PEGA Committee of Inquiry: Twelve EU states do not oversee their intelligence services

Only 15 EU states have oversight bodies for their intelligence services, even though the data protection convention requires independent oversight. That makes it harder to control state trojans, the Dutch overseer criticised in the EU Parliament. We are publishing an unofficial verbatim transcript of the hearing.

The Dutch intelligence overseer Nico van Eijk speaks before the committee. – All rights reserved European Parliament

The European Parliament’s committee of inquiry on state trojans held an exchange with Nico van Eijk on 28 March. The chair of the Dutch intelligence oversight body spoke about independent oversight bodies and the European data protection convention.

The regulation and oversight of intelligence services is a national matter. Independent oversight therefore differs from state to state. Only 15 of the 27 EU states have independent oversight bodies at all. Eight of them, including the United Kingdom, work together in a working group on intelligence oversight. These differences need to be harmonised.

Oversight and control must not be static, because technological progress changes a great deal. Van Eijk said that regulation must be able to respond to events flexibly and adaptably. A tool for this already exists:

All EU member states are members of the Council of Europe’s data protection convention, the so-called Convention 108. This convention has been updated. A very, very important part of this update, which is generally called Convention 108+, is the inclusion of the national security domain.

Convention 108+ is therefore the only existing binding European framework dealing with the processing of data by intelligence services. It also contains the criteria that must be met regarding the powers and independence of oversight.

Basically, all EU member states have signed Convention 108+, several have already completed the ratification process, and many are in the process of ratifying it.

Following Nico van Eijk’s contribution, the MEPs discussed ways of implementing the framework set out by Convention 108+. Sophie in ’t Veld, the rapporteur, expressed concern:

The member states that comply with the standards of Convention 108 are evidently not addressing their colleagues. Because in the European Council and in the Council there is silence, complete silence. So they tolerate other member states breaking the rules. I find that very worrying.

The second part of the session was to be a virtual meeting with the Defence Committee of the Spanish Parliament. Because of technical difficulties with the interpretation, the session had to be broken off after a few minutes.

There is a video of the hearing, but no official transcript. We are therefore publishing an unofficial verbatim transcript of the hearing.


  • Date: 2023-03-28
  • Institution: European Parliament
  • Committee: PEGA
  • Chair: Jeroen Lenaers
  • Expert 1: Nico van Eijk – Chair of the Review Committee on the Intelligence and Security Services, The Netherlands
  • Expert 2: Defence Committee of the Spanish Parliament
  • Links: Video
  • Note: This transcript is automated and unofficial, it will contain errors.
  • Editors: Anna-Lena Schmierer

Nico van Eijk, Chair of CTIVD, Netherlands

Jeroen Lenaers (Chair): Good morning, everybody. Welcome to the continuation of our take up meeting, which we ended last evening. The first item for discussion today is an exchange of views with Mr. Nico van Eijk, who is the Chair of the Review Committee on the Intelligence and Security Services or in Dutch the Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten, CTIVD. I would like to thank Mr. van Eijk for his availability and his willingness to come for this exchange with our members and to discuss on independent oversight in the domain of national security. I will give you the floor for about ten minutes, and then we’ll open the floor for questions from the colleagues. So you will have ample opportunity also to add things to the introduction based on the questions that our colleagues will raise. But for the first introduction, please, you have the floor and take your time.

Nico van Eijk (CTIVD): Thank you. First of all, thank you for the invitation to speak on independent oversight. I will, in my introduction, also focus more in particular on the European Convention 108+, which gives a first structure to independent oversight. Let me start. Independent oversight has an important role to play in the context of national security. Together with parliamentary oversight and the involvement of the courts, it contributes to the lawfulness of the activities of intelligence and security agencies, while at the same time protecting fundamental rights. Independent oversight can provide transparency where secrecy is inherent in the domain of national security. National security, and therefore the activities of intelligence and security services have become increasingly dynamic. Developments that take place in society require flexibility and quick adaptation to deal with rapidly changing behaviour and technological changes, in, for example, the cyber domain. Static regulatory frameworks are no longer an adequate response to these developments.

Predictability is more complex, and it’s not realistic merely to split up dynamic activities into static concepts such as ex-ante, ex-durante and ex-post. All this is not unique to the domain of national security. There are clear similarities to, for example, the information and communications technology sector, where there is also a lot of dynamics. However, there is no European framework for independent oversight of national security, regulation is national, and there are substantial differences between the member states. This was confirmed by the recent update given to your committee by the EU Fundamental Rights Agency. About 15 Member states out of 27 have independent bodies responsible for oversight of intelligence and security services. These bodies, they exchange views in the context of the European Oversight Conference, and eight of them, including the U.K. independent oversight body, participate in the Intelligence Oversight Working Group and work on concrete projects to improve independent oversight.

For a long time, the only European guidance was offered by the European Court of Human Rights, which has a long tradition of decisions on national security. It has underlined the importance of independent oversight and the need to take binding decisions. It has decided on the lawfulness of practices in the context of national security, such as bulk interception. These decisions of the European Court of Human Rights, based on the European Convention on Human Rights, are part of the EU acquis. This is made explicit in the EU Charter of Fundamental Rights. The Luxembourg Court has also started to look into national security related topics. All EU Member States are members of the Council of Europe Convention on Data Protection. The so-called Convention 108.

