This concerns, for example, the disposal of irrelevant information, so that the privacy of citizens is not infringed. However, the services do not have enough policy and attention in practice, writes the regulator. This too, according to the regulator, poses major risks.
Gone is gone
The MIVD does not turn out to be so good at discarding data anyway. There are no good ICT systems to ensure that non-relevant information is removed automatically; this is done largely by hand and therefore not good enough. According to the CTIVD this should be arranged in a 'shortest possible time', but the MIVD seems to be planning to spread the implementation “over several years”.
If the intelligence services delete information, that information must actually be gone, and can not be retrieved again via a detour. That too is not well arranged at the MIVD. There is no internal control on the removal of data and therefore the regulator can not judge whether information is actually discarded.
The coming years should show whether the services are better organized: the CTIVD continues to report every six months. In 2020, the new intelligence law will be evaluated.
Worry about 'sleep law'
There was already a lot of criticism of the new intelligence law before the introduction: in a referendum a majority voted against its arrival. Especially the power to tap on a larger scale led to dissatisfaction; it earned the law the nickname 'sleep law'.
To meet these concerns, the Cabinet dictated that the new tap powers should be deployed “as focused as possible”. This was laid down in an official government decree and will soon be permanently included in the Intelligence Act. This should prevent information from innocent civilians from ending up in the tap machines of the intelligence service.
No work yet
The secret services, however, have not yet made work on the 'as focused as possible' data interception. Since the Cabinet decision, which came into effect on 1 May, its introduction has “virtually been omitted”. According to the CTIVD, this provides a “high risk”.
The new power to tap internet traffic on a larger scale via the cable has not yet been actually used. But the stricter precautionary measures now also apply to the large-scale interception of radio and satellite traffic, and that is not yet properly regulated.
Duty of care
In addition, the regulator writes that the secret services also have not built in proper precautions to protect citizens when their data arrives at the service. Consider, for example, rules about which employees of the services may access the data.
That this is now missing is striking, because the Cabinet promised in December last year that these precautionary measures would be there. According to the CTIVD it is “essential” that this will still happen as soon as possible.
The regulator concludes with a positive note. The complaints procedure that should be introduced with the new Intelligence Act is now complete.