Bearing in mind the three models of extraterritorial application that I outlined in my previous post, the only model which provides an easy, clear answer is the third one. If the negative obligation to respect the right to privacy is territorially unlimited, then any interference with this right in any place in the world would implicate the ICCPR or the ECHR. This is not to say that such interferences, whether through a mass surveillance program or a targeted one, would necessarily be illegal. Rather, any such interference would need to be substantively justified within the analytical framework of human rights treaties (i.e. is the interference prescribed by law; does it serve a legitimate aim; is it proportionate to that aim). No threshold question of jurisdiction would arise, and just like with purely internal surveillance the analysis would need to be one on the merits. But again, this is also not to say that on the merits internal and external surveillance would need to be treated equally in every respect – more on this in my next, and final, post.
The third model provides a clear answer on the threshold question of applicability, but also one that is very broad and immediately leads to examination of the merits which carries with it its own uncertainties. This is precisely why the third model may not be appealing to those actors, be they governments, secret services, courts, or what have you, who would want to avoid the difficulties of a merits analysis or the constrains of human rights treaties altogether.
I will thus proceed to situate the following discussion within the confined of the more established spatial and personal models. But as soon as I do so, we will see how we run into uncertainty, complexity, and potential for arbitrariness. This is at least partly due to the fact that technological advances in obtaining information have rendered the exercise of manual, physical power over individuals unnecessary or less necessary. While privacy law in the information era frequently developed by analogy to old-school physical searches or interferences, be it in domestic systems (say under the Fourth Amendment to the US Constitution) or in international human rights law, there comes a point at which such analogies are no longer feasible or are outright misleading.
But such analogies can be a useful starting point. I will now outline some scenarios of possible interferences with privacy through searches, interception, or surveillance, starting with the more physical and ending with the most virtual. Under existing case law all of these actions by state agents against individuals could in principle count as interferences with their privacy rights under either the ECHR or the ICCPR if these actions were to occur on the state’s own territory. The problem I want to get at is jurisdiction, i.e. whether human rights treaties would apply in the first place if the state engaged in such conduct extraterritorially under either the spatial or the personal model, and whether distinctions should be made in terms of jurisdiction between the physical and the virtual methods of gathering information.
The scenarios include:
(1) Physical search of a person.
(2) Physical search of a person’s property or residence.
(3) Physical access to a person’s computer system, phone or an electronic telecommunications or data storage device.
(4) Physical interference with a person’s correspondence with another individual without the exercise of physical coercion against either individual (e.g. the opening and copying of a person’s mail at the post office).
(5) Audio-visual surveillance of a person.
(6) Audio-visual surveillance of a person’s property or residence.
(7) Remote access to a person’s computer system, phone or an electronic telecommunications or data storage device.
(8) Interception of electronic communication midstream, without accessing the computer systems, phone or other telecommunications devices of either the sender or the receiver.
(9) Collection of metadata about the communication, rather than the content of the communication.
Let us now try to apply the spatial and personal models of jurisdiction to some of these scenarios.
Spatial Model: Individual in an Area under the State’s Control
The application of the spatial model would be straightforward in principle. If an individual is located in an area under the state’s control and the individual’s privacy is interfered with by the agents of the state, the ICCPR and the ECHR would clearly apply. Thus, if Angela Merkel was in New York City visiting the UN, and a CIA agent searched her hotel room, physically tampered with her phone or computer, or intercepted her communications remotely, she would be subject to US jurisdiction under the spatial model and her privacy would be protected by the ICCPR (again, this does not mean that the surveillance would necessarily be unlawful, but that it would have to be justified in order to be lawful). Note also that for the spatial model it is control over territory alone, and not title that matters – the result of this inquiry would be the same if Angela was visiting Iraq while it was under US occupation and the CIA did its business there.
