Bulk Data Interception
Module 4: Surveillance of Journalists, Searches and Digital Device Seizures
Surveillance of communications, including by introducing bulk interception regimes, has been to the forefront of legal developments on the issue of surveillance in recent years. Not only the increased data flow online, but also the technical sophistication of surveillance tools increases the risk of citizens, including journalists, becoming “transparent persons”(1) for state authorities. According to the UN Special Rapporteur on freedom of expression:
“Technological advancements mean that the State’s effectiveness in conducting surveillance is no longer limited by scale or duration. […] As such, the State now has greater capability to conduct simultaneous, invasive, targeted and broad-scale surveillance than ever before.”(2)
What is bulk data interception?
Bulk data interception is defined as “the gathering of large chunks of internet traffic from around the world” in situations where the target is unknown, and the intent of the measure is to discover rather than to investigate.(3) The data gathered can include, besides the content of the communication, the circumstances of its transmission, including the “who”, “when” and “where”.(4) It is closely linked to mass surveillance, which “involves the acquisition, processing, generation, analysis, use, retention or storage of information about large numbers of people, without any regard to whether they are suspected of wrongdoing.”(5)
Such practices – as well as targeted surveillance measures – infringe on the right to privacy (Article 17 ICCPR, Article 8 ECHR), as authorities gain access to intimate private and professional data. In addition, the knowledge – or even suspicion – of being surveilled undermines the right to freedom of expression (Article 19 ICCPR, Article 10 ECHR), as the fear of unwillingly disclosing online activity or the identity of journalistic sources creates a chilling effect and leads to self-censorship, in particular in repressive environments.
International legal standards
Various UN bodies have expressed concern over the human rights impact of surveillance measures. For instance, the UN Human Rights Committee has stated that “[s]urveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.”(6) It further stated that to comply with the requirements of Article 17 ICCPR, the right to privacy, the “integrity and confidentiality of correspondence should be guaranteed de jure and de facto.”(7)
Communications surveillance has been described as a “highly intrusive act” which can only be justified in the most exceptional circumstances and must be accompanied by sufficient safeguards.(8) Beyond this – as criticised by the UN Special Rapporteur on counter-terrorism in 2014 – “[b]ulk access technology is indiscriminately corrosive of online privacy and impinges on the very essence of the right guaranteed by article 17 [ICCPR]”(9) as it “eradicates the possibility of any individualized proportionality analysis.”(10) Aligned with this assessment, the UN Office of the High Commissioner for Human Rights (OHCHR) has also stressed that indiscriminate mass surveillance, and communications interception, collecting, storing and analysing of all users, is “not permissible under international human rights law, as an individualized necessity and proportionality analysis would not be possible in the context of such measures.”(11) According to the OHCHR, “the mere possibility of communications information being captured” and thus the very existence of a mass surveillance programme, interferes with the right to privacy.(12)
Regional standards: EU
For almost a decade, mass surveillance measures have been subject to interpretation by European courts. The Court of Justice of the European Union (CJEU), in particular, has dealt with the topic of data retention measures extensively in a number of landmark judgments, raising concerns about, inter alia, the fact that the retained data allows authorities to draw very precise conclusions about the private life of the individuals concerned.(13)
- In its judgment regarding the case Digital Rights Ireland/Seitlinger and Others (2014), the CJEU invalidated the Data Retention Directive (EU Directive 2006/24/EC), which, inter alia, required telecommunications providers to retain all users’ traffic and location data for prolonged periods. The CJEU invalidated the Directive on the basis that it interfered with the right to respect for private and family life and the protection of personal data in a “particularly serious” and disproportionate manner.(14)
- Two years later, in Tele2 Sverige AB/Watson and Others (2016), the CJEU built on these findings, holding that EU law precluded domestic legislation imposing an obligation on electronic communications services to generally and indiscriminately retain traffic and location data for the purpose of fighting crime.(15) The CJEU at the same time clarified that the targeted retention of data, limited to what is strictly necessary, and imposed by clear and precise legislation containing sufficient safeguards is not precluded by EU law.(16)
- In the case of Privacy International (2020), the CJEU reiterated the prohibition of general and indiscriminate retention of data. The case required it to consider the application of EU law to domestic legislation requiring communications service providers to retain data and/or forward it to national security and intelligence services.(17) The CJEU expanded on its findings in the Tele2 case, holding that EU law precludes domestic legislation which requires electronic communication service providers to generally and indiscriminately transmit traffic and location data to security and intelligence agencies for the purpose of safeguarding national security.(18) In the joined case of La Quadrature du Net and Others (2020), the CJEU held that an order requiring general and indiscriminate location and traffic data retention can be justified where the state is facing a serious, genuine and present or foreseeable threat to national security.(19) While this order must be limited in time to what is strictly necessary, it may be extended if the threat persists.(20)
Additionally, the CJEU clarified requirements for targeted retention as well as retention of IP addressed and other data allowing the identification of users, classifying some types of data as “less sensitive”.(21)
- It its recent decision in the case SpaceNet/Telecom Deutschland (2022), the CJEU again confirmed that EU law precludes the requirement of preventive, general and indiscriminate data retention to combat serious crime and prevent serious threats to public security.(22) It further elaborated on a number of measures which, insofar as they are established by clear and precise rules containing sufficient safeguards, are not precluded, including:(23)
- Instructions to generally and indiscriminately retain traffic and location data for the purpose of safeguarding national security where there is a serious, genuine, present and foreseeable threat to national security, insofar as an effective review process is in place and the instruction is limited in time to what is strictly necessary;
- Targeted retention of traffic and location data, which is limited in time and scope, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security;
- In addition, the CJEU elaborates on the circumstances under which the indiscriminate and general retention of IP addresses, data relating to the civil identity of users and expedited retention of traffic and location data in the possession of service providers may be justified under EU law.
