    Bulk Data Interception

    Module 4: Surveillance of Journalists, Searches and Digital Device Seizures

    Surveillance of communications, including by introducing bulk interception regimes, has been at the forefront of legal developments on the issue of surveillance in recent years. Not only the increased data flow online, but also the technical sophistication of surveillance tools increases the risk of citizens, including journalists, becoming “transparent persons”(1) for state authorities. According to the UN Special Rapporteur on freedom of expression:

    “Technological advancements mean that the State’s effectiveness in conducting surveillance is no longer limited by scale or duration. […] As such, the State now has greater capability to conduct simultaneous, invasive, targeted and broad-scale surveillance than ever before.”(2)

    What is bulk data interception?

    Bulk data interception is defined as “the gathering of large chunks of internet traffic from around the world” in situations where the target is unknown, and the intent of the measure is to discover rather than to investigate.(3) The data gathered can include, besides the content of the communication, the circumstances of its transmission, including the “who”, “when” and “where”.(4) It is closely linked to mass surveillance, which “involves the acquisition, processing, generation, analysis, use, retention or storage of information about large numbers of people, without any regard to whether they are suspected of wrongdoing.”(5)

    Such practices – as well as targeted surveillance measures – infringe on the right to privacy (Article 17 ICCPR, Article 8 ECHR), as authorities gain access to intimate private and professional data. In addition, the knowledge – or even suspicion – of being surveilled undermines the right to freedom of expression (Article 19 ICCPR, Article 10 ECHR), as the fear of unwillingly disclosing online activity or the identity of journalistic sources creates a chilling effect and leads to self-censorship, in particular in repressive environments.

    International legal standards

    Various UN bodies have expressed concern over the human rights impact of surveillance measures. For instance, the UN Human Rights Committee has stated that “[s]urveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.”(6) It further stated that to comply with the requirements of Article 17 ICCPR, the right to privacy, the “integrity and confidentiality of correspondence should be guaranteed de jure and de facto.”(7)

    Communications surveillance has been described as a “highly intrusive act” which can only be justified in the most exceptional circumstances and must be accompanied by sufficient safeguards.(8) Beyond this – as criticised by the UN Special Rapporteur on counter-terrorism in 2014 – “[b]ulk access technology is indiscriminately corrosive of online privacy and impinges on the very essence of the right guaranteed by article 17 [ICCPR]”(9) as it “eradicates the possibility of any individualized proportionality analysis.”(10) Aligned with this assessment, the UN Office of the High Commissioner for Human Rights (OHCHR) has also stressed that indiscriminate mass surveillance, and communications interception, collecting, storing and analysing of all users, is “not permissible under international human rights law, as an individualized necessity and proportionality analysis would not be possible in the context of such measures.”(11) According to the OHCHR, “the mere possibility of communications information being captured” and thus the very existence of a mass surveillance programme, interferes with the right to privacy.(12)

    Regional standards: EU

    For almost a decade, mass surveillance measures have been subject to interpretation by European courts. The Court of Justice of the European Union (CJEU), in particular, has dealt with the topic of data retention measures extensively in a number of landmark judgments, raising concerns about, inter alia, the fact that the retained data allows authorities to draw very precise conclusions about the private life of the individuals concerned.(13)

    • In its judgment regarding the case Digital Rights Ireland/Seitlinger and Others (2014), the CJEU invalidated the Data Retention Directive (EU Directive 2006/24/EC), which, inter alia, required telecommunications providers to retain all users’ traffic and location data for prolonged periods. The CJEU invalidated the Directive on the basis that it interfered with the right to respect for private and family life and the protection of personal data in a “particularly serious” and disproportionate manner.(14)
    • Two years later, in Tele2 Sverige AB/Watson and Others (2016), the CJEU built on these findings, holding that EU law precluded domestic legislation imposing an obligation on electronic communications services to generally and indiscriminately retain traffic and location data for the purpose of fighting crime.(15) The CJEU at the same time clarified that the targeted retention of data, limited to what is strictly necessary, and imposed by clear and precise legislation containing sufficient safeguards is not precluded by EU law.(16)
    • In the case of Privacy International (2020), the CJEU reiterated the prohibition of general and indiscriminate retention of data. The case required it to consider the application of EU law to domestic legislation requiring communications service providers to retain data and/or forward it to national security and intelligence services.(17) The CJEU expanded on its findings in the Tele2 case, holding that EU law precludes domestic legislation which requires electronic communication service providers to generally and indiscriminately transmit traffic and location data to security and intelligence agencies for the purpose of safeguarding national security.(18) In the joined case of La Quadrature du Net and Others (2020), the CJEU held that an order requiring general and indiscriminate location and traffic data retention can be justified where the state is facing a serious, genuine and present or foreseeable threat to national security.(19) While this order must be limited in time to what is strictly necessary, it may be extended if the threat persists.(20)

