by Asaf Lubin
Asaf Lubin is a J.S.D.
Candidate at Yale Law School and a Robert L. Bernstein
International Human Rights Fellow with Privacy
The world was a different place when, in October 2015, the Court
of Justice of the European Union (CJEU)
down the "Safe Harbour" data-sharing agreement that allowed the
transfer of European citizens' data to the US.
The Court's decision concluded that
the indiscriminate nature of the surveillance programs carried out
by U.S. intelligence agencies, exposed two years earlier by NSA-contractor-turned-whistleblower
had made it impossible to ensure that the personal data of E.U.
citizens would be adequately protected when shared with American
The ruling thus served to further
solidify the long-standing conventional
that Continental Europe is better at protecting privacy than
However, Europe's ability to continue to take this moral high ground
is rapidly declining.
In recent months, and in the wake of a series of terrorist
across Europe, Germany, France and the United Kingdom - Europe's
biggest superpowers - have passed laws granting their surveillance
agencies virtually unfettered power to conduct bulk interception of
communications across Europe and beyond, with limited to no
effective oversight or procedural safeguards from abuse.
The same political leaders and legislators that once rebuked
on the ethics of its mass surveillance practices seem to now be
taking a page out of the NSA's playbook.
This post surveys these three national legal frameworks,
highlighting their troubling similarities, with the aim of showing
how legislators from these countries are treading a dangerous line
of surveillance expansion and overreach, paving the way for more
European countries to follow in their footsteps.
Indeed, European countries are increasingly chiming in to an
ever-growing chorus of supporters for wholesale global surveillance
in the name of perceived security.
This rhetoric finds especially fertile ground in modern-day Europe,
which has been engulfed by populist messaging surrounding the
refugee crisis, immigration and heightened security threats.
However, rushed and vague mass surveillance laws, while they might
increase public approval ratings in the short term, are not a true
panacea to the fundamental
in European intelligence cooperation that were exposed by the recent
Moreover, such laws may not only fail to solve the problems they
seek to address, but rather they could help foster new problems.
former chief terrorism investigator for the French judicial system,
about the French legislation:
intelligence law is not well-conceived and rational, it could
easily become a formidable weapon of repression. An intelligence
law should not only protect citizens against terrorism, but also
against the State.
We in France
are doing neither. There is a total absence of control in this
This is even more
worrying in the context of foreign mass surveillance where the
victims of potential overreach are non-citizens with even fewer
statutory protections and avenues for redress.
To understand how
these new laws endanger privacy protections across Europe, it's
important to examine the legislation carefully, including the new
powers granted, the oversight mechanisms available, and the
protections put in place for privileged communications, for example,
conversations between an attorney and a client or communications
subject to diplomatic inviolability.
On Nov. 29, the UK adopted the
(IPA), nicknamed by privacy experts as the "Snoopers Charter,"
because it authorizes the Government Communications Headquarters
(GCHQ) to engage in bulk interception, acquisition, and equipment
interference of 'overseas-related' communications and communications
systems, comprising of communications,
received by individuals who are outside the British Islands."
interception warrants authorize the interception of
"overseas-related communications" throughout the course of
their transmission by means of a telecommunications system,
and the obtaining of secondary data from those
acquisition warrants require a telecommunications operator
to disclose specified communications data (metadata) that it
already possesses, or to obtain communications data that it
does not yet possess in order to later disclose it.
equipment interference warrants authorize the acquisition
"communications and equipment data directly from
computer equipment overseas."
important to clarify that bulk warrants are not traditional
warrants, in the sense that they grant the agency requesting
them the authority to conduct a large number of operations
under a single warrant.
It is in
this context that all three types of bulk warrants
grant U.K. intelligence services the power to engage in:
mass collection of foreign metadata
mass interception of
mass hacking of computer networks and
process is identical for each type of bulk warrant. First,
the head of an intelligence service, or any official
designated by her, must submit a request to the Secretary of
Secretary may then issue a bulk warrant, subject to a
necessity and proportionality analysis. The decision to
issue a warrant is then reviewed by a Judicial Commissioner,
before it is granted.
known, in U.K. jargon as the "double lock" mechanism
(described by proponents of the legislation as a dual
executive-judicial pre-authorization process for its foreign
warrants cease to have effect at the end of 6 months,
subject to a renewal process by the Secretary of State under
the same conditions for the issuance of the warrants.
