By Theodore Christakis

Last week, the European Court of Human Rights (ECtHR) issued an important, highly anticipated judgment, condemning the United Kingdom for its mass surveillance program.

Following Edward Snowden’s revelations regarding the United States-United Kingdom intelligence surveillance and intelligence sharing programme, 16 organizations and individuals (including the NGO Big Brother Watch) filed an application against the United Kingdom before the ECtHR. The 212page-long judgment published on September 13, 2018 is rich and deals with a great variety of important issues. Several among them are directly linked to some major legal questions examined in the past by the Court of Justice of the European Union (CJEU) or currently pending before it – not to mention the ongoing debate about whether the EU-US data transfer agreement known as Privacy Shield provides an “adequate level of protection”. The objective of this piece is to provide some first thoughts focusing on the strategic place of this judgment in the European legal landscape.

 A Pyrrhic victory?

Immediately following the release of the judgment, some NGOs like Amnesty International and Liberty tweeted about a “major victory” . Even Snowden tweeted that “Today, we won“.

This was undoubtedly a victory for NGOs, but it was probably not a “great” one; in fact, it may even prove to be a pyrrhic victory.

NGOs are investing a lot of resources in challenging big intelligence agencies. They contribute to striking the right balance between the conflicting values at stake and in introducing effective safeguards against the abuse of monitoring powers, an important mission in a democratic society.

In this endeavor, every success counts for NGOs, and this judgment is clearly a victory for them to the extent that the techniques of massive interception of communications practiced by the British intelligence agency (the Government Communications Headquarters or GCHQ) have been considered to violate two important rights of the European Convention of Human Rights: Article 8 (protection of privacy) and Article 10 (freedom of expression – given the lack of safeguards for the protection of journalists). In addition, the Court emphasized that access to communication data (or metadata) could be just as intrusive as access to content data.

It is therefore indeed a victory for the Applicants; a victory that is rendered all the more valuable when one reads the partly dissenting opinions of Judges Pardalos and Eicke who, as a colleague wrote to me, “wanted the Court to go that extra mile and rule it almost all as lawful”.

However, if we look more closely at the judgment we see that what the Court condemns are mainly certain techniques used by the GCHQ including the fact that, in some respects, the United Kingdom did not match its monitoring system with sufficient safeguards and adequate oversight mechanisms.

To believe that the Court has condemned mass surveillance as such as well as the “system” denounced by Snowden, as some tweets and comments from civil society suggest, is thus definitely not correct. A larger degree of nuance is needed here: an early analysis published by Privacy International or reactions by French NGOs demonstrate indeed that the reception of the judgment by NGOs was much more nuanced than the initial enthusiastic tweets.

Acceptance of the Mass Surveillance Policy

In reality, the truth is that the European Court of Human Rights accepts the policy of mass surveillance.

Already in a judgment rendered on 19 June 2018 in a case unanimously validating Sweden’s legislation permitting the bulk interception of electronic signals for foreign intelligence purposes, the Court had stated that “the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security is one which continues to fall within States’ margin of appreciation” (§112).

But in the Big Brother Watch case, the Court goes even further by saying that: “It is clear that bulk interception is a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime”. (emphasis added) (§386).

It could therefore be argued that the Strasbourg Court is now endorsing what Asaf Lubin called “the new normal” in Europe, namely the proliferation of intelligence laws with a “mass surveillance” dimension. In return, the European Court tries to accompany this surveillance with conditions and safeguards. This is no longer a question about the legality of mass surveillance policies, but rather a question relating to how to operate it.

A Contrast with EU Law

Henceforward, the contrast between the “law of the ECHR” and the “law of the European Union” on surveillance matters becomes all the more striking.

For the Court of Justice of the EU, the indiscriminate and very general nature of the bulk collection and processing of personal data, even to protect people against serious crimes, entails significant risks for human rights and freedoms and requires that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”. (Digital Rights Ireland (2014), §52, emphasis added).

In its famous “Schrems” decision of 2015 that invalidated Safe Harbor, the CJEU clearly stated (§94) that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”.

Similarly, the “Article 29 Working Party”, which brings together the European Data Protection Authorities (and which has become, since the entry into force of the GDPR, the European Data Protection Board), published last December its first review report on Privacy Shield where it “recalled its long-standing position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights”.

In 2016 the ECtHR gave the impression that it might follow a similar path. In a judgment condemning Hungary for its legislation on secret anti-terrorist surveillance, the ECtHR noted that “both the CJEU and the UN Special Rapporteur require secret surveillance measures to answer to strict necessity – an approach it considers convenient to endorse” (emphasis added). Indeed, in this case the Court limited the national margin of appreciation greatly, emphasizing that “given the particular character of the interference in question and the potential of cutting-edge surveillance technologies to invade citizens’ privacy, the Court considers that the requirement “necessary in a democratic society” must be interpreted in this context as requiring “strict necessity” (Szabo and Vissy v. Hungary, §73).

The Centrum för Rättvisa v. Sweden and the Big Brother Watch judgments show a clear departure from this position and raise questions about a certain “fragmentation” of European data protection and privacy law.

Adapting Existing Safeguards to the Mass Surveillance Era?

Of course, the Big Brother Watch judgment attempts to strike the right balance between, on the one hand, deferring to national security considerations and endorsing the policy of mass surveillance and, on the other hand, the need to effectively protect human rights, by insisting on a series of conditions and safeguards that States should meet in order to limit the risks of abuse.

