Parliamentary Access to Classified Information
An analysis of the responses to the NATO Parliamentary Assembly – DCAF Survey on Legal Frameworks and Practices in NATO Member State Parliaments
Author: Nazli Yildirim Schierkolk Editors: Ruxandra Popa, Philipp Fluri, Teodora Fuior
November 2018, Geneva
Acknowledgements:
The author and the editors would like to thank the representatives of national parliaments who responded to the NATO PA–DCAF Survey on ‘Access to Classified Information for Parliamentarians’.
Note The URLs cited in this document were valid at the time of publication. Neither DCAF nor the author can take responsibility for any subsequent changes to any or all of the URLs cited in this document.
Table of Contents Foreword ...... Introduction ...... 1 Background ...... 1 Methodology ...... 3 Structure ...... 4 Chapter 1: Legal Frameworks on Information Classification ...... 5 1.1 Laws Regulating Information Classification ...... 5 1.2 Categories of Information to be Classified ...... 6 1.3 Authority to Classify Information ...... 10 1.4 Classification Levels ...... 12 1.5 Declassification Procedures ...... 12 1.6 Free Access to Information of Public Interest ...... 17 Chapter 2: Parliamentary Handling of Classified Information ...... 19 2.1 Parliamentarians’ Access to Classified Information ...... 19 2.2 Existence of Laws, Policies, Mentalities Blocking Reasonable Parliamentary Access to Information ...... 24 2.3 Security Vetting of Parliamentarians ...... 25 2.4 Parliamentary Staff Access to Classified Information ...... 30 2.5 Measures Taken by Parliamentary Committees to Protect Classified Information ...... 31 2.6 Sanctions for Unauthorized Disclosure of Classified Information ...... 32 2.7 Capacity Building for Parliaments on Handling Classified Information ...... 34 Conclusion ...... 36 Annexes ...... 38 Annex I – NATO PA-DCAF survey questions ...... 38 Annex II – List of countries that responded to the survey ...... 39
Foreword
The processes of classification and declassification of information, the laws, provisions, rules and regulations for initiating such processes, and the rules for granting access to such information to certain individuals, either ex officio or through processes of vetting, are not only of interest to the individual parliaments that have come to satisfactory results in regulating such processes: the parliaments of nations in transition towards democratic practices are equally, or even more so, in need of comparative data. Too often regulations from a preceding historical period impede the successful resolution of the issues outlined above. Existing classification systems may also be used to keep parliaments out of the information loop, to station executive-appointed classification specialists in parliaments, to limit access to classified information to representatives of the executive, or even to go as far as making access to different levels of classified information dependent on the rank of an individual within the executive.
This timely volume thus not only gives access to comparative data, it is also a source of arguments for bringing one’s house in order and establishing proper parliamentary oversight in the realm of security and defence in newly democratic states.
The Swiss Department for Defence, Civil Protection and Sport has long supported the cooperation of the NATO Parliamentary Assembly and the Geneva Centre for the Democratic Control of Armed Forces (DCAF) in the design and delivery of the Rose-Roth programme. The programme allows not only for the introduction of newly elected MPs to Euro-Atlantic parliamentary practices, values and institutions and for the organization of several annual interparliamentary Rose-Roth capacity-building and reflection seminars, but also for the publication of useful surveys, such as this. The editors would like to express their heartfelt thanks for Switzerland’s continued assistance.
Brussels and Geneva, November 2018
The editors
Introduction
Background
Democratic and civilian oversight of the security sector is now a well-established principle in democracies. The security sector refers to all structures, institutions and personnel responsible for security provision, management and oversight at the national and local levels.
A range of state and non-state actors are involved in overseeing the security sector to ensure that security providers act in an accountable, transparent and effective manner within a framework of rule of law and respect for human rights. These actors include the executive, judicial authorities, parliaments, specialized statutory institutions (for instance ombuds institutions, supreme audit offices or national human rights institutions), as well as civil society organizations and the media.
While each oversight actor fulfills a particular function in the oversight system, parliaments have a crucial role, having the ultimate ‘democratic legitimacy’ and the extensive oversight powers and competences that come with it. Although the mandate and scope of parliamentary oversight vary in each country, parliaments usually carry out five main functions with regard to security sector governance and oversight:
(i) Legislative function: reviewing, amending, drafting and adopting legislation regulating the security sector, (ii) Budgetary function: scrutinizing, approving, rejecting or amending the budget, including security-sector-related budget items, (iii) Oversight function: monitoring the policies and activities of security sector agencies, (iv) Elective function: vetoing or approving top appointments within the security sector, (v) Representative function: providing a public forum for debate on security, and facilitating political consensus through dialog and transparency.1
In order to carry out these functions effectively, parliamentarians should have access to all information necessary to fulfill their oversight duties. By way of example, without unhindered access to and review of the files, including classified information, held by intelligence services, parliamentarians would not be able to assess whether the services are acting in line with laws and government policies.
Over the last decades, the international community has increasingly emphasized the importance of access to information by oversight bodies. Following consultations with more than 500 experts across 70 countries, the Global Principles on National Security and the Right to Information (The Tshwane Principles) were launched in 2013. The Tshwane Principles established international normative standards on legal procedures for information
1 DCAF, SSR Backgrounder–Parliaments (DCAF: 2017)
1
classification, as well as access to and handling of classified information by oversight bodies, including parliaments. Since their launch, the Tshwane Principles have been endorsed by the Parliamentary Assembly of the Council of Europe as well as the European Parliament.2
More recently, the Council of Europe (CoE) Commissioner for Human Rights called on the member states of the CoE to:
“Guarantee that all bodies responsible for overseeing security services have access to all information, regardless of its level of classification, which they deem to be relevant to the fulfillment of their mandates. Access to information by oversight bodies should be enshrined in law and supported by recourse to investigative powers and tools, which ensure such access. Any attempts to restrict oversight bodies’ access to classified information should be prohibited and subject to sanction where appropriate.”3
Despite the growing body of regional and international normative standards on access to and handling of information by oversight bodies, parliaments across the world continue to face a number of challenges and risks with respect to accessing classified information.
First, in the absence of clear and comprehensive legislation on freedom of information and information classification procedures, executive and security sector agencies may tend to over-classify information or broadly interpret the restrictions to overseers’ access to classified information.
Second, in some countries, members of parliament are obliged to go through a vetting procedure before accessing classified information. When such procedures are not held in line with international standards (with respect to the authorities conducting vetting, the procedures and the length of the vetting process) the vetting procedure itself may become a tool to prevent parliamentarians from fulfilling their oversight function.
Third, security sector agencies may hesitate to share information with parliamentary committees, claiming that they do not have the physical capacities and procedures to protect classified information. As a result, information would be shared only under certain conditions, for example only within the premises of security sector agencies, which may limit the effectiveness of parliamentary oversight.
Fourth, if MPs do not have the necessary expertise or do not receive sufficient support from staff on security-related matters and information classification procedures, they may not be
2 PACE (2013) Parliamentary Assembly of the Council of Europe Resolution 1954 (2013); European Parliament (2014) Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs, A7- 0139/2014, 21 February 2014. 3 CoE Commissioner for Human Rights (2015) Democratic and Effective Oversight of National Security Services, Recommendation 14, p.13.
2
able to ask for the right documents or may not be sure how to proceed when they are wrongfully denied access to information.
These risks and challenges are especially prevalent in states in transition to democracy, where certain factions of state bureaucracies may aspire to continue old authoritarian traditions and resist civilian and democratic oversight. Even in democratic states, legal bases and practices concerning the right to information, parliamentary access to and handling of classified information, and rules on disclosing information of public interest seem to vary to a certain degree.
Against this backdrop, the NATO Parliamentary Assembly and the Geneva Centre for the Democratic Control of Armed Forces (DCAF) conducted a survey with NATO member state parliaments, which aimed to map the legal frameworks and practices concerning information classification and parliamentary access to classified information.
This report presents an analysis of survey responses as well as key international standards on the subject matter. The findings of the survey are intended to outline good practices and serve as an inspiration for reform for parliaments to suggest and implement comprehensive and credible oversight.
Methodology
Based on consultations and the identification of challenges encountered by parliamentary oversight bodies with respect to handling classified information, the NATO PA and DCAF jointly developed a survey consisting of 14 questions. The full list of survey questions can be found in Annex I. The questions addressed the respective national legal frameworks on information classification, particularly the categorization of classified information, authorities responsible for classifying information and declassification procedures, as well as on parliamentary access to classified information, with a focus on the vetting of MPs, access by parliamentary staff, measures to protect classified information in parliaments, sanctions for unauthorized disclosure and capacity building for parliaments.
The survey was shared with member delegations of the NATO Parliamentary Assembly through official channels and a response in writing was requested. Out of 29 Member State parliaments, 24 responded to the survey, corresponding to an 83% response rate. The list of member states that responded to the survey can be found in Annex II.
