In my previous blog article: ‘Mass Surveillance of Electronic Communications in Europe: Recent Developments’, I summarised two recent judgments from the Court of Justice of the European Union (“CJEU”) that examined whether surveillance of bulk communications data was within the scope of European Union law and thus the Charter of Fundamental Rights of the European Union (“the Charter”). This blog article reviews another European ruling on mass surveillance, this time from the European Court of Human Rights (“ECtHR”): Big Brother Watch and Others v The United Kingdom, Application Nos. 58170/13, 62322/14 and 24960/15. This is an interesting judgment for practitioners, because it shows the different approach to the question of the collection of bulk data between the ECtHR and the CJEU.
Introduction
Three applications were made to the ECtHR after Edward Snowden, an intelligence consultant from the United States National Security Agency (“the NSA”), publicly disclosed classified information about numerous global surveillance programmes. Some of these programmes also involved the intelligence services of the United Kingdom (“UK”). The applicants to the ECtHR believed that their electronic communications data were likely to have been either intercepted or obtained by the UK intelligence services or obtained from foreign governments and/or communications service providers (“CSPs”).
The vast majority of internet communications are carried over international fibre optic cables that run along the seabed and are operated by CSPs. Each cable carries a number of ‘bearers’; globally there are around 100,000 bearers across the cables. Communications are transmitted across the bearers and take a combination of the quickest and cheapest path. The optimum path may involve travel through bearers in multiple countries, even if the communication is sent from a person in one country to another person in the same country.
Among the Snowden revelations was that Government Communications Headquarters (“GCHQ”) was running an operation that involved accessing huge volumes of data from bearers. GCHQ was using two processing systems. The first targeted a small percentage of bearers. A list of “simple selectors” was applied; a simple selector is a specific identifier (such as an email address) related to a known person. Any communications that matched the selectors were kept and those that did not were automatically discarded. Analysts then assessed which were valuable for intelligence and should be opened. Only a very small proportion were opened and read.
The second process focused on an even smaller number of bearers, which were a subset of those in the first process. These were bearers that were identified as being the most likely to carry communications of interest to intelligence services. A technical sifting process was applied that resulted in an index of items that were determined to be of intelligence value. Only communications that had been indexed could be opened by analysts; items not indexed were discarded.
In the United States (“US”) the NSA operated two programmes: PRISM and Upstream. The US government obtained intelligence material from internet service providers through the PRISM programme. It involved a specific targeted enquiry rather than broad-based data mining and was regulated under the Foreign Intelligence Surveillance Act (“FISA”). Upstream allowed the collection of content and communications from fibre optic cables and infrastructure owned by US CSPs. This included data of non-US citizens, which was collected and stored under the Upstream programme and could be searched using keywords.
After Snowden’s revelations there were a number of reviews of the UK intelligence services’ interception operations.[1] The Intelligence and Security Committee of Parliament published a report in 2015 and concluded that allegations that GCHQ had circumvented the law to access private communications were unfounded, but it made some recommendations to improve oversight. The Independent Reviewer of Terrorism Legislation also produced a report in 2015 that came to the same conclusion and provided a substantial review of the existing legislation, with proposed reforms.[2]
The UK Legal Framework
In the UK, section 8(4) of the Regulation of Investigatory Powers Act 2000 (“RIPA”) allowed the Secretary of State to issue warrants to intercept external communications for ‘bulk’ interception. At the time of issuing a section 8(4) warrant, the Secretary of State was required to issue a certificate that described the material to be intercepted, and why it was necessary to do so (i.e. for national security, preventing or detecting serious crime, or for safeguarding national economic security). Under section 9 of RIPA a warrant issued in the interests of national security, or for safeguarding the country’s economic well-being, expired after six months; a warrant for detecting serious crime expired after three months.
External communications were defined in section 20 of RIPA and included any use of web-based services with servers overseas. As a UK browser would “communicate” with the web server based overseas, section 20 would therefore also cover postings to social media sites, the browsing of websites and cloud storage. The section 8(4) certificate set out the general categories of information that could be examined. However, the selection of bearers, simple selectors and search criteria that determined the communications that were examined were not included in the certificate.
