Q&A: Grand Chamber of the European Court of Human Rights rules UK mass surveillance laws violate privacy and freedom of expression rights

On 25 May 2021, the European Court of Human Rights issued its judgment in Big Brother Watch & Others v. the UK. Below, we answer some of the main questions relating to the case.

After our initial reaction, below we answer some of the main questions relating to the case.

NOTE: This post reflects our initial reaction to the judgment and may be updated.

What’s the ruling all about?

In a nutshell, one of the world’s most important courts, the Grand Chamber of the European Court of Human Rights, found that certain UK laws about how intelligence agencies can spy on our internet communications breach our rights to privacy and freedom of expression. These surveillance laws have meant that the UK intelligence agencies can sweep up huge amounts of our internet communications (what is referred to in the law as a rather technical and harmless sounding ‘bulk interception’) in secret and without any oversight. This can include social media posts, emails sent and received, internet searches, websites you visit, and apps that you use.

Privacy International was one of the 16 organisations which filed the case - so we’re fairly happy about its outcome.

So how does the UK spy on people’s internet use?

In a bunch of different ways, but the main ways which were being examined by the Court were ‘bulk interception’ powers, the UK’s intelligence sharing arrangements and obtaining of communications data from communications service providers.

How does bulk interception work?

The internet is basically a massive network of connected computers speaking to one another. To read this webpage, for example, your device has to ‘ask’ Privacy International’s server to show you this content, which it typically sends along telecoms cables (though depending on your network, sometimes satellites). Of course, you could be reading this anywhere in the world: in that case, this internet traffic is likely travelling along international underwater cables at lightspeed - indeed, because of the way the internet works, sometimes it might be quicker for this internet traffic to travel across several continents, even if you’re reading this in the UK which is where PI is based! Because a lot of the online services people use are also based in the US (think Amazon or Google), it means that if someone in South Africa, or indeed anywhere else in the world, were to visit a US website or app to use them, their traffic would also travel along these international cables. What this means is that a huge proportion of global internet traffic is travelling along these submarine cables.

In the UK, these major cables carry internet traffic into and out of the country - and it’s them which the intelligence agencies are tapping. But instead of tapping them as they might with a phone line (ie wiretapping someone’s calls if there’s some specific suspicion that that person is engaging in criminal activity) they’re collecting it all - the internet traffic of millions of people. This is what’s known as ‘bulk interception’.

This kind of collection amounts to mass surveillance. For more information on how bulk interception works see here.

What’s the issue with ‘intelligence sharing’?

In addition to the UK’s own bulk interception, the UK government also has sharing arrangements with the US and other English speaking countries (Australia, Canada, New Zealand) known as the ‘Five Eyes’. Though much of this arrangement is shrouded in secrecy, public sources indicate they are, by default, sharing intelligence collected by national agencies with one another. So as the US National Security Agency (NSA) carries out its own submarine cable tapping programmes, it is sharing it automatically with the UK. The pay off, of course, is that the UK has to give the US access to all the intelligence it gathers.

The problem with sharing intelligence with foreign agencies - which can obviously be really useful - is that it is not properly regulated against abuses. This isn’t about them sharing details of a few suspects - we’re talking about countries giving each other access to everything they collect. This raises the same concerns we have around mass surveillance, whether initiated by the government’s own intelligence agencies or by someone else. And because countries’ laws tend to generally only protect their own citizens from being spied upon, it potentially allows agencies to sidestep protections by spying on one another’s populations and then sharing it. In this way it could provide agencies with backdoor access - and that’s why it needs to be properly regulated and overseen.

Find out more about ‘Secret Global Surveillance Networks: Intelligence Sharing Between Governments and the Need for Safeguards’ here.

Who brought this case?

Between 2013 and 2015, 16 organisations and individuals brought three separate cases challenging UK’s mass surveillance practices before the European Court of Human Rights. These cases were then joined together by the Court.

Applicants to these three cases were:

• The American Civil Liberties Union (ACLU), Amnesty International, Bytes for All, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties, the Legal Resources Centre (South Africa), Liberty and Privacy International.
• Big Brother Watch, Open Rights Group, English PEN and Dr Constanze Kurz
• The Bureau of Investigative Journalism and Alice Ross.

How did we get here?

Whistleblowers and journalists have been reporting about some of these mass surveillance programmes for years. In 2013 former NSA contractor Edward Snowden leaked documents to several of the world’s leading newspapers, providing more details about how these programmes function. So, using these revelations, we were able to file a complaint at the Investigatory Powers Tribunal – a tribunal which the UK government set up to hear complaints against the intelligence agencies. Our complaint was subsequently joined with several other campaign organisations who filed similar challenges.

During these challenges, the Tribunal - which is allowed to hear evidence from the intelligence agencies in secret without us knowing about it - found that because the law which is supposed to govern intelligence sharing with the US was secret, it was unlawful. This means in effect that all the sharing the UK had been doing prior to the law being made public was illegal. Later in 2015, the Tribunal also found that the communications of two campaign groups who were also complainants in the case, Amnesty International and the Legal Resources Centre (South Africa), had been intercepted by the UK Government.

Despite this, the Tribunal ruled that both bulk interception and the no longer secret intelligence sharing agreements were in principle lawful. We strongly disagreed with this. So, together with 9 other campaign groups, we filed a submission to the European Court of Human Rights in 2015.

Hadn’t this case already been decided by the European Court of Human Rights?

