March 02, 2022
By Diana Dimitrova
In the past years, the European Court of Human Rights (the Court) has been asked numerous times to examine different aspects of the Council of Europe’s Member States’ (secret) surveillance regimes, ranging from (mass) secret surveillance against their own residents to bulk surveillance or interception of electronic communications coming from abroad. Rulings such as Zakharov, Vissy and Szabo, Centrum för rättvisa (CFR) and Big Brother Watch (BBW) were eagerly awaited and triggered a lot of discussions. It seems to me that this has so far not been the case with a recent ruling concerning Bulgaria. On 11 January 2022, in Ekimdzhiev and Others v. Bulgaria, the Court ruled on the compatibility of two sets of domestic surveillance rules in Bulgaria with the right to private life as anchored in Article 8 of the European Convention on Human Rights (ECHR), namely: (a) the secret surveillance law and (b) electronic communications data retention by service providers and access thereto by law enforcement authorities (LEAs).
The applicants – two Bulgarian lawyers and two non-governmental organisations (NGOs) – claimed that their electronic communications could be abusively accessed by the LEAs on the basis of the above-mentioned surveillance rules in violation of their right to private life (Article 8 ECHR) and that they did not have effective remedies against the measures (Article 13 ECHR). The Court examined the two sets of complaints solely under Article 8 ECHR, as it did not consider it necessary to examine the question on effective remedies separately (§§ 247 and 361, with reference to Zakharov, § 307).
More precisely, the Court examined two aspects: (a) the domestic rules and practice on secret surveillance applicable at the time of the examination as updated following its 2007 ruling in Association for European Integration and Human Rights [AEIHR] and Ekimdzhiev v. Bulgaria (back then, the Court found that the contested Bulgarian legal framework on secret surveillance had violated Articles 8 and 13 ECHR), and (b) the domestic rules and practice on electronic communications data retention and LEA access thereto, which originally had transposed the EU Data Retention Directive. (The said Directive was abolished by the Court of Justice of the EU (CJEU) in 2014 and, consequently, the Bulgarian law was amended, also following the Bulgarian Constitutional Court judgments on these domestic rules in 2015 and 2020 (§§ 151-159)).
In terms of admissibility and the applicants’ victim status, the Court followed its established case law, e.g. Zakharov and CFR. It found that the applicants’ private lives have been interfered with because of the mere existence of these two sets of surveillance laws and practices. This is so because of the scope of the surveillance laws and the fact that they do not contain remedies to prevent everyone’s data from potentially being (abusively) accessed by the LEAs and intelligence authorities, and because the remedies are not always available to legal persons (§§ 276-7 and 383-4).
The Court examined separately the compatibility with Article 8 ECHR of the two aspects, namely: (a) the secret surveillance rules and practices, and (b) the rules and practices on the retention of electronic communications data by the communications providers and their subsequent access and further processing by the LEAs. It used one and the same test for both aspects, though: whether these rules ‘contain effective guarantees – especially review and oversight arrangements – which protect against the inherent risk of abuse’ and are ‘”necessary in a democratic society”’. Furthermore, it examined not only the applicable laws, but also two practical factors: the ‘actual operation’ of the surveillance measures and ‘the existence or absence of evidence of actual abuse.’ The Court presented these ‘principles’ as having been selected as most relevant amongst the different ‘principles’ developed in the Zakharov, CFR and BBW judgments (§§ 291-3 and 395).
More precisely, the guarantees and principles the Court focused on are: (1) accessibility of the law; (2) grounds for allowing secret surveillance measures and access to electronic communications data by the LEAs, as well as their personal scope; (3) duration of the surveillance measures and the rules on data processing by the LEAs (e.g. access in the case of electronic communications); (4) authorisation process; (5) oversight mechanism; (6) notification of the affected individuals; and (7) available remedies.
In both aspects, the Court found unanimously that the rules and practices do not fulfil the quality-of-the-law requirement, i.e. they do not ensure that secret surveillance and the rules on processing of electronic communications data for law enforcement purposes are restricted to what is ‘necessary in a democratic society’, in violation of Article 8 ECHR (§§ 358-9 and 420-1).
