Much is at stake following ‘Schrems II’ — not just for EU-US relations but also more broadly concerning the principles that should guide the transfer of data across jurisdictions. How personal data can and will be protected against disproportionate interference by the state will be a decisive question for the next decade of human rights protection. We argue that it is high time to establish common intelligence governance standards among democracies — such as the protection of non-nationals or oversight unimpeded by the Third Party Rule — to both guarantee fundamental individual rights and ensure national security.


It has become increasingly difficult for democracies to reconcile the concept of security — as an intrinsically national competency — with the realities of an interconnected world. Transnational data flows and international intelligence cooperation have created privacy and human rights challenges that cannot be solved unilaterally.

Two landmark judgements in Europe shook up the international intelligence community this year. At the transatlantic level — following the Court of Justice of the European Union’s (CJEU) invalidation of the Privacy Shield agreement in its ‘Schrems II’ decision — the EU Commission and US government face new negotiations amidst real uncertainty as to whether the ongoing legality of data transfers between the countries can be ensured. In Germany, after a judgement by the Constitutional Court declaring important parts of the foreign intelligence law unconstitutional, the government and legislature now need to inject the existing legislation with a long list of safeguards the Court found to be missing. A first draft prepared by the chancellery, available in German, is currently being debated in German government circles.

Both judgements make a similar point: In a globalised, interconnected world the fundamental rights of individuals cannot be restricted to nationality or residence. Moreover, these rights should be enforceable even when it comes to the area of national security and intelligence. Against the backdrop of these two court decisions in Europe, we make the case here for a larger, global call to action to better protect the right to privacy when it comes to national security.

The right to privacy is a universally recognised human right. Large-scale communications surveillance by intelligence agencies can cause particularly severe infringements of this right. Millions of us are affected without knowing about it. In addition, surveillance can have chilling effects on democratic life and undermine other fundamental rights such as freedom of the press, assembly, and opinion. Because of this inherent danger, democracies need to make sure that intelligence practice is bound by the rule of law and sufficiently overseen. This is constant work in practice and needs to get better.


Intelligence in a globalised world: a democratic challenge

International intelligence cooperation has grown and intensified significantly over the past few years. Intelligence alliances such as Five Eyes, SIGINT Seniors Europe, or Maximator and the Club de Berne show that the intelligence community is becoming ever more tightly interconnected. New technology and transnational threats prompt closer working relations and extensive data sharing among intelligence and security agencies. The German foreign intelligence service BND alone engages in about 450 intelligence collaborations. A large-scale interconnected surveillance network has grown in the shadows of our democracies.

By contrast, the practice of intelligence oversight remains almost exclusively a domestic affair. To date, there are few effective institutions for international oversight cooperation. Rather, national overseers adhere, by and large, to strict national confines when they authorise, review, and control activities — often with technological equipment and prowess far inferior to that of those being controlled.

Despite the Snowden revelations in 2013, surveillance powers have been expanded in most countries rather than curtailed. Bulk surveillance, i.e. the untargeted interception, collection, management, and transfer of telecommunications data, has developed into a standard intelligence practice. The European Court of Human Rights (ECtHR) called the practice a “valuable means” of counterterrorism in its Big Brother Watch decision in 2018, and so did the German Constitutional Court. The practice of bulk communications surveillance is thus likely to stay and expand. While safeguards may apply within national boundaries, most countries’ intelligence law fails to protect foreign nationals abroad from their intelligence services.

This makes it even more important to recall that in our interconnected world, everyone is a foreigner somewhere. Next to safeguards and oversight concerning bulk surveillance of citizens or residents, we need far better rules in national surveillance legislation and, if possible, international covenants to better protect “non-nationals” abroad from surveillance. Moreover, it is no longer sufficient to oversee only what takes place at the national level; data transfers also need far greater scrutiny.


Two landmark judgements show the way ahead 

We argue that a harmonisation of standards among democracies can be a powerful tool to ensure intelligence remains on democratic grounds and at the same time avoid loopholes in an increasingly internationalised intelligence environment.

In ‘Schrems II’, the CJEU held that personal data transferred outside of the EU must be guaranteed an equivalent level of protection to that set out by the General Data Protection Regulation (GDPR). It ruled that neither the scale of US intelligence activities nor the level of protection and possibility for effective and enforceable individual redress conform to such standards. The CJEU, thus, set out that appropriate safeguards against disproportionate government access to data as well as enforceable rights and effective legal remedies are crucial and should be extended to non-nationals. The German Constitutional Court underlined this in its May 2020 judgement: When conducting bulk surveillance, Germany’s foreign intelligence service must now respect the fundamental right to privacy of foreign nationals abroad and judicial oversight must be strengthened to ensure this. Both judgements emphasise the legality of data transfers (Schrems II) and (automated) intelligence cooperation (German Constitutional Court on BND Act).

