The Grand Normalization of Mass Surveillance: ECtHR Grand Chamber Judgments in Big Brother Watch and Centrum för rättvisa

Yesterday the Grand Chamber of the European Court of Human Rights delivered its most important judgments on electronic mass surveillance (or bulk interception) post-Snowden: Big Brother Watch and Others v. the United Kingdom, nos. 58170/13 etc and Centrum för rättvisa v. Sweden, no. 35252/08. These follow on from, and largely affirm, the prior Chamber judgments, on which see more here and here. Other than all the mega armed conflict cases, this judgmental pair is as big a decision as one can get in Strasbourg, although CFR is very much the companion case to BBW. NGOs, including those who brought the UK claim, declared the judgments an “important win for privacy and freedom for everyone in the UK and beyond,” a “landmark victory“, a judgment that indeed “confirms definitively that the UK’s bulk interception practices were unlawful for decades.” But no. Not at all. That is not what these judgments do – except in the most technical sense. And if one had to describe them in terms of winning, I am pretty sure the lawyers of the UK and Swedish governments were not terribly displeased.

Why not? Because the most important thing about these Grand Chamber judgments is that, like the Chamber judgments before them, they normalize mass surveillance/bulk interception. The Court rejects the key argument made by privacy activists ever since the Snowden revelations that such surveillance programmes are categorically disproportionate. On the contrary, the Court finds these programmes – or at least their Anglo-Swedish varieties – to be “valuable” and “vital importance” to the security of member states, despite the lack of evidence before it on their actual functioning (BBW, paras. 323, 424). And yes, the Court finds violations in both cases, but these require comparably easy fixes; for the most part the two surveillance programmes are Convention-compliant (“The Court is satisfied that the main features of the Swedish bulk interception regime meet the Convention requirements on quality of the law and considers that the operation of this regime at the time of the Chamber examination was therefore in most aspects kept within the limits of what is “necessary in a democratic society”.” CFR, para. 373). Indeed, the Court’s review of the UK bulk interception system was that of its prior iteration, which was found somewhat wanting, and not of the current, much improved one, under the Investigatory Powers Act 2016, which would very likely “in most aspects” comply with all of the tests laid down in these cases.

So no, dear readers, these were not cases that privacy activists won. Nor was the “landmark victory” (or lack thereof) a close one. All but one of the 17 judges of the Grand Chamber accepted the necessity and proportionality of bulk interception (Judge Pinto caustically dissenting, with extra consternation at the end (his word not mine, BBW sep. op. para. 60). Three more judges in BBW and CFR  argued for a more privacy-protective approach (Lemmens, Vehabović and Bošnjak), in a careful and nuanced opinion, even while accepting bulk interception in principle. But two judges in CFR (Kjølbro and Wennerström) would have found no violations at all, penning an unusually unreasoned declaration in which they merely recorded their vote. So, no – not a “landmark victory” for privacy, but a grand, definitive normalization of mass surveillance by a virtually unanimous Grand Chamber for decades to come. Not that this is necessarily a bad thing, just to be clear, but this spade shouldn’t be spun out of being a spade.

That said, the two judgments are long, sophisticated and complex. In the remainder of this post I will not be aiming for a comprehensive analysis, but will rather flesh out some key takeaways beyond the basic bottom line set out above.

First, the BBW Grand Chamber (as the Chamber before it) elegantly avoids the whole extraterritoriality problem – i.e. the fact that states using bulk interception generally do so to collect the communications of people outside their territories – because the UK government did not raise this as an objection:

272.  In respect of the section 8(4) regime, the Government raised no objection under Article 1 of the Convention, nor did they suggest that the interception of communications was taking place outside the State’s territorial jurisdiction. Moreover, during the hearing before the Grand Chamber the Government expressly confirmed that they had raised no objection on this ground as at least some of the applicants were clearly within the State’s territorial jurisdiction. Therefore, for the purposes of the present case, the Court will proceed on the assumption that, in so far as the applicants complain about the section 8(4) regime, the matters complained of fell within the jurisdictional competence of the United Kingdom.

This was the wisest course of action for everybody concerned. But there is nonetheless something existentially concerning about a judgment that extensively deals with privacy protections that surveillance programmes must respect, while it remains unresolved in the subtext whether the vast majority of people affected by such programmes are even entitled to protection in the first place (they are, and the Court should eventually emulate the German Constitutional Court in saying so expressly). Note in that regard, however, that like the Chamber the Court here also says that the government did not suggest that the interception was taking place outside its jurisdiction, which may be a hint that if confronted directly with the extraterritoriality problem the Court would find that the Convention applied in a scenario in which the victim is outside the territory but their communications and data are within the territory (see also here and here).

On the merits the Grand Chamber judgment does, on its face, take a somewhat more privacy-protective approach than the Chamber one, and in fact the Court explicitly decided to innovate in adjusting its prior jurisprudence, mainly developed for the targeted surveillance context, to the bulk interception one. So the Court distinguishes between four different stages of the bulk interception process (BBW para 325) and holds that states must provide “end-to-end” safeguards at every stage of this process:

350.  Therefore, in order to minimise the risk of the bulk interception power being abused, the Court considers that the process must be subject to “end–to–end safeguards”, meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ex post facto review. In the Court’s view, these are fundamental safeguards which will be the cornerstone of any Article 8 compliant bulk interception regime.

