operation for compliance with the authorisation provided for by § 126 of this Code.
(2) The activities of the covert operations authorities are overseen by the committee of the Riigikogu mentioned in § 36 of the Security Authorities Act. At least once every three months, a covert operations authority files a written report with the committee through the relevant ministry.
(3) Once a year, based on the information obtained from covert operations authorities, the Prosecutor’s Office and courts, the Ministry of Justice publishes on its website a report that contains the following information concerning the previous year:
1) the number and type of covert operation files that have been opened;
2) the number of authorisations for covert operations, by type of operation;
3) the number of persons notified of a covert operation having been conducted in their respect and the number of persons in whose respect notification has been postponed for more than one year in accordance with subsection 4 of § 126 of this Code.
§ 126. Filing of appeals related to a covert operation
(1) An interim appeal may be filed, following the rules provided by Chapter 15 of this Code, against any judicial warrant authorising a covert operation on the grounds mentioned in this Code.
(2) A complaint may be filed, following the rules provided by Subchapter 5 of Chapter 8 of this Code, against actions in the course of a covert operation conducted on the grounds mentioned in this Code, against a decision to forgo notification of such an operation, and against a decision not to present certain information collected by such an operation."
Finland
The Intelligence Ombudsman
The Intelligence Ombudsman oversees both the civilian intelligence and military intelligence authorities: the Finnish Security and Intelligence Service (Suojelupoliisi/Skyddspolisen), the Intelligence Division of the Defence Command (Pääesikunnan tiedusteluosasto/Huvudstabens underrättelseavdelning) and the Finnish Defence Intelligence Agency (Puolustusvoimien tiedustelulaitos/Försvarsmaktens underrätelsetjänst). According to Section 15 of the Act on the Oversight of Intelligence Gathering, the Intelligence Ombudsman has competence to order the use of the intelligence method to be suspended or stopped if the Ombudsman considers that the intelligence authority has acted unlawfully in intelligence gathering. The Intelligence Ombudsman can also order the intelligence method authorised by the court to be suspended or stopped, but only with a temporary order. This temporary order must be submitted to the court without any delay. The court can then confirm or cancel the temporary order or amend the order. Individuals can file investigation requests and complaints to the Intelligence Ombudsman. The complainant will receive a response to the complaint, but the content of the response should be considered on a case-by-case basis. Furthermore, a response is provided to investigation requests, but such a response would only state that the investigation has been carried out.
The Intelligence Oversight Committee of Parliament
The Intelligence Oversight Committee of Parliament carries out parliamentary oversight. The Committee oversees the proper implementation and appropriateness of intelligence operations, monitors and evaluates the focus areas of intelligence operations, monitors and promotes the effective exercise of fundamental and human rights in intelligence operations, prepares reports by the Intelligence Ombudsman and processes the supervisory findings of the Intelligence Ombudsman.
The Parliamentary Ombudsman and the Chancellor of Justice of the
Government
The Parliamentary Ombudsman and Chancellor of Justice of the government carry out supreme oversight of legality in Finland (for their duties, see Section 108 and Section 109 of the Constitution). The Parliamentary Ombudsman and Chancellor of Justice have also the competence to oversee the lawfulness of the acts of the Intelligence Ombudsman. Parliament has also charged the Parliamentary Ombudsman with the special task of the oversight of legality of covert intelligence. Intelligence is used by the police, Customs, the Border Guard and the defence forces. All these organisations submit a report to the Ombudsman each year on the resources used to acquire intelligence. Under the Coercive Measures Act, the Ministry of the Interior must submit an annual report to the Parliamentary Ombudsman on the use and supervision of covert coercive measures by the police and their security. Likewise, the Ministry of Finance must submit a report on the use of these measures to Customs, and the Ministry of Defence must provide the defence forces with a similar report. The Parliamentary Ombudsman's report contains its own section on covert intelligence gathering.
The Data Protection Ombudsman
The Data Protection Ombudsman oversees the legality of the processing of personal data in the context of criminal investigations and civilian and military intelligence.
France
The CNCTR ensures that intelligence gathering is undertaken in compliance with the Code of Internal Security (Code de la Sécurité Intérieure). According to Article L831-1 Code de la sécurité intérieure, the CNCTR is composed of four parliamentarians (two members of the National Assembly and two senators), two members of the Conseil d’Etat (Council of State), two magistrates, one expert in electronic communication techniques. The Commission can deliver opinions on the use of intelligence gathering techniques, but these are not binding.
Germany
Moreover, Germany also has a parliamentary oversight of the activities of the intelligence agencies. Among its tasks the Bundestag’s Parliamentary Oversight Panel scrutinises the federal intelligence agencies and the selection of members of the G10 Commission. The Ministry of the Interior shall also inform the committee of the implementation and use of the G10 Act (at least biannually).
Greece
EYP, for instance, refuses to disclose the reasons why a leader of an opposition party has been surveilled, in spite of a unanimous verdict ordering the opposite by the plenum of the Council of State, that is Greece’s Supreme Administrative Court, which upheld a petition for annulment of the said leader (ΣτΕ(Ολ.)465/2024).
As for the Judiciary, in January 2023, Greece’s Prosecutor General (Εισαγγελέας του Αρείου Πάγο) issued an Opinion (Γνωμοδότηση) addressed to OTE (the country’s most important telecommunications provider) instructing it, whenever it is seized on issues connected to national security, to obey orders emanating only from the judiciary and not from ADAE, since, under Article 19 of the Greek Constitution, ADAE is allegedly subordinated to the judiciary.
The other oversight mechanism in place for the activities of the security services is the Hellenic Data Protection Authority ( Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), provided for by law 2472/1997.
Iceland
Ireland
Ireland does not have a distinct intelligence agency. Intelligence and state security functions are the responsibility of An Garda Síochána and the Defence Forces. In general, An Garda Síochána is answerable to the Minister for Justice and the Defence Forces are answerable to the Minister for Defence in respect of surveillance. The Policing Authority, introduced in 2015 by the Garda Síochána (Policing Authority and Miscellaneous Provisions) Act 2015, and its replacing authority, the Údarás Póilíneachta agus Sábháilteachta Pobail, to be introduced under the Policing, Security and Community Safety Act 2024, exclude security services.
Oversight of surveillance activities
Criminal Justice (Surveillance) Act 2009
The oversight mechanism under the 2009 Act currently involves judicial and executive oversight. Each year, the designated judge reviews the operation of the Act and reports to the Taoiseach. The judge has the authority to investigate any case where authorisation has been issued, renewed, or varied under the relevant sections of the Act. The Taoiseach must ensure that the report is laid before each House of the Oireachtas within six months of its completion, along with a statement on whether any sensitive matters have been excluded due to security concerns. If, during an investigation, the designated judge believes it is in the interests of justice, they can refer the case to a Referee for further investigation.
The oversight mechanism from section 12 of the 2009 Act was substituted this year following the enactment of the Policing, Security and Community Safety Act 2024. However, these provisions have not yet been commenced. When they come into force, primary oversight responsibility will be assigned to an Independent Examiner rather than a designated High Court judge.
Interception of Postal Packets and Telecommunications Act 1993
A designated judge keeps the operation of the Act under review, ensuring compliance with its provisions and reports to the Taoiseach each year regarding the general operation of the Act and as necessary on specific matters. The judge can investigate any case where an authorisation has been given and has access to and can inspect official documents related to authorisations and applications. If a designated judge finds that an authorisation should not have been given or should be cancelled, the Minister must be informed. The judge can communicate directly with the Taoiseach or the Minister on any matters concerning interceptions or disclosure requests. The Taoiseach must lay a copy of the judge’s report before the Oireachtas with a statement indicating whether any matter has been excluded due to concerns about crime prevention, detection or state security. The functions of the Data Protection Commission under the Data Protection Acts of 1988 and 2018 are not affected by the designated judge’s duties. The designated judge can communicate with the Data Protection Commission on matters related to the Commissioner’s functions under the Data Protection Acts.
The oversight mechanism from section 8 of the 1993 Act was substituted this year following the enactment of the Policing, Security and Community Safety Act 2024. However, these provisions have not been commenced. When they come into force, primary oversight responsibility will be assigned to an Independent Examiner.
