By Steven van der Plas
It has already been half a year since the Dutch government implemented the new law on intelligence and security services (WIV), which simultaneously expanded the powers of the Algemene Inlichtingen- en Veiligheidsdienst (AIVD) and the Militaire Inlichtingen- en Veiligheidsdienst (MIVD) while also providing an improved regulatory framework to manage these competencies. This piece of legislature was the subject of intense political and societal debate, with critics claiming that the expanded powers of Dutch intelligence services would infringe on citizens’ privacy. In the end, the law was adopted with minimal changes, even though the Dutch population voted against the new law in an advisory referendum. Last year, in another article on the JASON website, I argued that the privacy versus security dilemma that was brought forward in the discussion surrounding the law was a false one, as the new regulatory framework contained provisions to provide accountability and to minimize privacy infringement. On the other hand, if the new powers of the intelligence services are not properly managed, the new competencies can actually negatively affect data security. In this article, I want to look back and evaluate whether this assumption still holds up today by looking at the implementation of the WIV and its effects on security and privacy while also discussing accountability measures and how these have been implemented.
Privacy, security and accountability in the legal framework
The privacy effects of the WIV were widely portrayed in the media, leading up to the national referendum in 2018. Several clauses were incorporated into the law in order to address concerns regarding the mass collection of citizens’ data. For example, mass data interception methods can be used only when they are tied to a specific research goal. This means that in theory, no data can be collected without purpose, which is why the law defines these practises as research guided interceptions. Furthermore, the mass collection of data can only occur when a specific need or urgency has arisen. Lastly, the intelligence services have increased responsibilities with regards to the data they have collected, which means that the data must be managed properly and eventually destroyed. The main problem is that the work of the intelligence agencies requires a certain degree of secrecy that contradicts the principles of transparency and accountability. In order to address this, two institutions were created to provide oversight in the process of mass data collection: the Toetsingcommissie Inzet Bevoegdheden (TIB) and the Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten (CTIVD). The TIB assesses the data collection requests of the intelligence services while the CTIVD provides oversight during and after the data collection. This system puts a lot of pressure on the supervising organisations to ensure the legality and legitimacy of the mass surveillance practises of the two Dutch intelligence services. Crucial here is the ability of the inspection organisations to provide oversight when it comes to potentially classified data collection practises.
Problems of implementation
In practise, the oversight and privacy risk minimalization of the WIV has proven to be far from perfect. A progress report from the CTIVD on the 4th of December, 2018summarizes the problems with the implementation of the law. The CTIVD has identified that the intelligence services lack the instruments and the internal structures to effectively protect and process the massive amounts of data that is currently being collected. Such instruments and structures to protect and to ensure the integrity of the collected data are one of the cornerstones of the functioning of the new law. Without these protections, the intelligence services cannot fulfil their data collection responsibilities. Notably, the minister of the Interior and Kingdom Relations promised that such instruments would be in place at the time of the implementation of the law. Another problem is that the interception of data does not happen as precise as possible, as the CTIVD has found no visible evidence that the intelligence services make efforts to minimize the risk to civilian privacy in their operations. The absence of internal control over the data analysis and data reduction processes creates further risks for illegal actions. Lastly, the confidential nature of the tasks of the intelligence services make it difficult for the scrutinizing organisations to provide effective oversight.
The problems with the implementation of the WIV are the result of inefficiencies in the regulatory framework and the lack of capacity on the side of the intelligence services to fulfil all necessary legal requirements. What I provided here is just a small overview of the main aspects of the law and the problems the intelligence services are currently facing in the implementation process. It shows that new organizational capabilities are required to address the problems of citizen privacy and data security when collecting data on a massive scale. Transparency and accountability are key aspects here that seemingly contradict the classified nature of the work of the intelligence services. Nonetheless, I believe that with the right organisational structures and legal frameworks, the new competencies of the intelligence services can be effective, legal and legitimate.