The survey responses were analyzed qualitatively to compare national legal frameworks and mechanisms, and to identify main trends and challenges in parliamentary access to and handling of classified information.
In order to ensure a robust analysis, survey responses were triangulated with corresponding legal provisions in the national laws, where applicable. Triangulation and verification were possible in a majority of cases where country delegations provided an official English/French
3
language version of information classification and access to information laws along with their survey responses. Such verification of data was not possible in five instances,4 where an English/French language version of these laws was not available.
In the context of analyzing survey responses, there were a few instances where a particular response to a survey question did not fully correspond with the stipulations of the respective national law; this may be due to the framing of the question not being clear to the respondent(s). In such cases, the legal stipulations in the laws are taken as basis for analysis, and further clarification is provided in the footnotes.
Structure
The report is structured in accordance with the topics addressed by the survey, with each section of the report corresponding to a survey question, as follows:
Chapter 1: Legal Frameworks on Information Classification 1.1 Laws Regulating Information Classification (Question 1) 1.2 Categories of Information to be Classified (Question 6) 1.3 Authority to Classify Information (Question 7) 1.4 Classification Levels (Question 9) 1.5 Declassification Procedures (Question10) 1.6 Free Access to Information of Public Interest (Question 8) Chapter 2: Parliamentary Handling of Classified Information 2.1 Parliamentarians’ Access to Classified Information (Questions 2 and 3) 2.2 Existence of ‘Killer Laws’, Policies, Mentalities Blocking Reasonable Parliamentary Access to Information (Question11) 2.3 Security Vetting of Parliamentarians (Question 4) 2.4 Parliamentary Staff Access to Classified Information (Question 12) 2.5 Measures Taken by Parliamentary Committees to Protect Classified Information (Question 5) 2.6 Sanctions for Unauthorized Disclosure of Classified Information by MPs (Question 13) 2.7 Capacity Building for Parliaments on Handling Classified Information (Question14)
Each section begins with a brief overview of international standards on the subject matter, followed by an analysis of survey responses, and concludes with its main findings. The conclusion at the end of the report summarizes the main findings.
4 Survey responses from Greece, Denmark, Spain, Portugal and Romania stated that an English translation of the relevant laws was not available.
4
Chapter 1: Legal Frameworks on Information Classification
1.1 Laws Regulating Information Classification
It is widely accepted that a certain degree of secrecy accompanies the work of security sector agencies, and that governments and their agencies classify and withhold some information from the public in order to protect vital national security interests. The ability to shield information from the public is a strong power and, if left unchecked, may be abused. In an era where security threats are becoming ever more complex and interlinked with socio-economic and geopolitical developments, information protecting national security interests can hardly ever be kept inside the traditional defence/intelligence spheres. In this context, some states may be inclined to keep more and more information from the public for national security purposes, which poses a significant threat to transparency and accountability. Democratic societies have developed mechanisms to balance the need for secrecy and transparency. An important tool is to adopt laws on information classification procedures that are in line with international standards. In this regard, the Tshwane Principles reiterate the necessity of establishing a clear legal basis for information classification and state that:
o “States shall institute a formal system of classification, in order to reduce arbitrariness and excessive withholding. o The public should have the opportunity to comment on the procedures and standards governing classification prior to their becoming effective. o The public should have access to the written procedures and standards governing classification”.5
Against this backdrop, the first question of the survey inquired as to whether or not states have a law on information classification.
In line with international standards, in almost all 24 states that responded to the survey, information classification is regulated by publicly available law(s). The only exception is Greece, where information classification and the handling of classified information are regulated by an administrative directive that can only be accessed by persons who have been authorized by competent national authorities.
In a great majority of countries there is one single consolidated law dedicated exclusively to information classification procedures. In the remaining countries, information classification is regulated either by a number of different laws and/or regulations (Canada, Germany, Denmark, Iceland), or addressed under laws pertaining to intelligence and security (Italy, Norway, the Netherlands).
5 Tshwane Principles 11 and 12, see: https://www.opensocietyfoundations.org/sites/default/files/global- principles-national-security-10232013.pdf
5
Typically, states issue detailed ministerial decrees to provide further guidance on the implementation of information classification laws. Belgium, Germany, Slovenia, Romania, Croatia and Hungary are among the countries representing best practice, whereby both laws and detailed ministerial decrees on information classification are publicly available online. The accessibility of such decrees strengthens the transparency of the information classification regime.
It should be noted that, at the time this survey was conducted, certain countries, including Canada, Norway and Portugal, were in the process of revising their respective legal frameworks. Information classification is certainly an area which needs regular revision, considering the emerging and hybrid threats to national security and the new risks related to the unauthorized obtaining and disclosure of information due to advancements in technology and new forms of information sharing.
Main finding: Apart from one exception, information classification is regulated by publicly available laws and regulations in all countries that responded to the survey. In a majority of countries, there is one consolidated law dedicated exclusively to regulating information classification and the handling of classified information.
1.2 Categories of Information to be Classified
Another important safeguard for an information classification system that balances secrecy and transparency is establishing by law a list of categories of information that may be classified. Such a list would prevent arbitrariness in classification, 6 impede attempts to over-classify, and make it easier to hold the authorities in charge of classification accountable.
The Tshwane Principles set forth a list of categories of information that may be legitimately classified7:
o “Information about on-going defense plans, operations, and capabilities for the length of time that the information is of operational utility. o Information about the production, capabilities, or use of weapons systems and other military systems, including communications systems. o Information about specific measures to safeguard the territory of the state, critical infrastructure, or critical national institutions (institutions essentielles) against threats or use of force or sabotage, the effectiveness of which depend upon secrecy; o Information pertaining to, or derived from, the operations, sources, and methods of intelligence services, insofar as they concern national security matters; and o Information concerning national security matters that was supplied by a foreign state or inter-governmental body with an express expectation of confidentiality.”
6 Tshwane Principle 9(b) 7 Ibid., 9(a)
6
The aforementioned list is not meant to be prescriptive. Each country has unique geopolitical, socio-economic and security circumstances, which have an impact on how national security threats and interests are defined. Thus, states may include in their respective legislation additional categories of information, though it is good practice to define such categories as narrowly as possible.8
In this context, question six of the survey asked whether the law clearly and conclusively defines the categories of information that may be classified. Responses to the survey revealed considerable variance among the legal frameworks of the countries in question.9
Survey responses seem to suggest that eight out of 24 countries, namely Albania, Bulgaria, Croatia, Estonia, Greece, Latvia, Lithuania and Romania have adopted by law a list of categories of information that may be classified. In those countries, such lists are either adopted as an annex to the law on information classification or issued as a ministerial decree following the adoption of the law. However, the way categories are defined differs greatly across countries. By way of example, the Albanian law has a six-item list of rather general categories of information to be classified, while the Bulgarian law stipulates 64 categories, annexed to the law. Certain categories of the Bulgarian law are general in nature, while others are defined clearly and narrowly, such as: “Data about the designing, the trial, the accepting as armament of new models of armament, combat machinery and ammunitions and the created mobilization capacities for their production.”10 Similar to the Bulgarian case, the Latvian Government issued a Cabinet Regulation Pursuant to the Law on Official Secrets prescribing a 73-item list of information that may be classified, as well as their respective level of secrecy.11
8 Tshwane Principle 9(c) 9 Please note that in analyzing the responses to question six, survey responses were checked against national laws, and in some instances, stipulations in the laws are taken as basis for analysis instead of survey responses. It is possible that the framing of the question was not fully clear to all survey respondents. Several countries responded to question six positively, implying that there is indeed ‘a clear and conclusive list of categories of information to be classified’ in their laws, and referred to specific articles in their national laws. When such articles were checked for cross-reference, it was identified that in some cases the laws do not have such a list of ‘categories of information to be classified’ (such as ‘detailed plans of military/nuclear facilities, information about ongoing intelligence operations’); instead, the law lists vital national security interests. In such cases, the law typically allows for the classification of any information, disclosure of which would potentially cause harm to national security interests (protection of territorial sovereignty, peaceful democratic order, vital economic interests, etc.). The classification is then based on the degree of potential harm caused by the unauthorized disclosure of information. Thus, this approach does not list the categories of information to be classified conclusively, but permits any information to be classified, if its disclosure would cause harm to the list of national security interests. In the author’s opinion, such laws cannot be considered as having a ‘clear and conclusive list of categories of information to be classified’. Therefore, the analysis of responses to question six was made accordingly, by pointing out two different approaches adopted by the countries. Thus, the original responses to question six do not fully correspond with the information presented in this section. Please also note that verification with the laws was possible only in cases where the laws (or their official translations) were available in English and/or French. Some country delegations, such as Romania and Poland, stated that no English version of the law was available and did not provide any other substantive information in responding to question six. Therefore, their responses (Yes, no n/a) were taken as is. 10 Bulgaria, Protection of Classified Information Act, 2009, § 25, Appendix No 1, Part I (11). 11 Latvia, Cabinet Regulation No:887, List of Official Secrets 26 October 2004
7
The remaining 16 countries do not seem to have in their laws a clear and conclusive list of categories of information to be classified. Instead, most of them adopted an approach whereby the law allows for classification of any information, unauthorized disclosure of which would threaten the national security and vital interests of that state. In that respect, most often, the laws include a list of national security interests and attribute levels of classification (top secret, secret, confidential, restricted) based on the potential degree of harm to the national security interest that the disclosure of information would cause. By way of example, in Italy, the law stipulates that the “classification ‘Top Secret’ shall be attributed to information, documents, records, activities or items the unauthorized disclosure of which could cause exceptionally serious harm to the essential interests of the Republic”.12 Accordingly, the classifications ‘secret’, ‘confidential’ and ‘restricted’ are attributed based on the potential ‘degree of harm’ caused by an unauthorized disclosure of the information. A similar approach is observed in the Montenegrin law, which does not have a clear and exhaustive list of categories of information; rather, it has a broad formulation such as “Classified information is information whose disclosure to unauthorized person occurred or could have harmful consequences for security and defence, foreign, monetary and economic policy of Montenegro”.13
It should be noted that neither of the two approaches (prescribing a long and broad list of categories of information, or defining classified information based on potential degree of harm to vital national interests) seem to be fully in line with international normative standards as set out in the Tshwane Principles. Establishing a list of clear and conclusive categories of information to be classified is certainly a recommended standard, however defining such categories very broadly and/or expanding the list of categories to include information which may not be legitimately classified would defy the purpose.
