Last Updated on October 3, 2020 by LawEuro
Information Note on the Court’s case-law 219
June 2018
Centrum för rättvisa v. Sweden – 35252/08
Judgment 19.6.2018 [Section III]
Article 8
Article 8-1
Respect for correspondence
Proportionality and safeguards of Swedish legislation on signals intelligence: no violation
[This case was referred to the Grand Chamber on 4 February 2019]
Facts – The applicant is a Swedish not-for-profit organisation who represents clients in litigation against the State and otherwise, who claim that their rights and freedoms under the Convention and under Swedish law have been violated. Due to the nature of its function as a non-governmental organisation scrutinising the activities of State actors, it believes that there is a risk that its communication through mobile telephones and mobile broadband has been or will be intercepted and examined by way of signals intelligence.
Law – Article 8: The contested legislation on signals intelligence instituted a system of secret surveillance that potentially affected all users of mobile telephone services and the internet, without their being notified about the surveillance. No domestic remedy provided detailed grounds in response to a complainant who suspected that he or she had their communications intercepted. Therefore, the mere existence of the contested legislation amounted in itself to an interference with the exercise of the applicant’s rights under Article 8. The relevant legislation was reviewed as it stood at the time of the examination by the Court. The measures permitted by Swedish law pursued legitimate aims in the interest of national security by supporting Swedish foreign, defence and security policy. While States enjoyed a wide margin of appreciation in deciding what type of interception regime is necessary to protect national security, the discretion afforded to them in operating an interception regime was necessarily narrower. In Roman Zakharov v. Russia [GC], the Court had identified minimum safeguards that both bulk interception and other interception regimes had to incorporate in order to be sufficiently foreseeable to minimise the risk of abuses of power. Adapting those minimum safeguards where necessary to reflect the operation of a bulk interception regime dealing exclusively with national security issues, the Court assessed the impugned interference from the standpoint of the following criteria:
(i) Accessibility of domestic law – All legal provisions relevant to signals intelligence had been officially published and were accessible to the public.
(ii) Scope of application of signals intelligence – The eight purposes for which signals intelligence could be conducted were adequately indicated in the Signals Intelligence Act. Signals intelligence conducted on fibre optic cables could only concern communications crossing the Swedish border in cables owned by a communications service provider. Communications between a sender and a receiver in Sweden were not to be intercepted, regardless whether the source had been airborne or cable-based. The National Defence Radio Establishment (FRA) could also intercept signals as part of its development activities which could lead to data not relevant for the regular foreign intelligence being intercepted and read. However, the development activities were essential for the proper functioning of the foreign intelligence and the information obtained could be used only in conformity with the purposes established by law and the applicable tasking directives. Provisions applicable to the regular foreign intelligence work were also relevant to the development activities and to any interception of communications data. The Data Protection Authority had found no evidence that personal data had been collected for other purposes than those stipulated for the signals intelligence activities. While the Police authorities were allowed to issue detailed tasking directives for signals intelligence, the Foreign Intelligence Act clearly excluded the use of foreign intelligence to solve tasks in the area of law enforcement or crime prevention. Consequently, the law indicated the scope of mandating and performing signals intelligence conferred on the competent authorities and the manner of its exercise with sufficient clarity.
(iii) Duration of secret surveillance measures – The Signals Intelligence Act clearly indicated the period after which a permit would expire and the conditions under which it could be renewed but not the circumstances in which interception had to be discontinued. Nevertheless, any permit was valid for a maximum of six months and a renewal required a review as to whether the conditions were still met. Although the Foreign Intelligence Inspectorate was not tasked with inspecting every signals intelligence permit, it could decide that an intelligence interception should cease, if during an inspection it was evident that the interception was not in accordance with a permit. The permits concerned the collection of intelligence related to threats to national security and did not target individuals suspected of criminal conduct. The FRA continuously reviewed whether the specific personal data it had intercepted was still needed for its signals intelligence activities. In these circumstances, the safeguards in place adequately regulated the duration, renewal and cancellation of interception measures.
(iv) Authorisation of secret surveillance measures – While the privacy protection representative could not appeal against a decision by the Foreign Intelligence Court or report any perceived irregularities to the supervisory bodies, the presence of the representative at the court’s examinations compensated, to a limited degree, for the lack of transparency concerning that court’s proceedings and decisions. Additionally, the FRA’s signals intelligence was subject to a system of prior authorisation whereby the FRA had to submit for independent examination an application for a permit to conduct surveillance in respect of each intelligence collection mission. The task of examining whether the mission was compatible with applicable legislation and whether the intelligence collection was proportional to the resultant interference with personal integrity was entrusted to a body whose presiding members were or had been judges. Furthermore, the supervision of the Foreign Intelligence Court was extensive as the FRA, in its applications, had to specify not only the mission request in question and the need for the intelligence sought but also the signal carriers to which access was needed and the search terms that would be used. The judicial supervision performed by the Foreign Intelligence Court was of crucial importance in that it limited the FRA’s discretion by interpreting the scope of mandating and performing signals intelligence. Finally, the FRA itself could decide to grant a permit, if it was feared that the application of a permit from the Foreign Intelligence Court might cause delay or other inconveniences of essential importance for one of the specified purposes of the signals intelligence. However, such a decision had to be followed by an immediate notification to and a subsequent rapid review by the Foreign Intelligence Court where the permit could be changed or revoked. Therefore, the provisions and procedures relating to the system of prior court authorisation, on the whole, provided important guarantees against abuse.
