Bulk Surveillance: Europe’s Recent Landmark Judgements
On 25 May 2021, the ECtHR Grand Chamber delivered two landmark judgements in Big Brother Watch v United Kingdom and Centrum för Rättvisa v Sweden, which will likely shape human rights jurisprudence across Europe on bulk surveillance regimes.
The term “bulk interception” provides for the monitoring, including the collection, retention, and examination, of the private communications of vast numbers (perhaps millions) of individuals.
The collected information can include the content of those communications, for instance what was said in an email or an SMS, as well as information revealing the context and circumstances of its transmission, namely the “who”, “when”, and “where”. This rich and important contextual information is generally known as “communications data”.
Bulk surveillance regimes differ from targeted surveillance which focuses on obtaining information about the communications of a specific individual, such as a person who is already a suspect in a criminal case. Bulk interception, on the other hand, may be used to enable law enforcement and intelligence services to determine who of a group of people should be selected for targeted surveillance because they conform to certain pre-established “patterns of suspicion”.
Bulk interception may be used to enable law enforcement and intelligence services to determine who of a group of people should be selected for targeted surveillance
Bulk interception and access to communications data in the UK
In the case of Big Brother Watch v United Kingdom, the appellants challenged various provisions in the UK Regulation of Investigatory Powers Act 2000 (RIPA).
These powers included: (1) the Secretary of State’s power to issue bulk interception warrants (Article 8(4) RIPA); and (2) the power of certain designated persons to authorise the acquisition and disclosure of communications data retained by communications service providers under a separate legal obligation (Chapter II RIPA).
The process authorised by a bulk interception warrant involves three stages: (1) collection of information (through the interception of communications), (2) filtering of that information; and (3) selection of information identified through this process for further examination by law enforcement or security services.
For the collection stage, UK intelligence agencies will access some of the 100,000 “bearers” that currently make up the Internet based on the likely intelligence value of the communications they are carrying.
The filtering stage is then applied to the traffic on these bearers, selecting communications of potential intelligence value thus resulting in the creation of massive datasets.
…the selected communications are then subject to searches using novel and powerful methods of AI data analysis (such as machine learning)
Finally, the selected communications are then subject to searches using novel and powerful methods of AI data analysis (such as machine learning), to sift through these massive datasets. If considerable communications/product are retained, analysts (within the intelligence agencies) will then determine which of these should be examined based on what is “most likely to be of intelligence value”.
The inferences made as part of this process may be used to fill in gaps when piecing together a specific narrative, or profile of an individual or event, when investigating a serious crime or identifying a terrorist network. Law enforcement and intelligence services argue that the speed of this fact-finding process may also be critical to the prevention of these serious offences. They have also argued – contrary to the well-established surveillance case law of the ECtHR – that these three stages should be viewed separately and that only the final stage of examination engages individuals’ right to private life under Article 8 of the European Convention on Human Rights (ECHR).
However, as highlighted by the applicants in Big Brother Watch, all of these advances, alone and in combination, also increase the power and invasiveness of bulk interception regimes.
…these advances, alone and in combination, also increase the power and invasiveness of bulk interception regimes
Moreover, the ability to collect vast amounts of communications data and combine many different inferences about an individual’s life with sophisticated data mining for search criteria has also made having access to content often unnecessary.
The legal framework
Bulk interception warrants could only be authorised under RIPA by the Secretary of State with regard to the interception of overseas communications, i.e. where at least one end of the communication (sending or receiving) happened outside the UK. As part of the warrant, the Secretary of State had to certify both the descriptions of the types of communications included in the warrant and the fact that they considered the examination of materials that meet those descriptions necessary for the purpose of the warrant.
Access to communications data held by communications service providers was subject to a lower threshold. Specifically, Article 22 RIPA granted power to certain “designated persons”, usually those holding high office in specific public authorities, to authorise other persons holding offices, ranks, or positions within their own public authority to obtain such communications data for a range of different purposes. Those broad purposes ranged from standard public interests like national security, the prevention of crime, public safety and public health, to “the economic well-being” of the UK and tax collection, thereby granting access to a significant number of public authorities.
