Congress Intelligence

Summary: Big Brother Watch and Others v. the United Kingdom

Chinmayi Sharma
Friday, October 12, 2018, 9:00 AM

On Sept. 13, the European Court of Human Rights (ECHR) ruled that the United Kingdom’s bulk data-collection programs violate human-rights law by failing to incorporate adequate privacy safeguards and oversight—but that mass surveillance and intelligence sharing did not violate international law.

Published by The Lawfare Institute
in Cooperation With

On Sept. 13, the European Court of Human Rights (ECHR) ruled that the United Kingdom’s bulk data-collection programs violate human-rights law by failing to incorporate adequate privacy safeguards and oversight—but that mass surveillance and intelligence sharing did not violate international law.

Big Brother Watch and Others v. the United Kingdom challenged three types of surveillance conducted by the Government Communications Headquarters, or GCHQ, Britain’s signals-intelligence agency:

  1. bulk interception of communications under the TEMPORA program;
  2. intelligence sharing and receipt in collaboration with the PRISM and Upstream programs run by the NSA and
  3. the obtaining of communications data from service providers.

It was the first ruling against Britain’s mass-surveillance programs since Edward Snowden’s 2013 revelations. The ruling relied heavily on the right to respect for private and family life—enshrined in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms—and the Article 10 right to freedom of expression under the same document. Read an analysis of key takeaways from the U.S.’s surveillance perspective by Robert Chesney here.


Procedural Posture

On Jan. 7, 2014, in the wake of the 2013 Snowden exposure of the U.K. surveillance regime, three nongovernmental organizations, Big Brother Watch, English PEN and Open Rights Group, along with an academic from Berlin, Constanze Kurz, applied to the ECHR to challenge the legal regime enabling surveillance propagated under the Regulation of Investigatory Powers. The complaint argued that the surveillance regime compromised the Article 8 rights of U.K. citizens due to the indiscriminate nature of bulk collections without any required showing of suspicion.

Four years later, in November 2017, the case was finally heard by a chamber of the ECHR alongside two related cases that also brought allegations under Article 8: the Bureau of Investigative Journalism and Alice Ross v. the United Kingdom (2014) and 10 Human Rights Organisations and Others v. the United Kingdom (2015). Unlike Big Brother Watch, both cases also brought claims under Article 10, which guarantees freedom of expression, and 10 Human Rights Organisations brought claims under Article 14, which prohibits discrimination.

In 10 Human Rights Organisations, applicants originally brought domestic proceedings before the U.K.’s Investigatory Powers Tribunal (IPT), which upheld the surveillance programs as compliant with relevant laws. In Big Brother, the applicants challenged those proceedings under the Article 6 right to a fair trial. The IPT judgment followed a closed hearing during which the court considered whether more information regarding intelligence-sharing programs could be shared with the public in order to comply with Articles 8 and 10. During the closed hearing, the government shed light on “below the waterline” arrangements pertaining to the U.K. information-sharing regime and the IPT used these disclosures to confirm the accuracy of claims made by the government regarding “above the waterline” safeguards.

The tribunal determined, based on the closed hearing, that while the safeguards embedded in the arrangements must be kept confidential for national security, the “above the waterline” information, or aspects of the information-sharing arrangement made public, offered sufficient disclosure to comply with the Convention and were subject to appropriate oversight, including the IPT’s right to hear future cases. Additionally, it upheld the bulk-collections program as compliant with European case law and authorizing statutes. Applicants in 10 Human Rights Organisations challenged the fairness of the IPT proceedings, including the legitimacy of the closed hearing.

The Nature of the Programs

Internet communication is carried out by communication-service providers (CSP) that transmit information regarding a communication from one party to another across the internet backbone, which is comprised of miles of submarine fiber-optic cables. The cables hosts some 100,000 “bearers” that transmit signals between network interfaces. Intercepting communication involves tapping into the flow of packets through these bearers, copying the data, recompiling the communications, and storing them.

GCHQ has confirmed the existence of two major processing systems for the bulk interception of communications—but it has neither acknowledged nor denied the existence of an operation revealed by the Snowden disclosures codenamed TEMPORA. The first processing system is targeted at a portion of bearers that include specific identifiers from a list of “simple selectors,” such as a particular email or name, relating to a known target. Intercepted data then undergoes a “triage process” to pull out the communications most likely to possess high-value intelligence.

