Analysis: New legal framework for Dutch intelligence services becomes law

Wet op de Inlichtingen- en Veiligheidsdiensten
On May 1, 2018, the legal framework for the Dutch intelligence community changed as the new Intelligence and Security Services Act became operational. Previously, both chambers of parliament discussed and accepted the Act on February 14 and July 11, 2018. A group of Amsterdam-based students, however, were worried that the Act —which includes the power to intercept cable-bound communication in bulk— would induce a surveillance state. They initiated a public referendum, which was held on March 21, 2018.

In what was an intense and prolonged public debate in the months leading up to the referendum, critics of the new Act advanced their views against it. Among them was the digital civil rights group Bits of Freedom, which argued that the power to intercept cable-bound communication in bulk would destroy “the core value of our free society, that a law-abiding citizen will not be monitored”. The Act also allows the General Intelligence and Security Service (known by its Dutch acronym AIVD) and the Military Intelligence and Security service (abbreviated as MIVD) to exchange large sets of unevaluated data with their foreign counterparts without prior approval by the new independent review commission. The services see this quid pro quo data sharing as essential for their counter-terrorism mission. But in the view of opponents, the fact that unevaluated and unanalyzed datasets are exchanged is unacceptable.

Additionally, Bits of Freedom was opposed to the real-time access to databases of partners (such as tax authorities, other governmental agencies, but also banks) that was granted to the intelligence and security services. They argued that the oversight bodies and the responsible minister should have to sign off on this (it should be noted, however, that such database access will only be granted on a hit/no-hit basis, so there will be no free searches). Finally, and more broadly, it was argued that the new Act contained too many “open norms”. This was in line with the cabinet’s goal to formulate a new act that would be more independent of technological developments —the Act of 2002 was not, and therefore the update was seen as necessary. But it also remains unspecified in which specific circumstances and under what criteria and norms the new powers can and cannot be applied.

The March 21 referendum gave a narrow victory to opponents of the Act. The voter turnout was 51.54%. Of those who voted, 49.44% were against the new Act and 46.53% voted in favor. A surprisingly large number of voters cast a blank vote: 4.03%. The Dutch cabinet under Prime Minister Mark Rutte said that they would proceed with the introduction of the new Act. However, in order to satisfy public concerns, six “additional guarantees” were introduced. First, the bulk interception will have to be applied “as targeted as possible”. Second, the number of years that bulk data may be stored without being searched or analyzed is reduced from three years to one year, although the minister can sign off for storing the data for an extra year. Third, the intelligence and security services have to submit a memorandum to the minister of the Interior (for the AIVD) or Defense (for the MIVD), addressing the human rights aspects, democratic context, professional character, and oversight and control of the service, along with which datasets are to be exchanged. The fourth guarantee is that cable-bound communication interception will be applied almost exclusively in other countries and not in the domestic sphere. Dutch citizens need not worry, therefore, that their communication is massively snooped on and stored by their secret services. Fifth, medical data can only be used if it is necessary in a targeted investigation; otherwise it has to be destroyed. And finally, intelligence on journalists cannot be shared with a foreign service if national security is not at stake.

Several of these guarantees were already planned and proposed prior to the referendum result. Furthermore, they will not yet be implemented in the law but only in policy documents. It may not come as a surprise, therefore, that opponents of the Act consider them as merely cosmetic. Also, their concerns about the new powers that allow hacking through third parties and storing DNA profiles appear to have been completely ignored, prompting civil rights groups to express their disappointment with the political response to the public debate.

Opponents of the new Act have now set their hopes on a lawsuit, which was initiated long before the referendum by a collective of activists and lawyers. The lawsuit has become a joint project of twelve organizations, including the Public Interest Litigation Project, civil rights organization Privacy First, the Dutch Association of Journalists, the Dutch Association of Criminal Law Attorneys, and the Platform for the Protection of Civil Rights. They will first bring the Act before a Dutch court and have already announced that they will go all the way up to the European Court of Human Rights if necessary.

Meanwhile, the Act has become operational, which means that the Review Committee on the Intelligence and Security Services (CTIVD), an independent expert oversight body, can now start monitoring the actual implementation of the new powers. In a letter to parliament, the Review Committee said that it will focus on those issues that raised most public discussion, namely: untargeted interception and whether irrelevant data will be duly deleted; the implementation of automated data analysis methods; and cooperation with foreign partners, including the exchange of unevaluated data sets. Besides this existing oversight ex post (afterwards) there is now also a new, independent commission (known by its Dutch acronym TIB), which provides a binding review ex ante (prior) of the approval by the minister for a range of special investigation powers. Finally, in two years’ time an independent commission will also start with a full review of the new Dutch Intelligence and Security Services Act.

Dr. Constant (C.W.) Hijzen is an Assistant Professor in Intelligence Studies at the Institute of Security and Global Affairs and the Institute for History at Leiden University in the Netherlands. His research focuses on the formative years of intelligence and security services, analyzing their early institutionalization years from a comparative and intelligence culture perspective.

Peter (P.J.F.) Koop writes about signals intelligence, communications security and top level telecommunications on his weblog and is associated with the Institute of Security and Global Affairs of Leiden University.