(v) Procedures to be followed for storing, accessing, examining, using and destroying the intercepted data – Personnel at the FRA treating personal data were security cleared and, if secrecy applied to the personal data, subject to confidentiality. They were under an obligation to handle the personal data in a safe manner and could face criminal sanctions if personal data were mismanaged. Furthermore, the FRA had to ensure that personal data was collected only for certain expressly stated and justified purposes, determined by the direction of the foreign intelligence activities through tasking directives. The personal data treated also had to be adequate and relevant in relation to the purpose of the treatment and no more than was necessary for that purpose could be processed. All reasonable efforts had to be made to correct, block and destroy personal data which was incorrect or incomplete in relation to the purpose. Several provisions regulated the situations when intercepted data had to be destroyed. While it was necessary for the FRA to store raw material before it could be manually processed, the Court stressed the importance of deleting such data as soon as it was evident that it lacked pertinence for a signals intelligence mission. In sum, the legislation provided adequate safeguards against abuse of treatment of personal data and thus served to protect individuals’ personal integrity.
(vi) Conditions for communicating the intercepted data to other parties – The legislation did not indicate that possible harm to the individual concerned had to be considered, only in very broad terms mentioned that the data could be communicated to “other states or international organisations” and there was no provision requiring the recipient to protect the data with similar safeguards as those applicable under Swedish law. Also the situation where data could be communicated – when necessary for “international defence and security cooperation” – opened up a wide scope of discretion. While those factors gave some cause for concern with respect to the possible abuse of the rights of individuals, they were sufficiently counterbalanced by the supervisory elements.
(vii) Supervision of the implementation of secret surveillance measures – The Court found no reason to question the independence of the Foreign Intelligence Inspectorate. The supervision of the Inspectorate was efficient, open to public scrutiny and of particular value in ensuring that signals intelligence was performed in a manner which offered adequate safeguards against abuse. Furthermore, if the Data Protection Authority found personal data was or could be processed illegally, it took remedial action through remarks to the FRA and could also apply to an administrative court to have illegally processed personal data destroyed. The supervisory elements provided by the Foreign Intelligence Inspectorate and the Data Protection Authority fulfilled the requirements on supervision in general. Moreover, the Parliamentary Ombudsmen and the Chancellor of Justice had general supervisory responsibilities in regard to the FRA.
(viii) Notification of secret surveillance measures and available remedies – While the requirement to notify the subject of secret surveillance measures concerned natural persons and was thus not applicable to the applicant, and as it was, in any event, devoid of practical significance due to secrecy, the Court found it pertinent to examine the issue of notification together with the remedies available in Sweden.
The remedies available for complaints relating to secret surveillance did not include the recourse to a court, save for an appeal against the FRA’s decisions on disclosure and corrective measures, remedies found to be ineffective. Furthermore, there did not appear to be a possibility for an individual to be informed of whether his or her communications had actually been intercepted or, generally, to be given reasoned decisions. Nevertheless, there were several remedies by which an individual could initiate an examination of the lawfulness of measures taken during the operation of the signals intelligence system, notably through requests to the Foreign Intelligence Inspectorate, the Parliamentary Ombudsmen and the Chancellor of Justice. The aggregate of remedies, although not providing a full and public response to the objections raised by a complainant, had to be considered sufficient in the present context. In reaching that conclusion, the Court attached importance to the earlier stages of supervision of the regime, including the detailed judicial examination by the Foreign Intelligence Court of the FRA’s requests for permits to conduct signals intelligence and the extensive and partly public supervision by several bodies, in particular the Foreign Intelligence Inspectorate.
***
In sum, although there was scope for improvement in some areas, the Swedish system of signals intelligence, examined in abstracto, revealed no significant shortcomings in its structure and operation, which were proportionate to the aim pursued, and provided adequate and sufficient guarantees against arbitrariness and the risk of abuse. That finding did not preclude a review of the State’s liability under the Convention where, for example, the applicant had been made aware of an actual interception.
Conclusion: no violation (unanimously).
(See also Kennedy v. the United Kingdom, 26839/05, 18 May 2010, Information Note 130; and Roman Zakharov v. Russia [GC], 47143/06, 4 December 2015 Information Note 191)
Leave a Reply