Yes. On 13 September 2018, the case was decided by the First Section of the European Court of Human Rights (ECtHR) - one of five ‘sections’ which make up the ECtHR. There is no right to appeal within the ECtHR, however, in exceptional cases, parties may apply for a case to be referred to the Grand Chamber after it has been decided by one of the sections.

Together with our co-applicants, we applied for and were granted a referral to the Grand Chamber in February 2019.

The Grand Chamber is composed of 17 judges, and only hears cases which raise a serious question on the interpretation or application of the Convention, or alternatively a serious issue of general importance. You could think of it as an exceptional avenue of appeal within the ECtHR. Its rulings are final.

The Grand Chamber has heard only one mass surveillance case before, Zakharov v Russia. This is the first time the Grand Chamber has examined the UK Government’s bulk surveillance powers.

You can watch a very short video explainer we made about the ECHR here

Was the lower chamber’s ruling entirely wrong?

No. In fact, we agreed with the First Section’s findings that the UK government’s mass interception program violated the rights to privacy and freedom of expression. In particular, we were pleased to see the First Section hold that the UK’s regime for authorising bulk interception was incapable of keeping the “interference” [with privacy] to what is “necessary in a democratic society”. We also agreed that intelligence sharing constitutes an interference with the right to privacy.

How does this kind of spying on internet traffic breach human rights exactly?

A bit of background. Modern human rights laws were drafted after the Second World War, and from the outset, there was a recognition that not all human rights are equal: some rights, like the right to not be tortured, are absolute, meaning that no country is ever allowed to torture people under any circumstances. Other rights however, like the right to freedom of speech, are qualified, meaning that in some circumstances, a government is allowed to interfere with that right - but it needs a very good reason for doing so. For example, you’re allowed to say almost whatever you want about your government (if you live in a proper democracy) without being censored, but if you’re inciting violence with your free speech, the government would be able to argue that it’s within its powers to restrict your ability to exercise your rights in this circumstance.

Like freedom of speech, the right to privacy is also a qualified right. This is why we went to the European Court of Human Rights - because while the UK government thinks it’s OK to interfere with the privacy of millions of people, we don’t think it is.

So, the Court decided in our favour in several respects - the UK’s mass internet spying laws ARE a breach of our human rights, including our right to privacy and freedom of speech.

Is it all good news?

The Grand Chamber has confirmed that the UK’s bulk interception regime violated right to privacy and freedom of expression. The judgment goes further than the European Court of Human Rights’ 2018 ruling, by providing for new and stronger safeguards, adding a new requirement of prior independent or judicial authorisation for bulk interception. Authorisation must be meaningful, rigorous and check for proper ‘end-to-end safeguards’.

However, it did not go far enough and did not rule that the bulk interception per se was unlawful. While the Court found that the UK’s bulk interception practices were unlawful because of insufficient safeguards and lack of oversight, it did not say that bulk interception itself was unlawful. This means that, in principle, it would be acceptable for a government to spy on its people on a mass scale, as long as there were oversight mechanisms and safeguards in place.

Stay tuned for our longer analysis to the judgment!

Ok so what now?

The 25 May 2021 ruling is an important win for privacy and freedom for everyone, not only in the UK but across Europe and the world. The judgment offers some pieces of the puzzle for stronger protections in the future, but it is not the end.

Though it’s about what transpired before, this case is about the rules of the road for the future of surveillance in democratic societies under the rule of law. And the court knew that.

Its interpretation of the European Convention on Human Rights will have an impact on all 47 member states of the Council of Europe, all of which are parties to the Convention. We expect those countries to review their surveillance laws and practices in light of this judgment and bring them to line with the Court’s jurisprudence.

On the same day, the Grand Chamber of the European Court of Human Rights found a violation of the right to privacy on another case related to bulk signals-intelligence gathering. Centrum för rättvisa, a public interest law firm, alleged that the Swedish legislation permitting the bulk interception of electronic signals in Sweden for foreign intelligence purposes breached the right to privacy. This is another victory for civil society in one of the world’s most important courts.

When we took our challenge in 2013, it was in relation to the UK’s legal framework at the time. Following civil society’s efforts, legal pressure and independent reviews of the UK’s surveillance powers initiated by the publication of documents leaked by Snowden - as well as the Home Office’s urge to push through more surveillance powers - the UK introduced a new Act governing surveillance powers. The Investigatory Powers Act 2016 (IPA) enshrines in law and actually extends many of the surveillance powers and techniques revealed by Snowden.

The UK bulk powers regulated at the moment by the Investigatory Powers Acts 2016 have also been challenged by Liberty, a UK campaigning organisation and co-applicant to this case. We will support them any way we can in their efforts to push for a stronger regulatory framework. Find out more here.

Nice. How can I help?

Having strong laws and technology which protect privacy is incredibly important, but the most important thing is that people are aware of the issues and are able to influence powerful companies and governments. You can read more about the case, how such surveillance works, and some of the issues it raises here.

To keep up to date on the case and all our work, you can sign up to our mailing list here - don’t worry, you can choose the topics you are most interested in… and we take proper care of your data!

As we are a charity with limited funds, any support you can give us through a donation would be most appreciated - you can do so here.

To reiterate however, to really ensure that we don’t sleepwalk into a world of ubiquitous state and corporate surveillance, it is essential that people put pressure on governments and corporations - so if there’s one thing you can do, it’s make your voice heard.