The Right to Privacy
| Site: | Saylor Academy |
| Course: | CS406: Information Security |
| Book: | The Right to Privacy |
| Printed by: | Guest user |
| Date: | Wednesday, May 14, 2025, 10:51 AM |
Description
Privacy is protected by law in many countries and by international law. Read section 5.3, which discusses privacy rights and the laws that protect privacy. Make note of what is considered to be privacy and what is protected by the US constitution, by the United Nations (UN), and by the European Union (EU).
1. The right to privacy
Privacy is a value, an interest, a right or a good. It can be analysed from an ethical perspective (as a value, a virtue or duty), from an economic perspective (as a utility, a preference or an interest), and from the perspective of political theory (as
a public and a private good). In this work, we will focus on the legal perspective, tracing positive law on the subject of privacy. Below, we will discuss the right to privacy from the perspectives of constitutional, international and supranational
law, ending with a discussion of art. 8 of the ECHR.
Source: Mel Bochner, https://lawforcomputerscientists.pubpub.org/pub/doreuiyy/release/7
This work is licensed under a Creative Commons Attribution 3.0 License.
1.1. The right to privacy: constitutional law
The right to privacy is a subjective right, attributed by objective law. The most obvious branch of objective law that attributes the subjective right of privacy is constitutional law, which often contains a section that aims to protects citizens against overly invasive powers of the state. Historically, human rights initially played out in the vertical relationship between state and citizens, not in the horizontal relations between private parties. The industrial revolution of the 19th century gave rise to powerful economic actors whose ability to infringe privacy, freedom of information and non-discrimination increasingly match the powers of the state.
This has led courts to recognise a so-called horizontal effect of constitutional rights such as privacy. This entails that protection against such infringements is a duty of the state, meaning that citizens can sue the state for failing to impose prohibitions to infringe these rights upon powerful players in the private sector. This is called indirect horizontal effect, because it cannot be invoked directly against private parties. Depending on national jurisdiction, courts may also attribute direct horizontal effect, when qualifying a violation of privacy by e.g. a company as a tortuous act in the context of private law. In that case, violation of privacy can be invoked directly against e.g. a private company.
In many states outside the Council of Europe, the Constitution provides the main protection against infringements of the right to privacy. For instance in the US, even though neither the 1787 US Constitution, nor the 1791 Amendments to the US Constitution (known as the Bill of Rights) explicitly refer to a right to privacy. In the course of the 20th century the Supreme Court of the US has nevertheless interpreted various articles of the Bill of Rights as safeguarding an individual right to privacy, notably based on the IV Amendment:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
This Amendment protects against:
- "unreasonable searches and seizures" by the police,
- which require "a warrant"
- that may only be issued in the case of probable cause (concrete and objectifiable suspicion) and
- must contain a reasonably detailed description of what may be searched or seized.
We can read these protections in terms of legal conditions and legal effect, by stating that "searches and seizures" by government officials are only lawful if:
- there is probable cause
- a warrant has been issued
- which contains limitations as to what is allowed
As we have already seen in section 2.1.2 and 5.1.2, the question here is (1) whether this right protects against violation of property rights (trespass) or also against violation of reasonable expectations of privacy that do not depend on property and (2) whether search and seizure of e.g. a mobile phone falls within the scope of the IV Amendment, as a phone is neither part of a person, a house, paper or effects.
In the US, constitutional protection of the right to privacy (which is also "read into" other parts of the Bill of Rights) thus depends on national law, rather than international law. This has consequences for its applicability in the case of those who have no legal status in the US, as it may be unclear whether the Bill of Rights even applies to them. Another consequence is that the enforcement of rights against the state is dependent on that same state. In contrast, the European Convention of Human Rights (ECHR) offers a more layered architecture of legal protection, which is at least in part dependent on a European court that is not part of the state against which it aims to protect.
