The Big Brother Watch and Centrum för Rättvisa judgments of the Grand Chamber of the European Court of Human Rights – the Altamont of privacy?
On 25 May 2021 (coincidentally or not, the third anniversary of the entry into application of the General Data Protection Regulation, GDPR), the European Court of Human Rights (ECtHR) delivered its long-awaited Grand Chamber judgments in applications against UK and Sweden and their mass surveillance regimes. The landmark judgment Big Brother Watch and others v UK is the final outcome of the Strasbourg battle of 16 different organisations against the UK government mass surveillance regime, that began after the Snowden revelations in 2013. The Chamber judgment was delivered in 2018 (analysed previously by me here and on this blog here).
The Big Brother Watch judgment also had a ‘little sister’, Centrum för Rättvisa v Sweden. This is an older case against the Swedish intelligence agencies’ laws and their mass surveillance practices. The Chamber judgment is also from 2018, but the application was lodged back in 2008.
After the Grand Chamber judgments came out, Privacy International declared ‘an important win for privacy and freedom for everyone in the UK and beyond’. Admittedly, the Grand Chamber found Article 8 of the European Convention on Human Rights (ECHR; the right to private life) violations in both cases, thereby overturning the Chamber outcome of Centrum för Rättvisa. The Grand Chamber also took the opportunity to develop the Court’s case-law further, specifically regarding bulk interception regimes. It did not content itself with a mere application of the somewhat outdated Weber and Saravia criteria. The optimism of privacy activists is, therefore, understandable at the outset. However, I believe that the bigger picture (and lesson) from the judgments is far bleaker. I agree with professor Milanović, who names the judgments as a ‘grand normalisation of mass surveillance’ and tells us to forget about declaring landmark victories for privacy. I also agree with professor Ni Loideain, who calls the Grand Chamber judgments ‘not so grand’. I will try to explain the main reasons why Big Brother Watch, Privacy International, and many other privacy activists and experts have nothing to celebrate.
Missing principles and technical safeguards – mass surveillance by default
The Grand Chamber listened to the partly concurring and partly dissenting opinion of judges Koskelo and Turković from the 2018 Chamber judgment. Back in the day, they pleaded for a Grand Chamber decision developing new criteria, arguing that the case assessment should not have been carried out on the basis of the criteria developed in the existing case-law, primarily Weber and Saravia. They argued that the latter judgment was handed in 2006 and in the meantime the global circumstances, including the technological developments and surveillance techniques, changed so drastically that the Court must develop new criteria.
However, the development we are now witnessing does not necessarily represent an improvement of the Court’s case-law.
Most importantly, the Grand Chamber upheld the Chamber findings that the bulk interception of communications by intelligence services is per se compatible with the Convention. This conclusion is supported by several striking arguments. Here are some of the most important ones from Big Brother Watch judgment: in paragraphs 322 and 345 the Court finds that the bulk interception is used predominantly for ‘foreign intelligence gathering, the early detection and investigation of cyberattacks, counter-espionage and counter-terrorism’; in paragraph 344 the Court argues that bulk interception is ‘generally directed at international communications’ and ‘to monitor the communications of persons outside the State’s territorial jurisdiction, which could not be monitored by other forms of surveillance’. Sadly, in paragraph 340 we are told that the Internet is the most dangerous place, basically a platform for ‘proliferation of threats that States currently face from networks of international actors, using the Internet both for communication and as a tool, and the existence of sophisticated technology which would enable these actors to avoid detection’.
As judge Pinto de Albuquerque rightly points out in his partly concurring and partly dissenting opinion, these statements and arguments of the Grand Chamber are not supported by any empirical evidence. I would add that the Court is anyway not well placed, as brilliantly demonstrated by Paul Yowell, to carry out empirical assessments while carrying out its judicial review. In any event, reading such statements about bulk interception eight years after the Snowden revelations leaves me, in the Court’s own words, ‘perplexed’.
Be it as it may, the Grand Chamber does recognise that its bulk interception case-law has to be further developed. In paragraph 350, it calls for ‘end-to-end safeguards’, ‘meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ex post facto review.’
The Grand Chamber also admits that the Weber and Saravia safeguards were originally developed for targeted interception and replaces those six safeguards with a new eight-part set of criteria (paragraph 361):
- the grounds on which bulk interception may be authorised;
- the circumstances in which an individual’s communications may be intercepted;
- the procedure to be followed for granting authorisation;
- the procedures to be followed for selecting, examining and using intercept material;
- the precautions to be taken when communicating the material to other parties;
- the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;
- the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;
- the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.
However, the application of those new criteria in both judgments clearly demonstrates that they will not get us much further than the status quo. The principle-based assessment of the bulk interception regimes remains screamingly absent.
