The International Conference of Data Protection and Privacy Commissioners, which New Zealand has chaired since 2014, had its 38th annual meeting in Marrakesh, Morocco, in October, but more on that later.
It takes such a lot of time, effort and public resource to get to the Northern hemisphere that when we go, we try to maximise the opportunity by packing meetings and other relevant events around the occasion.
This year, I was invited to attend a series of meetings in Bucharest the week before the Marrakesh conference, and I also accepted a late invitation to address the International Telecommunications Union in Tunisia immediately after.
Bucharest – intelligence initiatives
While in Bucharest I attended the International Conference on Intelligence in the Knowledge Society, and contributed as a panelist to a discussion entitled Why Backdoors to Encryption are a Bad Idea, a theme picked up at the conference the following week in Marrakech.
But the main event in Bucharest was the inaugural International Intelligence Oversight Forum, convened by the United Nations Special Rapporteur on the Right to Privacy, in conjunction with the Romanian Parliament.
There were two main reasons for deciding to attend. First, New Zealand is one of the few countries in the world whose privacy commissioner (or data protection authority) has a direct role in the oversight of intelligence and security agencies. I thought that would be useful perspective to represent at such a meeting.
Secondly, New Zealand is in the middle of the most significant statutory reform of the intelligence and security agencies for decades. My Office has made submissions to the Independent Review of Intelligence and Security, to officials as Cabinet papers were developed and to the Select Committee. We are appearing before the Select Committee, and I wanted to ensure our contributions were informed by a deep understanding of how these issues were being addressed in other jurisdictions.
Special rapporteur invitation
The aims of the meeting were set out in the letter of invitation from the UN Special Rapporteur:
The aim of this forum is to start an open and frank debate in a trusted framework on the:
(i) adequacy of oversight mechanisms;
(ii) existing and anticipated surveillance measures which may have a negative impact on privacy;
(iii) distinction between targeted surveillance and mass surveillance;
(iv) proportionality of such measures in a democratic society;
(v) cost-effectiveness and the overall efficacy of such measures.
Twenty jurisdictions were represented by over 60 delegates, mostly from intelligence oversight agencies, but also with some voices from academia, and civil society.
In the wake of multiple disclosures of information and accusations about the intelligence gathering activities of a range of countries, there seems to be a pressing need for some level of international consensus to be reached on how intelligence and security activities should be undertaken, and with what oversight. It might be naïve to expect any kind of detailed international convention on “Tradecraft”, but surely some general principles can be agreed?
What struck me about the meeting was how little multilateral international discussion there seems to have been on the subject. As a first meeting, just getting so many agencies in the room seemed to be a mark of success.
Need for common definitions
The second significant impression I gained was the importance of the preliminary task of agreeing on a set of terms for which there seem to be no common definitions. Certain terms seem to be weighted with assumptions that seem not to be based on common understandings.
The most obvious example is the term “mass surveillance”. It is a term often bandied about, with members of civil society alleging intelligence agencies are engaged in it and intelligence agencies (such as New Zealand’s GCSB) denying they are carrying out anything of the sort.
Britain has the highest concentration of CCTV cameras in the world. Is that the kind of “mass surveillance” we are talking about? Less publicly discussed is the “bulk collection” of data undertaken by intelligence agencies. This can take the form of telephony metadata, of the sort found to be unlawful in the United States.
In some jurisdictions, such collections are more openly acknowledged. The collection and maintenance of large scale datasets of personal information, whether of internet traffic, or call data is expressly provided for, however every search term used to interrogate the data must be approved by a judicial warrant. In others, each new technique or technology for surveillance must be approved by a judicial authority in advance.
Oversight systems – NZ comprehensive
We shared information about different systems of oversight, from Parliamentary committees, to judicial oversight, to specialist boards and experts, to Attorneys General and Ministers. Some provided oversight after the event only, while others provided oversight in advance, most commonly in the authorising warrant process.
One contributor made the case for including the internal compliance officers from the agencies as an essential check and oversight mechanism, given their command of operational practicalities, and their contact with the business on a granular, day to day basis. New Zealand’s combination of these authorising and oversight options seems as current and comprehensive as any other system represented at the session.
The two-day meeting concluded with a commitment from the organisers to proceed with a follow up meeting in 2017, with the venue yet to be decided.
The hosts also provided a venue for a meeting of oversight agencies from the Five Eyes Alliance, five of which were able attend. The meeting discussed the rationale and proposed terms of reference of the group, and concluded with an affirmation of the value of continuing to develop the network.
To be continued …
Image credit: Privacy Commissioner John Edwards at the ICDPPC (via Dutch DPA)