Public Surveillance before the European Courts
Progressive legitimisation or a shift towards a more pragmatic approach?
Following 9/11 and the subsequent terrorist attacks on European soil, a significant expansion of state surveillance, counter-terrorism regimes in Europe and worldwide has taken place. While such regimes demonstrated the increasing appetite of law-makers and the executive for normalisation of surveillance, at the same time, a significant development towards the opposite direction started to emerge from the two main European Courts – the Court of Justice of the EU (CJEU) and the European Court of Human Rights (ECtHR): a powerful pushback against the normalisation of state surveillance. This pushback coming from the judiciary has produced several celebrated victories for fundamental rights over surveillance. Indeed, the jurisprudence of the CJEU was seen as initiating a progressive trend, marking continuous victories of EU fundamental rights against not only the EU legislature, but also Member States’ policy makers and even third countries’ surveillance regimes, such as the USA.
However, the recent decisions by the CJEU in La Quadrature du Net and the ECtHR in Big Brother Watch and Others v. the UK reveal a different picture: both Courts are now moving towards a legitimisation of surveillance in the public sphere. Does this mean that the progressive trend that emerged after 9/11 has reached its limits? More importantly, are European courts now normalising surveillance?
This post unpacks the implications of this new judicial trend by addressing the above questions. I argue that such a trend – properly circumscribed – might signify a less naïve approach to surveillance.
The CJEU data retention ‘saga’
The CJEU has delivered a series of landmark decisions on state surveillance measures. This expansive jurisprudence commenced in 2014 with Digital Rights Ireland, where the CJEU invalidated the Data Retention Directive ruling that indiscriminate bulk metadata retention is incompatible with EU law. It continued in 2015 with Schrems I, in which the Court found that the US authorities’ access to personal data transferred from EU Member States under the Safe Harbour scheme went beyond what was strictly necessary and proportionate to the protection of national security. It further culminated in 2017 with Tele2 and Watson, where the Court held that the Digital Rights Ireland principles applied to national laws implementing the invalidated Data Retention Directive. It continued in 2018 with Ministerio Fiscal, in which the CJEU clarified that different types of data retention measures entail different levels of interference to fundamental rights. In Schrems II, delivered in 2020, the Court annulled the Privacy Shield adequacy decision holding that US national security requirements cannot be given primacy over EU data protection principles. Finally, in Privacy International, the CJEU reiterated that indiscriminate bulk retention is prohibited, even when this is undertaken for national security purposes.
This long line of cases shows what I consider a trend of judicial pushback against the normalisation of surveillance. The judgments of the CJEU are far from perfect (I have criticised different aspects of them, here and here), but they do establish clear red lines of what is considered prohibited public surveillance.
La Quadrature du Net and Big Brother Watch: A judicial shift?
The La Quadrature du Net judgment was rendered on the same day as Privacy International. But, while the latter continues the CJEU’s expansive data protection jurisprudence, La Quadrature du Net marked an important departure from the Court’s prohibitive approach to bulk data retention to a more nuanced one that cracks the door open for a variety of different permissible surveillance measures, if these are carried out under certain criteria and applicable safeguards. Indeed, the most important contribution of La Quadrature du Net was the establishment of a long list of permissible data retention measures that paints a comprehensive but complex picture of acceptable law enforcement tools and makes several major concessions to Member States’ security authorities – including allowing for general, indiscriminate preventive data retention when confronted with a ‘serious’ threat to national security ‘which is shown to be genuine and present or foreseeable’.
A similar trend is evident in the jurisprudence of the ECtHR. For instance, in Big Brother Watch and Centrum för Rättvisa v. Sweden delivered in May 2021, the starting point of the Grand Chamber of the ECtHR’s analysis was that bulk interception regimes are ‘a valuable technological capacity to identify new threats in the digital domain’. The ECtHR also opted for a more nuanced approach to bulk surveillance, prescribed by several procedural guarantees regarding authorization, retention, access and oversight. In particular, the Grand Chamber set out several so-called ‘end-to-end safeguards’ that provide adequate and effective guarantees against arbitrariness and abuse. More recently, in Ekimdzhiev and others v. Bulgaria, the ECtHR continued along these lines, emphasising that such procedures should not only exist on paper, they should also operate in practice.
A judicial normalization of surveillance or a more pragmatic approach?
These guarantees, conditions and safeguards demonstrate a more proceduralized approach to surveillance. They also signal a backtracking from red lines (in particular, regarding the prohibition of bulk surveillance), towards a gradual acceptance. This new approach might be good news for national governments as it presents relatively ‘easy fixes’ to the inherent problems of bulk data retention.
However, in the words of Judge Pinto De Albuquerque it also ‘fundamentally alters the existing balance in Europe between the right to respect for private life and public security interests’ by progressively re-legitimizing bulk data retention on the condition that effective guarantees are applicable. In this respect, it is hard to agree with his argument that ‘the Strasbourg Court lags behind the Luxembourg Court, which remains the lighthouse for privacy rights in Europe’. Instead, it seems that the two Courts are converging rather than diverging in their recent jurisprudence concerning the data retention saga.
Moreover, the list of permissible surveillance measures laid down by the CJEU in La Quadrature du Net is so prescriptive that the Court seems to be assuming a quasi-legislative role. Indeed, it appears to expand its assessment of data retention both vertically (entering the Member States’ realm) and horizontally (entering the legislator’s realm). At first glance, one could criticise the CJEU for overstepping its boundaries. However, a deeper analysis reveals the complexity of the questions that underpin metadata surveillance: If data retention cannot be harmonised at the EU level, then how would EU fundamental rights be ensured at the national level where data retention measures are fragmented and vary between different Member States? Would a more laissez-faire approach not be equally problematic for both fundamental rights and overall legal certainty concerns?
It seems, therefore, that a more pragmatic judicial approach to surveillance might be needed. This might be interpreted by some as opening the path towards a normalisation of surveillance. However, I argue that we should be cautious here, especially under the current political circumstances that find Europe in a turning point in its history after the Russian military invasion of Ukraine. It would be naïve to criticise the European Courts for adopting a more proceduralized approach to surveillance based on conditions and safeguards rather than prohibitive red lines. Such an approach might also present less risk to the Courts finding their judgments circumvented – or altogether ignored by the executive.
Conclusion
A new judicial trend can be observed that marks the beginning of a more nuanced approach to surveillance that opens the door for bulk data retention measures when these are required for counter-terrorism purposes.
This re-evaluation of data retention models seems to be based on what this post referred to as the ‘proceduralization of surveillance’. Instead of red lines and prohibitive rules, data retention measures are now gradually permitted on the basis of a set of procedures, criteria, and safeguards under which they should operate. This is a significant departure from previous case-law that signals a progressive re-alignment of the CJEU with the ECtHR.
Overall, Courts do not have an easy task when attempting to find a compromise between law enforcement and intelligence services’ requirements and fundamental rights. It often happens that their judgments anger both national governments and privacy advocates equally. The future will show whether the progressive re-legitimization of public surveillance through its circumcision under conditions, safeguards and oversight will open the gates for an electronic ‘Big Brother’ in Europe, or lead the way towards a less absolute, more pragmatic (and perhaps less naïve) approach to surveillance. What is for sure is that the data retention saga is not over yet.