Italy
Korea
Kosovo
The parliamentary oversight body holds sessions at least bi-annually. Its responsibilities include, inter alia, overseeing the legality of the work of the Intelligence Agency, reviewing reports from the Director of the Intelligence Agency regarding the operations of the Agency and the reports from the Inspector General, as well as conducting inquiries regarding the work of the Agency. "If the parliamentary oversight body has grounds to believe that the KIA is performing its duties in an unlawful, inappropriate or unprofessional manner, it may conduct an inquiry during the course of which the parliamentary oversight body may question KIA employees and have access to relevant KIA documents."
The Law on the Intelligence Agency also provides for a complaints mechanism. Individuals, institutions and third parties have the right of complaint against the Kosovo Intelligence Agency: "Complaints may be addressed to the Ombudsperson Institution," and that any complaint submitted to the Ombudsperson Institution "shall not prejudice the right of an individual, institution or third party to seek adjudication from a court."
Also in connection with the Law on the Interception of Electronic Communications, this law provides for oversight and penalties. The Regulatory Authority for Electronic and Postal Communications is the authorized body to oversee the operation of network operators or service providers and their compliance with the Law on the Interception of Electronic Communications, other relevant laws on interception and any by-laws issued in accordance with these laws. The Authority has a wide scope of powers that extend up to the revocation of licence or authorization of the respective network operator or service provider.
Additionally, the Law on the Interception of Electronic Communications establishes a distinct institution, which is the Commissioner for Oversight of Interception of Communication. The Commissioner is a mechanism functioning within the institutional structure of the Kosovo Judicial Council, and conducts annual control of the lawfulness of interception of communications in accordance with the law. It reports to the Kosovo Judicial Council, to the State Prosecutor and the respective parliamentary committees of the Assembly of Kosovo on annual basis about identified possible violations. The Commissioner is appointed by the Kosovo Judicial Council from among the group of judges of the Supreme Court.
Kyrgzstan
− Departmental - heads of agencies carrying out operational investigative activities bear personal responsibility for compliance with the law when organizing and conducting operational investigative activities;
− Prosecutor's - Supervision over the implementation of the laws of the Kyrgyz Republic by bodies carrying out operational-search activities is carried out by the Prosecutor General of the Kyrgyz Republic and prosecutors authorized by him, not lower in status than prosecutors of regions and the city of Bishkek.
At the request of the authorized prosecutor in connection with materials, information and appeals from citizens received by the prosecutor's office regarding violations of laws during the conduct of operational-search activities, as well as during the verification of the established procedure for conducting operational-search activities and the legality of the decisions taken in this regard, the heads of the body carrying out operational-search activities shall submit to the said prosecutor operational-service documents that served as the basis for conducting these activities.
Information about persons embedded in the environment of the object of operational interest and full-time undercover employees of the bodies implementing operational-search activities, as well as persons providing or providing assistance to these bodies on a confidential basis, shall be submitted to the prosecutor only with the written consent of the said persons, except for cases requiring their prosecution. Information about the organization, tactics, methods and means of implementing operational-search activities is not included in the subject of prosecutorial supervision.
− Judicial – the courts assess the legality and validity of special investigative actions and, based on the ruling of the investigating judge, permit their implementation;
− Parliamentary - annually the Jogorku Kenesh of the Kyrgyz Republic (parliament) hears a report from the Prosecutor General of the Kyrgyz Republic and law enforcement agencies on the state of law in the Kyrgyz Republic. The Jogorku Kenesh of the Kyrgyz Republic exercises control over the activities of national security agencies in accordance with the procedure established by law;
− Administrative – The President and the Cabinet of Ministers of the Kyrgyz Republic exercise control over the activities of national security agencies in accordance with the procedure established by law.
Liechtenstein
measures are subject to administrative appeal and a complaint before the administrative court. In all cases, the Constitutional Court decides on individual complaints regarding violations of fundamental rights against decisions of the court instances. From an administrative point of view, there is also the instrument of the supervisory complaint, although there is no subjective right to its handling.
Finally, there is the Association for Human Rights, which can help victims of human
rights violations in court and administrative proceedings.
Lithuania
According to the Criminal Procedure Code, the use of procedural coercive instruments during criminal investigations and the evidence collected during these investigations can be disputed in court during criminal proceedings.
Additionally, the Constitution of the Republic of Lithuania provides: 1. Person whose constitutional rights or freedoms are violated shall have the right to apply to a court; 2. Compensation for material and moral damage inflicted upon a person shall be established by law. Interpreting these provisions, the Lithuanian Constitutional Court has developed a broad doctrine. In this context, the Constitutional Court emphasised that the Constitution is a directly applicable act; therefore, even in the absence of the respective regulation established by means of a law, an individual, by making direct reference to Paragraph 2 of Article 30 of the Constitution and other articles thereof, in which guarantees are established for the protection of the respective human rights and freedoms, may claim compensation for damage inflicted on him/her as a result of unlawful actions performed by state institutions or its officials. For more information, please see Selected Official Constitutional Doctrine 1993-2020, pp. 183-195, available at https://lrkt.lt/data/public/uploads/2021/06/selected-official-constitutional-doctrine-19932020.pdf ).
It is also important to highlight that, since 2022, Lithuania has established the position of the Intelligence Ombudspersons. Under the Law on Intelligence Ombudspersons, this role is authorized to investigate cases where there are signs that intelligence institutions or officers are abusing their powers, infringing upon human rights and freedoms, compromising legitimate interests, or breaching regulations related to the processing of personal data for national security or defense purposes. The Intelligence Ombudsperson is also mandated to address any other violations of human rights and freedoms in public administration.
Luxembourg
According to Chapter 6 of the Loi SRE, the Parliamentary Control Committee is informed biannually of all SRE-initiated surveillance measures, ensuring accountability. The Parliamentary Control Committee shall be informed ex officio every six months of the measures for surveillance and control of communications ordered by the Ministerial Intelligence Committee at the request of the SRE. The Parliamentary Control Committee may also carry out audits on specific issues.
The National Commission for Data Protection and the General Data Protection Regime is competent to monitor and verify the SRE’s compliance with the applicable legal provisions on the protection of personal data, with regard to the processing of personal data in criminal matters as well as than in terms of national security.
Malta
The Commissioner for the Security Services oversees the activities of the intelligence agencies. The Commissioner, appointed by the Prime Minister, is either a judge of the superior courts or an officer of the Attorney General. According to Chapter 391 of the Security Service Act, has the power to investigate complaints about the Security Service. Indeed, according to the same article, “any person may complain to the Commissioner if he is aggrieved by anything which he believes the Security Service has done in relation to him or to any property of his.”
Moreover, Malta also has a Security Committee, which is composed of the Prime Minister, the Minister responsible for the Security Service, the Minister for Foreign Affairs, and the Leader of the Opposition. This Committee examines expenditure, administration, and policy of the Security Service and is also required to write an annual report on the discharge of its functions.
On the other hand, according to Chapter 586 of the Data Protection Act, the Office of the Information and Data Protection Commissioner (IDPC) does not have the competence to supervise the data processing activities of the Maltese Security Service, nor has any power to take action against the Security Service.
Moldova
- Judicial – Article 22 paras (4) and (5) of the Law provides that at the end of the special investigative measure or at the request of the investigating judge or the prosecutor who authorized the special investigative measure, the investigating officer shall, for the purpose of verifying the legality of the special investigative measure, within 10 days at the latest, send the report on the results of the special investigative measure, to which all the materials gathered as a result of the special investigative measure shall be attached. If it is established that the special investigative measure was carried out in clear violation of the rights and freedoms of the person or that the investigative officer acted in violation of the provisions of the authorization order, the investigating judge or the public prosecutor shall declare the results of the special investigative measure null and void and shall order, by means of the order, their destruction.
- Parliamentary control – Article 38 of the Law - (1) The Committee on National Security, Defense and Public Order shall exercise parliamentary control over the special investigative activity.
(2) The authorities carrying out special investigative activity shall be obliged to submit to the Prosecutor General, by January 15 of the following year, a report on special investigative activity, which shall include:
(a) the number of authorized special investigative measures;
b) the number of special investigative measures canceled;
c) the results of the special investigative measures.
