The world was a different place when, in October 2015, the Court of Justice of the European Union (CJEU) struck down the “Safe Harbour” data-sharing agreement that allowed the transfer of European citizens’ data to the US. The Court’s decision concluded that the indiscriminate nature of the surveillance programs carried out by U.S. intelligence agencies, exposed two years earlier by NSA-contractor-turned-whistleblower Edward Snowden, had made it impossible to ensure that the personal data of E.U. citizens would be adequately protected when shared with American companies. The ruling thus served to further solidify the long-standing conventional wisdom that Continental Europe is better at protecting privacy than America.
However, Europe’s ability to continue to take this moral high ground is rapidly declining. In recent months, and in the wake of a series of terrorist attacks across Europe, Germany, France and the United Kingdom — Europe’s biggest superpowers — have passed laws granting their surveillance agencies virtually unfettered power to conduct bulk interception of communications across Europe and beyond, with limited to no effective oversight or procedural safeguards from abuse.
The same political leaders and legislators that once rebuked the NSA on the ethics of its mass surveillance practices, seem to now be taking a page out of the NSA’s playbook. This post surveys these three national legal frameworks, highlighting their troubling similarities, with the aim of showing how legislators from these countries are treading a dangerous line of surveillance expansion and overreach, paving the way for more European countries to follow in their footsteps. Indeed, European countries are increasingly chiming in to an ever-growing chorus of supporters for wholesale global surveillance in the name of perceived security. This rhetoric finds especially fertile ground in modern-day Europe, which has been engulfed by populist messaging surrounding the refugee crisis, immigration and heightened security threats. However, rushed and vague mass surveillance laws, while they might increase public approval ratings in the short term, are not a true panacea to the fundamental flaws in European intelligence cooperation that were exposed by the recent attacks.
Moreover, such laws may not only fail to solve the problems they seek to address, but rather they could help foster new problems. As Marc Trévidic, the former chief terrorism investigator for the French judicial system, said about the French legislation:
“If an intelligence law is not well-conceived and rational, it could easily become a formidable weapon of repression. An intelligence law should not only protect citizens against terrorism, but also against the State. We in France are doing neither. There is a total absence of control in this law.”
This is even more worrying in the context of foreign mass surveillance where the victims of potential overreach are non-citizens with even fewer statutory protections and avenues for redress.
To understand how these new laws endanger privacy protections across Europe, it’s important to examine the legislation carefully, including, the new powers granted, the oversight mechanisms available, and the protections put in place for privileged communications, for example, conversations between an attorney and a client or communications subject to diplomatic inviolability.
On Nov. 29, the UK adopted the Investigatory Powers Act (IPA), nicknamed by privacy experts as the “Snoopers Charter,” because it authorizes the Government Communications Headquarters (GCHQ) to engage in bulk interception, acquisition, and equipment interference of ‘overseas-related’ communications and communications systems, comprising of communications “sent or received by individuals who are outside the British Islands.”
Powers Authorized: Bulk interception warrants authorize the interception of “overseas-related communications” throughout the course of their transmission by means of a telecommunications system, and the obtaining of secondary data from those communications. Bulk acquisition warrants require a telecommunications operator to disclose specified communications data (metadata) that it already possesses, or to obtain communications data that it does not yet possess in order to later disclose it. Lastly, bulk equipment interference warrants authorize the acquisition of “communications and equipment data directly from computer equipment overseas.” It is important to clarify that bulk warrants are not traditional warrants, in the sense that they grant the agency requesting them the authority to conduct a large number of operations under a single warrant. It is in this context, that all three types of bulk warrants authorize U.K. intelligence services the power to engage in mass collection of foreign metadata, mass interception of communications, and mass hacking of computer networks and systems worldwide.
Oversight Mechanisms: The issuing process is identical for each type of bulk warrant. First, the head of an intelligence service, or any official designated by her, must submit a request to the Secretary of State. The Secretary may then issue a bulk warrant, subject to a necessity and proportionality analysis. The decision to issue a warrant is then reviewed by a Judicial Commissioner, before it is granted. This is known, in U.K. jargon as the “double lock” mechanism (described by proponents of the legislation as a dual executive-judicial pre-authorization process for its foreign bulk warrants). Bulk warrants cease to have effect at the end of 6 months, subject to a renewal process by the Secretary of State under the same conditions for the issuance of the warrants. Renewals may continue unabatedly in the same manner.
