Mark Klamberg on EU Metadata Collection

By Benjamin Wittes
Sunday, September 29, 2013, 1:03 PM

Mark Klamberg of Uppsala University Department of Law in Sweden writes in with the following guest post on European laws governing metadata collection and how they compare with U.S. law on the subject. It's a very interesting comparison:

Summary

Electronic surveillance is an important tool for law enforcement and may contribute to counter-terrorism efforts. This blog post is based on a text I wrote with Elisabeth Fura. It deals with systems of electronic surveillance which involve the retention of and/or access to large quantities of data and communications contents. This includes data retention of traffic data and signals intelligence, the latter occasionally described as mass surveillance or strategic monitoring. We conclude that the Fourth Amendment to the United States Constitution offers a greater substantive protection than does Article 8 of the European Convention for the protection of Human Rights (ECHR) to the extent that searches and seizures require probable cause and a warrant. But there’s a catch: The Fourth Amendment’s heightened substantive protection requires that the measure in question be covered by the notions of “search” or “seizure,” which may explain why law enforcement agencies which use warrantless surveillance tend to define the notions “search” or “seizure” narrowly. This has implications for the content/non-content distinction. The constitutional protection under the Fourth Amendment, in other words, has an all-or-nothing character. In comparison, Article 8 of the ECHR does not require probable cause or a warrant but it has a broader scope. Thus, there is no problem with expanding the scope and more-limited protections of Article 8 to traffic data, as well as communications content.

The laws on signals intelligence and metadata collection in Europe and the USA

The NSA practice of bulk metadata collection is not unique. Similar programs exist in Europe. Considering the massive debate in the USA on the matter, it may be worth comparing the laws on signals intelligence and metadata collection in Europe and the USA. At the outset, it should be noted that relevant laws may be found in at least three different kinds of regimes. I will compare these regimes with relevant US law.

EU Law on data retention

The EU (with 28 member states) has adopted the Data Retention Directive with the purpose of harmonizing the law within the EU for retention of data to be used for the prevention, investigation, detection, and prosecution of criminal offences. The directive requires Member States to ensure that communications providers retain, for a period of between 6 months and 2 years, necessary data as specified in the Directive:

  • to trace and identify the source of a communication;
  • to trace and identify the destination of a communication;
  • to identify the date, time and duration of a communication;
  • to identify the type of communication;
  • to identify the communication device;
  • to identify the location of mobile communication equipment.

This obligation concerns fixed network telephony, mobile telephony, internet access, internet e-mail and internet telephony. Access to, and use of, data by national authorities (for example law enforcement agencies) is to be regulated by the member states (and not by the EU). The EU data protection directive does not apply to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law; such protection is regulated by the member states.

US law on data retention

The Stored Communications Act (SCA) was enacted as part of the Electronic Communications Privacy Act in 1986. The SCA establishes mandatory data preservation, under which providers must preserve stored data for up to 180 days on government request. There has been pressure in the US to introduce legislation on ISP retention similar to the EU Data Retention Directive. In 2009 Rep. Lamar Smith (R-Texas) and Sen. John Cornyn (R-Texas) jointly introduced legislation requiring Internet service providers to retain subscriber information for up to two years. This and other attempts to introduce ISP retention have failed.

In addition, the Snowden files have revealed that the NSA collects phone records in bulk relying on 50 USC § 1861 (Section 215 of the Patriot Act). It appears that the same provision was used to collect data on internet communication until 2011, when that collection was discontinued. It is unknown if the data retained by the NSA is retained only for counterterrorism purposes or for detection, prevention and/or investigation of other crimes.

Preliminary thoughts on data retention

EU law provides for more extensive retention when it comes to retention of data on internet communication. However, US law is more intrusive in the sense that phone records are not only retained by communications providers but also by the NSA. A key question is why phone records are retained both by communication providers and the NSA. The reason the government has given is that the providers do not retain the data long enough: the NSA retains data for 5 years; the companies do not. However, one could ask if this is the only reason. Another reason could arguably be that by centralizing retention to a state agency, analysis and processing becomes easier and faster.

The European Convention for the protection of Human Rights

Second, article 8 of the European Convention on Human Rights (47 state parties including all EU member states plus states such as Russia and Turkey) provides for the protection of the individual’s right to respect for his private and family life, his home and his correspondence. The European Court of Human Rights (ECtHR) has dealt with several complaints concerning electronic surveillance, including three complaints concerning signals intelligence or “strategic monitoring” directed against international communication, Weber and Saravia v. Germany, Liberty and Others v. the United Kingdom and Kennedy v. the United Kingdom. The German law was accepted by the Court. The United Kingdom was found to be in violation of article 8 in Liberty and Others while the subsequently amended law passed in Kennedy.

