Much Ado About Mass Surveillance – the ECtHR Grand Chamber ‘Opens the Gates of an Electronic “Big Brother” in Europe’ in Big Brother Watch v UK

By Dr Eliza Watt, researcher in cyber law, lecturer in law, Middlesex University, London, UK.

On 25 May 2021 the Grand Chamber (GC) of the European Court of Human Rights (ECtHR, the Court) handed down its much-anticipated decision in Big Brother Watch and Others v the UK (Big Brother Watch). The case is of vital importance for the future of the Council of Europe (CoE) member states increasingly relying on mass surveillance regimes because it condones their overall utility as a means of fighting serious cross-border crime and terrorism. It also lays down for the first time new procedural safeguards that all CoE domestic surveillance legislation must adhere to henceforth.

Ostensibly a victory for privacy advocates, the judgment represents a salient high water mark in achieving almost exactly the opposite. This is because it acquiesces not only to the European governments’ quest for greater securitisation, but also cements divergent levels of protection from unwarranted state intrusion based on whether the intercepted material is domestic or foreign in nature, thereby setting out separate standards for targeted and bulk interception of communications. In its earlier case-law on bulk interception of communications when considering the legality of domestic surveillance measures in Roman Zakharov v Russia and Szabó and Vissy v Hungary,  the ECtHR not only challenged their compatibility with Convention rights, but also set out a stringent requirement for the existence of ‘reasonable suspicion’ against a citizen before the surveillance can be authorised. Conversely, in its 2018 Centrum för rättvisa v Sweden (Centrum) and Big Brother Watch Chamber judgements the Court embraced the utility of bulk interception of foreign communications (or strategic surveillance) proclaiming that it constitutes ‘a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime’ (para 386 Big Brother Watch 2018).

The purpose of this post is to discuss how the Grand Chamber’s Big Brother Watch findings impact privacy rights and in what way they contribute to the bifurcation of legal standards between domestic and foreign surveillance. To this end, it first briefly outlines the previous ECtHR stance on states’ strategic surveillance as set out in its earlier case law. It then offers a quick reminder of the 2018 Big Brother Watch and Centrum judgements to finally highlight a number of crucial aspects of the GC’s appeal in the former case.

ECtHR Approach to Bulk Interception Regimes – A Thumbnail Sketch

The issue of the compatibility of states’ bulk interception of foreign communications with their obligation to respect individuals right to privacy stipulated in Article 8 ECHR is nothing new. The Strasbourg Court embraced this method of states’ intelligence gathering in the mid-2000s when it delivered its decisions in Weber and Saravia v Germany and Liberty and Others v the UK. At that time these techniques seem not to have attracted as much controversy from the public at large as those revealed by Edward Snowden in 2013 relating to the ‘mass surveillance’ practices of the Five Eyes alliance. The use of mass surveillance programs and the bulk interception of electronic signals in Sweden for foreign intelligence purposes were subsequently scrutinized in Big Brother Watch and Centrum respectively.

Vitally, what these cases have in common is the ECtHR underscoring that national authorities enjoy a wide margin of appreciation in choosing how best to achieve the legitimate aim of protecting national security and therefore may in principle engage in strategic surveillance of foreign communications. The Court’s acceptance of this practice dates back to Weber and Liberty. These judgements represent an important landmark as it is then that the ECtHR, in principle, accepted that bulk interception of foreign communications does not per se fall outside states’ margin of discretion. Consequently, states may lawfully engage in these activities, provided that the methods of doing so adhere to the six procedural standards set out in Weber (‘Weber minimum safeguards’). According to those safeguards, the domestic law authorising surveillance must specify: (1) the nature of the offences, which may give rise to an interception order; (2) a definition of the categories of people liable to have their telephone tapped; (3) a limit on the duration of the telephone tapping; (4) the procedure to be followed for examining, using and storing the data obtained; (5) the precautions to be taken when communicating the data to other parties; and (6) the circumstances in which recordings may or must be erased, or the tapes destroyed (para 95). Thus, crucially, already in the mid-2000s the ECtHR endorsed such intelligence gathering as an effective method in the quest to fight international terrorism and serious crime.

This policy stance was subsequently applied in Centrum, where the ECtHR assessed the compatibility of Sweden’s bulk interception regime with Article 8 requirements. The Court confirmed that bulk interception of foreign communications helps to identify unknown threats to national security and thus falls within states’ wide margin of appreciation (para 112), rationalising their use on the basis of ‘the present-day threats being posed by global terrorism and serious cross border crime as well as the increased sophistication of communications technology’ (para 179).  Arguably, the case served as a prelude to the eagerly awaited Big Brother Watch decision of the same year, as it gave an indication of the Chamber’s pursuit of the judicial line of thinking encapsulated in both Weber and Liberty.

