By Sarthak Gupta

[Sarthak Gupta is an undergraduate law student on the B.A; L.L.B [Hons] at the Institute of Law, Nirma University, India. His scholastic interest follows Constitutional Law, Human Rights & Gender Studies, and International Law. He can be reached at guptasarthak7060@gmail.com]

The Grand Chamber [GC] of the European Court of Human Rights [ECtHR] in the case of Big Brother v. the United Kingdom delivered one of its significant judgement on the UK’s mass surveillance regime being in violation of the European Convention on Human Rights [Convention]. The GC delineates three systems: bulk interception of communication, acquiring communications data from service operators and foreign government intelligence apportions. In this article, the author attempts to analyze the GC judgement in the abovementioned systems. The author addresses the potential concerns which the GC failed to deliberate upon.

Background of the Case

The case concerned the applications which were filed by privacy rights advocacy group and a UK-based NGO, Big Brother Watch with various other non-profit organizations and academics. The applications were filed after former U.S. National Security Agency employee Edward Snowden [whistleblower] revealed the exploitation of surveillance systems by the intelligence services of the US and UK.  The primary contention of the application was that the bulk surveillance interception regime operated by the UK Government Communications Headquarters (GCHQ) including the TEMPORA system, and the intelligence-sharing regime violated the Convention.

In 2018, the ECtHR’s lower chamber, determined that the surveillance regime violated Articles 8 and 10 of the Convention by acquiring communications data from the communications service regime. However, the chamber, concluded that there is no violation of Article 8 of the Convention in respect of the intelligence-sharing regime. The applicant requested to refer the case to the GC in accordance with Article 43 of the Convention.

Grand Chamber’s Judgement

The GC observes that due to the extreme multitude of vulnerabilities that States witness in contemporary society, executing a mass interception regime did not in and of itself violate the Convention. Such interception, nevertheless, would be subjected to “end-to-end safeguards,” that would entail a necessity and proportionality determination, independent authorization, and constant supervision, among other things.

Subsequently, the GC identified three “fundamental deficiencies’ in the UK’s bulk surveillance interception regime’s end-to-end safeguards, “absence of independent authorization, failure to include categories of selectors, and the failure to subject selectors linked to an individual to prior internal authorization.” The GC observed that UK’s bulk interception did not meet the “quality of law” requirement, thus violating right to privacy enshrined in Article 8 of the Convention and was therefore incapable of keeping the “interference” to what was “necessary in a democratic society”

The GC observed that the bulk interception regime violated the right to privacy and family life [Article 8] and freedom of expression [Article 10] of the Convention. The regime for acquiring communications data from service suppliers were also observed to be irreconcilable with the Convention because it was not confined to countering “serious crime,” it was not subject to prior assessment by a national authority, and it ceased to comprehensively protect journalists’ privacy and confidentiality. Thus, accepting the chamber judgement that acquiring communications data from service suppliers is a violation of Article 8 and is not in “accordance with law”

However, on the issue of foreign government intelligence apportions, GC reiterated the UK’s intelligence-sharing regime’s conformity with the Convention and held that the intelligence-sharing regime used by UK authorities to access data from US intelligence agencies does not breach Articles 8 or 10 of the Convention. The GC concluded that intelligence sharing is acceptable if “adequate safeguards” against misuse are in existence and the regime is subjected to independent monitoring and ex post facto review.

Comment: A Triumph for Privacy?

Nevertheless, the ruling is presumably a triumph for privacy advocates, it constitutes a substantial pinnacle in accomplishing nearly completely the opposite. As it not only capitulates to European governments’ eagerness for greater surveillance but also identifies distinct standards of protection from unmerited state interception contingent on whether the intercepted membrane is domestic or foreign in nature, thereby establishing segregated standards for prioritized and bulk communications interception. In its earlier judgments, contemplating the legitimacy of domestic surveillance measures in Roman Zakharov v Russia and Szabó and Vissy v Hungary, the ECtHR not only questioned their compatibility with Convention rights but also formed a rigorous regime for the emergence of “reasonable suspicion” against a citizen before the surveillance could be authorized. In juxtaposition, the GC endorsed the functionality of bulk interception of foreign communications (or strategic surveillance) within the 2018 Centrum för rättvisa v Sweden and Big Brother Watch Chamber decisions, asserting that it is “a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime.”

Normalization of Bulk Surveillance Interception

The GC in Big Brother reiterated that operating a bulk surveillance interception regime may indeed not in itself contravene the Convention, strengthening its belief in the efficiency of bulk foreign communications acquisition. The GC confirmed the findings of the Chamber of provocations posed by international terrorism and cross-border crime in that case. To this end, the GC reaffirmed the Venice Commission’s acknowledgement that bulk surveillance interception is essential for states in recognizing threats to national security. The GC affirmed that national authorities have a “wide margin of appreciation” in determining how to accomplish the legitimate aim of national security protection. 

However, the significant factor in judgement is GC’s setting out of new fundamental standards to prevent the impact of bulk interception prerogatives being exploited, which is resorted to as “the cornerstone of Article 8 compliant bulk interception regime.” Through this the GC reinforced the differentiation between targeted and bulk interception, demonstrating that the latter is commonly directed at international communications with the goal of collecting foreign intelligence, initial detention and interrogation of cyberattacks, cyber warfare, and counter-terrorism. Furthermore, the GC, articulated the framework that must be drawn in bulk interception cases, beginning with the six minimum safeguards highlighted in Weber & Saravia v. Germany, and tailoring these standards to bulk intelligence collection methodologies. However, GC observed that the first two components (that domestic law must specifically define the essence of the crimes that may result in an interception order, as well as the categories of people who may have their communications intercepted) are not “particularly conducive to a bulk interception regime.

