One central oversight body is tasked with the ex-post control of intelligence, surveillance and security actors in Norway: the EOS Committee. This oversight body is subject to one law, that defines its activities: the Act relating to the Oversight of Intelligence, Surveillance, and Security Services of 3 February 1995 no. 7 (Read the English version of the law from page 81 to page 84 in this annual report). This clear oversight architecture allows a more effective control of the services and provides statutory clarity.

The Norwegian EOS Committee’s oversight mandate covers the whole lifecycle of information: it examines collection, sharing, use of and access to information. Furthermore, EOS Committees remit is based on functions that are used and not on services. The Committee can therefore perform oversight where intelligence, surveillance or security functions are exercised. The function-based end-to-end approach avoids gaps in the oversight of ever more complex intelligence architectures.

In its decision on the BND Act in May 2020 the Constitutional Court (BVerfG) unequivocally affirmed that the right to private communication and press freedom as guaranteed under Article 10 and Article 5 of the German Constitution are human rights and not citizen rights. The Court clarified that the German state’s obligation to protect these fundamental rights cannot be restricted to cover only certain groups of people or only some geographical regions. Against this backdrop, the BND Act was amended to comply with the judgement. However, the practical implementation of this provision is difficult, and the level of protection remains in fact not the same for non-resident non-nationals, for instance when it comes to notification duties.

Foreign-foreign strategic surveillance with the aim of obtaining economic advantages is prohibited.

The Dutch Review Committee on the Intelligence and Security Services (CTIVD) has the power to review the weighting notes on international cooperation partners and the subsequent international cooperation, as such. The CTIVD also has to be informed of any exchange of unevaluated data. The obligation to inform was broadened by policy rules. The law itself stipulates that the CTIVD has to be informed of unevaluated data from bulk SIGINT interception.

Section 142 of the Investigatory Powers Act details the procedure for specifying operational purposes for bulk interception. Any operational purposes must be approved by the Secretary of State (142 (6)) and must go beyond what is already prescribed in law (142 (7)). Every three months, “the Secretary of State must give a copy of the list of operational purposes to the Intelligence and Security Committee of Parliament” (142 (8)). “The Prime Minister must review the list of operational purposes at least once a year” (142 (10)).

The criminal wiretapping statute contains a prohibition to engaging in real-time surveillance (18 U.S. Code 2511 (1)). The provision bans certain wiretapping activities and then creates exceptions to that general prohibition. Section 2511(4) exempts from this criminal statute lawful intelligence surveillance activity. But intelligence officials who conduct unlawful wiretapping are committing a crime. Criminal liabilities are rarely used in national legal frameworks on intelligence, but they could be an effective means to enforce compliance with regulations. Criminalizing certain forms of intelligence surveillance deters the misuse of surveillance powers. The penalty for intentional violations against the prohibition of real-time surveillance in the US wiretapping act can be up to five years of imprisonment (18 U.S. Code 2511(4)).

“In no event may signals intelligence (SIGINT) collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially; or achieving any purpose other than those identified in this section” (Section 2 of Presidential Policy Directive (PPD) 28).

In order to assess which countries the services can share information with, weighting notes are drawn up on cooperation partners. These notes must be kept up to date and provide information on the basis of five criteria provided in law:

1. 1. 1. a) the “democratic embedding” of the intelligence and security services in the country concerned;
2. b) the respect for human rights in the country concerned;
3. c) the professionalism and reliability of the service concerned;
4. d) the legal powers and capabilities of the service in the country concerned;
5. e) the level of data protection maintained by the service concerned.

Based on the five criteria listed above, Dutch intelligence services have to submit a weighting note for each foreign partner service they cooperate with. The weighting process requires several compulsory risk assessments on the basis of such notes. In addition, the pertinent policy rules from April 2018 state that unevaluated data from bulk cable interceptions may not be exchanged without the existence of a weighting note that covers this type of exchange. Put differently, in the absence of a weighting note for such a case, no sharing of unevaluated data can be authorized by the responsible minister. The Dutch review body, the CTIVD can review the notes and report to parliament whether it found them to be correct and adequate.

Section 3 of PPD 28 requires all competent department heads to “review any priorities or requirements identified by their departments or agencies and advise the Director of National Intelligence [DNI] whether each should be maintained.”