Last week, as he delivered his first report to the UN Human Rights Council, the UN Special Rapporteur on the right to privacy made headlines with his sharp criticism of the United Kingdom’s Investigatory Powers Bill, which was introduced in Parliament earlier this month. The bill is undoubtedly the most comprehensive and expansive surveillance statute Europe (and, arguably, the world) has ever seen. It would enshrine far-reaching and invasive governmental powers into law, including bulk interception, hacking (both targeted and bulk), and the retention of web history logs (known as “Internet Connection Records”). Under the bill, such powers can be used both domestically and abroad, against UK citizens and foreigners, and without a court-ordered warrant.
A doomed law
The Special Rapporteur’s critique of the bill rested not on the threat such powers pose to privacy — the hundreds of individuals and organizations who submitted their opinions to a Joint Committee scrutinizing a draft of the bill made such an argument convincingly enough. Instead, he focused on the bill’s failure to comply with European case law on the subject. The bill’s provisions “prima facie fail the benchmarks” set by recent jurisprudence of the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR). The implication is that not only is the UK government flaunting mandatory legal authority by which it is bound, but that the bill is doomed to fail scrutiny by regional courts. If that’s right, this legislative process will be a costly waste of time that will need to be replicated following legal challenges.
In a way, the Government’s insistence on advancing the expansive powers of the Investigatory Powers Bill in the face of clear counter-authority is illustrative of the UK’s increasingly hostile stance towards the European community and its own membership in it. However, it is also emblematic of another trend: the growing divide between EU member state practice and ambition in the field of surveillance and intelligence gathering, and human rights norms, as articulated by the regional courts.
Following the leader
For the UK is not the only European country which is legislating for broader and more intrusive surveillance powers: the Netherlands is currently considering a number of pieces of legislation that expand bulk interception (from non-cable bound communications to cable interception) and hacking powers (authorizing hacking by intelligence agencies for “reconnaissance,” as well as extending hacking powers to police). France and Switzerland both adopted laws last year authorizing bulk interception (although the latter may be subject to revision after public demands for a referendum were successful), and Denmark and Finland have indicated their intention to do the same.
And yet, in October 2015, the European Union’s highest court held that US surveillance law — in particular, provisions enabling bulk interception — does not meet European standards. This conclusion has confused many, who see the practice of European states as being equivalent to — if not worse than — US surveillance practices. The CJEU’s decision highlighted the increasing non-compliance of European domestic legislation with regional conventions; not only does the US not comply with human rights standards, but European states don’t either.
So what are those human rights standards, as articulated by the European regional courts? What is the threshold that surveillance laws — be they European or the US — must meet in order to be in compliance with human rights law?
Before I attempt to answer such questions below, some quick background on the relationship between the ECtHR, the CJEU, and the two human rights texts they enforce — the European Convention on Human Rights and the EU Charter of Fundamental Rights, respectively. The European Court of Human Rights is part of the institutional machinery of the Council of Europe, and 47 states — including countries such as Russia — are party to the European Convention. While the jurisprudence of the European Court is binding on member states, the degree of influence ECtHR decisions have over domestic courts differs from state to state, and decisions will generally require subsequent action by domestic parliaments in order to give them effect. The European Convention on Human Rights came into force in 1953; the Court was established in 1959 and became a permanent institution in 1998.
In contrast, the CJEU — the superior judicial mechanism in the European Union — applies and adjudicates claims under the EU Charter of Fundamental Rights, which only came into effect in 2009 with the entry into force of the Treaty of Lisbon. The decisions of the CJEU have direct and binding effect on EU member states. The Charter states that, wherever it contains rights that correspond to the European Convention, “the meaning and scope of those rights shall be the same” as are granted by the Convention. In fact, the CJEU is empowered to provide “more extensive protection” than that granted by the ECHR. The Charter further includes a non-regression clause by which the Charter must not to be interpreted as “restricting or adversely affecting” the human rights recognized in the Convention.
Indeed, as demonstrated below, the CJEU has been quick to adopt an expansive and robust interpretation of the rights enshrined in the Charter, and arguably has been more willing to take a strong position against surveillance measures, such as bulk interception and mandatory data retention, than the European Court had been previously. The ECtHR now appears to be taking an equally robust stance — perhaps emboldened by the CJEU (recent ECtHR opinions have referenced and relied on the reasoning of CJEU decisions).
Generalized access to communications content
Putting aside the controversial nature of the CJEU’s October decision in Schrems v. Data Protection Commissioner, at least one of the Court’s conclusions was unqualified and clear: “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” (para. 94). Under international human rights law, measures that impair the essence of that right cannot be justified, even by reference to extremely pressing legitimate objectives. Thus, such a conclusion renders bulk interception capabilities fundamentally in violation of human rights.
