‘Intelligence services store too much data to be able to comply with Wiv’

Spread the love

The AIVD and MIVD still run the risk of violation of the Intelligence and Security Services Act. The intelligence regulator says the services have kept so much bulk data that it is not being deleted quickly enough.

The report comes from the Committee on Supervision of the Intelligence and Security Services, the CTIVD. It checks every six months whether the AIVD and MIVD comply with the ISS Act 2017, also known as the Sleep Act. The Ctivd says that the intelligence services have recently taken important steps to comply with all safeguards of the law, but that much remains to be done. On certain points, the law still has to be transposed into ‘internal processes, concrete instructions, technical systems and adequate internal control mechanisms’.

The services run the risk of misuse of personal data in various areas. In one case, the services are actively breaking the law. That violation concerns the bulk data sets that are collected. The services keep it too long. That is because it involves too much data, concludes the Ctivd. Bulk datasets are collections that have been collected through untargeted interception, popularly referred to as the ‘dragnet’: data collected on a large scale to see if it contains data about a target. The services must determine within a year whether these sets are relevant for an investigation. Anything not relevant should be removed. “However, this requirement is not easy to implement in practice. It concerns too much data,” the regulator writes. Datasets are therefore kept longer. Removing them altogether would lead to ‘operational risks’.

According to the regulator, the collected data sets were collected lawfully. “Only destroying in time is not according to the law,” says a spokesperson. It is striking that so far no data sets have been collected on the cable. This so-called ‘research-oriented interception of the cable’ was one of the most important new elements why the Wiv was introduced in 2017. The supervisor writes that the services are ‘still busy with the operationalization of that authority’.

In a number of other cases, no concrete violations were found, but there is a risk, writes the Ctivd. For example, there is still too little internal control within the services themselves. This concerns, for example, the automatic deletion of data and the automated analysis thereof. On the other hand, the Ctivd does see in the intelligence services that such checks are now given higher priority. “The AIVD and the MIVD are aware of the need for internal control over the lawfulness and quality of data processing,” the report states.

The AIVD and its military counterpart MIVD have often been criticized by the regulator. In October, for example, it became apparent that the AIVD acted unlawfully in providing data to foreign intelligence services, that both services ran the risk of untargeted wiretapping too often, and that there is a high risk of abuse of algorithms.

You might also like
Exit mobile version