Towers, European Court of Justice at Luxembourg. Wikicommons/sprklg. Some rights reserved.The proliferation of mass surveillance practices in recent years has posed a number of tough challenges for the protection of human rights in democratic societies, most notably for the right to privacy.
These challenges have been exacerbated by the considerable diversity in the legal and constitutional protection of privacy across the globe, with states engaging in far-reaching surveillance activity (such as the United States as demonstrated by the Snowden revelations) providing a fragmented and limited constitutional framework for the protection of privacy, especially regarding non-citizens.
At the same time, privacy protection framed strictly from a national/territorial perspective is increasingly inadequate to address the globalisation of surveillance, as evidenced by the proliferation of extraterritorial surveillance practices by states. In view of these challenges and gaps in human rights protection, I want to argue here that the development of a global privacy regime should now be an urgent priority for the global community.
There are four key principles to underpin such a global privacy regime. These principles are inspired by the current state of the protection of privacy in the European Union, and in the Council of Europe as developed by the Court of Justice of the European Union and by the European Court of Human Rights.
Europe is currently the leading actor in the field of the protection of privacy, with legislators — and in particular courts — addressing head-on the fundamental human rights challenges posed by executive action authorising mass surveillance.
Four key principles
- Firstly, the right to privacy should apply to everyone, to all individuals irrespective of their nationality.
The extension of privacy protection to everyone will serve to place meaningful limits to foreign surveillance and address the challenge of addressing global and extraterritorial systems of surveillance with territorial laws.
- Secondly, the right to privacy should cover not only the processing of personal data, but should target and limit the very collection of such data and its storage and transfer.
This is particularly important as regards the collection of every day personal data stemming from legitimate transactions such as booking a flight, arranging a bank transfer or making a phone call. A broad conceptualisation and articulation of the right to privacy, which would encompass but not be limited to the right to data protection, is key in this context.
- Thirdly, a global privacy regime must ensure effective remedies and meaningful avenues for redress for individuals claiming to be affected by surveillance activities.
The Court of Justice of the European Union in Schrems and the European Court of Human Rights in Zakharov have both espoused approaches which enable standing and grant a remedy to individuals who cannot necessarily demonstrate that they have been affected individually by surveillance but who raise the prospect of a risk of a breach of their privacy rights due to surveillance. This approach can form the basis of a minimum standard approach on standing at the global level.
- Fourthly, the establishment of national independent privacy supervisors should be rolled out across the globe.
The European Union model is worthy of emulating here. The European Union model is worthy of emulating here as independent supervision provides with a rigorous avenue of scrutiny of compliance by the executive and the legislature with key privacy provisions, as well as strengthens the right to an effective remedy by providing an avenue for affected individuals to bring privacy complaints before independent supervisory authorities with independent investigative and decision-making powers.
Formal and informal avenues of cross-border and international cooperation between independent authorities can also be explored in order to address challenges of cross-border, extraterritorial and increasingly globalised surveillance. These four principles, which will be developed further below, will form the framework for the development of more detailed rules at global level, but adherence to them has the potential to establish a global privacy regime ensuring both a high level of privacy protection and a high level of legal certainty in an increasingly global level-playing field.
Principle 1: Everyone must enjoy the right to privacy
Compared with countries such as the United States, European Union law and ECHR law provide a higher level of protection ratione personae, ie in answering the question of who has privacy rights.
The two key human rights instruments which form the backbone of EU constitutional law in the field — the European Convention on Human Rights and the European Union Charter of Fundamental Rights — extend the right to privacy (and, in the case of the Charter, the right to data protection), to everyone, without limiting protection to citizens of the European Union Member States (Article 8 ECHR; Articles 7 and 8 of the Charter of Fundamental Rights.)
This approach to privacy is important as it creates equality and a level-playing field in the protection of privacy between citizens and aliens, and helps to address gaps in protection arising in particular from extraterritorial surveillance practices that states may employ.