It should be noted that the CJEU relied on both Article 7 and Article 8 of the EU Charter, which cover the rights to privacy and protection of personal data, respectively. Article 7 has its equivalent in Article 8 of the European Convention on Human Rights.
Mandatory retention of communications data
Article 8 of the Charter, however, has no equivalent in the Convention, and it was primarily Article 8 upon which the CJEU based its 2014 decision in Digital Rights Ireland to invalidate the European Data Retention Directive, which had EU member states require communications service providers to retain communications data for up to two years. The CJEU found that the mandatory retention of communications data contravenes the right to protection of personal information when provisions mandating retention fail to make any differentiation between categories of data and the specific objective pursued, or stipulate objective criterion upon which competent national authorities can have access to the data, and when access to data is not subject to independent prior authorization.
The CJEU reiterated this finding in the context of US surveillance practices in the Schrems case, emphasizing that:
Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail (para. 93).
Reasonable suspicion
An issue closely related to the question of bulk interception is the reasonable suspicion requirement. Modern signals intelligence gathering practices — also called “strategic surveillance” in previous ECtHR jurisprudence — is fundamentally opposed to the concept of reasonable suspicion. Instead, it is premised on an approach that sees mass surveillance as a tool for target development and pattern recognition. Two prior ECtHR cases looked at “strategic surveillance” systems operated by the UK and Germany – respectively, Liberty & Ors v. United Kingdom (2008) and Weber and Saravia v. Germany (2006) — and in neither case did the Court critique the relevant laws on their failure to require reasonable suspicion (or, for that matter, individualized targeting). But, both cases were issued by sections of the Court rather than the Grand Chamber, meaning their reading of the law was open to subsequent revision.
In the Grand Chamber’s December 2015 decision in Zakharov v. Russia, the Court reasserted the requirement for individualized reasonable suspicion, including in national security cases. It held that the entity authorizing interception must be “capable of verifying the existence of a reasonable suspicion against the person concerned” and required “factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures” (para. 260).
This authority was followed and applied in the subsequent decision of the Fourth Section in Szabo and Vissy v. Hungary. In that case, the Court highlighted the absence of a requirement to establish “a sufficient factual basis” by which an independent authority could evaluate both the necessity of the surveillance and the individualized suspicion of the target. The Court emphasized that only demonstrable existence of a reasonable suspicion “would allow the authorising authority to perform an appropriate proportionality test” (para. 71).
There is some lingering doubt as to whether the Grand Chamber and Fourth Section intended to set such a high threshold for interception in the case of national security and intelligence gathering — such doubt was expressed in a separate (but concurring) opinion by Judge Pinto de Albuquerque in Szabo. Arguably, a further decision is necessary to clarify this issue. Nevertheless, when paired with the CJEU’s finding in Schrems, it would appear that European law outlaws untargeted interception of content.
Judicial authorization for interception and access to data
The Schrems and Digital Rights Ireland cases reiterated that, according to Article 8 of the Charter (protection of personal data), access to retained communications data requires prior independent authorization. In relation to communications content, the threshold is even higher — with the ECtHR’s decision in Szabo, the requirement under Article 8 of the Convention (right to privacy) is that judicial authorization should be the norm, with other forms of authorization as the exception. Szabo also dispelled arguments that executive authorization of surveillance was sufficient to ensure compliance with human rights law, with the Court adding that “supervision by a politically responsible member of the executive, such as the Minister of Justice, does not provide the necessary guarantees” (para. 77). This is arguably the strongest statement by the European Court to date on the requirement under Article 8 for judicial authorization.
* * *
With all of this in mind, one might observe that we are moving towards a cross-court concurrence on key issues of surveillance law, one that departs significantly from the practice of member states across the EU and the Council of Europe. Such a trend has two distinct implications: the first is for the new spate of surveillance laws being advanced in member states, which seem to be placing states on a collision course with regional courts. The recent approach of the courts departs significantly from the practice of allowing states a considerable margin of appreciation in national security matters. The result may well be a direct flouting of regional court decisions by member states, whose financial and political investment in the very surveillance capabilities that the CJEU and ECtHR are saying are unacceptable under human rights law is often monumental.
A separate implication is for transatlantic relations, particularly with respect to data flows, which have been hampered by the US perception of European hypocrisy with respect to surveillance practices. Time will tell if the new adequacy agreement, the Privacy Shield, will be sufficient to keep data protection authorities and domestic courts at bay, or whether US surveillance practices will once again be under scrutiny by European courts.