The second processing system targets a smaller portion of bearers that are most likely to carry communications with intelligence value. Data is scraped from these bearers according to “processing rules” and then queried to pull out and index the communications most likely to be of high value. Only at the end of these processes are communications read by analysts; all other data is discarded.

The U.K. also requests and receives information from the U.S. collected by the NSA through one of two operations: Prism and Upstream. Prism obtains specific and targeted communications and metadata from internet service providers (ISP), as distinguished from its data mining capabilities, and is authorized under the recently reauthorized Section 702 of the FISA Amendments Act. Upstream involves the collection of communications and metadata from CSPs and targets non-U.S. persons.

The Relevant Law

The court’s opinion began with a comprehensive review of the relevant U.K., EU, and international statutory and case law relevant to their analysis.

Interception of Communications

Regarding the interception of communications, the court cited to the Regulation of Investigatory Powers (RIPA) for the relevant authorizing provisions and safeguards relating to warrants as well as the Interception of Communications Code of Practice. Section 1 of RIPA prohibits the unlawful interception of communication in the course of transmission unless authorized by a Section 5 warrant, which must be approved by the secretary of state. A Section 5 warrant permits the interception of communication if it is necessary in the interests of national security, for the purpose of preventing or detecting serious crime, or for safeguarding the U.K.’s economic wellbeing.

Section 8(4) warrants are separate. They also require approval by the secretary of state and authorize the “bulk interception” of “external communications in the course of their transmission by means of a telecommunication system” if it is deemed necessary for one of the aforementioned Section 5 justifications. Section 20 defines “external communications” as being “sent or received outside of the British Islands,” but two people engage in “internal communication” as long as the parties to the communication are located in the U.K., regardless of whether the email service is housed on an overseas server.

Section 15 limits the disclosure and use of information obtained through interception warrants by requiring the secretary of state to minimize the number of individuals authorized to access the information and to destroy all information after it is deemed no longer necessary. Section 16 provides for additional safeguards specific to intercepted communications by limiting individuals permitted to view communications to those who received the data through the warrant. It also prohibits the purposeful accessing of communications of a person known to be located in the United Kingdom.

Section 71 of RIPA incorporates the requirements and principles set forth in the Interception of Communications Code of Practice, imputing a “necessity and proportionality” requirement on interception justifications, a duration limitation on the validity of warrants, and other specific limitations on the enforcement of warrants under RIPA.

Intelligence Sharing

The court summarized the relevant law around intelligence sharing. The U.K. intelligence community consists of three services: the security service (“MI5”), the intelligence service (“MI6”) and GCHQ. Each arm may receive no more information than is necessary for the proper discharge of their functions under their authorizing statutes. However, the Counter-Terrorism Act of 2008 (CTA) allows for the disclosure of information to each arm to exercise any of their functions. Additionally, the intelligence community services are each “controllers” for the purpose of the Data Protection Act of 1998 (DPA) and are therefore required to comply with its provisions, including the prohibition on retaining data longer than is necessary and taking technical and organizational measures to protect data. Individual members of the intelligence community are prohibited by the Official Secrets Act (OSA) and Human Rights Act (HRA) from unlawfully disclosing information obtained by virtue of their position.

The U.K.-U.S. Communication Intelligence Agreement governs the exchange of intelligence information relating to “foreign” communications between the U.K and the U.S. Additionally, the Interception of Communications Code of Practice governs the intelligence communities receipt of information from foreign entities by limiting the circumstances in which the U.K. can request information outside the scope of a mutual legal-assistance treaty and implementing safeguards governing the receipt of unanalyzed foreign information.

Acquisition of Communication Data

The acquisition of communication data from providers is authorized and governed by Chapter II of RIPA. Communication Data, which in the U.S. is typically called metadata, is defined under Section 21(4) of RIPA and “embraces the ‘who’, ‘when’, ‘where’, and ‘how’ of a communication but not the content, not what was said or written.”

