More substantive rulings have been forthcoming from the European Court of Human Rights, which rules on cases relating to the member states of the European Council according to the European Convention on Human Rights. The difficulty with taking mass surveillance cases to court, though, is that courts do not like considering cases in the abstract; as a result, there need to be specific complainants. But given the high levels of secrecy surrounding surveillance, communications users may not know if they are the targets of surveillance. On the other hand, investigatory tribunals such as the IPT require lower burdens of proof, as they both investigate and determine complaints. The court has addressed this problem by deciding to rule on complaints from people or organisations that are potentially at risk of being subjected to surveillance. It has also found Russia and Hungary guilty of contravening the European Convention on Human Rights through their surveillance practices, expressing concern in the case of Russia about insufficient oversight, and the potential for abuses when security services have direct, warrantless access to communications networks.34 In the Russian case, brought by the editor Roman Zakharov, the court made a strong statement against mass surveillance, stating that it ‘considers that a system, such as the Russian one, which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse. The need for safeguards against arbitrariness and abuse appears therefore to be particularly great.’35
In the case of Hungary, the European Court expressed concern about the overbroad powers wielded by the security services in conducting anti-terrorism surveillance, subjecting nearly all citizens to surveillance with no proper oversight, especially judicial oversight.36 The court also recognised the right of users to be informed that their communications had been subjected to surveillance. However, unlike the ruling in the Russian case, this one took an ambiguous approach towards whether mass surveillance in principle should be considered unlawful, leaving the door open to its accepting the necessity of mass processing of data in future, provided certain safeguards were put in place.37
These rulings followed in the wake of two landmark rulings by the European Court of Justice (which rules on cases relating to EU members – the UK will no longer be subject to it once it leaves the EU). The first case found that the EU legislature had exceeded the legal requirement of proportionality when a data retention directive mandated the indiscriminate storage of metadata by public electronic communications companies for a period of between six and twenty-four months. It found that the very act of storage impacted on the right to privacy, even if the data had not been processed; however, the court remained silent on the appropriateness of data retention for law enforcement purposes.38 The second case (involving an Austrian lawyer called Maximillian Schrems based in Ireland) found that the transfer of data to a country that did not have adequate privacy protections could not be condoned legally, even if the destination country claimed that it provided a ‘safe harbour’ for received data. In possibly the strongest legal statement yet against mass surveillance, as well as a slap on the wrist for the Irish Data Protection Commissioner, the court argued the following: ‘In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the [EU] Charter [of Fundamental Rights].’39 While this judgment related to communications content, it was silent on the mass surveillance of metadata.
Legal precedents are still emerging from the US. A negative precedent was set shortly before the Snowden revelations in the Clapper judgment, in a major setback to civil society attempts to litigate around mass surveillance programmes. The US Supreme Court rejected a challenge to the FISA Amendment Act, which broadened the grounds for the surveillance of international phone calls and emails, although the judges were split along ideological lines.40 The applicants included Amnesty International, the ACLU and a range of other civil society and journalism organisations. The majority opinion of the court argued that the applicants could not prove that they had suffered particularised, imminent harm from surveillance, and they were reminded that as the plaintiffs, they were under an obligation to provide concrete evidence of surveillance. As a result, they lacked standing to litigate on these matters, and the case was dismissed.41 This setback underscored the more conservative approach of US judges to judicial oversight of executive surveillance powers, and put civil society organisations in an impossible position. Without clear and demonstrable ‘victims’, these organisations could not turn to the courts for relief; yet excessive secrecy prevents such information from coming into the public domain on national security matters.
After the Snowden leaks began, divisions opened up in the judiciary about mass surveillance, and consequently the legal position has remained unsettled. Immediately after the leaks revealed the existence of a top secret court order requiring the US company Verizon Wireless to collect the telephone records of millions of US customers, some of these customers (including the ACLU) brought a lawsuit against President Barack Obama, the NSA and others, alleging that the bulk collection of their phone and internet metadata was illegal. Federal Judge Richard J. Leon upheld their case, delivering a stinging rebuke of the NSA’s bulk collection programme as being most likely unconstitutional, describing it as ‘almost Orwellian’, and ruling that in this case the plaintiffs did have standing as they could demonstrate a clear interest. However, the judgment was reversed and remanded back to the district court. In 2015, the US Court of Appeals for the Federal Circuit rejected this ruling and found that the bulk collection of metadata was illegal on the grounds that innocent people were targeted.42 This was the most significant court victory in the US to date, and suggested that the courts had been revitalised by the Snowden revelations. In response, the House of Representatives passed the US Freedom Act, which limited bulk collection, and restricted law enforcement agencies to more targeted surveillance, although other provisions have arguably broadened their surveillance powers.43 The year before, the Obama administration also issued a presidential policy directive announcing policy reforms aimed at limiting the circumstances under which signals intelligence could be collected to genuine national security situations, and not for purposes of curtailing dissent; however, this directive has been criticised as weak and easy to revoke by another President.44 At the time of writing, other legal challenges to the US government’s surveillance powers were still unfolding. While it remains to be seen what the election of Donald Trump as the new US President, and the shift from a Democratic to a Republican administration, will mean for the fight for accountable surveillance, it could well entail a reversion to more conservative judgments that are more deferential to the executive.
With respect to the US FISC, privacy advocates have attempted to address its bias towards the very spy agencies it is meant to preside over, by arguing that FISC should include a special public advocate. This person would have the powers to interrogate cases before the courts, engage in discovery of relevant evidence, brief the court on matters relevant to current cases (including technically complex matters), and appeal against adverse rulings. Such an advocate would make sure that court decisions were debated vigorously even if the court processes took place behind closed doors.45 Privacy advocates have noted that the European Commission for Democracy through Law has argued that an internal privacy advocate in a secret court process could raise arguments on behalf of people who have nothing to do with the investigations at hand, but whose metadata was nevertheless being intercepted. In the case of content, the agencies might use selectors that could be attributed to an individual, and in those cases the advocate could ensure that the court strengthened its justification requirements.46 As surveillance issues have become highly technical, a public advocate could also introduce expert technical evidence into court to inform proceedings on matters with which the judges might not be conversant.47 Furthermore, in its standards for democratic oversight of intelligence agencies, a team linked to the University of Amsterdam’s Institute for Information Law have argued that oversight needs to incorporate the adversary principle, which they point out is a basic rule of law principle. The introduction of a public advocate into the system could be one way of incorporating this principle