RIPA included a number of safeguards. The availability of the intercepted material and the extent it could be disclosed or copied was restricted. As a general rule the information could not be used in legal proceedings. Intercepted material under a section 8(4) warrant could not be searched by use of a name, email, address or personal identifier if the individual was known to be in the British Islands; although this did not apply to communications-related material.[3] The material could only be examined to the extent that the warrant certified and by a person with the requisite qualifications and authority. Before examining the material, a record had to be created explaining why access was required, how it was applicable to the certificate and why access was proportionate. There was also oversight provided by the Interception of Communications Commissioner (“IC Commissioner”) and the Investigatory Powers Tribunal (“IPT”) so that individuals could bring claims for any wrongful interference with their communications.
There were various laws that provided for the sharing of intelligence between the UK intelligence agencies and their foreign counterparts, such as the Security Service Act 1989, the Intelligence Services Act 1994, the Counter-Terrorism Act 2008 and a British-US Communication Intelligence Agreement of 1946. Chapter II of Part 1 of RIPA set out the framework under which the government could obtain communications data from CSPs. Chapter 12 of the Interception of Communications Code of Practice (“the IC Code”) set out the circumstances and procedures for which the UK intelligence services could request material from their foreign counterparts. Chapter 12 was added after Liberty brought proceedings in 2013.[4]
ECtHR Grand Chamber Ruling
The question for the Grand Chamber was whether the interception, retention, storage and sharing of data was compatible with Articles 8 and 10 of the European Convention on Human Rights (“the Convention”). The Grand Chamber noted that its conclusions were confined to RIPA and not the Investigatory Powers Act 2016, which has replaced RIPA and is currently being challenged in the UK courts.
The ECtHR acknowledged that communications data is of central importance to intelligence agencies to be able to observe online criminality and link an individual to an account, or to establish their whereabouts or how they are communicating with victims or other suspects. The most serious threats to democracy utilise and/or take place in the online realm. Bulk interception is used to address the most serious threats to democracy and in particular because terrorists, criminals and hostile foreign intelligence services have become increasingly sophisticated at avoiding detection through traditional methods. In practical terms, there are no alternatives to bulk interception that could yield as effective results.
The court also recognised that related-communications data can be particularly intrusive to a person’s private life, an intrusion that is magnified when the data are collected in bulk, because it can “paint an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communications patterns and insight into who a person interacted with”.[5] With enough metadata, you could have all the information you need to know everything about a person’s life, without the content of their communications.[6]
Article 8 of the Convention (the right to private life)
The Grand Chamber found that the degree of interference that bulk interception has on Article 8 increases as the surveillance process progresses and it is engaged at the outset: from the initial automated collection, the mere storing of the data, and through the process to the use of the ultimate final product.[7] Where information about a particular person is being examined, the need for safeguards is at its highest.[8]
Any interference with Article 8 must be justified under Article 8(2), such that it must be in accordance with the law, pursue one or more legitimate aims and be necessary in a democratic society in order to achieve the aim(s). The law must be accessible to the person concerned and foreseeable as to its effects.[9] The court must be satisfied that secret surveillance measures are applied only when necessary in a democratic society and that there are provisions to ensure adequate and effective safeguards against abuse. To this end, there are six minimum safeguards, developed in the case-law of the ECtHR, that apply to the interception of communications in criminal investigations, which are as follows:[10]
- The nature of the offences giving rise to the interception;
- A definition of the categories of people liable to have their communications intercepted;
- A limit on the duration of the interception;
- The procedure to be followed for examining, using and storing the data obtained;
- The precautions to be taken when communicating the data to other parties; and
- The circumstances in which intercepted data must be erased or destroyed.
In addition, the case of Roman Zakharov established that where secret surveillance is involved, the arrangement for supervising the surveillance, notification mechanisms and the remedies provided for by national law also need to be examined. For bulk interception, given the potential for abuse, it is imperative that “domestic law should set out with sufficient clarity the grounds upon which bulk interception might be authorised and the circumstances in which an individual’s communications might be intercepted”.[11] The process would need ‘end-to-end safeguards’ such that at every stage, the necessity and proportionality of the measures is applied, as well as independent authorisation from the outset.[12]
The Grand Chamber did not find that judicial authorisation was a necessary requirement for bulk surveillance, so long as it was authorised by a body that is independent of the executive. Further, the approach would be a “global assessment” of the State’s bulk surveillance operations.[13] It recommended the following to provide sufficient safeguards, which would apply to both types of data – content and communications-related:[14]
- The independent body should be informed of the purpose of the interception and the bearers or communications routes likely to be intercepted.