1.2. The right to privacy: international law
Protection of human rights requires a resilient system of checks and balances, i.e. a series of institutional safeguards to ensure that the state does not claim unreasonable exceptions and faces a stringently independent judiciary to keep the powers of the state "in check". As noted above, the need to protect subjects of the state against the state, gave rise to international human rights law, which provides an extra layer of checks and balances. Privacy is explicitly protected by art. 17 of the United Nations (UN) International Covenant on Civil and Political Rights (ICCPR) of 1966, and by art. 8 of the European Convention of Human Rights (ECHR) of 1950, two examples of international law. Both articles are similar, we quote art. 8 ECHR to give the reader a first taste:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The UN ICCPR has global application, with currently 178 signatories and 172 ratifications, but its enforcement mechanisms are relatively weak compared to the ECHR. In art. 34, the ECHR provides citizens of the 48 contracting parties with an individual right to complain to the European Court of Human Rights (ECtHR):
The Court may receive applications from any person, non-governmental organisation or group of individuals claiming to be the victim of a violation by one of the High Contracting Parties of the rights set forth in the Convention or the protocols thereto. The High Contracting Parties undertake not to hinder in any way the effective exercise of this right.
The ECHR, however, does not have global application, as it only applies within the jurisdiction of the Council of Europe.
1.3. The right to privacy: supranational law
Since 2009, when the EU Charter of Fundamental Rights of the EU (CFREU) came into force, the protection of human rights has gained even more traction, adding a second European Court with competence to test legislation, decisions and actions against a catalogue of human rights. This protection, offered at the level of supranational law, is applicable whenever MSs "are implementing Union law" (art. 51 CFREU). As human rights developed with the rise of the modern state, they further developed with the rise of supranational jurisdiction. The prevailing powers of the institutions of the EU demand countervailing powers in the form of supranational fundamental rights.
1.4. Art. 8 European Convention of Human Rights
In this section we will discuss one of the most crucial legal rights of this book. The right to privacy that is articulated in art. 8 ECHR is not only relevant for bodily integrity, decisional privacy, and the other aspects of privacy, but also directly affects issues of cybercrime and copyright. This is due to the fact that cybercrimes may violate privacy (hacking, data breaches), or that copyright holders may violate privacy when disseminating their works (photographs, texts) but also because the investigative measures that aim to detect cybercrime and violations of copyright often infringe upon the right to privacy as protected in art. 8.
Here, we develop a first analysis of the legal conditions it stipulates, how they are explained by the ECtHR and the legal effects it generates.
Art. 8 consists of 2 paragraphs. The first paragraph concerns the question of whether privacy is infringed, the second paragraph clarifies under what conditions an infringement is justified.
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
The legal effect generated by this paragraph is "an infringement of privacy", and this infringement depends on the following alternative legal conditions:
- Private life is not respected
- Family life is not respected
- The protection of one’s home is not respected
- The confidentiality of one’s correspondence is not respected
The ECtHR takes the view that these concepts require a broad rather than a narrow interpretation, bringing a wide variety of situations, events, relationships and contexts under the protection of art. 8.
Private life can be at stake in the context of work, meaning that a search of an office space may be an infringement of privacy. Family life is at stake when a state prohibits members of a family to live together, for instance in the case a refusal to provide a residence permit for a partner from another state, or of a parent wishing to further develop a relationship with their child despite not being married to the other parent. Protection of the home may become relevant when a person has taken residence in a house they neither own nor rent, meaning that the need to respect one’s home is not dependent upon ownership or contract. The confidentiality of communication has been interpreted to include letters, telephone and more recently all types of internet-enabled communication that is not public. Privacy, as protected by art. 8, clearly concerns physical, spatial, contextual, decisional, communicative and informational privacy, and though art. 8 addresses the contracting states, its indirect horizontal effect has been recognised by the ECtHR, requiring states to ensure proper protection against violations by others than the state. Note that the individual complaint right of the ECHR can only be invoked against a state, not against a company. To invoke direct horizontal effect, a person needs to sue the tortfeasor in a national court.