When issuing a bulk interception warrant, the Secretary of State must furthermore consult the operator in question, and consider a number of other matters that could have an effect on the operator, such as the benefits of the warrant, the likely number of people affected, its technical feasibility and its immediate costs. Notably, there are no notification or reporting requirements for bulk warrants, nor does the Act specify the remedies available to those residing overseas should the powers provided be abused. Additionally, telecommunications providers who knowingly fail to comply with the warrants are guilty of an offense and may be fined, with the relevant individuals imprisoned. Yet those same telecommunications providers have limited ability to challenge bulk warrants since they are prohibited from revealing they have received one.
Privileged Communications: The bulk warrants allow for the collection of privileged communications, including those by foreign public officials in European institutions, foreign parliamentarians, lawyers, and journalists, with no restrictions. With regards to the examination of those materials, different levels of protection apply to different privileged data. For items subject to legal privilege, examination of the materials is constrained by requirements of “exceptional and compelling circumstances.” For confidential journalistic materials, the requirement is only that the IP Commissioner be informed as soon as is reasonably practicable. For other privileged materials, as related to privileged people outside the U.K., there are no safeguards on examination.
GCHQ’s mass surveillance programs are under review by the European Court of Human Rights (ECtHR) in three different pending cases. In one, led in cooperation with Privacy International, the agency’s Tempora program to tap underwater fibre optic telecommunication lines, as well as its intelligence sharing with the NSA under the Five Eyes Arrangement, are being challenged for their compatibility with European human rights standards.
On Oct. 21, Germany adopted the Communications Intelligence Gathering Act. The act authorizes the Federal Intelligence Service (BND) to gather and process communications of foreign nationals abroad. Some of the world’s largest internet exchange points (IXPs) are situated in Germany, thus making the country a central hub for significant portions of the world’s internet traffic. While the Act authorizes for interceptions against foreigners to be conducted only from within Germany’s territory, a legislative move which might seem limiting, in actuality in light of Germany’s unique geographical position, it authorizes the BND to tap these exchange points in a broader effort to maximize global surveillance. In fact, the operator of one of these commercial IXPs, De-Cix, has recently brought a case before the Leipzig administrative court, challenging BND’s demands to allow the mass monitoring of international communications flowing through its hub.
Powers Authorized: Data may only be gathered from telecommunications networks that have previously been designated in a directive issued by the Federal Chancellery. The first power granted to the BND is the power to conduct “Tests of Relevance.” Under these powers, the BND is entitled to gather and analyze information, including personal data, to the extent that this is necessary to determine “relevant keywords” (akin to “selectors” in NSA terms) or “relevant telecommunications networks.” These tests shall be directed by the head of the BND with no oversight by the executive or judiciary. Personal data gathered in the course of these tests may only be used for the purposes listed above, or if there are factual indications that it can be used to “avert a serious threat to the life, limb, or freedom of a person or the security of the Federal Republic of Germany.” Once stored, such data must be deleted no later than two weeks (if collected for the purpose of identifying relevant keywords) or four weeks (if collected for the purpose of identifying relevant telecommunications networks).
Once relevant telecommunications networks and keywords are identified, the BND may begin to gather the content of communications relying on them. A recent judgment of the German Constitutional Court found that this list of keywords and search parameters, which the BND used to track millions of surveillance targets worldwide, and which were allegedly shared with the NSA, would not be disclosed to the German Parliament’s Special Parliamentary Fact-Finding Commission established following the Snowden revelations. The Court’s ruling was based on the conclusion that the confidentiality of the selectors list outweighed the public’s right to know and the parliament’s duty of oversight.
Oversight Mechanisms: In accordance with the law the directives of the Federal Chancellery shall be issued in writing, upon application by the head of the BND, or his or her representative, and shall stipulate the reason and duration of the measure and the telecommunications networks affected. The directives shall be limited to a maximum nine months, but may be prolonged for a further nine months by the Federal Chancellery. The German law establishes a three-member administrative committee, titled the “Independent Panel,” comprised of two judges and one federal public prosecutor at the Federal Court of Justice. The Panel reviews and may revoke the surveillance directives issued by the Federal Chancellery.
Privileged Communications: The law allows for the collection and analysis of privileged communications, including those by foreign parliamentarians, lawyers, and journalists, with no restrictions. Some general limitations are put in place, in the context of communications of EU institutions, or the public authorities and citizens of its Member States. Nonetheless, none of these limitations significantly hinders the ability of the BND to employ surveillance measures when it deems them necessary. For example, the use of keywords that may lead to the targeted gathering of communications of European heads of State and other public officials may be authorized if those are necessary to prevent the “circulation of weapons of war” or to gather data about matters in third countries “that are of particular relevance for the security of Federal Republic of Germany.”
