In a set of rulings today, the European Court of Human Rights found that the mass surveillance scheme used by the GCHQ—the United Kingdom’s signals intelligence agency—violated the European Convention on Human Rights (ECHR), unlawfully intruding on the private and family life and freedom of expression of British and European citizens.
The Court found that sharing intelligence information gathered from bulk surveillance—as GCHQ does with the NSA and other members of the “Five Eyes” intelligence and security alliance—does not violate the human rights charter. But the judges did warn that using such intelligence sharing to bypass restrictions on surveillance of a member state’s own citizens would be a violation of the charter.
In the ruling, the judges found that there was insufficient oversight through the UK’s Investigatory Powers Tribunal (the UK equivalent of the US’ Foreign Intelligence Surveillance Court) over the UK’s bulk interception, filtering, and search of communications by the GCHQ. The judges also found that there were insufficient safeguards put in place to govern access to communications data. While the case has no direct impact on US intelligence gathering, the case could have a ripple effect because of the close connections between US and UK intelligence and law enforcement organizations.
The suit was brought by Big Brother Watch, Amnesty International, the American Civil Liberties Union, and a number of other civil liberties organizations from Europe and North America, as well as the Bureau of Investigative Journalism and others. “The decision sends a clear message that similar surveillance programs, such as those conducted by the NSA, are also incompatible with human rights,” claimed ACLU attorney Patrick Toomey. “Governments in Europe and the United States alike must take steps to rein in mass spying and adopt long-overdue reforms that truly safeguard our privacy.”
No damages were awarded, other than for the court costs of some of the applicants who brought the suit. And the court did not find that the surveillance itself was illegal. However, the ruling did find that individuals’ privacy rights applied from the moment communications and data were captured by surveillance systems—not just when they were viewed or processed by human analysts. And the ruling also found that surveillance violated freedom of expression because of its potential chilling effects on journalists.
The Court found that the way the UK government collected data from communications service providers was in violation of Article 8 of the ECHR (private and family life rights). It also found that both the method of bulk interception of communications and the process for obtaining communications metadata from service providers violated Article 10 (freedom of expression) because of “insufficient safeguards in respect of confidential journalistic material.” And of particular concern to the court was the lack of any oversight into what Internet traffic was collected or what filters were used to determine which traffic was of interest.
“While there is no evidence to suggest that the intelligence services are abusing their powers, the Court is not persuaded that the safeguards governing the selection of bearers for interception and the selection of intercepted material for examination are sufficiently robust to provide adequate guarantees against abuse,” the Court’s ruling stated. “Of greatest concern… is the absence of robust independent oversight of the selectors and search criteria used to filter intercepted communications.”
The parts of UK law that were found to be problematic by the Court are similar to aspects of the PATRIOT Act in the US that have enabled the most controversial parts of US mass surveillance. The Court rejected the UK government’s claim that metadata collection was less intrusive than collecting contents of communications. “The Court recognizes how revealing metadata can be to people’s lives,” Toomey told Ars. “It can expose things the government wouldn’t otherwise have access to.”
Mass surveillance in and of itself, however, was not found to be a violation of the charter. “In reaching this conclusion, the Court found that the operation of a bulk interception regime did not in and of itself violate the Convention,” a spokesperson for the court said in a statement on the case, “but noted that such a regime had to respect criteria set down in its case-law.”
While the court’s ruling applied to surveillance regimes set down by the UK’s Regulation of Investigatory Powers Act of 2000—not the new Investigatory Powers Act passed in 2016, which has not yet come into full effect—some of the provisions ruled to be in violation of the charter remain in the new law. Other mass-surveillance cases, including one against the French government’s Intelligence Act of July 24, 2015, are still pending. But the precedent set here will likely force other governments in Europe to re-examine their surveillance laws.
