Last Updated on February 13, 2024 by LawEuro
European Court of Human Rights (Application no. 33696/19)
The case concerns the statutory requirement for “Internet communication organisers” (“ICOs”) to store all communications data for a duration of one year and the contents of all communications for a duration of six months, and to submit those data to law-enforcement authorities or security services in circumstances specified by law, together with information necessary to decrypt electronic messages if they are encrypted.
The European Court of Human Rights notes at the outset that the present case concerns the statutory requirement for ICOs to store the content of all Internet communications and related communications data, give law-enforcement authorities or security services access to those data at their request, and decrypt electronic messages if they are encrypted.
As regards the storage by ICOs of Internet communications and related communications data, the Court reiterates that the mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8. The subsequent use of the stored information has no bearing on that finding. However, in determining whether the personal information retained by the authorities involves any of the various private‑life aspects, the Court will have due regard to the specific context in which the information at issue has been recorded and retained, the nature of the records, the way in which these records are used and processed and the results that may be obtained.
The Court finds that the storage by the applicant’s ICO of the contents of all his Internet communications and related communications data interfered with his right to respect for his private life and correspondence. This storage amounts to an interference with his Article 8 rights, irrespective of whether the retained data were then accessed by the authorities. The storage, although carried out by private persons – the ICOs – is required by law; it follows that the interference is attributable to the Russian State.
The Court further observes that the interference complained of relates not only to the storage of the data described above but also to the potential for national authorities to access those data.
It is true that there is no evidence that the authorities accessed the applicant’s data stored by Telegram. Since it is impossible for an individual or a legal person to know for certain whether their data has been accessed, it is appropriate to analyse the question whether the applicant may claim that he is a victim of interference with his rights under Article 8 owing to the mere existence of laws permitting authorities to do so with reference to the same criteria as the ones used in relation to secret surveillance.
In Roman Zakharov (cited above), the Court has examined Russian legislation on secret surveillance and found that, having regard to the secret nature of the surveillance measures, the broad scope of their application, affecting all users of communications networks, and the lack of effective means to challenge the alleged application of secret surveillance measures at domestic level, the mere existence of legislation permitting secret surveillance constitutes an interference with a user’s private life. It finds no reasons to hold otherwise in the present case, as the Government have confirmed that access to retained Internet communications and related communications data is governed by the same legal regime which was examined in Roman Zakharov. The mere existence of the contested legislation therefore amounts in itself to an interference with the exercise of the applicant’s rights under Article 8.
Lastly, as regards the ICOs’ statutory obligation to decrypt communications if they are encrypted, the Court observes that the parties’ observations on this issue are limited to end‑to-end encrypted communications, that is, in the case of Telegram, communications through “secret chats”. The parties did not make any submissions in respect of the encryption scheme used in “cloud chats” and the Court will therefore not examine it.
The applicant argued that it was technically impossible to provide the authorities with encryption keys associated with specific users of the Telegram messenger application. In order to enable the decryption of end‑to‑end encrypted communications it would be necessary to weaken the encryption technology used by the Telegram messenger application. However, because these measures could not be limited to specific individuals, they would affect everyone indiscriminately. This argument is based on the submissions by the Telegram company in the domestic proceedings. The applicant’s position is corroborated by the third‑party interveners and is also supported by international material. The Government, by contrast, did not provide any arguments or information capable of refuting the applicant’s submissions that the measures ICOs would have to take to comply with the statutory obligation to decrypt end-to-end encrypted communications would affect all users of their services. The Court accordingly accepts that the applicant was affected by the contested legal provisions.
The Court concludes that the continuous storage of the applicant’s Internet communications and related communications data by Telegram, the authorities’ potential access to these data and Telegram’s obligation to decrypt them if they are encrypted, pursuant to the Information Act and its implementing regulations, amounted to an interference with the applicant’s Article 8 rights.
The Court observes in addition that in the present case personal data are stored for the purposes of allowing the competent national authorities the opportunity to conduct targeted secret surveillance of Internet communications. The issues relating to the storage of personal data and to secret surveillance are therefore closely linked in the present case.
The Court finds that although the case falls to be examined primarily from the standpoint of the storage of the applicant’s personal data, it must also be considered, where appropriate, in the light of the Court’s case-law on secret surveillance. The applicable safeguards are in any event essentially similar and should offer effective guarantees against the inherent risk of abuse and keep the interference with the rights protected by Article 8 to what is “necessary in a democratic society”.