This Convention has been updated. A very, very important part of this update, generally called Convention 108 +, is the inclusion of the National Security domain. Convention 108 + is now therefore the only existing European binding framework dealing with the processing of data by intelligence and security services. It also includes the criteria that need to be met regarding the powers and independence of oversight. Basically, all EU member states have signed Convention 108 +, several have already finalized the ratification process, and many are in the process of ratifying it. This again makes Convention 108+ part of the EU acquis.

In a public memo, the two independent oversight bodies of the Netherlands have described why Convention 108 is so important for overseeing the national security domain. Let me give you an illustration of its relevance. Convention 108 is fully applicable to the national security domain. This means that national security regulations must comply with it. The applicability concerns the area of oversight, but also the requirements, principles and rules in the Convention on the collection and processing of personal data. To the extent that the Convention allows a few specific exceptions and restrictions in the context of national security, each specific exception or restriction must be provided by law, must respect the essence of the fundamental rights and freedoms, and must demonstrate that it, I quote, “constitutes a necessary and proportionate measure in a democratic society on one of the legitimate grounds listed in the Convention.” It also explicitly states that exceptions and restrictions must not interfere with the independent and effective review and supervision under the domestic legislation of respective parties. Convention 108 + states that oversight shall have the powers of investigation and intervention, effective review and supervision and place binding powers where the impact on the fundamental rights is the greatest, particularly in accessing, analysing and storing personal data. Binding powers must deal with the restrictions. Termination of data processing, including data minimization and data deletion.

It should be noted that these kinds of oversight powers are also required under the current EU standards laid down in the GDPR and the Police Directive. When it comes to protecting the rule of law as effectively as possible, the lack of binding powers within the domain of national security is incompatible with the criteria, that is, I quote, “constitute a necessary and proportionate measure in a democratic society.” Convention 108 imposes on the state parties an obligation to require that data controllers, therefore, including intelligence and security services in the case of national security, provide the oversight body with all relevant information concerning the transfer of personal data. The reasons for trans-border exchange of data must also be substantiated. This includes an obligation to grant the oversight body the power to prohibit or suspend the exchange of data or subject it to conditions.

Convention 108, it is also specific on the cooperation of oversight bodies. They must cooperate with one another to the extent necessary for the performance of their duties and exercise of their powers. Particular forms of cooperation I mentioned: mutual assistance, coordinating investigations and interventions, conducting joint actions. Furthermore, the Convention obliges the parties to establish a network of oversight bodies. By signing it, the member states of the EU have already committed themselves to Convention 108 +. Further commitment by ratification and actual implementation of Convention 108 + will support independent oversight in the national security domain. It contributes to the lawful activity of intelligence and security services. It contributes to the protection of national security and it contributes to the protection of fundamental rights involved. Thank you.

Jeroen Lenaers (Chair): Thank you. Thank you very much, Mr. van Eijk. So thank you for being so concise, yet comprehensive in your introduction. And I personally find the reference you make to Convention 108 + very interesting. We had this discussion before once some time ago when we met personally. And I think it’s very important that this is also one of the directions that we seek towards implementing this more effective oversight. But we first go to the questions from our colleagues, and we’ll start with our rapporteur, Sophie in ’t Veld.

Sophie in ’t Veld (Renew): Thank you, Chair. And I would like to thank our guest for being available on such short notice and to share his views on a very important topic with us. Because I think in recent years, we have seen how the powers of the authorities to use personal data or to invade into our personal sphere have increased, but oversight has not necessarily been strengthened. A couple of questions in random order: So you say 15 member states have independent oversight bodies and they meet in this European oversight conference and out of 15, eight, but that also includes the United Kingdom, are working together in the Intelligence Oversight Working group. What about the others? Because quite frankly, I think the Netherlands, which is generally seen as a very good model, is also struggling to exercise effective oversight. There is this constant and I think natural, let’s say, power struggle. But even in the Netherlands, there are concerns which have also been voiced by one of your former colleagues. So what about those who have independent bodies? Is it sufficient? And what about those who do not have independent oversight?

Then you say all the member states of the European Union have signed Convention 108, some of them have already ratified, but some of them are clearly not acting in line with the standards laid down in 108. And not only that. Those member states who may respect the standards laid down in Convention 108 are clearly not addressing their peers, because in the European Council and in the Council there is silence, complete silence. So they are tolerating that other member states are acting in breach of the rules. I find that very worrying. And what means do you see, what instruments do you see, to enforce the rules, to ensure compliance.

Then Convention 108 deals with the protection of privacy and fundamental rights. But we see that the abuse of spyware has, I think, its biggest risk probably is for democracy. If we see how dissent, criticism, opposition is being oppressed and spyware is used as a tool for the oppression, but also manipulation of elections.

Then two last questions: In this, let’s say, conference or the gatherings of the independent oversight bodies, has there been a debate about the Pegasus scandal and the abuse of spyware? And finally, what are your thoughts about a definition or demarcation of the concept of national security? Thank you.

