Surveillance of Journalists, Searches and Digital Device Seizures – Europe

Key Insights

Safeguarding the rights of journalists in the digital space, including protecting their communications and other sensitive data, has become an increasingly complex and relevant issue in the new information age. This module explores various measures by European states, courts and institutions which grapple with questions relating to privacy, security, and freedom of expression.

Introduction

Safeguarding the rights of journalists in the digital space, including protecting their communications and other sensitive data, has become an increasingly complex and relevant issue in the new information age. As the usage of the Internet, including online communication tools and electronic data sharing platforms, expand rapidly, a growing amount of data is transferred and stored digitally. In addition, many contributions to public debate are disseminated and received online.

While legislative, judicial and policy developments are struggling to keep up with the fast pace of technological developments, European countries and regional organisations, such as the European Union (EU) and the Council of Europe (CoE) have introduced measures addressing both old standing as well as emerging questions relating to privacy, security and freedom of expression. These include questions around the surveillance and retention of journalists’ communications and other forms of access to their devices.

Bulk Data Interception

Surveillance of communications, including by introducing bulk interception regimes, has been to the forefront of legal developments on the issue of surveillance in recent years. Not only the increased data flow online, but also the technical sophistication of surveillance tools increases the risk of citizens, including journalists, becoming “transparent persons”¹ for state authorities. According to the UN Special Rapporteur on freedom of expression:

Technological advancements mean that the State’s effectiveness in conducting surveillance is no longer limited by scale or duration. […] As such, the State now has greater capability to conduct simultaneous, invasive, targeted and broad-scale surveillance than ever before. ²

What is bulk data interception?

Bulk data interception is defined as “the gathering of large chunks of internet traffic from around the world” in situations where the target is unknown, and the intent of the measure is to discover rather than to investigate.³ The data gathered can include, besides the content of the communication, the circumstances of its transmission, including the “who”, “when” and “where”.⁴ It is closely linked to mass surveillance, which “involves the acquisition, processing, generation, analysis, use, retention or storage of information about large numbers of people, without any regard to whether they are suspected of wrongdoing.”⁵

Such practices – as well as targeted surveillance measures – infringe on the right to privacy (Article 17 ICCPR, Article 8 ECHR), as authorities gain access to intimate private and professional data. In addition, the knowledge – or even suspicion – of being surveilled undermines the right to freedom of expression (Article 19 ICCPR, Article 10 ECHR), as the fear of unwillingly disclosing online activity or the identity of journalistic sources creates a chilling effect and leads to self-censorship, in particular in repressive environments.

International legal standards

Various UN bodies have expressed concern over the human rights impact of surveillance measures. For instance, the UN Human Rights Committee has stated that “[s]urveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.”⁶ It further stated that to comply with the requirements of Article 17 ICCPR, the right to privacy, the “integrity and confidentiality of correspondence should be guaranteed de jure and de facto.”⁷

Communications surveillance has been described as a “highly intrusive act” which can only be justified in the most exceptional circumstances and must be accompanied by sufficient safeguards.⁸ Beyond this – as criticised by the UN Special Rapporteur on counter-terrorism in 2014 – “[b]ulk access technology is indiscriminately corrosive of online privacy and impinges on the very essence of the right guaranteed by article 17 [ICCPR]”⁹ as it “eradicates the possibility of any individualized proportionality analysis.”¹⁰ Aligned with this assessment, the UN Office of the High Commissioner for Human Rights (OHCHR) has also stressed that indiscriminate mass surveillance, and communications interception, collecting, storing and analysing of all users, is “not permissible under international human rights law, as an individualized necessity and proportionality analysis would not be possible in the context of such measures.”¹¹ According to the OHCHR, “the mere possibility of communications information being captured” and thus the very existence of a mass surveillance programme, interferes with the right to privacy.¹²

Regional standards: EU

For almost a decade, mass surveillance measures have been subject to interpretation by European courts. The Court of Justice of the European Union (CJEU), in particular, has dealt with the topic of data retention measures extensively in a number of landmark judgments, raising concerns about, inter alia, the fact that the retained data allows authorities to draw very precise conclusions about the private life of the individuals concerned.¹³

