Centrum för Rättvisa v Sweden (Application no 35252/08) (19 June 2018)
In June this year, the European Court of Human Rights (ECHR) ruled that a scheme providing for the bulk interception of electronic signals in Sweden for foreign surveillance purposes, was consistent with the rights set out in the European Convention of Human Rights (Convention). The decision cements the high threshold required for the protection of the right to respect for private and family life, the home and correspondence under article 8 of the Convention.
Centrum för Rättvisa, the applicant in this matter, is a non-profit foundation representing clients in litigation against the State, who claim that their rights and freedoms have been violated under the Convention and Swedish law. The applicant claimed that legislation permitting the bulk interception of electronic signals in Sweden for foreign intelligence purposes breached its privacy rights. It further alleged that because of the sensitive nature of its activities, there is a risk that its communications through mobile telephones and mobile broadband has been or will be intercepted and examined by way of signals intelligence.
Signals intelligence is broadly defined as intercepting, processing, analysing and reporting intelligence from electronic signals. In Sweden, the Signals Intelligence Act authorises the Swedish National Defence Radio Establishment (FRA), a Government agency organised under the Ministry of the Defence, to conduct signals intelligence. For all signals intelligence, the FRA must apply for a permit to the Foreign Intelligence Court.
In this matter, the applicant had not exhausted domestic remedies and could not give a concrete example of any of its communications having been intercepted. However, the ECHR still considered that it was justified in its decision to examine the Swedish legislation on signals intelligence. This was because there was, in practice, no available remedy in Sweden in response to a complainant who suspected that his or her communications had been intercepted. The right to an effective remedy by a national authority is enshrined in article 13 of the Convention.
In addition, the ECHR submitted that the Swedish legislation amounted to a system of secret surveillance that potentially affected all users of mobile telephones and the internet, without any notification. It also acknowledged the potentially harmful effects that the operation of a signals intelligence scheme could have on the protection of privacy.
However, the ECHR also acknowledged, by reference to the Report of the Venice Commission and other instruments, the importance for national security operations in safe-guarding against global terrorism and serious cross-border crime, as well as the increased sophistication of communications technology. As such, the State's margin of appreciation in which to set up a bulk interception regime to identify security threats, was considered a wide one.
The ECHR did caveat the wide margin of appreciation, noting that the State's discretion in operating an interception system was much narrower than that described above. The ECHR determined that it needed to be satisfied that there were adequate and effective guarantees against abuse. Following a careful assessment of the minimum safeguards that should be set out in law to avoid abuse of power, the ECHR held that the system revealed no significant shortcomings in its structure and operation. It also found that the Swedish system of signals intelligence provided adequate and sufficient guarantees against arbitrariness and the risk of abuse.
In determining that sufficient safeguards were in place for the operation of an interception system, the ECHR considered a range of factors. First, it determined that the scope of interception – permissible for communications crossing the Swedish border and not within Sweden itself – and the treatment of intercepted data were clearly defined in law. Then it held that the duration of the measures were clearly regulated, being valid for 6 months only and requiring renewal. The ECHR also acknowledged that a judicial body (the Foreign Intelligence Court) and several independent bodies were sufficiently tasked with supervision and review of the system and, on request, the inspectorate had to investigate individual complaints of intercepted communications alongside the Parliamentary Ombudsmen and Chancellor of Justice.
In addition the ECHR determined that the relevant legislation met the "quality of law" requirement. Furthermore, it held that the structure and operation of the system were proportionate to the aim sought to be achieved. Ultimately, no violation of Article 8 of the Convention was found. Given those findings, the ECHR held that there was no need to examine the applicant's complaint under article 13.
The decision signals somewhat of a divergence between ECHR law and law of the European Union. For example, the Court of Justice of the European Union (CJEU) in Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Ors (C-293/12)  QB 127 (ECJ (Grand Chamber)) held that the indiscriminate and very general nature of the bulk collection and processing of personal data, even to protect people against serious crimes, entails significant risks for human rights and freedoms and requires that "derogations and limitations in relation to the protection of personal data must apply in so far as it is strictly necessary". A significantly lower threshold was applied in Centrum för Rättvisa v. Sweden. Thus Centrum för Rättvisa v. Sweden raises questions about whether European law will fragment over the issue of data protection and privacy law.
The full text of the ECHR's judgment can be found here.
Charlette Bunn is an Associate at Allens.