Renewals may continue unabated in the same manner.
issuing a bulk interception warrant, the Secretary of State
must furthermore consult the operator in question, and
consider a number of other matters that could have an effect
on the operator, such as the benefits of the warrant, the
likely number of people affected, its technical feasibility
and its immediate costs.
there are no notification or reporting requirements for bulk
warrants, nor does the Act specify the remedies available to
those residing overseas should the powers provided be
Additionally, telecommunications providers who knowingly
fail to comply with the warrants are guilty of an offense
and may be fined, with the relevant individuals imprisoned.
same telecommunications providers have limited ability to
challenge bulk warrants since they are prohibited from
revealing they have received one.
warrants allow for the collection of privileged
communications, including those by foreign public officials
in European institutions, foreign parliamentarians, lawyers,
and journalists, with no restrictions.
to the examination of those materials, different levels of
protection apply to different privileged data.
subject to legal privilege, examination of the materials is
constrained by requirements of "exceptional and compelling
confidential journalistic materials, the requirement is only
that the IP Commissioner be informed as soon as is
privileged materials, as related to privileged people
outside the U.K., there are no safeguards on examination.
surveillance programs are under review by the European
Court of Human Rights (ECtHR) in three different pending
led in cooperation with
Tempora program to
tap underwater fibre optic
telecommunication lines, as well as its intelligence sharing
with the NSA under the
Five Eyes Arrangement,
are being challenged for their compatibility with European
human rights standards.
On Oct. 21, Germany adopted the
Communications Intelligence Gathering
The act authorizes the Federal
Intelligence Service (BND) to gather and process communications
of foreign nationals abroad. Some of the world's largest internet
exchange points (IXPs) are situated in Germany, thus making the
country a central hub for significant portions of the world's
While the Act authorizes
interceptions against foreigners to be conducted only from
Germany's territory, a legislative move which might seem limiting,
in light of Germany's unique geographical position it in fact
authorizes the BND to tap these exchange points in a broader effort
to maximize global surveillance.
In fact, the operator of one of these
De-Cix, has recently brought a
case before the Leipzig
administrative court, challenging BND's demands to allow the mass
monitoring of international communications flowing through its hub.
only be gathered from telecommunications networks that have
previously been designated in a directive issued by the
power granted to the BND is the power to conduct "Tests of
powers, the BND is entitled to gather and analyze
information, including personal data, to the extent that
this is necessary to determine "relevant keywords" (akin to
"selectors" in NSA terms) or "relevant telecommunications
shall be directed by the head of the BND with no oversight
by the executive or judiciary.
Personal data gathered in the
course of these tests may only be used for the purposes
listed above, or if there are factual indications that it
can be used to,
"avert a serious threat to the life, limb, or
freedom of a person or the security of the Federal Republic
such data must be deleted no later than two weeks (if
collected for the purpose of identifying relevant keywords)
or four weeks (if collected for the purpose of identifying
relevant telecommunications networks).
relevant telecommunications networks and keywords are
identified, the BND may begin to gather the content of
communications relying on them.
of the German Constitutional Court found that this list of
keywords and search parameters, which the BND used to track
millions of surveillance targets worldwide, and which were
the NSA, would not be disclosed to the German Parliament's
Special Parliamentary Fact-Finding Commission established
following the Snowden revelations.
ruling was based on the conclusion that the confidentiality
of the selectors list outweighed the public's right to know
and the parliament's duty of oversight.
accordance with the law the directives of the Federal
Chancellery shall be issued in writing, upon application by
the head of the BND, or his or her representative, and shall
stipulate the reason and duration of the measure and the
telecommunications networks affected.
directives shall be limited to a maximum nine months, but
may be prolonged for a further nine months by the Federal
law establishes a three-member administrative committee,
titled the "Independent Panel," comprised of two judges and
one federal public prosecutor at the Federal Court of
reviews and may revoke the surveillance directives issued by
the Federal Chancellery.
allows for the collection and analysis of privileged
communications, including those by foreign parliamentarians,
lawyers, and journalists, with no restrictions.
limitations are put in place, in the context of
communications of EU institutions, or the public authorities
and citizens of its Member States.
none of these limitations significantly hinders the ability
of the BND to employ surveillance measures when it deems
the use of keywords that may lead to the targeted gathering
of communications of European heads of State and other
public officials may be authorized if those are necessary to
prevent the "circulation of weapons of war" or to gather
data about matters in third countries,
are of particular relevance for the security of Federal
Republic of Germany."