In the case of the UK, the violation of Article 8 ECHR results from three shortcomings out of eight criteria: ‘the absence of independent authorisation, the failure to include the categories of selectors in the application for a warrant, and the failure to subject selectors linked to an individual to prior internal authorisation’ (paragraph 425). In the Swedish case, the Court again finds three shortcomings: ‘the absence of a clear rule on destroying intercepted material which does not contain personal data, the absence of a requirement in the Signals Intelligence Act or other relevant legislation that, when making a decision to transmit intelligence material to foreign partners, consideration is given to the privacy interests of individuals; and the absence of an effective ex post facto review’ (paragraph 369).
Hence, violations of Article 8 ECHR found by the Grand Chamber are of a technical nature and constitute ‘easy fixes’ for the UK’s, the Swedish or any other national mass surveillance regime.
Both judgments are long and very complex, and many of their paragraphs deserve careful analysis in the months to come. However, the trend is obvious. First, the Court of Justice of the European Union (ECJ) backtracked in La Quadrature du Net and others (analysed previously on this blog here), where general and indiscriminate retention of traffic and location data was allowed for purposes of safeguarding national security, while general and indiscriminate retention of ‘civil identity’ data was allowed also for law enforcement purposes. Now, the ECtHR ‘races to the bottom’ and accepts bulk interception regimes by intelligence agencies, which is something that the ECJ, to the extent it is competent to do so in matters of national security, refused to do in Privacy International (paragraphs 78-81; analysed previously on this blog here).
The consequences of these judgments are grave. Firstly, by accommodating the alleged needs of intelligence and law enforcement agencies, the highest European jurisdictions accept mass surveillance for national security purposes and a removal of online anonymity for law enforcement purposes as the ‘new normal’. This could have a spill-over effect to other State activities, in the pandemic (or post-pandemic) context. Secondly, in the UK context and its data protection adequacy talks with the European Commission, the Big Brother Watch can only strengthen the UK case. The UK can now argue that its mass surveillance regime is not per se violating the ECHR and that it will, or it already did, bring itself in line with the Strasbourg requirements easily. Thirdly, the judgments fit within the trend in Europe we can observe in the last five years, both on legislative and on judicial level. Rather than banning certain intrusive intelligence or investigatory measures at the outset, the trend is to allow and then burden it with several procedural and technical safeguards. However, in practice these safeguards often become just a bit more paperwork and rubber-stamping. In the cases at hand, the outcome could have been different if the Court had sought for answers to basic questions of principle, such as:
- how can the State deploy a mass surveillance regime, while respecting the purpose limitation principle (the cornerstone of both Convention 108 of the Council of Europe and of Article 8 of the Charter of Fundamental Rights of the European Union)?
- has the national legislator, in creating the mass surveillance regime, demonstrated the necessity and proportionality of the regime, by providing objective and empirical evidence in its support?
- has the legislator carried out a proper human rights/privacy/data protection impact assessment? If yes, how did it mitigate the detected risks for the affected individuals?
Finally, the disagreement between Luxembourg and Strasbourg Grand Chambers on the question of bulk interception regimes may result in the application of the more favourable Strasbourg regime, without involvement or knowledge of service providers, leaving the important conclusions of the Luxembourg Court in Privacy International empty of practical consequences (in October 2020, the ECJ prohibited bulk interception by state authorities of all individuals’ data and demanded that national legislation allowing the authorities’ interception of personal data collected by service providers must develop objective criteria for both the acquisition of a particular dataset from a service provider and its actual use by those authorities).
Part of the Grand Chamber recognises some of these dangers. Judges Lemmens, Vehabović and Bošnjak, in their partly concurring opinion, warn that ‘in performing the balancing exercise, the majority have failed to assign proper weight to private life and correspondence, which in several respects remain insufficiently protected in the face of interference by bulk interception’. In a more alarming tone, judge Pinto de Albuquerque, concludes his (long) partly concurring and partly dissenting opinion (containing a lot of arguments to which I fully subscribe) by saying that ‘for good or ill, and I believe for ill more than for good, with the present judgment the Strasbourg Court has just opened the gates for an electronic ‘Big Brother’ in Europe’ (paragraph 60).
If 25 May 2018 (entry into application of the GDPR) was the Woodstock of privacy, and Jan Phillipp Albrecht (MEP rapporteur) its Jimi Hendrix, then I am afraid that 25 May 2021 is the Altamont of privacy and judge Pinto de Albuquerque its Mick Jagger. Three years in, because of its failing enforcement mechanism, the GPDR is becoming, in the words of Johnny Ryan, ‘a collective hallucination’. The Law Enforcement Directive receives almost no attention from any of the stakeholders (the European Data Protection Board, for instance, still did not adopt one single set of guidelines on this instrument). The highest European courts are allowing mass surveillance schemes. The prospects for privacy and data protection seem gloomy.