The Amsterdam Law & Technology Institute’s team is inviting young scholars guest articles in ALTI Young Voices. Here is a new contribution authored by Elise Kooij.
***
- Introduction
Recently, the Dutch government proposed a new law: the ‘Tijdelijke wet onderzoeken AIVD en MIVD naar landen met een offensief cyberprogramma’ (hereafter: Cyberlaw), which would change various material aspects of the current law regulating the Dutch intelligence services (Wet op de inlichtingen- en veiligheidsdiensten 2017, hereafter: Intelligence and Security Services Act 2017).
This latter law was passed by the Dutch Parliament in 2017 and enhances the surveillance powers of the two Dutch intelligence services, granting them broader authority to intercept and analyze digital communications. The proposal sparked significant discussion and debate within the country at the time. Proponents argued that the measures were necessary to combat evolving security threats and maintain national security. Critics instead expressed concerns regarding the potential infringement on privacy rights and the lack of adequate safeguards and oversight mechanisms. The law’s passage triggered a lively public discourse on the balance between security and privacy, the backlash ultimately even culminating in a consultative referendum held in 2018. The Dutch public narrowly rejected the law, with 49,44% voting against and 46,53% in favor. The Second Chamber of Parliament had already adopted the law prior to the referendum, and as a result of the outcome some minor changes were made before the law came into effect later in 2018 (the referendum was non-binding, after all).
Discussion around the law subsequently largely subsided, until the introduction of the Cyberlaw in December 2022 invigorated the debate once more. Amongst others (such as changes to bulk interception powers), the changes put forward by the law would modify the manner in which supervision over intelligence services activities is exercised. Under the Intelligence and Security Services Act 2017, two separate bodies are tasked with supervision of the practices of the Dutch intelligence services: the Investigatory Powers Commission (TIB) and the Review Committee on the Intelligence and Security Services (CTIVD). After its establishment by the Intelligence and Security Services Act 2017, discussion arose about the functioning of the Investigatory Powers Commission, which is tasked mainly with carrying out ex ante tests of use of special measures by the intelligence services. The changes proposed to the Commission by the Cyberlaw would significantly limit its powers and have recently led to concern and discussion about the role and functioning of the Commission and the supervisory system in general.[1] Most strikingly, the chairman of the Commission resigned in September 2022 out of dissatisfaction with the proposed changes, opting to leave his position to publicly speak out against the new law. Other experts have spoken out in defense of the new law, however, noting that it provides necessary remedies for existing problems.
Over the years, the European Court of Human Rights (ECtHR) has built up an extensive body of case law on surveillance by intelligence services. Any national supervision system should then also meet the requirements specified by the Court in its case law. The Dutch government has argued that both the current system as well as the revised system proposed by the Cyberlaw meet ECtHR requirements on surveillance supervision, albeit in a different manner. Considering the public debate and controversy surrounding the law and counterarguments put forward in academic literature, however, it does not seem immediately clear whether this is actually the case. This article will then also examine the question to what extent the system of supervision over surveillance activities by the intelligence services proposed by the new Dutch Cyberlaw is in line with the standards on supervision required by case law of the ECtHR. Firstly, the Dutch system of supervision on surveillance activities by the intelligence services will be examined, and the proposed changes to it by the Cyberlaw. Secondly, the assessment by the ECtHR and relevant case law will be considered, before concluding with an analysis of how the proposed system may or may not be in line with these requirements.
- The Dutch system of supervision and the Cyberlaw
2.1 The current system: supervision under the Intelligence and Security Services Act 2017
As mentioned, the current Dutch system flows from the Intelligence and Security Services Act 2017, under which two supervisory bodies exist: the Investigatory Powers Commission and the Review Committee on the Intelligence and Security Services. Prior to the execution of certain special measures by the intelligence services, the Minister (of either Interior Affairs or Defense, depending on the intelligence agency) must approve the use of the measure. The Commission is tasked with assessing this judgment by the Minister, prior to the actual use of the measure (ex ante), whereby it must determine whether the use of a special measures is lawful (‘rechtmatig’). The Commission is comprised of three members, two of which must have prior experience as a judge.
The Review Committee is tasked with handling complaints about the intelligence services, as well as supervision over the legality of activities of the services, during and after the use of special measures (ex durante and ex post). It currently has no power to issue binding judgments on the legality of an operation, ex durante.
Case law by the ECtHR has played an important role in the development of the Dutch legal framework on the intelligence services. For example, the initial creation of the Commission was a direct result of ECtHR case law, as also argued by the Dutch government in the explanatory memorandum to the Cyberlaw. It has been argued, however, that this creation was not strictly required but the result of a strict interpretation of ECtHR case law by the Dutch government, likely motivated by a desire to incorporate the human right standards of the ECHR in a comprehensive way (specifically those relating to Articles 8 and 13 ECHR). Moreover, the Commission was arguably also given more powers than required by ECtHR case law. This has led to various debates about the form and necessity of the Commission, with some arguing that the Commission is too strict in carrying out its review, and that its influential role needlessly complicates the overall supervision system.