Section 22 allows the secretary of state to grant a “designated person” authority to require disclosure of data by CSPs if it is necessary for:

  1. national security,
  2. preventing or detecting crime or of preventing disorder,
  3. the economic well-being of the United Kingdom,
  4. the interests of public safety,
  5. protecting public health,
  6. assessing or collecting any tax, duty, levy or other imposition, contribution, or change payable to a government department,
  7. in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating nay injury or damage to a person’s physical or mental health, or
  8. any other purpose under this subsection by an order of the secretary of state.

Section 71 of RIPA incorporates the code of practice for handling communications data, which was compiled by the UK government Home Office to provide guidance for the implementation of RIPA and outline additional requirements and safeguards. As with the bulk interception of communications, the requests must be necessary and proportionate, include privacy protecting safeguards, abide by set durations of authorization validity, and maintain records.

Adjudication and Oversight

Section 65(1) of RIPA establishes the IPT as the only appropriate forum in relation to proceedings against the intelligence community for violations of the relevant laws herein. IPT decisions cannot be appealed. However, the IPT is not a court under the meaning of Section 4 of the HRA, so it cannot make a finding of incompatibility between U.K. law and the European Convention on Human Rights.

RIPA also provides that the interception-of-communications commissioner and his or her inspectors alongside an intelligence-services commissioner serve as independent oversight over intelligence activities.

International and EU Law

Finally, the court looked to the relevant international law as well as EU laws and directives.

U.N. Resolution 68/167 on the 2013 Right to Privacy in the Digital Age calls upon all states to review their policies and practices around surveillance to better ensure privacy under human-rights law and establish independent, effective oversight mechanisms to ensure transparency and accountability. Additionally, the Constitution of the International Telecommunication Union of 1992 ensures to the extent possible the secrecy of international correspondence for citizens of Member States.

Four documents from the Council of Europe—the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the Recommendation of the Committee of Ministers, the Convention on Cybercrime, and the Report on the European Commission for Democracy through Law on the Democratic Oversight of Signals Intelligence Agencies—echoed and adopted similar privacy protecting principles as set forth in the UN Resolution and called for meaningful oversight.

Last, the Charter of Fundamental Rights for the European Union protects private and family life, personal data, and freedom of expression and information in articles that serve as corollaries to the Convention on Human Rights. The court also pointed to the Data Protection Directive, the General Data Protection Regulation (or GDPR) and the Privacy and Electronic Communications Directive as EU law recognizing and protecting similar rights to personal privacy.

The Court’s Judgment

Exhaustion of Domestic Remedies

As a preliminary matter, the government argued that the applicants in the Big Brother Watch and Bureau of Investigative Journalism suits had not exhausted their domestic remedies before applying to the ECHR. Specifically, the government said the two applicants did not first pursue remedies in the IPT, which was a “bespoke domestic tribunal set up for the very purpose of investigating, considering, and ruling on the issues” that were then brought before the ECHR.

However, applicants argued in response that in Kennedy v. the United Kingdom, the court held that the IPT did not provide the applicant with effective remedy. Applicants, and interveners on their behalf, further argued that when a domestic remedy would not be effective, parties do not need to exhaust those options. The government replied that since Kennedy, the IPT has been dispositively shown to provide sufficient remedy.

Ultimately, the court held that applicants “could not be faulted for relying on Kennedy as authority” and therefore there are “special circumstances absolving” applicants of their requirement to bring their complaints first to the IPT.

Alleged Violation of Article 8

  • Bulk Collections

Although the court stated that bulk interception regimes do not fall outside the margin of legal surveillance, it still acknowledged the potential for abuse of surveillance. However, it rejected applicants’ request for a showing of “reasonable suspicion” in relation to the persons for whom data is being sought because “bulk interception is by definition untargeted, and to require ‘reasonable suspicion’ would render the operation of such a scheme impossible.” It did not believe ex ante judicial authorization is inherently incompatible with an effective bulk collections program, but it also disagreed that judicial oversight can, by itself, “be necessary nor sufficient to ensure compliance with Article 8 of the Convention.”

In analyzing the three sets of applicant claims that the bulk collections secret surveillance program violated Article 8 rights, the court first laid out principles regarding the legality of surveillance regimes. First, any interference with Article 8 rights can only be justified if it is

  1. in accordance with the law,
  2. pursues one or more legitimate aims to which the authorization is limited by law, and
  3. is necessary in a democratic society to achieve the aim. To be “compatible with the rule of law,” the surveillance must be “accessible to the person concerned,” and “foreseeable as to its effects.”