Once the legal effect of an infringement has been established by the ECtHR, it will investigate whether the state has a valid justification.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The legal effect of a valid justification is that, despite the infringement, art. 8 is not violated. This effect depends on the following cumulative legal conditions:
- The infringement has one of more of the following legitimate aims: national security, public safety or the economic well being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others;
- The infringement is in accordance with the law
- The infringement is necessary in a democratic society.
The second paragraph of art. 8 requires a triple test, meaning that all three legal conditions must be met. These conditions can be formulated as follows, taking into account relevant case law. Any infringing measures taken by the state must:
- have a legitimate aim
- have a basis in law and
- be proportional in relation to the aim served.
The articulation of legitimate aims in art. 8.2 is rather inclusive, which means that the ECtHR seldom finds reason to endorse the claim that the state lacked a legitimate aim.
Many of the cases where ECtHR (the Court) finds that art. 8 has been violated concern the condition that the infringement must be "in accordance with the law". This basically refers to the legality principle of constitutional law (3.3). The Court has - over the course of the years - developed 3 criteria to decide whether an infringement has a proper basis in law. The legal competence to take infringing measures must:
- be accessible, knowable for citizens to whom it will apply
- the infringements must be foreseeable, which means sufficiently specified
- the quality of the law must include sufficient safeguards that limit the exercise of the competence in time and space, specifying the extent to which privacy may be infringed, and notably requiring independent oversight (e.g. warrants) in the case of more serious infringements
Note that the Court will not merely check legislative or regulatory provisions, but test practical arrangements and actual safeguards to establish whether the infringing measures were taken "in accordance with the law". Throughout its case law, the ECtHR demands that the rights attributed in the ECHR are both "practical and effective", stating that:
[t]he Convention is intended to guarantee not rights that are theoretical or illusory but rights that are practical and effective (…).
If privacy is infringed with a legitimate aim, based on a legal competence that is accessible, foreseeable, while having sufficient safeguards, the final test is a proportionality test. This entails that the ECtHR investigates whether the measure was necessary in a democratic society, which requires - according to the Court - a pressing social need to resort to such measures. Under this criterion the Court will examine the gravity, invasiveness and seriousness of the infringement in relation to the importance and seriousness of the aim served. This criterion basically requires that the measures taken can reasonably be expected to be effective, because a measure that is not effective cannot be necessary. The proportionality test includes a subsidiarity test; if another measure which is less infringing is feasible or sufficiently effective, the measure is not proportional.
1.5. Case law art. 8 ECHR regarding surveillance
When developing computing architectures, whether in the context of data bases, streaming data, machine-to-machine communication, knowledge discovery in data bases, machine learning or cryptographic infrastructures, computer scientists lay the foundations for ICIs that enable the processing, storage, interlinking and inferencing of behavioural and other personal data. This may regard online clickstream behaviour, location and mobility data, energy usage behaviours, biometric gait behaviour, and a plethora of communication data, including both content and metadata. Governments, tasked with the investigation and prosecution of criminal offences and the protection of national and public security, have many incentives to gain access to such data. Apart from the struggle against serious crime and threats to national security, governments need to collect taxes, attribute social benefits, take precautionary measures regarding public health, and safeguard the economic welfare of the country. All these tasks fall within the scope of the legitimate aims enumerated in art. 8.2 ECHR. This raises the question under what conditions surveillance measures can be qualified as "in accordance with the law" and if so, when they are considered "proportional" to the targeted aim.
Surveillance measures by the police may regard post-crime investigatory measures (to identify an offender after a crime has been committed) or pre-crime investigations (to prevent potential offending, or to foresee likely offences). To understand how the Court deals with various types of electronic surveillance, we will discuss two cases of post-crime surveillance and two cases of pre-crime surveillance (including surveillance by the intelligence services, which falls outside the domain of criminal law). This entails extensive quotation of the relevant case law, to show how the Court reasons, taking into account that the Court’s judgments binds the contracting parties and thus provide "practical and effective" legal protection to those under the jurisdiction of the ECHR.