It is important to point out at the start that the Court noted that the Bulgarian legal framework on secret surveillance was framed by the legislator as a regime of ‘targeted’ surveillance, and not as a ‘bulk one’ (§ 303). In its examination, the Court paid attention, inter alia, as to whether the rules and actual practice indeed make sure that it allows only targeted surveillance.
What did the Court find about the compatibility of the Bulgarian secret surveillance measures with the above-mentioned seven guarantees and principles? With regard to accessibility (1), the Court ruled that whereas the laws were clear and accessible, the internal rules on the storage and destruction of the data obtained by means of secret surveillance were not publicly available (§ 296).
As concerns the legal grounds for secret surveillance (2), the Court noted that the law lacks clarity on the definition of ‘objects’ that could be subject to surveillance. Furthermore, this vagueness could lead to a broad interpretation of an ‘object’ that could be subject to surveillance, e.g. a whole police database. The Court noted that this vagueness could have been the reason why in practice a judge authorised the surveillance of a whole automated police information system (§ 303).
With regard to the duration of the surveillance measures and data processing (3), the Court noted that the initial period for authorising surveillance measures on national security grounds, a notion which was not clearly defined in law, could be up to 24 months (§ 305). In addition, the data protection rules on the processing of the data obtained via secret surveillance measures until their ultimate destruction were not clearly regulated, especially when it comes to evidentiary materials (§§ 326-332). Furthermore, the rules offered no protection for the client-lawyer communication, which is normally subject to strict confidentiality (§ 333).
Concerning the authorisation process (4), the main problem was, as evidenced by practice, that ‘no proper reasons have been given for the decisions to issue the vast majority of all surveillance warrants issued in Bulgaria in the past decade’, as visible from the ‘”blanket and generalised” reasons’ given in the authorisation decisions (§§ 311-313). The Court identified three related deficiencies in the authorisation process: (i) the lack of sufficient resources given to the authorising judges, (ii) the high percentage of authorisations and (iii) the requirement that a judge needs to examine only whether the formal requirements have been complied with, ‘without engaging with the materials in support of the application’ (§ 317). The Court also noted that there has been practical evidence of ‘unjustified surveillance’, referring to the criminal conviction of an authorising judge for the unlawful authorisations she had issued and the recent revelations that surveillance warrants might have been illegally issued in relation to the participants in anti-government protests in 2020 (§§ 318-320).
The Court also established deficiencies with regard to the oversight mechanism (5). In Bulgaria, oversight is vested in three authorities: the judge who issued the surveillance warrant, the National Bureau for Control of Special Means of Surveillance (National Bureau) and an ad hoc parliamentary committee. However, the judges have no power to order remedial measures outside the pending criminal proceedings; they have no inspection power in relation to the surveillance technologies and suffer from a heavy workload. The National Bureau and parliamentary committee also do not have any remedial powers and the parliamentary committee may not carry out inspections. Furthermore, the National Bureau is not independent enough as its officials do not have a legal background, they often come from the surveillance authorities, where they return after their mandate at the National Bureau, and they are dependent for their security clearance on the same institutions that they are supposed to supervise. In addition, when performing inspections, it does not have ‘unfettered access to all relevant materials’ it needs (§ 343). The Court also noticed that the personal data processing falling within the scope of Directive 2016/680 (Law Enforcement Directive, LED) is also subject to independent supervision by the Commission for Personal Data Protection (CPDP) and the Supreme Judicial Council. However, no information was presented to demonstrate that these are able to and have practically participated in the supervision of the secret surveillance measures (§ 346).
On the issue of notification of the concerned individuals (6), the Bulgarian law provides for such notifications only if the surveillance has been established to be unlawful. Repeating its established case law, e.g. Zakharov, the Court recalled that such notifications should be provided in all cases where the notification will not jeopardize an ongoing investigation and where the notification is a prerequisite for requesting remedies. This is the case in Bulgaria, where notification is necessary in order to file claims for damages. The Court noted that in practice a very small number of actual notifications have been provided, that the notification requirement does not apply to legal persons, and that the provisions of the LED on information and the right of access have not been used as a transparency tool (§ 350).
