Privacy International analyses the court's judgement and takes a look at what comes next.
This statement was originally published on privacyinternational.org on 26 May 2021.
The 25 May 2021, Grand Chamber judgment against the UK broke new ground in the regulation of bulk interception capabilities requiring enhanced safeguards to protect the rights to privacy and freedom of expression against abuse. It is a complex judgment with lights and shades, and the fight against mass surveillance is not over. Find here our initial take on the judgment and what comes next.
KEY FINDINGS
- UK’s historical bulk interception regime violated the right to privacy protected and freedom of expression
- Bulk interception should be subject to
- “end to end safeguards”, assessing the necessity and proportionality of the measures being taken at each stages
- independent authorisation at the outset
- supervision and independent *ex post facto* review.
- Interception of communications data is as serious a breach of privacy as the interception of content and should be subjected to the same protections
- Access to journalistic sources requires prior independent or judicial approval
- Intelligence sharing is an interference with the right to privacy and should be regulated as such
- But the judgment falls short on some other aspects, including that it sets aside the long established individualised reasonable suspicion requirement
The Grand Chamber of the European Court of Human Rights ruled that the UK government’s historical mass interception program violates the rights to privacy and freedom of expression. The Court held that the program “did not contain sufficient “end-to-end” safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse.” As a result the Court ruled that UK law “did not meet the “quality of law” requirement and was therefore incapable of keeping the “interference” to what was “necessary in a democratic society”. (para 426) This finding is an important victory for human rights and the rule of law. Below, we break down the key parts of the decision.
The Court’s ruling comes after an eight-year battle against key aspects of the UK mass surveillance programs – (1) the mass interception of internet-based communications; (2) access to the intelligence gathered by other governments’ surveillance programs, including the mass surveillance programs of the U.S. National Security Agency (“NSA”) and (3) obtaining of communications data from communications service providers.
These programs were first disclosed by Edward Snowden in 2013 and subsequently challenged by Privacy International and nine other NGOs before the UK’s Investigatory Powers Tribunal. The European Court joined this case together with two separate challenges from the other groups and individuals (Big Brother Watch, Open Rights Group, English PEN and Dr Constanze Kurz, and The Bureau of Investigative Journalism and Alice Ross.)
UK mass interception violates the right to privacy
The Government Communications Headquarters (“GCHQ”), the UK signals intelligence agency, conducts mass interception of communications by tapping undersea fibre optic cables landing in the UK. The judgment found the legal regime (pursuant to section 8(4) of the Regulation of Investigatory Powers Act 2000 (“RIPA”)) governing that interception to violate the right to privacy as enshrined in Article 8 of the European Convention on Human Rights (ECHR).
The Court found three significant deficiencies in the regime: the absence of independent authorisation; the failure to include the categories of selectors in the application for a warrant; and the failure to subject selectors linked to an individual to prior internal authorisation.
Authorisation and oversight
On independent authorisation and oversight the Court noted that “that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ex post facto review.” (para 350) and
that they should “be subject to supervision by an independent authority and that supervision should be sufficiently robust to keep the “interference” to what is “necessary in a democratic society”.
Selectors
In regards to selectors, it is important to note that the UK’s geographic location makes it a natural landing hub for many of the cables that carry the world’s communications. The Snowden disclosures revealed that the UK government – often with the cooperation of telecommunications companies – has attached probes to these cables to intercept their traffic. Once intercepted, the UK government uses “selectors” and “search criteria” to filter the content and metadata it collects. Those selectors and search criteria could be as broad as:
- all traffic to and from France
- all search queries on Google
- all purchases on Amazon
- all location data, or
- a wide range of IP addresses.
Intercepted information is stored in databases, which government analysts can query, data-mine or use to call up information to examine further. This process provides the UK intelligence agencies with a vast trove of content and metadata (referred to as “communications data” in the judgment) that is capable of revealing the most intimate details of anyone who uses online communications.
In this context, the Court stated that “the independent authorising body should be informed of both the purpose of the interception and the bearers or communication routes likely to be intercepted. This would enable the independent authorising body to assess the necessity and proportionality of the bulk interception operation and also to assess whether the selection of bearers is necessary and proportionate to the purposes for which the interception is being conducted” (para 353.)
And that “the authorisation should at the very least identify the types or categories of selectors to be used” (para 354), while “enhanced safeguards should be in place when strong selectors linked to identifiable individuals are employed by the intelligence services.” (para 355)
UK mass interception violates freedom of expression
The Court extended and amplified its concerns about the UK’s mass interception program in addressing its impact on freedom of expression and in particular of journalists.