In reviewing the first prong of the test, the court gauged the accessibility of the bulk collections legal scheme and concluded it is “extremely complex.” However, it did not find the complexity of the details of the operations to be dispositive against the legitimacy of the program because “States do not have to make public all the details of the operation of a secret surveillance regime” and “below the waterline” arrangements must exist given the security based impetus of the program. It instead found the analysis must focus more on the requirements of “foreseeability” and “necessity.”

The court broke the Section 8(4) regime into four distinct stages and evaluated each to determine whether it met the standard for “foreseeability” and “necessity”:

1. The interception of a small percentage of Internet bearers, selected as being those most likely to carry external communications of intelligence value.

2. The filtering and automatic discarding (in near real-time) of a significant percentage of intercepted communications, being the traffic least likely to be of intelligence value.

3. The application of simple and complex search criteria (by computer) to the remaining communications, with those that match the relevant selectors being retained and those that do not being discarded.

4. The examination of some (if not all) of the retained material by an analyst).

In establishing foreseeability and necessity for each stage, the court pointed to six minimum requirements:

the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their communications intercepted; a limit on the duration of interception; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which intercepted data may or must be erased or destroyed.

The necessity prong is also informed by case law that suggests the requirement of review and supervision of surveillance programs to ensure that the activities are kept only to what is “necessary in a democratic society.” Moreover, the oversight must exist at all three stages: “when the surveillance is first ordered, while it is being carried out, or after it has been terminated.”

The RIPA permits a bulk interception warrant for the purpose of preventing or detecting crime, safeguarding the economic interests of the U.K., and ensuring national security. The court reiterated that foreseeability does not require the government to articulate exhaustively the specific offenses that may give rise to interception, “provided that there is sufficient detail about the nature of the offences in question.” The court believed the terms “national security,” “serious crime” and “economic well-being” were sufficiently clear in statutes and case law to give citizens adequate indication of the offense-related circumstances in which their communications might be intercepted.

However, the court expressed substantial concern about the foreseeability of the class of individuals targeted by the program. In finding that the selection process of the bulk interception regime violated Article 8, the court pointed to the lack of procedural safeguards in the process of selecting bearers from which to intercept communications, selectors to sort through the intercepted data to decide what to retain, and criteria to decide which data analysts will examine. The court was uncomfortable with the ambiguity and discretion in these decisions, pointing specifically to

  1. the lack of articulation of principles used to identify bearers to target, the lack of transparency into the selectors and search criteria used to sort intercepted information for indexing and retention;
  2. the lack of specificity in certificates analysts rely on to decide which communications to examine; and
  3. the lack of pre-authorization on these decisions to examine communications by a senior operational manager.

The court did not believe the process provided adequate guarantees against abuse.

The court also expressed concern about the exemption of related communications data, or metadata, from the safeguards set forth in Section 16 of RIPA. It did not think “the authorities have struck a fair balance between the competing public and private interests by exempting it in its entirety from the safeguards applicable to the searching and examining of content.” It recognized that metadata possesses different privacy protections and intelligence value compared to communications data—and that not all metadata warrants the same protection. The court also recognized that case law has not extended the minimum six requirements to surveillance on communications data thus far and opts not to resolve the issue.

However, “related communications data,” which the government confirmed is traffic data, includes geolocation information, browsing information, routing information, equipment information, etc. which does possess some privacy value. The court was uncomfortable with the government’s ability to search this information “without restriction” and called for the adoption of sufficient safeguards in the handling of this data to “ensure that the exemption of related communications data from the requirements of [S]ection 16 of RIPA is limited to the extent necessary to determine whether an individual is, for the time being, in the British Islands.”