Two weeks after the November 2015 terrorist attacks in Paris, during which 130 people were killed, France adopted the International Electronic Communications Law. The law officially recognizes the powers of the French Directorate General for External Security (DGSE) to intercept, collect, and monitor communications “sent or received abroad.” This encompasses all those communications which are associated with “subscription numbers or identifiers” that are not traceable to the national territory of France. France has long been suspected of being involved in global electronic communications surveillance, codenamed by the media as “Franchelon,” a take on Echelon, a mass surveillance program launched in the late 1960s by the NSA in cooperation with its Five Eyes’ partner organizations.
Powers Authorized: The Prime Minister may authorize the bulk interception of foreign communications at the request of the Minister of Defense, the Minister of the Interior, or the Minister of Finance, or anyone whom they designate. Such foreign communications can be stored for up to 12 months, and metadata for up to 6 years. Moreover, encrypted information can be stored for up to 8 years and in cases of “strict necessity” may be stored for even longer periods.
Oversight Mechanisms: The National Commission for the Control of Security Interceptions (whose French acronym is CNCIS) was restructured under the new law and is now composed of nine members including two judges, two members of the State Council, four representatives of Parliament, and an expert in electronic communications appointed on proposal of the Communications and Postal Authority. The CNCIS is merely informed of all authorizations made by the Prime Minister under the Act, and there is no requirement to consult it prior to authorization. While the CNCIS may launch investigations at its own initiative or following the complaint of any individual, no statutory guidance is provided on the elements it should take into consideration in its reviews nor on the powers it has following a finding that an interception authorization was improper.
Privileged Communications: The law allows for the collection and analysis of privileged communications, including those of foreign public officials in European institutions and other intergovernmental organizations, foreign parliamentarians, lawyers, and journalists, with no restrictions.
There are currently 13 different complaints pending before the ECtHR surrounding the new law, challenging both the expansive domestic snooping powers it authorizes and the above-discussed foreign surveillance capacities.
Dangerous Precedent Setting for the Continent and Beyond
All three laws share a number of disturbing similarities. First, the laws allow for mass foreign surveillance on broad and ambiguous grounds. As the Human Rights Committee has already found in relation to the French legislation, for a law to meet the principles of legality, necessity, and proportionality, it must state “specific and legitimate objectives” and list “exact circumstances in which such interferences may be authorized and the categories of persons likely to be placed under surveillance.” Similarly, the ECtHR noted in Kennedy that while the standard of foreseeability “does not require States to set out exhaustively by name the specific offences which may give rise to interception,” it does oblige them to provide “sufficient detail” of the nature of the offenses in question (para. 159). Surveillance laws therefore must be adequately precise in their terms to give citizens an indication of the circumstances that might give rise to a surveillance measure. Grounds such as the “prevention of serious crime,” the “prevention of terrorism,” or the “prevention of the proliferation of weapons of mass destruction” are specific enough to meet the above requirements.
On the other hand, all three laws also include more ambiguous and open ended categories such as the catch-all “national security” ground in the UK law, or the over-encompassing “foreign affairs” grounds in both the German law (“intelligence that is important for foreign and security policy”) and the French law (foreign surveillance necessary to defend and promote “France’s major interests in foreign policy, the implementation of the European and international commitments of France, and the prevention of all forms of foreign interference”).
In this regard, specific attention should be given to the question of whether advancing economic interests constitutes a legitimate objective for foreign surveillance. While the German law expressly prohibits economic espionage, the French legislation expressly permits it (“economic, industrial, and scientific interests”) and the U.K. legislation leaves an opening for it (“economic well-being”; “safeguarding prosperity”). According to Wikileaks, Hillary Clinton’s Campaign Manager John Podesta, in a policy brief on U.S.-German Surveillance relations concluded that “If Germany were to propose to the US a bilateral engagement to prohibit industrial espionage as the starting point for multi-lateral agreements or standards, the response from Washington would likely be positive.”
This position is in line with the approach laid down in the U.S.-China “common understanding” against cyber economic espionage adopted in 2015, as well as PPD-28 which authorizes “the collection of foreign private commercial information or trade secrets” only to the extent it is necessary to protect the national security of the United States or its partners and allies. Any collection done for the sole purpose of promoting the competitive advantage of the U.S. business sector is expressly prohibited by the Directive. Setting aside the looming future of PPD-28 or any understanding between the U.S. and China under a Trump administration, this stark divergence between the German and French laws signals that the fight against the legitimacy of foreign “economic espionage” has far from been won.
