Publication review report on the exchange of personal data on (alleged) jihadists by the AIVD
The Review Committee on the Intelligence and Security Services (CTIVD) performed an in-depth investigation into the exchange of personal data on (alleged) jihadists by the AIVD within the Counter-Terrorism Group (CTG) and within the framework of cooperation in the field of signals intelligence (sigint). In a sense, the results of the investigation provide a picture of the current state of cooperation. This concerns a snapshot, showing where, at this point in time, adequate safeguards for the legal protection of the individual are in place and where they are not, and what the possible risks are. In this way, the CTIVD has aimed, in its investigation plan, its findings, its conclusions and its recommendation, to do justice to the developments that the multilateral cooperation is currently undergoing.
The CTIVD finds that, as of yet, insufficient safeguards for the protection of the individual in the context of the exchange and further processing of data within the framework of the investigated multilateral cooperation exist. For the exchange of data by the AIVD to be lawful, it is important that the current situation is not allowed to continue and that the degree of legal protection is improved. The CTIVD is of the opinion that, where the multilateral cooperation of the AIVD with foreign services lead to the joint retention and processing of personal data or the joint exercise of (investigatory) powers, a joint responsibility exists. Each of the cooperating services is responsible for the whole i.e. for the consequences of potential unlawful actions. It is necessary in this connection that the cooperating services decide together which concrete multilateral safeguards they will jointly establish for the protection of the rights of the individual. The general data protection principles are leading here. The CTIVD finds that the multilateral safeguards within the CTG have only been implemented to a limited extent. In the context of sigint cooperation there is a higher degree of data protection.
The CTIVD assessed the exchange of data by the AIVD against the ISS Act 2002 (and the ISS Act 2017). It is of the opinion that the current practice of this data exchange is largely within the limitations set by the legal requirements. There are two counts of structural unlawful conduct: the failure to perform a risk assessment on the basis of the (legal) criteria applicable to the cooperation with foreign services and the failure to provide an indication of the reliability of the data provided by the AIVD. On one count there is incidental unlawful conduct: for a five-month period there was no authorisation by the Minister of the Interior (and the Minister of Defence) to provide unevaluated data in the context of sigint cooperation. Except for these instances of unlawful conduct, the CTIVD has not come across any personal data provided by the AIVD in a multilateral context that did not meet the requirements of necessity, propriety and due care.
Because of the threat emanating from jihadism and its cross-border nature, it is necessary for the AIVD to cooperate with the intelligence and security services of other countries. However, the CTIVD has identified certain risk areas where insufficient safeguards exist for the protection of the individual. One example is the risk of the cooperating services constantly lowering the threshold for the exchange of data, which may compromise the protection of the fundamental rights of citizens. Another risk is the development of a growing database, in which it is not sufficiently clear how to assess the correctness and reliability of the data it contains. Another conceivable risk concerns the increasingly frequent exchange of personal data orally. These and other risks have not yet or rarely manifested themselves in practice. Nonetheless it is of vital importance that these risks are already taken into account, as they may in the near future result in unlawful conduct on the part of the AIVD in its multilateral cooperation with foreign services. The CTIVD makes recommendations aimed at creating additional safeguards in order to prevent unlawful conduct from occurring. With this, the CTIVD aims to ensure a more stringent protection regime and to allow for effective oversight.