Dutch intelligence services still do not comply with the Intelligence and Security Services Act (Wiv), popularly referred to as the 'towing act', writes the Supervisory Committee for Intelligence and Security Services (CTIVD) in a report published Tuesday.

In December last year, the regulator also wrote that the General Intelligence and Security Service (AIVD) and Military Intelligence and Security Services (MIVD) failed considerably on several points.

Six months ago it appeared that the intelligence services had taken many steps in the right direction, but still did not comply with the law. The CTIVD reached the same conclusion on Tuesday in the new report.

The regulator now believes that the intelligence services have done a lot of work, but that the risk of unlawful action is still as great as six months ago. "The necessary legal safeguards for the legal protection of the citizen are still insufficiently implemented," says the CTIVD.

"Collecting bulk data is illegal"

The Wiv took effect on 1 May 2018. The law gives intelligence services powers to intercept data on a large scale. In this way, the services can, for example, investigate and detect terrorists or other threats.

The data collected may only be relevant for the performance of tasks of the services, other information must be destroyed quickly. "This is to ensure that as few infringements as possible occur in the personal lives of citizens who are not involved in the use of the authority, but whose data are stored."

The CTIVD therefore questions the collection and storage of bulk data from citizens. This data also contains data from organizations and persons that are not investigated by the intelligence services and for which this will never be necessary. This data should have been destroyed by law.

"Important steps must be taken"

To comply with the ISS, the information services of the regulator must convert the legislation into concrete instructions for employees, internal processes, technical systems and adequate internal control mechanisms.

These are the preconditions that the AIVD and the MIVD must meet, "for both the legality of their activities and their verifiability," the CTIVD states. "So that it also works in practice as it should work and can be checked internally and externally."

The regulator wants to publish a report in May 2020 with conclusions about the implementation of the Wiv.