Data Protection Insider, Issue 48

ECtHR Revisits Case Law on Bulk Surveillance: Centrum för Rättvisa v. Sweden

On 25th May, the ECtHR rendered two seminal judgments concerning bulk telecommunications surveillance. They are revisions by the Grand Chamber of two earlier Chamber judgments in the cases brought by Centrum för Rättvisa against Sweden and by Big Brother Watch against the UK. The present story focuses on the Swedish case – see below for a discussion of Big Brother Watch and Others. According to the facts of the case, the applicant – a legal entity under Swedish law working in the field of rights and freedoms – claims that the Swedish legal system and practice on bulk interception of electronic communications by the intelligence services breach its Article 8 ECHR rights. The Court first confirmed that the challenged signal intelligence legislation and practice constitute an interference with Article 8 ECHR. Before delving into the case at hand, the Court noted explicitly that it needed to develop its case law in order to distinguish bulk from targeted surveillance. It thus decided that the already established safeguards in relation to targeted surveillance ‘will have to be adapted to reflect the specific features of a bulk interception regime (…).’ The Court established that bulk surveillance regimes have to be subject to ‘“end-to-end safeguards”, meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the bulk operation are being defined; and that the operation should be subject to supervision and independent ex post facto review.’ It compiled a list of criteria for examining bulk surveillance: ‘(1) The grounds on which bulk interception may be authorised; (2) The circumstances in which an individual’s communications may be intercepted; (3) The procedure to be followed for granting authorisation; (4) The procedures to be followed for selecting, examining and using intercept material; (5) The precautions to be taken when communicating the material to other parties; (6) The limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed; (7) The procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance; (8) The procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.’ It clearly ruled that the processing of communication metadata is not less intrusive than the processing of content data and that the selectors used to intercept communications are a decisive factor in determining the scope of interference with Article 8 ECHR. The Court ruled in casu that the Swedish system of signal intelligence violated Article 8 ECHR because of the insufficient safeguards and guarantees against abuse. In particular, the Court considered that the following two issues were decisive: (1) the lack of safeguards as concerns the onward transfer of the obtained intelligence to other Swedish authorities and foreign governments; and (2) the insufficient safeguards offered by the system of ex post facto control. More precisely, the system did not guarantee independent control and transparency to the public. We note that there are two concurring opinions attached to the judgment which provide an additional, very poignant critical analysis of bulk interception in general, with cross-reference to a concurring opinion attached to the Big Brother judgment, and with regard to the Swedish interception system in particular. Their main gist is that the Court was in a way minimalistic in its judgment and that it should have been stricter in examining the Swedish system and in setting out the minimum safeguards both in general and in casu. Thus, the judgment was deemed to be relatively vague and lenient on the Swedish government, having overlooked critical aspects in its analysis. We note that the critical points mentioned in the concurring opinions might be due to the fact that bulk surveillance is a very contentious topic in Europe and the Court might have been looking for some political compromise in its judgment.

ECtHR Revisits Case Law on Bulk Surveillance: Big Brother Watch and Others

On 25th May, the Grand Chamber of the ECtHR handed down its judgment in the case of Big Brother Watch and Others v. The United Kingdom. The case concerned complaints from both journalists and NGOs about three UK surveillance regimes. As the press release observes, these were: ‘(1) the bulk interception of communications; (2) the receipt of intercept material from foreign governments and intelligence agencies; (3) the obtaining of communications data from communication service providers’. The applicants believed that, under these regimes, data about them had been obtained by UK intelligence agencies and that this collection constituted a contravention of Articles 8 and 10 of the Convention. Originally – in 2018 – the Chamber had heard the case and delivered its judgment. Following this judgment, the applicants requested the case be referred to the Grand Chamber. The Grand Chamber found a violation of both Articles:

  • In relation to Article 8 and bulk interception, whilst the Court recognised, in principle, that bulk interception regimes may be legitimate, the Court also recognised that these should be subject to certain minimum safeguards. Here, the Court stayed close to its discussion of minimum safeguards in Centrum för Rättvisa v. Sweden – see above. In this regard, the Court found the UK regime was deficient in a number of areas – including that there was no adequate independent authorisation.
  • In relation to Article 8 and the receipt of data from foreign surveillance authorities, the Court found no violation.
  • In relation to Article 8 and the collection of data from communication service providers, the Court found a violation and agreed with the Chamber’s judgment that the collection in question was not in accordance with the law.
  • In relation to Article 10 and the bulk interception regime, the Court found a violation and observed: ‘[the regime in operation] did not address the weaknesses identified by the Court in its analysis of the regime under Article 8 of the Convention, nor did [it] satisfy the requirements identified by the Court…In particular, there was no requirement that the use of selectors or search terms known to be connected to a journalist be authorised by a judge or other independent and impartial decision-making body invested with the power to determine whether it was “justified by an overriding requirement in the public interest” and whether a less intrusive measure might have sufficed to serve the overriding public interest…. Moreover, there were insufficient safeguards in place to ensure that once it became apparent that a communication which had not been selected for examination through the deliberate use of a selector or search term known to be connected to a journalist nevertheless contained confidential journalistic material, it could only continue to be stored and examined by an analyst if authorised by a judge or other independent and impartial decision‑making body invested with the power to determine whether its continued storage and examination was “justified by an overriding requirement in the public interest”’.
  • In relation to Article 10 and the receipt of data from foreign intelligence services, the Court found no violation. The Court agreed with the original Chamber judgment and observed that: ‘[there is no] separate issue over and above that arising out of Article 8 of the Convention’.
  • In relation to Article 10 and the collection of data from communications service providers, the Court agreed with the Chamber’s judgment and found ‘a violation of Article 10…on account of the fact that the operation of the regime…was not “in accordance with the law”’.

ECtHR Rules in J.L. v. Italy on Privacy and Gender-Based Violence in Criminal Proceedings

On 27th May, the ECtHR ruled in the case of J.L. v Italy. ‘The case concerned criminal proceedings against seven men who had been charged with the gang rape of the applicant and had been acquitted by the Italian courts.’ In this regard: ‘Relying on Article 8…the applicant complained that the national authorities had failed to protect her right to respect for her private life and for her personal integrity in the context of the criminal proceedings’. Here, the applicant complained about both the questioning throughout the criminal proceedings as well as ‘the arguments on which the judges had relied in reaching their decisions’. In turn: ‘Relying on Article 14…taken together with Article 8, the applicant complained of discrimination on grounds of sex, alleging that the acquittal of her presumed assailants and the negative attitude of the national authorities during the criminal proceedings could be attributed to sexist bias.’ The Court found a violation of Article 8 – in view of which the Court did not feel it necessary to subsequently consider the complaint under Article 14. Whilst the Court highlighted issues with aspects of defence lawyers’ questioning during the criminal procedures, the finding of a violation related to the content of the Florence Court of Appeal’s judicial decision. In this regard: ‘the Court noted several passages in the…judgment which referred to the applicant’s personal and private life and which breached her rights under Article 8…[The Court] did not see how the applicant’s family situation, her relationships, her sexual orientation or her clothing choices, and the subject matter of her artistic and cultural activities, [each discussed in the decision] could be relevant for assessing her credibility and the criminal liability of the defendants. Thus, it could not be considered that this interference with the applicant’s private life and image had been justified by the need to ensure that the defendants could enjoy their defence rights.’ Building on the above, the following observations were also offered: i) ‘[t]he Court considered that the positive obligations to protect the presumed victims of gender-based violence also imposed a duty to protect their image, dignity and private life, including through the non-disclosure of personal information and data that were unrelated to the facts…. [and a]ccordingly, judges’ entitlement to express themselves freely in decisions, which was a manifestation of the judiciary’s discretionary powers and of the principle of judicial independence, was limited by the obligation to protect the image and private life of persons coming before the courts from any unjustified interference’; ii) ‘[t]he Court found that the language and arguments used by the court of appeal conveyed prejudices existing in Italian society regarding the role of women and were likely to be an obstacle to providing effective protection for the rights of victims of gender-based violence, in spite of a satisfactory legislative framework’; and iii) ‘[t]he Court was convinced that criminal proceedings and sanctions played a crucial role in the institutional response to gender-based violence and in combatting gender inequality. It was therefore essential that the judicial authorities avoided reproducing sexist stereotypes in court decisions, playing down gender-based violence and exposing women to secondary victimisation by making guilt-inducing and judgmental comments that were capable of discouraging victims’ trust in the justice system.’ The case is available only in French. In this regard, we should add that, owing to linguistic limitations, this report has been produced based on the press release about the case, rather than directly from the case itself.