2.2 The proposed system: supervision under the Cyberlaw
Following recommendations made by an evaluation commission in 2021, the Cyberlaw proposes fundamental changes to the structure of supervision (it would also alter certain provisions relating to special measures, including data interception, but it is beyond the scope of this article to consider this in detail here). Most prominently, the binding, ex ante test of the Commission will be significantly scaled back. This will be compensated by an expansion of the powers of the Review Committee, which will be given the power to conduct binding ex durante/ex post tests. These binding judgements must be heeded by the responsible Minister within three days. Moreover, a special appeals procedure will be introduced.
With these changes, the law aims to increase the effectiveness of the use of certain special measures by the intelligence services, while safeguarding the guarantees which surround such use. The lawmaker notes that currently, tension exists between the ‘static’ ex ante test carried out by the Commission, and the dynamic nature of the use of certain special measures. This tension refers to the meticulous manner in which the Commission carries out its work, which in practice has led to unwanted delays in the operation of special measures by the intelligence services. Consequently, this can lead to significant problems in the effectiveness of their operations, something which has been linked directly to the oversight carried out by the Commission. The Cyberlaw thus aims to increase the effectiveness of the operations carried out by the intelligence services, by removing the ‘cumbersome’ ex ante test by the Commission.
- Surveillance by intelligence services in ECtHR case law
Over the years, a continuous debate about the supervision of surveillance practices by intelligence services has existed. ECtHR case law on the topic focuses on potential violations of the right to privacy under Article 8 ECHR, as this right can easily be breached when intelligence services carry out surveillance on citizens. Assessment of a possible unlawful infringement of Article 8 ECHR normally follows a three-step test (Art. 8(2) ECHR): a consideration of the presence of legitimate interest, whether the infringement was in accordance with the law, and the necessity of the infringement.
The ECtHR has expanded this test further in case law on surveillance, focusing particularly on these latter two considerations (which the Court normally assesses jointly, see also Kennedy v. United Kingdom para. 155). The Court pays special attention to the quality of the relevant legislation. In the landmark Big Brother Watch v. United Kingdom case, it was specified which standards mass surveillance legislation should meet to satisfy this quality of law (foreseeability) requirement. These include, among others, the procedures for supervision by an independent authority and procedures for independent review of compliance (see also Big Brother Watch v. United Kingdom, para. 361 and and Centrum för rättvisa v. Sweden, para. 275).
Another question concerns whether supervision should be entrusted to courts or other (independent) bodies. In the Klass v. Germany case, the ECtHR partially answered this question by stating that a non-judicial system supervision over intelligence activities is permitted, but that supervisory control should preferably be in the hands of a judge (para. 55-56). This was later reiterated in other cases.[2]
A trend in ECtHR case law seems to be that emphasis is placed on the necessity of a system of control over surveillance that is ‘good enough’ (both ex ante, ex durante and ex post). Such oversight should be able to provide sufficiently effective control over surveillance activities, whilst also being supported by effective checks in a national legal system (Article 13 ECHR is also relevant in this context). In Klass v. Germany, the Court stated that “the exclusion of judicial control does not exceed the limits of what may be deemed necessary in a democratic society.” (para. 56). The Court later sharpened this requirement in Szabó & Vissy v. Hungary, stressing that regardless of the specific system of supervision used, it must allow for ‘an assessment of strict necessity’ (para. 71-73). Moreover, the Court noted (again) that an effective ex post test can balance out a possible lack of ex ante authorization of the use of special measures (para. 79). Key seems to be that any system which can provide effective control over surveillance can be acceptable. Considering these points, it can thus be said that the essence of the requirements on supervision on intelligence services lies with the effectiveness of the supervision system as a whole. The specific manner in which a supervisory system is structured can vary.
- Applying the ECtHR requirements to the proposed system by the Cyberlaw
In brief, in thus becomes clear from ECtHR case law that the following requirements on supervision of surveillance activities by intelligence services must be met. Firstly, the ECtHR has expressed a strong preference for entrusting supervision to a judicial body, considering the perceived independence of such an institution, its impartiality and binding judgements. However, this is not strictly required. Secondly, an independent ex ante test is an important safeguard, but not a required procedure. A lawmaker is free to choose another manner of supervision, as long as that option still constitutes an independent, binding and effective manner of supervision.
The independence of both the Commission and Review Committee has been subject of discussion in the past, but does not seem to be a pressing issue in the discussion on the Cyberlaw. Similarly, the power to issue binding judgements in the supervision process is present. It is the second question of ‘effective supervision’ that warrants most discussion.
In the past, the Review Committee itself has argued on the basis of the Big Brother Watch v. United Kingdom case that the requirement of ‘effective supervision’ by the ECtHR should be interpreted as binding supervision. The Cyberlaw reflects this position, granting the Review Committee binding supervisory powers, but it is somewhat unclear whether the requirement of ‘effective supervision’ must also automatically be interpreted as necessitating binding supervision powers for the Review Committee.