(3) The Prosecutor General, on the basis of the submitted reports and on the basis of the information available to the Prosecutor General's Office, shall submit the final report on the special investigative activity to the Commission for National Security, Defense and Public Order by February 15 of each year.
(4) The Commission for National Security, Defense and Public Order may request, within the limits of its competence, any additional information on the special investigative activity, with the exception of special files, if it considers that the submitted report is incomplete.
- Control exercised by the public prosecutor – Article 39 of the Law - The control over the execution of this Law shall be carried out by the hierarchically superior public prosecutors on the basis of complaints lodged by persons whose rights and legitimate interests are alleged to have been violated as a result of the special investigative activity or ex officio. The hierarchically superior public prosecutors carrying out the control shall have the right of access to the information constituting state secret in the manner established by law. The activity of confidential collaborators shall be under the control of the Prosecutor General or of a special prosecutor authorized by order of the Prosecutor General.
- Departmental control- Article 40 of the Law – Departmental control over the work of investigation officers shall be exercised by the heads of the administrative authority that carries out special investigative activity.
Monaco
Morocco
En outre, l’article 54 de la Constitution prévoit la création du Conseil supérieur de la sécurité qui est une instance de concertation sur les stratégies de sécurité intérieure et extérieure du pays et de gestion des situations de crise, il s’agit de l’organe national le plus élevé qui a la charge d’œuvrer à l’institutionnalisation des normes de bonne gouvernance en matière sécuritaire.
North Macedonia
North Macedonia, the Directorate for Security of Classified Information, the Directorate for Personal Data Protection, and the Ombudsman. Additionally, the Council for Civil Control plays a crucial role in overseeing both the authorized bodies implementing the measures and the Operational Technical Agency (OTA), which assists with technical oversight.
The Assembly establishes a dedicated Commission for Oversight of Communication Monitoring Measures. This Commission is comprised of a president, a vice president, four members, and four vice members. The leadership of the Commission is structured such that the president or their deputy is from the major opposition party, while the remaining members include representatives from both ruling and opposition parties, ensuring a balanced perspective.
To ensure effective oversight, the Commission engages both national and international technical experts. These experts are selected based on their accreditation and provide crucial support in assessing the legality and effectiveness of communication monitoring measures. Within 50 days of its formation, the Commission appoints two permanent experts and prepares a list of additional experts who can be called upon as needed.
The Commission's primary goal is to verify that communication monitoring measures are implemented legally and effectively. This involves comparing data from various sources, including operators, the OTA, and authorized bodies. The Commission also
reviews the annual report from the Public Prosecutor on special investigative measures to gauge the effectiveness of these measures.
Operators, the OTA, and authorized bodies are required to provide specific data during oversight activities. Operators must supply logs detailing the start and end times of monitoring measures, activation confirmations, and the total number of positive
confirmations. The OTA must provide anonymized court orders, logs of these orders, and data on the implementation of monitoring measures. Authorized bodies must supply similar documentation related to the court orders and the implementation process.
Oversight is conducted at least every three months, often without prior notice. After each oversight session, the Commission prepares a detailed report indicating whether the conduct observed was legal or if any abuses were detected. If the report finds no issues, it is submitted to the Assembly, and the public is informed. In cases of irregularities or abuses, the Commission is required to notify the public prosecutor and relevant authorities promptly. Additionally, the Assembly and the public may be informed without disclosing specific data if necessary.
Finally, the Commission submits an annual report to the Assembly by the end of February each year. This report is reviewed and approved by the Assembly, which also provides recommendations for the Commission's future work. Additional reports can be
requested by the Assembly as needed, and the findings are shared with the public to ensure transparency.
The Council for Civil Control is established to ensure civilian oversight of communication surveillance measures. Appointed by the Assembly of the Republic of North Macedonia, the Council comprises a president and six members, serving a three-year term without the possibility of reappointment. The members include three experts and three representatives from non-governmental organizations focused on human rights, security, and defense.
The Council submits an annual report on its activities to the Assembly by the end of February each year, which is reviewed in a parliamentary session. Additional reports can be provided upon request, and the public is kept informed about these reports.
The Council can act on its own initiative or in response to citizen complaints. If a complaint is received, the Council requests the Commission to verify whether the citizen’s phone number has been unlawfully monitored in the past three months and conducts oversight of the OTA and authorized bodies. The Commission must report back to the Council within 15 days. This report will only confirm whether any abuse was detected or not. For confidentiality, the Council performs oversight with prior notice to the OTA and authorized bodies, comparing anonymized data from the past three months. If abuse is found, the Council promptly informs the public prosecutor and the affected citizen.
Oversight of the legality of special investigative measures and communication monitoring measures is conducted by the public prosecutor leading the investigation and the investigating judge who issued the relevant orders. For communication monitoring, the oversight also involves the Public Prosecutor of North Macedonia and a judge from the Supreme Court who issued the monitoring order.
Here are the provisions of the Law on Communications Surveillance dealing with the oversight mechanisms:
Article 35 of the Law on Communications Surveillance
Oversight Bodies for the Implementation of Communication Monitoring Measures
(1) Oversight of communication monitoring measures implemented by authorized bodies, as well as oversight of operators and the OTA (Operational Technical Agency), is carried out by:
The Assembly of the Republic of North Macedonia,
The Directorate for Security of Classified Information,
The Directorate for Personal Data Protection, and
The Ombudsman of the Republic of North Macedonia.
(2) Oversight of communication monitoring measures implemented by authorized bodies, as well as oversight of the OTA, is performed by the Council for Civil Control.
(3) At the request of the oversight bodies mentioned in paragraph (1) of this article, the OTA assists in the oversight of operators.
(4) The OTA, in accordance with the Law on the Operational Technical Agency, independently or at the request of authorized bodies, performs technical oversight of the operator.
Article 38
Oversight by the Assembly of the Republic of North Macedonia
Composition of the Commission
(1) For the purpose of conducting oversight as stipulated in Article 35 of this Law, the Assembly of the Republic of North Macedonia shall establish a Commission for the Oversight of Communication Monitoring Measures (hereinafter referred to as the "Commission") from among its members.
(2) The Commission consists of a president, four members, a vice president, and four vice members.
(3) The president of the Commission, or their deputy, is from the political party in the Assembly of the Republic of North Macedonia that is in opposition and which received the most votes in the last parliamentary elections. Two members of the Commission, or their deputies, are from the ruling political parties, and two members, or their deputies, are from opposition political parties in the Assembly of the Republic of North Macedonia.
Article 39
Accreditation of Technical Experts
(1) The Commission, as per Article 38 of this Law, for the effective conduct of oversight, engages national or international technical experts with relevant expertise. These experts, based on their accreditation, can actively participate in the oversight as part of the Commission.
(2) Immediately upon its formation and no later than 50 days thereafter, the Commission selects two experts for permanent support. Within six months, the Commission prepares a list of additional national or international experts who can be accredited for individual cases as needed for preparation, execution, and reporting on the technical results of the oversight.
(3) At the request of the Commission, the Electronic Communications Agency, the Directorate for the Security of Classified Information, and the Directorate for the Protection of Personal Data, as well as any other state institution not subject to oversight, provide expert support to the Commission on matters within their jurisdiction as established by law during the oversight process, in accordance with this Law.
Article 40
Purpose and Procedure for Conducting Oversight
(1) The Commission conducts oversight as per Article 35 of this Law to determine the legality of the implementation of communication monitoring measures as described in Articles 7 and 18 of this Law, as well as the effectiveness of the special investigative measures.
(2) The Commission and accredited technical experts, as part of the Commission, compare data from Articles 41, 42, and 43 of this Law, which are owned, possessed, or generated by authorized bodies, OTA, and operators, to determine the legality of the measures mentioned in paragraph (1) of this Article.
(3) To determine effectiveness as per paragraph (1) of this Article, the Commission reviews the annual report of the Public Prosecutor of the Republic of North Macedonia on special investigative measures during a session. The Public Prosecutor provides this report to the Assembly of the Republic of North Macedonia in accordance with the law.
