Op-Ed: “Big Brother (cannot) Watch: the Grand Chamber ruled against surveillance in the Snowden revelation’s aftermath” by Oreste Pollicino and Federica Paolucci
The Grand Chamber of the European Court of Human Rights has recently delivered the most important judgment on mass and bulk surveillance yet: Big Brother Watch and Others v. United Kingdom (application nos. 58170/13, 62322/14 and 24960/15), followed by another, Centrum för rättvisa v. Sweden (application no. 35252/08). The applications were lodged after Snowden, the former US National Security Agency (NSA) contractor, revealed the existence and use of the surveillance system between the intelligence services of the United States and United Kingdom.
One of the cores of this judgment is the applicants’ claim: relying on Article 8 of the European Convention on Human Rights (ECHR) (right to respect for private and family life and correspondence) and Article 10 ECHR (freedom of expression), they complained about the bulk interception of communication systems, the tolerance of intelligence from foreign governments and/or intelligence agencies, and the acquisition of data from communications service providers. The arguments of the claim are noteworthy not only for the case at hand but because they are summarising a whole spectrum of privacy related issues. It is a kaleidoscope that investigates the power related implications, both internal and external to the State, it muses the ‘Schrems Saga’ and originates from the Snowden revelations that radically changed the way we think of surveillance and privacy.
Even if all the premises to deliver a landmark judgement were on stage, the Grand Chamber ruling is, unfortunately, far from being considered so. Even if some human rights activists are labelling it as an important win for privacy, some weaknesses have not delivered a full win in the hands of the applicants.
The Chamber did not actually ban surveillance: they instead normalised those practices. The applicants’ claim was, in fact, that the bulk interception system was ‘neither necessary nor proportionate within the meaning of Article 8 of the Convention’ (paragraph 277). Nevertheless, even if the landscape is far from being bright and there is still lack of evidence on their actual functioning, those systems have been found by the Chamber to be ‘valuable’ and of ‘vital importance’ for the security of Member States (paragraphs 323, 324).
The Court indeed described bulk interception as ‘a gradual process in which the degree of interference with individuals’ Article 8 rights increases as the process progresses’ (paragraph 325). The criterion the Chamber applied is based on what is ‘necessary in a democratic society’. The Court reiterated the criteria that should be set out in law in order to avoid abuses of power: (i) the nature of offences which may give rise to an interception order; (ii) a definition of the categories of people liable to have their communications intercepted; (iii) a limit on the duration of interception; (iv) the procedure to be followed for examining, using and storing the data obtained; (v) the precautions to be taken when communicating the data to other parties; and (vi) the circumstances in which intercepted data may or must be erased or destroyed (paragraph 335). All of them should comply with the twofold systems of necessity and proportionality in order to be in accordance with the law.
The decision to operate a bulk interception regime did not therefore in and of itself violate Article 8. The Court considered that, in view of the changing nature of modern communications technology, its ordinary approach towards targeted surveillance regimes needed to be adapted to reflect the specific features of a bulk interception regime with which there was both an inherent risk of abuse and a legitimate need for secrecy. The Court elaborated also on the need for ‘end to end safeguards’ (paragraphs 350-360) throughout surveillance practices to respect fundamental rights. This would require an ex ante risk assessment to determine beforehand whether adequate mechanisms have been enforced to protect individuals’ fundamental rights by an independent or judicial authority.
Having said so, silence was maintained on many issues. It seems to dive into Nietzsche’s Eternal Return these days. From the reading of this judgment and the analysis of the recent draft proposal by the EU Commission, such as the AI Regulation, a huge void seems to hopelessly appear: the lack of redress mechanisms for the individuals. The Court avoided the whole extraterritoriality problem, even if this was one of the pillars of the story and conflicts with the principle of the rule of law.