• In its judgment regarding the case Digital Rights Ireland/Seitlinger and Others (2014), the CJEU invalidated the Data Retention Directive (EU Directive 2006/24/EC), which, inter alia, required telecommunications providers to retain all users’ traffic and location data for prolonged periods. The CJEU invalidated the Directive on the basis that it interfered with the right to respect for private and family life and the protection of personal data in a “particularly serious” and disproportionate manner.¹⁴
• Two years later, in Tele2 Sverige AB/Watson and Others (2016), the CJEU built on these findings, holding that EU law precluded domestic legislation imposing an obligation on electronic communications services to generally and indiscriminately retain traffic and location data for the purpose of fighting crime.¹⁵ The CJEU at the same time clarified that the targeted retention of data, limited to what is strictly necessary, and imposed by clear and precise legislation containing sufficient safeguards is not precluded by EU law.¹⁶
• In the case of Privacy International (2020), the CJEU reiterated the prohibition of general and indiscriminate retention of data. The case required it to consider the application of EU law to domestic legislation requiring communications service providers to retain data and/or forward it to national security and intelligence services.¹⁷ The CJEU expanded on its findings in the Tele2 case, holding that EU law precludes domestic legislation which requires electronic communication service providers to generally and indiscriminately transmit traffic and location data to security and intelligence agencies for the purpose of safeguarding national security.¹⁸ In the joined case of La Quadrature du Net and Others (2020), the CJEU held that an order requiring general and indiscriminate location and traffic data retention can be justified where the state is facing a serious, genuine and present or foreseeable threat to national security.¹⁹ While this order must be limited in time to what is strictly necessary, it may be extended if the threat persists.²⁰

Additionally, the CJEU clarified requirements for targeted retention as well as retention of IP addressed and other data allowing the identification of users, classifying some types of data as “less sensitive”.²¹

• It its recent decision in the case SpaceNet/Telecom Deutschland (2022), the CJEU again confirmed that EU law precludes the requirement of preventive, general and indiscriminate data retention to combat serious crime and prevent serious threats to public security.²² It further elaborated on a number of measures which, insofar as they are established by clear and precise rules containing sufficient safeguards, are not precluded, including:²³

• Instructions to generally and indiscriminately retain traffic and location data for the purpose of safeguarding national security where there is a serious, genuine, present and foreseeable threat to national security, insofar as an effective review process is in place and the instruction is limited in time to what is strictly necessary;
• Targeted retention of traffic and location data, which is limited in time and scope, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security;
• In addition, the CJEU elaborates on the circumstances under which the indiscriminate and general retention of IP addresses, data relating to the civil identity of users and expedited retention of traffic and location data in the possession of service providers may be justified under EU law.

Regional standards: CoE

The European Court of Human Rights (ECtHR) has also assessed the legality of different domestic bulk interception systems in several landmark cases.

Initially, in the 2006 judgment in the case Weber and Saravia v. Germany, the ECtHR held that states generally enjoy a “fairly wide margin of appreciation” in respect to measures concerning national security and the prevention of crimes.²⁴

A few years later, the ECtHR had to examine the Russian secret telecommunications regime in light of the ECHR in Zakharov v. Russia. The Grand Chamber found a violation of Article 8 ECHR, arguing that the domestic provisions lacked “adequate and effective guarantees against arbitrariness and the risk of abuse which is inherent in any system of secret surveillance”.²⁵ Similarly, the ECtHR found that the Hungarian anti-terror legislation did not contain sufficient safeguards and expressed its concern over the fact that virtually anyone in Hungary could be surveilled.²⁶

In a groundbreaking judgment on bulk surveillance, the ECtHR’s First Section ruled in Big Brother Watch v. UK in 2018 that bulk interception by intelligence agencies is not in and of itself incompatible with the right to privacy.²⁷

This finding was later confirmed by the Grand Chamber, which found that bulk interception measures can be justified under certain circumstances, such as for gathering intelligence data and to counter terrorism and espionage.²⁸ The ECtHR held that while bulk interception regimes do not per se violate the Convention rights, they must contain end-to-end safeguards as well as sufficient protection for journalistic sources.²⁹

In the case of Centrum för Rättvosa v. Sweden, decided on the same day, the ECtHR’s Grand Chamber found that the Swedish bulk interception regime violated Article 8 ECHR, but also explicitly held that “bulk interception is of vital importance to Contracting States in identifying threats to their national security” and “no alternative or combination of alternatives would be sufficient to substitute for the bulk interception power.”³⁰

The Court has since examined further domestic mass surveillance and data retention systems and found violations of the ECHR.³¹

Litigating bulk data interception cases: Victim status

The term “standing” is usually understood as a person’s or organisations ability to bring a case to a particular court. While its requirements differ between jurisdictions, an applicant is usually asked to establish why they are affected by the matter or what interest they represent. Often, they will be required to demonstrate a sufficient connection between an issue and their interest in it.