A somewhat more difficult problem is if a state engages in surveillance of its own population and then provides the information it collected to a third party. The Five Eyes states share intelligence with one another, although the specific are of course unclear. The individuals concerned would certainly be within the jurisdiction of the collecting/sending state, but not under the jurisdiction of the receiving state, at least not under the spatial model. Various other complicity scenarios are possible (see, e.g., here for reports on the UK allowing the US to ‘unmask’ the personal data of UK residents, and here for reports about Norway sharing information it had collected with the US), but they introduce further complexities that I would prefer to avoid for the time being.
Spatial Model: Interference in an Area under the State’s Control
As Carly Nast pointed out in her post, technology now frequently leads to a disconnect between the location of the individual and the location of the interference with the individual’s privacy. For example, while sitting in her office in Berlin Angela Merkel can send an email to somebody in Australia but the communication itself can be routed through a server in the United States and intercepted there by the US. Angela is thus located in Germany, but the interference with her privacy took place in the US.
The question is how to determine state jurisdiction in situations in which the interference was done in an area under a state’s control, but the individual is not in any such area. Should we look at such cases under the spatial model, on the basis of the location of the interference, or under the personal model, by seeing whether the interception as such qualifies as an exercise of authority and control over the individual?
At a textual and conceptual level I am sceptical that the spatial model could be applied on the basis of the location of the interference alone. If the inquiry is whether the individual is within or subject to a state’s jurisdiction, and if ‘jurisdiction’ means an area under the state’s effective control, it is hard to see why the location of the interference should matter. But our intuitions, on the other hand, do seem to favour the application of human rights treaties in such circumstances. For example, I normally live and work in the UK, but I am now on sabbatical in the US. If tomorrow the UK police searched my flat in Nottingham or if they hacked into my office computer, surely the ICCPR and the ECHR would apply and my privacy rights would be engaged? If they seized my UK bank account while I was outside the UK, surely my property rights would be engaged? And so forth.
There have been plenty of cases before the European Court or the Human Rights Committee with such an extraterritorial element in which everyone, including the respondent state, simply took for granted that the treaty applied. Nobody ever doubted, for instance, that Article 6 ECHR fair trial rights applied to a person who was tried in absentia but who absconded to another state’s territory (see, e.g., Markovic v. Italy). Indeed, it would seem manifestly arbitrary for the Convention not to apply. If that is so, then why should privacy rights be any different – the question is what theory covers these kinds of situations.
The first option is to treat such situations under the spatial model, but as I have explained above that is problematic. The second is to examine them under the personal model. But if we accept that, for example, I am an individual under the ‘authority and control’ of the UK when UK agents search my flat in Nottingham even when I am outside the UK, I do not see how we could deny that I would also be under the authority and control of the UK if UK agents searched my flat in Ann Arbor, MI. Similarly, if the ECHR would apply to a search of my computer in the UK even while I am in the US, because in performing this search the UK is exercising authority and control over me, then I do not see why the ECHR would not apply to a similar search of my laptop by UK agents in the US. In other words, the location of both the individual and the interference seems to be irrelevant under the logic of the personal model.
A third option would be to say that what we have here are territorial acts producing extraterritorial effects, a line of thinking going back to the Strasbourg Drozd and Janousek case. But that is not, in my view, a sound way of conceptualizing the application of human rights treaties since in every case one can draw some kind of causal link between a territorial act (e.g. the decision to bomb Serbia in 1999 made by NATO governments in their own territories) and extraterritorial consequences (e.g. the bombing itself). The European Court for its parts sees Drozd in the context of the personal model only (see Al-Skeini, paras. 133, 135). Moreover in cases of surveillance the possible violation of privacy is entirely consummated by the act of surveillance itself, whether it takes place in an area under the state’s sovereignty, control, or beyond its control. My own preferred solution to such cases is hence the third model of jurisdiction that distinguishes between positive and negative obligations. The reason why the Convention would apply is because it should apply to all potential violations of negative obligations, e.g. the one to refrain from interfering with my privacy.
