The European Court of Human Rights (ECHR) Grand Chamber this week affirmed what we’ve long known, that the United Kingdom’s mass surveillance regime, which involved the indiscriminate and suspicionless interception of people’s communications, violated basic human rights to privacy and free expression. We applaud the Strasbourg-based Grand Chamber, the highest judicial body of the Council of Europe, for the ruling and for its strong stance demanding new safeguards to prevent privacy abuses, beyond those required by a lower court in 2018.  

Yet, the landmark decision, while powerful in declaring that UK mass interception powers are unlawful, failed to protect journalists, and lacked legal safeguards to ensure British spy agency GCHQ wasn’t abusing its power, imprudently bought into spy agency propaganda that suspicionless interception powers must be granted to ensure national security. The Grand Chamber rejected the fact that mass surveillance is an inherently disproportionate measure and believed that any potential privacy abuses can be mitigated by “minimization and targeting” within the mass spying process. We know this doesn’t work. The Grand Chamber refused to insist that governments stop bulk interception--a mistake recognized by ECHR Judge Paulo Pinto de Albuquerque, who said in a dissenting opinion: 

For good or ill, and I believe for ill more than for good, with the present judgment the Strasbourg Court has just opened the gates for an electronic “Big Brother” in Europe.

The case at issue, Big Brother Watch and Others v. The United Kingdom, was brought in the wake of disclosures by whistleblower Edward Snowden, who confirmed that the NSA and GCHQ were routinely spying on hundreds of millions of innocent people around the globe. A group of more than 15 human rights organizations filed a complaint against portions of the UK's mass surveillance regime before the ECHR. In a decision in 2018, the court rejected the UK’s spying programs for violating the right to privacy and freedom of expression, but it failed to say that the UK's indiscriminate and suspicionless interception regime was inherently incompatible with the European Convention on Human Rights. EFF filed a Declaration as part of this proceeding. The court, however, acknowledged the lack of robust safeguards needed to provide adequate guarantees against abuse. The Grand Chamber’s decision this week came in an appeal to the 2018 ruling. 

The new ruling goes beyond the initial 2018 decision by requiring prior independent authorization for the mass interception of communications, which must include meaningful “end-to-end safeguards.” The Grand Chamber emphasized that there is considerable potential for mass interception powers to be abused, adversely affecting people’s rights. It warns that these powers should be subject to ongoing assessments of their necessity and proportionality at every stage of the process; to independent authorization at the outset, and to ex-post-facto oversight that should be sufficiently robust to keep the “interference” of people's rights to only what is “necessary” in a democratic society. Under powers given to UK security services in 2000, they only needed authorization by the Secretary of State (Home Office) for interception. The Grand Chamber ruled that, in lacking adequate safeguards like independent oversight, UK surveillance law did not meet the required “quality of law” standard and was incapable of keeping the “interference” to what was necessary.

In its ruling, the Grand Chamber assessed the quality of the UK's bulk interception law and developed an eight-part test that the legal framework of new surveillance laws must meet to justify authorization of bulk interception. The legal framework must make clear and consider the following: the circumstances in which an individual’s communications may be intercepted; the procedure to be followed for granting authorization; the procedures to be followed for selecting, examining and using intercept material; the precautions to be taken when communicating the material to other parties; the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed; the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance; the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.

These are welcome safeguards against abuse. But the opinion doesn’t contain all good news. We are disappointed that the Grand Chamber found that the UK's practice of requesting intercepted material from foreign governments and intelligence agencies, rather than intercepting and collecting them directly, was not a violation of the right to privacy and free expression. Our friends at ARTICLE19 and others argued this, and it also reflects our views: Only truly targeted surveillance constitutes a legitimate restriction on free expression and privacy, and any surveillance measure should only be authorized by a competent judicial authority that is independent and impartial.

Back on the bright side, we were happy that the Grand Chamber once again rejected the UK government’s contention (akin to the U.S. government’s) that privacy invasions only occur once a human being looks at intercepted communications. The Grand Chamber confirmed that the legally significant “interference” with privacy begins as soon as communications are first intercepted—becoming more and more severe as they are stored and later used by government agents. The steps include interception and initial retention of communications data; application of specific selectors to the retained data;  the examination of selected data by analysts; and the subsequent retention of data and use of the “final product”, including the sharing of data with third parties. The Grand Chamber correctly applied its analysis to every step of the way, something U.S. Courts have yet to do. 

The Grand Chamber also found that the government had neglected to subject its targeting practices to enough authorization procedures. Bulk communications may be analyzed (by machines or by people) using “selectors”—that is, search terms such as account names or device addresses—and the government apparently did not specify how these selectors would be chosen or what kinds of selectors it might use in the course of surveillance procedures. It required analysts performing searches on people’s communications to document why they searched for terms connected to particular people’s identities, but did not have anyone else (other than an individual analyst) decide whether those search terms were OK.

The Grand Chamber ruled that acquiring communications metadata through mass interception powers is just as intrusive as intercepting communications content. It considers that the interception, retention, and searching of communications data should be analyzed taking into account the same safeguards as those applicable to the content of communications. However, the Grand Chamber decided that while the interception of communications data and content will normally be authorized at the same time, once obtained the two may be treated differently. The Court explained: 

In view of the different character of related communications data and the different ways in which they are used by the intelligence services, as long as the aforementioned safeguards are in place, the Court is of the opinion that the legal provisions governing their treatment may not necessarily have to be identical in every respect to those governing the treatment of content.

On concerns raised about the impact of surveillance on journalists and their sources, the Grand Chamber agreed that the UK was substantially deficient in not having proactive independent oversight of surveillance of journalists’ communications, whereby “a judge or other independent and impartial decision-making body” would have applied a higher level of scrutiny to this surveillance.

Overall, the Grand Chamber decision falls below the standards of the Court of Justice of the European Union (the Supreme Court of the European Union in matters of European Union law), although it does have some good safeguards. For instance, the Luxembourg Court of Justice of the European Union judgment, in Schrems I. v. Data Protection Commissioner, made clear that legal frameworks granting public authorities access to data on a generalized basis compromise "the essence of the fundamental right to private life," as guaranteed by Article 7 of the European Union Charter of Fundamental Rights.  In other words, any law that compromises the “essence to right private life” cannot ever be proportionate nor necessary. 

While we would like more, this decision still puts the Grand Chamber way ahead of U.S. courts deciding cases challenging bulk surveillance. Courts in the U.S. have tied themselves in knots trying to accommodate the U.S. government’s overbroad secrecy claims and the needs of the U.S. standing doctrine. In Europe, the UK did not claim that the case could not be decided due to secrecy.  More importantly,  the Grand Chamber was able to reach a decision on the merits without endangering the national security of the U.K. 

U.S. courts should take heed: the sky will not fall if you allow full consideration of the legality of mass surveillance in regular courts, rather than the truncated, rubber-stamp review currently done in secret by the Foreign Intelligence Surveillance Court (FISA). Americans, just like Europeans, deserve to communicate without being subject to bulk surveillance. While it contains a serious flaw, the Grand Chamber ruling demonstrates that the legality of mass surveillance programs can and should be subject to thoughtful, balanced, and public scrutiny by an impartial body, independent from the executive branch, that isn’t just taking the government’s word for it but applying laws that guarantee privacy, freedom of expression, and other human rights.