EDPB Holds Their 49th Plenary Session 

On 19th May, the EDPB held their 49th Plenary Session. During the session, the Board adopted the following documents:

  • ‘Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe’;
  • ‘Opinion 17/2021 on the draft decision of the French Supervisory Authority regarding the European code of conduct submitted by the Cloud Infrastructure Service Providers (CISPE)’;
  • ‘Statement on the Data Governance Act in light of legislative developments’;
  • ‘Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions’;
  • ‘Opinion 18/2021 on the draft Standard Contractual Clauses submitted by the LT SA (Article 28(8) GDPR)’;
  • ‘Response to Mr. de Serpa Soares, Under-Secretary-General for Legal Affairs and UN Legal Counsel’;
  • ‘Response to Access Now on the process to identify a controller’s main establishment under the GDPR’;
  • ‘Letter to the European Commission on the protection of personal data in the AML-CFT legislative proposals’.

The EDPB note that the first two Opinions concern ‘the first draft decisions on transnational Codes of Conduct’ which have been submitted to and examined by the Board. All the documents have already been made public and can be freely accessed on the EDPB website.

EDPS Launches Two Investigations concerning International Transfers

On 27th May, the EDPS announced the launch of two investigations concerning international transfers of personal data in light of the Schrems II ruling. One investigation concerns ‘the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies (EUIs)’ and aims to ‘assess EUIs’ compliance with the “Schrems II” Judgement when using [these] services provided by Amazon Web Services and Microsoft under [these contracts] when data is transferred to non-EU countries, in particular to the US.’ The other investigation concerns ‘the use of Microsoft Office 365 by the European Commission’ and aims ‘to verify the European Commission’s compliance with the Recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EUIs.’ The EDPS launches these investigations as part of the ‘strategy for EU institutions to comply with the “Schrems II” Judgement so that ongoing and future international transfers are carried out according to EU data protection law’. The investigations follow an initial reporting exercise on EUIs’ international transfers, which revealed to the EDPS ‘certain types of contracts that require particular attention’. There is a long way to go in these investigations and the international transfers landscape is itself subject to significant change. Nevertheless, the investigations touch on critical issues in the international transfers discussion and their progress is thus well worth keeping an eye on.

Clearview AI Challenged in Europe

Software known as Clearview AI, which crawls the internet to collect any available photograph of persons online and is then used by law enforcement authorities to fight crime, is under fire in Europe. More precisely, five complaints have been filed with data protection authorities against the US-based company for violating the GDPR and Directive 2016/680. The complaints have been submitted in France, Austria, Italy, Greece and the UK by data protection NGOs in the respective countries. Their claims centre predominantly around the proposition that Clearview AI’s data processing does not have a legal basis under the GDPR and under Directive 2016/680 and that it breaches certain of the core data protection principles in the GDPR. The Austrian complaint explicitly requests the DPA to fully investigate the matter, to impose a ban on the processing by Clearview AI of any personal data from a data subject in the EU – not only of the complainant – and to impose a fine on Clearview AI. These are not the first challenges to the company in Europe, as previously the Swedish DPA and the DPA of Hamburg have taken isolated enforcement actions against the company and/or the law enforcement authorities which used Clearview AI’s software. With these five complaints, the complainants now seek a more coordinated and tougher data protection approach against the company across the whole of Europe. The five DPAs now have three months to respond to the complaints.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.