In the case at hand, the appellants argued that these RIPA powers violated individuals’ rights to private life under Article 8 ECHR and their freedom of expression under Article 10 ECHR because of their extensive scope and the lack of independent oversight at the time when the warrants or authorisations were issued. No prior authorisation by a court or independent administrative body, that is “a body which is independent of the executive“, took place during the three key stages of bulk surveillance. Instead, oversight under RIPA was entirely limited to ex post oversight by an “Interception of Communications Commissioner” and a “Tribunal”. A person had the right to make a complaint to the Tribunal if they were “aggrieved by any conduct falling within the scope of RIPA”, which they believed to have taken place in “challengeable circumstances” in relation to them or (in this case) their communications (Article 65(4) RIPA).
Consequently, proving that an individual has been swept up in one (or more) of these various wide nets of surveillance is very difficult or impossible
However, this process is severely hampered by the fact that affected individuals, the vast majority of which are innocent and of little interest to the police or intelligence agencies, are highly unlikely to have any awareness that they are under surveillance or of its consequences. Consequently, proving that an individual has been swept up in one (or more) of these various wide nets of surveillance is very difficult or impossible.
The Chamber judgement: Confusion ensues
These problems notwithstanding, the Court, in its earlier Chamber judgement in 2018, unequivocally upheld Contracting States’ general ability to engage in bulk surveillance, reasoning that a requirement on Contracting States to provide objective evidence of reasonable suspicion for the authorisation of bulk interception would be inconsistent with the wide margin of appreciation granted to them to operate such regimes. The Court (in a majority judgement) was also satisfied that the UK had not abused its surveillance powers based on the ex post independent oversight regime and the extensive independent investigations which followed the ground-breaking Edward Snowden revelations.
This was a blow to digital rights in Europe
This was a blow to digital rights in Europe even though the Chamber judgement also concluded that there had in fact been a violation of Article 8 ECHR because of the lack of oversight (including the selection of “bearers” for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst) and the lack of “any real safeguards” applicable to the selection of related “communications data” for examination.
These key findings were significant because they called a clear halt to any shift by the ECtHR towards an outright finding that mass surveillance regimes may be incompatible with Article 8 ECHR as indicated in previous cases (see particularly Szabó and Vissy v Hungary and the Grand Chamber case of Zakharov v Russia).
In Big Brother Watch, the Court also diverged considerably on applicable Article 8 ECHR safeguards with respect to bulk interception regimes from those applied in its previous related Chamber judgement in Centrum för Rättvisa v Sweden which notably did not result in a violation of Article 8 ECHR. Consequently, the appellants decided to refer the case to the Grand Chamber for review.
The Grand Chamber judgement: Not so grand
The Grand Chamber granted the applicants’ request for review in February 2019 and a hearing on the case took place in July of the same year. While the judgement itself is comprehensive, this analysis will focus on the two key takeaways that are likely to have the greatest significance for digital rights organisations:
1. Article 8 ECHR ‘does not prohibit the use of bulk interception to protect national security’ and there is no need to update its safeguards
The most significant question for the Grand Chamber was whether it would determine that the very principle of bulk interception fails to satisfy the proportionality condition of Article 8(2) and thereby falls outside a State’s margin of appreciation, rendering such regimes an unjustified interference and a violation of Article 8 ECHR (para 277).
That it declined to do so will be unsurprising for those familiar with the recent data privacy and surveillance cases of the ECtHR. Specifically, the Grand Chamber affirms the key holding from the Chamber majority judgement that the decision to operate a bulk interception regime in order to “identify threats to national security” is one which continues to fall within the “margin of appreciation” granted to Contracting States (para 340). This means that it is up the states themselves to decide on their use of bulk surveillance until there is more general consensus between Contracting States on its compatibility with Convention rights.