    Additionally, the CJEU clarified requirements for targeted retention as well as retention of IP addresses and other data allowing the identification of users, classifying some types of data as “less sensitive”.(21)

    • In its recent decision in the case SpaceNet/Telecom Deutschland (2022), the CJEU again confirmed that EU law precludes the requirement of preventive, general and indiscriminate data retention to combat serious crime and prevent serious threats to public security.(22) It further elaborated on a number of measures which, insofar as they are established by clear and precise rules containing sufficient safeguards, are not precluded, including:(23)
    • Instructions to generally and indiscriminately retain traffic and location data for the purpose of safeguarding national security where there is a serious, genuine, present and foreseeable threat to national security, insofar as an effective review process is in place and the instruction is limited in time to what is strictly necessary;
    • Targeted retention of traffic and location data, which is limited in time and scope, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security;
    • In addition, the CJEU elaborates on the circumstances under which the indiscriminate and general retention of IP addresses, data relating to the civil identity of users and expedited retention of traffic and location data in the possession of service providers may be justified under EU law.

    Regional standards: CoE

    The European Court of Human Rights (ECtHR) has also assessed the legality of different domestic bulk interception systems in several landmark cases.

    Initially, in the 2006 judgment in the case Weber and Saravia v. Germany, the ECtHR held that states generally enjoy a “fairly wide margin of appreciation” in respect to measures concerning national security and the prevention of crimes.(24)

    A few years later, the ECtHR had to examine the Russian secret telecommunications regime in light of the ECHR in Zakharov v. Russia. The Grand Chamber found a violation of Article 8 ECHR, arguing that the domestic provisions lacked “adequate and effective guarantees against arbitrariness and the risk of abuse which is inherent in any system of secret surveillance”.(25) Similarly, the ECtHR found that the Hungarian anti-terror legislation did not contain sufficient safeguards and expressed its concern over the fact that virtually anyone in Hungary could be surveilled.(26)

    In a groundbreaking judgment on bulk surveillance, the ECtHR’s First Section ruled in Big Brother Watch v. UK in 2018 that bulk interception by intelligence agencies is not in and of itself incompatible with the right to privacy.(27)

    This finding was later confirmed by the Grand Chamber, which found that bulk interception measures can be justified under certain circumstances, such as for gathering intelligence data and to counter terrorism and espionage.(28) The ECtHR held that while bulk interception regimes do not per se violate the Convention rights, they must contain end-to-end safeguards as well as sufficient protection for journalistic sources.(29)

    In the case of Centrum för Rättvisa v. Sweden, decided on the same day, the ECtHR’s Grand Chamber found that the Swedish bulk interception regime violated Article 8 ECHR, but also explicitly held that “bulk interception is of vital importance to Contracting States in identifying threats to their national security” and “no alternative or combination of alternatives would be sufficient to substitute for the bulk interception power.”(30)

    The Court has since examined further domestic mass surveillance and data retention systems and found violations of the ECHR.(31)

    Litigating bulk data interception cases: Victim status

    The term “standing” is usually understood as a person’s or organisation’s ability to bring a case to a particular court. While its requirements differ between jurisdictions, an applicant is usually asked to establish why they are affected by the matter or what interest they represent. Often, they will be required to demonstrate a sufficient connection between an issue and their interest in it.