At the present time, there are no cases being adjudicated by the ECtHR concerning implementation of the EU data retention directive. However, there are two pending cases concerning the EU data retention directive before the European Court of Justice (ECJ - the EU court to be distinguished from the ECtHR) against Austria (C-594/12 Seitlinger and Others) and Ireland (C-293/12 Digital Rights Ireland). The ECJ has in its previous case law ruled that EU legislation must be in conformity with constitutional standards of the EU member states, including the European Convention on Human Rights. Moreover, the German constitutional court has ruled that the German implementation of the EU data retention directive was unconstitutional, but this does not mean that the court declared the EU directive unconstitutional as such. Romania’s constitutional court took one step further and declared the EU directive unconstitutional as such. This means that Romania's constitutional court puts Romanian law above EU law, which contradicts the entire legal system of the EU. It remains to be seen how the ECJ and the ECtHR will deal with these cases.

Based on the text of article 8 and the Court's case law, the following legal framework applies. Communication by telephone, facsimile and e-mail is covered by the notions of “private life” and “correspondence” and is thus protected by article 8. The ECtHR distinguishes between content and traffic data, but both categories of information are protected by Article 8 (see Malone v. the United Kingdom). However, metering, recording of telephone numbers dialed (traffic data), does not per se violate Article 8 if, for example, it is done by the telephone company for billing purposes (see P.G. and J.H. v. the United Kingdom).

When is interference legitimate under article 8? Interference is permissible only if the measure is (1) “in accordance with the law”; (2) pursues certain interests; and (3) is “necessary in a democratic society.”

First, interference must be “in accordance with the law,” which requires that the measure should have some basis in domestic law. It also refers to the quality of the law in question, requiring that it should be (1) accessible to the person concerned, who must, moreover, be able to (2) foresee its consequences for him or her, and (3) compatible with the rule of law.

Publication of the law is a way to fulfill the requirement that the law is accessible. In Liberty and Others the Court found that the U.K. law, the 1985 Act, did not set out in a form accessible to the public any indication of the procedure to be followed for selecting, examining, sharing, storing and destroying intercepted material. Thus, the law did not fulfill the requirement “in accordance with the law.” With the requirement on foreseeability follows that the norm has to be formulated with sufficient precision to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to measures of surveillance.

The second requirement under Article 8(2) provides that the interference must pursue certain listed interests in order to be legitimate: national security, public safety or the economic well-being of the country, prevention of disorder or crime, protection of health or morals, or the protection of the rights and freedoms of others. The Court rarely challenges the aim referred to by states. The disputes more often concern whether the measure has a legal basis and/or is “necessary in a democratic society.”

Finally, an interference will be considered “necessary in a democratic society” for a legitimate aim if it answers a “pressing social need” and, in particular, if it is proportionate to the legitimate aim pursued and if the reasons adduced by the national authorities to justify it are “relevant and sufficient.” While it is for the national authorities to make the initial assessment in all these respects, the final evaluation of whether the interference is necessary remains subject to review by the Court for conformity with the requirements of the Convention. A margin of appreciation is left to the competent national authorities in this assessment. The breadth of this margin varies and depends on a number of factors including the nature of the Convention right in issue, its importance for the individual, the nature of the interference and the object pursued by the interference. The margin will tend to be narrower where the right at stake is crucial to the individual’s effective enjoyment of intimate or key rights. National security is an area where States are allowed a wide margin. However, the Court has affirmed the risk that a system of secret surveillance in the struggle against terrorism, espionage and for the protection of national security may undermine or even destroy democracy under the cloak of defending it. Therefore the Court must be satisfied that there exist adequate and effective guarantees against abuse.

The Fourth Amendment to the United States Constitution

In comparison with article 8 of the ECHR, the Fourth Amendment concerns searches and seizures, and it does not use the term "privacy." However, the two frameworks are still comparable, since they both require that a search or seizure must be in accordance with law and define the circumstances and purposes for which interference with communications is legitimate.

In Katz v. United States, the Supreme Court ruled that the Fourth Amendment covered a person’s “reasonable expectation of privacy,” which included telephone conversations. The reasonable expectation of privacy test is a way to distinguish measures covered by the Fourth Amendment from measures that it does not regulate. However, it is arguably difficult to know what makes an expectation of privacy constitutionally “reasonable.”

In United States v. Miller, federal law enforcement officials issued subpoenas to two banks to produce a customer’s financial records. The Supreme Court concluded that the customer lacked a reasonable expectation of privacy in the financial records maintained by his bank. According to the Court, “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities.” In other words, by disclosing information to a third party such as a bank or a communications service provider, the subject gives up all of his Fourth Amendment rights in the information revealed, including data retained in a database or an information network.