Article 41
Data Required from the Operator During Oversight
The data owned, possessed, or generated by the operator and which is available upon request by the Commission or directly obtained by accredited technical experts as part of the Commission during oversight includes:
Logs of the start time and date of the communication monitoring measure,
Logs of the end time and date of the communication monitoring measure,
Activation confirmation logs,
Logs of the total number of positive confirmations performed within a specified time period.
Article 42
Data Required from OTA During Oversight
The data owned, possessed, or generated by OTA, which is available upon request by the Commission or directly obtained by accredited technical experts as part of the Commission during oversight includes:
The anonymized court order and anonymized temporary written order,
Logs of the number of anonymized court orders,
Logs of the time of starting and ending the implementation of the communication monitoring measure,
Logs of the total number of implemented communication monitoring measures for a specified time period.
Article 43
Data Required from Authorized Bodies During Oversight
The data owned, possessed, or generated by authorized bodies, which is available upon request by the Commission during oversight includes:
The anonymized court order and anonymized temporary written order,
Documents related to the start and end of the implementation of the communication monitoring measure.
Article 44
Method of Conducting Oversight
(1) The Commission performs oversight without prior notice, as needed, and at least once every three months, even in the absence of a majority vote.
(2) After the oversight is conducted, the Commission prepares a report detailing whether legal or illegal conduct was observed, or if there was any abuse in the procedure.
(3) If the report from paragraph (2) of this Article finds legal conduct, it is submitted to the Assembly of the Republic of North Macedonia, and the Commission informs the public.
(4) If during the oversight, irregularities or abuses in the implementation of the communication monitoring measures as determined by the provisions of the Criminal Procedure Law and this Law, or violations of any international treaty ratified in accordance with the Constitution of the Republic of North Macedonia are found, the Commission is required to:
Notify the competent public prosecutor within 24 hours,
In cases of personal data violations or human rights violations, notify the relevant competent authorities.
If possible and without providing specific data, inform the Assembly of the Republic of North Macedonia,
If possible and without disclosing specific data, inform the public.
Article 45
Reports of the Commission
(1) The Commission submits an annual report to the Assembly of the Republic of North Macedonia for the previous calendar year, no later than the end of February of the current year.
(2) The Assembly reviews and approves the report mentioned in paragraph (1) of this Article with a majority vote of the total number of members and provides recommendations for the Commission's work.
(3) If needed and based on the request of the Assembly of the Republic of North Macedonia, the Commission provides additional reports.
(4) The public is appropriately informed about the report mentioned in paragraph (2) of this Article.
1.2. Council for Civil Control
Article 47
Appointment of the Council
To achieve civilian oversight of the legality of implementing communication surveillance measures, a Council for Civil Oversight (hereinafter: the Council) is appointed.
Article 48
Composition of the Council
(1) The Council is composed of a president and six members, appointed by the Assembly of the Republic of North Macedonia for a period of three years, with no right to reappointment.
(2) The Assembly of the Republic of North Macedonia announces a public call for the appointment of the president and six members, of which three are experts and three are representatives from non-governmental organizations (associations) in the field of protection of fundamental human rights and freedoms, security, and defense.
(3) The president and members of the Council must meet the following conditions:
….
Reports of the Council
Article 50
(1) The Council submits an annual report to the Assembly of the Republic of North Macedonia on the Council's activities for the previous calendar year, no later than the end of February of the current year.
(2) The report mentioned in paragraph (1) of this article is reviewed at a session of the Assembly of the Republic of North Macedonia.
(3) As needed and upon request by the Assembly of the Republic of North Macedonia, the Council provides additional reports.
(4) The public is appropriately informed about the report mentioned in paragraph (1) of this article.
Procedure of the Council
Article 51
(1) The Council acts on its own initiative or based on a complaint submitted by a citizen.
(2) Based on a complaint submitted by a citizen, the Council is required to:
Immediately request the Commission referred to in Article 38 of this law to conduct oversight in accordance with Article 40 of this law to ensure whether the citizen's telephone number has been or was unlawfully monitored in the past three months; and
Conduct oversight of the OTA and authorized bodies.
(3) The Commission, based on the oversight conducted under paragraph (2), item 1 of this article, provides a report to the Council within 15 days from the date of the request submission.
(4) To maintain the confidentiality of communication monitoring measures, the report mentioned in paragraph (3) of this article only states whether in the specific case:
a) Abuse was found, or
b) No abuse was found.
(5) The oversight mentioned in paragraph (2), item 2 of this article is conducted by the Council with prior notice to the OTA and authorized bodies. This is done to compare data from anonymized samples of orders for oversight and control purposes, covering the past three months.
(6) Based on the report mentioned in paragraph (3) of this article and the oversight from paragraph (5), the Council promptly informs the citizen referred to in paragraph (2). If abuse is detected, the Council also immediately informs the competent public prosecutor.
(7) When the Council acts on its own initiative, it conducts oversight according to paragraph (5) of this article.
(8) The Council informs the public about the oversight conducted under paragraph (7).
Oversight Bodies
Article 57
(1) The legality of implementing special investigative measures by authorized bodies, operators, and the OTA is overseen by:
The public prosecutor leading the investigation, and
The investigating judge who issued the order for the special investigative measure according to the law.
(2) The legality of implementing communication monitoring measures under Article 18 of this law by authorized bodies, operators, and the OTA is overseen by:
The Public Prosecutor of the Republic of North Macedonia, and
The judge of the Supreme Court of the Republic of North Macedonia who issued the communication monitoring order.
Netherlands
There are several oversight bodies involved. Judges can remedy the unlawful use of investigatory powers during trial. he Inspection Authority of the Ministry of Justice and Security has a special mandate to check (mostly procedures) the use of hacking as an investigative power. They report annually but have no binding remedial powers. They first published about the use of (commercial) hacking tools by the Dutch National Police (specifically, its ‘Digital Intrusion Team’). In 2022, the Procurator General of the Dutch Supreme Court and his office also published a report as part of the oversight function on the Dutch Public Prosecutors Office. The Procurator General’s office found that between 2019-2021, a ‘technical device’ was used in 36 cases. Commercial tools were used in 33 out of 36 cases. In all investigated cases, the use of hacking power was deemed proportionate. This oversight body has no remedial powers. The Data Protection Authority conducts oversight on the processing of personal data by the police. They did not publish any reports relating to the lawfulness of hacking as an investigative power. As an administrative body, they do have remedial powers.
Intelligence and security services:
The Dutch Review Committee on Intelligence and Security Services (CTIVD) is the oversight body for intelligence and security services. As mentioned, the Investigatory Powers Commission (TIB) conducts a prior review of the lawfulness of the hacking power. The TIB has binding powers: if it is not lawful, the investigatory power cannot be applied. The CTIVD conducts oversight during the application of hacking as an investigative power, i.e., to test the technical risks involved and which devices are targeted. It also publishes reports about the lawfulness of hacking as an investigative power, such as report no. 39 (2014), no. 53 (2017) and no. 70 (2019). However, as part of new legislation relating to ‘State actors with cyber programs’ in 2024, the CTIVD has limited binding powers in its oversight relating to hacking powers. Under this new legislation, intelligence and security services can appeal a decision of the TIB and CTIVD, and a judge can decide on this. There is no judgment available yet. Individuals who believe they have been treated unlawfully or unfairly by the intelligence and security services can file a complaint with the Minister of the Interior and Kingdom Relations or the Minister of Defence. If they are dissatisfied with how their complaint was handled, they can file a complaint with the CTIVD. Under certain circumstances, they can report the complaint to the CTIVD directly, such as when they cannot reasonably be expected to first file the complaint with the responsible minister. The complaints department can issue binding decisions after unlawful conduct by the intelligence and security services. This occurred in 2022, following complaints from an NGO about the unlawful processing and storage of bulk datasets. Five bulk datasets had to be destroyed. Decisions are published (anonymously) on the CTIVD website.
