In Big Brother Watch v. U.K., a challenge to surveillance following the Snowden revelations, the European Court of Human Rights in Strasbourg concluded that the British bulk surveillance regime violated the European Convention on Human Rights. The court ruled against the U.K. in several narrow, but important, respects for human rights. However, following a trend noted recently, the court applied unusually diminished scrutiny to bulk surveillance. This reasoning is out of step with the court’s precedent.
The Court of Justice of the European Union (CJEU) in Luxembourg will have an opportunity to respond to this issue in its decision on Data Protection Commissioner v. Facebook and Max Schrems. In this case, the CJEU should not make the same miscalculation of the Strasbourg court. The CJEU should preserve the strict lens for reviewing surveillance and re-emphasize the safeguards already set out in precedent: individualized suspicion, independent review, and notice.
Big Brother Watch v. U.K.
In Big Brother Watch v. U.K., the European Court of Human Rights (ECtHR) heard a consolidated challenge to U.K. surveillance and the U.K.’s receipt of U.S. surveillance products. In addition to disclosures of bulk surveillance by the U.S. National Security Agency, the 2013 Edward Snowden revelations indicated British intelligence services were operating bulk interception of content and associated communications data through a program labelled “TEMPORA.” Conducted by tapping into international submarine fiber-optic cables carrying internet communications, this program has neither been confirmed nor denied by the British government. The U.K.’s Regulation of Investigatory Powers Act 2000 (RIPA) governed this surveillance activity and was at the heart of the ECtHR’s review.
A longstanding U.S. and U.K. agreement also permits the countries to transfer intelligence obtained through foreign surveillance. Big Brother Watch v. U.K. was the consolidation of three challenges to U.K. surveillance and U.K.-U.S. intelligence transfers on human rights grounds, all initiated just after the Snowden disclosures.
The court found that the U.K. surveillance violated the European Convention on Human Rights Article 8 right to privacy. The decision focused on both “the lack of oversight of the entire selection” of data subject to surveillance and “the absence of any real safeguards” for associated communications metadata. The court also found that the surveillance violated Article 10 protections for freedom of expression for the failure to adequately protect confidential journalistic material. Finally, the court for the first time applied Article 8 standards to intelligence transfers from the U.S. to the U.K. (the subject of a brief in the case from the Electronic Privacy Information Center), though it found no violation.
These findings are undoubtedly important. However, beyond these rulings against U.K. surveillance, the court’s decision ignored earlier case law and misunderstood the scope of the privacy risk posed by modern surveillance techniques.
First, the ECtHR accepted the proposition that bulk interception regimes are “not per se outside” the discretion afforded states in the pursuit of national security. This is the second time recently that the court has made such a bold statement, coming on the heels of its June 2018 approval of the Swedish signals intelligence regime in Centrum för rättvisa v. Sweden.
Regardless of one’s views about the relative merits or risks of bulk collection, the clarity of this statement from the ECtHR is dramatic. This is particularly true given the comparative focus on individualized suspicion in a 2016 review of Hungary’s surveillance regime in Szabó and Vissy v. Hungary, which stated that a review of “sufficient reasons for intercepting a specific individual’s communications [should] exist in each case.”
In Big Brother Watch v. U.K., the court also indicated a willingness to loosen the analytical framework in order to entertain the surveillance technique. The court chose to treat bulk surveillance the same as other surveillance regimes, and perhaps even to subject it to less scrutiny in this case. The court stated that “both bulk interception and other interception regimes must satisfy” minimum requirements from its caselaw (described below).
Further, the decision ignored the expressly “strict” lens adopted by the court in Szabó and Vissy v. Hungary, as well as in an earlier surveillance case, Klass and Others v. Germany. In those instances, the court adopted a view that secret surveillance is permissible only when “strictly necessary” to safeguard institutions.
In Big Brother Watch, the court excluded the requirement of strict necessity from the analysis. Indeed, the court seemed to regressively modify its review: it “adapt[ed]” the required safeguards for surveillance “where necessary to reflect the operation of a bulk interception regime.” The effect was that the ECtHR did not give due weight to the requirements of individualized suspicion, independent review, and notice.
At the heart of the ECtHR’s historical framework established in precedent for analyzing surveillance is a set of minimum safeguards that must be set out in law to “avoid abuse of power” in deploying interception for criminal investigations and national security. These are called the Weber criteria, encompassing six factors:
- The nature of offences which may give rise to an interception order
- A definition of the categories of people liable to have their communications intercepted
- A limit on the duration of interception
- The procedure to be followed for examining, using and storing the data obtained
- The precautions to be taken when communicating the data to other parties
- The circumstances in which intercepted data may or must be erased or destroyed
In the assessment, the ECtHR also considers any arrangements for supervising implementation of secret surveillance measures, notification mechanisms and the remedies provided for by national law. These latter safeguards are not an absolute requirement, the ECtHR reiterated in Big Brother Watch.
The court’s decisions in Zakharov v. Russia and Szabó had given significantly more weight to additional safeguards than in Big Brother Watch. The court, for instance, emphasized surveillance should be subject to judicial or other independent authorization, and subjects should receive “subsequent notification of surveillance measures” because notice is “inextricably linked to the effectiveness of remedies.” On the other hand, in Big Brother Watch v. U.K., the court stated individualized suspicion and notification were impractical and judicial authorization unnecessary.