Post-crime surveillance:
In 1984, in Malone v UK, the ECtHR determined that the UK was in breach of art. 8, where it allowed the interception of telephone conversations by the police upon warrant issued by the Secretary of State. The Court determined that for such a measure to be "in accordance with the law", it must not merely have a basis in domestic law (meaning a legal competence), but must also be foreseeable and sufficiently limited as required by the rule of law:
68. Since the implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the legal discretion granted to the executive to be expressed in terms of an unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity, (…).
When applying this interpretation, the Court finds that:
79. The foregoing considerations disclose that, at the very least, in its present state the law in England and Wales governing interception of communications for police purposes is somewhat obscure and open to differing interpretations. The Court would be usurping the function of the national courts were it to attempt to make an authoritative statement on such issues of domestic law (see, mutatis mutandis, the Deweer judgment of 27 February 1980, Series A no. 35, p. 28, in fine, and the Van Droogenbroeck judgment of 24 June 1982, Series A no. 50, p. 30, fourth sub-paragraph). The Court is, however, required under the Convention to determine whether, for the purposes of paragraph 2 of Article 8 (art. 8-2), the relevant law lays down with reasonable clarity the essential elements of the authorities’ powers in this domain.
Detailed procedures concerning interception of communications on behalf of the police in England and Wales do exist (see paragraphs 42-49, 51-52 and 54-55 above). What is more, published statistics show the efficacy of those procedures in keeping the number of warrants granted relatively low, especially when compared with the rising number of indictable crimes committed and telephones installed (see paragraph 53 above). The public have been made aware of the applicable arrangements and principles through publication of the Birkett report and the White Paper and through statements by responsible Ministers in Parliament (see paragraphs 21, 37-38, 41, 43 and 54 above).
Nonetheless, on the evidence before the Court, it cannot be said with any reasonable certainty what elements of the powers to intercept are incorporated in legal rules and what elements remain within the discretion of the executive. In view of the attendant obscurity and uncertainty as to the state of the law in this essential respect, the Court cannot but reach a similar conclusion to that of the Commission. In the opinion of the Court, the law of England and Wales does not indicate with reasonable clarity the scope and manner of exercise of the relevant discretion conferred on the public authorities. To that extent, the minimum degree of legal protection to which citizens are entitled under the rule of law in a democratic society is lacking.
(iii) Conclusion
80. In sum, as far as interception of communications is concerned, the interferences with the applicant’s right under Article 8 (art. 8) to respect for his private life and correspondence (see paragraph 64 above) were not "in accordance with the law".
In this case, Malone claimed that not only the interception of the content of his telephone converstaions violated his right to privacy under the Convention, but also the capture of what we would now call metadata. The Court states with regard to this capture, which is known as "metering":
83. The process known as "metering" involves the use of a device (a meter check printer) which registers the numbers dialled on a particular telephone and the time and duration of each call (see paragraph 56 above). In making such records, the Post Office - now British Telecommunications - makes use only of signals sent to itself as the provider of the telephone service and does not monitor or intercept telephone conversations at all. From this, the Government drew the conclusion that metering, in contrast to interception of communications, does not entail interference with any right guaranteed by Article 8 (art. 8).
87. Section 80 of the Post Office Act 1969 has never been applied so as to "require" the Post Office, pursuant to a warrant of the Secretary of State, to make available to the police in connection with the investigation of crime information obtained from metering. On the other hand, no rule of domestic law makes it unlawful for the Post Office voluntarily to comply with a request from the police to make and supply records of metering (see paragraph 56 above). The practice described above, including the limitative conditions as to when the information may be provided, has been made public in answer to parliamentary questions (ibid.). However, on the evidence adduced before the Court, apart from the simple absence of prohibition, there would appear to be no legal rules concerning the scope and manner of exercise of the discretion enjoyed by the public authorities. Consequently, although lawful in terms of domestic law, the interference resulting from the existence of the practice in question was not "in accordance with the law", within the meaning of paragraph 2 of Article 8 (art. 8-2) (see paragraphs 66 to 68 above).