…the “sea change” of how much more pervasive and powerful state surveillance techniques have become in the 21st century
Here again, the Grand Chamber follows the Chamber judgement by not taking into account in its Article 8(2) assessment the “sea change” of how much more pervasive and powerful state surveillance techniques have become in the 21st century. Indeed, this point is forcefully made by Judge Pinto Albuquerque in his Partially Concurring and Partially Dissenting Opinion (para 58) who observes that the standards applied “should be more exacting than those of 2006 or 2008. This is exactly the opposite of what this judgment has delivered”.
Whether these standards satisfy the well-established “living instrument” doctrine, which requires the ECtHR to interpret and apply the ECHR “in light of new and emerging technologies in a manner that renders its safeguards practical and effective”, is no doubt a ripe area for future strategic challenge by digital rights advocates.
In addition, the Grand Chamber judgement is arguably based on some inconsistent reasoning, particularly with respect to its rejection of the applicant’s other main argument that “changes in both society and technology had resulted in the need for the Court to update its existing approach – and enhance the necessary safeguards – to ensure that Convention rights remained practical and effective” (para 280). While the Grand Chamber seems to accept the fact that technology has indeed moved on from when its current safeguards were established in previous caselaw – noting that “the scope of the surveillance activity considered in those cases would therefore have been much narrower” (para 341) – this was not sufficient to persuade it to change its assessment.
Following the Chamber judgement, the Grand Chamber ultimately rejects the applicants’ argument that there is a need to re-examine whether existing safeguards are fit for purpose. It concludes instead that adapting the “six minimum safeguards” developed from its caselaw dealing with the tapping of landline phones decades ago will suffice.
Thus, in striking contrast to the prescriptive safeguards of the CJEU, no minimum standards in fact will apply to the review of the compatibility of bulk interception regimes with Article 8 ECHR. This is further emphasised by the Grand Chamber immediately proceeding to clarify their status as “principles” (para 347). These safeguards therefore effectively amount to no more than best practice in what the Grand Chamber later states will ultimately be “an overall assessment” of a bulk retention regime (para 421).
2. From minimum standards to ‘a global assessment’ primarily focused on the ‘end-to-end’ safeguards of the domestic law
The Grand Chamber thus affirms the view taken in the Chamber majority judgement that the so-called Weber criteria (six minimum foreseeability safeguards) developed under the legality condition of Article 8(2) are not the minimum standard to be met in order for a bulk interception regime to be Article 8 ECHR-compliant.
This seems incredible given that a unanimous ECtHR judgement in 2016 held that Article 8 ECHR safeguards needed “to be enhanced” in light of the capacity of state surveillance to now acquire detailed profiles of the “most intimate aspects of individuals’ private lives” (Szabó and Vissy v Hungary).
In place of the Weber-criteria, the Court establishes a new eight-part set of criteria that it will examine when determining whether a domestic law governing a bulk interception regime contains adequate and effective safeguards and guarantees to meet the requirements of “foreseeability” and “necessity in a democratic society” (para 361), including:
- The grounds on which bulk interception may be authorised;
- The circumstances in which an individual’s communications may be intercepted;
- The procedure to be followed for granting authorisation;
- The procedures to be followed for selecting, examining and using intercept material;
- The precautions to be taken when communicating the material to other parties;
- The limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;
- The procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;
- The procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.
In another noteworthy departure from previous caselaw, the Grand Chamber establishes that in future the operation of a bulk interception regime will be subject to “a global assessment” that will focus “primarily on whether the domestic legal framework contains sufficient guarantees against abuse” and is subject to end-to-end safeguards (para 360). The exact details of what the “global” nature of such an assessment will entail are not addressed. Rather, the Grand Chamber proceeds to highlight that, in doing so, regard will be given to the more traditional proportionality requirement of examining the “actual operation of the system … and the existence or absence of any evidence of actual abuse” (para 360).
The Grand Chamber also places considerable weight on the role of independent oversight to minimise the “risk of the bulk interception power being abused” as the cornerstone of any Article 8 ECHR compliant regime (para 350):
“[I]n order to minimise the risk of the bulk interception power being abused, the Court considers that the process must be subject to “end-to-end safeguards”, meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ex post facto review. In the Court’s view, these are fundamental safeguards which will be the cornerstone of any Article 8 compliant bulk interception regime.”