Because it is examining the bulk interception regimes in abstracto, and not how they’ve been applied to any given case, the Court primarily looks at the quality of the domestic regulatory framework and develops an eight-part test in that regard, saying that it needs to examine whether that framework clearly defined (para 361):

1. the grounds on which bulk interception may be authorised;
2. the circumstances in which an individual’s communications may be intercepted;
3. the procedure to be followed for granting authorisation;
4. the procedures to be followed for selecting, examining and using intercept material;
5. the precautions to be taken when communicating the material to other parties;
6. the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;
7. the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;
8. the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.

And the Court also says that the same safeguards should apply to the collection and processing of communications data/metadata, not just the content of communications (paras 342, 363-4).

But all of these privacy-protective principles are immediately qualified in how they are being applied. The Court’s overall posture is very deferential towards the respondent governments, especially as to the actual functioning of the surveillance programmes in fact. While differentiating between the various stages of such programmes, the Court even says that the mere collection of data “does not constitute a particularly significant interference” with privacy (para. 330). And yes collecting metadata is intrusive and the safeguards should be the same, but no they need not be treated identically to content (paras 364, 423). The eight-part test is part of a “global assessment” of the proportionality of the programme (para 360), so that a state failing one of the criteria can nonetheless compensate for that failing by being very good on some of the other criteria. These are in other words useful indicators, but there are few specific minimum standards that need to be met.

The bottom line is essentially one of a very process-focused type of analysis – the rules need to be clear and detailed enough, and safeguards need to be in place, but if they are bulk interception is basically Convention-compliant. The Court does not really engage with the broader question of whether the benefits of such programmes outweigh the intrusion into the privacy of the individuals whom they affect – that is more or less assumed, on the basis that better-placed institutions within these states already made such determinations. Thus, in addition to the issues regarding the selection of communication bearers and search criteria that were already identified by the Chamber, the main fault with the UK’s regime was that the authorization for such programmes could be made by a minister. While judicial authorization is still not regarded as indispensable, the Court now holds that bulk interception programmes need to be authorized by a body independent of the executive (BBW paras 350, 377, 425). Today that is the case in the UK, because the authorization of surveillance needs to go through a double-lock of approval by a minister and by an independent judicial commissioner. And Sweden was also fine on that front, because authorization was made by a special intelligence court. Sweden was at fault, however, for not having the possibility for effective ex post facto review by such a court, which the UK did and does have.

Finally, there is the whole question of intelligence sharing – in CFR the actual sharing of intelligence to third parties (e.g. Sweden sends information obtained by intercept to the US), in BBW the solicitation and receipt of such information from a third party (e.g. the UK asks for it from the US). Here the GC judgment largely traces the judgments below, but with some developments. And here too the unresolved extraterritoriality issue lurks in the background – would, for example, the Convention even apply if state A shared intelligence with B about a person located in C?

Thus, Sweden was now found to be in violation of Article 8 ECHR because its law did not specify that its intelligence agencies had to take the privacy interests of the affected individual into account when deciding to share information with third parties, including by conducting a necessity and proportionality analysis and assessing whether the recipient partner had minimum safeguards in place (CFR paras 327-330), unlike UK law and practice. As for these safeguards (BBW para 362, CFR para 276):

to date the Court has not yet provided specific guidance regarding the precautions to be taken when communicating intercept material to other parties. However, it is now clear that some States are regularly sharing material with their intelligence partners and even, in some instances, allowing those intelligence partners direct access to their own systems. Consequently, the Court considers that the transmission by a Contracting State to foreign States or international organisations of material obtained by bulk interception should be limited to such material as has been collected and stored in a Convention compliant manner and should be subject to certain additional specific safeguards pertaining to the transfer itself. First of all, the circumstances in which such a transfer may take place must be set out clearly in domestic law. Secondly, the transferring State must ensure that the receiving State, in handling the data, has in place safeguards capable of preventing abuse and disproportionate interference. In particular, the receiving State must guarantee the secure storage of the material and restrict its onward disclosure. This does not necessarily mean that the receiving State must have comparable protection to that of the transferring State; nor does it necessarily require that an assurance is given prior to every transfer. Thirdly, heightened safeguards will be necessary when it is clear that material requiring special confidentiality – such as confidential journalistic material – is being transferred. Finally, the Court considers that the transfer of material to foreign intelligence partners should also be subject to independent control.

As for the UK, its system of safeguards regarding the solicitation and receipt of signals intelligence from third parties was found to be Convention-compliant (BBW paras 500-14). The Court does hold that even requesting such intelligence is an interference with privacy that requires justification (496-7), but does NOT require that such requests be authorized by a body independent from the executive as with interception done domestically – see in that regard the separate opinion of judges Lemmens, Vehabović, Ranzoni and Bošnjak, who see no reason for treating these requests differently.

Let me stop there. In sum, this is a hugely important pair of judgments, which need to be seen for what they are – rightly or wrongly, the permanent normalization of mass surveillance in human rights terms. The price of that normalization is the subjecting of such surveillance to more rigorous regulation and administrative and judicial safeguards, but without really questioning the substantive merits of these programmes. Both the judgments and the various separate opinions are nuanced and sophisticated, and there are many individual paragraphs in them that would each require a detailed post. Some major issues lurk in the background but are avoided or not addressed – extraterritoriality foremost among them, but also whether any distinctions can justifiably be made between the state’s own citizens and foreign nationals. But that’s it for now – and no more dreams of landmark victories for privacy, you hear?