Principle 2: The right to privacy must be broadly defined
The second area where European Union law provides a higher level of privacy protection than countries such as the United States involves the substance and content of the right to privacy.
The ruling of the Court of Justice in Digital Rights Ireland demonstrates clearly that mass, generalised surveillance is unlawful under European Union law. The ruling of the Court of Justice in Digital Rights Ireland demonstrates clearly that mass, generalised surveillance is unlawful under European Union law. In reaching this conclusion, the Court has adopted the three-step test of assessing human rights compliance adopted by the European Court of Human Rights in Strasbourg: the Court assessed in turn interference of mass surveillance with the right to privacy; its necessity in a democratic society; and its proportionality to the aim pursued.
Mass surveillance does not pass the proportionality test. Proportionality in this context provides a stronger privacy safeguard than the Fourth Amendment ‘reasonableness’ test. The establishment of privacy-specific constitutional rights (Article 8 ECHR and Articles 7 and 8 of the Charter) further contributes to the achievement of a high level of substantive privacy protection in European Union law.
As evidenced by the ruling of the Court of Justice in Schrems, the clear limits that European Union law places on mass surveillance and the resulting high level of privacy protection in the European Union are required to apply extraterritorially when personal data is transferred from the European Union to third countries.
The right to privacy here serves to limit not only the processing of personal data (which is a key outcome of data protection law) but also, at an earlier stage, the very collection of such data for surveillance purposes.
Moreover, in a long series of case-law on data retention, national constitutional courts in Europe and the Court of Justice have linked the protection of privacy against mass surveillance to upholding the rule of law and maintaining the relationship of trust between the citizen and the state. This democratic dimension of the right to privacy must be taken into account and serve as a limit to mass surveillance practices.
Principle 3: Everyone must have a right to an effective remedy for privacy violations
The third area where European Union and ECHR law provides a high level of protection involves the provision of remedies and avenues for judicial redress to individuals whose privacy rights have been affected. In the case of Schrems, European Union law has made it possible for individuals who claim to be potentially affected by mass surveillance (in the case of Schrems by being a Facebook subscriber concerned about the potential access to his personal data by US security services) to be provided with a remedy before national courts and before the Court of Justice of the European Union.
An extensive approach to standing has also been endorsed by the European Court of Human Rights. In its recent ruling in Zakharov, the Court stressed the need to ensure that the secrecy of surveillance measures does not result in the measures being effectively unchallengeable and outside the supervision of the national judicial authorities and of the Court.
‘the Court accepts that an applicant can claim to be the victim of a violation occasioned by the mere existence of secret surveillance measures, or legislation permitting secret surveillance measures, if the following conditions are satisfied. Firstly, the Court will take into account the scope of the legislation permitting secret surveillance measures by examining whether the applicant can possibly be affected by it, either because he or she belongs to a group of persons targeted by the contested legislation or because the legislation directly affects all users of communication services by instituting a system where any person can have his or her communications intercepted. Secondly, the Court will take into account the availability of remedies at the national level and will adjust the degree of scrutiny depending on the effectiveness of such remedies…. where the domestic system does not afford an effective remedy to the person who suspects that he or she was subjected to secret surveillance, widespread suspicion and concern among the general public that secret surveillance powers are being abused cannot be said to be unjustified. In such circumstances the menace of surveillance can be claimed in itself to restrict free communication through the postal and telecommunication services, thereby constituting for all users or potential users a direct interference with the right guaranteed by Article 8. There is therefore a greater need for scrutiny by the Court and an exception to the rule, which denies individuals the right to challenge a law in abstracto, is justified. In such cases the individual does not need to demonstrate the existence of any risk that secret surveillance measures were applied to him. By contrast, if the national system provides for effective remedies, a widespread suspicion of abuse is more difficult to justify. In such cases, the individual may claim to be a victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures only if he is able to show that, due to his personal situation, he is potentially at risk of being subjected to such measures.’(paragraph 171. Emphasis added).
