European Court: UK’s Mass Interception of Online Communications Violated Rights

European Court of Human Rights
European Court of Human Rights

European Court of Human Rights
Credit: CherryX via Wikimedia Commons

On September 13, 2018, the European Court of Human Rights (ECtHR) ruled that the United Kingdom’s bulk collection of online communications and its collection of data from communication service providers (CSPs) violated the rights to privacy and freedom of expression. See ECtHR, Big Brother Watch and Others v. the United Kingdom, nos. 58170/13, 62322/14, 24960/15, ECHR 2018, Judgment of 13 September 2018. Although the Court did not rule that mass collection is inherently a violation of privacy, disappointing many privacy advocates, the ECtHR held that such programs must have adequate safeguards to protect against abuse. [Sky News]

The decision is the first time that the ECtHR has reviewed the UK’s surveillance program since whistleblower Edward Snowden’s revelations in 2013, which revealed cross-border government surveillance efforts, including those by the UK intelligence agency Government Communications Headquarters (GCHQ) to intercept millions of private communications. [Guardian] The ECtHR did not consider the legality of the 2016 legislative amendments to the UK’s surveillance program, which followed the Snowden disclosures and are currently being challenged domestically. [Guardian]

Background of the Case

The case addressed three aspects of the UK’s surveillance program: (1) the collection of the contents of communications; (2) the practice of sharing surveillance information with countries such as the United States; and, (3) the collection of communications metadata, including identity information, from service providers. See Big Brother Watch and Others v. the United Kingdom, Judgment of 13 September 2018, para. 269. The case was brought by human rights organizations, private companies, and several individuals who believed that their electronic communications were likely intercepted by UK intelligence services. See id. at paras. 1, 7-8. The applicants alleged that the UK’s surveillance scheme violated their rights under Articles 8 (private and family life) and 10 (freedom of expression) of the European Convention on Human Rights. See id. at paras. 269, 469.

ECtHR’s Analysis and Holding

Article 8: Right to Private and Family Life

The ECtHR held that both the mass collection of digital communication contents and the collection of communication metadata from service providers violated the right to privacy. See id. at paras. 388, 468. However, the Court held that the intelligence sharing of communication data with foreign governments did not. See id. at para. 448.

Under Article 8, any restriction on the right to privacy must be “in accordance with law” (having some basis in domestic law) and be necessary in a democratic society to achieve a legitimate aim. See id. at para. 305. To determine whether a State’s secret surveillance program, specifically its interception of communications, has a basis in domestic law, the ECtHR has held that the domestic law establishing the program must explicitly state the following six aspects of the program: “ See id. at para. 307. Despite the margin of appreciation that is afforded to States, their surveillance programs must meet these six minimum requirements. See id. at para. 315.

When evaluating a State’s secret surveillance program conducted for national security reasons, the ECtHR will also consider any arrangements for supervising the implementation of secret surveillance measures, procedures for notification of collection, and any remedies provided for collection. See id. at para. 307. For a collection program to meet the condition of “necessary to achieve a legitimate aim,” the ECtHR requires that there be adequate safeguards to protect individual’s privacy, and the Court has held that the extent of the required safeguards depends on the circumstances of the case, including the scope and duration of the surveillance measures; the grounds necessary for conducting collection; which State authorities are able to authorize, conduct, and oversee collection; and what remedies are provided by domestic law. See id. at 308. The Court explained that while prior independent judicial authorization of collection may constitute a “best practice,” judicial review is neither a “necessary nor sufficient [safeguard] to ensure compliance with Article 8.” See id. at para. 318, 320, 381.

The ECtHR found that while bulk collection of communication is not inconsistent with Article 8 as a matter of principle, the UK’s collection program failed to incorporate adequate privacy safeguards. See id. at paras. 317, 347, 357, 387. In particular, the Court focused on the lack of oversight of the program’s selection process, including which communications were collected, how intercepted communications were filtered, and how information was selected for review by government agents. See id. at 387. The Court also noted that the collection program failed to provide any safeguards for the examination of communications data intercepted in connection with communication contents. See id.