The court felt confident that procedures regarding the storage, access, examination and use of intercepted data were sufficiently clear and restrictive. Intercepted data could only be accessed by specifically authorized analysts for a predetermined and limited period of time, and compliance was regularly audited. The court also granted that “while it would be desirable for the term “likely to become necessary,” the procedure for communicating intercepted data to other parties does not infringe on Article 8 rights. Intelligence disclosure and copying must be “limited to the minimum necessary for the ‘authorised purposes,’” when “necessary” can include “likely to become necessary.” However, “likely to become necessary” is not defined in RIPA or the IC Code; it is therefore at risk of an expansive reading. Finally, the court upheld RIPA’s processes regarding the destruction of intelligence as sufficiently clear and limited.

The court concluded the oversight and supervisory checks on the bulk-collection program were sufficient. First, it mentioned that while warrants can be authorized by the secretary of state, these warrant requests are overseen by the interception of communications commissioner, an independent surveillance watchdog. Next, the court pointed to the IPT as a judicial body capable of hearing complaints against the regime and providing redress. Finally, it acknowledged that the new Investigatory Powers Act of 2016, though not at issue in the legal analysis, requires warrants to be approved by judicial commissioners, introducing an additional layer of accountability.

In assessing proportionality, the court held that data interception programs were justified by the international socio-political climate. It pointed to reports by the Independent Reviewer of Terrorism Legislation and the Venice Commission who both concluded that bulk interception was “an essential capability: first, because terrorists, criminals and hostile foreign intelligence services had become increasingly sophisticated at evading detection by traditional means; and second, because the nature of the global Internet meant that the route a particular communication would travel had become hugely unpredictable.”

Ultimately, the court held that it was satisfied that the U.K. takes its legal obligations seriously and is not abusing its powers under Section 8(4) of RIPA. But the court stillit still identified two concerns:

first, the lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst; and secondly, the absence of any real safeguards applicable to the selection of related communications data for examination.

The court therefore found the regime violated the first prong of the test, the rule of law requirement, and the third prong of the test, or the necessity requirement.

  • Intelligence Sharing

The court determined that the complaints by the applicants against the intelligence sharing programs were admissible. It first stated that, where effective domestic remedies such as the IPT exist for victims to raise general, impersonal concerns about a surveillance regime, applicants could only proceed at the ECHR if they can show that “due to their personal situation, they were potentially at risk of having their communications obtained” by the U.K. However, the court found that applicants were potentially at risk of having their information obtained by the U.K. and requested by foreign governments from the U.K., pointing to the Liberty case as evidence that two applicants already have had their communications intercepted.

The court acknowledged that it was the first time it had been asked to “consider the Convention compliance of an intelligence sharing regime.” Shared intelligence can be divided into three categories:

  1. intercepted communications shared by a foreign entity but unsolicited by the UK,
  2. intercepted communications shared by a foreign entity upon solicitation by the UK, and
  3. foreign intelligence obtained by means other than interception.

The analysis focused on the second category of information, further dividing it into intercepted information solicited by the U.K. after it is already, independently of the request, intercepted by the foreign government and information the U.K. requests the foreign government to intercept on their behalf.

The court then analyzed whether the solicitation of signals intercepts was “in accordance with the law,” with the basis in domestic law accessible to the person concerned, foreseeable as to its effects, proportionate to the legitimate aim pursued, and conducted with adequate safeguards to ensure that the “interference” is limited to what is “necessary in a democratic society.” The court then confirmed that the program must meet the same six minimum requirements as used in the bulk interception analysis.

The 1946 U.K.-U.S. Communication Intelligence Agreement governs the exchange of intelligence between the two countries. Additionally, the SSA and ISA authorize MI5 and MI6 respectively with their intelligence services functions, setting forth guidelines for their ability to receive foreign intelligence to ensure they only obtain as much information as is necessary for the proper discharge of their functions. The “legitimate aims” articulated include “the interests of national security, public safety and the economic well-being of the country, the prevention of disorder or crime, and the protection of the rights and freedoms of others.” The court considered the arrangements established by these laws sufficiently accessible to potentially affected persons.

Intelligence sharing requests are only permitted

if an interception warrant under RIPA has already been issued by the Secretary of State, the assistance of the foreign government is necessary to obtain the particular communications because they cannot be obtained under the existing warrant, and it is necessary and proportionate for the intercepting agency to obtain those communications.

In the case of “exceptional circumstances,” a request can be made without a RIPA warrant as long as it does not amount to a “deliberate circumvention” of RIPA or frustrate its objectives. The court found these restrictions sufficiently narrow to prevent the abuse of this power.

