Bulk Interception: Latest European Court of Human Rights Ruling

June 18, 2018

 

The case of Centrum
för rättvisa v. Sweden
(application
no. 35252/08) concerned a complaint brought by a public interest law firm
alleging that legislation permitting the bulk interception of electronic
signals in Sweden for foreign intelligence purposes breached its privacy
rights.

The Court considered that the
relevant legislation amounted to a system of secret surveillance that potentially
affected all users of mobile telephones and the Internet, without their being
notified. Also, there was no domestic remedy providing detailed grounds in
response to a complainant who suspected that his or her communications had been
intercepted. On that basis, the Court found it justified to examine the
legislation in the abstract. The law firm could claim to be a victim of a violation
of the Convention, although it had not brought any domestic proceedings or made
a concrete allegation that its communications had actually been intercepted.
The mere existence of the legislation amounted in itself to an interference
with its rights under Article 8.

The Court went on to say
that, although there were some areas for improvement, overall the Swedish
system of bulk interception provided adequate and sufficient guarantees against
arbitrariness and the risk of abuse. In particular, the scope of the signals
intelligence measures and the treatment of intercepted data were clearly
defined in law, permission for interception had to be by court order after a
detailed examination, it was only permitted for communications crossing the Swedish
border and not within Sweden itself, it could only be for a maximum of six
months, and any renewal required a review. Furthermore, there were several
independent bodies, in particular an inspectorate, tasked with the supervision
and review of the system. Lastly, the lack of notification of surveillance
measures was compensated for by the fact that there were a number of complaint mechanisms
available, in particular via the inspectorate, the Parliamentary Ombudsmen and
the Chancellor of Justice.

When coming to that
conclusion, the Court took into account the State’s discretionary powers in protecting
national security, especially given the present-day threats of global terrorism
and serious cross-border crime.

Principal
facts

The applicant, Centrum för
rättvisa, is a non-profit foundation which was set up in 2002 and represents
clients in rights litigation, in particular against the State. It is based in
Stockholm. The applicant foundation believes that, because of the sensitive
nature of its activities, there is a risk that its communications through
mobile telephones and mobile broadband has been or will be intercepted and
examined by way of signals intelligence.

Signals intelligence can be defined as
intercepting, processing, analysing and reporting intelligence from electronic
signals. In Sweden the collection of electronic signals is one form of foreign intelligence
and is regulated by the Signals Intelligence Act. This legislation authorises
the National Defence Radio Establishment (FRA), a Government agency organised
under the Ministry of the Defence, to conduct the signals intelligence.

For all signals intelligence, the FRA
must apply for a permit to the Foreign Intelligence Court, which is regulated
by the Foreign Intelligence Court Act and composed of a permanent judge and
other members appointed on four-year terms. The court’s activities are in
practice covered by complete secrecy.

The Foreign Intelligence Court is
overseen by the Foreign Intelligence Inspectorate and the Data Protection
Authority.

Decision
of the Court

Even though the applicant
foundation had not exhausted domestic remedies and could not give a concrete
example of its communications having been intercepted, the Court nonetheless
considered it justified for it to examine the Swedish legislation on signals
intelligence. This was because there was, in practice, no remedy in Sweden
providing detailed grounds in response to a complainant who suspected that his
or her communications had been intercepted and the legislation amounted to a system
of secret surveillance that potentially affected all users of mobile telephones
and the Internet, without their being notified. The mere existence of the
legislation amounted in itself to an interference with the foundation’s rights
under Article 8.

The Court found that it was
clear that the surveillance system, as it stood at the present moment in time,
had a basis in domestic law and was justified by national security interests. Indeed,
given the present-day threats of global terrorism and serious cross-border
crime, as well as the increased sophistication of communications technology,
the Court held that Sweden had considerable power of discretion (‘wide margin of
appreciation’) to decide on setting up such a system of bulk interception. The
State’s discretion in actually operating such an interception system was,
nevertheless, narrower and the Court had to be satisfied that there were
adequate and effective guarantees against abuse.

Following a careful
assessment of the minimum safeguards that should be set out in law to avoid abuse
of power, as developed in its case-law (see the 2014 Grand Chamber judgment
Roman Zakharov v Russia),
the Court was of the opinion that the system revealed no significant shortcomings
in the system’s structure and operation. Overall, while the Court found certain
shortcomings in the system, notably the regulation of the communication of
personal data to other States and international organisations and the practice
of not giving public reasons following a review of individual complaints, it
noted that the regulatory framework had been reviewed several times with a view
notably to enhancing protection of privacy and that it had in effect developed
in such a way that it minimised the risk of interference with privacy and
compensated for the lack of openness of the system.

More specifically, the scope
of the interception (which was only permitted for communications crossing the
Swedish border and not within Sweden itself) and the treatment of intercepted
data were clearly defined in law; the duration of the measures were clearly
regulated (any permit is valid for a maximum of six months and renewal requires
a review); the authorisation procedure was detailed and entrusted to a judicial
body, the Foreign Intelligence Court; there were several independent bodies, in
particular the Foreign Intelligence Inspectorate and the Data Protection Authority,
tasked with the supervision and review of the system; and, on request the
inspectorate had to investigate individual complaints of intercepted
communications, as did the Parliamentary Ombudsmen and the Chancellor of
Justice.

The Court therefore found
that the Swedish system of signals intelligence provided adequate and sufficient
guarantees against arbitrariness and the risk of abuse. The relevant
legislation met the ‘quality of law’ requirement and the ‘interference’
established could be considered as being ‘necessary in a democratic society’.
Furthermore, the structure and operation of the system were proportionate to
the aim sought to be achieved.

There had accordingly been no
violation of Article 8 of the Convention.

Given those findings, the
Court considered that there were no separate issues under Article 13 and held
that there was no need to examine the foundation’s complaint in that respect.

Comment

The very fact that the Court thought that the Swedish regime
for interception was imperfect suggests that the UK might have more leeway in
gaining ‘data adequacy’ status than some have envisaged. But a ECtHR decision
is not necessarily going to accord with one from the CJEU on similar facts,
even if it should.

The distinction made between signals crossing the Swedish
border and internal communications seems hard to justify. Indeed, it is hard to
believe that anyone knows for sure when communications such as emails cross the
border.