A Dangerous Convergence: The Inevitability of Mass Surveillance in European Jurisprudence

Recent Grand Chamber judgments in Big Brother Watch and Others v. United Kingdom and Centrum för Rättvisa v. Sweden held that some aspects of the UK’s and Sweden’s domestic surveillance regimes violated Articles 8 and 10 of the European Convention on Human Rights (“ECHR”). Despite the findings of violation due to insufficient safeguards, the Grand Chamber asserted that “bulk interception is of vital importance to Contracting States in identifying threats to their national security” and “no alternative or combination of alternatives would be sufficient to substitute for the bulk interception power” (BBW ¶ 166; CFR ¶ 365). As has already been discussed on EJIL: Talk!, the judgments normalize mass surveillance regimes for decades to come (see here).

An Emerging Convergence: Procedural Fetishism

In this post, I do not discuss the judgment in detail or repeat the same argument about the normalization of mass surveillance (although I strongly agree with it). Instead, I suggest that ECtHR’s approach in Big Brother Watch and Centrum för Rättvisa points to an emerging dangerous convergence on the legality of bulk surveillance operations between the two most privacy-friendly courts – the ECtHR and the CJEU. Thus, I will go through the recent CJEU case-law to show that the two Courts converge in their approach. Grounded in “procedural fetishism”, this convergence signals: not only can governments continue to deploy mass surveillance regimes, they can also share the information with other countries, as long as certain safeguards – even if sometimes (often?) vague – are incorporated (read more on Big Brother Watch’s proceduralist approach and its shortcomings here).

The procedural fetishism reinforces what I term the “inevitability of securitisation” narrative, which disregards the effectiveness or proportionality of blanket surveillance regimes, and instead assumes that they are inevitable and necessary for ensuring national security. The inevitability of securitisation narrative has risen to political prominence after 9/11, even as it was pushed back against by some actors in Europe, such as the Data Protection Authorities, the EU Parliament and NGOs, and, as I argue below – until recently, the CJEU.

The Fading Anti-Securitisation Stance at the CJEU

In particular, after the Snowden revelations in 2013, the CJEU initially pushed back against securitisation narrative with its numerous pro-privacy judgments, in which the Court rejected blanket data retention,  and data sharing mechanism with third countries whose surveillance regimes lacked sufficient safeguards. In its ground-breaking 2014 decision in Digital Rights Ireland, the CJEU invalidated EU Directive 2006/24/EC (known as “Data Retention Directive”, which required communications service providers to store traffic and location data for a period between 6 months and 2 years and maintain a surveillance database for law enforcement purposes) for its disproportionate interference with the Articles 7 and 8 Charter of Fundamental Rights of the European Union (“EUCFR”), guaranteeing the rights to private life and data protection respectively. The CJEU has rejected that blanket or indiscriminate data retention can be proportionate. In the subsequent case of Tele2 Sverige, the CJEU held that indiscriminate data retention for the purposes of fighting serious crime was incompatible with the EU law, thus extending the Digital Rights Ireland ruling to national data retention regimes in the EU Member States.

The CJEU further reinforced its opposition to “inevitability of securitization” narrative in cases concerning international data sharing. While these cases did not directly concern the legality of mass-surveillance regimes in the EU Member States, the CJEU still found ways to communicate its disapproval of the limitless securitization. In particular, in Schrems I, which came out in 2015, soon after Snowden revellations and the Digital Rights Ireland ruling, the CJEU invalidated the EU Commission’s decision the on adequacy of data protection provided by the Safe Harbour agreement, which had facilitated EU-US data-sharing between 2000 and 2015. The CJEU ruled that the Safe Harbour arrangement did not provide sufficient safeguards and remedies for the EU residents to challenge transfers of personal data to the US. This was because of the omnipotence of US surveillance regime, with little recourse for those in Europe. 