As to the question of remedies (7), the Bulgarian law does offer opportunities for claims for damages. However, the overall system does not provide effective remedies for three main reasons. First, because of the requirement for prior notification, as mentioned above. Second, the necessity for individual surveillance measures is not always examined by the courts. Third, the remedies are not open to legal persons. Also, as noted above, the oversight authorities may not order remedial measures, such as the destruction of the data (§§ 352-355).
All the above contributed to the Court’s finding of a violation of Article 8 ECHR.
What did the Court find about the compatibility of the rules on electronic communications retention by the service providers and the subsequent access by the LEAs with its seven principles and guarantees?
As to the accessibility of the law (1) and the grounds for access to the data by the LEAs (2), the Court noted that the applicable laws on data retention and LEA access are accessible, and that also the grounds for access by the LEAs are clearly set out (§§ 396 and 398).
However, when it came to the rules on LEA data access and further processing (3), the Court noted that there were no publicly available rules for the accessing and further processing of the data in the framework of criminal proceedings and that apparently the safeguards in the LED have not been used in practice as a safeguard (§§ 408-409).
With regards to the procedure for authorising LEA access (4), the Court noted that the LEAs are not required to provide the authorising judges with adequate motivation and the necessary information for access when access is sought in the framework of criminal proceedings (§§ 402-403). In addition, the authorising judges are not required to motivate their decision (§ 405).
As to the oversight (5), it is entrusted in the hands of the CPDP, the parliamentary committee responsible for overseeing the secret surveillance measures and the judge who issued the access warrant. Their powers were deemed to be ineffective. First, whereas the CPDP has been monitoring the electronic communications service providers, the Court noted that it has no express supervision powers in relation to accessing LEAs and the CPDP has not proven that its members have done any supervision activities under the LED. Second, as to the judges, they do not have the power to order remedial measures or to perform inspections. Third, while the parliamentary committee has inspection and information-gathering powers, they may not order remedies. In addition, there were doubts about the qualifications of its members, because they do not need to be lawyers (§§ 410-415).
As far as notification is concerned (6), the parliamentary committee may notify the concerned individuals only where the LEA access was sought or obtained unlawfully, provided that the notification would not prejudice an ongoing investigation. Furthermore, the transparency provisions implementing the LED did not seem to have been useful in practice (§§ 416-417).
The Court finally observed that it did not consider that there existed effective remedies (7), referring to the discussion on the admissibility of the case (§ 418).
All the identified problems under (3)-(7) contributed to the Court’s finding of a violation of Article 8 ECHR.
Earlier, scholars have noticed the difference between the stricter approach and required safeguards in Zakharov, on one hand, and the Court’s more lenient and technical examination of bulk surveillance in CFR and BBW, on the other hand (here, here, here and here). Legal scholars and practitioners would thus immediately want to know how to position Ekimdzhiev and Others v. Bulgaria. My observation is that it follows more Zakharov, which is logical bearing in mind the fact that both cases concern the issue of surveillance of their own citizens and residents, the difference being that the Bulgarian law was designed to be a targeted surveillance law. At the same time, the Court relied on, but also departed from, CFR and BBW in some respects.
For instance, the Court was not very critical of the fact that in Bulgaria the authorising judges and the judges ensuring oversight are the same, which could lead to a conflict of interest and uncritical oversight. This point was rightfully criticized in CFR (CFR, §§ 359-364 and the Concurring Opinion of Judge De Albuquerque in CFR, § 17) and it is not clear why the Court did not discuss this issue in the present case. This is also puzzling bearing in mind that the Venice Commission for Democracy through Law has noted that if the surveillance authorities are given a broad mandate and the oversight is restricted to checking the compliance with this mandate, then this cannot constitute effective oversight (§ 93).
This issue is especially relevant in the present case, where the Court noted that practically there have been instances of abuse with regard to the authorisation of secret surveillance, which emphasizes the necessity of adequate motivations by the LEAs when requesting surveillance and motivated reasoning by the authorising judges. The examination of the practice in Bulgaria, which revealed the abuse, is part of the test the Court decided to rely on in CFR and BBW, although it should not be forgotten that the Court had established it already in AEIHR and Ekimdzhiev v. Bulgaria (§ 92).
