magnify
Home EJIL Analysis Surveillance without Borders: The Unlawfulness of the NSA Panopticon, Part II

Surveillance without Borders: The Unlawfulness of the NSA Panopticon, Part II

Published on November 4, 2013        Author: 

This is Part II of a post assessing the international law implications of the U.S. National Security Agency’s global spying program. Part I focused the general international law implications of the program. This part focuses on potential violations of human rights law and breaches of the law of diplomacy.

Constitutional fundamental rights binding the European states

In probably all surveilled states, citizens enjoy a constitutional right to privacy which has been affected by secret surveillance measures by the NSA. Fundamental rights embodied in European constitutions bind only the territorial state, not the USA. The territorial states’ responsibility under their own constitutional law could be involved through their condonement, toleration, or by just refraining from protesting against surveillance measures by the NSA.

In Germany, the secrecy of communication is protected by Art. 10 of the German Basic Law (Grundgesetz, GG). This fundamental right may be lawfully restricted. The principal relevant legislation in Germany is the Gesetz zur Beschränkung des Brief-, Post und Fernmeldegeheimnisses as of 26 June 2001, colloquially called the G10-Act. This Act allows for measures to repel “dangers to the troops of the non-German contracting parties of the NATO treaty” (§ 1 of the G10-Act). That Act allows for different types of restrictions of the fundamental right to privacy, for example “strategic limitations”. But all restrictions are tied to specific conditions, for example, “concrete clues” must exist to found a “suspicion”. Also, the Act only authorises specific German agencies to perform surveillance measures, notably the German intelligence service (Bundesnachrichtendienst). Third, specific procedures must be respected. Finally, the affected persons must be informed ex post, and they are guaranteed access to non-judicial remedies. None of these preconditions have been met in the course of NSA-surveillance. It remains to be seen whether German authorities have violated citizens’ fundamental right to privacy by tolerating NSA measures.

Positive obligations of ECHR member states

A different matter is that Germany (and other surveilled European states) probably violated the ECHR by concluding bilateral agreements which disregard the fundamental right to privacy as guaranteed by Art. 8 ECHR. Under the Matthews principle, ECHR member states are not allowed to escape their obligations under the Convention by “fleeing” into international law. Although the pertinent ECtHR case law is newer than the cold-war agreements, it does govern the current constellation.

This means that member states of the ECHR are not allowed to collaborate with a third state and to act as accomplices to that state’s human rights violations, e.g. by providing data and furnishing access to communication systems.

Quite to the contrary, member states of the ECHR are obliged to protect persons under their jurisdiction from threats to human rights emanating from third actors, including foreign states. This duty of protection may require the member states to take effective diplomatic and legal measures against the United States. The positive obligations arising from the ECHR are obligations of conduct, not of result. States do not need to undertake steps which would place an undue burden on them. When assessing that burden, we may take into account the member states’ wish to avoid major political dispute with a foreign state. However, the overall balance must result in an adequately sufficient level of human rights protection. The positive obligations might even imply a legal duty to examine in earnest the termination of the mentioned international agreements of the 1960s. But it would be difficult to argue that the ECHR obliges a member state to institute a complaint against the United States before an international court or tribunal.

Violation of the international human right to privacy by the United States

Another matter are potential violations of the human right to privacy as guaranteed in international law, and which is apt to address US authorities directly. This right is embodied in Art. 12 of the Universal Declaration of Human Rights, adopted by the United Nations GA on December 10, 1948. It may well be that this right already has the status of customary international law. The right to privacy is also codified in Art. 17 of the Covenant on Civil and Political Rights (CCPR).

A preliminary question is whether the United States is bound by this Convention. The state has ratified the Covenant in 1992, but has deposited a number of reservations, declarations, and understandings. This included the Senate’s statement that the provisions of the Covenant are not self-executing. This means that they cannot be invoked before US Courts, but it does not mean that the state, as an international legal person, is not bound by the Covenant.