    The ECtHR, as mandated by Article 34 ECHR, accepts applications from those “claiming to be a victim of a violation by one of the High Contracting Parties of the rights set forth in the Convention or the Protocols thereto.” While this includes not only direct victims but also those who would suffer harm or have a valid interest in the case,(32) the ECtHR has made clear that:

    “the Convention does not provide for the institution of an actio popularis and that its task is not normally to review the relevant law and practice in abstracto, but to determine whether the manner in which they were applied or affected the applicant gave rise to a violation of the Convention.”(33)

    Therefore, the ECtHR generally requires applicants to explain how they were victims of a specific act that they claim violated their rights. However, under certain circumstances, “potential victims” can apply to the ECtHR. This includes individuals who suspect that they have been targeted by covert (surveillance) measures. As these individuals cannot know whether such a measure was used, the ECtHR accepts that “the mere existence of secret measures or of legislation permitting secret measures” can be sufficient.(34) This is the case where the applicant can possibly have been affected by the legislation in question and there are no sufficient and effective domestic remedies available.(35)

    Similar approaches are taken by some domestic courts. For example, the Federal Constitutional Court of Germany accepted the submission that the applicants, who had complained of the 2007 retention obligations in the Telecommunications Act, used telecommunication services in their private and professional capacity, accepting their standing based on the “reasonable likelihood” of being affected by such measures.(36) The Constitutional Court continued to follow this line of argument in subsequent cases, where there was a sufficient probability of the applicants having been targeted with measures under the provisions complained of when there were insufficient ex post facto disclosure obligations.(37)

