Q&A: European Court of Human Rights Rules UK Mass Surveillance Laws Violate Rights (from 2018)

Achieved result

Updated on 24 May 2021

Following a case initiated by Privacy International and nine other CSOs, as well as two other cases, the First Section of the European Court of Human Rights (ECtHR) ruled that the UK government's mass interception program violates the rights to privacy and freedom of expression because of insufficient safeguards and lack of oversight. That decision laid the groundwork for influencing the UK government to adjust current legislation and practices in compliance with the Court's findings. Changes are on hold pending the Grand Chamber of the ECtHR judgment on 25 May 2021.

Long Read
Q&A: European Court of Human Rights Rules UK Mass Surveillance Laws Violate Rights

Yesterday, the European Court of Human Rights issued its judgement in Big Brother Watch & Others V. the UK. Below, we answer some of the main questions relating to the case.

What's the ruling all about?

In a nutshell, one of the world's most important courts, the European Court of Human Rights, yesterday found that certain UK laws about how intelligence agencies can spy on our internet communications breach our human rights. These surveillance laws have meant that the UK intelligence agencies can sweep up huge amounts of our internet communications (what is referred to in the law as a rather technical and harmless sounding 'bulk interception'). This can include social media posts, emails sent and received, internet searches, websites you visit, and apps that you use.

Privacy International was one of the organisations which filed the case - so we're fairly happy about its outcome.

How does this kind of spying on internet traffic breach human rights exactly?

A bit of background. Modern human rights laws were drafted after the Second World War, and from the outset, there was a recognition that not all human rights are equal: some rights, like the right to not be tortured, are absolute, meaning that no country is ever allowed to torture people under any circumstances. Other rights however, like the right to freedom of speech, are qualified, meaning that in some circumstances, a government is allowed to interfere with that right - but it needs a very good reason for doing so. For example, you're allowed to say almost whatever you want about your government (if you live in a proper democracy) without being censored, but if you're inciting violence with your free speech, the government would be able to argue that it's within its powers to restrict your ability to exercise your rights in this circumstance.

Like freedom of speech, the right to privacy is also a qualified right. This is why we went to the European Court of Human Rights - because while the UK government thinks its OK to interfere with the privacy of millions of people, we don't think it is.

So, what happened yesterday was that Court decided in our favour in several respects - the UK's mass internet spying laws ARE a breach of our human rights, including our right to privacy and freedom of speech.


So how does the UK spy on people's internet use?

In a bunch of different ways, but the main ways which were being examined by the Court were 'bulk interception' powers and the UK's intelligence sharing arrangements.

The internet is basically a massive network of connected computers speaking to one another. To read this webpage, your device has to 'ask' Privacy International's server to show you this content, which it typically sends along telecoms cables (though depending on your network, sometimes satellites). Of course, you could be reading this anywhere in the world: in that case, this internet traffic is likely travelling along international underwater cables at lightspeed - indeed, because of the way the internet works, sometimes it might be quicker for this internet traffic to travel across several continents, even if you're reading this in the UK which is where PI is based! Because a lot of the online services people use are also based in the US (think Amazon or Google), it means that if someone in the UK were to visit a US website or app use them, or indeed anywhere else in the world, their traffic would also travel along these international cables. What this means is that a huge proportion of global internet traffic is travelling along these submarine cables.

In the UK, these major cables carry internet traffic into and out of the country - and it's them which the intelligence agencies are tapping. But instead of tapping them as they might a phone line (ie wiretapping someone's calls if there's some specific suspicion that that person is engaging in criminal activity) they're collecting it all - the internet traffic of millions of people. This is what's known as 'bulk interception'.

It's important to remember an important fact about these cables - if you want to use the internet regularly, your data WILL travel through these cables whether you like it or not. 


What's the issue with 'intelligence sharing'?