Note that the ECtHR established that the practice of "metering" is lawful under UK law, but in violation of art. 8.2 ECHR. Both the interception and the metering violate art. 8.2 because they are not "in accordance with the law" as required by a treaty that binds the UK. This means that the UK has violated its legal obligations under the Convention and is now bound to ensure that these types of surveillance measures are based on a domestic law that both constitutes and sufficiently restricts its legal powers.
In 1990, in Huvig & Kruslin v France, the ECtHR determined that art. 8 was breached. The case concerned the interception of telephone conversations, as in the Malone case. The Court extensively refers to its contentions in the Malone judgment as to the requirement of such interceptions being "in accordance with the law". It then states:
35. Above all, the system does not for the time being afford adequate safeguards against various possible abuses. For example, the categories of people liable to have their telephones tapped by judicial order and the nature of the offences which may give rise to such an order are nowhere defined. Nothing obliges a judge to set a limit on the duration of telephone tapping. Similarly unspecified are the procedure for drawing up the summary reports containing intercepted conversations; the precautions to be taken in order to communicate the recordings intact and in their entirety for possible inspection by the judge (who can hardly verify the number and length of the original tapes on the spot) and by the defence; and the circumstances in which recordings may or must be erased or the tapes be destroyed, in particular where an accused has been discharged by an investigating judge or acquitted by a court. The information provided by the Government on these various points shows at best the existence of a practice, but a practice lacking the necessary regulatory control in the absence of legislation or case-law.
36. In short, French law, written and unwritten, does not indicate with reasonable clarity the scope and manner of exercise of the relevant discretion conferred on the public authorities. This was truer still at the material time, so that Mr Kruslin did not enjoy the minimum degree of protection to which citizens are entitled under the rule of law in a democratic society (see the Malone judgment previously cited, Series A no. 82, p. 36, § 79). There has therefore been a breach of Article 8 (art. 8) of the Convention.
Note that in the Huvig & Kruslin judgment, the Court further details the nature of the restrictions that must be laid down by law, compared to the more general formulation in the Malone judgment.
Pre-crime surveillance (including surveillance by the intelligence services):
In 1978, in Klass v Germany, the ECtHR decided a case regarding surveillance measures taken by the secret services in Germany. I will quote the most relevant considerations from the judgment, which should clarify how the Court argues points of law and thus shapes the interpretation of legal conditions:
All five applicants claim that Article 10 para. 2 of the Basic Law (Grundgesetz) and a statute enacted in pursuance of that provision, namely the Act of 13 August 1968 on Restrictions on the Secrecy of the Mail, Post and Telecommunications (.., hereinafter referred to as "the G 10"), are contrary to the Convention.
They do not dispute that the State has the right to have recourse to the surveillance measures contemplated by the legislation; they challenge this legislation in that it permits those measures without obliging the authorities in every case to notify the persons concerned after the event, and in that it excludes any remedy before the courts against the ordering and execution of such measures.
Their application is directed against the legislation as modified and interpreted by the Federal Constitutional Court (Bundesverfassungsgericht).
The Court first discusses the admissibility of the complaint, raising the question whether the applicant is a victim of violation by one of the MSs.
33. (…) Article 25 (art. 25) [now art. 34, mh] does not institute for individuals a kind of actio popularis for the interpretation of the Convention; it does not permit individuals to complain against a law in abstracto simply because they feel that it contravenes the Convention. In principle, it does not suffice for an individual applicant to claim that the mere existence of a law violates his rights under the Convention; it is necessary that the law should have been applied to his detriment.