Jeroen Lenaers (Chair): Mr. van Eijk.

Nico van Eijk (Chair of CTIVD): Thank you. Thank you for your questions. The National Security is … I have a long track record in being involved in EU related topics. I’ve seen media develop from nothing into a now more coherent framework. I’ve seen the whole creation of the telecommunications sector and regulation. I’ve seen the Internet companies developing and what the European Parliament has done in this context. And I had a personal reason to be involved in national security because of that, because it’s almost the only domain, which is still not harmonised. And that lies at the basis of: Why are there so many differences? The update by the FRA clearly shows that although you can attempt to find models that … basically there are as many models as there are member states and that’s why also Convention 108 is so important because it’s the first instrument that starts harmonising to some extent the national security domain. And for example, clearly states what needs to be done in order to create independent oversight. And it’s not a choice to have independent oversight. It’s an obligation to have independent oversight.

So I assume that the countries, who are members of the Council of Europe, that the EU member states that have signed the Convention, so governments of all EU member states have said: “In spirit, we share the values of Convention 108 +.” There are also six EU member states that have taken the opportunity to say: “Although the Convention has not yet entered into force, we will act already accordingly to it.” That’s an option that the implementation process provides for. So I think that many countries are now looking into this Convention.

And of course, the next step is: How do we need to implement it? And that’s where we also have difference between, let’s say, those who are more active in our international cooperation and those who are still in the struggle of convincing governments that independent oversight means something and means that as an oversight body, you need to be capable to take certain steps and to have a certain involvement. And a topic that your commission is dealing with is, for example, one of those topics where the Group of Eight talks about: What is a good framework to look at new technological developments, how to put them in a more structured context. I read yesterday’s executive order by Biden. That’s another example about how to implement a system of checks and balances, and independent oversight is an absolute necessity to have a system of checks and balances. And if the oversight body is not structured in a way that it can truly contribute to the debate, which is something Convention 108 wants to safeguard, wants to guarantee by saying “there needs to be sufficient budget”, then people need to be independent. The oversight bodies have an important role in transparency and communication about informing the audience about what’s happening in a domain of national security, where, of course, secrecy is a very, very important thing. It’s inevitable, but there is still a lot of room, if it’s given to an oversight body, and there are best practices, there are examples of how oversight bodies can do that.

Convention 108 is also very clear on the fact that oversight needs to be effective. And oversight is a profession, it’s not an excuse. So we clearly see that in these discussions, and that’s also why it’s so important that we can meet and that we can talk to each other, even though everything is secret or most of it is secret, we can still talk about: How do you deal with an issue such as bulk collection of data? What kind of staffing do you need? What kind of expertise do you need as an oversight body? And the differences in the oversight bodies are still very large. There are very small ones, there are large ones, there are more professional ones. But in this framework, we try to be frank to each other, we have open discussions and we have a clear point on where we want to go. Well, clear the weather can change from day to day, but we still have this view that independent oversight is very important. And that’s why I so much am emphasizing that we already have an instrument Convention 108 +. It’s part of the EU acquis, 13 member states have already ratified it, 26 have signed it, six have already said “we’re acting already accordingly to it” and I think that’s the message that I want to send to the Parliament that I want to send to the EU governments: We have already made so many steps. Let’s continue those steps also there where we have now also sometimes experiences which only emphasize the importance to have good oversight.

Jeroen Lenaers (Chair): Thank you very much. Mrs. Barley.

Katarina Barley (S&D): Well, thank you very much for this very interesting intervention. As usual, Sophie in ’t Veld has already thought of all the interesting questions, especially the last one, when it comes to the concept of national security. This is what we hear here every time when we have national authorities and we ask questions. There it’s “we can’t talk about it.” “We can’t, you know, reveal we … mh mh mh, it’s national security.” So I don’t know if you can or want to answer this, but do you see in the majority of the member states or in some at least a willingness to have this sort of independent oversight being effective? I don’t know if my colleagues share this sentiment, but mine is that at least the people responsible for national security in the member states take a stance of “this is such an important interest and we actually think this…” You know, these data security people, data protection, la la la, I can’t say that they don’t take it seriously, but they don’t really want to have anyone getting into their business. So do you see an openness in the member states? I’m not talking about the data protection people, but about the national security people.

The second question, the Convention 108 +, if I know it correctly, is from 2018, right? So five years in AI data protection is a very long time. Would you say that if we did it today, there would even have to be things that we would have to add or change? Is it still completely what we need? Or is there more to do? Yeah. And I think everything Sophie already mentioned, thank you.

Jeroen Lenaers (Chair): We will change the order of speakers for the next… I sense frustration in the room. I’m joking.

Nico van Eijk (Chair of CTIVD): Yes. To the notion of national security: There is a lot of leeway to have national interpretations of national security. Nonetheless, it’s also clear when you have more international instruments and you have more decisions of courts, the definition also becomes clearer. So for example, in more recent discussions, the court in Strasbourg has indicated that national security is not a loose term that you can use as an excuse to use powers that nobody else has. It has also indicated that you have to be very careful to call everything national security. It has indicated the distinction between severe crime and national security. You cannot call every severe crime national security, although the actual threats, that’s one of the big challenges because it becomes closer and closer, serious crime can present, even if it’s not intended to be a threat to national security, can be a threat to national security. If courts are no longer free to talk, if lawyers are no longer free to talk because they get guilt, then this becomes a matter of national security to some extent.