It noted that the bulk interception regime did not require “that the use of selectors or search terms known to be connected to a journalist be authorised by a judge or other independent and impartial decision-making body”. (para 456) It also found insufficient safeguards to require the indendent authorisation in order to continue to store communication when it had become apparent that it contained confidential journalistic material. (para 457)
Communications data (metadata) is as intrusive as content
The UK government’s mass interception program involves the interception of both content and metadata. In our case, we argued how the interception, storage and analysis of metadata is just as intrusive as similar interferences with communications. Metadata is the digital equivalent of having a private investigator trailing you at all times, recording where you go and with whom you speak. But in the digital realm, metadata records even more — for example, your web activity, which could reveal items purchased, news sites visited, forums joined, books read and movies watched. Each of these pieces of data gives insight into an individual. Pieced together, they can allow an intrusive and comprehensive view into a person’s private life, revealing his or her identity, relationships, interests, activities and location.
The Court agreed with us, rejecting the UK government’s claim that “the acquisition of related communications data through bulk interception is necessarily less intrusive than the acquisition of content.” The Court importantly ruled “that the interception, retention and searching of related communications data should be analysed by reference to the same safeguards as those applicable to content.” (para 363)
Because the UK government lacks safeguards on bulk interception, as noted above, the Court found the mass interception of communications data law to violate Article 8 ECHR. The Court also agreed with the Chamber’s findings that the regime for the acquisition of communications data is incompatible with their rights under Article 8 of the Convention.
Intelligence sharing constitutes an interference with the right to privacy
In addition to its direct surveillance programs, the UK government also has access to information collected by foreign intelligence agencies, including the NSA. In some cases, the UK government may have direct and unfettered access to raw data intercepted by other governments, which it can then filter, store, analyse and further disseminate. Or it might have access to information stored in databases by other governments. The Snowden disclosures revealed both the breath-taking scope of US mass surveillance programs, including a program analogous to the UK’s mass interception program, as well as the UK government’s wide-ranging access to the information gathered through those programs.
In our case, we argued that when the UK government obtains information through intelligence sharing, the interference with the right to privacy is equivalent to if it had obtained that information through its direct surveillance. We further argued that, for that reason, the Court should approach its scrutiny of intelligence sharing in the same manner as it would assess direct surveillance.
The Court agreed with us in principle, noting that “the protection afforded by the Convention would be rendered nugatory if States could circumvent their Convention obligations by requesting either the interception of communications by, or the conveyance of intercepted communications from, non-Contracting States; or even […] by obtaining such communications through direct access to those States’ databases.” (para 497)
Hence the Court rules that a request access to intercepted materials must have a basis in clear, accessible and foreseeable law, providing “adequate indication of the circumstances in which and the conditions on which the authorities are empowered to make such a request […] and effective guarantees against the use of this power to circumvent domestic law and/or the States’ obligations under the Convention.” (para 497)
Further the Court noted that the receiving state must have in place adequate safeguards for the examination, use and storage; onward transmission; and erasure and destruction of the intercepted materials (para 498) and provide for independent supervision and ex post fact review (para 499). The Court also noted that states cannot avoid applying these safeguards by arguing that they “do not always know whether material received from foreign intelligence services is the product of interception”, ruling that instead “” the same standards should apply to all material received from foreign intelligence services that could be the product of intercept.” (498)
Centrum för rättvisa judgment
On the same day, the Grand Chamber of the European Court of Human Rights ruled on another case related to bulk interception of communications. Centrum för rättvisa, a public interest law firm, alleged that the Swedish legislation permitting the bulk interception of electronic signals in Sweden for foreign intelligence purposes breached the right to privacy.
The Court reaffirmed the above principles and noted three shortcomings in the Swedish bulk interception regime:
- the absence of a clear rule on destroying intercepted material which does not contain personal data (para 342);
- the absence of a requirement in the Signals Intelligence Act or other relevant legislation that, when making a decision to transmit intelligence material to foreign partners, consideration is given to the privacy interests of individuals (paras 326-330);
- and the absence of an effective ex post facto review (paras 359-364).
Why the fight is not over
Notwithstanding the positive aspects of the judgment, there remain significant shortcomings, particularly in the way it applies the law to the specific UK surveillance programs.
First, the Court states that “Article 8 of the Convention does not prohibit the use of bulk interception to protect national security and other essential national interests against serious external threats”. (para 347)
While the Court accepts that all stages of the bulk interception process engage the right to privacy, it applies a sliding scale of safeguards noting how “the initial interception followed by the immediate discarding of parts of the communications does not constitute a particularly significant interference, the degree of interference with individuals’ Article 8 rights will increase as the bulk interception process progresses.” (para 330) While this approach might seem reasonable, it ends up allowing the inteception and storage of personal information on a mass scale, without any requirement of individualised suspicion.