Conversely, only a few years earlier, the ECtHR had taken a much more robust stance in relation to domestic surveillance, resulting in the Court’s condemnation of mass interception regimes in both Zakharov and Szabó decisions. The former case concerned Russia’s legal framework granting sweeping surveillance powers to the intelligence and law enforcement agencies, permitting blanket interception of all mobile phone communications. The Grand Chamber found a violation of Article 8 in that the legislation in question directly affected all users of the mobile telephone services in that country, while Russian law did not provide effective remedies to those who suspected that they were subject to secret surveillance (para 189). Likewise, in the latter law suit, the Court held that the Hungarian surveillance regime breached Article 8 rights as it afforded almost unlimited secret surveillance powers to the police and anti-terrorist organisations and the government had not proved the practical effectiveness of any supervision arrangements (para 89).

Chamber Judgment

The GC’s judgment is a result of the earlier 2018 ECtHR Chamber’s decision. The case was brought before the Court by 16 organizations and individuals, including the UK NGO Big Brother Watch, against the UK government. The allegations pertained to, inter alia, the breach of the right to privacy (Article 8), together with violations of freedom of expression (Article 10) and arose partly as a result of the 2013 Edward Snowden revelations. His disclosures related to, among others, the UK Government Communications Headquarters (GCHQ) and the US National Security Agency (NSA) bulk interception of communications through the use of Tempora, PRISM and Upstream programs. The complaint against the UK government focused on three main issues under the now largely defunct Regulation of Investigatory Powers Act 2000 (RIPA) (subsequently replaced by the Investigatory Powers Act 2016) regulating the interception of communications, namely (1) the bulk interception of communications pursuant to section 8(4); (2) the obtaining of communications data from communication service providers (CSPs) under Chapter II; and (3) intelligence-sharing arrangements. The Chamber found breach of Article 8 rights in relation to grounds (1) and (2), but considered the intelligence-sharing agreements with foreign governments or intelligence agencies to be Convention compliant.

A useful overview of the Chamber’s Big Brother Watch v the UK judgment can be found here. For the purposes of this post, two important points of that decision warrant highlighting.

First, the Chamber found that the operation of bulk surveillance programs constitutes an interference, but does not per se amount to a violation of Article 8, as ‘the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security is one which continues to fall within States’ margin of appreciation’ (para 314). It also asserted  that ‘it is clear that bulk interception is a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime’ (para 386). However, a breach of Article 8 may be found on the basis of the manner of their operation-that is if the techniques used by the intercepting authorities do not adhere to the proscribed safeguards and adequate oversight mechanisms are lacking.

The judgment made it clear that in so far as the conducting of bulk interception of foreign communications is concerned, the ECtHR will pursue its earlier approach laid down in Weber and Liberty in that it does not concern itself with their legality vis-à-vis states’ obligations under Article 8, but rather with whether the manner of their operation meets the necessary standards.

Second, the applicants contended that the requirement of ‘reasonable suspicion’ introduced in Zakharov should equally be applicable to bulk systems. This claim was rejected as the Court reasoned that  ‘bulk interception is by definition untargeted and to require “reasonable suspicion” would render the operation of such a scheme impossible’ (para 317).

Thus, before the GC’s Big Brother Watch judgment, mass surveillance of foreign communications was recognised as an indispensable tool for states to safeguard national security when undertaken in accordance with the adequate safeguards and oversight mechanisms. The question on the lips of civil society, pro-privacy advocates and academics was whether the Grand Chamber would continue to apply this approach or would make a ‘U turn’ thus aligning its way of thinking with that applied in Zakharov/Szabó cases on domestic surveillance, thereby adopting a higher level of protection in relation to bulk acquisition of foreign communications.

Big Brother Watch Grand Chamber Judgment

To the ardent observers of the ECtHR’s jurisprudential machinations since the Snowden disclosures, it perhaps comes as no surprise that the Grand Chamber largely affirmed the prior judgment handed down by the Court’s First Section. Underpinned by the rhetoric of threats posed by global terrorism and cross-border crime, previously propounded by the Chamber in that case, the GC confirmed that operating a bulk interception regime does not in and of itself violate the Convention, thus entrenching its conviction as to the utility of mass acquisition of foreign communications (para 323). To this end, the Court reiterated that bulk interception is of vital importance to states in identifying threats to national security as recognised by the Venice Commission. The GC confirmed that national authorities enjoy a ‘wide margin of appreciation in choosing how best to achieve the legitimate aim of protecting national security’ (para 228). Consequently, the decision to operate a bulk interception regime does not of itself violate Article 8 rights.