But still, you need to be sure that boundaries are respected. And when I, in my introduction, mentioned cyber. Cyber is in particular one of those domains where, of course, a lot of the data is around. And in this domain working matters are such that you cannot solely say “oh, we need a warrant and then everything will be okay.” Because things happened very, very quickly. So already for the legitimation of the activities of services, it’s important that if it means that there need to be more possibilities to act on the spot, that trust in society is there. And one of the ways to achieve that is by having independent oversight, which is then, like I mentioned [incomprehensible], something which is embedded in the traditional model that we have developed in the EU through the last 30, 40 years for fast moving environments. Like in competition, like in technology sectors. Which means that an oversight body is there permanently. And weighs the risks, weighs the interest of national security vis a vis the interest of fundamental rights. That is not a static oversight body which writes a report once a year, where there it’s fully embedded in the kind of activity that today’s society, maybe some people would say unfortunately, but what today’s society requires to keep society and citizens safe. Safe, both from a national security perspective, but also safe from a fundamental rights perspective.

So this is a different, I would say more evolving way of looking to oversight, an evolving way that we went through in all these other dynamic sectors and that we are now going through, sometimes in very quick steps and very confrontational, going through in several member states. And yes, of course, things will take time and that’s why I emphasize the importance of Convention 108 because it’s already there. And you have a building block that you can use, that you can work on and that you can use to further discuss: What does it mean, national security? But that will always be a complicated debate. But if you have an oversight body that looks into national security, the definition is covered by the fact that the oversight body has authority. So this is, again, my remark about: Don’t try to think that you can solve everything beforehand, that you can have a clear definition and that it will work. No, I’m trained, [incomprehensible] of the Court of Strasbourg, and I’m trained with the concept of it being a living instrument.

This is typically a domain where oversight needs to be able to be part of a living instrument system. So we need to be honest on the fact that we cannot find all the definitions, which means we often have to look more into a capable toolbox which can be applied to things that we have never thought of, that they would happen. If the plumber comes to you and he has a wrench ten and a wrench 12 and you have a pipe that needs wrench 14. Then he could go home and try to order a wrench 14. He could also have a tool, a [incomprehensible], I don’t know whether this is a proper word, but that can do all the things. And that’s why it’s so important that an oversight body has this broader authority, like many other oversight bodies, and it can give confidence to services that what they are doing is lawful and it can give comfort to society that if things happen which are not in accordance with the law, that the oversight body can say “it has to stop, and if you don’t agree, we still have the courts.” That’s how we normally work in these kinds of situations. And the things that national security makes special do require some adaptations to that.

We cannot prior inform a target that he is a target, but we dealt with that also under the police directive. And there are several other things: Fining an intelligence agency is not very helpful because we assume that states have unlimited resources. So it’s much more important that you can say “this action needs to be stopped and or need to be reviewed before it can continue.” And mature oversight bodies are not going to hamper the effective protection of national security, as oversight bodies have never been there to stop markets from working, have never been there to stop the information exchange between citizens. This is where we have learned a lot in the last 20, 30 years, when we started establishing independent oversight bodies within the EU framework, about how oversight bodies have to behave, how governments have to behave, how private parties have to behave.

Jeroen Lenaers (Chair): Thank you. Thank you very much. Saskia Bricmont.

Saskia Bricmont (Greens): Good morning, everyone, and thank you [incomprehensible] van Eijk for intervention. Sorry I arrived a little bit late, but nevertheless, I have some questions for you. Considering the very intrusive capabilities of a spyware such as Pegasus, do you consider it and its use in line with the EU law, including the notion of the principle of proportionality, for instance? You’ve been talking a lot about oversight bodies. Would you see them both at national and EU level? Could you a little bit develop maybe what would be the frame of such an oversight at national and or EU level? Who would it be in that body? Experts? Politics? Could you maybe develop a little bit?

And also, would you see in the EU law additional safeguards to add in the current frame and or limit the use of such spyware? Because you know that we’re talking about that also in our recommendations to have such a conditional moratorium. And I think the opportunity of our exchange today to maybe also share views on the very fresh news coming from the US. Biden administration just decided to prohibit the use of commercial spyware if threats to national security. So I presume it will be also a question of interpretation. But nevertheless, I’m interested in your view on this decision and if somehow it could inspire us at EU level. Thank you.

Nico van Eijk (Chair of CTIVD): Thank you. Thank you. Intrusiveness is always an element that needs to be taken into account when an independent oversight body has to look at proportionality issues. So several of the annual reports of my colleagues reflect that independent oversight focuses on what other independent oversight bodies also do, on risk-harm-analysis. So the more the risk, the more cautiousness is necessary. And this then needs to be translated to the domain of national security. So spyware is part of more questions that independent oversight bodies deal with like vulnerabilities. So this is also where you see that they develop a risk-harm approach and I also make the link to your question about the executive order. This executive order in a U.S. context reflects those kind of thoughts. So it doesn’t say like this is the case, for example, with bulk interception. It doesn’t say it’s forbidden to use spyware. It’s already, again, very complicated to define what spyware is because technological developments are ongoing. Is spyware, by definition, technological? Is it software? Is it hardware? Is putting a microphone near a device, is that also spyware? So but I think I have reflected on what you can do with definitions. You can give guidance by definitions, but it’s very complicated to find a definition which really covers everything. And that’s where independent oversight then should have the flexibility, from a normative framework, to look at what should be done.