Extra-territorial obligations of the United States?

The next preliminary question is the Covenant’s scope ratione personae. This is an issue because the NSA activities were performed outside the territory of the United States. The extra-territorial bindingness of human rights conventions has been under much debate recently. Under Art. 2 CCPR, “[e]ach State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognised in the present Covenant (…).” The two conditions mentioned in this provision are cumulative. The state is bound either within its territory or vis-à-vis persons under its “jurisdiction”, even if the affected persons are not situated within the state’s territory (See only ICJ, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion of 9 July 2004, ICJ Reports 2004, 136, paras. 107-111; and the case-law of the UN Human Rights Committee (Lopez Burgos v. Uruguay of 29 July 1981, No. 52/1979, Doc. A/36/40, paras. 12.2-3; Celiberti v. Uruguay (1981) of 29 July 1981, 56 /1979, UN Doc A/36/40, para. 10.3)).

One key notion to determine whether “jurisdiction” is present is the term of “control”. The typical forms of control are control over territory and over persons. The paradigmatic types of control over persons are confinement, internment, and imprisonment. A key question in our context is whether surveillance as such can establish “control” in the sense of the concept of jurisdiction which defines the applicability of human rights treaties.

In Al-Skeini, the European Court of Human rights mentioned three types of extra-territorial control over persons which are apt to trigger “jurisdiction” in terms of Art. 1 ECHR (ECHR [GC], 7 July 2011, Al-Skeini v. UK, No. 55721/07, paras 133-135). These are (1) acts of its authorities which produce effects outside its own territory, and (2) acts of diplomats abroad: “it is clear that the acts of diplomatic and consular agents, who are present on foreign territory in accordance with provisions of international law, may amount to an exercise of jurisdiction when these agents exert authority and control over others”(ibid., para. 134). The third type is the use of force, which may bring people under control.

The mere surveillance as such does not constitute physical control, but it may (depending on the extent and intensity) constitute virtual control. It is not too far-fetched in the cyber-age to imagine that this type of control might also trigger the human rights obligations of the “virtual” controller.

Art. 17 CPR also protects privacy in the Internet

Secret surveillance of Internet communication interferes with privacy. The word used in Art. 17 CCPR is “correspondence”; the provision does not mention the telephone or the Internet. But the wording dates from 1966, when telephones were rare and the Internet did not exist. It has been construed broadly. The UN Human Rights Committee’s General Comment 16 specifies: “Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.” (CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, of 8 April 1988, para. 8).

This means that the GA-Resolution, proposed in October 2013 by Germany and Brazil, would not create new law but merely clarify the existing human rights protection of privacy in the Internet.

Violation if unjustified interference

The right to privacy is not absolute. It may be lawfully restricted; it is violated only if the restrictions are not justified. The wording of the CCPR prohibits “unlawful or arbitrary interference” with privacy and correspondence. Beyond this old-fashioned wording, the proper, generally acknowledged test for determining the admissibility of a human rights restriction is the following: there must be a basis in law, the governmental measures must pursue a legitimate aim, and they must be proportionate. When these conditions are not satisfied, interference with privacy or correspondence is “unlawful or arbitrary”, and thereby constitutes a violation of the human right.

Germany could not, via the secret agreements, consent to human rights restrictions and thereby justify them. Governmental consent as such does not remove a potential unlawfulness of any interference with the citizens’ right to privacy, exactly because this right to privacy does not “belong” to the state of Germany, but on the contrary is directed against the state.  However, an international treaty can in principle constitute a legal basis for the limitation of a fundamental right. The legal basis must be sufficiently precise. “[R]elevant legislation must specify in detail the precise circumstances in which such interferences [with the human right to privacy] may be permitted.” (General Comment 16, para. 8).

