Evropský soud pro lidská práva (European Court of Human Rights – ECHR) vydal minulý týden velice zajímavé rozhodnutí, které se týká sledování občanů Velké Británie, když míru odposlechů shledává jako porušující Evropskou konvenci na ochranu lidských práv (European Convention of Human Rights), zejména její část, která se týká práva na svobodu projevu a zajištění soukromí – hlavní argumenty z rozhodnutí jsou označeny v podrobném textu v analýze níže. Toto rozhodnutí může přitom vážně zkomplikovat ochotu Evropské komise vydat stanovisko „adequacy decision“, které by umožnilo Velké Británii být důvěryhodnou zemí z pohledu GDPR a související legislativy. Předešlo by se tak obdobné míře kritiky, které čelí například americká dohoda „Bezpečný štít – Privacy Shield“ a nebo praktiky odposlechů NSA „National Security Agency“).
Více informací se lze dočíst v původní tiskové zprávě zveřejněné Evropským soudem pro lidská práva, kterou zveřejňujeme níže v původním anglickém znění:
In a landmark judgment published last week, the European Court of Human Rights ruled that several aspects of U.K. secret surveillance programs violated Article 8 (right to respect for private life) and Article 10 (freedom of the press) of the European Convention on Human Rights.
Filed in the wake of Edward Snowden’s national security revelations, complaints in Big Brother Watch and Others v. the United Kingdom concerned three surveillance tactics used by the U.K. government: bulk interception of communications, intelligence-sharing with foreign governments and acquisition of communications data from communications service providers. Although the ECHR has previously looked at bulk interception, Big Brother Watch is the first case in which the ECHR specifically considered the extent to which interception and examination of communications data (rather than the content itself) interfere with a person’s private life.
In reaching its decision, the ECHR analyzed a complex maze of domestic and European laws governing the operation and function of surveillance in the U.K. Examining national laws and regulations in the U.K., the court looked closely at the Regulation of Investigatory Powers Act of 2000 and the Interception of Communications Code of Practice. The ECHR also assessed the obligations of member states under EU law by analyzing applicable laws and previous decisions by EU courts. While the Investigatory Powers Act of 2016 will make significant changes to U.K. surveillance once in full force, the ECHR did not consider the provisions at the time of its assessment.
In its judgment, the ECHR held that the surveillance regimes governing bulk interception and acquisition of communications data from communication service providers violated Articles 8 and 10 due to insufficient independent oversight and inadequate safeguards. However, the court found that the intelligence sharing program under the RIPA did not violate the convention.
Violations under Article 8
Article 8 protects an individual’s right to respect for private and family life both in the home and in communications. According to the court, interception of communications represents “one of the gravest intrusions” into an individual’s private life. Interference by public authorities requires a legitimate purpose and is limited to what is lawful and “necessary in a democratic society.” While governments generally have wide discretion in deciding what actions are necessary to protect national security, surveillance schemes must minimize potential abuse of power by meeting six baseline requirements set forth in the Weber and Saravia v. Germany case.
The ECHR’s holding in Big Brother Watch focuses on two important protections that are absent from the U.K. government’s bulk interception program under the RIPA: sufficient independent oversight of the “selectors and search criteria used to filter intercepted communications” and adequate safeguards “applicable to the selection of related communications data for examination.” The absence of these provisions in the programs cited by Big Brother Watch made them incapable of limiting the interference to that which is “necessary in a democratic society” and accordingly violated an individual’s right to privacy under Article 8.
The court additionally held that Chapter II of the RIPA provided inadequate safeguards regarding the acquisition of communications data from communications service providers. According to the ECHR’s judgment, EU law requires that “any regime permitting the authorities to access data retained by the [Communication Service Providers] limits access to the purpose of combating a ‘serious crime’, and that access is subject to prior review by a court of independent administrative body.” As the U.K. regime permitted access for the general purpose of combating crime without a limitation to “serious crime” and that access was not subject to prior review, the ECHR found that RIPA failed to meet the “in accordance with the law” requirement of Article 8.
How does the court’s holding under Article 8 change things?
Broadening of privacy protections for communications data
The ECHR broadened the protection of privacy beyond just contents of communications intercepted by the U.K. government. The court expressed concern that bulk data was not covered by the laws in force at that time. With no safeguards and oversight in place, Government Communications Headquarters had unrestricted access to some data, namely “related communications data.” According to the court, such data included very personal information about citizens such as location, IP addresses, information identifying the sender or recipient, file transfer logs, and email headers. The ECHR was concerned about ability to use the intercepted data to draw an intimate picture of a person through the mapping of social networks, location tracking, internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with. While recognizing validity in the government’s argument that “related communication data” helps determine whether the subject was in the British Islands at the time of the communication (which is one of the requirements for interception of external communication), the Court found “related communication data” is no less important than the contents of the communication.
The Big Brother Watch decision filled a gap in the law by requiring independent oversight and safeguards in every step of the process. The court first identified that the bulk surveillance mechanism for external communication inevitably includes internal communication, i.e., communication between two persons in the U.K. As modern internet technologies have blurred the distinction between internal and external communications, the government is able to override the requirements for the interception of internal communications (which are afforded higher protection), by meeting a lower standard for interception of external communication. In the absence of proper safeguards, collection, storage and examination of such data violates Article 8.
Balancing governmental interests and interests of private individuals
Surveillance programs are not illegal per se under Article 8 and the ECHR recognizes that agencies have a “wide margin of appreciation in deciding what type of interception regime is necessary to protect national security.” However, agencies do not have unrestricted control over the operation of such programs. Calculating the degree of intrusion on private rights under Article 8 involves balancing governmental interests against the privacy rights of individuals. The holding in Big Brother Watch indicates that the absence of safeguards in surveillance schemes may allow agencies to intrude too far into an individual’s private life. For example, the court found that exempting all “related communications data” from safeguards available under the RIPA creates an unfair balance between competing public and private interests. More broadly, the court reflects that, when an agency has wide discretion to intercept communications, bulk interception regimes do require more rigorous safeguards for the selection and examination of intercepted materials.
Violations under Article 10
Article 10 of the European Convention on Human Rights protects an individual’s right to freedom of expression. In finding violations under Article 10, the ECHR focused on the absence of sufficient safeguards for confidential journalistic material. An interference is incompatible with Article 10 “unless it is justified by an overriding requirement in the public interest.” As with the regime’s unrestricted access to related communications data, the Court found the bulk interception regime insufficient under Article 10 since there were no “above the waterline” requirements that would limit the agency’s ability to search and examine confidential journalistic material. The regime for acquiring communications data from communications service providers was similarly found to be problematic under Article 10 due to insufficient safeguards limiting access to the data.
The Big Brother Watch decision has been hailed as a “victory for the fundamental rights to privacy and freedom of expression over surveillance.” It’s most significant impact may be, however, the acknowledgment that metadata should not be treated any differently than communications content in terms of privacy safeguards.
Zdroj: tisková zpráva ECHR