Two weeks after the November 2015 terrorist
in Paris, during which 130 people were killed, France adopted the
The law officially recognizes the powers of the French Directorate
General for External Security (DGSE) to intercept, collect, and
monitor communications "sent or received abroad."
This encompasses all those communications which are associated with
"subscription numbers or identifiers" that are not traceable to the
national territory of France.
France has long been suspected of
being involved in global electronic communications surveillance,
codenamed by the media as "Franchelon,"
on Echelon, a mass surveillance program launched in the late
1960s by the NSA in cooperation with its Five Eyes' partner
Minister may authorize the bulk interception of foreign
communications at the request of the Minister of Defense,
the Minister of the Interior, or the Minister of Finance, or
anyone whom they designate.
communications can be stored for up to 12 months, and
metadata for up to 6 years.
encrypted information can be stored for up to 8 years and in
cases of "strict necessity" may be stored for even longer
Commission for the Control of Security Interceptions (whose
French acronym is CNCIS) was restructured under the new law
and is now composed of nine members including two judges,
two members of the State Council, four representatives of
Parliament, and an expert in electronic communications
appointed on proposal of the Communications and Postal
The CNCIS is
merely informed of all authorizations made by the Prime
Minister under the Act, and there is no requirement to
consult it prior to authorization.
CNCIS may launch investigations at its own initiative or
following the complaint of any individual, no statutory
guidance is provided on the elements it should take into
consideration in its reviews nor on the powers it has
following a finding that an interception authorization was
allows for the collection and analysis of privileged
communications, including those of foreign public officials
in European institutions and other intergovernmental
organizations, foreign parliamentarians, lawyers, and
journalists, with no restrictions.
currently 13 different
pending before the ECtHR surrounding the new law,
challenging both the expansive domestic snooping powers it
authorizes and the above-discussed foreign surveillance
Setting for the Continent and Beyond
All three laws share a number of disturbing similarities.
First, the laws allow for mass foreign surveillance on broad and
As the Human Rights Committee has already
in relation to the French legislation, for a law to meet the
principles of legality, necessity, and proportionality, it must
legitimate objectives" and list "exact circumstances in which
such interferences may be authorized and the categories of
persons likely to be placed under surveillance."
Similarly, the ECtHR noted in
that while the standard of foreseeability,
require States to set out exhaustively by name the specific
offences which may give rise to interception," it does oblige
them to provide "sufficient detail" of the nature of the
offenses in question.
Surveillance laws therefore must be adequately precise in their
terms to give citizens an indication of the circumstances that might
give rise to a surveillance measure.
Grounds such as,
"prevention of serious crime"
"prevention of terrorism"
"prevention of the proliferation of weapons of mass
specific enough to meet the above requirements.
On the other hand,
all three laws also include more ambiguous and open ended categories
such as the catch-all "national security" ground in,
the UK law,
or the over-encompassing "foreign affairs" grounds in both
the German law ("intelligence that is important for foreign
and security policy")
law (foreign surveillance necessary to defend and promote
"France's major interests in foreign policy, the
implementation of the European and international commitments
of France, and the prevention of all forms of foreign
In this regard, specific attention should be given to the question
of whether advancing economic interests constitutes a legitimate
objective for foreign surveillance.
While the German law expressly prohibits economic espionage,
French legislation expressly permits it ("economic, industrial, and
the U.K. legislation leaves an opening
for it ("economic well-being"; "safeguarding prosperity").
According to Wikileaks,
Hillary Clinton's Campaign Manager
John Podesta, in a policy brief on U.S.-German Surveillance relations
"If Germany were
to propose to the US a bilateral engagement to prohibit
industrial espionage as the starting point for multi-lateral
agreements or standards, the response from Washington would
likely be positive."
This position is in line with the approach laid down in the
U.S.-China "common understanding"
against cyber economic espionage
adopted in 2015, as well as PPD-28 which authorizes,
of foreign private commercial information or trade secrets",
to the extent it is necessary to protect the national security of
the United States or its partners and allies.
Any collection done for the sole
purpose of promoting the competitive advantage of the U.S. business
sector is expressly prohibited by the Directive.
Setting aside the
looming future of PPD-28
or any understanding between the U.S. and China under a Trump
administration, this stark divergence between the German and French
laws signals that the fight against the legitimacy of foreign
"economic espionage" is far from won.
