The domestic secret services in Schengen states exchange real-time data on terrorism and operate a database of individuals. A Dutch review of the cooperation has revealed several deficits. The data protection commissioners in the member states involved thus need to work together to ensure oversight.
For almost two years, the Federal Office for the Protection of the Constitution (BfV) has been cooperating with 29 European intelligence services on an “operational platform” in The Hague. The system belongs to the “Counter Terrorism Group” founded in 2001 by the “Club de Berne”, the informal group of domestic secret services of EU Member States, Norway and Switzerland. The services involved operate a real-time information system and a shared database. The focus is on Islamist terrorism. The authorities do not only cooperate virtually, but also send liaison officers to The Hague.
Neither the CTG nor the Club de Berne is part of the European Union, which has no mandate for coordination of the secret services. All information on the work of the “Club de Berne” remains confidential. As far as is known, the “Club de Berne” only made strategic agreements until the creation of the “operational platform”. Members of the German Bundestag have attempted to obtain further details through several parliamentary questions, pertaining to matters such as the platform’s working groups, personnel and costs. The Federal Government did not provide any significant information in any of these cases, nor did it even make classified material available in the Bundestag’s Document Security Office. The specific location, the nature of the database, the data fields included and the search and analysis tools used also remain secret. The reason for this is the “third party rule”, a common agreement between secret services, in which the services involved agree to observe secrecy regarding details.
Database on servers in the Netherlands
The “operational platform” is hosted by the domestic secret service of the Netherlands, the AIVD, which has also played a leading role in setting up and maintaining the database, which officially only commenced operation in January 2017 and is located on a server in the Netherlands. As sensitive personal data is stored there, Dutch data protection law applies. The Dutch Review Committee on the Intelligence and Security Services (CTIVD) has now examined the “operational platform”. In order to do so, the committee was able to view, under a legal obligation to maintain secrecy, all desired information.
The public is finding out the details of this data transfer for the first time. When one of the services involved enters data, this is distributed to all other authorities in the system. This operational cooperation by the BfV was only regulated for Germany in the summer of 2016 by means of a hastily inserted provision in the Federal Act on the Protection of the Constitution. The “operational platform” also allows for “multilateral” sharing of information between individual secret services. This is likely to be real-time information, for example when suspicious “foreign fighters” cross one of the EU’s external borders or are intercepted within the Schengen area. In such cases, secret services increasingly make use of secret alerts within the Schengen Information System.
Dutch Committee sees “joint and several liability”
According to the Review Committee, the AIVD acts as administrator of the database, meaning that it is responsible for any due diligence requirements, such as ensuring the protection of personal data and preventing security violations. The concept for the “operational platform” thus, according to the committee, needs to ensure sufficient guarantees and the ability for these to be checked. In August 2017 the AIVD set out internal rules, under which only data which can be assumed to be correct can be included in the database. The database was then, the committee described, “modified” by the AIVD in autumn 2017.
However, according to the CTIVD, all other 29 partners are also essentially responsible for ensuring an “adequate level of data protection”. The shared responsibility for the database was, the committee stated, to be interpreted as “joint and several liability”. That means that clear agreements regarding the exchange of data and the application of shared norms for each party to the agreement need to be concluded. This would also mean the involvement of the German Federal Ministry of the Interior in upholding data protection, which in response to all questions always referred to the AIVD as the sole service responsible.
No criteria for inclusion in the database
The Dutch Review Committee goes further still and calls for the database kept in The Hague to meet the data protection standards of the European Convention on Human Rights. It should be sufficiently clear to users, for example, upon what basis and according to which criteria an individual has been added to the database. It is furthermore unclear how affected individuals are informed of their inclusion in the database and how they can request information about this.
The recommendations of the CTIVD include a definition of the database’s objectives and its limits regarding records: “In its internal policies, the AIVD provides that the data it adds to the CTG database should relate to ‘identified counter-terrorism targets’. This definition is so general that it does not form a meaningful threshold.” Incorrect or no longer relevant information must be deleted, the committee says. In addition, criteria need to be defined for the exchange of data on minors.
How is oversight of cooperation between secret services possible?
The “operational platform” has until now proved to be outside of parliamentary oversight. The report by the Dutch Review Committee on the Intelligence and Security Services could lead to the data protection commissioners of the member states involved examining the cooperation. This would enable light to be shed on two years of darkness in the cooperation between secret services in The Hague.
To this end, the Committee recommends closer cooperation between national oversight bodies. In just one project, five relevant bodies were working together, without being able to discuss matters classified as state secrets among themselves due to the legal obligation to maintain secrecy. These restrictions need to be lifted, according to the Committee. Another option it proposes is the explicit allocation of individual monitoring tasks to one or more oversight authorities. Ultimately, it puts forward that a superior international oversight body would be conceivable. Such an authority would however first have to be established and would require a contractual agreement between the 30 participating secret services, the Committee points out.
The Bundestag’s Research Services have also produced an expert report on parliamentary oversight of the “operational platform”, which describes the secretiveness as legally questionable. It states that, although the Federal Government is permitted to safeguard its interest in maintaining secrecy, there is no blanket right to refuse to provide information.