34. (…) The question arises in the present proceedings whether an individual is to be deprived of the opportunity of lodging an application with the Commission because, owing to the secrecy of the measures objected to, he cannot point to any concrete measure specifically affecting him. (…)
36. The Court points out that where a State institutes secret surveillance the existence of which remains unknown to the persons being controlled, with the effect that the surveillance remains unchallengeable, Article 8 (art. 8) could to a large extent be reduced to a nullity. It is possible in such a situation for an individual to be treated in a manner contrary to Article 8 (art. 8), or even to be deprived of the right granted by that Article (art. 8), without his being aware of it and therefore without being able to obtain a remedy either at the national level or before the Convention institutions. (…) The Court finds it unacceptable that the assurance of the enjoyment of a right guaranteed by the Convention could be thus removed by the simple fact that the person concerned is kept unaware of its violation. (…)
38. Having regard to the specific circumstances of the present case, the Court concludes that each of the applicants is entitled to "(claim) to be the victim of a violation "of the Convention, even though he is not able to allege in support of his application that he has been subject to a concrete measure of surveillance.
This entails that the Court makes an exception to the requirement that applicants must claim and demonstrate to be a victim of violation in concrete terms. Depending on the specific circumstances of the case at hand, the Court may decide to conduct an abstract test of relevant legislation, attributing the status of "victims" of what is now art. 34 ECHR, to those who may have been a victim of secret surveillance measure.
The Court then quotes relevant legislation, notably Art. 10 of the Basic Law of Germany:
(1) Secrecy of the mail, post and telecommunications shall be inviolable.
(2) Restrictions may be ordered only pursuant to a statute. Where such restrictions are intended to protect the free democratic constitutional order or the existence or security of the Federation or of a Land, the statute may provide that the person concerned shall not be notified of the restriction and that legal remedy through the courts shall be replaced by a system of scrutiny by agencies and auxiliary agencies appointed by the people’s elected representatives.
The Court begins by investigating whether the legislation that is contested by the applicants, constitutes an interference with art. 8.1 of the ECHR:
41. The first matter to be decided is whether and, if so, in what respect the contested legislation, in permitting the above-mentioned measures of surveillance, constitutes an interference with the exercise of the right guaranteed to the applicants under Article 8 para. 1 (art. 8-1). (…)
Furthermore, in the mere existence of the legislation itself there is involved, for all those to whom the legislation could be applied, a menace of surveillance; this menace necessarily strikes at freedom of communication between users of the postal and telecommunication services and thereby constitutes an "interference by a public authority" with the exercise of the applicants' right to respect for private and family life and for correspondence.
As is often the case, the Court takes a broad view of the scope of the first paragraph and decides that the legislation constitutes an infringement. The next question is whether the infringement is justified:
42. The cardinal issue arising under Article 8 (art. 8) in the present case is whether the interference so found is justified by the terms of paragraph 2 of the Article (art. 8-2).
The Court first tests whether the infringement is i"n accordance with the law":
43. In order for the "interference" established above not to infringe Article 8 (art. 8), it must, according to paragraph 2 (art. 8-2), first of all have been "in accordance with the law".
This requirement is fulfilled in the present case since the "interference "results from Acts passed by Parliament, including one Act which was modified by the Federal Constitutional Court, in the exercise of its jurisdiction, by its judgment of 15 December 1970 (see paragraph 11 above).
In addition, the Court observes that, as both the Government and the Commission pointed out, any individual measure of surveillance has to comply with the strict conditions and procedures laid down in the legislation itself".
This leads the Court to test whether the interference has a legitimate aim:
45. The G 10 defines precisely, and thereby limits, the purposes for which the restrictive measures may be imposed. It provides that, in order to protect against "imminent dangers" threatening "the free democratic constitutional order", "the existence or security of the Federation or of a Land", "the security of the (allied) armed forces" stationed on the territory of the Republic or the security of "the troops of one of the Three Powers stationed in the Land of Berlin", the responsible authorities may authorise the restrictions referred to above (see paragraph 17)".
