In a dangerous combination of circumstances, the bulk interception powers granted to Swedish intelligence are both vast and poorly regulated. In a longstanding complaint with the ECtHR that is awaiting its conclusion in the coming months, the public interest law firm Centrum för rättvisa has argued that the Swedish bulk interception regime violates freedom of communication and the right to privacy. In settling if, or under what conditions, European governments may pry into people’s personal lives and confidential correspondence, the Grand Chamber will now define the true substance of these civil liberties in the digital age.
Today, European states face numerous and advanced threats from terrorists and other hostile actors. Secret surveillance of digital communication forms part of how states counter these threats. Without proper limits and adequate safeguards against abuse, however, the use of such government surveillance risks intruding upon the very basic rights and freedoms that the states seek to protect. Untargeted and suspicionless bulk surveillance in particular has been surrounded by controversy for more than a decade. The controversy culminated in 2013, when the former NSA contractor Edward Snowden revealed that the US, together with several European governments, was carrying out bulk surveillance on a global scale.
In Centrum för rättvisa v. Sweden and Big Brother Watch and Others v. the United Kingdom, the Grand Chamber of the European Court of Human Rights (the “Court”) is now about to weigh in on the issue of bulk surveillance for the first time.
The Swedish context
Sweden’s National Defence Radio Establishment (Försvarets radioanstalt, or the “FRA”)has been conducting signals surveillance in support of Sweden’s foreign, security, and defence policy since the Second World War. In 2008, however, the Swedish parliament passed a controversial set of laws, collectively referred to as the “FRA Act”, which drastically expanded the mandate of the FRA.
Through this act, the FRA was not only authorised to intercept cable-bound communications in bulk, it was also, to that end, given direct access to the fibre-optic cables that traverse the Swedish border, acting as digital arteries for virtually all electronic communications going in and out of Sweden. The amount of intimate, private, and privileged data that suddenly risked being caught by the FRA’s signals intelligence net was unprecedented.
Shortly after the FRA Act had been adopted, the Stockholm-based public interest law firm Centrum för rättvisa lodged a complaint before the European Court of Human Rights, arguing that the bulk interception regime had a chilling effect on the freedom of communication and clearly fell short of the requirements for the protection of privacy and correspondence under Article 8 of the European Convention on Human Rights (the “Convention”).
Amendments to the FRA Act
The legal challenge to the FRA Act informed and intensified the public debate and generated additional pressure on the Swedish Government and Parliament to strengthen the protection of privacy and correspondence. As a result, the act was subsequently amended less than a year after it had entered into force. Its previously lax legal constraints to bulk collection were tightened and the oversight and control mechanisms were enhanced.
Most notably, a body for prior judicial control of the surveillance operations was established (the Foreign Intelligence Court) and a new oversight body with the primary task of overseeing foreign intelligence activities was introduced (the Foreign Intelligence Inspectorate). Yet, the system still contained several glaring deficiencies which, as will be discussed below, arguably provided fertile ground for arbitrary interference with the right to respect for private life and correspondence.
Chamber ruling
In June 2018, the Court finally delivered judgment in the case of Centrum för rättvisa v. Sweden, holding that the Swedish system revealed no significant shortcomings in its structure and operation and hence did not amount to a violation of the Convention. At the same time, the Court stressed that the relevant Swedish law and practice gave “some cause for concern with respect to the possible abuse of the rights of individuals” (§ 150), and that there was “scope for improvement” (§ 180).
Referral of the case to the Grand Chamber
In September 2018, Centrum för rättvisa requested that the case be referred to the Grand Chamber of the Court. We argued, inter alia, that the judgment in our case and that of Big Brother Watch, where the UK regime was found to be in violation of the Convention, had created an inconsistency in the case-law on bulk surveillance. The split between the two judgments seemed to be the formulation of the applicable test for Convention compliance, and whether, or to what extent, deficiencies in one area could be offset by stronger safeguards in another. This inconsistency, we held, clearly demonstrated the need for further judicial examination by the Grand Chamber in order to re-evaluate and clarify the safeguards that apply to bulk interception regimes. In February 2019, our request was accepted by the Court and a hearing was held in Strasbourg on 10 July 2019.
Centrum för rättvisa’s submissions before the Grand Chamber
While the Swedish bulk interception regime has certainly seen improvements since its enactment, it still contains several problematic shortcomings. In our written submissions before the Grand Chamber, we have expounded on these more in depth. In the following, I wish to focus on the five key deficiencies of the Swedish bulk interception regime that we highlighted in our oral submissions.
1) Lack of adequate safeguards to limit the duration of surveillance
There is a lack of appropriate limits on the duration of a particular bulk surveillance mission. In the context of criminal investigations under Swedish law, the prosecutor or the District Court shall immediately cancel a warrant if the required conditions for it have ceased to exist. There is no equivalent legal obligation relating to the FRA. A surveillance mission may thus continue for several months until the warrant eventually expires on its own, even though the justification for it may have long lapsed. On account of exactly such a shortcoming, the Court has previously found in Roman Zakharov v. Russia that the Russian secret surveillance regime failed to provide sufficient guarantees against arbitrary interference. We have asked the Court to repeat and reinforce its finding in this regard in relation to the Swedish regime.
2) Lack of protection for data relating to legal persons
The FRA effectively enjoys unfettered discretion over the processing of data relating to legal persons. If intercepted material does not contain, or is altered as not to contain, personal data, it may be kept indefinitely, be used for purposes incompatible with the original purpose of collection, and be freely passed on to foreign governments and international organisations. As a result, privileged correspondence pertaining to e.g. law firms, businesses, religious and non-confessional organisations, public watchdogs, and press associations are left open to arbitrary interference.
