European privacy campaigners win battles against mass surveillance by UK and Swedish governments, but have they lost the war?

Back in 2018, the European Court of Human Rights (ECtHR) ruled that the UK’s mass interception of fiber-optic cable traffic violated people’s right to privacy because of insufficient safeguards. The privacy groups who brought the action felt that judgment did not go far enough in declaring the mass surveillance practices unlawful, and so asked for the case to be considered by the “Grand Chamber” of the EctHR, its highest court. The Grand Chamber has taken the occasion to lay down general principles for establishing whether mass surveillance – also known as “bulk interception” – is compliant with the European Convention on Human Rights, the main framework for privacy and human rights in Europe. According to the new guidelines:

in view of the changing nature of modern communications technology, its ordinary approach towards targeted surveillance regimes needed to be adapted to reflect the specific features of a bulk interception regime with which there was both an inherent risk of abuse and a legitimate need for secrecy. In particular, such a regime had to be subject to “end to end safeguards”, meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation were being defined; and that the operation should be subject to supervision and independent ex post facto [retroactive] review.

Applying those principles, the Grand Chamber found that there were three defects in the UK’s mass surveillance activities. The bulk interception had been authorized by a government minister, not by an independent body; when applying for a warrant there was a failure to include the search terms that would be used; and a failure to ensure that search terms relating to an individual – such as an email address – were subject to prior authorization. The Grand Chamber also found that journalists’ sources were not protected from bulk interception, as required by Article 10 of the Convention. However, in a win for the UK government, the judges held that the framework for requesting and receiving intelligence from foreign governments – for example, from the US – had implemented sufficient safeguards to protect against abuse. The Grand Chamber said that these would ensure that the “UK authorities had not used requests for intercept material from foreign intelligence partners as a means of circumventing their duties under domestic law and the Convention.”

On the same day, the Grand Chamber published another judgment concerning bulk interception, this time conducted by the Swedish government. The judges used the same legal framework as they had for the UK case, and found:

that Swedish intelligence services had taken great care to discharge their duties under the Convention and that the main features of the Swedish bulk interception regime met the Convention requirements. However, the Court concluded that the regime suffered from three defects, namely: the absence of a clear rule on destroying intercepted material which did not contain personal data; the absence of a requirement in the [Swedish] Signals Intelligence Act or other relevant legislation that, when making a decision to transmit intelligence material to foreign partners, consideration was given to the privacy interests of individuals; and the absence of an effective ex post facto review.

Taken together, the two judgments might seem to be good wins for privacy campaigners. The activities of both the UK and Swedish governments were both ruled as unlawful, and Snowden’s 2013 concerns about the unrestrained collection of personal data by US and UK intelligence agencies – the starting point for the UK case – were confirmed. However, as well as these surface victories, there is a deeper defeat here. It is well articulated by one of the judges, Pinto De Albuquerque, in his dissenting opinion added after the main ECtHR decision. He concludes:

This judgment fundamentally alters the existing balance in Europe between the right to respect for private life and public security interests, in that it admits non-targeted surveillance of the content of electronic communications and related communications data, and even worse, the exchange of data with third countries which do not have comparable protection to that of the Council of Europe States. This conclusion is all the more justified in view of the CJEU’s peremptory rejection of access on a generalised basis to the content of electronic communications its manifest reluctance regarding general and indiscriminate retention of traffic and location data and its limitation of exchanges of data with foreign intelligence services which do not ensure a level of protection essentially equivalent to that guaranteed by the Charter of Fundamental Rights. On all these three counts, the Strasbourg Court [the ECtHR] lags behind the Luxembourg Court [the CJEU], which remains the lighthouse for privacy rights in Europe.

For good or ill, and I believe for ill more than for good, with the present judgment the Strasbourg Court has just opened the gates for an electronic “Big Brother” in Europe.

As that points out, the EU’s highest court, the Court of Justice of the European (CJEU), still seems to be resisting the move to accept mass surveillance as acceptable. But going by these latest judgments, the European Court of Human Rights has given up fighting against it in principle, and is content to haggle over the details of how it is implemented. That’s extremely bad news for privacy in Europe, unless the tide can be turned by future legal action at the CJEU – fortunately, still a possibility.

Featured image by Plinio the elder.