And this normative framework is something you also see in this executive order. It says “if spyware is not complying with several criteria, it should not be deployed or it should be deployed under specific circumstances.” So, for example, the high risk element in the executive order is very clearly reflected in several obligations of the intelligence sector in the U.S., to report, to register, to explain, bound by terms to do that annually or monthly. It says within 90 days, the intelligence sector should give an overview of what kind of tools they are using. So that already reflects that in this executive order this is not an ordinary means that is being used in the context of national security. But it also reflects what I would see as partly the task of independent oversight bodies to have this control role, to be involved in compliance related issues.

My own oversight body is very much working on creating a good environment of compliance, so that, you know, that if there are things that are more intrusive, that they are also dealt with as being more intrusive. And that’s also why it’s a permanent task because awareness is not something that comes and stays, something where, in dialogue, you need to be permanently available for further discussion and explanation. We very much stimulate in our daily practice that if the intelligence services have questions about their working methods or new developments that they enter in dialogue with our oversight body, because nobody benefits from the fact that two years later or three years later, we conclude that something is not lawful. But that demands a serious investment and I think the benefits on both sides are becoming clearer and clearer. And you need that kind of mutual benefit to move forward.

And in my view, that’s what we as oversight bodies are pushing for and I think that’s what these kinds of discussions, the fact that we pay a lot of attention to the relevance of national security and how trust is needed, that all this contributes to improvement. Is the improvement going at the same speed as we all wish? I have many colleagues who wished that things would move faster and even faster than just within the framework of a national oversight. Because if we harmonize national oversight and it results in a well running steam train, we still have to be aware that we by now have fast moving trains. And so our point of reference should not be only our own best practices, but also best practices in oversight in general, and Convention 108 reflects best practices [incomprehensible] in how to deal with data related aspects of national security.

And that’s where I want to end by also saying we are talking very much about data, which is obvious because intelligence services work with intelligence, but they do also a lot of other things. And that comes to your question: where should we position oversight? The report of the FRA has several remarks about what happened after the GDPR. In some countries, privacy bodies were given tasks in the domain of national security, but in some countries they were taken away. Countries are free to choose what kind of model they have. I think, although data is very important in a domain of national security, national security is a little bit more than just data. And for the time being, I think it’s very relevant to have a focus on national security in oversight and not to split it up in little particles and to give a little bit of it to one authority, give a little bit to another authority, give a little bit to a third authority. There are countries that have such a complex system of oversight that it takes a Bible to describe the system. I don’t think that’s how it works. And that’s why we learned from other types of oversight how we can improve. So that’s what I’m very much encouraging. Look a little bit outside your own box. Responsibility in society, transparency are topics that are not exclusive for national security to make.

Jeroen Lenaers (Chair): Thank you. Thank you very much. And I just have two questions of my own to add. First, on the Convention 108. Of course, some suggestions have been tabled also to the recommendations and the report that our rapporteur is working on in order to call on the member states to ratify it, and for those already to adhere to the standards of the Convention, even if it hasn’t yet entered into force. Is there anything more that we could do from this Parliament’s perspective with regards to Convention 108? Is there something more we could do from the European Union, part of the Council of Europe? Because of course there are two different organizations, but if all EU member states have signed the Convention, would it be feasible, would you say, to develop European legislation in the field that sort of covers the same aspects?

Secondly, on the Biden executive order that was already mentioned, I also read it with great interest today, yesterday, and it says two things: “we won’t use commercial spyware if it sort of threatens the security interests of the U.S. or if it can be improperly used by foreign governments or persons.” Of course, I was also thinking at the same time, it is fairly easy maybe to say for the U.S. in the sense that they are not, as a country, reliant on commercial spyware as such. They have the capacity to develop their own, and there is no word about improper use of their own technology or their own services. And the problem, of course, that we’ve seen in Europe is not so much, also partly the improper use by foreign countries or persons, but the improper use of the services of these particular member states themselves.

So how do you see that in the context of the executive order? And do you see if there is in terms of oversight, whether there is a difference between countries or member states of the EU using self-developed technology like we see also in some member states and who are not reliant on commercial spyware if they want to use these capabilities and those member states who are solely reliant on external access for getting the same results.

Nico van Eijk (Chair of CTIVD): Thank you. It will definitely help if that would be a call on the member states to ratify and already act accordingly if they have signed, which is the case. So like I said in my statement, they are already morally bound by it. And six member states have said we are not only morally bound by it, we will respect the Convention as it is. It would be helpful if the … there are exceptions allowed that offers the opportunity to Parliament to express what it thinks about exceptions. When I call for binding powers, then I’m doing so because the court in Strasbourg has already said that the context of bulk data collecting that there need to be binding powers by independent oversight. It sometimes takes years before the court gets a case, and many of the case law of the court relates back to cases that happened four or five years before. So with quick developing technologies, I think it’s interesting and helpful if there would be clear statements about how to look at future developments.