If the Cabinet is the object of a motion (or other expression) of no-confidence, it has to tender its resignation. In theory it might be possible that the Cabinet remains in charge, dissolves the Chamber and waits for the result of the election of the new Chamber, hoping for a positive outcome: a so-called ‘conflict dissolution’. However, since 1922 practice is that the Cabinet members tender their resignations on the eve of the elections (whether a periodic election or because of dissolution of the Chamber ). Some qualify the 1922 practice as a binding convention (customary constitutional law), but others believe this still is mere political practice. What surely is a binding convention – already established in the 19th century, is that a Cabinet that dissolved the Chamber and remains in charge, waiting for the election results, when again confronted with a motion of no-confidence has to tender its resignation. Of course, in this system the motion of no-confidence is not accompanied by a proposal for a new Cabinet/Prime Minister: what Cabinet will take office will be decided by the elections and subsequent formation.
It has to be stressed that 1939 was the last time an explicit motion of no-confidence against a Cabinet has been accepted by the Chamber, leading to the resignation of the Cabinet. As observed in Answer 8 there are other ways leading to a conclusion of no confidence.
Norway
Poland
remedial measures.
As mentioned above, courts have binding remedial powers regarding surveillance and operational controls. They can issue rulings on the legality of specific surveillance measures or operational controls conducted by security services. If a court finds that a
surveillance measure was not properly authorized or violated legal standards, it has the authority to rule against its use, ensuring adherence to the law and respect for individual rights.
Parliamentary committees have the power to oversee the activities of security services. Key among these is the Committee on Special Services, which monitors and reviews the operations carried out by the Internal Security Agency (ABW) and the Intelligence Agency (AW). This committee holds hearings, examines reports, and ensures that the activities of security services are conducted in compliance with the law and democratic principles. Additionally, parliamentary investigative committees have the authority to conduct hearings to the extent that the matters under investigation fall within their scope of activity.
Parliamentary committees also have the power to recommend legislative changes and demand reforms concerning the activities of security services. Although their recommendations are not legally binding on their own, they can lead to legislative amendments. These amendments can result in significant changes to how security services operate, ensuring that their activities comply with legal and ethical standards.
In the context of executive authority, it is important to highlight the specific roles of the Minister of the Interior and Administration and the Minister of Justice. The Minister of the Interior and Administration oversees the activities not only of the Police but also of some special forces, such as the Internal Security Agency (ABW). This executive oversight includes setting strategic directions and ensuring that security services operate within the bounds of the law. However, the Minister’s role is more administrative and less focused on day-to-day operational control. The Minister of Justice plays a role in overseeing surveillance activities, especially those related to significant criminal investigations.
Last but not least, the President of the Personal Data Protection Office (UODO) has the authority to impose fines and sanctions on entities, including security services, for violations of data protection laws.
Portugal
The law of the Information System of the Portuguese Republic (SIRP) also establishes a Data Inspection Commission (CFDSIRP), composed of three magistrates from the Attorney General Office, appointed and empowered by the Attorney General of the Republic.
In addition to judicial intervention in the authorization, the SIRP Data Supervision Commission is the competent public authority for monitoring compliance with the principles and compliance with the rules relating to quality and safeguarding the confidentiality and security of data obtained in accordance with the mandatory and legally bound procedure provided for in organic law nº 4/2017.
The verification by the Commission is carried out through access to data with nominative references, upon complaint or well-founded suspicion of illegitimate or unfounded collection, and the Commission must order the cancellation or rectification of data collected, which involve violation of the rights, freedoms and guarantees set out in the Constitution and in the Law.
Without prejudice to the other supervisory powers provided for in the general regime applicable to SIS and SIED data centres, telecommunications and Internet data obtained in accordance with the procedure provided for in this law are subject to ex officio supervision, by nominative reference, by the Data Inspection Commission For this purpose, the Formation of the criminal chambers of the Supreme Court of Justice communicates to the SIRP Data Inspection Commission the authorizations granted with nominative reference – article 15 of the Law.
Furthermore, in accordance with article 16 of this Law, the procedure for access, and telecommunications and Internet data obtained in accordance with the provisions of law 4/2017, are also subject to the supervisory powers of the SIRP Supervisory Board, which constitutes an independent body, with the mission of ensuring compliance with the Constitution and the law, with a special focus on the preservation of rights, freedoms and guarantees, ensuring control of the Intelligence Service, monitoring and supervising the activity of the Secretary General, the SIED, the SIS and the intelligence activity carried out by the Armed Forces.
Romania
San Marino
Only the Judicial Authority may order interceptions during investigative activities. Therefore, the control mechanisms in place are those expressly provided for by procedural law.
It should be recalled that Law no. 98 of 21 July 2009 provides, in addition to the Investigating Judge, for the presence of another Judge responsible for Interceptions with the function of authorising and controlling interception operations, as well as for several moments of cross-examination with the defence lawyers of the suspected person in order to ensure the usual acquisition of evidence in the proceedings.
The Judge responsible for Interceptions exercises formal and substantive control over the use and acquisition of evidence from interceptions and has the power to take several important measures: can extend the time-limit for interceptions; validates the investigative act of the individual interception (in case of refusal, the interception cannot be carried out); controls the confidential register of interceptions6 where all measures pertaining to the individual investigative act are recorded for each interception, and gives binding consent to the destruction of interceptions if they are not relevant to the investigation; authorises the
defendant’s lawyers to take copies of the documents related to interceptions for the full exercise of the rights of defence; orders the acquisition of interceptions relevant to the proceedings, the use of which is not prohibited; orders an expert report on the transcription of the recordings or the printing or reproduction, in the clearest and most comprehensible form possible, of the information contained in the computerised or telematic communication streams obtained, if necessary for the purposes of understanding; may request direct access to recordings and computer media; may, at any stage and level of the proceedings, order that all documents related to interceptions be destroyed, unless they constitute the corpus delictiand gives binding consent if the request for destruction comes from the Investigating Judge who ordered the interception.
Serbia
As regards the judicial oversight the Constitutional Court of Serbia can review the constitutionality of laws and regulations, including those related to the security services. Thus, if a citizen believes their rights have been violated by the actions of the security services, they can challenge these actions submitting constitutional complaint. Individuals can also seek redress through regular courts if they believe that their rights have been violated by the security services. Judicial decisions have binding remedial powers.
According to the Law on Security Information Agency (Article 17- Work Control), the Director of the Agency shall be under obligation to submit a work report of the Agency and on the security status of the Republic of Serbia to the National Assembly and the Government of the Republic of Serbia twice a year. In performing activities from its field of work, the Agency shall be obliged to comply with basic principles and guidelines of the Government, which refer to security-intelligence policy of the Republic of Serbia (Article 18.)
As regards the parliamentary oversight, the National Assembly has a special Security Services Control Committee which according to the Rules of Procedure of the National Assembly shall:
-supervise the constitutionality and legality of the work of security services;
-supervise conformity of the work of security services with the National Security Strategy, the Defence Strategy and the Security and Intelligence Policy of the Republic of Serbia;
-supervise preservation of political, ideological and interest neutrality in the work of the security services;
-supervise the legality of the application of special procedures and measures for secret collection of data;
-consider proposal of budget resources necessary for the work of security services and supervise the legality of budget and other resources spending;
-consider and adopt reports on the work of the security services;
-consider Bills, other regulations and general acts from the scope of work of the services;
-launch initiatives and submit Bills from the scope of work of the services;
-consider proposals, petitions and complaints of citizens addressed to the National Assembly regarding the work of the security services and propose measures to resolve them, and notifies the applicant thereof;
-determine facts on identified illegal acts or irregularities found in the work of the security services and their personnel and deliver conclusions thereon;
-inform the National Assembly on its conclusions and proposals.
The executive branch, particularly the Ministry of the Interior and the Ministry of Defence, oversees various security services. These ministries have administrative and operational oversight responsibilities.
It should be mentioned as well the expert oversight through the work of the Commissioner for Information of Public Importance and Personal Data Protection. This body oversees compliance with laws related to information and data protection. While not exclusively focused on security services, it can address issues related to personal data handling by these agencies.
Slovakia
The Commission has eight members, of whom one is its president, who must belong to the opposition.