On the other hand, the approach adopted by the second group of countries also bears the risk of arbitrary classification and/or over-classification of information, especially when the essential interests of the state are not defined clearly and narrowly in the law. By way of example, in the Czech law, information is marked as ‘classified’ if the unauthorized use or disclosure of it may result in “occurrence of damage not insignificant to Czech Republic”.14 Formulations such as ‘not insignificant damage’ could be interpreted very broadly, leaving a significant margin for authorities to excessively classify information, without solid justifications.
12 Italy, Section 42 (1) of Law no. 124/2007, also see Decree of the President of the Council of Ministers no. 7 of 12 June 2009 13 Montenegro, Law on Classified Information, Art. 3 14 Czech Republic, Act N.412 of 21 September 2005 on the Protection of Classified Information, Part 2, Section 3, § 4(g)
8
Table 1 provides an overview of survey responses to questions one and six, addressing the legal framework and categories of information to be classified.
Main finding: There is significant variance as to the categories of information to be classified. 8 countries out of 24 stated that their national laws have expressly listed categories of information that may be classified. The remaining countries do not seem to have a clear and conclusive list of categories, instead allowing for any information to be classified, the unauthorized disclosure of which would cause harm to national security interests.
Table 1: Legal Frameworks on Information Classification
Questions Q1– Does your country have a law on Q6 – Does the law clearly and classification and the handling of classified conclusively define the categories information? of information that may be classified? State/responses There is a Classified Classified Categories No conclusive list stand-alone information is information is of of categories, any law on regulated by addressed information information that classified several pieces under a are listed in may cause harm to information. of legislation. broader law on the national security security. law/decrees. interests can be classified. ALBANIA o o BELGIUM o o BULGARIA o o 15 CANADA o n/a CROATIA o o CZECH o o REPUBLIC DENMARK o o ESTONIA o o GERMANY o o GREECE o o HUNGARY o o ICELAND o o ITALY o o LATVIA o o LITHUANIA o o
15 In Canada, specific guidance on document marking and classification is defined in government policy rather than in law.
9
LUXEMBOURG o o MONTENEGRO o o NORWAY o o THE o o NETHERLANDS POLAND o o PORTUGAL o o ROMANIA o o SLOVENIA o o SPAIN o o
1.3 Authority to Classify Information
A key component of any lawful and transparent information classification system is publicly available information on persons and institutions that have the authority to classify information. If there were authorities who were mandated to classify information but whose mandate was unknown to overseers, it would not be possible to scrutinize the full functioning of the information classification system. In this regard, the Tshwane Principles state that:16
o “Only officials specifically authorized or designated, as defined by law, may classify information. In the absence of legal provisions controlling the authority to classify, it is good practice to at least specify such delegation authority in a regulation. o Those officials designated by law should assign original classification authority to the smallest number of senior subordinates that is administratively efficient.”
Based on those principles, question seven of the survey inquired whether the law clearly defines the persons/authorities who may classify information.
Out of 24 countries that responded to the survey, 16 have in their national laws a designated list of authorities who may classify information. Understandably, the list of persons and institutions authorized in each country varies to a certain extent. Nevertheless, there seems to be two main approaches to designating authorities: (i) entrusting the authority to classify information only to high-level figures in the executive, with a focus on security sector institutions; (ii) drawing up a broad list of designated authorities from all three branches of government as well as independent statutory institutions.
Countries such as Belgium, Denmark and Spain seem to follow the first approach. The Belgian regulatory documents establish a list of 12 persons and authorities entrusted to classify information as ‘top secret’, eight of which are from the defence/security/intelligence
16 Tshwane Principles 13(a) and 13(c)
10
community 17 In Danish law, the Security and Intelligence Service and the Defence Intelligence Service are listed as the two institutions with the authority to classify information.18
On the other hand, Hungary, Slovenia, Czech Republic and Lithuania are among the countries following the second approach, designating a wide range of authorities for information classification. By way of example, in Hungary, the highest figures in all three branches of the state, such as the speaker of the Parliament, chairpersons of parliamentary commissions, the president of the Constitutional Court, the prosecutor general, as well as top appointments within independent institutions – such as the commissioner for fundamental rights or the governor of the National Bank – are among the persons authorized to classify information.19 According to Lithuanian law, the heads of all state and municipal institutions whose activities fall under the areas that require the protection of information are authorized to classify information. However, the heads of such institutions can only do so after consulting with the ‘Commission for Secrets Protection Co-ordination’ and receiving the Commission’s approval for classifying the information.20
Eight countries that responded to the survey, namely Norway, Italy, Germany, Canada, the Netherlands, Iceland, Greece and Estonia, stated that the law does not explicitly provide a list of authorities that may classify information. However, this does not mean such a list does not exist. For instance, in Canada, classification decisions are made by government departments based on policy established by the Treasury Board Secretariat of Canada under the authority of the Financial Administration Act, which allows the Treasury Board to act for the Cabinet in relation to security matters.
Main finding: Complying with international standards, two thirds of the countries that responded to the survey list in their laws the institutions or persons authorized to classify information. In some countries the list is restricted mainly to high-level officials and security sector institutions; while other countries adopted a wider list, entrusting a variety of institutions from all branches of government with the power to classify information.
17 Belgium, Art. 4, Arr t royal portant ex cution de la loi du 11 d cembre 1 relati e la classification et aux habilitations attestations et a is de s curit , see: https://www.nvoans.be/sites/default/files/attachments/ar.pdf 18 Denmark, Security Circular 19 Hungary, Act CLV of 2009 on the Protection of Classified Information, Art. 4 20 Lithuania, Law on State Secrets and Official Secrets no VIII-1443, Art. 12
11
1.4 Classification Levels
Not all classified information requires the same degree of protection from public access. Therefore, states use a variety of classification levels to mark the required degree of protection and establish who can access such classified information. The Tshwane Principles state that “classification levels [...] should correspond to the levels and likelihood of harm identified in the justification.”21
In this respect, question nine of the Survey inquired about the levels of classification the laws define. In a great majority of countries, the law explicitly stipulates four distinct levels of classification as ‘Top Secret’, ‘Secret’, ‘Confidential’ and ‘Restricted’. Such markings are in accordance with NATO and EU classified information levels. In line with international standards, the levels correspond with the severity of the harm an unauthorized disclosure of information would cause to national security interests.
Among the respondents, Belgian, Italian and Latvian laws refer to three levels of classification: ‘Top Secret’, ‘Secret’ and ‘Confidential’.22 In Canada, classification levels are defined in policy, not in law.
1.5 Declassification Procedures
It is a widely acknowledged principle that classified information, regardless of its secrecy level, should not remain classified forever.23 Thus, it is imperative that national laws outline clear procedures for the declassification of information.
The Tshwane Principles set forth the following standards for declassification procedures:24
“National legislation should: o identify fixed periods for automatic declassification for different categories of classified information. o put in place procedures to identify classified information of public interest for priority declassification. o set out an accessible and public procedure for requesting declassification of documents.”
With respect to declassification procedures, question ten of the survey inquired about the authorities in charge of declassifying the data and the declassification procedures provided for in national laws.