What is, however, novel in this judgement is the Court’s setting out new fundamental safeguards to minimise the risk of the bulk interception powers being abused, which it referred to as the ‘cornerstone of any Article 8 compliant bulk interception regime’ (para 350). In doing so, the Court made a clear distinction between targeted and bulk interception, emphasising that the latter is generally directed at international communications, with the purpose of gathering of foreign intelligence, the early detection and investigation of cyberattacks, counterespionage and counter-terrorism (para 345). The Court then outlined the approach that must be followed in bulk interception cases, having as its departure point the six minimum safeguards set out in Weber and proceeding to tailor these criteria to fit bulk methods of intelligence collection (paras 348-364). It held that the first two requirements (that domestic law must clearly identify the nature of the offences, which may give rise to an interception order, and the categories of people liable to have their communications intercepted) are not ‘readily applicable to a bulk interception regime’ (para 348).

The GC yet again rejected the requirement of ‘reasonable suspicion’ as unsuitable in the context of bulk interception, since its purpose is ‘in principle preventative, rather than for the investigation of a specific target and/or an identifiable criminal offence’ (para 348). Having said that, the Court did recognise that domestic law must nevertheless contain detailed rules, including the grounds upon which bulk interception might be authorised and the circumstances in which an individual’s communications may be intercepted (para 348).

The remaining four Weber safeguards (i.e. the limits on the interception’s duration; the procedures to be followed for examining, using and storing the data; the precautions for communicating the data to other parties; and the circumstances when the obtained material must be erased or destroyed), the Court held as equally applicable to bulk interception. By adopting this new approach, the GC seems not only to confirm the establishment of two separate sets of procedural standards based on whether the surveillance is domestic or foreign in nature, but also begins to delineate new key criteria that must be clearly set out in domestic law. Of particular note here is the Court’s recognition of different stages of the interception process, namely (1) the interception and initial retention of communications and metadata; (2) the application of specific selectors to the retained data; (3) the examination of selected communications by analysts; and (4) the subsequent retention of data and use of the ‘final product’, including the sharing of data with third parties (para 325). Each of these interception stages, the Court held, must be subject to ‘end-to-end safeguards’, which means that

‘at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ex post facto review’

(para 350)

The GC declined however, to require judicial authorisation, noting that it is sufficient that bulk interception be authorised by an ‘independent body ‘, that is, a body that is independent of the executive (para 351). Crucially, to assess whether the bulk interception regimes fall within states’ margin of appreciation,  the Court laid down eight new and ‘wider range of criteria than the six Weber standards’ to examine the domestic legal frameworks’ compliance with the Convention, namely (1) the grounds on which bulk interception may be authorised; (2) the circumstances in which an individual’s communications may be intercepted; (3) the procedures to be followed for granting authorisation; (4) the procedures to be followed for selecting, examining and using intercepted material; (5) the precautions to be taken when communicating the material to other parties; (6) the limits on the duration of the interception, the storage of the intercept material and the circumstances in which such material must be erased or destroyed; (7) the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance; and (8) the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance (para 361).

The upshot of the Grand Chamber judgment is that it unanimously upheld the earlier findings of the breach of Article 8 rights in respect to bulk interception and the obtaining of data from CSPs.  Likewise, in line with the earlier decision, the ECtHR found (by 12 votes to 5) that there had been no violation of privacy rights in respect to the UK intelligence-sharing arrangements.

Comments

 Although the GC unanimously held that there had been a violation of Article 8 in relation to the UK’s bulk interception practices under section 8(4) and the obtaining of metadata under Chapter II of the RIPA, the decision is disconcerting. The main and poignant criticism of the judgement was made in the partly dissenting opinion by Judge Pinto De Albuquerque, observing that it ‘fundamentally alters the existing balance in Europe between the right to respect for private life and public security interests, in that it admits non-targeted surveillance’ (para 59). As Marco Milanovic pointed out, the judgment represents a definitive normalisation of mass surveillance for decades to come.