    Footnotes

    1. This term, which was originally used in the debates around the 1982 German census law, describes the extensive collection of personal data by public authorities.
    2. UN Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (17 April 2013), para 33, A/HRC/23/40, (accessible at https://www.ohchr.org/sites/default/files/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf).
    3. Big Brother Watch, Interception (undated) (accessible at https://www.bigbrotherwatch.org.uk/wp-content/uploads/2016/03/Interception.pdf).
    4. Nóra Ní Loideáin, Bulk Surveillance: Europe’s Recent Landmark Judgements (5 July 2021), (accessible at https://digitalfreedomfund.org/bulk-surveillance-europes-recent-landmark-judgements/).
    5. Privacy International, Mass Surveillance (undated), (accessible at https://privacyinternational.org/learn/mass-surveillance).
    6. UN Human Rights Committee, General Comment No. 16: Article 17 (The right to respect of privacy, family, home and correspondence, and protection of honour and reputation) (1988), para 8, HRI/GEN/1/Rev.1 (accessible at https://tbinternet.ohchr.org/_layouts/15/treatybodyexternal/Download.aspx?symbolno=INT/CCPR/GEC/6624&Lang=en).
    7. Ibid.
    8. UN Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (17 April 2013), para 81, A/HRC/23/40, (accessible at https://www.ohchr.org/sites/default/files/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf).
    9. Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Promoting and protecting human rights and fundamental freedoms while countering terrorism (23 September 2023), A/69/397, paras 47 and 59.
    10. Ibid. para 12.
    11. UN OHCHR, Report on best practices and lessons learned on how protecting and promoting human rights contribute to preventing and countering violent extremism (21 July 2016), A/HRC/33/29, para 58, (accessible at https://documents.un.org/doc/undoc/gen/g16/162/55/pdf/g1616255.pdf?token=7ZE6OZPumcc3EEN1ef&fe=true); see also: UN OHCHR, The right to privacy in the digital age (3 August 2018), A/HRC/39/29, para 17, (accessible at https://documents.un.org/doc/undoc/gen/g18/239/58/pdf/g1823958.pdf?token=vHBHl8grgdBvUurNtZ&fe=true).
    12. UN OHCHR, The right to privacy in the digital age (30 June 2014), A/HRC/27/37, para 20, (accessible at https://documents.un.org/doc/undoc/gen/g14/088/54/pdf/g1408854.pdf?token=fFdsUu2JQmijfG6MYr&fe=true).
    13. See for instance CJEU, Judgment of the Court (Grand Chamber) concerning SpaceNet AG and Telekom Deutschland GmbH v Bundesrepublik Deutschland (20 September 2022), paras 117 and 184.
    14. CJEU, Judgment of the Court (Grand Chamber) concerning Digital Rights Ireland Ltd v Minister of Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12 (8 April 2014), paras 37 and 69.
    15. CJEU, Judgment of the Court (Grand Chamber) concerning Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, Joined Cases C-203/15 and C-698/15 (21 December 2016), para 112.
    16. Ibid. para 108.
    17. CJEU, Judgment of the Court (Grand Chamber) concerning Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others, Case C-623/17 (6 October 2020), para 82.
    18. Ibid. para 49; see for an analysis for instance Monika Zalnieriute, A Dangerous Convergence: The Inevitability of Mass Surveillance in European Jurisprudence (4 June 2021), (accessible at https://www.ejiltalk.org/a-dangerous-convergence-the-inevitability-of-mass-surveillance-in-european-jurisprudence/) and Juraj Sajfert, Bulk data interception/retention judgments of the CJEU – A victory and a defeat for privacy (26 October 2020), (accessible at https://europeanlawblog.eu/2020/10/26/bulk-data-interception-retention-judgments-of-the-cjeu-a-victory-and-a-defeat-for-privacy/).
    19. CJEU, Judgment of the Court (Grand Chamber) concerning La Quadrature du Net and Others v Premier ministre and Others, Joined Cases C-511/18, C-512/18 and C-520/18 (6 October 2020), para 168.
    20. Ibid.
    21. Ibid. paras 152, 168.
    22. CJEU, Judgment of the Court (Grand Chamber) concerning SpaceNet AG and Telekom Deutschland GmbH v Bundesrepublik Deutschland (20 September 2022), para 132.
    23. Ibid.
    24. ECtHR, Weber and Saravia v. Germany, App. No. 54934/00, §137, 29 June 2006.
    25. ECtHR, Roman Zakharov v Russia [GC], App No. 47143/06, §302, ECHR 2015.
    26. ECtHR, Szabó and Vissy v. Hungary, App. No. 37138/14, §88, 12 January 2016.
    27. ECtHR, Big Brother Watch and Others v. the United Kingdom, App Nos. 58170/13 and 2 others, §314, 13 September 2018; see for an analysis Nóra Ní Loideáin, Bulk Surveillance: Europe’s Recent Landmark Judgements (5 July 2021), (accessible at https://digitalfreedomfund.org/bulk-surveillance-europes-recent-landmark-judgements/).
    28. ECtHR, Big Brother Watch v. UK, App Nos. 58170/13 and Others, 25 May 2021; see for an analysis Eliza Watt, The legacy of the privacy versus security narrative in the ECtHR’s jurisprudence (21 April 2022) (accessible at https://verfassungsblog.de/os6-privacy-vs-security/).
    29. ECtHR, Big Brother Watch v. UK, App Nos. 58170/13 and Others, §§350, 442-450, 25 May 2021.
    30. ECtHR, Centrum för Rättvisa v. Sweden, App. No. 35252/08, §365, 25 May 2021; Monika Zalnieriute, A Dangerous Convergence: The Inevitability of Mass Surveillance in European Jurisprudence (4 June 2021), (accessible at https://www.ejiltalk.org/a-dangerous-convergence-the-inevitability-of-mass-surveillance-in-european-jurisprudence/).
    31. See for instance ECtHR, Ekimdzhiev and Others v. Bulgaria, App. No. 70078/12, 11 January 2022; ECtHR, Podchasov v. Russia, App. No. 33696/19, 13 February 2024; ECtHR, Škoberne v. Slovenia, App No. 19920/20, 15 February 2024.
    32. ECtHR [GC], Vallianatos and Others v. Greece, App. Nos. 29381/09 and 32684/08, §47, 7 November 2013.
    33. ECtHR, Roman Zakharov v Russia [GC], App No. 47143/06, §164, ECHR 2015 with further references.
    34. See ECtHR, Klass and Others v. Germany, App No. 5029/71, §34, 6 September 1978.
    35. ECtHR, Roman Zakharov v Russia [GC], App No. 47143/06, §171, ECHR 2015; see also ECtHR, Kennedy v. UK, App No. 26839/05, §124, 18 May 2010; ECtHR, Centrum för Rättvisa v. Sweden, App. No. 35252/08, §§166-167, 25 May 2021; ECtHR, Wieder and Guarnieri v. The United Kingdom, App Nos. 64371/16 and 64407/16, §§97-110, 12 September 2023.
    36. German Federal Constitutional Court, Order of 2 March 2010 (TKG), 1 BvR 256/08, 1 BvR 586/08, 1 BvR 263/08, §§177-178, (accessible at https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/DE/2010/03/rs20100302_1bvr025608.html).
    37. German Federal Constitutional Court, Order of 20 April 2016, 1 BvR 966/09, §§82-84, (accessible at https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/DE/2016/04/rs20160420_1bvr096609.html) and Order of 19 May 2020, BNDG, 1 BvR 2835/17, §§71-76, (accessible at https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/DE/2020/05/rs20200519_1bvr283517.html).