What will it take to end mass surveillance in the EU?

This post originally appeared on openDemocracy.

When the media reports containing startling revelations about the scale and scope of electronic surveillance conducted by the US National Security Agency (NSA) appeared in June 2013, Europe’s response was mixed. It quickly became clear that while European officials and Members of the European Parliament took the revelations and their impact on fundamental rights very seriously, no such response was forthcoming from national governments.

Many European politicians were justifiably outraged over the continuing flood of revelations about the US’ pervasive electronic surveillance programmes since June 2013. It rapidly became clear that the NSA programmes had swept up the communications of countless innocent European and other citizens without recourse against violations of privacy and freedom of expression rights.

Given the importance of the privacy rights established in the Charter of Fundamental Rights of the EU, which include an explicit right to the protection of personal data, the EU institutions’ actions were appropriate. The treaties that underpin the EU’s authority further emphasise that the Union’s international relations must be “guided by” basic democratic principles and respect for human-rights laws.

Even if the Union were to attempt to adopt measures restricting secret surveillance, those measures would very likely not be enforceable

However, the same treaties that mandate that the EU consider human rights when conducting its foreign affairs also tie the Union’s hands when it comes to the regulation of national-security matters. The Treaty on European Union provides that “national security remains the sole responsibility of each Member State,” meaning that the Union cannot legislate in this area. Furthermore, the treaties explicitly deprive the Court of Justice of the EU (CJEU) of jurisdiction over cases involving a Member State’s efforts to safeguard its internal security. This means that even if the Union were to attempt to adopt measures restricting secret surveillance, those measures would very likely not be enforceable (as secret surveillance is assumed to be conducted for reasons of national security).

The European Commission responded immediately to the Snowden revelations and demanded clarification about the surveillance activities from US authorities. An EU-US dialogue was rapidly set up, but EU Member States were quick to curtail the EU-US discussions to exclude intelligence and national security matters – the sole responsibility of national governments.

Countries must bring greater transparency, proportionality and oversight to their electronic surveillance practices

Meanwhile, the European Parliament acted quickly and set up an inquiry into the electronic surveillance allegations, to be conducted by the Civil Liberties Committee (LIBE). CDT was the first civil society organization to give evidence to the inquiry, in September 2013. In our testimony to the inquiry we called for a trans-Atlantic process to develop a comprehensive understanding of the criteria that states should apply to government surveillance, especially where national security surveillance is concerned. We said that countries must bring greater transparency, proportionality and oversight to their electronic surveillance practices. Human rights principles, laid down in the European Convention on Human Rights and the International Covenant on Civil and Political Rights must be better respected in both jurisdictions, and an agreement on privacy between the two sides should be reached. This agreement should clearly define what constitutes adequate government access to data.

While the surveillance revelations exposed significant details about US surveillance programmes, they also revealed that many European states are employing similar tactics, even if on a smaller scale. Many recall that French President Hollande vocally called for an immediate stop to US spying on Europeans, but quickly muted his tone when the bulk collection programme of French intelligence was revealed. Similarly in Germany, NSA spying was a campaign issue during the September 2013 elections, and some politicians argued that EU-US trade talks should be suspended because of NSA practices. However, the revelations also demonstrated that German intelligence programmes were as technically advanced and invasive as those of the NSA, and that the two countries run electronic surveillance in close cooperation. In the UK, the government was not particularly shy about its massive surveillance capabilities, but insisted that there is proper oversight that fully respects citizens’ privacy.

The European Parliament inquiry resulted in a resolution adopted in March 2014. The resolution is non-binding, but not irrelevant. It is an important political statement and it included several sensible recommendations. Notably, it demands an end to the bulk collection of data – echoing demands made by both private companies and civil society groups. Further, it calls on a number of Member States to bring their intelligence surveillance laws and practices into line with European and international human rights norms. It also proposed setting up a high-level group at European level to monitor progress. The parliamentary inquiry clearly demonstrated that the privacy problems associated with the surveillance practices could not be reduced to a simple ‘US agencies are spying on European citizens’ narrative. Expanding government access to citizens’ data, opaque and obscure laws, and insufficient judicial and democratic oversight are international problems, requiring international solutions

However, European governments have neither responded to the Parliament’s recommendations, nor to demands put forward by European civil society groups. In fact, several countries such as France and the UK have taken stepsto strengthen surveillance capabilities through legislative or administrative means.