46. The Court, sharing the view of the Government and the Commission, finds that the aim of the G 10 is indeed to safeguard national security and/or to prevent disorder or crime in pursuance of Article 8 para. 2 (art. 8-2). In these circumstances, the Court does not deem it necessary to decide whether the further purposes cited by the Government are also relevant.
This brings the Court to test the final criterion of the triple test, investigating whether the interference is necessary in a democratic society. Below an extensive quotation of (part) of the reasoning of the Court regarding the question whether the interference enabled by the legislation is proportional, considering what is at stake.
47. The applicants do not object to the German legislation in that it provides for wide-ranging powers of surveillance; they accept such powers, and the resultant encroachment upon the right guaranteed by Article 8 para. 1 (art. 8-1), as being a necessary means of defence for the protection of the democratic State.
The applicants consider, however, that paragraph 2 of Article 8 (art. 8-2) lays down for such powers certain limits which have to be respected in a democratic society in order to ensure that the society does not slide imperceptibly towards totalitarianism. In their view, the contested legislation lacks adequate safeguards against possible abuse.
49. As concerns the fixing of the conditions under which the system of surveillance is to be operated, the Court points out that the domestic legislature enjoys a certain discretion. It is certainly not for the Court to substitute for the assessment of the national authorities any other assessment of what might be the best policy in this field (…)
Nevertheless, the Court stresses that this does not mean that the Contracting States enjoy an unlimited discretion to subject persons within their jurisdiction to secret surveillance. The Court, being aware of the danger such a law poses of undermining or even destroying democracy on the ground of defending it, affirms that the Contracting States may not, in the name of the struggle against espionage and terrorism, adopt whatever measures they deem appropriate.
51. According to the G 10, a series of limitative conditions have to be satisfied before a surveillance measure can be imposed. (…)
52. The G 10 also lays down strict conditions with regard to the implementation of the surveillance measures and to the processing of the information thereby obtained.(…)
53. Under the G 10, while recourse to the courts in respect of the ordering and implementation of measures of surveillance is excluded, subsequent control or review is provided instead, in accordance with Article 10 para. 2 of the Basic Law, by two bodies appointed by the people’s elected representatives, namely, the Parliamentary Board and the G 10 Commission. (…)
54. The Government maintain that Article 8 para. 2 (art. 8-2) does not require judicial control of secret surveillance and that the system of review established under the G 10 does effectively protect the rights of the individual. The applicants, on the other hand, qualify this system as a "form of political control", inadequate in comparison with the principle of judicial control which ought to prevail.
It therefore has to be determined whether the procedures for supervising the ordering and implementation of the restrictive measures are such as to keep the "interference" resulting from the contested legislation to what is "necessary in a democratic society".
55. Review of surveillance may intervene at three stages: when the surveillance is first ordered, while it is being carried out, or after it has been terminated. As regards the first two stages, the very nature and logic of secret surveillance dictate that not only the surveillance itself but also the accompanying review should be effected without the individual’s knowledge.
Consequently, since the individual will necessarily be prevented from seeking an effective remedy of his own accord or from taking a direct part in any review proceedings, it is essential that the procedures established should themselves provide adequate and equivalent guarantees safeguarding the individual’s rights.
In addition, the values of a democratic society must be followed as faithfully as possible in the supervisory procedures if the bounds of necessity, within the meaning of Article 8 para. 2 (art. 8-2), are not to be exceeded.
One of the fundamental principles of a democratic society is the rule of law, which is expressly referred to in the Preamble to the Convention (see the Golder judgment of 21 February 1975, Series A no. 18, pp. 16-17, para. 34). The rule of law implies, inter alia, that an interference by the executive authorities with an individual’s rights should be subject to an effective control which should normally be assured by the judiciary, at least in the last resort, judicial control offering the best guarantees of independence, impartiality and a proper procedure.
56. The Court considers that, in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge.
Nevertheless, having regard to the nature of the supervisory and other safeguards provided for by the G 10, the Court concludes that the exclusion of judicial control does not exceed the limits of what may be deemed necessary in a democratic society.