Moreover, the necessity of a legal basis is only one prong. In addition, the impugned measure’s objective must be legitimate and the restriction must be proportionate. The policy of combatting terrorism and transnational crime is surely a legitimate objective. But the third condition does not seem to be fulfilled in the case of large-scale and systematic surveillance. It is of course difficult to assess the proportionality of a governmental measure in the absence of a thorough knowledge of the facts. However, dragnet searches and stock data retention of the entire population or large groups without concrete indications founding a suspicion that terrorist or criminal acts are being planned seems prima facie disproportionate and unnecessary.

Threats to the right to privacy emanating from Google and Microsoft

Another matter is the involvement of private actors (Google and Microsoft) in the surveillance activities. Within the traditional international legal framework, these actors are not themselves directly obliged to respect the human right to privacy, as guaranteed by the CCPR. But under the Ruggie Principles (The UN Guiding Principles on Human Rights and Transnational Corporations and Other Business Enterprises (2011), Report of the Special Representative of the Secretary-General with Guiding Principles in the Annex (UN-Doc. A/HRC/17/31) of 21 March 2011, endorsed by the UN Human Rights Council on 6 July 2011 (UN-Doc. A/HRC/RES/17/4), these transnational corporations incur a kind of soft international “responsibility”.

Additionally, their data gathering activities will engage the international responsibility of the United States. If Google and Microsoft have committed themselves to furnish data on Internet communication to US authorities, their data gathering, storing, and transmitting will normally be attributable to the United States. The pertinent principle of attribution is Art. 8 ILC Articles on State Responsibility, to the extent that corporate action in breach of Art. 17 CCPR has been taken “under the direction and control” of the USA.

Normative conflicts between ordinary treaties and human rights treaties

Another interesting issue are potential conflicts between bilateral treaties between Germany and the US on the one hand, and Art. 17 CCPR on the other hand. No formal hierarchy between human rights and “ordinary” international law exists in international law as it stands (except for the possible supremacy of those core human rights which constitute ius cogens). Still, as a matter of common sense, a human rights treaty should prevail. At the very least, the other treaties must be interpreted in conformity with human rights.

Does it matter for the normative status of the agreements of the 1950s and 1960 that those are “secret treaties”? Under 102 UN Charter, treaties should be registered with the UN. Although the non-registration does not lead to the agreements’ invalidity under international law, their secrecy does delegitimise them and makes the argument that they must somehow cede to the human rights treaties more plausible.

Is Germany under an obligation to rescind or denounce the administrative agreements of the 1960s? Here, Germany cannot rely on Art. 46 of the Vienna Convention on the Law of Treaties of 1969 (VCLT) to invoke invalidation of its consent to be bound by those agreements. This provision resolves the tension between respect for the domestic law of one contracting state party on the one hand, and the protection of the expectations of the other contracting party quite in favour of the former. Any invocation of invalidity of Germany’s consent would need to show that Germany consented “in violation of a provision of its internal law regarding competence to conclude treaties”, and that violation would have to be “manifest” and concern a rule of internal law “of fundamental importance”. We would need to examine to what extent domestic rules on the publication of treaties have been infringed by the omission to publish the administrative agreements of the 1960s. But overall it seems unlikely that Art. 46 VCLT is applicable and could lend a hand to terminating those agreements if need be.

Normative conflicts between domestic constitutional law and international human rights treaties

Another matter is a possible (but unlikely) resolution of conflict between the constitutional fundamental right to secrecy of correspondence and the parallel international human right to privacy. Suppose that the German Basic law and German legislation (upon careful examination by German lawyers) are deemed to allow for the NSA surveillance, while Art. 17 CCPR, in the reading given to the provision by international institutions, does not. The result would be a normative conflict between German domestic law and the UN Covenant. From the international perspective, the international human rights treaty prevails. But this is not necessarily so from the domestic German perspective. The German Constitutional Court, in its Görgülü-decision (Order of the Second Senate of 14 October 2004, – 2 BvR 1481/04) held that German administrative bodies and courts must “take” international law treaties “into account”, but that that this does not mean that they may disregard the German Constitution (Görgülü, paras 47-48 and 62-63). Courts only have to interpret ordinary domestic law, and the German Basic Law in conformity with international law, and must seek to harmonise conflicts. If this is not possible, they are bound to apply the German Constitution, even if this would run counter to international law.