In contrast to the court’s departure from recent precedent, the applicants and two judges of the court actually contended that changes in technological capabilities call for new and added scrutiny. This style of argument is no doubt familiar to U.S. readers from a slate of recent U.S. Supreme Court decisions. “As technology has enhanced the Government’s capacity to encroach upon areas normally guarded from inquisitive eyes,” the Court recalled in its June decision Carpenter v. United States, the Supreme Court ought to maintain the level of privacy against the government lest individuals be “at the mercy of advancing technology.” Along these lines, the applicants in Big Brother Watch encouraged the court to explicitly require additional safeguards outside of the Weber criteria to reflect the fundamentally different nature of bulk surveillance in 2018. In their observations, the applicants urged three additional requirements:
- Objective evidence of reasonable suspicion in relation to the persons for whom data is being sought
- Prior independent judicial authorization of interception warrants
- The subsequent notification of the surveillance subject
The court declined.
However, as noted by the partial concurrence and partial dissent of Judge Pauliine Koskelo joined by Judge Ksenija Turković, the court’s analytical approach to communications surveillance dates back four decades to Klass and Others v. Germany in 1978 and Weber in 2006. “It is noteworthy that at the time of the surveillance regime which gave rise to the complaint in Weber and Saravia, strategic monitoring was mainly carried out on telephone, telex and fax communications,” Judge Koskelo explains. By contrast, under the U.K. regime at the center of Big Brother Watch:
“[I]nterception (as a matter of technical necessity) encompasses vast volumes of communications traffic in an indiscriminate manner, without being linked to any kind of prior elements of suspicion related to the threats by reason of which the surveillance is conducted, everything in terms of the protection of individuals and their rights depends on whether and how the subsequent stages of the treatment of the intercepted communications provide effective and reliable safeguards for those rights, and against any abuse of the surveillance.”
In particular, Judge Koskelo faulted the conclusion that judicial authorization should not be required for modern surveillance. The court concluded that judicial scrutiny need not be mandatory because such scrutiny may not be foolproof. That judicial control may not be a sufficient safeguard merely signals the importance of reviewing the quality, or independence, of the control, Judge Koskelo said.
Schrems II: An Opportunity for the Court of Justice to Respond
The CJEU and ECtHR famously cross-pollinate — and sometimes compete — to establish legal norms, particularly in the privacy realm, that are also adopted around the world. Data Protection Commissioner v. Facebook and Max Schrems (or “Schrems II”) is now pending before the CJEU. This case provides the opportunity to respond to the recent rulings on U.K. and Swedish bulk surveillance. The CJEU should faithfully apply the strict lens for reviewing surveillance, and reiterate key safeguards already set out in fundamental rights precedent.
Through the lens of cross-border data flows in Schrems II, the CJEU is asked to review the compatibility of U.S. surveillance and legal remedies with EU fundamental rights. Schrems II follows the Court of Justice’s 2015 ruling that struck down the “Safe Harbor” arrangement, a framework for transferring personal data from the EU to the U.S.
By way of background, EU law only permits transfers of data abroad where the privacy of that data will be preserved; transatlantic transfers must be grounded in a finding like Safe Harbor or a similar legal basis. In that 2015 case, privacy activist Max Schrems had argued that EU data transferred under the pact could be subjected to U.S. signals intelligence in violation of EU fundamental rights. When the CJEU struck down the arrangement, Facebook continued to transfer data based on an alternate legal mechanism called “standard contractual clauses” (SCCs). The validity of those SCCs is now being similarly challenged at the CJEU.
The Irish national court referred eleven questions to the CJEU, but two matters of U.S. law are most relevant for the purposes of this analysis. First, the CJEU was asked to decide whether personal data transfers based on SCCs violate the EU Charter of Fundamental Rights Article 7 (privacy) and Article 8 (data protection) because of the potential for U.S. surveillance. Second, the CJEU was asked whether the transfer violates Article 47 (right to a judicial remedy) because the U.S. does not have sufficient remedy under law for violations associated with surveillance.
Clearly, this case raises many of the same issues that were before the ECtHR in Big Brother Watch. The CJEU should take the opportunity in Schrems II to emphasize the required safeguards for modern bulk surveillance.
The CJEU has consistently required surveillance be limited only to what is “strictly necessary.” The CJEU has also emphasized the need for the additional safeguards considered by the ECtHR when states conduct broad-based surveillance. For instance, in Schrems I, the CJEU condemned generalized storage without “differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access,” and, in particular “generalised” access to content.
In a ruling on the EU-Canada passenger name recognition (PNR) agreement, the court insisted that use of data should be subject to a prior review by a court or by an independent authority following a “reasoned request,” except where there is “validly established urgency.” As to notice, in the same decision, the CJEU required notification of an individual where his or her PNR data was accessed or used. Likewise in Watson v. Tele 2, the CJEU again emphasized that “authorities to whom access to the retained data has been granted must notify the persons affected … as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities.” The court should emphasize the continued importance of these safeguards and respond with clear direction on the requirements of European law.
Big Brother Watch v. U.K. is among the Strasbourg court’s first assessments of modern bulk surveillance, and the opinion was more limited than recent decisions concerning surveillance. As the court in Luxembourg looks to these matters under the Charter of Fundamental Rights, the justices should seize the opportunity to re-emphasize fundamental rights and update privacy safeguards that reflect the current scope of state surveillance.
IMAGE: Protesters in Berlin in September 2016, under a banner that reads: “No to a German NSA” and showing a picture of U.S. whistleblower Edward Snowden, oppose pending legislation they claim would greatly expand the legal surveillance capabilities of Germany’s Federal Intelligence Service (Bundesnachrichtendienst, or BND). (Photo by Sean Gallup/Getty Images)