21 Tshwane Principle 11(c) 22 Latvia, Law on Official Secrets, Section 3, Art. 1 23 Tshwane Principle 16(d) 24 Tshwane Principle 17(a-f)
12
In most of the countries that responded to the survey, the person/authority in charge of classification is also in charge of declassification. There are a few exceptions. In Estonia, only the most senior figure within an institution has the power to declassify information, and not the original classifying authority. For instance, when information is classified by one of the departments of a ministry, only the minister is authorized to declassify the information.25 A similar rule exists in Lithuania: in case of premature declassifications, only the head of the authority can declassify information, and not the original classifying official. In Croatia, it is the classifying authority who is responsible for declassifying information. However, according to the law, the classifying authority ‘shall ask the opinion of the National Security Council’ prior to making a decision to declassify information. The law does not clarify what happens when the Council issues a negative opinion on the decision to declassify information. If the Council had a binding ‘veto’ power, it would effectively be the only body with the definitive authority to declassify information. In Iceland, the declassification of data is not foreseen in the law, apart from exceptional circumstances, in which case only the prime minister and members of the government are authorized to declassify data.
Apart from a few exceptions, national laws do not stipulate declassification procedures in great detail. Procedures vary considerably across countries. Most commonly, laws establish maximum periods for classification levels, after which downgrading or complete declassification must be considered. Most countries seem to set 30 years for the ‘Top Secret’ level, between 15 to 30 years for the ‘Secret’ level, and between 5 to 20 years for the ‘Confidential’ level. While those are the absolute maximum periods, a great majority of national laws allow for premature declassification under a variety of circumstances, including individual requests for declassification and releasing information of public interest. Furthermore, some countries have set up a mechanism for regular review of classified information to ascertain if grounds for declassification still hold, if the classification level should be downgraded or if the information should be declassified completely.
An overview of the above-mentioned declassification procedures is provided in Table 2.26
Main finding: There is no uniform practice on declassification procedures, especially concerning the maximum period of classification. Nevertheless, a great majority of countries allow for premature declassification on a variety of grounds, including higher public interest and individual applications for declassification. Despite the existing international standards, less than half of the countries established a regular review of classified information and automatic declassification procedures.
25 Estonia, State Secret and Classified Information of Foreign States Act (01.07.2017), Division 2, Art. 13 26 It should be noted that in a considerable number of cases, either specific information was not provided by the survey respondent or no further information could be found in English language versions of country legislations, and therefore that category is marked with n/a.
13
Table 2: Information Declassification Procedures27
State/ Maximum period for Automatic Possibility of Regular review of classified Declassification classification declassification premature information procedure declassification ALBANIA Maximum 10 years for all levels of Yes, after 10 Yes Yes classification years, if not Extension possible in exceptional extended circumstances BELGIUM n/a n/a Yes Yes28
BULGARIA Maximum periods: Yes, after the Yes Yes, every 2 years Top secret – 30 years maximum period Secret – 15 years Confidential – 5 years Official use – 6 months CANADA No laws regulating the declassification of information
CROATIA n/a n/a Yes Yes Top secret: every 5 years Secret: every 4 years Classified: every 3 years Restricted: every 2 years CZECH n/a n/a n/a Yes, every 5 years REPUBLIC
DENMARK No uniform application, authority classifying the information decides how and when to declassify.
ESTONIA For restricted – 5 years, with 5 years n/a Yes n/a extension possibility For other levels of classification – up to 75 years
27 All information provided in this table is based on the information classification laws of the countries or the responses to the survey. 28 See : https://www.nvoans.be/sites/default/files/attachments/2001-05-21_art03_ar_regles_de_classification_0.pdf, Chapter 2, Sec. 2
14
GERMANY The body issuing the document shall amend or revoke the security categorization of a classified document as soon as the reasons for the previous categorization have ceased to exist. GREECE n/a n/a yes n/a
HUNGARY Maximum periods: Yes Yes Yes - Top secret and secret: 30 years Every 5 years - Confidential: 20 years - Restricted: 10 years ICELAND
ITALY Maximum period: 10 years29 Yes n/a n/a
LATVIA Maximum period: Yes Yes N/a Top secret: 20 years Secret: 10 years Confidential: 5 years LITHUANIA Maximum period: Yes, for restricted Yes n/a - Top secret: 30 years information only - Secret: 15 years - Confidential: 10 years - Restricted: 5 years - Extension possible in exceptional cases LUXEMBURG n/a n/a Yes n/a
MONTENEGRO Top secret: 30 years Yes Yes Yes - Secret:15 years - Top Secret, Secret and Confidential: at - Confidential: 5 years least once every three years - Restricted: 2 years - Restricted: at least once a year
29 Note: “After the expiry of fifteen years from the moment of application of State-secret status or, failing that, from an invocation of State-secret status that is confirmed in accordance with article 202 of the Code of Criminal Procedure (as substituted by section 40 of this Act), any person who has an interest may ask the President of the Council of Ministers to be allowed access to the information, documents, records, activities, things or places having State-secret status.” See: https://www.sicurezzanazionale.gov.it/sisr.nsf/english/law-no-124-2007.html#Chapter_V
15
THE n/a n/a n/a n/a NETHERLANDS NORWAY Up to 30 years Yes Yes n/a
POLAND n/a n/a Yes n/a
PORTUGAL n/a n/a Yes n/a
ROMANIA n/a n/a n/a n/a
SLOVENIA n/a n/a Yes Yes - Top Secret: once a year - Other levels: every three years SPAIN n/a n/a n/a n/a
16
1.6 Free Access to Information of Public Interest
As the survey responses point out, a great majority of countries have a comprehensive legal framework on information classification. In democratic societies, such information classification regimes are balanced by robust laws and mechanisms providing for public access to information, especially access to information of public interest.
Question eight of the survey addressed this issue and inquired whether the free access to information of public interest is defined by law; and if so, whether it is the same law that regulates the protection of classified information or a separate law.
All countries that responded to the survey stated that there is a separate law regulating public access to information in their legislation. A commonly observed feature of those laws is an article that removes classified information from the sphere of application of access to information laws. However, several national laws provide for exceptions to that exemption, allowing access to classified information under certain circumstances. Below are selected country practices allowing for access to classified information:
Overriding public interest: As explained above, access to information laws typically contain an article which exempts classified information from the rights and obligations provided by that law. However, countries such as Albania, Bulgaria, Canada, Croatia, Norway, Slovenia and Spain have introduced a legal mechanism whereby classified information is no longer exempted if there is an ‘overriding public interest’ for accessing such information. By way of example, the Norwegian Freedom of Information Act, Section 11, states: “Where there is occasion to exempt information from access, an administrative agency shall nonetheless consider allowing full or partial access. The administrative agency should allow access if the interest of public access outweighs the need for exemption.”30
Often national authorities decide on a case-by-case basis whether there is an overriding public interest in the disclosure of classified information. However, Latvia embodies further good practice by providing, in its Law on State Secrets, a list of categories of information which have a high presumption of public interest and thus may never be classified. The list includes, inter alia, information regarding violations of human rights, corruption cases, irregular conduct of officials, environmental and health protection, natural disasters and their consequences.31 Similar lists and legal provisions are found in several other countries’ legislation, including Slovenia,
30 Norway, Act of 19 May 2006 No. 16 relating to the right of access to documents held by public authorities and public undertakings (short title: Freedom of Information Act), see: http://app.uio.no/ub/ujur/oversatte- lover/data/lov-20060519-016-eng.pdf 31 Latvia, Law on Official Secrets, Section 5, ‘Information which may not be an Official Secret’
17
Romania and Estonia.32 Indeed, international standards encourage the use of a list of categories which should enjoy at least a high presumption in favor of disclosure, and may be withheld on national security grounds only in the most exceptional circumstances.33
Partial access to classified information: Another important international standard in information classification is that authorities should classify ‘information’ and not ‘documents’ as a whole. As stipulated in Tshwane Principle 22, “…where a record contains both exempt and non-exempt information, public authorities have an obligation to sever and disclose the non-exempt information.” In line with this standard, a number of countries such as Croatia, Germany, Norway, Canada and Denmark have included in their respective laws a provision allowing partial access to documents containing classified information. By way of example, article 13 of the Danish Act on Comprehensive Access to Public Administration Files state that: “Where the considerations mentioned in paragraph 1 (classified information) apply only to part of a document, the party requesting access shall be allowed to see the remaining contents of the document.”34 Similarly, the Croatian law stipulates that “…in case the classified data contain certain parts or enclosures whose unauthorized disclosure does not threaten the values protected by this Act, such parts of the data shall not be classified with the degree of secrecy”.35
Main finding: All countries have a separate law regulating access to information. While access to classified information usually falls outside the scope of such laws, several countries have introduced exceptions that make full or partial access to classified information possible under certain circumstances, especially when there is an overriding public interest to disclose such information.
