A long-running series of lawsuits dating back to 2013 has culminated in a judgement against the United Kingdom’s Government Communications Headquarters (GCHQ) by the European Court of Human Rights (ECHR). GCHQ is being taken to task for a mass surveillance program first revealed by the Edward Snowden leak, marking the first ruling against the UK government of this nature since the program came to light.
Though the UK has since completed its withdrawal from the EU, the ruling has implications both for it and for countries throughout Europe. EU members that run mass surveillance programs will need to seek independent authorization from the outset and be subject to ongoing supervision and review that ensures appropriate “end-to-end safeguards” that protect individual privacy are in place. However, it does not invalidate the sort of “bulk interception” that allows governments to tap directly into fiber optic internet cables and vacuum up irrelevant information.
Mass surveillance gets added legal supervision in UK and EU, but is not off the table
The ruling against GCHQ centers on the fact that adequate safeguards to protect privacy were not in place, rather than the fact that mass surveillance occurred.
The lawsuits have been in the court system since 2013, when the Snowden leaks revealed that GCHQ maintained a suite of digital tools used not only to intercept instant messaging data and call records but also to manipulate various aspects of social media platforms and web sites. The UK had not previously had any court rulings directed against it related to the public exposure of these tools and data collection programs.
The EU privacy court did not reject the idea of bulk interception of this nature, but specified that it needed certain safeguards to filter out subjects that are not under investigation. The court found “deficiencies” in the mass surveillance scheme, beginning with the authorization process. GCHQ did not have to specify the categories of information it was selecting for when applying for search warrants, and search terms linked to individuals could be examined without prior internal authorization. Any bulk interception activities now require initial authorization by a body independent of the secretary of state, with a screening process that checks for the required privacy safeguards, and a new ongoing supervision process has been ordered that includes an independent retroactive review.
The court acknowledged the potential for abuse that is inherent in these mass surveillance programs, but made clear that it has no interest in banning them. The majority opinion called bulk interception practices “vitally important” for the national security of EU member states. The dissenting opinion called for a ban on non-targeted bulk interception that involves the collection and storage of subjects not under investigation. While privacy advocates tended to agree that the ruling did not go far enough, some were heartened by the fact that the court ruling publicly acknowledges that clandestine mass surveillance programs of this nature have existed for decades and forces governments to openly contend with the privacy and expression rights issues inherent to them.
Potential challenge to snooper’s charter
The decision also revives the prospect of a challenge to the UK’s Investigatory Powers Act (IPA), a 2016 law that some critics refer to as the “snooper’s charter” due to mass domestic surveillance by MI5, which reached the point that the agency said it is no longer sure exactly what data it has. Civil rights group Liberty lost a 2019 challenge to the IPA when a judge ruled that it does not violate human rights. An appeal of the decision had been pending the results of this case.
One additional loss for privacy advocates in this ruling is that the court determined that sharing of the fruits of mass surveillance programs with overseas intelligence partners, such as the United States and Australia, was legal and required no further safety measures.
However, there was also a win in that the court specifically noted that protection for confidential journalistic sources and information (such as documents leaked by whistleblowers) was too weak. New safeguards have been introduced that are specific to cases in which the government is seeking to unmask a journalist’s source or in which related information is intercepted incidentally.
While the UK government has some ability to directly intercept calls and digital messages, the larger problem was the mass collection and storage of the metadata of residents who were not under any sort of investigation. Bulk surveillance is capable of scooping up the times and recipients of calls and messages, GPS locations of mobile devices and web browsing histories of end users on a massive scale without directly intercepting communications. The government attempted to argue that the bulk collection of metadata was less sensitive than accessing communications, a notion that the court ruling rejected.