Whatever theory one chooses, surveillance programs in which the interference takes place within an area under the state’s control, even though the individual is not located in this area, may be more open to challenge than those programs in which both the interference and the individual are outside areas controlled by the state. For example, GCHQ’s massive Tempora program taps transatlantic fibre-optic cables as they pass through the UK and obtains enormous amounts of data. The interference hence takes place within the UK even though the person whose communication is intercepted is located outside it. Similarly, Australia is reported to have been using its embassies in a number of countries to intercept calls and data, equipping them with surveillance collection facilities, as part of the STATEROOM program of using diplomatic missions of the Five Eyes states. Recall, in that regard, the possibility of shrinking the spatial model of jurisdiction to cover smaller areas or places, as in Al-Saadoon, including embassies and military bases.
Notably, at least two surveillance/data collection cases before the European Court dealt with situations in which the interference was territorial while the individual was outside any area under the state’s control. In the first, Weber and Saravia v. Germany (2006), the applicants lived in Uruguay while their communication was allegedly intercepted in Germany. Germany actually even objected (para. 66) that the case was outside its jurisdiction under Bankovic, but the Court avoided the matter (para. 72) and dismissed the case as manifestly ill-founded. In the second, Liberty and Others v. the United Kingdom (2008), two of the applicants were Irish organization that communicated with a British one, and their communication was allegedly intercepted in the UK. Neither the UK government nor the Court proprio motu considered that an Article 1 jurisdiction issue arose with respect to the Irish applicants, i.e. they both assumed that the ECHR applied, and the Court went on to find a violation of Article 8.
The most problematic situation of surveillance is one where both the individual and the interference with their privacy take place in an area outside the state’s control, when we have to look at such cases through the personal model of jurisdiction. The case law of the European Court and the Human Rights Committee defines such jurisdiction in similar terms, as ‘authority and control’ or ‘power and effective control’ over individuals. The question is what exactly qualifies as such authority, power, or control, and how we would apply them to overseas surveillance. Consider the following scenarios, all of which for the sake of the argument take place in Berlin:
(1) A CIA agent grabs Angela Merkel, disables her escort (assume he’s some kind of judo badass), and then physically searches her for items in her possession.
(2) A CIA agent breaks into and searches Angela’s apartment and plants cameras and listening devices.
(3) A CIA agent manages to get Angela’s phone when she’s not looking, and furtively plants a tracking device in it.
(4) A CIA agent breaks into Angela’s office and hacks into her computer, uploading a virus and downloading sensitive data.
(5) A CIA agent observes and listens to Angela using a high-resolution camera/directed mike.
(6) A CIA agent observes Angela’s residence from the outside using a high-resolution camera.
(7) A CIA agent hacks Angela’s phone or computer remotely.
(8) A CIA agent intercepts Angela’s calls, texts, or emails midstream.
(9) A CIA agent is able to collect information about who Angela calls, when, for how long (telephony metadata) or whom and when she emails (internet metadata).
Which of these situations qualify as an exercise of authority, power or control over Angela? All, some, or none? As I explained in my previous post, the personal model of jurisdiction is prone to collapse (and that may be either a bug or a feature, depending on your point of view). It is very difficult to draw lines that are not arbitrary. Indeed, some lines clearly would be arbitrary, for instance if we said that in any of these scenarios Angela would be under US jurisdiction but only if she was a US citizen.
Of these nine scenarios, only (1) involves the exercise of physical power against Angela herself in the sense of an agent handling her bodily. (2)-(4) all involve the exercise of physical power, but against Angela’s property rather than her person. (5) and (6) are physical but non-corporeal, as it were. (7)-(9) are entirely virtual or digital.
I personally see no legitimate way of drawing lines here. If (1) equals jurisdiction, then why not (2)-(4), et cetera. In particular, if virtual methods can accomplish the exact same thing as physical ones, then there seems to be no reason to treat them differently and insist on some kind of direct corporeal intervention. Therefore, unless one is willing to knowingly draw lines that are arbitrary, for instance by requiring direct physical intervention or by using a nebulous and undefined criterion such the Bankovic/Al-Skeini concept of ‘public powers,’ the personal model would again seem to collapse and all cases of overseas surveillance would be within the state’s jurisdiction.
My final post will look at what the right to privacy might mean in the extraterritorial surveillance context, assuming that the ICCPR and the ECHR would indeed apply.