And this is where I put forward my toolkit approach to say “in the toolkit of oversight bodies, there needs to be at least this or that or that or that, that has a harmonizing effect.” So some minimum requirements or as far as Parliament wants to go in this, again, Convention 108 offers the opportunity to member states. And let me be clear, the EU is allowed to be a partner of Convention 108 +. 108 + is not limited to the member states of the European Union. Like with the Cybercrime Treaty it’s also possible that the US becomes part of this treaty. And that’s something a lot of people forget. The cybercrime treaty has … its value lies to a large extent in the fact that other countries than EU member states or even member states of the Council of Europe can adhere to it. You were asking questions about technologies. Services work together, of course, meet each other. They also discuss technologies. Maybe they develop together technologies.

This is cooperation. And that’s why it’s so important that the Convention 108 has particular provisions on cooperation, because when cooperation ends, as far as oversight, at the border of your country, there will be many questions about cooperation. When oversight can work cross-border it allows oversight to share what also services are sharing. That’s a very, very important thing. And by the way, this is one of the provisions in Convention 108+ that doesn’t allow exceptions. Well, it does allow some exceptions. Let’s not go into too many details as far as exceptions are concerned. But the fact that it says “this needs to be part of oversight” is a very important step, because in various countries, international developments are excluded from the tasks of independent oversight. So it would definitely help.

My Belgian colleagues just this month, it’s still March, just this month published a report where they also ask this question “Should we be more self-proficient when it comes to buying into commercial products?” This is based on an earlier revelation about a corporation where Belgium was excluded. Switzerland has had a similar debate, so countries are becoming more aware. So this is not just a debate that started because it’s a popular or an interesting debate today to what extent the European Union should be self-sufficient. This started already two or three years ago in the domain of national security. Because if you buy stuff, it requires an extra step to understand how it works. This is what you also see reflected in the executive order. It clearly stipulates that if you buy commercial products that you need to understand these commercial products, that you need to know how they work.

In the Dutch case, we recently published a report on OSINT open-source activities, which nowadays also require very highly sophisticated tools. Open source is not about reading the newspaper anymore or a telephone guide. It’s about very, very highly developed tools which can access enormous amounts of database at the same time, sometimes specialized private databases. Similar questions arise like: “Do you know what you’re buying? Does the third party that you’re buying from still have access?” And this is where oversight bodies deal with these questions that your committee now is focusing on in many, many other ways. One more than the other, because not everyone has the same authority to deal with these kinds of questions. But let’s say the Group of Eight is particularly composed of oversight bodies that do have responsibilities in this field, explicit responsibilities.

And they want to be challenged and they want to discuss with each other how to apply this. What kind of technical expertise do you need? What kind of technicians do you need in your staff? Is this something where you need to have not just one or two people, but a sufficient continuity to monitor technological developments? Because a lot is technology. In my staff there are several people who have particular expertise in hacking or particular expertise in computer design, in software design and processing, etc. Not to do the work of the services, but to understand what they are doing and to avoid misunderstanding and to use that also in public communication to explain. Again, one of the important things that is explicitly mentioned going on it the role of oversight bodies as the communicating step between everything what is secret and only having to believe what the interested party tells them, even though if that is objectively correct, to have that confirmed or looked into again by an independent oversight body. And that’s why it’s so important that also these rules apply on how these bodies are being put together.

Because here we also have an extensive EU acquis to say that needs to be an independent body, which means that the people in the body need to be independent. It means that you need to have a sufficient mandate that you can’t be fired on the spot. Things that the FRA has also mentioned in its earlier 2015 and 2017 reports which we can find in all kinds of documents on, for example, media oversight. Very important studies were done, I think almost a decade ago on what it means to say “We have independent oversight on media” because media is also a sensitive topic to put it that way. So I hope that that experience through having already a framework, will come to more value and will be introduced in debates about creating new independent oversight bodies where there are no independent oversight bodies or to improve the functioning of the oversight bodies.

Jeroen Lenaers (Chair): Thank you. There was a follow up question from Saskia Bricmont.

Saskia Bricmont (Greens): Yes. Thank you. You touched upon so many topics that I was wondering: you were talking about steam and speed trains. In the discussions I have had with people more related to secret services, they were also saying that we as legislators should work on the obligations for providers, producers of technologies, of apparels, to fix vulnerabilities and to work on that parts of the issue to limit the possibilities to use very intrusive spyware and or phones and apparels. What do you think about that with your knowledge of the situation? Is it possible at all? Aren’t we always one step too late to fix things? And technologies will always have a [incomprehensible], some advance.

And my second question is related to what Sophie asked in her list of questions: Have you been talking about Pegasus and related issues in your organisation? And related to that, do you also touch upon the victims issue? So the access to remedy, the possibilities for victims to access to information if they’ve been spied on? What’s the follow up? Have you had sometimes contacts with victims yourself or in a structural manner? I would like to know that. Thank you.