It is also not very clear why in casu the Court was relatively lenient on terrorism, namely that in those cases the authorities requesting secret surveillance measures do not need to provide as much information to the authorising judge as in other cases (§ 309).
Another notable observation is that, given the scant jurisprudence on the LED by the CJEU, it is welcome that the Court considered at different instances the effectiveness of the Bulgarian law implementing the LED as providing adequate data protection safeguards. This is despite the fact that the LED is a piece of EU law and not a Council of Europe instrument. However, this demonstrates what an important role EU and national data protection law is playing in examining whether a violation of Article 8 ECHR could be established. In casu, the Court was not satisfied that the safeguards merely existed in law: proof of their practical effectiveness by the government was required. The Court noted that the government could not demonstrate that its provisions have been effectively used in practice, which raises questions about the practical impact of the LED. This is an especially interesting observation bearing in mind the ongoing LED evaluation by the European Commission.
In addition, the Court indicated that it was not certain to what extent the provisions applied to national security surveillance measures. Notably, national security falls outside the scope of EU law and hence the LED (Article 2(3)(a) LED). This legal discussion raises the question of whether it is feasible to apply different safeguards to national security and law enforcement measures, especially since the case demonstrates the practical difficulty of separating them.
Finally, the Court seems to be uncritical in principle towards a system in which the electronic communications service providers have to store the metadata on every electronic communications exchange. It did not examine the necessity and proportionality of the whole scheme as such, in contrast to the CJEU approach, e.g. in Tele2 Sverige and Watson. Instead, it implied that if LEA access to the collected data would be more strictly regulated, the whole system as such would be likely to be compliant with Article 8 ECHR (§ 419). In that sense, it resonates with CJEU’s conclusion in Privacy International that the Charter of Fundamental Rights of the EU does not allow general disclosure of electronic communications data to the authorities for national security purposes.
Ekimdzhiev and Others v. Bulgaria demonstrates a good level of consistency with Zakharov in the sense that it was critical of a surveillance system that could in practice operate as a mass surveillance system. In casu, the Court made it clear that the Bulgarian legislator aimed for a targeted surveillance regime and the Court examined whether the laws actually ensure that it remains targeted. However, the question of whether in principle secret surveillance systems, including bulk surveillance systems, could as such be necessary and proportionate in a democratic society when they would ensure adequate safeguards against abuse, remains unanswered. This is problematic because the Court seems to be focusing on rather technical examinations of the different surveillance regimes and not so much on the question of whether and to what extent democratic societies should allow for secret surveillance regimes, especially bulk ones. What is also evident from the ruling is that the Court concluded that because the Bulgarian legal framework does not satisfy the quality-of-the-law requirement, the processing is not ‘necessary in a democratic society.’ This is in contrast to its earlier ruling in AEIHR and Ekimdzhiev v. Bulgaria, where it concluded only that the quality-of-the-law requirement is not satisfied and did not even examine whether the measures were ‘necessary in a democratic society’ (§ 93). One wonders whether this means that the Court no longer considers examining the question of whether the different surveillance regimes are compatible with the underlying values such as democracy and looking beyond the existence of adequate safeguards against abuse.
Finally, the Court was less critical of the amassing of personal data by private actors, i.e. electronic communications service providers. This, too, is problematic, as they store the personal data of the users because they are mandated to do so by the law for law enforcement purposes. Hence the storage in itself should not be seen as entirely separate from the question of the LEAs’ access to the stored data. Actually, the Court ruled in its landmark judgment S. and Marper v. the United Kingdom (2008) that the mere storage of personal data constitutes an interference with one’s private life, independent of the further usage of the data.
Therefore, while it is welcome that the Court discussed in such a detailed manner the availability of safeguards against abuse and their effectiveness, the fundamental question still remains whether even the mere ‘mass’ storage of electronic communications data should be acceptable in a democratic society. This is an especially valid question bearing in mind the fact of how easily safeguards could be circumvented or even abolished.