Regional standards: CoE
The European Court of Human Rights (ECtHR) has also assessed the legality of different domestic bulk interception systems in several landmark cases.
Initially, in the 2006 judgment in the case Weber and Saravia v. Germany, the ECtHR held that states generally enjoy a “fairly wide margin of appreciation” in respect to measures concerning national security and the prevention of crimes.(24)
A few years later, the ECtHR had to examine the Russian secret telecommunications regime in light of the ECHR in Zakharov v. Russia. The Grand Chamber found a violation of Article 8 ECHR, arguing that the domestic provisions lacked “adequate and effective guarantees against arbitrariness and the risk of abuse which is inherent in any system of secret surveillance”.(25) Similarly, the ECtHR found that the Hungarian anti-terror legislation did not contain sufficient safeguards and expressed its concern over the fact that virtually anyone in Hungary could be surveilled.(26)
In a groundbreaking judgment on bulk surveillance, the ECtHR’s First Section ruled in Big Brother Watch v. UK in 2018 that bulk interception by intelligence agencies is not in and of itself incompatible with the right to privacy.(27)
This finding was later confirmed by the Grand Chamber, which found that bulk interception measures can be justified under certain circumstances, such as for gathering intelligence data and to counter terrorism and espionage.(28) The ECtHR held that while bulk interception regimes do not per se violate the Convention rights, they must contain end-to-end safeguards as well as sufficient protection for journalistic sources.(29)
In the case of Centrum för Rättvosa v. Sweden, decided on the same day, the ECtHR’s Grand Chamber found that the Swedish bulk interception regime violated Article 8 ECHR, but also explicitly held that “bulk interception is of vital importance to Contracting States in identifying threats to their national security” and “no alternative or combination of alternatives would be sufficient to substitute for the bulk interception power.”(30)
The Court has since examined further domestic mass surveillance and data retention systems and found violations of the ECHR.(31)
Litigating bulk data interception cases: Victim status
The term “standing” is usually understood as a person’s or organisations ability to bring a case to a particular court. While its requirements differ between jurisdictions, an applicant is usually asked to establish why they are affected by the matter or what interest they represent. Often, they will be required to demonstrate a sufficient connection between an issue and their interest in it.
The ECtHR, as mandated by Article 34 ECHR, accepts applications from those “claiming to be a victim of a violation by one of the High Contracting Parties of the rights set forth in the Convention or the Protocols thereto.” While this includes not only direct victims also those who would suffer harm or have a valid interest in the case,(32) the ECtHR has made clear that:
“the Convention does not provide for the institution of an action poularis and that its task is not normally to review the relevant law and practice in abstracto, but to determine whether the manner in which they were applied or affected the applicant gave a rise to a violation of the Convention.”(33)
Therefore, the ECtHR generally requires applicants to explain how they were victims of a specific act that they claim violated their rights. However, under certain circumstances, “potential victims” can apply to the ECtHR. This includes individuals suspecting to have been targeted by covert (surveillance) measures. As these individuals cannot know whether such a measure was used, the ECtHR accepts that “the mere existence of secret measures or of legislation permitting secret measures” can may sufficient.(34) This the case where the applicant can possibly have been affected by the legislation in question and there are no sufficient and effective domestic remedies available.(35)
Similar approaches are taken by some domestic court. For example, the Federal Constitutional Court of Germany accepted the submission that the applicants, who had complained of the 2007 retention obligations in the Telecommunications Act, used telecommunication services in their private and professional capacity, accepting their standing based on the “reasonable likelihood” of being affected of such measures.(36) The Constitutional Court continued to follow this line of argument in subsequent cases, where there was a sufficient probability of the applicants having been targeted with measures under the provisions complained of when there were insufficient ex post facto disclosure obligations.(37)