In departing from the reasoning of earlier judgments where the Court identified individualised reasonable suspicion as a necessary safeguard when states conduct surveillance (Szabo & Vissy v. Hungary, Zakharov v. Russia), the Court notes that “the requirement of “reasonable suspicion”, […] is less germane in the bulk interception context, the purpose of which is in principle preventive, rather than for the investigation of a specific target and/or an identifiable criminal offence.” (para 348)
We disagree and believe that the principle of resonable suspicion needs to be upheld to prevent abuse. In this regard, we note that the United Nations High Commissioner for Human Rights, in a 2018 report on “The right to privacy in the digital age” to the Human Rights Council, stated that “[w]hile some States claim that… indiscriminate mass surveillance is necessary to protect national security, this practice is ‘not permissible under international human rights law, as an individualized necessity and proportionality analysis would not be possible in the context of such measures’”.
Second, the judgment accepts without too strong questioning the need of secrecy that governments claim as necessary to preserve their capacity to carry out intelligence activities. In particular the Court notes “that the Governments of both the United Kingdom and the Netherlands have submitted that any requirement to explain or substantiate selectors or search criteria in the authorisation would seriously restrict the effectiveness of bulk interception”. (para 353)
The risk of allowing such level of secrecy is noted in the concurrent opinion, which stated “if an intelligence service or other authority is not able to articulate such reasons [to examine communications and related metadata] and demonstrate them before an independent institution, this should simply mean that it ought not to have any access to such communications.
Even more so given the increasing blurring of the boundaries between intelligence and law enforcement activities. Again the concurring opinion of judges Lemmens, Vehabović and Bošnjak clearly frames it: “It appears that on the basis of the information thus obtained, law enforcement agencies could act, for example, by proceeding to conduct investigative measures or even arrests, this in turn producing evidence for the purpose of prosecution. It is likely that in a not so distant future, by exploring this particular ground, crime investigation might move from targeted surveillance to bulk interception of data.”
Thirdly, the Court finds the UK intelligence sharing regime compliant with the right to privacy and its own applicable test (described in paras 495 to 499, mentioned above). In particular, the Court finds that “the regime for requesting and receiving intelligence from non-Contracting States had a clear basis in domestic law”. (para 501) But in doing so, the Court relies heavily on a ‘note’ disclosed during our domestic proceedings. That note consisted of 2 pages, with no heading, and just a few paragraphs of text. It was unclear who drafted or adopted the note (and under what legal authority) or who had the power to amend it. It was further unclear whether the note represented an actual policy, part of a policy, a summary of a policy, or a summary of submissions made by the UK government to the Tribunal in a closed hearing. Although that note was substantially reproduced in the Interception of Communications Code of Practice, its substance also remains inadequate. For example, the Code of Practice speaks of the UK government making a “request” for “unanalysed intercepted communications content (and secondary data).” However, it fails to address other ways that the UK government may access data through its intelligence sharing arrangements, including direct and unfettered access to raw data intercepted in bulk or databases of material collected in bulk by foreign authorities.
The Court’s findings on intelligence sharing get both the facts and law wrong. It ignores the reality of modern intelligence sharing, which does not involve antiquated notions of agencies “requesting” dossiers from other agencies, but rather unregulated access to enormous troves of data collected and stored in databases.
It is also baffling how the Grand Chamber did not find the UK intelligence sharing regime in violation of Article 8 despite noting that “the domestic legislation followed, with respect to such requests for intelligence sharing, the same approach as in bulk interception” (para 506), an approach the same judgment has found to be in violation of Article 8 just a few paragraphs earlier.
Conclusion
The 25 May 2021 judgment against the UK constitutes a change in the Court’s jurisprudence, as it adapts its approach (known as the Weber test) on targeted surveillance to take into account the specific features of a bulk interception regime.
The Court it recognised that “there is of course considerable potential for bulk interception to be abused in a manner adversely affecting the right of individuals to respect for private life” (para 447) and this should guide its future jurisprudence to ensure that enhanced protections are in place to safeguards our fundamental freedoms in a democratic society.
While today’s judgments are targeted to the UK and Sweden, they also provide interpretation of the European Convention on Human Rights for the 47 member States of the Council of Europe (CoE), all of which are parties to the Convention. We expect those countries to review their surveillance laws and practices in light of these judgments and bring them to line with the Court’s jurisprudence.
In the meantime, we will continue to fight against the use of mass surveillance by the UK and other governments around the world.