Big Brother Watch and Others v. the United Kingdom – Some initial thoughts

On Thursday, 13 September 2018, the European Court of Human Rights (ECtHR) handed down their decision in Big Brother Watch and Others v. the United Kingdom. This decision addressed the legality of the United Kingdom’s (UK) bulk interception programme, intelligence sharing, and the obtaining of communications data from communications service providers and was prompted by the 2013 Snowden revelations.

This is a complex decision which is likely to have significant ramifications for mass surveillance programmes. As such, it is too early to offer detailed analysis, and this post intends to highlight some of the interesting elements that we will be thinking over in the coming weeks and months. Our focus here is on the bulk interception programme.

For an excellent initial post on the implications for the UK’s Investigatory Power’s Act, please see ‘Big Brother Watch v UK – implications for the Investigatory Powers Act?’ at Cyberleagle.

An effective remedy in law, or practice?

The ECtHR found the UK’s Investigatory Powers Tribunal (IPT) to be an effective remedy, in light of the UK Government’s ‘practice of giving effect to its findings on the incompatibility of domestic law with the Convention’ despite the fact that a binding obligation, requiring the Government to remedy any incompatibility identified by the Investigatory Powers Tribunal, did not exist. See, §262. The Court found that the effectiveness of the IPT was underlined by the fact that it could make an order for reference to the Court of Justice of the European Union (CJEU) (in §263).

Extraterritorial human rights obligations?

The UK Government did not raise a jurisdictional-based objection to the Court’s consideration of section 8(4) of the Regulation of Investigatory Powers Act (RIPA), which authorises the interception of externalcommunications, or suggest that interception under section 8(4) took place outside the UK’s territorial jurisdiction.

Some of the communications classified as external may actually involve communication with in the UK, for instance when an email is sent from an external location to an address in the UK, or vice versa. As such, they all concerned communications are not necessarily entirely extraterritorial. Nonetheless, it is somewhat surprising that jurisdiction was not contested, and this has potential relevance as regards the extraterritorial effect of the right to privacy.

The general principles applicable to secret surveillance

The Court, for the first time, list the general principles which apply in all cases concerning measures of secret surveillance. This is an explicit enumeration of the principles that are extrapolated from the Court’s case law. See §304-310. Of particular relevance are the six minimum safeguards that should be set out in law to avoid abuses of power, namely: “the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their communications intercepted; a limit on the duration of interception; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which intercepted data may or must be erased or destroyed”. The Court affirmed that these safeguards also apply in cases where interception is ordered in relation to national security objectives. See, §308.

In §330, the Court clarified that when addressing the first two minimum requirements (nature of the offences, categories of persons liable to interception) the Court stated that it will examine ‘first, whether the grounds upon which a warrant can be issued are sufficiently clear; secondly, whether domestic law gives citizens an adequate indication of the circumstances in which their communications might be intercepted; and thirdly, whether domestic law gives citizens an adequate indication of the circumstances in which their communications might be selected for examination”.

Significantly, the Court declined to decide whether these safeguards applied to the interception of communications data (as distinct from interception of content and communications data). See, §352. This is particularly interesting in light of the Court’s later statement, in §356, that it was ‘not persuaded that the acquisition of related communications data is necessarily less intrusive than the acquisition of content.’

Recognising the legitimacy – in principle – of bulk interception

The Court explicitly recognised the legitimacy, in principle, of bulk interception regimes, noting that these fall within the State’s margin of appreciation ‘in choosing how best to achieve the legitimate aim of protecting national security’. See, §314.

Rejecting a ‘reasonable suspicion’ requirement (with uncertain implications)

In §317, the Court rejected the claim that ‘reasonable suspicion’ be a requirement for bulk interference, noting that ‘[b]ulk interception is by definition untargeted, and to require “reasonable suspicion” would render the operation of such a scheme impossible.’ There is a lot to digest in terms of the reasoning associated with this statement, and there is a lack of clarity as to the implications. An initial question is whether the Court would make the same statement if the bulk interception also included internal communications. If so, this raises questions as to what it means for the use of information gleaned from bulk intercept to initiate a criminal prosecution. It is the potential link between intelligence operations and domestic law enforcement activity that raises numerous issues in relation to these powers. These include very broad human rights concerns bringing in to play the rights to freedom of expression, and association as well as the effective functioning of democracy.