Nico van Eijk (Chair of CTIVD): One of the things that is part of the Dutch oversight [incomprehensible] is the fact that we have full access to all information of the services, which means that at the desks of my staff there are screens which offer access to the data of the services. I think that, and this is a basic principle of independent oversight, it’s the same with competition authorities or media [incomprehensible], that you have full access to all information. It creates an enormous level of awareness on the side of the oversight body, but it also creates a high level of awareness on the services involved, because they know that they have an oversight body that has access to their information. All our staff people have access to all buildings of the intelligences. Are we using all those means to be there as daily spies to spy on the spies? No, but this is what is part of a normal oversight model. This is part of the high speed train. This was not part of the steam train.

So best practices for me is in particular looking at what has technology already to offer and what might the future have to offer. It’s thanks to my staff that I get informed, but I think I can understand it still, although people might think that I’m a little bit old, but it’s a thing that I’m very much interested in. Technology is just moving very rapidly. We cannot predict things. We can’t predict the unpredictable, and that means that we have to shift towards more a toolkit approach, a risk-harm approach. Then we can put everything in solid legislation. That’s just a fact of life. And we have seen that development in many other domains. So I’m only saying please take that into account.

Convention 108 + has an explicit provision that says that oversight bodies need to deal with complaints. So that partly already answers your question. We have a complaints department that receives complaints. But I honestly think that complaints should not be the driver of having a good system of national security. That should be inherent to it. So complaints are a what we call a sui generis mechanism. It’s not to compensate for oversight. But I can tell you that the oversight committee, which is, by the way, the only one who has at this moment within my oversight body and which functions fully independently from oversight in general, has last year for the first time after they were granted binding powers, decided that a particular set of data sets need to be destroyed because the law just obliged to the destruction of these data sets. So yeah, things happen. But again, complaints are one of the means, but for lawfulness, we should not, in a democracy, under a rule of law, depend on complaints. We should have a good system of checks and balances and complaints is something that is part of it.

Jeroen Lenaers (Chair): Thank you. Thank you very much. Mr. van Eijk, there are no further questions. So we thank you very much for, again, for your willingness to be with us today and for a very, very interesting contribution on the topic of oversight with some sidesteps trains and plumbing equipment. It was very interesting. And I think it’s also a lot of food for thought for our committee as we work to a conclusion of our findings and recommendations under the leadership of our rapporteur. So thank you very much. And please keep a close eye on what we do. And if you have any suggestions, feel free to also proactively share them with us. Thank you. Thank you so much.

Nico van Eijk (Chair of CTIVD): Thank you very much for the invitation. And I’ll share this with my international colleagues.

Jeroen Lenaers (Chair): Great. Thank you.

Defence Committee of the Spanish Parliament

Jeroen Lenaers (Chair): The next point on our agenda is an exchange of views with the Defence Committee of the Spanish Parliament. I’m just going to check whether we have already established a connection, because officially we would have said 10:30. Okay. I hear it’s probably best if we just stick to the original time and start the meeting at 10:30 with the Spanish Defence Committee. Oh, sorry. 10:15. I was mistaken. So we take a small break of 7 minutes and we will reconvene at quarter past 10 for our exchange of views for the Spanish Defence Committee. Thank you very much.

Jeroen Lenaers (Chair): Okay, colleagues, if everyone could take their seats, we could start the meeting. Okay. Dear colleagues, as I already indicated, today’s second item for discussion is an exchange of views with the Defence Committee of the Spanish Parliament. Of course, as most of us are aware, this was originally foreseen during our mission to Spain last week on Tuesday. We even made it to the Spanish Parliament but there was such a delay in the debate on the motion of censure that even though we did appreciate the hospitality of the Spanish parliament that we received, we unfortunately could not have the meeting as planned. Also because we did not have much flexibility in our program given the fact that we had a press conference already organized directly afterwards of this meeting.

So when we were there, we did agree that both sides saw the added value of having such an exchange of views with each other, and we decided to see if we could organize a digital meeting at the shortest possible notice. Now I think a week is quite short notice in that sense. So we have organised this with a very limited time frame available to us, which also means that we are going to improvise a little bit. We don’t have a set speaker lists for the moment, but if I understand correctly, we will be meeting with the Defence Committee Board and also representatives of the ten existing parliamentary groups in the Congress of Deputies. Without further ado, I would therefore like to test the connection with our Spanish colleagues and already thank them for their willingness to be with us. Yes, we have. We have contact.

Spanish Defence Committee Board and representatives of Congress of Deputies: Good afternoon. It is a pleasure to be here with you this morning. I would like to begin by welcoming you and by apologizing for what happened last Tuesday. We had planned for a break in the motion of no confidence. We had planned a meeting of about an hour, an hour and a quarter. Unfortunately, during the debate … Around the motion of no confidence in the government and this was a very important milestone in our parliamentary debate and unfortunately we didn’t have that break. We were not able to meet with members of the European Parliament…

Translator: I’m afraid. The sound is unacceptable, and the interpretation will not be able to continue.