It is also true that the UK Government did not raise any objection on this (paragraph 272): ‘In respect of the section 8(4) regime, the Government raised no objection under Article 1 of the Convention, nor did they suggest that the interception of communications was taking place outside the State’s territorial jurisdiction. Moreover, during the hearing before the Grand Chamber the Government expressly confirmed that they had raised no objection on this ground as at least some of the applicants were clearly within the State’s territorial jurisdiction’. A stance that does not satisfy and does not seem consistent with the real long-standing problem, as some commentators are also pointing out: the judicial manipulation of the parameter of ‘adequacy’, which is transformed in the different requirement of ‘essential equivalence’ and the unbalanced extraterritorial application of the ‘European’ privacy principles.
Once again, the worrying aspect here is not just the lack of clarity on the difficult balance among ‘sovereign’ powers, but the possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromising the essence of the fundamental right to effective judicial protection. The Court indeed avoided considering whether the risks of such programmes outweigh the intrusion into individuals’ privacy. The only aspect in this sense is the need for a ‘twofold’ approval: the Grand Chamber found that the sole authorisation from a minister is a risk, and bulk interception programmes need to be authorised by a judicial or independent body (paragraphs 350- 425). This seems a critical logical-juridical short circuit that, as Judge Pinto de Albuquerque underlines in the dissenting opinion, as judicial oversight cannot become ‘a panacea’: this last intervention is not feasible when the categories of offences are not per se set out by the domestic law with the necessary degree of clarity and precision.
This judgment appeared as an opportunity to shed light on many aspects: from the feasibility of the third-party doctrine in what is about to become the ‘data-driven society’, to the revision of the protection of metadata. The latter was also advocated by EDRi and other privacy watchdogs as long as the dichotomy that the Court is still applying to contents and metadata is not either technically or juridically acceptable. Far from the Malone v. UK judgement (application no. 8691/79), metadata can now provide a detailed and intimate picture of a person. Nonetheless, this aspect, like the aforementioned, was not taken into consideration by the Grand Chamber.
It would however be unfair to conclude that this is not a noteworthy decision as far as the Court addressed important issues such as the evaluation that certain aspects of the UK’s mass surveillance regime violated the right to respect for private and family life and correspondence (Article 8 ECHR), as well as the right to freedom of expression (Art 10 ECHR), through the infringement of the protection of journalistic sources. However, ‘the Strasbourg Court lags behind the Luxembourg Court, which remains the lighthouse for privacy rights in Europe’, as Judge Pinto wrote. This is not a sole matter of judicial bodies’ (missed) interplay, but it shows some worrying aspects: the normalisation of mass surveillance under the curtain of a fundamental rights-oriented approach. The provision of ex ante evaluation mechanisms and the pleading for the design of a regulation and administrative and judicial safeguards is the image of the tacit acceptance of those mechanisms within our society as the Court did not really question the substantive merits of these programs.
If we look at the problem in the long run, it is possible to foresee that we are going to deal with (even more) serious surveillance methodology. It is a matter of fact that our lives are bundled with ‘always-ready’ and ‘always-on’ devices. It is not the aim of this comment to articulate on whether law enforcement agents should be able to access IoT (Internet of Things) data with a warrant. However, it is crucial to understand that times are ripe for recognising the limits of traditional surveillance doctrines that do not take into adequate consideration the challenges of the ‘always-on’ devices or of the so-called ‘culture of surveillance’ (D. Lyon, 2018).
‘This judgment fundamentally alters the existing balance in Europe between the right to respect for private life and public security interests, in that it admits non-targeted surveillance of the content of electronic communications and related communications data, and even worse, the exchange of data with third countries which do not have comparable protection to that of the Council of Europe States’. As Judge Pinto observes, it is the risk of this new normality that worries the most.
Oreste Pollicino, Full Professor of Constitutional Law at Bocconi University in Milan. Member of the Managing Board of the European Agency for Fundamental Rights.
Federica Paolucci, LLM Candidate in Law of Internet Technology at Bocconi University in Milan.