In its overall deferential assessment of the domestic law “as a whole”, the Grand Chamber determines that the UK domestic law meets each of the above eight-part criteria with the exception of three “shortcomings” (para 426) which result in a violation of Article 8 ECHR. Falling within the scope of the filtering requirements under the fourth criterion, the Court takes issue with the failure of the domestic law to require that “categories of selectors” be included in warrant applications and the failure for there to be any “prior internal authorisation” of selectors linked to specific individuals (para 425).
The most significant deficiency for the UK legal framework now governing bulk interception regimes is the holding by the Court that the section 8(4) regime “lacked one of the fundamental safeguards; namely, that bulk interception should be subject to independent authorisation at the outset” (para 377).
The UK bulk regime framework reviewed by the Grand Chamber is no longer in force, having since been replaced with the Investigatory Powers Act 2016 (IPA). The new framework was initially devised because of a political compromise between the governing parties that formed the UK’s coalition government from 2010 to 2015. Since its adoption, it already had to be further revised, and additional safeguards included, following the CJEU judgement in Watson and Tele2. However, even under the IPA in its current form, the authorisation of bulk regimes is still not subject to ex ante independent authorisation by “a body that is independent of the executive” (para 351).
Digital rights organisations have been highly critical of this so-called “double lock” mechanism
Instead, the law currently provides that this prior authorisation is made by the Secretary of State with approval from a judicial commissioner from the Investigatory Powers Commissioner’s Office. Digital rights organisations have been highly critical of this so-called “double lock” mechanism, arguing that this effectively constitutes a highly diluted form of independent judicial oversight. Consequently, the Grand Chamber’s important determination may still have significant implications for the UK legislation currently in force and calls into question its compatibility with Article 8 ECHR and the UK Human Rights Act 1998.
Ultimately, the legal assessment and outcome of the Grand Chamber majority judgement in Big Brother Watch will be unsurprising to those familiar with its recent case law dealing with bulk surveillance systems and data retention.
Instead, there is now concern that both Grand Chamber judgements represent the “permanent normalisation of mass surveillance in human rights terms”
It will still, nevertheless, be a disappointment to digital rights groups who had urged the ECtHR to adopt at least some – if not all – of the high standards the CJEU continues to establish in its related landmark cases. This is particularly the case given that these standards have in fact been built on the previously lauded standard-setting jurisprudence of the ECtHR. Instead, there is now concern that both Grand Chamber judgements represent the “permanent normalisation of mass surveillance in human rights terms”.
The Grand Chamber judgements also have broader implications for the scrutiny of surveillance programmes across the EU and the ECHR legal orders.
The first is the clear departure for the ECtHR from its role as an important driving force in setting minimum standards in the review of laws governing state surveillance of communications across Europe. Secondly, the adoption of the general eight-part criteria and the more lenient approach of the ECtHR’s increasingly criticised joint-analysis assessment for bulk interception regimes means that there is now a clear and significant divergence between the rules and safeguards of the ECHR and EU legal systems with respect to the protection of fundamental rights and laws permitting bulk interception.
For now, the Grand Chamber has called a clear halt to any apparent shift by the ECtHR towards an outright finding that general and indiscriminate surveillance regimes may be incompatible with Article 8 ECHR. It is thus up to the Contracting States themselves, and their Constitutional Courts in line with the CJEU, to determine what shape this margin of appreciation may take in future.
Dr Nora Ni Loideain is Director and Lecturer in Law, Information Law & Policy Centre, Institute of Advanced Legal Studies, University of London and an Associate Fellow of the Leverhulme Centre for the Future of Intelligence, University of Cambridge. She is also a member of the UK Home Office Biometrics and Forensics Ethics Group (BFEG). Her book, EU Data Privacy Law and Serious Crime, is forthcoming from Oxford University Press.