The German judgement provides some new additions when it comes to standards in the context of international intelligence cooperation. For instance, it established a mandatory obligation upon the executive (subject to oversight) to seek a “rule of law assurance” to ensure the respect of human rights as well as an adequate level of data protection in the recipient country (Para 236-238).

The Court also took on the so-called Third Party Rule (Originator Control Principle) that traditionally constitutes a major oversight gap in many countries. It implies that neither the data received from a partner service, nor the source of this data, can be shared with a third party without prior consent. While intelligence agencies, understandably, have to make sure to protect their sources and mitigate the risk that the data they share is misused, oversight bodies are often included in the definition of a third party, which makes it impossible for them to review shared data. This can lead to what has been termed ‘collusive delegation’: Democratic principles are undermined through intelligence-sharing by delegating powers to intercept material to international partners in order to circumvent domestic democratic constraints. The German Court clearly demanded that future intelligence legislation exempt overseers involved in the judicial overview and end-to-end oversight of data processing from this rule. Thus, they need to be given full access to international cooperation agreements.

It has furthermore introduced a distinction between bulk collection for clearly identifiable threat protection purposes and bulk collection for the primary purpose of early warning or political information gathering on adversaries. The Court also set out a number of requirements and additional safeguards for ‘automated’ data transfers to foreign intelligence partners; e.g. when the BND opens interfaces to its own raw data stream, to be filtered with the use of “foreign” selectors or when metadata is automatically forwarded abroad (Para 254-257). These requirements include a thorough review of “foreign” search terms and subsequent “hits” prior to transferral in general as well as a separate review of purpose orientation and according to lists of persons (such as journalists) or situations with higher surveillance risk. 

The need for statutory clarity was another important point the Court made. Intelligence operations need clear legal frameworks that should be spelled out in actual law and not in executive decrees (Para 174). We believe that the process of formulating a clear and comprehensive intelligence law in Germany can provide helpful food for thought on the common search for minimum standards and requirements democratic intelligence laws should include.


Towards an alliance of democracies with harmonised standards on state surveillance?

We see a unique opportunity in these recent court decisions in Europe to attain common standards against disproportionate government access to communications data and enable the professionalisation of oversight. While the Snowden revelations in 2013 triggered important reforms to intelligence legislation in many democracies, we are still a long way from making those rights and standards as interdependent as the digital era would require.

There have, in the past, been several attempts to create such common standards and comprehensive international legal instruments framing intelligence operations, such as an ‘Intelligence Codex’ proposed by the Parliamentary Assembly of the Council of Europe back in 2015. The UN special rapporteur on privacy Joe Cannataci published a draft text for a ‘Legal Instrument on Government-led Surveillance and Privacy’ in 2018. The European Intelligence Oversight Working Group, composed of six European intelligence oversight bodies, called for common standards in its last report: “[…]common standards and definitions could help define under which circumstances data exchange is regarded as necessary and proportionate, and which minimum level of data protection needs to be in place to sufficiently safeguard individual rights”.

To date, however, the only existing international legal instrument that addresses data processing and data transfers in the context of national security is Convention 108+ of the Council of Europe. It is a legally binding international agreement on the protection of privacy open to all countries and currently open to ratification. A modernised version of Convention 108, Convention 108+ was opened for ratification in 2018 as an answer to the growing use of information and communication technologies and the increasing globalisation of processing operations and personal data flows. It explicitly refers to national security cases. In article 11, paragraph 3 the Convention sets out that there is a need for independent and effective review and supervision when data is processed for national security and defence purposes. In the context of Schrems II, adherence to the Convention could be one requirement to determine the adequacy of the level of data protection of a country. 

The respect of civil rights and liberties is the backbone of democracies. To undermine these fundamental rights is to undermine democracy — abroad but also at home. This is detrimental to the national security of every democratic state. Henry Farrell and Abraham L. Newman argue on Lawfare that Schrems II offers an opportunity to create an ‘Alliance of Democracies’ with shared values and interdependent rights. This alliance would offer a robust alternative to authoritarian countries such as China and Russia. They point out that the respect of the rights of citizens of allied countries is crucial for deeper intelligence cooperation and national security. Thus, we submit, common standards among democracies can indeed be beneficial rather than dangerous to the national security of individual countries.


Conclusion

Much is at stake following ‘Schrems II’ — not just for EU-US relations but also more broadly concerning the principles that should guide the transfer of data across jurisdictions. How personal data can and will be protected against disproportionate interference by the state will be a decisive question for the next decade of human rights protection. 

Given that this is a problem in all countries and given that technology has evolved to render us far more interdependent while data flows instantly across the globe, it is high time to identify and agree on adequate safeguards so that disproportionate access becomes less likely. Recent court decisions have given an important impetus and some concrete indications on the way ahead. The collective search for adequate safeguards is, however, constant work in progress. All the more reason to get to work.  


An earlier version of this article was first published with the Observer Research Foundation on the occasion of the CyFy 2020 conference.

This research was funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation – Project Number 396819157).