By Plixavra Vogiatzoglou, Legal Researcher, KU Leuven Centre for IT and IP Law (CiTiP)
On 19th June 2018, the Third Section of the Court, in its judgment in the case Centrum för Rättvisa v. Sweden, ruled that the bulk interception of communications scheme of the Foreign Intelligence of Sweden meets the Convention standards. This ruling follows verbatim the line of argumentation from previous case law on secret mass surveillance, thus reaffirming once more a high threshold for the protection of the right to private and family life.
The latest judgment by the European Court of Human Rights (hereinafter the Court) on secret mass surveillance sets yet again a high threshold for the protection of the fundamental right to respect for private life. It also delineates the margin of discretion that Contracting States enjoy in matters of national security and according practices of foreign intelligence. More specifically, a Swedish human rights not-for-profit organisation, Centrum för Rättvisa, challenged the legal framework for signals intelligence in Sweden before the Court, claiming that there was a risk that its communications had been intercepted. In particular, it was the signal intelligence practice of the Swedish Foreign Intelligence that was put under the microscope of the Court, which provided for a very thorough, step-by-step analysis of the framework in place.
Signals intelligence is the practice of intercepting, processing, analysing and reporting intelligence from electronic signals. It should be noted that the information that is intercepted concerns all communication data that run through electronic signals and, thus, both the content data and the metadata, that is, for instance, when and where the communication took place. Signals intelligence is one form of gathering foreign intelligence. According to the Swedish Foreign Intelligence Act, it may only be carried out in relation to foreign circumstances for purposes revolving around matters of national security. Activities pursuing purposes of solving tasks in the area of law enforcement or crime prevention do not benefit from this framework. Furthermore, it only concerns signals crossing the Swedish border and, thus, communications between a sender and receiver within Sweden may not be intercepted. The interception takes place in an automated manner, through the use of pre-defined search terms. Finally, this practice is conducted only as a result of a detailed order (‘tasking directive’) that is issued by one of the specified Governmental Authorities and that determines the purpose and direction of the intelligence activity.
The applicant was afforded the victim status with the right to challenge the law in question in abstracto, since it was practically not possible to know whether it had been, in fact, victim of this law and relevant domestic remedies were not in place. In assessing the interference of the Swedish Foreign Intelligence Act to the fundamental right to private and family life, the Court based its argumentation on the general principles of foreseeability and proportionality, i.e. whether the interference was in accordance with the law and necessary in a democratic society’, as they were moulded in its 2015 Zakharov ruling, and later reaffirmed in Szabó. These principles are also widely aligned with the European Union case law, in casu the Digital Rights Ireland and Tele2 Sverige/Watson rulings. In concreto, the Court based its assessment of the following factors, in order to determine whether the Swedish law met the highly protective threshold:
- Accessibility of the law providing for secret surveillance measure
- Clear scope of application of the secret surveillance measure, in terms of nature of offences and purposes for which it may be used
- Clear indication of duration of the secret surveillance measure
- Prior authorisation of the secret surveillance measure, preferably by a judicial authority but, in any case, by an independent and impartial authority
- Procedures regarding storing, accessing, examining, using and destroying the intercepted data, which must be adequate, relevant and limited to the pre-defined purpose
- Conditions for communicating the intercepted data to other parties, e.g. international authorities or partners, under which the potential for abuse must be taken into account
- Supervision of the implementation of the secret surveillance measure by an independent supervisory body with sufficient powers, competence, access and effective and continuous control
- Obligation of notification of the secret surveillance measure to the persons concerned plus existence of available remedies: those two factors are inextricably linked in the sense that if obligation of secrecy in order to protect the mission renders the obligation of notification null, it is imperative that individuals always have the opportunity to seek for remedies.
The Court, despite finding that the law was lacking in some of the aforementioned areas, namely the communication to other parties and the notification and remedy system, stated in a unanimous decision that overall the Swedish Foreign Intelligence framework for signals intelligence was in compliance with these principles and hence was not to be considered in violation of article 8 of the Convention.
The safeguards against abuse
At first glance, this decision seems to merely reaffirm what had already been ‘well established’ in the legal order of Europe, regarding the practices of mass surveillance through the bulk collection of personal data. As discussed in this CiTiP blogpost, the two highest supranational Courts of Europe, through a series of recent rulings on mass surveillance, have adopted an aligned stand, with references from the one to the other, in interpreting strictly the lawful limitations of the fundamental rights to privacy and to data protection. In casu, the Court refers to its Zakharov ruling every step of the way, often repeating verbatim its argumentation. Nonetheless, a few points deserve to be specifically mentioned.