My recently published book discusses the issues of state-sponsored mass surveillance and queries inter alia,  whether the obvious hostility to it from the UN human rights bodies and mandate holders, together with the pro-privacy stance of the Court of Justice of the European Union (CJEU) can be reconciled with the ECtHR condoning the utility of such systems. The UN Human Rights Committee on numerous occasions commented on the states’ running of mass surveillance programs and the impact this has on an individual’s right to privacy often emphasising the highly intrusive nature of these practices. Similarly, in the 2014 report ‘The Right to Privacy in the Digital Age’, the Office of the High Commissioner for Human Rights warned that, globally, ‘mass surveillance [is] emerging as a dangerous habit rather than an exceptional measure’ and made it clear that ‘the existence of mass surveillance programs […] creates an interference with privacy’ and that ‘the onus would be on the State to demonstrate that such interference is neither arbitrary nor unlawful’ (para 20). Referencing the CJEU landmark decision in Digital Rights Ireland v Minister for Communications, the report emphasised the dangers of unrestricted retention of metadata as this ‘may give an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by assessing the content of private communications’ (para 20). Until its recent 2020 judgement in the four joint cases of La Quadrature du Net and Privacy International  (La Quadrature du Net), the CJEU took a robust and antagonistic stance towards blanket data retention and data sharing arrangements with third countries, which lacked the necessary privacy safeguards. A case in point is the CJEU Schrems II judgement, which invalidated the data transfers of EU citizens to the US on the basis  of the Privacy Shield agreement for violating Article 7 and Article 8 rights under the EU Charter of Fundamental Rights (EU Charter). The Luxembourg Court examined the use of US surveillance programs, including PRISM and Upstream and held that the US surveillance powers do not meet the requirements set out in Article 52(1) of the EU Charter, including that of proportionality. This privacy-friendly stance may however be changing following the CJEU decision in the four joint cases of La Quadrature du Net. Here the Court ruled that EU law precludes national legislation from requiring CSPs to carry out the general and indiscriminate transmission or retention of traffic or location data. Where an EU member state is facing a serious threat to national security that is genuine and present, or foreseeable, that state may derogate from the obligation to ensure the confidentiality of communications data by requiring through legislation its general and indiscriminate retention for a period that is strictly limited and necessary, which may be extended if the threat persists. Thus, although the UN human rights apparatus continues to regard mass surveillance as inherently disproportionate, the CJEU, by acquiescing to the possibility of EU states adopting in certain circumstances indiscriminate data retention legislation, has seemingly legitimised such measures and, at least for the time being, aligned itself closer with the ECtHR’s approach to mass surveillance.  

Of equal importance is the issue of rationalising the GC Big Brother Watch judgment with Article 26 of the International Covenant on Civil and Political Rights  (ICCPR), laying down the principle of non-discrimination and equality of treatment, together with some domestic courts’ recognition that foreigners subject to extraterritorial surveillance deserve the same privacy protection as the nationals of the intercepting state (such as this decision by the German Federal Constitutional Court). Fundamentally, in the Big Brother Watch, the GC has from now on entrenched two different sets of procedural standards on surveillance relying on nationality/territoriality distinction. This is difficult to reconcile with the universalist approach to human rights protection adopted by the UN human rights treaty bodies. In proclaiming that ‘Article 8 ECHR does not prohibit the use of bulk interception to protect national security and other essential national interests against serious external threats’ (para 347), the ECtHR contributed to an already existing uncertainty as to how exactly international law, including human rights protection applies to low-level cyber activities, including mass cyber-surveillance. As it is doubtful that online privacy has become a customary international law rule, the obvious problem is what legal recourse would individuals have bearing in mind that, first, not all states are parties to international treaties protecting this right and, second, that one of the most technologically advanced states, the US, does not regard itself as being bound by the obligations set out under the ICCPR in relation to acts conducted outside of its territory. Despite the problem the extraterritorial application of human rights treaties creates in the context of cyber-surveillance, this has not been addressed by the Strasbourg Court in either the 2018 Chamber’s or the 2021 Grand Chamber’s Big Brother Watch judgements, leaving the issue unaddressed and unresolved.

Needless to say, the ECtHR sowed the seeds of bulk interception of communications in the mid-2000s, which seemed to have ‘flown under the radar’ of the general public. Big Brother Watch reiterates and elaborates on this policy line, which will most likely be the guiding precedent for the ECtHR when confronted with the pending mass surveillance cases.

Conclusion

The GC Big Brother Watch judgment aligns with the judicial thinking ever since the Weber/Liberty decisions on foreign surveillance, but recognises that both these cases are now more than ten years old and therefore the rules they have established must be adjusted in view of the new methods of communications and technological developments. Three key points are of note. First, the ECtHR upheld mass interception and collection of foreign communications as a legitimate state practice. Second, the Court confirmed two separate sets of rules for targeted and bulk surveillance and set out a new conceptual framework comprising of eight criteria for assessing the compatibility of the bulk regimes with Article 8 rights. Third, in the words of Judge Pinto De Albuquerque, the GC judgement  ‘has just opened the gates for an electronic “Big Brother” in Europe’. The outcome of the case is nevertheless hardly surprising when viewed in the broader context of almost pan-European pro-surveillance domestic policies, yet it is highly disappointing to the proponents of civil liberties. Above all, the European Court of Human Rights has re-affirmed that bulk surveillance is here to stay.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s