Once the U.K. has this information, it becomes a data controller under the meaning of the Data Protection Act of 1998 (DPA) and must comply with that statute’s principles of privacy and security. Additionally, the Counter-Terrorism Act of 2008 (CTA) and Official Secrets Act (OSA) protect against employees unlawfully disclosing shared intelligence. Finally, the court gave significant weight to the safeguards set forth in Section 15 and 16 of RIPA, which the newly amended IC Code confirmed applied to material obtained from foreign intelligence. Recipient U.K. intelligence agencies are also restricted in their ability to disclose material obtained from foreign entities to other parties unless specifically authorized by law. Finally, the court gave credence to the independent oversight provided by the ISC, the interception of communications commissioner, and the IPT in reviewing activities under this program.

The court ultimately stated that “due to the nature of global terrorism, and in particular the complexity of global terror networks,” information flow between countries is necessary, and its import is recognized in a legislative framework that provides “considerable safeguards against abuse” and ensures that the “resulting interference was kept to that which was “necessary in a democratic society.” The court found no evidence of shortcomings in the application of the regime, evidence of abuse, or violation of Article 8 of the Convention by the intelligence sharing regime.

  • Acquisition of Communications Data

The court ruled that the applicants’ complaints against the Chapter II communication data acquisition program were admissible because the applicants qualify as “victims” within the meaning of Article 34 of the convention and thereby hold standing to sue their for asserted Article 8 rights. The government argued that the applicants were not targets of the acquisition program and therefore cannot be victims, but the court found that the “large number of public authorities entitled to make such requests” and the wide grounds on which a request might be made increase the likelihood that applicants were targets of a CSP request for communications data. Additionally, given that the Bureau of Investigative Journalism applicants were “investigative journalists who have reported on issues such as CIA torture, counterterrorism, drone warfare, and the Iraq war logs,” the court accepted that they were at risk of having their communications obtained by the U.K. through a CSP “either directly, through a request to a CSP for their communications data, or indirectly, through a request to a CSP for the communications data of a person or organisation they had been in contact with.”

In assessing the validity of the data-acquisition program, the court asked “whether the Chapter II regime was in accordance with the law; whether it pursued a legitimate aim; and whether it was necessary in a democratic society, having particular regard to the question of whether it provided adequate safeguards against arbitrariness.” The court conceded that the program is clearly authorized by domestic law under Section 22 of the RIPA and the ACD Code. However, it said that the domestic authorizations are in tension with EU law, where the latter has primacy.

In Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources and Others and Settinger and Others, and Secretary of State for the Home Department v. Watson and Others, the Court of Justice of the European Union (CJEU) indicated that access to CSP data should be limited “to what was strictly necessary for the objective pursued, and, where that objective was fighting crime, it should be restricted to fighting serious crime.” Additionally, it suggested that access should be subjected to prior independent review. Since Chapter II of the law does not restrict acquisition to communications data to cases of “serious crime” and does not subject requests to independent review by a court or independent administrative body, it is not compliant with controlling EU law.

  • Alleged Violation of Article 10

The applicants in 10 Human Rights Organizations and Bureau of Investigative Journalism both alleged violations of Article 10’s guarantee of freedom of expression. The court ruling deemed claims by 10 Human Rights Organizations applicants inadmissible because, unlike the other two suits, their suit was first brought to the IPT and so cannot benefit from the special exception granted the other two suits allowing them to bring claims before the ECHR despite not exhausting their domestic remedies. Applicants in 10 Human Rights Organizations did not raise the complaint that the intelligence sharing regime violated Article 10 early enough during the IPT proceedings, and so their claims before the ECHR were dismissed.

The court held that the Bureau of Investigative Journalism applicants were permitted to proceed with their claim that bulk collections of communications and that the acquisition of communications data from CSPs violated Article 10 of the Convention.

The court ruled that the Section 8(4) bulk collections program was incompatible with freedom of expression despite the fact that surveillance was not “aimed at monitoring journalists or uncovering journalistic sources” because it would still cause a “potential chilling effect.” The court set a high bar to establish the necessity for viewing communications involving journalists: it must be “justified by an overriding requirement in public interest.” The judges wrote that this bar can be met by the implementation of “sufficient safeguards relating both to the protection to the circumstances in which they may be selected intentionally for examination, and to the protection of confidentiality where they have been selected for examination.” As they stand, the court found the transparency and process for selecting communications for examination lacking.