The Court reiterates that any interference can only be justified under Article 8 § 2 if it is in accordance with the law, pursues one or more of the legitimate aims to which paragraph 2 of Article 8 refers and is necessary in a democratic society in order to achieve any such aim. The wording “in accordance with the law” requires the impugned measure to have some basis in domestic law. It must also be compatible with the rule of law, which is expressly mentioned in the Preamble to the Convention and inherent in the object and purpose of Article 8. The law must therefore be accessible to the person concerned and foreseeable as to its effects.
The protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the Convention. The domestic law must afford appropriate safeguards to prevent any such use of personal data as may be inconsistent with the guarantees of this Article. The need for such safeguards is all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes, and especially where the technology available is continually becoming more sophisticated. The protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern technologies in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such technologies against important private-life interests.
In the context of the collection and processing of personal data, it is essential to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards concerning, inter alia, duration, storage, usage, access of third parties, procedures for preserving the integrity and confidentiality of data and procedures for their destruction, thus providing sufficient guarantees against the risk of abuse and arbitrariness. The domestic law should notably ensure that retained data are relevant and not excessive in relation to the purposes for which they are stored, and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored. The domestic law must also afford adequate guarantees that retained personal data were efficiently protected from misuse and abuse. The core principles of data protection require the retention of data to be proportionate in relation to the purpose of collection and insist on limited periods of storage.
In the context of secret surveillance, where a power vested in the executive is exercised in secret, the risks of arbitrariness are evident. To meet the requirement of “foreseeability”, the domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures. Moreover, since the implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed in terms of an unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference. For a detailed description of safeguards that should be set out in law for it to meet the “quality of law” requirements and to ensure that secret surveillance measures are applied only when “necessary in a democratic society”, see Roman Zakharov, §§ 231-34, and Big Brother Watch and Others, §§ 335-39, both cited above.
Lastly, the Court reiterates that confidentiality of communications is an essential element of the right to respect for private life and correspondence, as enshrined in Article 8. Users of telecommunications and Internet services must have a guarantee that their own privacy and freedom of expression will be respected, although such a guarantee cannot be absolute and must yield on occasion to other legitimate imperatives, such as the prevention of disorder or crime or the protection of the rights and freedoms of others.
The Court considers that in the present case the questions of lawfulness and of the existence of a legitimate aim cannot be dissociated from the question of whether the interference was “necessary in a democratic society”. It will therefore examine them together below.
The retention and storage of Internet communications and related communications data in the present case had a legal basis in the Information Act, which must be read in conjunction with the legal provisions governing the law-enforcement authorities’ access to the data stored and their further use, as set out in the Information Act, the Code of Criminal Procedure and the Operational-Search Activities Act.
The Court further notes that while technological capabilities have greatly increased the volume of communications traversing the global Internet, the threats being faced by Contracting States and their citizens have also proliferated. These include, but are not limited to, global terrorism, drug trafficking, human trafficking and the sexual exploitation of children. Many of these threats come from international networks of hostile actors with access to increasingly sophisticated technology enabling them to communicate undetected. The Court is satisfied that the contested legal provisions pursued the legitimate aims of protecting national security, preventing disorder and crime and protecting the rights and freedoms of others.
Therefore, it remains to be considered whether the domestic law contained adequate and effective safeguards and guarantees to meet the requirements of “quality of law” and “necessity in a democratic society”.
The Court notes that in the current, increasingly digital age, technological capabilities have greatly increased the volume of Internet communications so that a significant part of communications take digital form. The contested legislation requires the continuous automatic retention and storage of the contents of all Internet communications for a duration of six months and the related communications data for a duration of one year. It applies to all Internet communication services used to transmit voice, textual, visual, sound, video or other electronic communications. It affects all users of Internet communications, even in the absence of a reasonable suspicion of involvement in criminal activities or activities endangering national security, or of any other reasons to believe that retention of data may contribute to fighting serious crime or protecting national security. It covers the contents of all communications and all communications data without any circumscription of the scope of the measure in terms of territorial or temporal application or categories of persons liable to have their personal data stored. The Court is struck by the extremely broad duty of retention provided by the contested legislation and concludes that the interference is exceptionally wide-ranging and serious.