There have been repeated calls by civil society groups and others for enhanced transparency about the ways by which European governments access personal data. These efforts were discussed at a recent ‘Transparency Summit’ co-hosted by CDT. European communications companies are increasingly publishing information about the mechanisms through which government agencies obtain access to their infrastructure.

Companies should redouble their efforts to inform their customers and users about government access to their data

Civil society groups should continue to file requests for information, and companies should redouble their efforts to inform their customers and users about government access to their data, and insist that the Member States comply promptly and meaningfully with data access requests.

However, at present, the information published about surveillance practices remains insufficient to create the necessary political pressure, and no government in Europe is being challenged seriously by its opposition on surveillance issues. In Germany, the public and political reactions to the surveillance revelations have been stronger than in other European countries. But even there, the larger issue—indiscriminate surveillance of ordinary citizens—did not generate the strongest response. Instead, it was the allegations of US spying on the German government and state institutions that generated most embarrassment and controversy.

Notwithstanding all of these challenges, attempts are being made to fight over-intrusive intelligence surveillance through litigation. Some civil society organizations have brought challenges against secret surveillance practices before their national courts; one example is a case that British, American and Pakistani NGOs have just argued before the UK’s Investigatory Powers Tribunal, claiming that GCHQ is not legally empowered to engage in mass communications surveillance. Litigants in the national courts, however, often face constraints that severely hinder their ability to present their cases, including (among other problems) an inability to view classified documents or a prohibition on pleading the case in open court.

Therefore, the real power to bring the intelligence agencies to account lies in cases brought at a European level. The European Court of Human Rights (ECtHR) not only has by far the best-developed case-law of any international court where secret surveillance is concerned, it also does not face the competence restrictions that the CJEU does—it’s free to consider the compliance of national security-related matters with human rights (and frequently does so). In the post-Snowden era, litigants in the UK, Hungary, and Estonia have already brought cases before the ECtHR that challenge various aspects of secret surveillance; the UK case, Big Brother Watch and Others v. the United Kingdom, is especially significant since it arose directly from the Snowden revelations.

The CJEU, too, may have a role to play in this respect, notwithstanding the treaty-based restrictions on its jurisdiction over national security matters (see above). For example, the pending case of Schrems v. Data Protection Commissioner, which the Irish High Court recently referred to the Court, essentially raises the issue of whether national Data Protection Authorities in Europe have the power to examine if US-based internet service providers such as Facebook have the ability—in light of the NSA’s widespread and large-scale activities—to protect users’ privacy rights.

It is too early to tell if the different legal challenges will be successful. But clearly, the status quo is untenable.

It is too early to tell if the different legal challenges will be successful. But clearly, the status quo is untenable. There are currently no European standards for electronic surveillance for national security: on oversight, judicial review, storage, data minimization, sharing etc. Citizens have no way to know if their communications are intercepted by an intelligence agency, or if it has been shared with another. Companies that provide communications and internet-based services across Europe and globally will continue to face conflicting legal mandates from different countries, and encounter difficulties in regaining users’ trust in the services they provide.

Here is an ironic situation. After all the ire and outrage expressed by European Union officials and MEPs about US spying on European citizens, we may face a situation where we know more about US surveillance than we do about European programmes. It may be that the judicial oversight and legal safeguards that apply to the NSA–insufficient as they may be–are better than those governing European intelligence agencies. This is an unusual state of affairs indeed.

Europe has a very active and relatively powerful human rights court that has set reasonably clear and firm standards for secret surveillance. And yet, EU Member States remain as intransigent as ever, and the prospect of meaningful public debate and reform of electronic surveillance schemes remains distant. One would think that the current state of affairs might be so embarrassing for European politicians who like to boast about Europe leading the world in protection of personal data, that they would take action.

In reality however, it is more likely that it will take a court judgment that is so clear and unambiguous that it leaves governments no alternative but to rein in electronic surveillance.

Read more from our ‘Joining the dots on state surveillance’ series here.