The ECtHR’s ruling in Malone that “envelope” information (traffic data) is protected by Article 8 may be contrasted with the approach chosen by the U.S. Courts. The Supreme Court ruled in Ex parte Jackson that the Fourth Amendment does not protect the outside of a postal package. Similarly, the Supreme Court ruled in Smith v. Maryland that the content of a telephone call, but not the numbers dialed, is protected by the Fourth Amendment. The installation and use of a pen register was not a “search” and no warrant was required. Miller and Smith are the leading cases in what has become known as the “third party doctrine.”

Preliminary thoughts on privacy safeguards 

The Fourth Amendment to the United States Constitution offers a greater protection than Article 8 of the European Convention for the protection of Human Rights (ECHR) to the extent that searches and seizures require probable cause and a warrant. But this protection requires that the measure in question is covered by the notions “search” or “seizure” in the first place, which may explain why law enforcement agencies which use warrantless surveillance tend to define the notions “search” or “seizure” narrowly. This has implications for the content/non-content distinction. The constitutional protection under the Fourth Amendment has an all-or-nothing character. In comparison, Article 8 of the ECHR does not require probable cause and a warrant, but it has a broader scope. Thus, there is no problem with expanding the scope and more limited protections of Article 8 to traffic data, as well as communications content.

National legislation on signals intelligence in European countries

The EU does not have competence to regulate intelligence matters; it is in the domain of each member state. A reasonable assumption is that all EU member states have intelligence services with different levels of sophistication and covered by different types of legislation. Some states conduct signals intelligence operations with a very vague or non-existent legal basis. The United Kingdom, Germany and Sweden are examples where signals intelligence operations are covered by quite extensive legislation and different degrees of oversight (UK: RIPA, Germany: G-10 law, Sweden: Signals Intelligence Law and related regulations).

The UK and Swedish operations both use "upstream collection" (using the terminology in the Snowden files), in the UK called "Tempora." In 2008, Sweden had a whistleblower who revealed that the Swedish signals intelligence agency (FRA) was retaining traffic data (metadata) in bulk. Based on the present legislation, such bulk retention of traffic data only purports to cover communications crossing Swedish borders and not communication within Sweden. However, internet communication in Sweden may be routed through nodes outside of Sweden, and in cases of uncertainty as to the "foreignness" of the communication, such data may be retained. As indicated above, the laws on signals intelligence in Germany and the UK have been approved by the European Court of Human Rights (and in the German case by its constitutional court). There is a pending complaint against Sweden, which is interesting because the previous complaints against Germany and the UK did not concern bulk metadata collection.

At first glance, the laws in the US, UK, Germany and Sweden are very different from one another. However, when the law is interpreted and the actual practice is studied, it becomes evident that the signals intelligence agencies of the four aforementioned countries have similar programs and apply almost identical methods.

Concluding remarks: what can we learn from each other?

The US has arguably the strongest oversight with the FISA court, the President's Intelligence Oversight Board, the House Permanent Select Committee on Intelligence (HPSCI) and the Senate Select Committee on Intelligence (SSCI).

This may be compared with Sweden, which also has an intelligence court (UNDOM) and an inspection body with representatives from the Government and parties in opposition (SIUN). However, all of these institutions are under very tight control of the Government, an entity that can issue requests for signals intelligence operations. The intelligence court has one chief judge and one or two deputy chief judges. The judges are appointed by the Government. One of the three nominees for the next chief judge is currently the chief legal advisor at the Ministry of Defense. The current head of the signals intelligence agency was previously the chief legal advisor at the Ministry of Defense when the legislation was drafted. The members of SIUN do represent different political parties but are appointed by the Government and report to the Government. Most of the members of SIUN are former parliamentarians, which weakens the parliamentary oversight in comparison to a system where the responsibility for oversight is conducted by a committee of parliament, i.e. parliamentarians in office. All in all, the Swedish system of checks and balances is weak when it comes to signals intelligence.

In contrast, the requirements regarding the substantive quality of law appear to be higher under the regime of the European Convention on Human Rights. Article 8 protects not only content but traffic data as well. It requires that the law be accessible and foreseeable, in other words, formulated with sufficient precision to give citizens an adequate indication as to the circumstances in which and the conditions in which public authorities are empowered to resort to measures of surveillance. This becomes relevant in terms of the transparency of the law. It does not appear that the Fourth Amendment imposes similar requirements in relation to collection of metadata. Finally, it appears that the data retention directive is sufficient for the needs of European countries, which would render centralized bulk retention of domestic phone records unnecessary.