Taking into account the seriousness of the interference, the Court will examine with particular attention whether the domestic law provides adequate and sufficient safeguards against abuse relating to the access by the law-enforcement authorities to the Internet communications and related communications data stored by ICOs pursuant to the Information Act.
As regards the statutory requirement to give law-enforcement authorities or security services access to the stored data at their request, the Court reiterates that access to the data in individual cases must be accompanied, mutatis mutandis, by the same safeguards as secret surveillance. It takes note of the Government’s argument that access has to be authorised by a court. It observes, however, that in Russia the law‑enforcement authorities are not required under domestic law to show the judicial authorisation to the communications service provider before obtaining access to a person’s communications. Indeed, pursuant to orders issued by the government, ICOs must install equipment giving the security services direct access to the data stored. The law-enforcement authorities thus have direct remote access to all Internet communications and related communications data.
The Court considers that the requirement to show an authorisation to the communications service provider before obtaining access to a person’s communications is an important safeguard against abuse by the law‑enforcement authorities, ensuring that proper authorisation is obtained in all cases of secret surveillance. The manner in which the access to the stored data is organised in Russia gives the security services technical means to circumvent the authorisation procedure and to access stored Internet communications and communications data without obtaining prior judicial authorisation. Although the possibility of improper action by a dishonest, negligent or overzealous official can never be completely ruled out whatever the system, the Court considers that a system, such as the Russian one, which enables the secret services to access directly the Internet communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse. The need for safeguards against arbitrariness and abuse appears therefore to be particularly great.
The Government have confirmed that access to retained Internet communications and related communications data is governed by the same legal regime which was examined in Roman Zakharov in the context of interceptions of mobile telephone communications. In that case the Court found that Russian legal provisions governing secret surveillance measures did not meet the “quality of law” requirement because they did not provide for adequate and effective guarantees against arbitrariness and the risk of abuse. They were therefore incapable of keeping the “interference” to what was “necessary in a democratic society”. It found, in particular, that the circumstances in which public authorities were empowered to resort to secret surveillance measures for the purposes of detecting, preventing and investigating criminal offences or protecting Russia’s national, military, economic or ecological security were not defined with sufficient clarity. The authorisation procedures were not capable of ensuring that secret surveillance measures were ordered only when “necessary in a democratic society”. The supervision of interceptions did not comply with the requirements of independence, powers and competence which were sufficient to exercise effective and continuous control, public scrutiny and effectiveness in practice. The effectiveness of the remedies was undermined by the absence of notification at any point of secret surveillance, or adequate access to documents relating to secret surveillance.
The Court does not see any reason to reach a different conclusion in the present case. It therefore finds that the domestic law does not provide for adequate and sufficient safeguards against abuse relating to the access by the law-enforcement authorities to the Internet communications and related communications data stored by ICOs pursuant to the Information Act.
Lastly, as regards the requirement to submit to the security services information necessary to decrypt electronic communications if they are encrypted, the Court observes that international bodies have argued that encryption provides strong technical safeguards against unlawful access to the content of communications and has therefore been widely used as a means of protecting the right to respect for private life and for the privacy of correspondence online. In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression. Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption.
As noted above, it appears that in order to enable decryption of communications protected by end-to-end encryption, such as communications through Telegram’s “secret chats”, it would be necessary to weaken encryption for all users. These measures allegedly cannot be limited to specific individuals and would affect everyone indiscriminately, including individuals who pose no threat to a legitimate government interest. Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field.
The Court accepts that encryption can also be used by criminals, which may complicate criminal investigations. However, it takes note in this connection of the calls for alternative “solutions to decryption without weakening the protective mechanisms, both in legislation and through continuous technical evolution”.
The Court concludes that in the present case the ICO’s statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued.
The Court concludes from the foregoing that the contested legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society. In so far as this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications, it impairs the very essence of the right to respect for private life under Article 8 of the Convention. The respondent State has therefore overstepped any acceptable margin of appreciation in this regard. There has accordingly been a violation of Article 8 of the Convention.
CASE OF PODCHASOV v. RUSSIA (European Court of Human Rights) 33696/19. Full text of the document.