Second, the laws all share a lack of adequate oversight and
safeguards from abuse.
The U.K. government, for example, has taken
pride in solidifying the 'double lock' mechanism.
However, the law limits the scope of review by the Judicial
Commissioners, which means that judges will not be given full
authority to assess the merits of proposed surveillance measures.
Moreover, in the case of bulk warrants the authorization requests
can be formulated in such broad and vague ways that making judicial
assessments on the merits of the application becomes essentially
The German Independent Panel, which reviews the surveillance
directives, also offers only limited oversight.
Not only could this process be circumvented in situations where the
Federal Chancellery believes the objective of the measure might be,
significantly impeded," but moreover, as was already determined
by the UN Special Rapporteur on the Right to Privacy, the Panel
staff or resources to oversee mass surveillance operations."
Even more egregious, the French law does not establish any mandatory
pre-authorization or consultation process and only allows for post
factum investigations by an administrative committee, conducted on
its own initiative and lacking statutory bite.
Deprived of local
structured oversight, the laws in essence shift the onus of control
from domestic parliaments, commissioners, and courts to European
regional bodies, further broadening the gap between the positions
taken by the judges in Luxembourg and Strasbourg and those offered
at the national level.
The judgment of the CJEU in
exemplifies this trend.
The Court found that "general and indiscriminate" retention of
metadata, under recently expired U.K. legislation called the Data
Retention and Investigatory Powers Act (DRIPA), violated EU
directives and the Charter of Fundamental Rights of the European
DRIPA has since been replaced by the IPA which only expanded on its
data retention regime, and is thus likely to be subjected to
The case was heard by 15 CJEU judges, who addressed directly the
government's claims on the importance of bulk powers in the age of
The judges noted that:
effectiveness of the fight against serious crime, in particular
organized crime and terrorism, may depend to a great extent on
the use of modern investigation techniques, such an objective of
general interest, however fundamental it may be, cannot in
itself justify that national legislation providing for the
general and indiscriminate retention of all traffic and location
data should be considered to be necessary for the purposes of
This ruling offers
pushback against mass collection and interception of
communications, such as that promoted in the three laws, and widens
the chasm between policies at the EU and EC levels and the laws and
regulations of their member States.
This is of particular concern in light of the fact that
all three laws explicitly allow for spying on EU institutions.
Moreover, the laws set limited to no protections on the collection
and analysis of privileged communications including those of foreign
public officials, parliamentarians, journalists, lawyers, and
doctors both inside and outside the borders of Europe. In the case
which concerned the tapping of the phone lines of a lawyer and his
law firm by the Swiss Government, the ECtHR expressly noted the need
for establishing distinct and clear protections and safeguards by
law for the interception of such privileged communications (paras.
Finally, while the German law does establish some general provisions
on interstate sharing of intelligence, both the U.K. and the French
laws leave such intelligence cooperation arrangements intentionally
outside of the scope of primary regulation.
As Privacy International
argued before the ECtHR in a pending
minimum safeguards are required when a government accesses
information intercepted by a foreign government or when it shares
such information with foreign agencies.
Failure to set statutory parameters for such arrangements, let alone
disclose them to oversight bodies and the general public, further
exacerbates the possibility for abuse.
Across Europe, from
parliaments have been adopting expansive domestic and foreign
surveillance legislation in recent months and years.
This wave of legislation, pushed by populist agendas and public
outrage in the wake of recent terrorist attacks on European soil,
flagrantly disregards decades of jurisprudence by the ECtHR and
more recent jurisprudence by the CJEU, and it endangers privacy
protections across the continent.
The leaders of Germany, France and the UK are setting a dangerous
precedent which echoes within the European Community and far beyond
surveillance by governments has become the 'new normal.'
To show how much has changed, it's worth remembering the speech
to the German Parliament, just three years ago, in January 2014,
when she warned Western governments against promoting surveillance
policies that collect everything that is "technically possible."
She noted that these foreign mass surveillance programs not only,
but send the wrong signal to "billions of people living in
The end result, she concluded,
"is not more
security but less..."
Privacy International (PI)
is a London-based charity which advocates for strong national,
regional, and international laws that protect privacy and
investigates and litigates to ensure that surveillance is consistent
with the rule of law.
We wish to thank
Tilly Berkhout, a former intern with PI, for her assistance in the
research towards this post.