The parliament selects six members from among the members of each of the three parliamentary committees involved: two members from the Special Monitoring Committee of the National Council of the Slovak Republic for the monitoring of the activities of the Slovak Information Service, two members from the Special Monitoring Committee of the National Council of the Slovak Republic for the monitoring of the activities of the Military Intelligence, and two members from the Committee of the National Council of the Slovak Republic for Defence and Security. Three members must be selected from among the majority’s deputies and three members from among the opposition deputies. The remaining two members may be non-parliamentarian citizens with relevant work experience defined in Section 8a PAIA and the highest level of security clearance. They are selected by the parliament upon proposal by the chairperson of the Defence and Security Committee.
The Commission must carry out inspection at least on an annual basis, but may do so at any time of its own motion and upon complaint by anyone who claims they have been subjected to unlawful surveillance.
The Commission’s powers are mostly of monitoring nature. Its members have the right to enter premises, access registers and obtain information, even if classified, from the relevant state authorities. The protocols of inspections carried out are then submitted to the relevant parliamentary committees.
Should the respective parliamentary committees suspect that surveillance has been carried out in violation of the law, they must inform the Speaker of Parliament, who then informs the Prosecutor General.
The parliament must discuss in plenary twice a year the reports of the committees on the state of use of surveillance measures. The reports submitted to the plenary must include any detected case of illegal use of surveillance methods. The reports must not reveal the identity of the persons under surveillance or otherwise violate their right to privacy.
It must be admitted that even though Section 8a PAIA regulating the Commission was introduced by a 2015 amendment, the Commission has still not been established in practice, mostly due to political disagreements.
Spain
1.1.-Legal Framework
The specific laws on intelligence services oversight are:
Law 9/68 (amended in 1978 with the entry into force of the Constitution) establishes which matters may be declared secret or reserved ("classified matters") and the body that may declare them as such (basically the Council of Ministers). This declaration shall not affect (Article 10.2) the Congress of Deputies or the Senate, which shall have access to the information in the manner established in their regulations and, where appropriate, in camera sessions.
Parliamentary oversight of classified expenditure is provided for in Law 11/1995, Article 7.3 of this law entrusts it to a standing parliamentary committee. For its part, Law 11/2002 attributes to the same committee (art. 11) the control over the operation of the National Intelligence Centre (CNI). This control involves the periodic appearance of members of the government and, in particular, of the director of the CNI.
The current regulation of this standing parliamentary committee is developed by the Resolution of the Presidency of the Congress of Deputies on official secrets of 26 April 2022. By virtue of this resolution, the permanent parliamentary committee (popularly known as the Official Secrets Committee, although its official name is the Committee for the control of credits destined to reserved expenses) is composed of the President of the Congress of Deputies and a representative of each Parliamentary Group appointed by the absolute majority of the chamber The committee meets "in camera" and its members are bound by an obligation of confidentiality. No records of its meetings are published.
The resolution of the presidency establishes the following relevant points on access to classified information:
- The request for information can be submitted by any parliamentary committee or parliamentary group.
- If the information is secret, the government provides the information through the members of the standing committee .
- If the information is "reserved", the information is transmitted to the spokespersons of the parliamentary groups or to their representatives in the requesting committee (if it comes from a request for information from another parliamentary committee).
- Exceptionally, the government may request that the information be transmitted to the president of the Congress (or of the requiring committee if it comes from one other than the standing committee on official secrets).
In addition to these specific instruments, the general regime of information and control of the parliament over the government is applicable. In particular, there is the possibility of setting up parliamentary committees of inquiry (by agreement of the majority of the plenary of the chamber) whose work may cover any subject (Art. 76.4 SC), including reserved or secret matters, on which a duty of confidentiality may be imposed or which may agree to hold in camera sessions (Art. 64.4.a Standing Rules of the Congreso) and whose conclusions must also respect the matters qualified as secret.
2.- Judicial Control
Spain has an ex-ante and an ex-post system of judicial control of any intervention by intelligence services that involves an invasion of privacy rights and the secrecy of communications. Both systems are applicable to cases of use of software such as those mentioned in the consultation.
a) Ex- ante Judicial Control:
See supra answer 2.1.
b) Ex-post Judicial Control:
Ex post judicial control of secrets related to the activities of the intelligence services was established by the case law at the end of the last century. According to this case law, any judge in the framework of a judicial investigation can ask the Council of Ministers to declassify information considered confidential. The Council of Ministers' discretion is not entirely free. It has to be a sufficiently reasoned decision in which the reasons cannot exclude considerations of general interest following the specific judicial investigation and the individual assessment of the fundamental rights concerned. The refusal by the Council of Ministers of the requested information or documentation may be challenged before the Administrative Chamber of the Supreme Court, which will assess whether it is in accordance with the law, even by examining "in camera" the requested documentation (access to which was denied to the complainant judge but which the Council of Ministers must make available to the Supreme Court) to check whether the refusal is properly reasoned. In certain cases, the Supreme Court has ruled the declassification of documents considered secret by the government. The basic case law is contained in Judgments of the Supreme Court (Third Chamber): 4, April 1997 and 30, January 1998.
Sweden
SIN’s mandate is 1) to ensure that surveillance activities by the police, including the Security Police, are conducted in accordance with laws and other regulations and 2) that the Security Police filing of personal data is ‘conducted in accordance with laws and other regulations’.
These laws etc. include the limits set out on the filing of sensitive data in the constitution (Instrument of Government Chapter 2, Section 6; ECHR Article 8) and in the Police Data Act, as well as the Security Police’s own regulations on initiating, adding to, correcting and terminating personal files. Although the mandate is only framed in terms of ensuring compliance with the law, a proportionality test is a fundamental part of this.
SIN is an example of a “hybrid” body, mixing political and legal oversight. Under Section 5 of the Act on Supervision of Certain Crime-Fighting Activities, SIN shall have a maximum of ten members. These are appointed by the government for a (renewable) fixed period of no more than four years. The members are to be ‘suitable for the assignment in terms of judgment, independence, obedience to the law and other circumstances’. All the parties in the Riksdag can propose a member of the Commission. Most of the parties have appointed experienced politicians, some of whom are active MPs. The Chair and Vice Chair shall be, or have been, a tenured judge or have other equivalent legal experience. The position was taken at the time of its creation that this was necessary for the integrity and competence of SIN.
Appointment of the Chair is preceded by consultations with the heads of the other parties represented in the Riksdag.
Decisions are taken by majority vote: there is a quorum when the Chair and half of the other members are present. Any member may request that a meeting should be held but the Chair decides. SIN as a monitoring/complaints body meets around once a month, as do its delegations.
The permanent staff of SIN consists of a number of lawyers (usually 15-20). Since 2023, it also has a technical expert.
Section 2 of the Supervision Act provides that SIN exercises its supervision through inspections and other investigations. It takes up a number of cases of its own motion every year. On complaints, see the reply to the next question.
Section 4 of the Supervision Act provides that SIN is entitled to obtain the information and assistance it requests from agencies subject to its’ supervision. Even courts and agencies that are not subject to its supervision are also obliged to supply it with the information it requests.
While SIN cannot compel witnesses to appear before it, failure to cooperate with SIN can, ultimately, be seen as misuse of office and reported as a criminal offence (Criminal Code, Chapter 20, Section 1).
Another restriction is that SIN’s mandate in relation to monitoring surveillance applies to the law enforcement agencies (i.e., the police, including the Security Police and the prosecutors). It does not, as such, extend to the courts which authorise the use of such measures. Scrutiny of the adequacy of the reasoning of a court thus is not within SIN’s mandate. This restriction is to preserve judicial independence. However, satisfactory oversight here really involves matching the initial suspicions justifying the surveillance against the product of the surveillance. Where a pattern emerges of weighing losses to integrity too lightly against
alleged gains to an investigation, SIN should criticise this and demand improvements in routines. This must, reasonably, involve implicit criticism of the body which has authorised the surveillance—the courts.