Breaches of the law of diplomacy

A final question concerns breaches of the law of diplomacy through surveillance activities emanating from US embassies abroad, for example in Berlin. Art. 3(1) lit d) of the Vienna Convention on Diplomatic Relations of 18 April 1961 states: “The functions of a diplomatic mission consist inter alia in: (…) “ascertaining by all lawful means conditions and developments in the receiving State, and reporting thereon to the Government of the sending State; (…)”. This provision, first of all, refers to the domestic law of the host state. It is therefore important that the secret surveillance, in probably all affected states, constitutes a crime. Most states criminalise both the spying out of state secrets (by tapping inter-governmental communication) and spying on private communication, e.g. through illegal tapping of telephone conversations. For example § 96 of the German Criminal Code (Strafgesetzbuch; StGB) makes “Auskundschaften von Staatsgeheimnissen” a crime, and also the breach of confidential communication and spying and intercepting data (see § 201 StGB: Verletzung der Vertraulichkeit des Wortes; § 202a StGB: Ausspähen von Daten; § 202b StGB: Abfangen von Daten).

I submit that the word “unlawful” should be interpreted expansively so as to include not only unlawfulness under domestic law but also unlawfulness under international law. The modern approach to expressions such as these is to construe them autonomously, i.e. not as pure renvois to domestic law, in order to contribute to a universal understanding of the treaty provision.

The interesting point about possible violations of the law of diplomacy is that this actually opens the way to the International Court of Justice. The Optional Protocol of the Vienna Convention on Diplomatic Relations Concerning the Compulsory Settlement of Disputes of 18 April 1961 was ratified by the United States in 1972 (and was not rescinded like the Optional Protocol on Consular Relations).

Its Art. I foresees that “[d]isputes arising out of the interpretation or application of the Convention shall lie within the compulsory jurisdiction of the International Court of Justice and may accordingly be brought before the Court by an application made by any party to the dispute being a Party to the present Protocol.” Given the fact that both Germany and the United States are parties to the Protocol, Germany could institute proceedings before the ICJ with the complaint of a breach of the Diplomatic Convention.

It is generally assumed that the US-American culture lays a strong emphasis on the protection of privacy, more than the European legal culture. In fact, the concept of privacy is an Anglo-American one which only in the last decades has been received in Europe. In the post-9/11 constellation, sensibilities seem to have been reversed. Or it may be that Americans care more about their own privacy under US-constitutional law, as opposed to foreign citizens’ privacy. But international law does not allow this type of gazing without being seen; it prohibits the modern Panopticon.

*I thank Raffaela Kunz for speedy research assistance and all participants of the Monday meeting at the Max-Planck-Institute for Comparative Public Law and International Law for valuable input.

Print Friendly
 

10 Responses

  1. Geoff Gilbert

    Did the NSA steal Part 1? Can’t find it via link above or original email link

  2. Sadie Blanchard Sadie Blanchard

    Thank you for the heads up. The link above should be working now.

  3. Jordan

    A few points:
    (1) with respect to the putative U.S. Declaration of non-self-execution, it should be recognized that in view of the Vienna Convention on the Law of Treaties and ICCPR H.R. Comm. Gen. Comment No. 24, etc., the declaration is treated like a putative reservation and, under the inconsistent with the object and purpose test, it is necessarily void ab initio as a matter of law. Additionally, there was no reservation to Article 50 and by express terms of that article all of the provisions of the ICCPR shall [i.e., mandatory self-executing language] be law in all parts of the United States. See http://ssrn.com/abstract=1989099 ; http://ssrn.com/abstract=1331159
    (2) there are many actors other than the “state” and international law has never been merely state-to-state, human rights have never been merely against the state — see, e.g., http://ssrn.com/abstract=1548112 ; http://ssrn.com/abstract=1701992 ; http://ssrn.com/abstract=1487719 . Article 5 of the ICCPR and the preamble are important bases for recognition of private duties under the ICCPR. Other human rights instruments also recognize private duties, see, e.g., the American Declaration of the Rights and Duties of Man, which applies in the Americas through the O.A.S. Charter and partly as CIL.
    (3) again (see response to Post No. I), the U.S. would be obligated re: persons under the actual “power or effective control” of the U.S. as such a phrase is used in connection with the reach of the ICCPR (despite claimes to the contrary by the Bush-Cheney regime which, hopefully, will not be mistakenly reitereated by the Obama Administration).