The ECtHR, as mandated by Article 34 ECHR, accepts applications from those “claiming to be a victim of a violation by one of the High Contracting Parties of the rights set forth in the Convention or the Protocols thereto.” While this includes not only direct victims also those who would suffer harm or have a valid interest in the case,³² the ECtHR has made clear that:

The Convention does not provide for the institution of an action poularis and that its task is not normally to review the relevant law and practice in abstracto, but to determine whether the manner in which they were applied or affected the applicant gave a rise to a violation of the Convention. ³³

Therefore, the ECtHR generally requires applicants to explain how they were victims of a specific act that they claim violated their rights. However, under certain circumstances, “potential victims” can apply to the ECtHR. This includes individuals suspecting to have been targeted by covert (surveillance) measures. As these individuals cannot know whether such a measure was used, the ECtHR accepts that “the mere existence of secret measures or of legislation permitting secret measures” can may sufficient.³⁴ This the case where the applicant can possibly have been affected by the legislation in question and there are no sufficient and effective domestic remedies available.³⁵

Similar approaches are taken by some domestic court. For example, the Federal Constitutional Court of Germany accepted the submission that the applicants, who had complained of the 2007 retention obligations in the Telecommunications Act, used telecommunication services in their private and professional capacity, accepting their standing based on the “reasonable likelihood” of being affected of such measures.³⁶ The Constitutional Court continued to follow this line of argument in subsequent cases, where there was a sufficient probability of the applicants having been targeted with measures under the provisions complained of when there were insufficient ex post facto disclosure obligations.³⁷

Spyware

Targeted surveillance describes surveillance which focusses on obtaining information about the communications of a specific individual, such as a person who is already a suspect in a criminal case.”³⁸ A prominent example is the use of spyware, a malicious type of software which “interferes with a device’s normal operation to collect information without alerting the user”.³⁹

The most intrusive type of spyware currently known to the public is Pegasus spyware, which is manufactured by the Israeli cyber-arms company NSO Group and is exclusively sold to governments. In 2021, the Organised Crime and Corruption Project (OCCPR), released a report which outlined the use of Pegasus spyware on, inter alia, journalists, human rights defenders, activists and political figures worldwide.

Pegasus spyware can be installed covertly on an individual’s device, often their mobile phone. Once installed, the spyware turns the device into a full-time surveillance tool, granting unrestricted access to the stored data, as well as the device’s camera, microphone, messages, photos, passwords, calls, and geolocation.

Methods of implantation on a device include the clicking on a malicious link by the user or the use of a wireless transmitter in close proximity to the phone. However, one of the most concerning revelations about Pegasus spyware is its capability to infect a device through the so-called “zero click”-method, which does not require any act by the user or any “jailbreaking” of the system.

Once a device is infected, it is extremely difficult to detect the spyware as well as its actions, for instance whether there has been an extraction of data.

1. International standards

Various international bodies have expressed serious concern over the use of spyware, including the UN Human Rights Committee.⁴⁰ As pointed out by the UN OHCHR, the development and use of pervasive surveillance tools is “profoundly alarming”, threatening the rule of law and eroding pluralistic democracies.⁴¹

The targeting of journalists, human rights defenders and others with this spyware tool constitutes a serious interference with the right to privacy (Article 17 ICCPR)⁴²which, in particular when carried out for political reasons, can never be justified.⁴³

In addition, the use of Pegasus spyware violates freedom of expression, protected on the international level by Article 19 ICCPR. Infecting a personal communication device with spyware permits “insights into the thinking processes of individuals subject to hacking, as well as their political and religious views and beliefs”.⁴⁴ This is especially true in the journalistic context as the protection of journalistic sources is circumvented and the mere existence of spyware creates a chilling effect.⁴⁵

2. Regional standards: EU

In the EU, targeted surveillance measures – with the exception of national security measures excluded from its scope by Article 4² TEU – must comply with applicable Union primary and secondary law, in particular the EU Charter, the ePrivacy Directive and the Law Enforcement Directive.⁴⁶ Article 52¹ EU Charter requires all acts limiting fundamental rights to confirm with the requirements of proportionality and necessity. ⁴⁷