The one notable exception to the FRA’s discretion in this context is that collected data must be immediately destroyed if it contains communications between a suspect in a criminal investigation and their defence counsel.[1] Regrettably though, no other communications covered by legal professional privilege are similarly shielded from the FRA’s purview.
This patent lack of protection is, we submit, manifestly incompatible with the right to respect for correspondence afforded to both natural and legal persons under Article 8 of the Convention.[2]
3) Inadequate supervisory control
The relevant oversight bodies are not as effective as they should be, mostly due to their lack of power to stop and remedy breaches of law and hold those responsible to account. The Swedish framework thus falls short of the minimum standards for effective supervision articulated in Roman Zakharov (§ 282). The most striking shortcoming is that the designated oversight body, the Foreign Intelligence Inspectorate, must rely primarily on submitting remarks to the FRA and on reporting matters to the Government or other authorities. In effect, as long as operations are compatible with a warrant from the Foreign Intelligence Court, the Foreign Intelligence Inspectorate has no power to issue legally binding decisions on the FRA at all. This is so even if the FRA is in breach of the Swedish constitution or the Convention.
4) Lack of effective remedies
Individuals do not have recourse to adequate and effective remedies for unlawful surveillance. Since the activities of the FRA are cloaked in absolute secrecy, there is no possibility for individuals to be advised of surveillance measures taken against them without their knowledge. Under such circumstances, it follows implicitly from the Court’s case-law, that individuals should instead have recourse to a remedial body that can examine individual complaints without any requirement on the individual to produce evidence.[3] There are arguably three such remedies under the Swedish regime: the Foreign Intelligence Inspectorate, the Chancellor of Justice and the Parliamentary Ombudsman. None of them are, however, capable of taking appropriate remedial action.
Although the Foreign Intelligence Inspectorate may examine individual complaints, its remedial powers are limited. It is under no obligation to inform the individual of its findings, it may not grant compensation, and it is only empowered to order that a particular operation shall cease or that unlawfully processed data shall be destroyed in a limited set of circumstances. Consequently, it cannot be deemed an effective remedy.
The Chancellor of Justice and the Parliamentary Ombudsman may also examine individual complaints. These bodies are, however, merely tasked with general oversight of public authorities and do not have any specific responsibilities to supervise secret surveillance.[4] The Chancellor of Justice may, to be sure, grant compensation if it is evident that an individual is entitled to compensation from the Government, but neither body has the power to order operations to cease or data to be destroyed. To date, all complaints concerning the FRA have been dismissed by the Chancellor of Justice without any action taken. Similarly, in a letter to Centrum för rättvisa from April 2019, the Parliamentary Ombudsman stated that in 22 years, the only action the office has ever taken in response to a complaint against the FRA was to make a single phone call.
For these reasons, the existing remedies are ineffective both individually and collectively. This is particularly problematic in the context of untargeted bulk interception, where prior review is inevitably carried out at a more abstract level compared to targeted interception. Failure to incorporate effective remedial mechanisms in a bulk interception regime cannot, we submit, under any circumstances be considered compatible with the Convention.
5) Virtually unfettered discretion when communicating data to foreign partners
The FRA and the Swedish Government enjoy virtually unfettered discretion when transferring intercepted communications to foreign governments and international organisations. There is no legal obligation to ensure that transferred information is afforded adequate protection. There is no legal obligation to impose appropriate safeguards, such as limiting the subsequent use of the information. Indeed, there is no legal obligation for the Government or the FRA to have any regard to the interests of the individual at all.
Our position, therefore, is that Sweden’s procedures for international transfers simply cannot constitute a practice compatible with the Convention. While we do, of course, accept the important role of intelligence sharing arrangements in promoting mutual intelligence and security interests, such arrangements cannot take place without robust safeguards for fundamental rights.
Conclusion
Having laid out our case before the Grand Chamber, we now look forward to receiving the Court’s final judgment. Whether the Court will deliver its judgment in 2019 or sometime during next year is up for speculation. In any event, the outcome of the case will have wide-ranging implications for individuals and states alike. In settling if, or under what conditions, European governments may pry into the personal lives and activities of private and legal persons, the Grand Chamber will now define the true substance of the right to privacy and freedom of communication in the digital age.
The five shortcomings highlighted above demonstrate that the Swedish bulk interception regime fails to pass muster already under the existing Convention standards. This should not, however, prevent the Grand Chamber from setting out robust additional safeguards that keep apace with the rapid advancements in surveillance technology, and that make clear whether and how bulk interception activities can be safeguarded against intentional or inadvertent abuse.
If bulk interception activities are at all capable of falling within the State’s margin of appreciation, they inevitably lie, we submit, on its outermost edge and must be restricted accordingly. The rights and democratic values at play here are at the heart of the Convention and of the Council of Europe. These rights and ideals must be protected, even when, and perhaps especially when, we counter threats from terrorists and other hostile actors that do not share our values.
[1] Section 7 of the Signals Intelligence Act.
[2] See, for instance, Liberty and Others v. the United Kingdom, §§ 55–57, where all of the applicants were legal persons.
[3] See Big Brother Watch, § 379; Kennedy v. the United Kingdom, §§ 167 and 169; and Roman Zakharov, § 298.
[4] As the Court noted in Segerstedt-Wiberg and Others v. Sweden, § 118.
Picture source: CherryX on Wikipedia.org. CC BY-SA 3.0.