SIN members and staff are bound by secrecy. The Public Access to Information and Secrecy Act, Chapter 15, Sections 1 and 2, deals with maintaining secrecy for purposes of protection of national security and foreign relations. Chapter 18, Sections 1 and 2 deals with secrecy in the prevention and investigation of crime and in intelligence gathering. As SIN is an administrative agency, its members (even if they are serving MPs) can be and are security vetted. Criminal sanctions for breach of the Act are to be found in the Criminal Code, Chapter 20, Section 3. Other security crimes in Chapter 19 of the Code (espionage, unlawful revealing of secret information, reckless revealing of secret information etc.) may also be applicable.
Section 2 of the Supervision Act provides that SIN ‘may make statements on established circumstances and express its opinion’. It can decide to publish special reports, something which is an important feature of oversight. Parliament may not formally task SIN to look at a particular issue but the fact that the composition of SIN consists mainly of politicians means that the same thing can be achieved informally: where there is a majority for investigating a particular issue, SIN will do so.
SIN reports annually to the government. The report is published. SIN itself decides what information to reveal (albeit applying its duty to keep confidential secret information). If SIN considers that laws or regulations are deficient, it may express its opinion on this, if need be confidentially. It can be noted that SIN’s reports are not the only official source of information on surveillance.
If SIN considers that a criminal offence has been committed, it is to refer the case to the Prosecutor-General. If it considers that errors have been committed in handling of personal data which should be rectified, or which might entitle an individual to damages, it is to refer the case to the Data Inspection Board or the Chancellor of Justice (or both). These bodies
make an independent assessment of the need for rectification/damages, so SIN’s decision in this regard should be seen as only the first stage in the obtaining of an effective remedy. As far as I am aware, so far, only one referral has been made to the Chancellor of Justice.
As regards secret data reading specifically, unlike for other secret investigative measures, such as telecommunications interception, there is a duty on an authorising court to inform SIN when an authorization has been granted (section 21 of the Act). This proactive duty gives SIN a better overview of how the Act is being applied, and to decide whether or not to initiate an oversight investigation.
Switzerland
− Article 75 on self-control by the FIS;
− Articles 76-78 on the independent supervisory authority, its status and its tasks;
− Article 79 on the independent supervisory authority for radio and cable communications
intelligence;
− Article 80 on control and supervision by the federal council (the Swiss government);
− Article 81 on parliamentary oversight.
It is crucial to emphasise that the duly appointed parliamentary committees (the "oversight delegation" and the "finance delegation") have complete and unhindered access to all information they require to fulfil their oversight responsibilities, as outlined in the Federal Act on Parliament. Since 2019, the oversight delegation has received an annual performance report from the FIS on the measures taken under Article 26 IntelSA and the measures against foreign computer systems under Article 37 IntelSA.
Ukraine
Article 9. Guarantees of legality during the implementation of criminal intelligence operation activities
Violation of the human rights and freedoms and legal entities is not allowed during the implementation of investigative activities. Single restrictions of these rights and freedoms are of an exceptional and temporary nature and can be applied only by the decision of the investigating judge for the purpose of detecting, preventing or to stop grave crimes or especially grave crimes and in cases provided for by the legislation of Ukraine, for the purpose of protecting the rights and freedoms of other persons, public safety .
In cases of violation of the human rights and freedoms or legal entities in the process of criminal intelligence operation activities, as well as in the event that the person against whom criminal intelligence operation measures were carried out was not confirmed as involved in the criminal offense, the Security Service of Ukraine, the State Bureau of Investigation, the National Police , the central body of executive power that implements state policy in the sphere of state border protection, the Office of State Security of Ukraine, the Bureau of Economic Security of Ukraine, the central body of executive power that ensures the formation and implementation of state policy in the sphere of execution of criminal punishments and probation, the intelligence body of the Ministry of Defense of Ukraine, the intelligence body of the central executive body that implements state policy in the sphere of state border protection, the Foreign Intelligence Service of Ukraine, the National Anti-Corruption Bureau of Ukraine are obliged to restore the violated rights immediately and compensate in full the material and moral damages caused.
Citizens of Ukraine and other persons have the right, in accordance with the procedure established by law, to receive from the criminal intelligence operation bodies a written explanation regarding the restriction of their rights and freedoms and to appeal these actions.
It is forbidden to transmit and disclose information about security measures and persons taken under protection, or such information that may harm the investigation or the interests of a person or the security of Ukraine. It is prohibited to make public or provide collected information, as well as information regarding the conduct or non-conduct of criminal intelligence operation activity in relation to a certain person until a decision is made based on the results of such activity. The issue of publicizing or providing such information after a decision is made is regulated by law.
Information obtained as a result of criminal intelligence operation activities related to the personal life, honor, and dignity of a person, if it does not contain information about the commited actions prohibited by law, is not subject to storage and must be destroyed. Information obtained as a result of criminal intelligence operation activities, regarding preparation for terrorist acts or their commission by individuals and groups, is stored for up to 5 years.
Criminal intelligence operation measures related to the temporary restriction of human rights are carried out in order to prevent grave crimes or especially grave crimes, also for detection and termination of them, the search for persons who are evading criminal punishment or who have disappeared, also to protect life, health, housing and property of court employees and law enforcement agencies and persons participating in criminal proceedings, also for termination of intelligence and subversive activities against Ukraine.
2) Law of Ukraine "On National Security of Ukraine"
Section III
DEMOCRATIC CIVIL CONTROL
Article 4. Principles of democratic civil control
1. Within the limits of the powers granted in accordance with the Constitution of Ukraine, the security and defense sector is subject to democratic civil control (hereinafter referred to as civil control).
The system of civil control consists of control carried out by the President of Ukraine; control carried out by the Verkhovna Rada of Ukraine; control carried out by the National Security and Defense Council of Ukraine; control carried out by the Cabinet of Ministers of Ukraine, executive authorities and local self-government bodies; judicial control; public supervision.
<...>
Article 11. Responsibility for violation of the legislation on national security of Ukraine
1. Officials guilty of non-fulfillment or violation of the legislation on the national security of Ukraine shall bear responsibility in accordance with the law.
2. Citizens who believe that their rights, freedoms, or legitimate interests have been violated by the decisions, actions, or inactivity of members of the security and defense sector or their officials have the right to apply to the court, the Commissioner for Human Rights of the Verkhovna Rada of Ukraine, or use any other mechanisms for the protection of rights and freedoms provided for by the legislation of Ukraine.
3. Control of compliance with legislation during civil control is carried out in accordance with the procedure determined by the Constitution and laws of Ukraine.
3) Law of Ukraine “On the Security Service of Ukraine”
Section VI. CONTROL AND SUPERVISION OF THE ACTIVITIES OF THE SECURITY SERVICE OF UKRAINE
Article 31. Accountability of the Security Service of Ukraine
Permanent control over the activities of the Security Service of Ukraine and its compliance with legislation is carried out by the Verkhovna Rada of Ukraine.
The head of the Security Service of Ukraine annually, by February 1, submits a report on the activities of the Security Service of Ukraine to the Verkhovna Rada of Ukraine.
Article 32. Control of the President of Ukraine over the activities of the Security Service of Ukraine
Control over the activities of the Security Service of Ukraine is carried out by the President of Ukraine and state bodies authorized by him.
Permanent control is carried out by officials specially appointed by the President of Ukraine over the observance of the constitutional rights of citizens and legislation during criminal intelligence operation activities and activities in the field of protection of state secrets of bodies and units of the Security Service of Ukraine, as well as control over the compliance of the provisions, orders, decrees, instructions issued by the Security Service of Ukraine with the Constitution and laws of Ukraine. The powers of these officials and the legal guarantees of their activities are determined by the Regulation, which the President of Ukraine shall approve.
The Security Service of Ukraine regularly informs the President of Ukraine, members of the National Security Council of Ukraine and officials specially appointed by the President of Ukraine about the main issues of its activity, about cases of violations of legislation, and also submits other necessary information at their request.
The head of the Security Service of Ukraine annually submits a written report on the activities of the Security Service of Ukraine to the President of Ukraine.
The head of the Security Service of Ukraine bears personal responsibility for the timeliness, objectivity and completeness of the submitted information.
4) Law of Ukraine “On the Foreign Intelligence Service”
Article 1. Legal status of the Foreign Intelligence Service of Ukraine
1. The Foreign Intelligence Service of Ukraine is an intelligence body of Ukraine that functions as a separate state body, is not part of the system of executive authorities and carries out its activities under the guidance of the President of Ukraine and democratic civilian control in accordance with the Law of Ukraine "On Intelligence".