- Authorisation should at the very least identify the types or categories of selectors that will be used.
- The use of every selector must be justified when applying ‘strong’ selectors (e.g. an email address) and scrupulously recorded.
- Each stage of the bulk interception process must be subject to suitably robust supervision by an independent authority.
- An effective remedy should be available to anyone who suspects their communications are being intercepted, but the remedy does not depend on notification to the subject of the interception.
- The remedy should be before an independent body with the ability to make a legally binding decision.
The Grand Chamber concluded that the UK pursued legitimate aims in operating a bulk surveillance regime and that the domestic law was adequately accessible and had oversight in the form of the IC Commissioner and the IPT. Overall, it found that the safeguards deployed in the UK’s legislation were generally satisfactory, with the exception of the following:
- The application of a section 8(4) warrant did not provide for oversight of the categories of selectors at the point of authorisation.
- There was an absence of prior authorisation in relation to the strong selectors linked to an identifiable individual.
- The certificate regulating access to material on the index created by intelligence services was insufficiently precise to provide any meaningful restriction.
- Retention periods should be made public.
The deficiencies outlined above led the court to find that there had been a violation of Article 8 of the Convention.
Article 10 of the Convention (freedom of expression)
In relation to Article 10, the applicants argued that the large-scale interception of communications had a ‘chilling effect’ on the freedom of communications for journalists; in particular, it interfered with their right to maintain confidentiality of their sources. Concerns were also raised by interveners to the proceedings about other confidential and privileged material, such as correspondence between lawyers and their clients. The applicants proposed that prior authorisation from a judicial or independent body was required before the data is collected.
The Grand Chamber found significant the fact that the access to journalists’ communications was a by-product of the bulk surveillance system and not an intentional action. The initial interception, without further examination, did not interfere with Article 10, but any storage, examination, use or onward transmission would require sufficient safeguards in domestic legislation to justify the interference with the right. It concluded that the use of selectors or search terms connected to a journalist would result in the acquisition of significant amounts of confidential journalistic material. Therefore, should such selectors or search terms be intended to be used, it must be authorised by a judge or an independent body.
The IC Code relating to storage, onward transmission and destruction of confidential journalistic material was found to be adequate. However, there was a deficiency: pre-authorisation by a judge or independent body before inspection was not present in the code or legislation to justify the overriding requirement that the interference was in the public interest, or to consider whether a lesser measure would suffice. Further, confidential information that was selected ancillary to examination of certain communications could continue to be stored and examined. Accordingly, the UK was found to be in breach of Article 10 of the Convention.
Information from Foreign Intelligence Services
Where the Grand Chamber was divided was on the question of the receipt of information from foreign intelligence services. The applicants had been critical of the intelligence gathered by the US intelligence services, in particular where the legal regime did not provide the equivalent safeguards that were found in the receiving countries.
This is particularly relevant given section 702 FISA enables the US intelligence services to collect information on non-US citizens and could therefore include those communications of individuals in States that are a party to the Convention. Under FISA, the Attorney General and Director of National Intelligence make annual certifications that authorise the targeting of non-US persons located outside of the US. In doing so, it is not necessary to specify to the US Foreign Intelligence Services Court (“FISC”) who is being targeted: the certifications identify categories of information to be collected that meet the definition of foreign intelligence information.
The NSA is then able, with the assistance of CSPs, to copy and search internet traffic data, including both telephone calls and internet communications. There are obligations under FISA to apply minimization procedures, which are reviewed by FISC, but otherwise there is no prior judicial oversight, no reasonable suspicion is necessary to obtain certifications and there is no statutory obligation to notify the subjects of the surveillance. Executive Order 12333 is not subject to regulation under FISA and it is not subject to any judicial oversight; how much data are collected under it is unknown.
