At Privacy Across Borders, we have been researching how other countries contend with providing notification to individuals about whether they have been the target of surveillance by their country’s intelligence agencies. In “Without Confirming or Denying”: Opaque Notification and National Security Redress, Alex Joel examines the opacity of notification under U.S. law and the practice’s consistency with European legal norms. Building on Professor Joel’s work, I have written Opaque Notification: A Country-by-Country Review.
In this paper, I present summaries of how the national laws of certain countries handle notification. I primarily rely on two sources for this review: the European Commission’s adequacy determinations for the United Kingdom and the Republic of Korea, and the European Union’s Fundamental Rights Agency’s (FRA’s) authoritative multipart report on the surveillance laws of European Union member states (which the FRA recently updated).
As background, the two-tier redress mechanism established by Executive Order 14086 (EO) and the Department of Justice regulation (28 C.F.R Part 201) provides notification to the complainant “without confirming or denying that the complainant was subject to United States signals intelligence activities.” The European Data Protection Board (EDPB) issued an opinion on the adequacy of the new framework and articulated unease about the “general application” of the response that neither confirms nor denies a violation and, more specifically, that the EO does not include exemptions to this standard verbiage.
This paper discusses the European Commission’s adequacy decisions for the United Kingdom and the Republic of Korea, where the Commission found both countries to have redress mechanisms essentially equivalent to the standard required by EU law. More specifically, the Commission concluded that in the United Kingdom, while intelligence agencies are not required to notify individuals, the judicial body provided adequate safeguards. Furthermore, the Commission determined that the redress entitlements in the United Kingdom provided an adequate and effective judicial remedy. Similarly, in the Republic of Korea, the Commission found that the protections granted by the redress mechanism satisfied EU law requirements.
Additionally, this paper outlines the findings of Volumes I and II of the EU’s Fundamental Rights Agency (FRA) Report on Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU, the updated report issued in 2023, and the FRA country reports. Respecting notification, all European Union Member States maintain a national security exception exempting the State from being required to disclose that an individual was subject to surveillance activities. Moreover, in the last several years, few individuals have sought a remedy against illegal surveillance activities.
The paper concludes that the practice of opaque notification is reflected in the national security laws and practices of the United Kingdom, Korea, and EU member states.