Subsequently, the GC again turned down the requisite of “reasonable suspicion” as inappropriate in the framework of bulk interception since it is in “principle preventative”, rather than for the investigative process of a particular target and/or a “recognizable criminal offence”. Having said that, the GC observed that domestic law must still constitute comprehensive regulations such as the grounds for bulk interception and the predicaments under which a person’s communications may be apprehended. The GC appears to have confirmed the formation of two separate frames of procedural standards premised on whether the surveillance is domestic or foreign in essence by incorporating this new approach, but it also initially appeared to have initiated the demarcation of new key criteria that must be specifically laid out in domestic law, affirming the normalization of bulk surveillance.

The Necessity of Judicial Authorization?

On the contention of judicial authorization and ex post control processes, the GC declined to necessitate judicial authorization claiming that bulk interception must be authorized by an “independent body”, that is, an institution separate from the executive branch. The GC’s observation is unsatisfactory to preclude arbitrary violations of the right to privacy. One of the legal framework’s prerequisites eschews a significant assurance of human rights protection, notably “judicial oversight”. Nevertheless, stipulating that security services be spearheaded by an “independent body”, the GC should have taken a step further and mandated that the process be monitored by the judiciary. The institution would certainly be not “independent”, because anyone with the relevant information to represent on it would almost certainly be a former member of the security services. The European Court of Justice took a strengthened stance on this subject, necessitating the intervention of judicial authority in Schrems II judgement (Para 186-194).

Pragmatic Yet Procedural Approach

To determine whether bulk interception regimes fall within states’ margin of appreciation, the GC reinforces the proceduralist approach and establishes “wider range of criteria than the six Weber standards” to assess compliance with the Convention by domestic legal frameworks. The GC observes that the very same safeguards should extend to the collection and processing of communications data/metadata, not just the content of communications. All of these privacy-protecting safeguards, however, are instantaneously competent in their application. The GC’s general approach toward the governments is very obsequious, particularly when it comes to the initial implementation of the surveillance programs. The GC perhaps asserts that the mere collection of data “does not constitute a particularly significant interference” with privacy, while distinguishing between the different phases of such interventions. Nevertheless, metadata collection being cumbersome, and the safeguards should be the equivalent, but metadata does not have to be considered the same as “content”. The eight-part test is a component of a “global assessment” of the system’s proportionality so that a state that neglects one of the criteria can compensate by achieving excellence in other aspects. These are effective determinants but there are a few particular minimum standards that ought to be fulfilled.

Commercialisation and Normalization of surveillance via Pegasus Spyware

The Pegasus Project’s findings by Amnesty International’s Security Lab and Forbidden Stories, have revealed that the Israel’s NSO Group’s cyber surveillance company developed spyware, Pegasus, commercialised the world-wide mass surveillance, which has led to hacking and manipulating more than 50,000 phone numbers of potential surveillance targets. Pegasus is a formidable spyware application that can be installed remotely on smartphones without the person ‘s knowledge. Clients could take complete access to the device after installing it, including reading messages from protected messaging applications like WhatsApp and Signal, as well as switching on the camera and microphone. 

The Commericialisation of the Pegasus was initiated ostensibly for purpose in law enforcement investigations and to counter-terrorism, but it has apparently been employed in a significantly broader variety of settings in a way that may have been unethical & unconstitutional. Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates are among a several of the countries where NSO clients have been identified in the Project Pegasus. Human rights advocates, academics, lawyers, union leaders, diplomats, politicians, and many heads of state are all prospective targets of the Pegasus.

The potential to remotely access the phone was long thought which to be limited to a few countries even after Edwarn Snowden’s reveals on US & UK’s mass surveillance operations. However, now with commercialization of mass-surveillance spyware, many governments, as well as individuals and small organizations, can access to high-end espionage and monitoring capabilities, whih illustrates the future-potential of mass-surveillance all over the world and gross violations of human rights.  

Subsequently, the GC’s ruling will act as a skeleton in the normalization and commercialisation of the mass-surveillance in the European jurisdiction. The mass-surveillance via spyware unquestionably violates the Convention including the fundamental right of privacy of the targeted individuals and necessitates the moratorium on the commercialisation, transmission, and use of surveillance technologies unless human rights-compliant regulatory institutions are in operation as recommended by United Nations Special Rapporteur on freedom of opinion and expression expert David Kaye in its report on surveillance. 

Conclusion

Although, the GC observed unanimously that the UK’s Bulk interception approaches and acquiring of metadata under Chapter II of the RIPA violated Article 8 of the Convention, the decision is still not a victory of privacy. The primary and perhaps most evocative criticism of the decision was made by Judge Pinto De Albuquerque in his partially dissenting opinion, who noted that it “fundamentally alters the existing balance in Europe between the right to respect for private life and public security interests, in that it admits non-targeted surveillance.” [Para 59] For future decades, the GC’s ruling symbolizes a conclusive normalization of mass surveillance which has become vital in the outlook of the prevailing pandemic and continuous reforms in intelligence sharing and privacy law, such as the EU’s e-Privacy Regulation, and the Additional Protocol to the Council of Europe’s Convention on Cybercrime.