Due to the quality and quantity of data stored on smartphones, the EU Data Protection Supervisor, considers it “highly unlikely that spyware such as Pegasus, which de facto grants full unlimited access to personal data, including sensitive data, could meet the requirements of proportionality” as “the interference with the right to privacy is so severe that the individual is in fact deprived of it” and that the protection of third parties and those who are afforded special protection, such as lawyers, is not guaranteed.⁴⁸

In a similar approach, the European Parliament has condemned “the use of spyware by Member State governments, and members of government authorities or state institutions for the purpose of monitoring, blackmailing, intimidating, manipulating and discrediting opposition members, critics and civil society, eliminating democratic scrutiny and the free press, manipulating elections and undermining the rule of law by targeting judges, prosecutors and lawyers for political purposes.”⁴⁹

3. Regional standards: CoE

On 23 October 2023, the CoE’s Parliamentary Assembly issued a resolution expressing its deep worry about “mounting evidence that Pegasus and similar spyware have been used illegally or for illegitimate purposes by several member states, including against journalists, political opponents, human rights defenders and lawyers” and condemned its use for political purposes.⁵⁰

Even before the revelations about the intrusiveness of Pegasus spyware, ECtHR’s Grand Chamber has acknowledged that against the backdrop or rapid technical advancement, domestic law must be sufficiently clear “to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures.”⁵¹

The ECtHR has yet to deliver its first judgment on a case concerning the use of Pegasus spyware. However, its caselaw gives some insights into how it approaches such matters.

The use of intrusive spyware against journalists goes to the heart of their right to private and family life (Article 8 ECHR), as well as their freedom of expression (Article 10 ECHR), as it gives access to a range of sensitive information and correspondence and creates a chilling effect for those contributing to public debate. Its use fails to meet the conditions of the so-called three-part test, in particular the requirements of necessity and proportionality. Lastly, Pegasus spyware circumvents the protection of journalistic sources, without which, as stressed by the ECtHR, sources may be deterred from speaking to the press, which in turn cannot fulfil its public watchdog role.⁵²

Searches and Device Seizures

Digital devices such as phones, cameras, laptops, and storage devices have become essential tools for journalists in conducting their work. They are used, for instance to conduct for research, recording, communicating with confidential sources and other journalists, and for publishing content. However, such devices often become subject to seizures and searches by authorities, in particular in situations perceived as sensitive, such as when covering protests⁵³ or at national borders⁵⁴. As civil society organisations are documenting growing number of seizures and (forensic) searches of journalists’ digital equipment,⁵⁵ safeguarding digital security remains an important factor to ensure the functioning of the press. Practical tips for journalists covering protests can be found here.

Through searches and seizures, authorities obtain access to protected materials, including the identity of journalistic sources, thus endangering their safety and creating a chilling effect. The search of mobile devices is particularly intrusive due to the quantity and the sensitivity of the data accessed. Such measures infringe on the right to privacy (Article 8 ECHR) and freedom of expression (Article 10 ECHR) and can only be justified if they meet the cumulative criteria of the so-called three-part test. In addition, the search of journalists’ home, workplace and the seizure of their material must be accompanied by adequate and effective procedural safeguards.⁵⁶

The ECtHR has clarified that:

Journalists should enjoy a broad scope of protection, including a range of freedoms that are of functional relevance to the pursuit of their activities, such as: protection of confidential sources; protection against searches of professional workplaces and private domiciles and the seizure of materials, protection of news and information-gathering processes […] ⁵⁷

Special attention must be paid to the protection of journalistic sources,⁵⁸ a principle which, in the words of the ECtHR, is “one of the cornerstones” of press freedom and essential to enable the press to fulfil its public-watchdog role.⁵⁹

The ECtHR has applied these numerous cases, confirming for instance that the search of a journalist’s laptop at a border crossing violated Article 8 ECHR due to the lack of effective and adequate safeguards in Russian domestic legislation and practice.⁶⁰ In Sorokin v. Russia, the ECtHR found a violation of Article 10 ECHR after a journalist’s flat and his electronic devices, which contained information related to his work, were searched without any procedural safeguards to protect the confidentiality of his sources.⁶¹ In Nagla v. Latvia, the ECtHR stressed that:

The right of journalists not to disclose their sources cannot be considered a mere privilege to be granted or taken away depending on the lawfulness or unlawfulness of their sources, but is part and parcel of the right to information, to be treated with the utmost caution.⁶²