Regarding acquisition of communications data from CSPs, the court was concerned about “collateral intrusion” into the confidentiality of journalists and potential sources without proper oversight. Querying CSPs for the purpose of identifying a journalist or his o her source requires approval from a court or administrative body, but any other request may inadvertently compromise the confidentiality of a source without any independent oversight. Additionally, the court was concerned that there “are no special provisions restricting access to the purpose of combating ‘serious crime’” in regards to journalist communications data. The court believed journalists to be uniquely deserving of protections not currently afforded under law and therefore held that the Chapter II authorities were not compatible with Article 10.

  • Alleged Violation of Article 6

Applicants in the 10 Human Rights Organizations case challenged the IPT proceedings as “disproportionate and impaired the very essence of their right to a fair trial” under Article 6 of the Convention.

First, the court sided with the government in concluding that it is unclear whether Article 6 rights extend to decisions to place an individual under surveillance and that in fact, no case law exists to suggest that it does. It argued that the IPT had, of its own accord, imposed on itself Article 6 requirements pertaining to questions of civil rights violations vis-a-vis surveillance decisions. However, the ECHR did not see the need to decide on the outer bounds of Article 6 rights in surveillance proceedings because it found applicants’ complaints “manifestly ill-founded.”

Applicants argued a lack of independence and impartiality as well as a lack of proper right to representation evidenced by the fact that the IPT held a secret meeting with the Security Services during which MI5 decided not to search or disclose any bulk data related to complainants from the 10 Human Rights Organizations suit. Applicants were not permitted to attend the meeting and were not permitted to view all the material introduced and reviewed during the course of the meeting. The court acknowledged the limitation on applicants’ procedural rights but cited Kennedy v. the United Kingdom in ruling that restrictions are necessary to ensure the efficacy of the secret surveillance regime. As in Kennedy, this court did not feel this impaired the essence of applicants’ Article 6 rights.

  • Alleged Violation of Article 14 Combined with Articles 8 and 10

Applicants in the 10 Human Rights Organizations case brought charges of discrimination under Article 14 of the Convention. It relied on the theory that Section 8(4) warrants only provided additional safeguards for individuals known to be in the United Kingdom, which subjects individuals not located in the U.K. to a greater risk of violations of their Article 8 right to privacy and Article 10 right to freedom of expression.

However, the court was not persuaded by this argument, holding that the applicants did not substantiate their claim that persons outside the United Kingdom are disproportionately impacted by the Article 8(4) regime. It pointed to the fact that Article 8(4) covers communications between parties where one party is in the U.K., which militates against the argument that the surveillance program specifically targets non-U.K. individuals. Additionally, some wholly “internal communications” are captured by an Article 8(4) warrant if the provider’s host servers are overseas. The court concluded that even if there is a difference in treatment between individuals in the U.K. and those overseas, it is justified by the government’s diminished investigative authorities and abilities overseas that require it to resort to interception of communication.

Impact on other authorities

In 2016, Parliament passed the Investigatory Powers Act which overhauled surveillance law. The ECHR decision did not directly address that law, which replaced large parts of the RIPA that were at the core of the lawsuit. The IPA included new safeguards including the requirement of warrants for the use of surveillance powers to be authorized by the secretary of state and approved by a judge, sometimes called a “double lock.” It also created an independent watchdog, the Investigatory Powers Commissioner, to oversee the use of the IPA. The legality of the IPA faces a separate legal challenge. It will be worth watching how the IPA law survives in the wake of Big Brother.

Chinmayi Sharma is an Associate Professor at Fordham Law School. Her research and teaching focus on internet governance, platform accountability, cybersecurity, and computer crime/criminal procedure. Before joining academia, Chinmayi worked at Harris, Wiltshire & Grannis LLP, a telecommunications law firm in Washington, D.C., clerked for Chief Judge Michael F. Urbanski of the Western District of Virginia, and co-founded a software development company.

Subscribe to Lawfare