Jeroen Lenaers (Chair): Excuse me, Mr. Chairman, sorry for interrupting you, but there seem to be some issues with the background noise and the connection, which makes it impossible for our interpreters to interpret the Spanish into the other working languages of the European Parliament. I am not sure if we will be able to address that at short notice or whether there is another possibility to at least provide interpretation in one of the languages.

Spanish Defence Committee Board and representatives of Congress of Deputies: [in Spanish] Yes, good morning again. Yes, good morning, hello?

Jeroen Lenaers (Chair): Yes, we can hear you. I’m just looking at the interpretation in the room here to see whether this … Because we can hear you quite well, actually, in the room here.

Jeroen Lenaers (Chair): If you give us one more moment with this, check with us with the interpretation services here to see if we can address this, one second, please.

Spanish Defence Committee Board and representatives of Congress of Deputies: [untranslated Spanish – incomprehensible]

Jeroen Lenaers (Chair): Can you just allow us for two more minutes? We’re trying to find a solution here. We are hopeful that it will work, but we need two more minutes.

Spanish Defence Committee Board and representatives of Congress of Deputies: Okay. Doesn’t matter.

Jeroen Lenaers (Chair): Dear Mr. Chair, it seems that under the current circumstances of the connection, we will not be able to have interpretation of the meeting. And since we unfortunately don’t have all native Spanish speakers present here in our committee meeting today, it would mean that we will not be able to have a full exchange of views in such a way that all members of both the Spanish and the European Parliament will be able to understand it. I’m very disappointed in this. It’s unfortunately not the first time that we have been confronted with these issues.

We have made a number of creative proposals for solutions, but none of them were acceptable for our interpretation. So in that sense, I’m afraid I have to cancel the meeting. With apologies to you and the members of your committee, for not being able to make the technology work in such a way that we can have this exchange of view in a proper way. So with my sincere apologies, I would like to thank you for your availability both last week and this week. And maybe we can, if we can find a way to exchange in written form. But unfortunately, the technology according to the interpretation services of the European Parliament is not adequate for interpretation. And I would like to underline that for us here in the room, the quality was more than adequate to understand what you were saying. But there seems to be no willingness to further engage on this. So it’s very disappointing, but this is all I can say about it at the moment. I do apologize and we look forward to an opportunity in the future. Thank you. Sophie.

Sophie in ’t Veld (Renew): You know, if it’s [incomprehensible], it’s [incomprehensible]. But this is the umpteenth time, and for some reason in other committees, or at least the ones that I’m a member of, we haven’t had this problem or not with the same frequency. I don’t know what’s going on. I mean, it’s not your fault, I understand, but we have to find a solution because it’s happened nine times out of ten. I don’t know what’s happening, but every time it seems to hit this committee is very embarrassing, it’s frustrating. You know, we were looking forward to this exchange since last week, since we didn’t have the opportunity to meet when we were in Madrid. We have to find a solution. We cannot every time, you know, come to a meeting and find out whether or not there is interpretation. So I hope that the services can conduct an investigation, an inquiry, and find out what the problem is.

Katarina Barley (S&D): Maybe I think things like this can be checked in advance. I mean, if they have a setting where they say “our speaker will sit”, then this can maybe be checked in advance. I also find it terribly embarrassing. I can only agree.

Jeroen Lenaers (Chair): I fully share the embarrassment. Just [incomprehensible]. Also, after the last time I’ve written a letter to the president of the parliament to underline our embarrassment and the fact that we cannot do our work here because very simply, for a meeting, a committee like ours, we cannot expect all guests always to be physically present in Brussels or Strasbourg. So we are fully reliant on remote connections. We’ve had no problem whatsoever during the whole Corona pandemic. But now all of a sudden, we have only problems. And my fear is that this is not simply a matter of technological issues, but there are wider issues at stake here, for which we are, unfortunately, the victims.

So I share your embarrassment and we will address it and we will try to see for the next meeting that we will try to limit remote connections to the furthest extent possible. And if there are no other ways than remote connection, we will make sure to do it in a proper way, but that we also need those indications. So I do apologize and I will brief you on the follow up on this. And also apologies to everybody in the room for the fact that we cannot have a meeting with the Spanish Defence Committee, which we would have wanted to have last [incomprehensible] already, which is still cancelled now today. So I will look maybe if we could see the opportunity for a written exchange or something. We collect questions that we would like to ask and send them and ask them to provide their input. That’s all we can do. Thank you very much.

Spanish Defence Committee Board and representatives of Congress of Deputies: We tried last Tuesday to have this meeting and we already apologise for the [incomprehensible] the impeachment that we had last Tuesday. It was a pleasure to have you in this House, in the Spanish Parliament. And here we are, all the speakers or spokespersons of their groups who have arrived today in Madrid to connect with you, and we expect that you can offer another way to connect with you, during this week probably, or next week, to do it in writing or by answering your questions, but we hope to keep the contact with you to help with your work. So thank you very much for the connection. We expect the next step, then the news from your committee, in order to maintain this contact. Thank you very much.


One addition

  1. > Only 15 EU states have oversight bodies for intelligence services, even though the data protection convention requires independent oversight. <

    Which states are these? Or rather, which EU member states do not oversee their intelligence services? That is something one really ought to know exactly.