The majority of the Grand Chamber found that the UK’s receipt of communications under RIPA that had been originally intercepted by the US authorities did not breach the Convention.[15] The principal reason for their conclusion was that the interception by a foreign intelligence service does not engage the responsibility of the receiving State within the meaning of Article 1 of the Convention, unless its intelligence services were “placed at the disposal of the receiving State and were acting in exercise of elements of the governmental authority of that State” and were aware of any wrongful act, or if it exercised any direction or control over the foreign intelligence service.[16]
It was noted that the sharing was not requested in bulk, but on the basis of an existing warrant, which the Secretary of State had approved. So long as the request by a State subject to the Convention has a basis in domestic law that is accessible and foreseeable as to its effects, with an indication as to the circumstances and conditions under which it can make a request, then the receiving State will not be in breach of Article 8 of the Convention.
The Minority Opinion
While the minority supported the overall conclusion of a violation of Articles 8 and 10 of the Convention, the reasoning underpinning that conclusion was not accepted. In their view surveillance, and the feeling of being watched, fundamentally undermines democratic society given that privacy underpins individual moral autonomy, development and freedom. Their view is that the development of new technologies and the more effective use of information increases the risks to privacy and the abuse of personal data such that the majority should have attached “significantly more weight to private life in general”.[17]
Judge Albuquerque highlighted how the “indiscriminate and suspicionless bulk collection of communications would frustrate the protection of legally protected and confidential information” and that the Convention does not allow for “data fishing”.[18] His view, and that of the remaining minority, was that RIPA’s definitions were too wide, such that crimes of a less serious nature, and imprecise national security considerations, were included, thereby undermining the substantive protection that would be required to guard against abuse.[19] Judge Albuquerque pointed out that if there is a lack of appropriate substantive protection, then the procedural protection will also be undermined and cannot guarantee effective protection from arbitrariness and abuse. Further, it was noted that the Parliamentary Assembly of the Council of Europe and the Council of Europe Human Rights Commissioner had demonstrated that indiscriminate mass communications surveillance had not proven to be effective in the prevention of terrorism.[20]
The criteria set out by the majority to assess the compliance of a State’s bulk surveillance operations with the Convention were, in the minority’s view, insufficient, because they did not contain any requirement of reasonable suspicion as part of the grounds to authorise the bulk interception. In their view, inspection of communications should only occur where it can be demonstrated that the individual may be engaged, or be about to be engaged, in activities that infringe a specified national security interest.
The minority were critical of the setting of a lower standard of protection for the transfer of data from foreign intelligence services’ bulk data collection regimes. Their view is that the same safeguards that are relevant to the receiving States in their collection of communications data should also apply to the receipt of such data, otherwise “the protection afforded by the Convention would be rendered nugatory if States could circumvent their Convention obligations by requesting such data from non-Contracting States”.[21] For foreign intelligence surveillance data to be validly received, any request must be subject to prior authorisation by an independent body to assess whether it is both necessary and proportionate to the aim pursued and to “ensure that this power is not used to circumvent domestic law and/or the State’s obligations under the Convention”.[22]
CJEU versus ECtHR
There have been a number of cases in the CJEU on the question of data interception and retention. The joined cases of Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Watson and Others C-203/15 and C-698/15[23] involved an assessment of the legal obligation on commercial telecommunications operators to retain data so that it could be made available not only to intelligence agencies, but also to other public bodies. In the ‘Schrems I’ and ‘Schrems II’ cases, the CJEU concluded that the transfer arrangements of personal data from Europe to the US were invalid because data subjects could not pursue legal remedies against the US government when it accessed the information under FISA or Executive Order 12333.
Recently in Privacy International v Secretary of State for Foreign and Commonwealth Affairs C-623/17[24] and the joined cases of La Quadrature du Net and Others C-511/18 and C-512/18[25] (see my blog article here) the court reiterated that the preventative retention of data, on an indiscriminate basis, must be limited to what is strictly necessary, cannot be indefinite, cannot be systematic in nature, and must be subject to limitations and safeguards.[26]
The Grand Chamber outlined these cases in its judgment and noted that the CJEU in Tele2/Watson had declined to answer the question of whether the protection afforded by the Charter in Article 7 (the right to respect for private and family life) and Article 8 (the right to data protection) was wider than that guaranteed by Article 8 of the Convention.[27] The Grand Chamber did not make any further comment on the comparison in its judgment.