32 Transparency International (2014), Classified Information, A Review of Current Legislation Accross 15 Countries and the EU, p.52. Also see Romania, Law no 544/2001 on Free Access to Information of Public Interest, Article 13: “The information that favours or hides the infringement of the law by a public authority or institution cannot be included in the category of classified information and shall be considered as information of public interest.” 33 Tshwane Principle 10 34 Denmark, Access to Public Administration Files Act (no 572, 1965), Art. 13. See: https://www.parlament.cat/document/intrade/723 35 Croatia, Data Secrecy Act, 18 July 2007, Article 12 (2)
18
Chapter 2: Parliamentary Handling of Classified Information
2.1 Parliamentarians’ Access to Classified Information
Parliaments are an essential component of any accountability system, since they have the ultimate ‘democratic legitimacy’ as elected individuals overseeing security services. 36 Parliamentarians use a variety of mechanisms and platforms through which they oversee the security sector. These include plenary debates, the questioning of ministers, ad hoc inquiry commissions, and parliamentary committees with a mandate on overseeing security services. However, secrecy laws make parliamentary oversight of the security sector more challenging than overseeing other public sectors. Without access to relevant classified information, parliamentary committees on defense, law enforcement and intelligence cannot be expected to function effectively. Access to classified information by the parliament, as well as other external oversight bodies, is a widely accepted international standard. In 2011, the UN instructed its Special Rapporteur on countering terrorism to compile international good practices in overseeing security services. The Special Rapporteur reported the following as international good practice:
“Oversight institutions have the power, resources and expertise to initiate and conduct their own investigations, as well as full and unhindered access to the information, officials and installations necessary to fulfil their mandates. Oversight institutions receive the full cooperation of intelligence services and law enforcement authorities in hearing witnesses, as well as obtaining documentation and other evidence.” 37
Later, this standard on access to information by oversight bodies, including the parliament, was reiterated in the Tshwane Principle38 and the recommendations of the CoE Commissioner for Human Rights.39
In this context, the second and third questions of the survey inquired whether all or selected members of parliament have access to classified information. The responses revealed a considerable degree of variance in the regulation of parliamentary access to classified information, which can be broadly sorted into three categories.
36 Aidan Wills (2010), Guidebook: Understanding Intelligence Oversight (DCAF), p. 42, see: http://www.dcaf.ch/guidebook-understanding-intelligence-oversight 37 UN Human Rights Council, Compilation of good practices on legal and institutional frameworks and measures that ensure respect for human rights by intelligence agencies while countering terrorism, including on their oversight A/HRC/14/46 (2011), Practice 7, see: https://fas.org/irp/eprint/unhrc.pdf 38 Tshwane Principle 32 39 CoE Commissioner for Human Rights (2015) Democratic and Effective Oversight of National Security Services Recommendation 14, p.13.
19
Category I: Countries where all parliamentarians may access classified information
In 16 parliaments out of 24, corresponding to a two-thirds majority of respondents, all parliamentarians may, in principle, access classified information. However, it should be noted that such access is almost never unfettered. One principle that almost all parliaments have in common is that access to classified information is granted on the basis of the ‘need to know’ principle, which means that parliamentarians can only access confidential information that is relevant to their oversight mandate.
Moreover, several countries in this category impose further conditions and limitations to parliamentary access to information. Such restrictions often relate to accessing information on security services’ ongoing operations or confidential sources of operations. For instance, Spain has exempted information related to the sources and means of the intelligence service as well as information received by foreign intelligence agencies from parliamentary access.40 Similarly, in Canada, members of the ‘National Security and Intelligence Committee of Parliamentarians’ do not have the right to access information that is directly related to an ongoing investigation that could lead to prosecution, or information that could lead to the identification of human confidential sources and protected witnesses.41
In Estonia, parliamentary access to information can be denied if the information concerns an ongoing information collection method by the intelligence service, or if the information disclosed would endanger the sources or the targets of the surveillance operation. Nevertheless, Estonian law stipulates that such denials to parliamentary access can only occur upon a ‘reasoned decision of the Prime Minister or other relevant Minister’. 42 Such a requirement of a reasoned decision by top executive officials may be considered as a safeguard to prevent security services from arbitrarily denying access to information requests. A similar practice exists in Iceland, where the executive may deny the parliament’s request to access confidential information “…if the interest of the committee in knowing its substance is exceeded by much more urgent public or private interests. Such refusal shall be reasoned in writing.”43
Furthermore, six out of 16 countries in this category, namely Germany, the Netherlands, Montenegro, Poland, Portugal and Romania, stated that there are varying practices as to the level of confidential information to which parliamentarians are granted access. In other words, while all MPs may have access to classified information in principle, they may not access all levels of classified information. By way of example, in Montenegro, all parliamentarians are granted access only to ‘restricted’ information (the lowest level of classification) by virtue of their office. However, members of certain committees (e.g. Committee for Security and Defence, Anti-corruption Committee and Inquiry Committee) have access to information with
40 Spain, Act 11/2002, of 6 May, regulating the National Intelligence Centre, Art. 11 41 Canada, National Security and Intelligence Committee of Parliamentarians Act, Section 14 42 Estonia, Status of Members of the Riigikogu [parliament of Estonia – S.S.] Act § 19 43 Iceland, Standing Orders of the Althingi, Article 50 (1), see: https://www.althingi.is/english/about-the- parliament/standing-orders-of-the-althingi-/
20
higher levels of classification. Similarly, in Romania, all parliamentarians have access to information classified as ‘service secret’ (equivalent to ‘NATO restricted’). Only 24 Senators have access to the highest levels of classified information – usually, these Senators are members of the Defence Committee, or other special committees such as the Permanent Joint Commission of the Chamber of Deputies and the Senate for exercising parliamentary control over the activity of S.R.I. (Romanian Intelligence Service). In Poland, all parliamentarians have access to all levels of classified information except the ‘top secret’ level. In the German Bundestag, members of the defence committee generally have access to explanations on the defence budget classified as ‘secret’. In the Dutch parliament, MPs do not have access to all classified information. There are internal rules to make classified information related to the political process available to MPs.
Iceland applies another type of condition for general parliamentary access to information: all parliamentarians can have access to information only when the information concerns a bill or a recommendation. In all other cases, not all MPs are entitled to classified information by virtue of their office. Instead, only the relevant committee members are given access to classified information.
Category II: Countries where only select parliamentarians or committees have access to classified information
In seven out of 24 countries, namely Albania, Croatia, Denmark, Greece, Italy, Lithuania, and Luxembourg, there is no policy granting all parliamentarians access to classified information by virtue of their office. In those parliaments, only select parliamentarians and/or members of selected committees have access to classified information. Examples include the National Security Committee of the Albanian parliament, the Parliamentary Committee of the Security of the Republic (COPASIR), the Parliamentary Inquiry Committees in Italy and the Parliamentary Control Commission in Luxembourg. In the Danish parliament, there is no single designated committee which has exclusive power to access classified information; rather parliamentary committees can be given access to classified information where relevant and necessary for their mandate, on an ad hoc basis. In Lithuania, the speaker of the Seimas (parliament) is the only parliamentarian who has access to classified information by virtue of office. According to the law, the speaker draws the list of posts in the parliament who are required to obtain a certificate of access to classified information, upon which they are given access. The list includes the deputy speakers of the Parliament, chairs and (in some cases) deputy chairs of standing committees and commissions, as well as members of the Committees on National Security and Defence, Foreign Affairs and European Affairs.
It should be noted that, in this category, the access of designated committees or parliamentarians to classified information is not absolute and is often subjected to the ‘need to know’ principle.
21
Category III: Countries where no parliamentarians have access to classified information
Belgium is the only country among respondents where no parliamentarians have access to classified information. Belgian law obliges anyone, including parliamentarians, to undergo security vetting before obtaining access to classified information. The parliamentarians refuse to undergo vetting, and therefore do not have such access. For this reason, the set-up of parliamentary oversight in Belgium is different than in other countries. The parliamentary committee does not exercise direct oversight of security sector institutions. Instead, it monitors and supervises two independent oversight bodies (the Comit I, which oversees intelligence agencies, and the Comit P, which oversees police services), which have unfettered access to classified information (relevant to their mandate) as well as other extensive oversight powers.44
Table 3 provides an overview of responses to these two questions.
Main finding: Close to two-thirds of the surveyed countries grant all parliamentarians access to classified information, in principle. However, in most cases, national laws impose a range of conditions and limitations to parliamentary access. These include exempting certain kinds of information or certain levels of classification from parliamentary access. In one-third of the countries, only select parliamentarians or designated committees are granted access to classified information. In all cases, parliamentary access to classified information is never ‘absolute’, it is always based on the ‘need to know’ principle.
