Unregulated intelligence sharing poses substantive risks to human rights and to the democratic rule of law

News & Analysis
Unregulated intelligence sharing poses substantive risks to human rights and to the democratic rule of law

Data sharing among states is gaining prominence, particularly in light of the need to coordinate counter-terrorism activities across borders. The President of the European Commission put it in stark terms just a couple of months ago: “Terrorists know no borders. We cannot allow ourselves to become unwitting accomplices because of our inability to cooperate.” And several UN Security Council resolutions have emphasized the need for international cooperation in counter-terrorism.

Privacy International also recognises the importance and benefit of intelligence sharing, for example in the context of fighting terrorism, organised crime or to identify other genuine threats to national security. Intelligence sharing does not per se violate international human rights law. When done appropriately, the sharing of intelligence can enhance human rights protection by helping authorities to identify and curtail threats to the security of its population. As the European Court on Human Rights stated in its recent judgment in Big Brother Watch v. UK, “due to the nature of global terrorism, and in particular the complexity of global terror networks, the Court accepts that taking such a stand – and thus preventing the perpetration of violent acts endangering the lives of innocent people – requires a flow of information between the security services of many countries in all parts of the world.”

But unregulated intelligence sharing does pose substantive risks to human rights and to the democratic rule of law because it allows governments to share information in the absence of clear laws and robust independent oversight. And we know that most governments around the world engage in such unregulated intelligence sharing. In August 2018, the UN High Commissioner on Human Rights confirmed, in his report on the right to privacy in the digital age, that “with very few exceptions, legislation has failed to place intelligence-sharing on a proper statutory footing, compliant with the principle of legality under international human rights law.”

Tellingly, some oversight bodies have also expressed concerns that their mandate is not sufficient to effectively monitor intelligence sharing. In September 2017, Privacy International (in partnership with national civil society organisations) wrote to oversight bodies in over 40 countries as part of a project to increase transparency around intelligence sharing. We received responses from oversight bodies in 20 countries, indicating their respective assessments of relevant domestic laws as well as their mandates and powers. In April 2018 we published our analysis (and the full text) of their responses.

Last week, five oversight bodies from Belgium, Denmark, the Netherlands, Norway and Switzerland issued a joint statement, where they further elaborated on their assessment of current intelligence sharing oversight practices. The joint statement discusses the risk of an oversight gap and ways to tackle this risk when overseeing international data exchanges by intelligence and security services.

The joint statement lists among the concerns:

  • The lack of specific legal bases for the oversight bodies to cooperate with each other, across borders;
  • The limits to effective oversight imposed by the application of the ‘third party rule’, which prohibits the disclosure of information shared between agencies to third parties, including oversight bodies;
  • The difficulties in assessing necessity and proportionality (as required under international human rights law) when faced with the reticence of intelligence services to reveal their practices, and even more so when dealing with sharing amongst multiple intelligence agencies;
  • The oversight gap created by different legal regimes regulating the authorisation and oversight of gathering intelligence about nationals and foreigners;
  • The challenges to oversight when faced with informal means of sharing of intelligence.

Privacy International believes that these concerns and the recommendations made by the oversight mechanisms to address them should be reflected in the on-going debates on reform of intelligence sharing practices at national and international level.

There is an urgent need to provide guidance to states, particularly in light of the fact that some of the intelligence sharing done in the context of counter-terrorism is envisaged in UN Security Council resolution 2396 (2017), which is legally binding on all UN member states (by virtue of having been adopted under Chapter VII of the UN Charter.)

Privacy International has identified some minimum safeguards that states must introduce in order to ensure their intelligence sharing laws and practices are compliant with applicable international human law. These include:

  • Intelligence sharing must be prescribed by law and limited to that strictly and demonstrably necessary to achieve a legitimate aim. That law must be accessible to the public and sufficiently clear and precise to enable persons to foresee its application.
  • Intelligence sharing must not be used to circumvent international or domestic legal constraints – including effective safeguards and oversight – that regularly apply to direct surveillance conducted by the State.
  • Intelligence sharing must be authorised by an independent authority, preferably judicial.
  • Independent intelligence oversight mechanisms should be able to exercise their powers with respect to intelligence sharing activities.
  • Intelligence sharing arrangements must be subject to transparent and legally binding agreements and approved pursuant to the international and domestic procedures governing international agreements.
  • Independent oversight bodies must have access to intelligence sharing agreements and must have the power and capacity to consider all relevant policies and activities related to intelligence sharing.
  • Due diligence obligations apply to States acquiring and then sharing information as well as to States accessing or receiving such information. Both states share responsibility for the collection, storage, analysis, dissemination, and use of the information. And both states may be liable for human rights violations that occur as a result of the transfer of the data or its later utilization.