It is difficult to make comparisons between the approach to bulk data collection and use between the ECtHR and the CJEU, because the formulation of ‘proportionality’ and ‘necessity’ by the respective courts differs. However, for the UK, it is important, given that it is in Article 8 of the Convention that the UK courts will need to find a way to interpret “fundamental rights and freedoms” in the UK GDPR now that the Charter no longer applies (see the section on ‘interpretation of EU law’ in my blog article on Brexit here).
Whereas in Schrems I and Schrems II the CJEU had found the inadequacies of the US surveillance regime highly significant, and required equivalent protection before data could be transferred, the Grand Chamber in this judgment was of the view that such equivalence in receiving surveillance data was unnecessary.[28] This is of course logical given that for the former it was the personal data of European data subjects that was being transferred to an unsatisfactory regime, as opposed to data being imported into a regime with safeguards.
The problem to which the minority of judges in this ECtHR judgment were alive was the possibility that private information of subjects of States party to the Convention could be unlawfully collected by other countries not bound by the Convention, thereby circumventing the Convention’s obligations and undermining the very rights that it is designed to protect. This is in line with the CJEU’s approach that the law in regard to data collected in bulk cannot be general and indiscriminate such that it makes an exception the rule.[29]
The majority recognised the intrusiveness of the mass collection of communications data into an individual’s private life, but it did not accept that bulk communications surveillance was as intrusive as the direct monitoring of individuals’ devices, given it targeted bearers not people. It therefore took the approach that the indiscriminate nature of the collection of data proved only a minimal interference with Article 8 and so long as the requisite safeguards are in place, there would be no breach of the Convention.
[1] The Royal United Services Institute also undertook a review: “A Democratic Licence to Operate: Report of the Independent Surveillance Review”.
[2] Sometimes referred to as the “Anderson Report”.
[3] Section 16(2) RIPA
[4] Liberty, along with a number of other civil liberties organisations, brought proceedings against the UK Government before the Investigatory Powers Tribunal to challenge its use of data collected under the UK and US surveillance programmes.
[5] Paragraph 342 of the judgment.
[6] This point was made by the organisation European Digital Rights, quoting general counsel of the NSA Stewart Baker; see paragraphs 317 and 342 of the judgment.
[7] Paragraphs 325 to 330 of the judgment.
[8] Ibid., paragraph 330.
[9] Ibid., paragraph 332, citing Roman Zakharov v Russia [GC] No. 47143/06 ECHR 2015.
[10] See paragraph 335 of the judgment for the case references. Sometimes referred to as the ‘Weber safeguards’.
[11] Ibid., paragraph 348.
[12] Ibid., paragraphs 347 and 350.
[13] Ibid., paragraph 360.
[14] Ibid., paragraphs 349 to 362.
[15] Twelve votes to five.
[16] Paragraph 495 of the judgment. Here distinguishing the circumstances from those found in Al-Skeini and Others v the United Kingdom, No. 55721/07 and Jaloud v the Netherlands, No. 47708/08.
[17] See paragraphs 2 to 10 of the joint partly concurring opinion of Judges Lemmens, Vehabović and Bošnjak.
[18] Paragraphs 22 and 25 of his separate opinion.
[19] Ibid., paragraphs 35 and 36.
[20] See PACE Resolutions 1954 (2013) and 2045 (2015) and the Council of Europe Human Rights Commissioner’s Memorandum on Surveillance and Oversight Mechanisms in the United Kingdom, CommDH (2016) 20, May 2016.
[21] Paragraph 4 of the joint partly dissenting opinion of Judges Lemmens, Vehabović, Ranzoni and Bošnjak.
[22] Ibid., paragraph 8.
[23] ECLI:EU:C:2016:970.
[24] 6 October 2020, CJEU ECLI:EU:C:2020:790.
[25] French Data Network, Fédération des fournisseurs d’accès à Internet associatifs, Igwan.net v Premier ministre, Garde des Sceaux, ministre de la Justice, Ministre de l’Intérieur, Ministre des Armées (interveners: Privacy International, Center for Democracy and Technology), 6 October 2020, CJEU ECLI:EU:C:2020:791.
[26] La Quadrature du Net judgment, paragraphs 137 to 139.
[27] At paragraph 219 of the judgment.
[28] Ibid., paragraph 362.
[29] See the Schrems II ruling, in particular paragraphs 69 and 81.