On a theoretical level, it is interesting to note the way the traditional ‘three-step-test’, i.e. the assessment of whether an interference to fundamental rights is ‘in accordance with the law’, ‘necessary in a democratic society’ and ‘in pursuit of a legitimate aim’, is being formulated. More specifically, in cases of secret mass surveillance, this test is progressively becoming the ‘minimum-safeguards-against-abuse’ test. It is always clear and unquestionable that laws pursuing the interest of national security through the means of surveillance, despite being in bulk and secret, fulfil the third condition (legitimate aim). Therefore, the Court focuses its analysis on the other two conditions, in an often fused manner. In other words, after having discussed separately the general principles of quality of law, foreseeability and proportionality, the Court applies these principles through the means of ‘six minimum safeguards that surveillance regimes must incorporate in order to be sufficiently foreseeable to minimise the risk of abuses of power’ (though in fact they are eight rather than six as demonstrated above). It is noteworthy at this point to remark that, in this recent series of mass surveillance case law, the Swedish Foreign Intelligence framework is the first to pass this test.
In particular, the Court found that the majority of the safeguards were implemented within the signals intelligence framework, and used that argument to reach the conclusion that overall the Swedish law is compliant. In this way, the fact that there is no consideration of potential abuse or possible harm to the individual when communicating the signals intelligence to third parties is overlooked due to there being a strong cluster of supervision over the implementation of the Foreign Intelligence Act. However, supervision only concerns the internal practices, while abuse by third parties remains uncovered. Moreover, the system for notification and effective remedies is equally problematic. It is acknowledged that in practice ‘a notification has never been made due to secrecy’, while there is also no way for an individual to actually be informed on whether their data have been intercepted. The Court finds that the existence of general remedies to assess the lawfulness of measures in a generalized manner suffices, especially in light of the aforementioned supervisory powers. This implies however that only individuals who are actually aware of such practices and want to challenge them, will in practice be able to seek some form of remedy.
Furthermore, while it is true that supervision takes place in multiple layers, the question arises whether some of these safeguards have greater value than others. Nonetheless, it should be noted that the supervision in question includes a Privacy Protection Council within the Swedish authority conducting the signals intelligence, while the Swedish Data Protection Authority has also been involved, by publishing reports that have been given serious consideration by the former authority. Therefore, it is indeed demonstrated that considerations of privacy and data protection are strongly and practically taken into account, a fact that widely justifies the Court’s standpoint.
Finally, it is also interesting to note that, even though the Court finds the requirement of prior authorisation on the whole to provide for sufficient guarantees, it does not address the argument of the applicant, which refers to a lack of independence of the judicial authority from the Government. Instead, the Court discusses on the lack of transparency and how it is justified as well as compensated by other measures. Be that as it may, the Swedish framework provides for judicial prior authorisation or, in urgent situations, ex post judicial oversight, which is already a higher control than what the Court is usually satisfied with.
Mass surveillance in the context of intelligence services
Another point to be made is that the mass surveillance practice in question does not concern daily law enforcement activities or, even more so, any type of preventive policing method, as for example did the relevant PNR case. Instead, it is restricted in scope, to the area of national security. However, it’s precisely this element that makes this case even more interesting, especially taking into account current developments. In particular, it is pleasantly surprising that the Court provides for the exact same reasoning and standards for measures of national security and foreign intelligence, an area where states enjoy the widest margin of appreciation, as it did so for measures of regular law enforcement activities and criminal proceedings. Of course, the European Court of Human Rights is not bound by the same lack of competence with regard to matters of national security as the European Union. More specifically, according to article 4 of the Treaty on European Union, ‘national security remains the sole responsibility of each Member State’. Nonetheless, with a pending case regarding the UK bulk data collection by intelligence services under the scrutiny of the Court of Justice of the European Union, it is noteworthy that the European Court of Human Rights took the step towards the application of the same criteria for both law enforcement and intelligence services in an indiscriminate manner. While it might take a long time, especially as this proceeding takes place in the midst of the Brexit process, before we are given the opportunity to read the ruling by the CJEU, or even the according Opinion of the Advocate General, it will be legally and politically interesting to see whether the CJEU will react in the same or similar manner as the Court did.