However, one could note here a certain paradigm shift in the case law of the Court. The endorsement of the policy of mass surveillance seems to lead the Court to “adjust” the conditions and requirements of its own case law.

Let’s take for instance the issue of notification. In previous judgments, the Court has held that “the question of subsequent notification of surveillance measures is inextricably linked to the effectiveness of remedies and hence to the existence of effective safeguards against the abuse of monitoring powers, since there is in principle little scope for any recourse by the individual concerned unless the latter is advised of the measures taken without his or her knowledge and thus able to challenge their justification retrospectively”. As a consequence, “as soon as notification can be carried out without jeopardising the purpose of the restriction after the termination of the surveillance measure, information should be provided to the persons concerned” (Szabo and Vissy, §86). In the Big Brother Watch judgment, though, the Court says that the very idea of ​​notification is logically incompatible with a mass surveillance system (which, by definition, is not targeted) and must therefore be discarded (§317).

Conversely, on other points the Court seems to require “more rigorous safeguards” (ex. §338) for mass surveillance to counterbalance the flexibility given to the authorities elsewhere.

It seems pretty clear then that, in the case law of the ECtHR, we now have two separate legal regimes: a “classic” one, for targeted surveillance; and a second one designed for mass surveillance. It remains to be seen how the two will communicate and how developments in one field could affect the other.

No ex-ante authorization by an independent authority for mass surveillance measures?

The issue of ex-ante authorization is an example of this. In previous judgments (such as in Zakharov §258 or in Szabo and Vissy §77) the Court held that authorization to conduct surveillance should be given (except in exceptional cases) either by a judge (preferable option) or by an administrative authority independent from the Executive Power. This is a procedural requirement intending to avoid abuses and has proved useful in the structuring of intelligence laws in Europe. Moreover, the Court monitors not only the respect of this procedural condition but also whether it is effective: in the case of Zakharov (2015), for example, it condemned Russia because, while ex-ante judicial review was provided by law, the Court considered that this control did not function effectively and therefore did not prevent the risk of abuse.

In Big Brother Watch, however, the Court neglects this procedural requirement. It states that while in the United Kingdom the authorization to carry out mass surveillance was given neither by a judge nor by an independent administrative authority, there is no problem because some elements show that there is no abuse by the Executive Power (§381).

For the Court, then, substance prevails over form. But we might lose in terms of legal certainty and predictability: it is one thing to lay down a clear procedural condition that States should respect – and then check of course whether it works effectively as in the Zakharov case; and it is another to remove this procedural requirement by saying that “what is relevant is whether or not there was abuse”. How will the Court evaluate this and according to what criteria? Is there not a risk of a two-speed control? On the one hand there are Eastern European countries (Hungary, Russia, Romania, Croatia, Bulgaria, Moldova, Turkey etc.), whose surveillance laws the Court has found to be in violation of the Convention; and on the other, there are Western countries (Sweden, United Kingdom, possibly France in the future) who could benefit from a more “flexible” evaluation because their democratic systems as such would be a pledge against abuse?

Dealing with Intelligence Sharing

Big Brother Watch is the first time that the Court has been asked to consider whether an intelligence sharing regime has complied with the Convention, namely by evaluating the exchange practices between the GCHQ and the NSA. The Court eventually considered that these practices did not violate the Convention and that the interference with human rights “was kept to that which was “necessary in a democratic society” (§244). There is a lack of room here to discuss this issue extensively, although Marco Milanovic made some interesting comments on it here. However, we should notice that the Court is almost exclusively concerned with the question of whether the sharing of information was “in accordance with the law” of the United Kingdom – and devotes only two brief paragraphs (§445-446) to the crucial question of proportionality. This part of the judgment could have been more analytical and the Court could have discussed further the issue of risks, that of prior authorization by an independent authority and that of the effectiveness of controls, safeguards and remedies.

Conclusion: Tracking the Constitutional Significance of the Fragmentation

The Big Brother Watch judgment is clearly an important one from a “political” standpoint as this was not only the first mass electronic surveillance case to be decided against the UK after the Edward Snowden revelations, but it was also a case directly concerning these revelations.

The judgment is important from a legal standpoint as well, as it touches upon a great variety of important issues relating to mass surveillance. Its implications and ramifications need to be studied thoroughly.

Indeed, it will be interesting to examine closely, in the coming months and years, the constitutional significance of the fragmentation described in this article. Several important cases (concerning, for instance, data retention issues or legal challenges to Privacy Shield) are currently pending in the CJEU, while important surveillance cases (including several applications against the new French intelligence laws) are under examination by the ECtHR. Could the “lower” standards adopted by the ECtHR in Big Brother Watch have an impact on EU case-law? Or vice-versa? Are there situations (such as the ones directly concerning national security issues) that might be considered in the future as falling outside the scope of EU law and therefore be subject only to the ECtHR regime? And how could the Big Brother Watch judgement affect the pressure currently exercised by the European Parliament or by the WP29/EDPB to the EU Commission to renegotiate Privacy Shield?

While waiting for these questions to be answered, it remains to be seen if the parties will request a referral of the case to the Grand Chamber and if we might have in the future a Big Brother Watch 2.0. judgement by the Grand Chamber.

Many thanks to Mark Rees for helping put together these ideas during an interview with https://www.nextinpact.com