Table 3: Access to Confidential Information by Members of Parliament
Countries All members Only the following committee members have No members have access access have access ALBANIA Members of the National Security Committee
BELGIUM o
BULGARIA o
CANADA o
CROATIA Only parliamentarians whose scope of responsibilities/committee membership covers the specific issue for which the information is needed CZECH o REPUBLIC
44 Belgium, Loi organique du contrôle des ser ices de police et de renseignement et de l'Organe de coordination pour l'analyse de la menaceI, see: http://www.ejustice.just.fgov.be/cgi_loi/loi_a.pl
22
DENMARK When relevant/necessary, committees can be given access to classified information. ESTONIA o
GERMANY o *
GREECE Info n/a
HUNGARY o
ICELAND o *
ITALY Members of the Parliamentary Committee for the Security of the Republic (COPASIR) and Parliamentary Inquiry Committees LATVIA o
LITHUANIA Members of the Seimas (parliament) Board; Deputy speakers of the parliament; Chairs and deputy chairs of the standing committees; Chairs of standing commissions; Members of the Committee on National Security and Defence; Members of the Committee on Foreign Affairs; and Members of the Committee on European Affairs LUXEMBOURG Members of the Parliamentary Control Commission MONTENEGRO o *
THE o * NETHERLANDS NORWAY o
POLAND o *
PORTUGAL o *
ROMANIA o *
SLOVENIA o
SPAIN o
* Parliamentarians’ access is restricted to certain levels of classification and/or certain tasks, such as review or amendment of a bill or a recommendation (as is the case in Iceland).
23
2.2 Existence of Laws, Policies, Mentalities Blocking Reasonable Parliamentary Access to Information
The previous section provided an overview of legal bases for parliamentarians’ access to classified information. The survey responses showed that, with the exception of Belgium, in all countries there is a reasonably clear legal framework allowing all or selected parliamentarians to access classified information, under certain conditions and with certain limitations. However, often the existence of laws may not be sufficient when they are not effectively implemented in practice. For instance, authorities holding classified information and excessively or arbitrarily delaying the granting of access to parliamentarians would obstruct the parliamentary oversight process. Against this background, question 11 of the survey inquired whether there are laws (for example ‘killer-laws’ sanctioning the sharing of security/defense-related data), procedures or mentalities that interfere with a reasonable access to classified information for parliamentarians.
Out of 24 countries, 17 expressly responded that there are no laws or practices hindering parliamentary access to classified information. Most of the respondents stated that the regulation of information classification in their countries is reasonable and implemented without any major obstacles. By way of example, in 2013, the Parliament of Luxembourg set up a commission of inquiry concerning the activities of secret services. All members and relevant staff were given security clearance and access to classified information without any delay or obstacles. The Committee’s investigation had profound results, which led to comprehensive intelligence reform.
Three countries shared experiences or opinions on attempts to obstruct reasonable parliamentary access. In Poland, parliamentarians need security clearance to access ‘top secret’ classified information (no clearance is needed for lower levels of classification). So far, there have been few cases of a vetting authority refusing to grant security clearance to parliamentarians for access to top secret information. In Norway, while the Law on Security was being amended, certain members of the security establishment argued for instituting a security clearance requirement for parliamentarians. However, those arguments did not gain further ground and were not incorporated in the amended law. Belgium pointed out the rules providing that parliamentarians should be security vetted to access classified information and that a parliamentarian who has access to such data cannot invoke it in plenary or to question a minister. In the Belgian case, these rules raise necessary questions. Is it acceptable for parliamentarians to submit to a security vetting conducted by the services they are supposed to oversee? How can parliamentarians’ absolute freedom of speech and criminal immunity be reconciled with access to classified information?
24
Main finding: In a significant majority of countries, parliaments enjoy access to classified information without any other laws, policies and mentalities blocking reasonable access. A few isolated practices and issues concern the vetting of parliamentarians.
2.3 Security Vetting of Parliamentarians
Whether parliamentarians, especially those overseeing defense and security agencies, should undergo security vetting in order to access classified information is a highly debated issue, especially in countries in transition to democracy. While there is no binding international standard on this issue, the Tshwane Principles stipulate that the decision on vetting should be left to parliaments:
“(b) Legislatures should have the power to decide whether […] members of legislative oversight committees should be subject to security vetting prior to their appointment.
(c) Where security vetting is required, it should be conducted (i) in a timely manner, (ii) in accordance with established principles, (iii) free from political bias or motivation, and (iv) whenever possible, by an institution that is not subject to oversight by the body whose members/staff are being vetted”.45
As seen in paragraph c, the Tshwane Principles stipulate the need for standards for a vetting procedure that would not hamper parliamentary oversight. One of the most essential standards in this respect is that the vetting agency should not be among the institutions that the parliamentary committee is mandated to oversee. When parliamentarians are required to go through security vetting to access classified information, and especially if this vetting is conducted by the very security/intelligence agencies that parliamentarians are supposed to oversee, their oversight capabilities could be seriously jeopardized. In such cases, intelligence agencies may excessively and arbitrarily delay the vetting process of members of the parliamentary oversight committee, effectively rendering it dysfunctional. Alternatively, the intelligence agency may arbitrarily deny the security clearance of some parliamentarians and force the committee to re-elect members, effectively interfering with the committee’s composition. It is therefore crucial that national laws on vetting procedures be clear, comprehensive and in line with international standards.
Question four of the survey explored whether parliamentarians sitting on security-related committees undergo vetting, and if so, inquired about the authorities and procedures related to conducting the vetting and granting security clearance.
45 Tshwane Principle 35
25
The responses to this question revealed a significant tendency to exempt parliamentarians from security vetting. In 17 out of 24 countries, parliamentarians do not need to undergo security vetting to access classified information. An essential justification for this practice is that by virtue of being elected by popular vote, parliamentarians hold a sufficient degree of credibility to access information relevant to their mandate. Germany went a step further and introduced a rule whereby parliamentarians who are nominated by their parliamentary group to sit on the Parliamentary Control Panel (the committee overseeing domestic and foreign intelligence services) are voted in the plenary, and only those who receive the majority of the votes are elected to sit in that committee. This rule provides an additional layer of legitimacy for elected parliamentarians and ensures that those sitting in that committee are well respected and have cross-party backing.46
Among four of those 17 countries, namely Norway, Estonia, Croatia and Poland, exemption from vetting is the norm, but security clearances are required for exceptional circumstances. Such exceptional circumstances often relate to parliamentarians’ access to foreign classified information (Norway, Estonia, Croatia) or to ‘top-secret information’ (Poland). It is important to note that when security clearance is exceptionally required for a parliamentarian in Norway, it is the Norwegian Parliament that issues security clearances and not the Norwegian National Security Authority – which is the clearance authority for other citizens. This practice is in line with international standards as stipulated in the Tshwane Principles. In Estonia, while the security service carries out the vetting procedures, the final decision on the matter is left to the Parliament’s Security Authorities Oversight Committee.
In six out of 24 countries, namely Albania, Canada, 47 Hungary, Latvia, Lithuania and Romania, parliamentarians have to undergo security vetting to access classified information. In most cases, it is the domestic security or intelligence service that conducts the vetting and decides whether to issue the security certificate.
Lastly, in Belgium, security vetting is compulsory. However, in practice, all MPs refuse to undergo security vetting and therefore do not access classified information. Table 4 provides an overview of all responses.
Main finding: In two-thirds of the countries surveyed, parliamentarians sitting in security-relevant committees do not undergo security vetting. In the remaining countries, most often the security or intelligence services, which are supposed to be overseen by the parliamentary committee, conduct the security vetting of parliamentarians.
46 See: https://www.bundestag.de/ausschuesse/ausschuesse18/gremien18/pkgr/einfuehrung/248044 47 It should be noted that, in Canada, the committee is not a parliamentary body, even though the members are composed of parliamentarians.
26
Table 4: Vetting of Parliamentarians
Country MPS are MPs need Vetting authority and the decision maker Remarks on the process not to undergo vetted vetting ALBANIA o The decision is made by the director of the While the Directorate issues security certificates, it Directorate of Security of Classified consults with the State Intelligence Service during the Information. vetting process. BELGIUM o Members of the parliamentary committee refuse to undergo security vetting, and hence cannot access classified information. BULGARIA o CANADA o The Royal Canadian Mounted Police and the The Committee in Canada is a committee of Canadian Security Intelligence Service parliamentarians, but not a parliamentary body. conduct vetting. The decision is made by the Privy Council. o * The security clearance procedure is carried No vetting is required for accessing national classified out by the National Intelligence Agency, information. Vetting is required for MPs attending CROATIA while the certificate of security verification is meetings where foreign classified information will be issued by the Office of the National Security handled. Council. CZECH o REPUBLIC DENMARK o ESTONIA o * Either the Internal Security Service or the Vetting is usually not needed, but the law provides for Foreign Intelligence Service conducts a number of instances where it is exceptionally vetting. The final decision is made by the required (such as access to classified information ‘Security Authorities Oversight Committee’ obtained from another state). of the parliament. GERMANY o
27
o
GREECE HUNGARY o The Constitution Protection Office conducts vetting. The decision is made by the director of the Office or the ministry of interior. o
ICELAND ITALY o LATVIA o The Constitution Protection Bureau conducts vetting. The decision is made by the director of the Bureau.
