The European Court of Human Rights establishes essential principles for the protection of national security. Bulk interception cannot be banned, but it must be possible to control the use governments make of it. by Andrea Monti, adjunct professor of Digital Law at the University of Chieti-Pescara – Initially published in Italian by Formiche.net
A judgment of the European Court of Human Rights made public on 25 May 2021 established an important principle: bulk interceptions are an effective tool for the protection of national security if they are carried out with a system of independent controls to protect citizen rights.
Having found an incomplete compliance with this principle, the Court ruled that the UK legislation on interception and on how the Government acquires data owned by telephone companies and internet providers infringe the right to private life and, as regards journalists, the right to freedom of expression. The Court also ruled, albeit by a majority decision, that the UK procedures on the acquisition of intercepted data from the US are respectful of these rights.
Why does this decision matter
Leaving aside the technicalities relating to the UK legislation, no longer relevant for the EU after the Brexit, the conclusions of the Strasbourg judges are interesting for three reasons.
Firstly, as mentioned above, they recognise that bulk interceptions are necessary to protect national security and that the Court’s interventions may concern the ‘how’ they are carried out but not the ‘whether’.
Secondly, they reinforce the notion that the inevitable limitation of individual rights to protect the public interest must be balanced by the existence of legal rules and independent actors authorising interception and monitoring, ex-post, their proper execution.
Finally, they implicitly recognise that data protection legislation —applicable until exit from the EU— cannot prevent information exchanges with the US, even though the US is, on paper, on the European Commission’s blacklist for compliance with the protection standards set by Regulation 679/16 (GDPR).
Flaws in the procedures authorising bulk interception
The existence of an independent body that, based on the law, assesses the adequate balance between the State’s interests to ensure order and security and the rights of citizens to suffer limited and justified compression of their individual rights is the main instrument of guarantee against abuses.
However, in the Court’s view, even though the United Kingdom has set up a tribunal to verify claims of possible infringments, the power to authorise national security-related interceptions belongs to the Secretary of State and not to a body independent of the Executive. Moreover, the form to be filled in to obtain the authorisation from the Executive does not contain the list of selectors, i.e. the search criteria necessary to individualise the search by extracting relevant information from the massive amount of data flowing through the network (paragraph 425 of the decision).
Besides the legal aspects, it is interesting to note the approach of the UK executive to ensure a (relative) operational freedom.
On the one hand, there is a clear high-level political choice: to avoid prior independent checks on the Executive’s choices, keeping ‘in house’ the authority to decide whether to activate a bulk interception.
On the other hand, there is a skilful use of the best bureaucratic techniques in order to separate the political level from the operational one. If in the request for authorisation to intercept there are no search keywords, the Secretary of State does not enter into the merits of how intelligence services carry on their job. He makes up his mind just following the criteria fixed by law (necessity, proportionality and motivation).
By doing so, the Executive operates with reasonably plausible deniability and the intelligence services with a wide margin of autonomy that can arrive —hence the indictment—also at possibly violating the confidentiality of a journalist’s sources.
Legitimate acquisition of intercepted data from other countries
The Court also dealt with the intelligence sharing between the UK and the non-Contracting States (the USA, in other words).
The starting point of the reasoning is that interception activities carried out by another sovereign State are beyond the reach of the receiving State and that it would be too easy to circumvent domestic regulatory prohibitions by ‘outsourcing’ the interception activity and importing the results. To avoid such circumvention, the Court ruled that the exchange of data is possible only under a legal basis. Moreover, it stressed the need for procedures to review the how and the why information entered the British soil.
According to the judges’ split decision, the Communication Intelligence Agreement of 5 March 1946 and the other agreements for the exchange of information signed with the former colonies are a valid legal source to justify the cooperation between the intelligence apparatus of the two countries. Moreover, as far as UK is concerned, agreements are enforced in a way that guarantees adequate safeguards for the Crown’s subjects.
The retention of traffic data is legitimate
The Court of Strasbourg acknowledged the much-contested (in the EU domain) data-retention, that is, the preservation of the Internet traffic data. It affirmed the principle according to which the limitation of the right to the respect of private life and the secrecy of the communications is possible if independent bodies preemptively verify the request’s legitimacy. Moreover, a citizen should have a judicial remedy against possible abuses.
However, as in the case of the bulk-interception, the UK has been indicted for the ‘how’ it has regulated this choice and not for having decided to do it. The difference may seem subtle, but it is substantial.
A side issue that worth highlighting is a passage in paragraph 519 of the judgment in which, in order to establish the liability of the British Government, the Court affirms the prevalence of Community law over that of the United Kingdom and takes note of the Government’s admission that the IPA rules on the retention of communications data were incompatible with EU law.
The issue is complex and involves aspects that go beyond a purely legal reading of the argument.
National security is an area that the founding treaties of the EU reserve to the exclusive sovereignty of the member states. Consequently, whatever the EU rules may be, they cannot be interpreted in such a way as to encroach on national sovereignty in those forbidden areas. Notwithstanding, the extended reach of the EU power is now a fait accomplis of which this judgment is yet another epiphenomenon.
Seemingly unaware, Member States let the Union building per facta the European constitution. The same constitution against which France and the Netherlands had spoken out in 2005, blocking its entry into force.
Although challenging to stop, this process is a severe problem because the EU is not an autonomous political entity and has not the power to directly affect the Member States’ sovereignty. It cannot have national interests, all the more so if they are hypothetically in conflict with those of the individual countries that signed the founding treaties. Consequently, when these critical issues ignored today become politically unavoidable, it will have to be understood who will have to take a step back, whether the Union or its members.
Conclusions
This ruling has been presented as a victory against States-manned mass-surveillance projects, however this is not the case. Also if some members of the bench dissented, the Court only stigmatised how intelligence services carried out their tasks, while confirming their legal acceptability.
At the same time, however, it also affirmed the principle that by paying a few hundred thousand Euros, one can operate without scrupulously respecting the rules.
The Court indeed condemned the UK to pay approximately 350,000 Euros for proceedings costs. However, it is also true that it is a matter of a few pennies compared to the more than probable advantages obtained by the British intelligence structures, made possible by the deficiencies of the legal framework.