58. In the opinion of the Court, it has to be ascertained whether it is even feasible in practice to require subsequent notification in all cases.
The activity or danger against which a particular series of surveillance measures is directed may continue for years, even decades, after the suspension of those measures.
Subsequent notification to each individual affected by a suspended measure might well jeopardise the long-term purpose that originally prompted the surveillance. Furthermore, as the Federal Constitutional Court rightly observed, such notification might serve to reveal the working methods and fields of operation of the intelligence services and even possibly to identify their agents.
In the Court’s view, in so far as the "interference" resulting from the contested legislation is in principle justified under Article 8 para. 2 (art. 8-2) (see paragraph 48 above), the fact of not informing the individual once surveillance has ceased cannot itself be incompatible with this provision since it is this very fact which ensures the efficacy of the "interference".
For these reasons the Court
1. holds unanimously that it has jurisdiction to rule on the question whether the applicants can claim to be victims within the meaning of Article 25 (art. 25) of the Convention;
2. holds unanimously that the applicants can claim to be victims within the meaning of the aforesaid Article (art. 25);
3. holds unanimously that there has been no breach of Article 8, Article 13 or Article 6 (art. 8, art. 13, art. 6) of the Convention.
This extensive quotation should contribute to a better understanding of the delicate and complex nature of the issues brought before the Court. This particular case (Klass) is a landmark case that functions as a building block for the reasoning in similar cases and requires the contracting states to incorporate necessary safeguards when developing and implementing legislation that enables surveillance by intelligence agencies.
In 2006 the ECtHR decided the case of Weber & Saravia v Germany, once again testing legislation regarding so-called strategic monitoring by intelligence services. In this case the Court specifies in more detail what qualifies as "interferences" that are "accordance with the law". Though, after having conducted the triple test, the Court decided that the contested legislation did not violate art. 8 ECHR, I will quote the legal conditions summed up by the Court to attain the legal effect of such interferences qualifying as being "in accordance with the law".
95. In its case-law on secret measures of surveillance, the Court has developed the following minimum safeguards that should be set out in statute law in order to avoid abuses of power:
- the nature of the offences which may give rise to an interception order;
- a definition of the categories of people liable to have their telephones tapped;
- a limit on the duration of telephone tapping;
- the procedure to be followed for examining, using and storing the data obtained;
- the precautions to be taken when communicating the data to other parties; and
- the circumstances in which recordings may or must be erased or the tapes destroyed.
Since 2006 a number of cases have been decided on the issue of surveillance, either in the context of post-crime or pre-crime measures, as well as measures taken by the intelligence services. This includes both concrete interferences and legislation that would enable such interferences. As recounted above, the latter is not normally open to scrutiny by the Court, as it concerns an abstract test of the compatibility of domestic law against the Convention. The Court, however, can make an exception when applicants claim that the nature of the legislation or practice is such that they cannot know whether or not they have been a victim of state surveillance.
With the above analyses that closely follow the reasonings of the Court, the readers should have sufficient analytical instruments to study, for instance, the case of Big Brother Watch and Others v. the United Kingdom of 2018. This case regards complaints about the compatibility with art. 8 of the ECHR of three discrete regimes of mass surveillance in the UK. First, the regime for the bulk interception of communications under section 8(4) of Regulation of Investigatory Powers Act 2000 (RIPA); the UK-US intelligence sharing regime applied by the security service (MI5), the secret intelligence service (MI6) and the Government Communications Headquarters (GCHQ, which covers information and signals intelligence or "sigint"); and the regime for the acquisition of communications data under Chapter II of RIPA. The purpose of this work is not to provide an exhaustive overview of positive law in the realm of the right to privacy, but to provide computer scientists and students of computer science with a proper understanding of law as a scholarly discipline and a professional practice. In the end, the proof of the pudding will be in the eating. The reader is invited and encouraged to have their own tastings of legal text, discovering the major impact of legal decision-making on potential violations of e.g. the right to privacy.