ECtHR gives a half-hearted victory against UK mass surveillance
On 13 September 2018, the European Court of Human Rights (ECtHR) delivered its ruling on the case brought by EDRi members Privacy International, Open Rights Group and other NGOs against the United Kingdom. The Court found several violations of the European Convention on Human Rights in three UK mass surveillance programmes.
The Court’s judgment is that is the “quality of law” criterion for such interferences was not respected and that the procedures were incapable of keeping the interference with fundamental rights to what was “necessary in a democratic society”. It also acknowledges the value of bulk interception of data as a means for national authorities to “achieve the legitimate aim of protecting national security”. Some analysis of the ruling seems to echo previous concerns that the European Court of Human Rights has a more permissive approach towards indiscriminate data storage compared with the Court of Justice of the European Union (CJEU).
One of the many Snowden’s legacies
The present case was brought before the Court after the disclosures by Edward Snowden of surveillance and intelligence sharing programmes operated by the intelligence services of the United States and the UK. A coalition of human rights and journalists associations including two EDRi members, Privacy International and Open Rights Group, challenged three secret surveillance regimes introduced by the UK’s Regulation of Investigatory Powers Act (RIPA) in 2000. The case was originally referred to the UK’s Investigatory Powers Tribunal (IPT), a specialised court which was set up by the RIPA as a remedy for victims of unlawful interception of their communications by security and intelligence agencies. The IPT only found technical breaches. An appeal was therefore filed in 2015 before the ECtHR to challenge its findings.
The Court examined the three types of surveillance regimes:
- the bulk interception of communications data;
- the intelligence sharing regime allowing the UK’s authorities to obtain data intercepted by foreign governments, for instance the US National Security Agency; and
- the acquisition of communications data from Communication Service Providers (CSPs), such as telecommunications operators.
What’s positive about the Court’s ruling?
The Court held that both the bulk interception regime and its provisions for obtaining communications data from CSPs violated Article 8 (right to privacy) and 10 (freedom of expression) of the European Convention on Human Rights. After intercepting communications traffic flowing through British cables, the intelligence services use search criteria and other selecting tools to filter the data and to examine the most relevant material. The Court found that there were not enough safeguards governing this selection process, pointing notably to the lack of independent oversight.
When assessing the UK’s mass interception regimes in light of Article 10, the Court considered that the absence of restrictions for intelligence services in the handling of intercepted and selected confidential journalistic material was a violation of the right to freedom of expression. Indeed, the Court further recognised that this unlimited power to search journalists’ communications, including with their sources, could have a “potential chilling effect…on the freedom of the press” (cf. paragraph 495). In addition, the Court considered that having access to journalist communications data and content under RIPA was not subject to prior review by an independent or judicial body, thus infringing Article 8 of the European Convention on Human Rights.
Another important contribution of the judgement to the general debate on data protection is also its treatment of metadata in comparison to the communications content. Metadata gather all the information around the communication except its content, that is to say the source (name, location, IP address), the destination, the date, the time and the type of communications (messaging service). The Court emphasises that collecting metadata is no less intrusive than collecting content data as it can well reveal a lot about a person’s life and infringe her/his right to privacy. As a result, metadata deserves an equivalent level of protection.
This conclusion was already reached by the CJEU in its Digital Rights Ireland and Tele 2-Watson cases, as metadata could reveal information “that is no less sensitive, having regard to the right to privacy, than the actual content of communications” (Paragraph 99, Tele2 ruling).
The conclusions of both courts will certainly help in future disputes over data collection, retention and access, such as for the current European Commission’s proposal on cross-border access to data. Where the two courts appear to diverge in opinion is the nature of the data collection – bulk or targeted – and its compatibility with fundamental rights.
Time to update the safeguarding criteria
Despite the positive aspects of the ruling, the Court describes the value of bulk interception, given the current threat level from global terrorism and serious crime. This was criticised by judges Koskelo and Turković in their partly concurring partly dissenting opinion recalling the “enormous risks of abuse” this type of surveillance involves. This position also departs from the CJEU ruling which stated that the data retention regime in question in the Tele2 ruling exceeded “the limits of what is strictly necessary”.
Worse still, the criteria that the ECtHR used to analyse the three UK surveillance regimes to ensure there are enough safeguards against abuse in place have been criticised for being outdated. These criteria, developed 12 years ago, are arguably outdated considering the emergence of new technologies and surveillance techniques. Pointing out to the shortcomings of the criteria, judges Koskelo and Turković question the reason why “prior independent control by a judicial authority should not be a necessary requirement in the system of safeguards” in the Court’s examination.
This is not the end of the story
The judgment is not final because the parties to the case can ask for a referral to the ECtHR Grand Chamber. In addition, the RIPA is actually no longer valid as it was replaced 2016 by the Investigatory Powers Act (IPA), meaning that the Court did not take into consideration the new legal text. In light of this judgment, the British government will have to revise the IPA, as the law substantially extended the intelligence services’ powers and their demands on service providers.
UK mass interception law violates human rights – but the fight against mass surveillance continues (13.09.2018)
Big Brother Watch v UK – implications for the Investigatory Powers Act? (13.09.2018) https://www.cyberleagle.com/2018/09/big-brother-watch-v-uk-implications-for.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+Cyberleagle+%28Cyberleagle%29
Blanket data retention is illegal under EU law, court says (21.12.2017)
Analysis of the ECtHR judgment in Big Brother Watch: part 1 (16.09.2018) https://eulawanalysis.blogspot.com/2018/09/analysis-of-ecthr-judgment-in-big.html
Mass surveillance in the CJEU: forging a European consensus (07.2017)
(Contribution by Chloé Berthélémy, EDRi intern)