UK spy agency GCHQ breached human rights laws with its bulk interception of online communications regime, the European Court of Human Rights (ECHR) ruled this week. But while this might appear another blow to the UK’s hopes of securing an EU data adequacy agreement, the intricacies of the judgement mean it might instead have the opposite effect.
The case was first brought by civil liberties groups including Big Brother Watch, Amnesty International and Liberty in 2013, based on whistleblower Edward Snowden’s revelations about GCHQ’s global surveillance operations that collected data from millions.
The judgement found the bulk interception regime violated the right to privacy and freedom of expression, and didn’t provide sufficient safeguards for confidential journalistic material. But, importantly, it ruled that operating a bulk interception regime did not itself violate the European convention on human rights – a sticking point for rights campaigners but a boon for European intelligence agencies.
GCHQ bulk surveillance ruling: strengthening the case for data adequacy?
“As regards the UK adequacy, this judgment can only strengthen the UK case,” says Juraj Sajfert, researcher in the Law, Science, Technology and Society group at Vrije Universiteit Brussel. “The UK can argue that its mass surveillance regime is not per se violating the European Convention of Human Rights and that it will, or already did, easily bring itself in line with the Strasbourg court’s requirements. The violations the Grand Chamber find are of a rather technical nature and can be fixed easily.”
This is indeed what the UK government is arguing. Because the legal challenge was first staged in 2013, GCHQ’s surveillance regime and the legislation surrounding it have been updated since then – ostensibly to make it more compatible with human rights.
A government spokesperson told the Guardian in a statement: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world… The 2016 Investigatory Powers Act has already replaced large parts of the 2000 Regulation of Investigatory Powers Act (RIPA) that was the subject of this challenge.”
The UK is keen to secure a data adequacy deal with the EU, to allow unfettered flows of personal data between the two for commercial purposes. For both, the economic cost of not securing one – and having to rely on complex and expensive transfer instruments instead – would be great. The UK government calculated that EU personal data-enabled services exports to the UK amounted to nearly £42bn in 2018, and exports from the UK to the EU were worth £85bn.
Yet to secure an adequacy agreement, the UK must prove it offers an “essentially equivalent” data protection regime as the EU. While the UK has similar protections under UK GDPR and the Data Protection Act, the wide-ranging surveillance powers of its spy agencies, enshrined in the Snooper’s Charter (Investigatory Powers Act 2016), has repeatedly clashed with the EU’s data laws. As reported by Tech Monitor, the issue is so contentious it has led to a rift between the European Parliament and the European Commission.
For EU members, the data collection activities of spy agencies are classed under “national security” and considered the competence of each nation alone. But for outside countries, such as the post-Brexit UK, this activity falls under the remit of what is taken into account for data adequacy. The UK and other countries such as the US have argued that this is unfair because EU member countries aren’t held to the same standards.
But the ECHR’s ruling that bulk interception of communications is not unlawful in itself, doesn’t necessarily exonerate the UK. The judgement creates tension between the ECHR and the Court of Justice of the European Union (CJEU), says Sajfert. The 2020 CJEU judgement on the very similar Privacy International case ruled bulk communications interception regimes unlawful. “This tension between the two highest European jurisdictions will put even more pressure on the [European] Commission now that it is about to adopt the UK adequacy decisions,” says Sajfert.
The EU has proved itself willing to twice invalidate the bespoke data-sharing agreements it had with the US, due to data failings found by the CJEU. “And there is little reason to say that the UK practices exposed in those disclosures were any ‘better’ than the US ones,” says Daniel Cary, partner at law firm Deighton Pierce Glynn. “Certainly, the way the UK intelligence agencies have conducted themselves mean that were there to be a political incentive to make an issue of this it could become one.”
Coming soon: an electronic ‘Big Brother’ in Europe?
Some fear the judgement in the most recent case could throw the doors open to more bulk surveillance in Europe. One of the partially dissenting judges, Paulo Pinto de Albuquerque, claimed the ruling paved the way for an electronic “Big Brother” in Europe.
“I think judge Pinto de Albequerque is right,” says Sajfert. “This judgment fits within the trend in Europe we can observe in the last five years, both on legislative and on judicial level… rather than banning a certain practice at the outset, the trend is allowing it and then burdening it with a number of procedural and technical safeguards. However, once the genie is out of the bottle these safeguards often become just a bit more paperwork and rubber-stamping.”
Join Our Newsletter
Want more on technology leadership?
Sign up for Tech Monitor's weekly newsletter, Changelog, for the latest insight and analysis delivered straight to your inbox.