In addition to the UK's own bulk interception, the UK government also has sharing arrangements with the US and other English speaking countries (Australia, Canada, New Zealand) known as the 'Five Eyes'. Though much of this arrangement is shrouded in secrecy, public sources indicate they are, by default, sharing intelligence collected by national agencies with one another. So as the US National Security Agency (NSA) carries out its own submarine cable tapping programmes, it is sharing it automatically with the UK. The pay off, of course, is that the UK has to give the US access to all the intelligence it gathers.

The problem with sharing intelligence with foreign agencies - which can obviously be really useful - is that it is not properly regulated against abuses. This isn't about them sharing details of a few suspects - we're talking about countries giving each other access to everything they collect. This raises the same concerns we have around mass surveillance, whether initiated by the government's own intelligence agencies or by someone else. And because countries' laws tend to generally only protect their own citizens from being spied upon, it potentially allows agencies to sidestep protections by spying on one another’s populations and then sharing it. In this way it could provide agencies with backdoor access - and that's why it needs to be properly regulated and overseen.


And Privacy International took the UK Government to Court over this?

Yes! Whistle-blowers and journalists have been reporting about some of these mass surveillance programmes for years. In 2013 NSA contractor Edward Snowden leaked documents to several of the world's leading newspapers, providing more details about how these programmes function. So, using these revelations, we were able to file a complaint at the Investigatory Powers Tribunal, which the UK government set up to hear complaints against the intelligence agencies. Our complaint was subsequently joined with several other campaign organisations who filed similar challenges.

During these challenges, the Tribunal - which is allowed to hear evidence from the intelligence agencies in secret without us knowing about it - found that because the law which is supposed to govern intelligence sharing with the US was secret, it was unlawful - meaning in effect that all the sharing the UK had been doing prior to the law being made public was unlawful. Later in 2015, the Tribunal also found that the communications of two campaign groups who were also complainants in the case, Amnesty International and the Legal Resources Centre, had been intercepted by the UK Government.

Despite this, the Tribunal ruled that both bulk interception and the intelligence sharing agreements were in principle lawful. We strongly disagree with this. It is one of the most important principles in a democracy that if a government wants to spy on you, it needs a legitimate reason for doing so. So, when people say "I've got nothing to hide because I have nothing to fear", it's problematic because the starting premise should be that the government needs to justify an intrusion into your rights, not that they automatically have the power to spy on everyone just in case some of them might be doing bad things.

Such 'bulk interception' essentially allows the mass, suspicionless surveillance of everyone - making it a violation of the right to privacy. Because of this, it also undermines everyone's right to freedom of expression, because if a government is monitoring everyone's communications, it makes people think twice about expressing themselves. For journalists, in particular, such mass surveillance undermines their ability to keep sources confidential - and without confidential sources, some of the world's most important scandals would never be revealed (think Watergate).

So for of all these reasons, together with several other campaign groups and activists, we filed a submission to the European Court of Human Rights in 2015.


So, what is the European Court of Human Rights? Is it part of the EU, and does that mean that when the UK leave the EU, this new ruling won't matter?

The European Court of Human Rights (ECHR) rules on countries' adherence to human rights standards as set out in the European Convention on Human Rights. The Convention codifies all the rights to which people living in member states are entitled and were drawn up following the Second World War within the Council of Europe.

A completely separate body to the European Union, the Council of Europe has 47 member states, meaning that some 820 million people live in countries which are members of the Council. Any of those people can challenge their government's abuses at the ECHR. If anyone thinks their human rights have been violated, they can take their case to the Court.

So, because this is totally separate to the EU, when the UK leaves the EU, it this judgment will still stand because we will continue to be part of the Council of Europe.

You can watch a very short video explainer we made about the ECHR here.


So is it all good news? Are the days of mass surveillance over?