  4. David

    Highly inspiring post. From a layman: what about diplomats’ personal responsibility for breaches of the law of diplomacy? Is it true, as the leading legal commentator of a German public broadcaster just said, that they’d enjoy bullet-proof immunity from local prosecution? Even if they resort to clearly “un-lawful means”? (Just as one wonders what happens to them if i.e. they kill a local pedestrian in a hit-and-go incident)

  5. Jordan

    p.s. H.R. Comm. General Comment No. 20 (1992) recognizes private duties under the ICCPR: “or by private persons…. whether inflicted by people acting … in a private capacity.”

  6. Matthew

    Both posts on this subject matter appear to assume that the NSA conducted its actitivites from within Germany – how would the analysis change if the US tapped foreign heads of government either by using sattelites or coordinated and conducted its activities from locations based in the US? See e.g. the analysis of the ECtHR in WEBER AND SARAVIA v. GERMANY or Talmon’s comments: http://cjicl.org.uk/2013/11/06/tapping-german-chancellors-cell-phone-public-international-law/

  7. Jordan

    Matthew: if you mean re: initiating conduct in the U.S. and eavesdropping in Germany, Germany would have objective territorial prescriptive jurisdiction b/c there would be an intent to produce effects in Germany and effects in Germany plus, by fiction, a “continuing act” in Germany (since something is sent through the internet, etc.) as well as an innocent agent in Germany (since something is transferred into Germany and within Germany by the internet providers) so there are, by fiction, acts within Germany as well. Perhaps Germany would have protective jurisdiction if direct and significant national security interests were at stake.

  8. Matthew

    Hi Jordan, thank you for your response – I was referring to a scenario such as the one discussed in Weber and Saravia by the ECHR (http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-76586#{%22itemid%22:[%22001-76586%22]}) where the ECHR held that as “Signals emitted from foreign countries are monitored by interception sites situated on German soil and the data collected are used in Germany” the German authorities “have [not] acted in a manner which interfered with the territorial sovereignty of foreign States”. This applied to communciation not transmitted by fixed/land lines but only to information transmitted by radio signlas via satelites etc. (see para 88) So by analogy, if the US only intercepted signals emitted from Germany using interception sites situated within US territory (and not on embassy premises) and if the data thus acquired was used only in the US – then the US has not acted “in a manner which interfered with the territorial sovereignty” of Germany. I think this is the point Talmon makes in his post and which might actually be a very good argument the US could rely on.

  9. Jordan

    Matthew: sounds (metaphor?) interesting, but I am not sure how data is received, e.g., whether it is merely intercepted in the U.S. or on a satellite in orbit as opposed to use of worms, bugging devices, etc. and the internet or servers inside of Germany. Older claims had been that merely receiving information by satellite is permissible as opposed to transmitting information from a satellite into a foreign state.

  10. Clément Marquet

    Thanks for the read, a comprehensive review of the issue!

    I wonder about one point, though. Considering Google/Microsoft and others corporations under scrutiny here have a self-interest in the data gathered, if the US agencies are not expressly requiring them to gather the informations, does it still fit under art. 8 of the ILC Draft articles?

    To be clearer, if Google already owns the data for commercial purposes, the Government isn’t encouraging of asking them to do it, only tapping what the corporation already owns.