5) Law of Ukraine "On Intelligence"
Section VIII. FEATURES OF DEMOCRATIC CIVIL CONTROL OVER INTELLIGENCE
Article 51. Principles of implementation of democratic civilian control over intelligence
1. Democratic civil control over intelligence is carried out in accordance with the Law of Ukraine "On National Security of Ukraine" taking into account the specifics defined by this Law.
2. The procedure for visiting the facilities of intelligence agencies and providing access to information containing intelligence secrets during democratic civil control is determined by joint acts of intelligence agencies and relevant control subjects.
3. During the implementation of democratic civil control, documents or information about persons involved or those who were involved in confidential cooperation with intelligence agencies, about employees under cover, as well as about the methods, forces and means of intelligence involved or were involved during carrying out intelligence activities, as well as planning, organization, financing and logistical support of specific intelligence activities before their full completion are not provided.
4. Information about intelligence agencies and intelligence activities obtained during the execution of democratic civil control shall be processed, stored, transferred or made public in compliance with the requirements provided for in Article 46 of this Law [see above]. The actions of persons who have gained access to such information should not create a threat of its disclosure.
Article 52. Particular aspects of control over intelligence by the President of Ukraine
1. The head of the intelligence body reports to the President of Ukraine on the execution of the tasks assigned to this body and, in accordance with the procedure established by the President of Ukraine, annually submits a report on the activities of the relevant intelligence body to the coordination body on intelligence.
2. On the basis of the report submitted by the head of the intelligence agency, the intelligence coordination body annually prepares an assessment of the intelligence agency's performance of the priority tasks assigned to it, the results of which it reports to the President of Ukraine.
3. In compliance with the requirements of Article 46 of this Law, the coordination body on intelligence publishes information on the directions and main results of the activities of intelligence agencies (White Book).
Article 53. Particular aspects of exercising parliamentary control over intelligence
1. Within the limits set by the Constitution of Ukraine and the laws of Ukraine, parliamentary control is ensured by the committee of the Verkhovna Rada of Ukraine, the subject of which is the issue of ensuring the control functions of the Verkhovna Rada of Ukraine, in particular, over the activities of special-purpose bodies that are entrusted with law enforcement functions, special-
purpose law enforcement bodies and intelligence agencies.
3. […] People's deputies of Ukraine receive the information specified in the second part of Article 46 of this Law exclusively in connection with the exercise of their powers in the committee of the Verkhovna Rada of Ukraine that is authorized to exercise control over special-purpose bodies that are entrusted with law enforcement functions, special-purpose law enforcement bodies and intelligence agencies.
Article 54. Particular aspects of public and judicial control over intelligence
1. Citizens of Ukraine participate in the implementation of democratic civil control in the manner determined by the Constitution of Ukraine and the laws of Ukraine, taking into account the requirements of Article 46 of this Law.
2. Information on the activities of intelligence agencies is published in the media and on the official websites of these agencies in the scope determined by the head of the relevant intelligence agency.
3. Decisions, actions or inactivity of the intelligence community subjects may be challenged in court in accordance with this Law.
For reference: The subjects of the intelligence community are:
1) coordination body on intelligence;
2) intelligence agencies defined by this Law;
3) Security Service of Ukraine;
4) other components of the security and defense sector determined by the National Security and Defense Council of Ukraine, which are involved by intelligence agencies in the execution of intelligence tasks and strengthening of the intelligence capabilities of the state (part two of Article 4 of this Law).
United Kingdom
United States of America
Oversight Applicable to Targeted Surveillance in General
A. Executive Oversight
Under Executive Order 14086 (October 2022) (“Enhancing Safeguards for United States Intelligence Activities”), the Privacy and Civil Liberties Oversight Board (PCLOB) is responsible for reviewing new policies and procedures implemented by intelligence agencies and conducts an annual review of the Data Protection Review Court’s redress process.
B. Judicial Oversight
The FISC and the Data Protection Review Court (DPRC) are mandated to provide oversight. FISC proceedings are closed due to their classified nature and conducted ex parte. However, when FISC issues significant opinions, they are provided to Congress and thereafter declassified and released to the public. The DPRC provides a mechanism for redress through independent and impartial review of specific complaints from individuals who allege violations of U.S. law in the conduct of U.S. intelligence activities. The DPRC reviews decisions of the ODNI Civil Liberties Protection Officer (CLPO), according to which individuals may submit a complaint when there is an allegation of a violation in “collecting or handling their data through signals intelligence activities." The DPRC works as a panel of three judges who review and decide, based on the CLPO’s findings, whether a violation occurred and what the appropriate remedy should be. The DPRC’s decisions are final and binding.
C. Legislative Oversight
The House Permanent Select Committee on Intelligence (HPSCI) and the Senate Select Committee on Intelligence (SSCI) provide congressional oversight of intelligence activities, including surveillance practices. The HPSCI is responsible for overseeing the United States Intelligence Community and the Military Intelligence Program. The HPSCI has legislative and oversight responsibilities over Intelligence Community programs, policies, budgets, operations, all covert actions, and the collection, exploitation, and dissemination of human intelligence. The SSCI provides legislative oversight concerning the intelligence activities of the US government. They do this by inter alia conducting hearings with high-ranking intelligence agency officials; conducting investigations and review of intelligence programs; and reviewing and collecting intelligence activities/analysis. US law also “specifically obligates the President to ensure that intelligence agencies keep the committees ‘fully and currently informed’ of their activities, including all "significant anticipated intelligence activities" and all "significant intelligence failures," and make available any information requested by either of the two committees." However, the law does not define the
categories of information that must be reported, allowing intelligence agencies to choose what information they report. The Congressional committees cannot disapprove of “covert action findings” but can “prohibit the expenditure of funds for such activities in subsequent years.” Also, through the National Security Act of 1947, Congress must be kept “fully informed” of intelligence activities of significance.
Oversight Applicable Specifically to Spyware
Public Law 117-263 (50 USC §3232a) (2022) requires U.S. intelligence agencies to provide annual reports assessing counterintelligence threats and “other risks to national security” that “foreign commercial spyware” poses to the United State. The reports are to include “an assessment of the counterintelligence threats and other risks to the national security of the United
States posed by the proliferation of foreign commercial spyware." The law also authorizes the Director of National Intelligence to prohibit intelligence agencies from “entering into any contract or other agreement for any purpose with a company that has acquired, in whole or in part, any foreign commercial spyware." Public Law 117-81 (22 USC §2679e) (2021) requires the Secretary of State to prepare a list of contractors that have “knowingly assisted or facilitated a cyberattack or conducted surveillance” against the United States or against:
"[i]ndividuals, including activists, journalists, opposition politicians, or other individuals for the purposes of suppressing dissent or intimidating critics, on behalf of a country included in the annual country reports on human rights practices of the Department for systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights."
As noted in the 8 March note, the Secretary of State acted under the Immigration and Nationalization Act to restrict visa issuances to those involved in the abuse of commercial spyware. Further, the 27 March 2023 Executive Order discusses the importance of federal oversight of commercial spyware to advance national security and foreign policy interests by “mitigating, to the greatest extent possible, the risk emerging technologies may pose to United States Government institutions, personnel, information, and information systems."
State Level Oversight on Surveillance
State and local authorities may impose further restraints on surveillance technologies than required under existing federal law. The California Electronic Communications Privacy Act (CalECPA), for instance, requires law enforcement and government entities to obtain a warrant, based on probable cause and supported by an affidavit, before accessing any electronic communications from an individual’s service provider or their electronic device(s). CalECPA provides judges with the discretion to confine warrants to relevant information and calls for the sealing and destruction of irrelevant information collected through the warrant. Additionally, the warrant must be specific as to the information sought. Through its warrant requirement, CalECPA regulates all individuals within governmental agencies including the criminal justice system, public school, and hospital officials. CalECPA also “requires the government to furnish notice, in all cases [even emergencies], to the target of the investigation, and provides a
suppression remedy for evidence gathered in violation of its terms."