Second, the laws all share a lack of adequate oversight and safeguards from abuse. The U.K. government, for example, has taken pride in solidifying the ‘double lock’ mechanism. However, the law limits the scope of review by the Judicial Commissioners, which means that judges will not be given full authority to assess the merits of proposed surveillance measures. Moreover, in the case of bulk warrants the authorization requests can be formulated in such broad and vague ways that making judicial assessments on the merits of the application becomes essentially impossible. The German Independent Panel, which reviews the surveillance directives, also offers only limited oversight. Not only could this process be circumvented in situations where the Federal Chancellery believes the objective of the measure might be “frustrated or significantly impeded,” but moreover, as was already determined by the UN Special Rapporteur on the Right to Privacy, the Panel lacks “sufficient staff or resources to oversee mass surveillance operations.” Even more egregious, the French law does not establish any mandatory pre-authorization or consultation process and only allows for post factum investigations by an administrative committee, conducted on its own initiative and lacking statutory bite.
Deprived of local structured oversight, the laws in essence shift the onus of control from domestic parliaments, commissioners, and courts to European regional bodies, further broadening the gap between the positions taken by the judges in Luxembourg and Strasbourg and those offered at the national level.
The judgment of the CJEU in the Watson case, announced late December, exemplifies this trend. The Court found that “general and indiscriminate” retention of metadata, under a recently expired U.K. legislation called the Data Retention and Investigatory Powers Act (DRIPA), violated EU directives and the Charter of Fundamental Rights of the European Union. DRIPA has since been replaced by the IPA which only expanded on its data retention regime, and is thus likely to be subjected to judicial scrutiny. The case was heard by 15 CJEU judges, who addressed directly the government’s claims on the importance of bulk powers in the age of global terrorism. The judges noted that:
“while the effectiveness of the fight against serious crime, in particular organised crime and terrorism, may depend to a great extent on the use of modern investigation techniques, such an objective of general interest, however fundamental it may be, cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered to be necessary for the purposes of that fight” (para. 103).
This ruling offers a push back against mass collection and interception of communications, such as that promoted in the three laws, and widens the chasm between policies in the EU and EC levels and the laws and regulations of their member States.
This is of particular concern, when taken in light of the fact that all three laws explicitly allow for spying on EU institutions. Moreover, the laws set limited to no protections on the collection and analysis of privileged communications including those of foreign public officials, parliamentarians, journalists, lawyers, and doctors both inside and outside the borders of Europe. In the case of Kopp, which concerned the tapping of the phone lines of a lawyer and his law firm by the Swiss Government, the ECtHR expressly noted the need for establishing distinct and clear protections and safeguards by law for the interception of such privileged communications (paras. 71-75).
Finally, while the German law does establish some general provisions on interstate sharing of intelligence, both the U.K. and the French laws leave such intelligence cooperation arrangements intentionally outside of the scope of primary regulation. As Privacy International argued before the ECtHR in a pending case, minimum safeguards are required when a government accesses information intercepted by a foreign government or when it shares such information with foreign agencies. Failure to set statutory parameters for such arrangements, let alone disclose them to oversight bodies and the general public, further exacerbates the possibility for abuse.
Across Europe, from Poland to Austria, from Italy to Sweden, parliaments have been adopting expansive domestic and foreign surveillance legislation in recent months and years. This wave of legislation, pushed by populist agendas and public outrage in the wake of recent terrorist attacks on European soil, is a flagrant disregard to decades of jurisprudence by the ECtHR and more recent jurisprudence by CJEU, and it puts in danger privacy protections across the continent. The leaders of Germany, France and the UK are setting a dangerous precedent which echoes within the European Community and far beyond it: Mass surveillance by governments has become the new normal.
To show how much has changed, it’s worth remembering the speech German Chancellor Angela Merkel gave to the German Parliament, just three years ago, in January 2014, when she warned Western governments against promoting surveillance policies that collect everything that is “technically possible.” She noted that these foreign mass surveillance programs not only “sow distrust,” but send the wrong signal to “billions of people living in undemocratic States.” The end result, she concluded, “is not more security but less.”
Privacy International (PI) is a London-based charity which advocates for strong national, regional, and international laws that protect privacy and investigates and litigates to ensure that surveillance is consistent with the rule of law. We wish to thank Tilly Berkhout, a former intern with PI, for her assistance in the research towards this post.
By: Asaf Lubin