With respect to the bulk collection of communication metadata from service providers, the ECtHR found that the domestic law authorizing the collection was not “in accordance with law,” as required by Article 8 of the Convention, because the UK’s law allowed collection in cases prohibited under EU law. See id. at para. 467. However, the Court determined that the UK’s intelligence sharing scheme was clear concerning the process for transferring communication information and that it provided adequate safeguards because the program only allowed foreign collected information to be searched and collected in conformity with the UK’s national standards for searching. See id. at para. 447. The Court emphasized that States may not circumvent protections under Article 8 of the Convention by obtaining information from foreign governments that they would not otherwise be able to capture themselves. See id. at para. 410.

Article 10: Right to Freedom of Expression

The ECtHR also held that the collection of communication contents and metadata violates the right to freedom of expression (the Court did not consider whether intelligence sharing program implicated Article 10). See id. at para. 500. Under Article 10, any restriction on expression must be “prescribed by law” and necessary in a democracy to serve a legitimate interest. See id. at para. 470. Furthermore, any restriction on free expression that interferes with press freedom is a violation of the right to freedom of expression unless the restriction “is justified by an overriding requirement in the public interest.” See id. at para. 488. The ECtHR found that the collection of communication created a perceived risk of interference with the confidentiality of journalistic sources and accordingly, that the collection program posed a chilling effect on the freedom of the press. See id. at para. 495. Additionally, with respect to the collection of metadata from internet service providers, the Court found that the collection was not “in accordance with the law” for the same reasons that it failed to meet the Article 8 requirements. See id. at para. 499.

Dissenting Opinions

There were two separate dissenting opinions in this case. In the first, Judge Koskelo, joined by Judge Turković, dissented from the majority’s position that prior judicial authorization of communication interception is not necessary to protect the right to privacy. See id. (Koskelo, J., Dissenting) at paras. 24, 29. Judge Koskelo indicated that no policy of bulk collection can comply with Article 8 unless the program incorporates prior judicial review of collection. See id. In the second dissenting opinion, Judges Pardalos and Eicke objected to the majority’s ruling on whether the bulk collection of communications violated the right to privacy under Article 8. See id. (Pardalos, J. and Eicke, J., dissenting) at para. 1. Judges Pardalos and Eike stated that the collection regime had adequate safeguards to prevent arbitrariness and risk of abuse. See id. at para. 25.

ECtHR Jurisprudence on Mass Surveillance

Although Big Brother Watch and Others v. the United Kingdom marked the first opportunity for the ECtHR to address surveillance programs disclosed during the Snowden revelations, it is the second landmark surveillance case to come out of the ECtHR in 2018. See ECtHR, Centrum för Rättvisa v. Sweden, no. 35252/08, ECHR 2018, Judgment of 19 June 2018. Last June, the ECtHR ruled that Sweden’s bulk interception of electronic communication for the purposes of gathering foreign intelligence did not violate the right to privacy of a public interest law firm because there were adequate safeguards in place, such as prior judicial authorization of the bulk collection and a time limit of six months for the collection, among others. See Centrum för Rättvisa v. Sweden, Judgment of 19 June 2018, paras. 130, 179-81. Additionally, a case concerning France’s bulk collection under the French Intelligence Act of 2015 is pending before the ECtHR. See ECtHR, Association Confraternelle de la Presse Judiciaire v. France et 11 autres requêtes, nos. 49526/15, 49615/15, 49616/15, 49617/15, 49618/15, 49619/15, 49620/15, 49621/15, 55058/15, 55061/15, 59602/15, 59621/15, Communicated 26 April 2017.

Additional Information

The ECtHR is a regional human rights judicial body based in Strasbourg, France. The Court has jurisdiction to decide complaints submitted by individuals and States concerning violations of the European Convention on Human Rights by a State party to the Convention. All 47 Member States of the Council of Europe are party to the Convention.

For more information about the European Court of Human Rights, visit IJRC’s Online Resource Hub. To stay up-to-date on international human rights law news, visit IJRC’s News Room or subscribe to the IJRC Daily.