Privacy, Human Rights Advocates Challenge Legality of US, UK E-Spying

Scheinin, formerly U.N. special rapporteur on human rights and counter-terrorism, said many of the technical details for the surveillance programs are still not fully known, but it’s possible to say that the U.S. and U.K. are involved in activities that violate their responsibilities under the ICCPR, one of the main U.N. human rights treaties. That instrument contains a specific provision (Article 17) barring unlawful or arbitrary interference with anyone’s privacy, he said. Moreover, although neither the U.S. nor U.K. has accepted the right of individual complaint under the covenant, which would allow independent experts in the Human Rights Committee (HRC) to assess whether a government has violated the ICCPR in relation to a specific person, that committee can address treaty compliance under the inter-state complaint provision, which both countries have agreed to, he said. In addition, both nations are required under the ICCPR to submit periodic compliance reports to the HRC. “By coincidence, the United States is up for such review later this week, and the United Kingdom next year,” he said.

As U.N. Special Rapporteur, Scheinin presented a report to the U.N. Human Rights Council in March 2010 that set out a test for permissible limits on privacy and data protection rights, he told LIBE members. Those are: (1) Any restrictions must be provided by law. (2) The essence of a human right isn’t subject to restrictions. (3) Restrictions must be necessary in a democratic society. (4) Any discretion exercised when implementing the restrictions must not be unfettered. (5) For a restriction to be permissible, it must be necessary for reaching its legitimate aim. (6) Restrictive measures must be proportional and as unintrusive as possible. (7) Any restrictions must be consistent with other rights guaranteed in the ICCPR.

"Application of this test results in the conclusion that the electronic mass surveillance by the NSA, as divulged through the so-called [Edward] Snowden revelations and to a certain extent confirmed by US authorities, did result in breaches of the legal obligations of the United States under ICCPR,” Scheinin’s written statement said. Among other problems, the NSA’s entire mass electronic surveillance architecture generally fails on the ground that to be permissible, any intrusion into privacy rights would require a proper legal basis, which isn’t the case, he said. The spying has been based on “vague and broad provisions of the Foreign Intelligence Surveillance Act (FISA)” and its secret case law, he said.

And the mere breadth and width of the e-surveillance architecture, coupled with the publicly available results achieved toward the actual prevention of terrorism or other crime, justifies the conclusion that, as operated, the programs weren’t necessary in a democratic society, Scheinin said. FISA authorizes surveillance not only for anti-terrorism activities but also for aiding “the conduct of the foreign affairs” of the U.S., a legitimate national interest but not a pressing social need that justifies interfering with the privacy of ordinary people, he said. NSA mass surveillance wasn’t subject to proper oversight, didn’t include an appropriate guarantee of proportionality, and was open for abuse, he said. In addition, the U.S. position that privacy protections extend only to its own citizens and not foreigners goes against the extraterritorial effect of the ICCPR, he said.

Scheinin recommended that EU lawmakers study the U.S.’s forthcoming statement to the HRC, expected Nov. 1. They should consider whether one or more EU governments should file an inter-state complaint against the U.S., he said, saying it wouldn’t surprise him if some Latin American countries are considering such a move. Citizens can address complaints to the HRC, he said. It has posed several questions related to NSA surveillance architecture and one can expect at a minimum an “expression of grave concern” from it, he said.

Korff, who deals with human rights and data protection issues, reviewed European Court of Human Rights case law on transnational surveillance and the standards it applies to surveillance. A system of secret surveillance for the protection of national security “can undermine or even destroy democracy under the cloak of defending it,” his written comments (http://bit.ly/19P7j4G) said. ECHR minimum standards require that governments by law strictly limit the offenses for which surveillance can be ordered and the categories of people who can be monitored, he said. There must be strict procedures and time limits on surveillance; strong and effective safeguards against abuse; and strong parliamentary oversight, he said. Those principles must be applied to anyone affected by surveillance measures taken by a Council of Europe member, wherever they are, he said.