LITHUANIA o
LUXEMBOURG MONTENEGRO o NORWAY o * The Storting (Parliament) issues security No vetting is required for accessing national classified clearances (and not the Norwegian National information. Vetting is required for MPs attending Security Authority, which is the clearance international meetings where foreign classified authority for other citizens). information will be handled. o
THE NETHERLANDS POLAND o * The Internal Security Agency conducts the Vetting is required only for ‘Top Secret’ information. vetting. The final decision is made by the director.
28
PORTUGAL o ROMANIA o National Register Office for State Secret Information SLOVENIA o SPAIN o
Table 4: Responses to survey question 4: Do parliamentarians sitting on security relevant committees need to undergo vetting? If so, which is the vetting agency, and according to what principles does the vetting take place? Who takes the decision of giving them security clearance?
29
2.4 Parliamentary Staff Access to Classified Information
The important work of parliamentary staff rarely receives the emphasis it deserves. While parliamentarians’ work in the committee is limited to terms that are determined by elections, the permanent staff remain in the committee, and their involvement in the work of the committee greatly contributes to the institutional memory of parliaments. Full-time staff with the necessary expertise on the subject matter can provide substantial support to a parliamentary committee’s oversight activities.
In security-related parliamentary committees, the staff needs to have access to classified information in order to prepare necessary documentation and analysis to support the work of the members. In this respect, question 12 of the survey explored the practices regulating staff access to classified information.
Apart from Belgium and Canada, all national parliaments seem to allow staff access to classified information. In Luxembourg and the Netherlands, parliamentary staff access is not a routine procedure and is allowed only in specific and legitimate circumstances. This access comes with the regular caveats of the ‘need to know’ principle and the ‘permanent secrecy’ duty, which is valid even after the end of their contract.
Of those parliaments providing staff with access to classified information, almost all of them subject the staff to a security-vetting procedure. There are some differences in national practices. Germany, Slovenia and Estonia are among the countries which stated that the vetting of staff is not required for ‘restricted’ level. In Norway, even after the vetting procedure, staff are allowed to access information up to the level ‘Secret’.
Italy and Portugal are the two countries where specific vetting procedures for Committee staff are not expressly stipulated in laws. In Italy, access to classified information is restricted to formally assigned committee staff, and not to the MPs’ assistants.
Apart from the question of vetting, the ‘need to know’ and ‘permanent secrecy’ principles seem to be the routine pre-conditions for parliamentary staff to access classified information.
Main finding: A significant majority of countries provide committee staff with access to classified information. In most cases, staff are required to undergo security vetting, in addition to the general principles of ‘need to know’ and ‘permanent secrecy’, before being granted access to such information.
30
2.5 Measures Taken by Parliamentary Committees to Protect Classified Information
A common prerequisite for sharing classified information is a set of security measures that must be taken by the recipient in order to protect such information. This condition applies to parliaments as well. Indeed, the UN Special Rapporteur included the following in the compilation of international good practices in the oversight of security services:48
“Oversight institutions take all necessary measures to protect classified information and personal data to which they have access during the course of their work. Penalties are provided for the breach of these requirements by members of oversight institutions.”
The Tshwane Principles also state that “…the law should require independent oversight bodies to implement all necessary measures to protect information in their possession.”49
In this regard, question five of the survey inquired about the type of security measures parliaments apply to safeguard classified information.
With the exception of Bulgaria, all countries that responded to the survey listed a variety of security measures in place in their parliaments. The most common two measures, at least one of which is applied in almost all countries, are a separate ‘shielded’ or ‘secure’ meeting rooms for committee meetings where classified information is discussed, and a separate and safely guarded registry or archive for classified documents.
In addition to those two fundamental security measures, below is a selection of additional measures provided by countries:
Selected examples of physical and electronic security measures: o Security checks against prohibited devices and bugging before committee meetings where classified information would be handled (Albania, Estonia) o Designation of a ‘restricted area’ for which records detailing the access to the area are maintained and audited (Canada) o Special certification for all electronic devices in the secure room, encrypted servers (the Czech Republic) o Manned guard on site for secure rooms (Estonia, Croatia) o Tempest-zoning measures and jamming around the secure rooms (Hungary) o Seconded police officers safeguarding separate archives for classified information (Italy)
48 UN Human Rights Council, Compilation of good practices on legal and institutional frameworks and measures that ensure respect for human rights by intelligence agencies while countering terrorism, including on their oversight A/HRC/14/46 (2011), Practice 8 https://fas.org/irp/eprint/unhrc.pdf 49 Tshwane Principle 35(a)
31
Selected examples of procedural security measures: o Meetings are held in camera, without registration (Belgium) o Documents containing sensitive information are shared with committee members shortly before the meeting (Belgium)50 o During committee meetings, only the resolutions/decisions are recorded and not deliberations concerning ‘Top Secret’ and ‘Secret’ information (Germany) o Documents containing classified information can be examined by committee members, but no copies or other reproduction can be made (Spain, the Netherlands) o Meeting notes which contain classified information are reviewed before being shared with participants (Estonia) o Documents containing classified information can only be consulted inside ‘the specifically designated archive rooms’ (Italy), or at a place designated by the Central Information Unit of the Parliament (the Netherlands)51 o When reading classified documents each MP has to register his/her name for verification (The Netherlands)
Main finding: Almost all countries put in place at least one of the two fundamental security measures, which are: establishing a secure room and designating a separate registry and archive for documents containing confidential information. Several countries apply further physical, electronic and procedural measures to safeguard confidential information.
2.6 Sanctions for Unauthorized Disclosure of Classified Information
As the previous sections pointed out, the right to access classified information comes with the duties of maintaining the confidentiality of the information and taking the necessary measures for its protection. Sanctioning a breach of those duties in the framework of the law is a globally accepted principle.
Question 13 of the survey focused on the sanctions the respective national laws foresee for unauthorized disclosure of classified information and inquired whether there are different sanctions for parliamentarians and staffers.
50 As stated earlier, parliamentarians in Belgium refuse to undergo security vetting and therefore cannot access classified information. However, the parliament has appointed an independent expert body exclusively mandated to oversee the security services (Standing Committee I). Members of this committee are not parliamentarians, they have full security clearance and access to all classified information. The Standing Committee I regularly reports to the Parliament’s Monitoring Committee. However, the reports that are submitted to the Monitoring Committee of the Parliament do not contain classified information. Nevertheless, the reports may contain ‘unclassified’ but sensitive information. The security measures referred to with regard to Belgium should be taken in this context. For more information on the Standing Committee I and the parliamentary Monitoring Committee, see: http://www.comiteri.be/index.php/en/39-pages-gb/307-what-is-the-difference-between-the- standing-committee-i-and-the-monitoring-committee-of-the-chamber-of-representatives-responsible-for- monitoring-the-standing-committee-p-and-the-standing-committee-i 51 For more details on the protective measures in Netherlands, see the Parliamentary regulation on the handling of classified information (in Dutch), see: https://www.tweedekamer.nl/sites/default/files/atoms/files/rvo_regeling_vertrouwelijke_stukken_1.pdf
32
The national laws of all countries stipulate a range of administrative and criminal sanctions for unauthorized disclosure of classified information. In most cases, the severity of sanctions foreseen by the law depends on: The category of classified information that is disclosed; The way in which it is disclosed (purposefully or by negligence); To whom the information is disclosed (a third person, a national of a foreign country or the general public); The motive of the disclosure (monetary gain, espionage, treason, etc.); and The circumstances in which information is disclosed (peacetime vs. wartime)
In this respect, the punishment foreseen in national laws varies from monetary fines to a few years of imprisonment, and life imprisonment in the most extreme cases. By way of example, the German Criminal Code provides for life imprisonment for treasonous activities that seriously prejudice the external security of the Federal Republic.52
It should be noted that some countries, while criminalizing unauthorized disclosure of classified information in general, include specific legal provisions which exempt unauthorized disclosure from criminal responsibility if it is in the public interest. For instance, section 15 of the Canadian Security of Information Act53 provides that:
“No person is guilty of an offence under section 13 or 14 (unauthorized communication of special operational information) if the person establishes that he or she acted in the public interest. A person acts in the public interest if
o (a) the person acts for the purpose of disclosing an offence under an Act of Parliament that he or she reasonably believes has been, is being or is about to be committed by another person in the purported performance of that person’s duties and functions for, or on behalf of, the Government of Canada; and
o (b) the public interest in the disclosure outweighs the public interest in non- disclosure.” As for the applicability of the laws, in a great majority of countries, the laws are applicable to both parliamentarians and staffers. Canada seems to be one of the few countries where there are safeguards against the application of criminal sanctions. In Canada, while the law provides for sanctions, including an imprisonment of up to 14 years,54 parliamentary privilege offers potential protection to parliamentarians who receive and disclose classified information, but only insofar as these actions are undertaken in the course of parliamentary proceedings. Parliamentary privilege may also shield staffers from liability under the law should they view or handle a classified document in the course of their parliamentary duties.