Afraid not, and far from it, unfortunately. Yesterday, the Court did say four main things (and this is where it gets a bit technical):

  1. It found that how the UK government selects which cables to tap and what information to select for examination - and who watches over this process to make sure there are no abuses - was insufficient to protect our privacy. As privacy is a qualified right, the Court recognises that certain interferences with can be necessary, but in this instance the UK's laws were "incapable of keeping the 'interference' to which is 'necessary in a democratic society'." 
  2. It found that powers to interfere with journalists' communications, including with their sources, could have a broader "chilling effect...on the freedom of the press" and were therefore a violation of the right to freedom of expression.
  3. If found that the 'metadata' of communications - information about what type of communication, where it was sent from, when it was sent, and who it was sent to - was not any less intrusive than the content of the communication itself. This is important as many governments - including the UK government in this case - have argued that this metadata is less intrusive, and therefore that they can obtain and analyse metadata with fewer legal safeguards and less oversight.
  4. The Court agreed that sharing intelligence was the same as obtaining the intelligence through direct surveillance, and therefore required similar regulation and oversight, noting that "States could use intelligence sharing to circumvent stronger domestic surveillance procedures and/or any legal limits which their agencies might be subject to as regards domestic intelligence operations."

While these are all positive findings, there is a major downside. While the Court found that the UK's bulk interception practices were unlawful because of insufficient safeguards and lack of oversight, it did not say that bulk interception itself was unlawful. In essence, this means that the Court thinks that in Principe it is acceptable for a government to spy on its people on a mass scale, as long as there is someone overseeing it and there are safeguards against abuses. Summarising its reasoning, the Court argues that "[b]ulk interception is by definition untargeted, and to require 'reasonable suspicion' would render the operation of such a scheme impossible." But this is exactly why Privacy International argued that it should be made impossible.

Further, the Court found that while intelligence sharing was as intrusive as doing the surveillance directly, the UK's arrangements were lawful. In doing so, it relied heavily on a 'note' provided by the UK government during court proceedings consisting of two pages and just a few paragraphs of text. It remains unclear who drafted or adopted the 'note '(and under what legal authority), who had the power to amend it, or whether the note represented an actual policy, part of a policy, or a summary of a policy. While this note was later formalised in a UK administrative code, the restrictions it places on intelligence sharing remain woefully short and inadequate.

If you want to know more about the positive and negative aspects of the judgment, you can read our in-depth take on it here.


Ok so what now?

When we took our challenge to the Tribunal in 2013, it was in relation to the UK's legal framework at the time. Following legal pressure and independent reviews of the UK's surveillance powers initiated by the publication of documents leaked by Snowden - as well as the Home Office's urge to push through more surveillance powers - the UK has a new Act governing surveillance. The Investigatory Powers Act 2016 (IPA) enshrines in law and actually extends many of the surveillance powers and techniques revealed by Snowden, but provides some new safeguards and forms of oversight - for example a new Commissioner charged with overseeing how these new powers are used.

The UK government will now have to ensure that its current laws are in line with the Court's findings. In particular, the IPA provisions that regulate the selection of undersea cables the government will tap, and the search criteria applied to the communications obtained from those cables will need to be revised, including by providing stronger oversight. In addition, the government will need to revisit the IPA provisions governing how the agencies examine metadata related to intercepted communications and provide for stronger safeguards.

There's also the option to appeal the ruling at the Grand Chamber - the ultimate court of the ECHR. So it's possible for a party to the case to challenge some aspects of the decisions.

While today’s judgment is aimed at the UK, it also provides interpretation of the European Convention on Human Rights for the 47 member States of the Council of Europe, all of which are parties to the Convention. We expect those countries to review their surveillance laws and practices in light of this judgment and bring them to line with the Court's jurisprudence. The case has a real effect beyond the UK.


Nice. How can I help?

Having strong laws and technology which protect privacy is incredibly important, but the most important thing is that people are aware of the issues and are able to influence powerful companies and governments. You can read more about the case, how such surveillance works, and some of the issues it raises here. To keep up to date on the case and all our work, you can sign up to our mailing list here. As we are a charity with limited funds, any support you can give us through a donation would be most appreciated - you can do so here.

To reiterate however, to really ensure that we don't sleep walk into a world of ubiquitous and persistent government and corporate surveillance, it is essential that people put pressure on governments and corporations - so if there's one thing you can do, it's make your voice heard!