There have been two significant surveillance case law updates in May/June 2021. The first is the case of Big Brother Watch & Ors v United Kingdom which considered the compatibility of the UK’s bulk surveillance regime with the European Convention on Human Rights (ECHR). 

The case concerned complaints by journalists and human rights organisations in regard to three different surveillance regimes: (1) the bulk interception of communications; (2) the receipt of intercept material from foreign governments and intelligence agencies; and (3) the obtaining of communications data from communication service providers. The applicants argued that the nature of their activities meant that their electronic communications and/or data were likely to have been intercepted by the UK intelligence services or obtained by those services from communications service providers or foreign intelligence agencies.

At the relevant time, the regime for bulk interception and obtaining communications data from communication service providers had a statutory basis in the Regulation of Investigatory Powers Act 2000. This has since been replaced by the Investigatory Powers Act 2016. The findings of the Grand Chamber relate solely to the provisions of the 2000 Act, which had been the legal framework in force at the time the events complained of had taken place.

The Court considered that, owing to the multitude of threats States face in modern society, operating a bulk interception regime did not in and of itself violate the Convention. However, such a regime had to be subject to “end-to-end safeguards”, meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation were being defined; and that the operation should be subject to supervision and independent ex post facto review. 

Having regard to the bulk interception regime operated in the UK, the Court identified the following deficiencies: bulk interception had been authorised by the Secretary of State, and not by a body independent of the executive; categories of search terms defining the kinds of communications that would become liable for examination had not been included in the application for a warrant; and search terms linked to an individual (that is to say specific identifiers such as an email address) had not been subject to prior internal authorisation. 

The Court also found that the bulk interception regime had breached Article 10, as it had not contained sufficient protections for confidential journalistic material.

The regime for obtaining communications data from communication service providers was also found to have violated Articles 8 and 10 as it had not been in accordance with the law.

However, the Court held that the regime by which the UK could request intelligence from foreign governments and/or intelligence agencies had had sufficient safeguards in place to protect against abuse and to ensure that UK authorities had not used such requests as a means of circumventing their duties under domestic law and the Convention 

The second key case is that of Centrum För Rättvisa v Sweden. In that case, the Court also held that there had been a violation of Article 8 ECHR. The case concerned the alleged risk that the applicant foundation’s communications had been or would be intercepted and examined by way of signals intelligence, as it communicated on a daily basis with individuals and companies in Sweden and abroad by email, telephone and fax, often on sensitive matters.

The Court found, in particular, that although the main features of the Swedish bulk interception regime met the Convention requirements on quality of the law, the regime nevertheless suffered from three defects:

1) The absence of a clear rule on destroying intercepted material which did not contain personal data;

2) The absence of a requirement in the Signals Intelligence act or other relevant legislation that, when making a decision to transmit intelligence material to foreign partners, consideration was given to the privacy interests of individuals; and

3) The absence of an effective ex post facto review. 

As a result of these deficiencies, the system did not meet the requirement of ‘end-to-end’ safeguards. It overstepped the margin of appreciation left to the respondent State in that regard, and overall did not guard against the risk of arbitrariness and abuse, leading to a violation of Article 8 of the Convention.

Both cases exemplify the growing trend towards Courts taking a highly technical and considered view of what exactly constitutes appropriate, deliberate and justifiable surveillance. Governments will need to ensure their methods are in accordance with Article 8 ECHR and alongside their own national policy.