52 Germany, Criminal Code, Section 94 (promulgated on 13 November 1998, Federal Law Gazette [Bundesgesetzblatt] I p. 3322, last amended by Article 1 of the Law of 24 September 2013, Federal Law Gazette I p. 3671), see: https://www.gesetze-im-internet.de/englisch_stgb/englisch_stgb.html#p0974 53 Canada, Security of Information Act, (1985) http://laws-lois.justice.gc.ca/eng/acts/O-5/page-3.html#docCont 54 Canada, Security of Information Act (see previous footnote)
33
Other countries, including, inter alia, Denmark, Romania, Norway, Iceland and Luxembourg, expressly stated that even though parliamentarians enjoy immunity and privilege with respect to freedom of speech, such immunities can be repealed if the Criminal Code is violated, which means they can be held criminally responsible. However, the procedures for bringing charges against parliamentarians differ from those against staffers or any other person.
In almost all countries, the severity of sanctions foreseen for parliamentarians and staffers is the same. The only exception is Italy, where article 326 of the Criminal Code foresees a longer term of imprisonment for parliamentarians in cases of unauthorized disclosure (penalty is increased by between one third and one half compared to the standard punishment).55
Main finding: In all countries, a range of administrative and criminal sanctions are applied for unauthorized disclosure of classified information and, in most countries, they are equally applicable to both parliamentarians and staffers, albeit through different prosecutorial procedures.
2.7 Capacity Building for Parliaments on Handling Classified Information
Considering the sensitivity of handling classified information and the sanctions for unauthorized sharing or disclosure of such information, question 14 of the survey inquired whether parliamentarians and relevant committee staff receive capacity-building support on handling classified information.
Thirteen out of 24 respondents stated that there is capacity-building assistance either in the form of training, briefing of informative materials. Among these 13 countries, in Albania, the Czech Republic, Estonia, Montenegro and Poland, such capacity-building activities are provided either directly by, or in cooperation with, the respective security/intelligence service. In other countries, capacity-building is either provided by a designated official or department in the parliament, or by an external body, such as the Federal Office for Information Security in the case of Germany.
Eleven countries responded by stating either that there are no capacity-building activities on handling classified information, or that no information is available on this question. Table 5 provides an overview of country responses.
55 Italy, Criminal Code, see: http://www.altalex.com/documents/news/2014/10/14/dei-delitti-contro-la-pubblica- amministrazione
34
Table 5 – Capacity Building on Handling Classified Information
Responses to question 14: Are there capacity-building activities on handling classified information? Who organizes them?
Country Yes Organizer(s) No Information not available ALBANIA o Directorate For The Security Of The Classified Information of the National Security Authority BELGIUM o BULGARIA o Designated staff of the Parliament
CANADA o Secretariat of the NSICOP CROATIA o Office of the National Security Council CZECH o National Security Authority REPUBLIC DENMARK o Parliament & Minister of Foreign Affairs
ESTONIA o Foreign Intelligence Service & Office of the Secretary General of the Parliament GERMANY o Federal Office for Information Security & the Parliament GREECE o Hellenic National Defence General Staff HUNGARY o ICELAND o ITALY o LATVIA o LITHUANIA o LUXEMBOURG o MONTENEGRO o Directorate for Protection of Classified Information of the National Security Agency NORWAY o THE o NETHERLANDS POLAND o Internal Security Agency of the Military Counterintelligence Service PORTUGAL o National Security Cabinet of Portugal ROMANIA o SLOVENIA o Office of the Secretary General of the Parliament SPAIN o
35
Conclusion
The NATO PA-DCAF Survey on Access to Classified Information for Parliamentarians aimed to explore the legal frameworks and practices on information classification and parliamentary access to classified information in NATO member state parliaments. In line with this objective, the report provided an analysis of country responses in two chapters; the first focusing on the overall legal framework on information classification, the second addressing parliamentary access to and handling of classified information in responding countries.
The responses to the survey provided valuable insights into national approaches to regulating information classification and helped identify gaps or potential shortcomings observed across countries.
With respect to the legal frameworks on information classification, a majority of the countries regulate information classification through publicly available laws and officially designate the authorities that are competent to classify information, which is in line with international standards.
However, the survey responses revealed significant variance in national laws and practices regarding the categories of information to be classified and declassification procedures. International standards recommend establishing a clear and conclusive list of categories of information to be classified in the law. One-third of the countries stated that they have such categories in their national laws. However, in most cases, the categories do not seem to be as clear and conclusive as stipulated in the Tshwane Principles. The remaining two-thirds of the countries do not seem to have a list of categories of information to be classified. Instead, national laws refer to a list of vital national security interests and allow for any information that would cause harm to national security interests in case of unauthorized disclosure to be classified. Such broad formulations on what information may be classified present the risk of leaving the authorities a great margin of discretion, which may result in pervasive over-classification of information.
Survey responses seem to suggest that information declassification procedures are not regulated in great detail in national laws. Declassification is an area where there is a need for greater compliance with international standards. The survey found that less than half of the countries established mechanisms for regular review of classified information and automatic declassification procedures. Such periodic reviews and automatic declassification procedures are crucial tools for transparency and balance the tendency to unnecessarily extend the classification period of documents that no longer need to be classified.
The survey responses have also revealed insights into parliamentary access to and handling of classified information. It is commendable that almost all countries grant parliamentarians access to classified information, with the majority granting all parliamentarians access, while the rest allow select parliamentarians and/or parliamentary committees to access classified
36
information. Nevertheless, it should be noted that parliamentary access to classified information is never absolute. The ‘need to know’ principle seems to be applied in all countries. In addition, some countries impose additional restrictions by exempting certain information from parliamentary access. Such information often relates to ongoing operations and confidential sources of intelligence services.
In one third of the countries that responded to the survey, parliamentarians have to undergo security vetting before they can access classified information. In most of these cases, contrary to international standards, the vetting is conducted by the security or intelligence services that the parliamentarians are supposed to oversee. When vetting procedures are not clearly stipulated in the law (conducting background checks, decision making on issuing clearance, appeal mechanisms) then the vetting process itself bears the risk of being instrumentalized to obstruct any meaning oversight attempt by the parliament.
As for the handling of classified information, parliaments seem to be in line with international practice, by putting in place a range of security measures to protect classified information and by imposing sanctions for the unauthorized disclosure of classified information. The different types of additional security measures implemented by countries and the various sanctioning policies listed in the report may be useful for parliaments that are in the process of revising laws and practices related to handling classified information.
The international standards and examples of country laws and practices outlined in this report are intended to help with understanding the common practices as well as gaps and challenges regarding access to classified information and to illustrate how parliaments handle classified information. It is hoped that those standards and good practices will contribute to reform efforts for a more effective parliamentary oversight of the security sector.
37
Annexes
Annex I – NATO PA-DCAF survey questions
1) Does your country have a law on classification and the handling of classified information? If so, please attach to survey, ideally in English. If not, how is access to classified information regulated?
2) Do all parliamentarians have access to classified information?
3) Do only some committees or select parliamentarians have access to classified information? If so, which ones?
4) Do parliamentarians sitting on security relevant committees need to undergo vetting? If so, which is the vetting agency, and according to what principles does the vetting take place? Who takes the decision of giving them security clearance?
5) Are there any other means for protecting classified information within the security and intelligence committees? (such as a shielded room for closed committee meetings, for example)
6) Does the law clearly and conclusively define the categories of information that may be classified?
7) Does the law clearly define the persons/authorities who may classify information?
8) Is the free access to information of public interest defined by law? Which law? Or: Is this the same law that regulates the protection of classified information or a separate law?
9) What levels of classification does the law define?
10) What are the stipulations of the Law on the de-classification of data? Who may de-classify under which conditions?
11) Do you feel that there are Laws, procedures or mentalities which interfere with a reasonable access to classified information for parliamentarians (e.g., is there a 'killer law' that sanctions the passing-on of defense or security related data - whatever the level of classification, formal or informal, may be - to persons outside the defense/security sphere)?
12) How is access to classified information regulated for parliamentary (expert) staff?
13) What sanctions does the Law foresee for unauthorized disclosure of classified information by parliamentarians? Are there different sanctions for staffers?
14) Are there capacity-building activities on handling classified information? Who organizes them?
38
Annex II – List of countries that responded to the survey
Countries that responded the survey 1 ALBANIA 2 BELGIUM 3 BULGARIA 4 CANADA 5 CROATIA 6 CZECH REPUBLIC 7 DENMARK 8 ESTONIA 9 GERMANY 10 GREECE 11 HUNGARY 12 ICELAND 13 ITALY 14 LITHUANIA 15 LUXEMBOURG 16 LATVIA 17 MONTENEGRO 18 NETHERLANDS 19 NORWAY 20 POLAND 21 PORTUGAL 22 ROMANIA 23 SLOVENIA 24 SPAIN
39