Nations, including non-European ones, that carry out surveillance on the communications or other data of individuals and organizations in other countries, European or otherwise, without the latter governments’ consent, “act in violation of public international law,” because they're violating state sovereignty, Korff said. Moreover, European countries have a “positive obligation” to safeguard their citizens from surveillance contrary to the rule perpetrated by any other country, he said. They have a legal obligation not to actively support, participate or collude in such surveillance by a non-European country, he said. The kind of spying everyone now knows has taken place, especially from the U.K., fundamentally conflicts with European data protection principles, he told committee members. Korff echoed European Data Protection Supervisor Peter Hustinx’s statement that the mass surveillance poses an “existential challenge to our fundamental rights and liberties” (CD Oct 9 p12).

International lawyers working for the U.K. or U.S. governments would argue on the other side that surveillance outside their own borders doesn’t constitute exercise of “jurisdiction,” Scheinin told us Tuesday. That means that global Internet and telecommunications would be “free game for anyone who has the technological capacity and that there would be no right to privacy in the electronic sphere,” he said. That’s a drastic consequence of a simple legal argument, he said. Scheinin said his view is that if a nation has the technical capacity to intrude upon privacy, and intentionally does so, that’s a form of subjecting an individual, whether a foreigner or a national, to its jurisdiction. An even weaker counterargument to Scheinin and Korff’s stance is that FISA and the U.K. Regulation of Investigatory Powers Act 2000 have all along provided a legal basis for the surveillance, even if no one knew about it or could read it from the wording of the statutes, Scheinin said.

Mass e-surveillance is primarily a problem of U.S. law, said ECHR Judge Bostjan Zupancic. The Patriot Act and other legislation on which the spying is based must be analyzed by the U.S. Supreme Court, he said. Stressing he spoke personally, he said that under ECHR law, people aggrieved by the privacy breaches must exhaust all national remedies before bringing their cases to the ECHR which, like the U.S. high court, would take years to decide the cases.

Zupancic predicted that individuals in some EU countries would be more likely to succeed in challenges before their national courts than before the ECHR. Since this is principally a question of the constitutionality of national law, the human rights court doesn’t have the power to strike down domestic legislation on which massive surveillance activities are based, he said. But he also held out hope that citizens seeking redress in the ECHR would have “standing” to sue, saying it will likely be enough to show that someone is probably a victim of the spying because everyone else is.

Big Brother Watch, Open Rights Group, writers’ group English PEN and Constanze Kurz, a surveillance techniques expert, late last month challenged U.K. spying in an application filed in the ECHR (http://bit.ly/GPu5wC). It alleged that the secret interception of communications by the U.K. government -- via Prism or Tempora -- “goes to the heart of the freedoms” protected by the European Human Rights Convention. The aim isn’t to bring about the end of surveillance, but to ensure it’s done properly, Big Brother Watch Director Nick Pickles told LIBE members. The next LIBE hearing is Nov. 7, a committee spokeswoman said.

Revelations about Prism and similar programs could slow the rollout of European cloud computing services, the EC said in an Oct. 15 memo (http://bit.ly/194CJ43). Its European Cloud Partnership Steering Board in July discussed possible fallout from the information, with members calling for “urgent action” to address concerns about Prism’s effect on the cloud, it said.

Two post-Prism issues must be addressed, the EC said. Users already worry about security and confidentiality of information in the cloud, and Prism has aggravated the situation, it said. “Trust in cloud computing is suffering,” which risks depressing the rate of takeup and Europe lagging behind in adoption, it said. Another issue is that some are now calling for national or regional clouds. The EC “is strongly against a ‘Fortress Europe''’ approach because a fragmented cloud market will be a setback for the digital single market, a connected continent, and for customers and suppliers, it said. The EC urged speedy adoption of its proposed data protection regulation to help build a single market for cloud computing.