The explanatory memorandum to the Cyberlaw reiterates that the independent ex ante test by the Commission is a stricter manner of supervision than what is required by ECtHR case law. The system proposed by the Cyberlaw, weaking the test by the Commission, would then also still be in line with requirements of the ECtHR. It is argued that the proposed changes fall within the margin of appreciation afforded to states regarding national security and possible infringements of Article 8 ECHR in this context. The level of protection ensured by the revised system of supervision thus remains equal, according to the Dutch government.
An advisory report to the Dutch government published in 2022 (after the influential Big Brother Watch v. United Kingdom and Centrum för rättvisa v. Sweden cases and the earlier evaluation report published in 2021), characterized recent ECtHR case law as becoming stricter, formulating ever stricter guidelines on supervision over intelligence services. The report subsequently advised to strengthen the position of the Review Committee by granting it the power to issue binding judgements ex durante and ex post. It was argued that this was even required in light of the ECtHR judgments, which require ‘sufficiently robust’ and ‘effective’ supervision. However, as mentioned above, opinions differ as to the necessity of creating binding judgment. There seems to be less disagreement on the fact whether independent ex durante/ex post supervision should exist at all, as this can be more clearly distilled from case law. The proposed binding ex durante/ex post test by the Review Committee is thus also in line with this requirement.
Though it is thus not possible to effectively say that binding ex durante/ex post test is necessary, this may in fact be true in the Dutch case, as this may serve as necessary compensation for the removal of the binding ex ante test by the Commission. As a result, the system seems to pass the ECtHR test of independent, binding and effective supervision, thus being compliant with ECtHR case law. Some have specified that as long as the combination of two supervisory bodies (with different modalities of supervision) remains, this meets the requirements of effective supervision.[3] However, it is difficult to predict how the possible revised system of supervision, whereby two bodies are tasked similarly, but with different competences, may work in practice. The extent to which this complexity may become a serious issue, potentially jeopardizing compliance with the ECtHR requirement of ‘effective supervision’ is contested, however.
- Conclusion
Generally, it is argued that the proposed loss of the ex ante test by the Commission via the Cyberlaw is sufficiently compensated with the installment of the binding ex durante/ex post test by the Review Committee. This proposed system seems to meet the ECtHR requirement of effective supervision, and thus likely is in line with the standards of supervision required by case law. It is hard to conclude this with certainty, however.
Various parties have been quite vocal about their opposition to the Cyberlaw, but there are also multiple experts who have spoken out in support proposed changes. Reporting on the topic in media virtually all link the law to the controversy surrounding the implementation of the Intelligence and Security Services Act 2017. At the time, various interest groups initiated judicial proceedings to prevent the law from coming into force, ultimately to no avail. The public backlash against the new law seems to be less strong this time, however. This may also have to do with the fact that debates in parliament about the law are still ongoing, and only in preliminary stages as of this moment. Currently, no parties have indicated possible court proceedings as a result of the new law yet. This may of course change with time, however. While the public response to the new Cyberlaw may be relatively subdued at this stage, the possibility of future court proceedings and the ongoing parliamentary debates suggest that the final judgment on its effectiveness and compliance with case law by the ECtHR is yet to be given.
[1] See for example: Jan Daalder & Sebastiaan Brommersma, “Geheime diensten forceren nieuwe inlichtingenwet, toezichthouder stapt op,” Follow the Money, https://www.ftm.nl/artikelen/toezichthouder-inlichtingendienst-als-sta-in-de-weg.; Lotte Houwing, “De Cyberwet is een regelrechte aanval op de toezichthouder,” Bits of Freedom, https://www.bitsoffreedom.nl/2022/09/23/de-cyberwet-is-een-regelrechte-aanval-op-de-toezichthouder/.; Maurits Martijn, “De geheime diensten bedonderen ons, zegt de man die het kan weten,” De Correspondent, https://decorrespondent.nl/13987/de-geheime-diensten-bedonderen-ons-zegt-de-man-die-het-kan-weten/98e8c813-b1e0-05ea-1438-1c1612ed90b8.; Huib Modderkolk, “Nederland stemde tegen de ‘sleepwet’ en toch staat nu alles klaar voor grootschalig aftappen,” De Volkskrant, https://www.volkskrant.nl/nieuws-achtergrond/nederland-stemde-tegen-de-sleepwet-en-toch-staat-nu-alles-klaar-voor-grootschalig-aftappen~b2233e43/.
[2] See for example, Szabó and Vissy v. Hungary, No 37138/14, Eur, Ct. H.R. (2016), para. 77.; Big Brother Watch & Others v. United Kingdom para. 351., Centrum för rättvisa v. Sweden No 35252/08, Eur. Ct. H.R. (2021), para 265.
[3] See also comments by prof. dr. Paul Bovend’Eert, Rondetafelgesprek over de Tijdelijke wet cyberoperaties, Tweede Kamer, https://www.tweedekamer.nl/debat_en_vergadering/commissievergaderingen/details?id=2023A01504.
***
Photo by Arthur Mazi