Similarly, in Opinion 1/15, the CJEU invalidated the proposed EU-Canada agreement on the transfer of PNR data due to lack of data protection safeguards and incompatibility of the agreement with EU fundamental rights framework. Furthermore, in the recent CJEU decision in Schrems II, delivered in July 2020, the CJEU invalidated (again!) the EU-US Privacy Shield framework, which enabled transatlantic data transfers between the two regions, due to lack of adequate safeguards in the surveillance framework of the receiving country – the USA. While the Court could not directly rule on the legality of the US surveillance regime, it again found its way to send a clear message: it is not ok for EU to send data to USA because of the extensive US surveillance framework.  Schrems II thus solidified a number of far-reaching CJEU judgments delivered after Snowden and suggested that the Court had developed a strong principled position on the limits of surveillance regimes and transfers of personal data to third countries (read more on Schrems II here).

In the most recent and relevant case to Big Brother Watch – Privacy International, decided in October 2020 – the CJEU unequivocally ruled that mass transmission of personal data by commercial operators to UK intelligence agencies is not consistent with EU law. The CJEU thus reiterated its strong position in Tele 2 Sverige, prohibiting bulk transmission and interception of personal data. Yet, because Tele 2 Sverige concerned data retention regimes for the purposes of combatting crime, Privacy International went a step further and imposed the same demands on the intelligence agencies. And if the intelligence agencies are not allowed to demand bulk data transmission from service providers for the purposes of national security, no other agencies are in any other context.

However, was Privacy International the final judgment in the CJEU’s “anti-securitisation” stance? Its decision in Quadrature Du Net, delivered in October 2020 at the same time as Privacy International, held that the EU law does not preclude indiscriminate data retention measures when Member States can prove legitimate and serious threats to national security. This contrasts sharply with CJEU’s earlier rulings in Digital Rights Ireland and Tele 2 Sverige, which insisted that to be proportionate, data retention had to be targeted. Again, Tele 2 Sverige did not concern national security, like Quadrature Du Net did, so maybe this is why the CJEU had adopted a softer approach, given that national security has traditionally been outside of European integration (on CJEU, national security and surveillance, read more here).

Could it be that lax proceduralist approach adopted in 2018 in the Chamber rulings in  Big Brother Watch ruling (very similar decision to Grand Chamber) and Centrum för Rättvisa (which found no violation at all!) had influenced the CJEU’s softer approach in Quadrature Du Net? Either way, Quadrature Du Net signals a paradigm shift away from the CJEU’s earlier progressive approach against securitisation and mass-surveillance. A further echoing of this approach in Big Brother Watch and Centrum för Rättvisa by the ECtHR’s GC points to a dangerous convergence of the two European courts on the acceptability of the good old “inevitability of securitisation” narrative in context of intelligence collection and sharing.

The Implications of Converging Judicial Acceptance of Mass Surveillance

This convergence around procedural fetishism, and the GC’s rulings in Big Brother Watch and Centrum för Rättvisa are shadowing the global pandemic, when world governments are increasingly relying upon intrusive methods of data collection and contract tracing to prevent the spread of COVID-19. Such convergence is dangerous, as it would most likely justify any surveillance measure deployed in the context of the pandemic in Europe.

The convergence on procedural fetishism also impacts ongoing reforms in the EU data protection and privacy law, including the EU’s preparation of the e-Privacy Regulation (set to repeal the e-Privacy Directive and complete the EU’s updated data privacy legal apparatus alongside the GDPR and the Law Enforcement Directive) and the ongoing discussions on the EU’s proposed e-Evidence package. Moreover, and the Council of Europe’s Cybercrime Convention Committee is working on the second additional Protocol to the Council of Europe’s Convention on Cybercrime with the latest draft published on 12 April 2021. The emerging convergence on the legality of mass surveillance between the ECtHR and the CJEU – which are often regarded as the most pro-privacy Courts in the world – strengthens the negotiating position of law enforcement agencies and governments in these ongoing discussion and reforms by affirming the prima facie legality of mass surveillance measures, within the wide “margin of appreciation”, afforded by the ECtHR.

The constitutional significance of such an increasing convergence between the two powerful European Courts remains to be seen – but it will have serious implications for the future development of data protection and privacy law, mass surveillance programs, and data retention and sharing frameworks. Mass-surveillance regimes will become increasingly popular and legitimate in the EU, wider Europe, and beyond.

*****

The author thanks Australian Research Council for research funding under Discovery Early Career Research Award scheme (project number DE210101183) and Emily Hunyor for her research assistance.