 Updating the six minimum requirements applicable to bulk interception and other interception regimes

The applicants in the present case argued for the Court to ‘update’ its six minimum requirements, to include the following: requirements for objective evidence of reasonable suspicion in relation to the persons for whom data is being sought, prior independent judicial authorisation of interception warrants, and the subsequent notification of the surveillance subject. See, §316. The Court noted that, although the proposed additional requirements, ‘might constitute important safeguards in some cases’, it did not consider it appropriate to add them to the list of minimum safeguards in this instance.

A motivation for this reason is the Court’s conclusion that, ‘it would be wrong automatically to assume that bulk interception constitutes a greater intrusion into the private life of an individual than targeted interception, which by its very nature is more likely to result in the acquisition and examination of a large volume of his or her communications.’ This issue is not addressed in greater detail, and is likely to surface in the future, particularly if consideration of the broader societal impact is included.

Downplaying the role of prior judicial or independent authorisation?

The Court makes a number of statements that appear to downplay the role of prior authorisation by a judicial or independent authority, particularly in §318 and §377. For instance, in §318 the Court approving notes the Venice Commission’s conclusion that although the Court has recognised judicial authorisation as an important safeguard against arbitrariness, it has not, to date, considered it to be a ‘necessary requirement’. Later, in §377, the Court states that although it ‘has generally required a non-judicial authority to be sufficiently independent of the executive […] it must principally have regard to the actual operation of a system of interception as a whole, including the checks and balances on the exercise of power, and the existence (or absence) of any evidence of actual abuse […] such as the authorising of secret surveillance measures haphazardly, irregularly or without due and proper consideration’. While it is, of course, appropriate to note that judicial or independent authorisation, of itself, is insufficient, and to highlight the importance of other safeguards as applied in practice, the apparent downplaying of the role of judicial/independent authorisation is surprising. To say the least. This appears to raise a potential conflict with the CJEU’s decision in Watson and is also an unexpected shift from the Court’s own case law; e.g. ‘it is in principle desirable to entrust supervisory control to a judge, judicial control offering the best guarantees of independence, impartiality and a proper procedure ‘ (§309).

Why the Court would do this, having noted in §318 that judicial authorisation ‘is not inherently incompatible with the effective functioning of bulk interception’ is unclear, and this will inevitably give rise to further debate.

Ensuring that the ‘necessity’ of surveillance measures is built into the underlying legal framework

In §322 the Court stated that ‘[i]n cases where the legislation permitting secret surveillance is contested before the Court, the lawfulness of the interception is closely related to the question whether the “necessity” test has been complied with and it is therefore appropriate for the Court to address jointly the “in accordance with the law” and “necessity” requirements.’ This relates to the requirement that any interference with rights have an established legal basis, pursue a legitimate aim, and be necessary in a democratic society.

It does appear appropriate that the law itself limit measures to those that can be considered ‘necessary’. This may point at a requirement that there be greater nuance or specificity with respect to the grounds on which an interference may take place.

Unfortunately, however, the Court did not seem to engage further with the necessity of the measures at hand, beyond noting Contracting State’s margin of appreciation. In particular, and in light of the statement in §322, it is unfortunate that no consideration was given as to the types of activity that could constitute a threat to national security, or be classified as ‘serious crime’ warranting extensive ‘pro-active’ surveillance measures.

Intelligence sharing by the UK

In §368 and §369, the Court addressed the requirement that intercept material could be communicated ‘for an authorised purpose’, if it was ‘likely to become necessary’. Ultimately, the Court found that although further definitional precision would be desirable, adequate safeguards existed for the protection of the relevant data. This finding will require further thought, noting in particular that the specific value of bulk interception is that it allows for the development of an intelligence picture. That is, it allows for the analysis of bulk information in order to see whether this reveals patterns from which intelligence can be drawn. This is why the practice is sometimes referred to as a ‘fishing operation’ and it is presumably on this basis that the Court rejected that application of a ‘reasonable suspicion’ requirement. In this light, a significant amount of material is potentially relevant, and therefore ‘likely to become necessary’. In this regard, statements from intelligence agencies regarding the necessity of bulk collection, whereby it is argued that in order to find the needle you must first have the haystack should be recalled. As such, the Court appears to allow significant room for discretion.

Disclaimer: The views expressed herein are the author(s) alone