In Zakharov, the European Court of Human Rights has provided a meaningful route towards upholding the right to an effective remedy with regard to privacy violations resulting from state surveillance. It has allowed standing where applicants can evoke the mere existence of secret surveillance measures, with individuals not needing to demonstrate the existence of any risk that surveillance measures were applied to them if national systems do not provide an effective remedy for individuals to challenge such surveillance.
The approach of the European Court of Human Rights is in stark contrast to the ruling of the United States Supreme Court in the case of Clapper (Clapper, Director of National Intelligence, et al. v. Amnesty International USA et al., 568 U.S. (2013)), where the Supreme Court rejected the respondents’ standing plea based on the claim that they have suffered injury, which is traceable to Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA, 50 U.S.C. para.1881a) because there is an objectively reasonable likelihood that their communications with their foreign contacts will be intercepted under para.1881a at some point, ruling that the respondents’ claims are highly speculative.
Principle 4: The requirement of independent supervision
The enjoyment of the right to an effective remedy is closely linked to the fourth area where European Union law provides a high level of constitutional protection of privacy compared to US law, namely the area of independent privacy supervision.
Independent supervision with regard to data protection law is firmly enshrined in EU constitutional law after Lisbon in both the Treaty on the Functioning of the European Union (TFEU) and in the European Union Charter of Fundamental Rights (Articles 16 TFEU and 8(2) of the Charter respectively).(See Hielke Hijmans.)
It is a European Union constitutional requirement which features prominently in transatlantic negotiations on the establishment of a level-playing field of protection, with the United States being seen as not providing an equivalent level of independent supervision.
Independent supervision has a dual role. It is essential to ensure rigorous and independent scrutiny of the compliance of Member States with EU constitutional and secondary legislation on data protection. However, it is also an avenue — via the powers of independent authorities to investigate individual complaints concerning breaches of data protection law — for the provision of an effective remedy for individuals whose privacy rights have been adversely affected.
This dual role of independent supervisory authorities in ensuring a meaningful and high level of protection has been confirmed in the ruling of the Court of Justice of the European Union in Schrems. There, the Court emphasised the powers of independent authorities to review the substance of individual complaints, even in the existence of a general decision presuming that the level of data protection in a third country (in that case in the United States) is ‘adequate’, with the Court linking such review with upholding the rule of law in the European Union (paragraphs 38-66, in particular paragraphs 58-60). The existence of an independent authority at the national level… has thus in this case proven essential in giving a voice to these individuals and providing remedies at both national and European Union level.
At the same time, the very existence of an independent authority at the national level has effectively provided the complainant with standing and an effective remedy at the national and at the Union level: Mr Schrems complained about the potential misuse of his Facebook personal data in the United States to the Irish independent supervisory authority, the Data Protection Commissioner. Upon rejection of his claim by the Commissioner, he brought an action challenging the Commissioner’s decision before the Irish High Court, which then decided to send the question in the form of a preliminary reference to the Court of Justice of the European Union — giving thus rise to the seminal ruling in Schrems.
The existence of an independent authority at the national level, where individuals can lodge complaints regarding potential breaches of their rights, has thus in this case proven essential in giving a voice to these individuals and providing remedies at both national and European Union level. The action of an individual citizen in Schrems, lodging a general claim before an independent authority (a claim which, under the reasoning of the US Supreme Court in Clapper would most likely be considered ‘speculative’), has resulted in a ruling by the Court of Justice of the European Union which has established a very high benchmark for the protection of privacy at European Union and transatlantic level.
This article is published in association with the Criminal Justice Centre at the Department of Law, Queen Mary University of London. The CJC’s members are drawn from both the legal profession and academia, researching the impact of securitisation on human rights. The Centre is one of the coordinating institutions of the European Criminal Academic Network.