{"id":22250,"date":"2024-02-13T11:57:44","date_gmt":"2024-02-13T11:57:44","guid":{"rendered":"https:\/\/laweuro.com\/?p=22250"},"modified":"2024-02-13T11:58:30","modified_gmt":"2024-02-13T11:58:30","slug":"case-of-podchasov-v-russia-the-case-concerns-the-statutory-requirement-for-internet-communication-organisers-to-store-all-communications-data-for-a-duration-of-one-year-and-the-co","status":"publish","type":"post","link":"https:\/\/laweuro.com\/?p=22250","title":{"rendered":"CASE OF PODCHASOV v. RUSSIA &#8211; The case concerns the statutory requirement for \u201cInternet communication organisers\u201d to store all communications data for a duration of one year and the contents of all communications for a duration of six months"},"content":{"rendered":"<p>European Court of Human Rights (Application no. 33696\/19)<\/p>\n<p>The case concerns the statutory requirement for \u201cInternet communication organisers\u201d to store all communications data for a duration of one year and the contents of all communications for a duration of six months, and to submit those data to law-enforcement authorities or security services in circumstances specified by law, together with information necessary to decrypt electronic messages if they are encrypted.<\/p>\n<p>The <strong>European Court of Human Rights<\/strong> notes at the outset that the present case concerns the statutory requirement for ICOs to store the content of all Internet communications and related communications data, give law-enforcement authorities or security services access to those data at their request, and decrypt electronic messages if they are encrypted.<\/p>\n<p>As regards the storage by ICOs of Internet communications and related communications data, the Court reiterates that the mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8. The subsequent use of the stored information has no bearing on that finding. 
However, in determining whether the personal information retained by the authorities involves any of the various private\u2011life aspects, the Court will have due regard to the specific context in which the information at issue has been recorded and retained, the nature of the records, the way in which these records are used and processed and the results that may be obtained.<\/p>\n<p>The Court finds that the storage by the applicant\u2019s ICO of the contents of all his Internet communications and related communications data interfered with his right to respect for his private life and correspondence. This storage amounts to an interference with his Article 8 rights, irrespective of whether the retained data were then accessed by the authorities. The storage, although carried out by private persons \u2013 the ICOs \u2013 is required by law; it follows that the interference is attributable to the Russian State.<\/p>\n<p>The Court further observes that the interference complained of relates not only to the storage of the data described above but also to the potential for national authorities to access those data.<\/p>\n<p>It is true that there is no evidence that the authorities accessed the applicant\u2019s data stored by Telegram. 
Since it is impossible for an individual or a legal person to know for certain whether their data has been accessed, it is appropriate to analyse the question whether the applicant may claim that he is a victim of interference with his rights under Article 8 owing to the mere existence of laws permitting authorities to do so with reference to the same criteria as the ones used in relation to secret surveillance.<\/p>\n<p>In Roman Zakharov (cited above), the Court has examined Russian legislation on secret surveillance and found that, having regard to the secret nature of the surveillance measures, the broad scope of their application, affecting all users of communications networks, and the lack of effective means to challenge the alleged application of secret surveillance measures at domestic level, the mere existence of legislation permitting secret surveillance constitutes an interference with a user\u2019s private life. It finds no reasons to hold otherwise in the present case, as the Government have confirmed that access to retained Internet communications and related communications data is governed by the same legal regime which was examined in Roman Zakharov. The mere existence of the contested legislation therefore amounts in itself to an interference with the exercise of the applicant\u2019s rights under Article 8.<\/p>\n<p>Lastly, as regards the ICOs\u2019 statutory obligation to decrypt communications if they are encrypted, the Court observes that the parties\u2019 observations on this issue are limited to end\u2011to-end encrypted communications, that is, in the case of Telegram, communications through \u201csecret chats\u201d. 
The parties did not make any submissions in respect of the encryption scheme used in \u201ccloud chats\u201d and the Court will therefore not examine it.<\/p>\n<p>The applicant argued that it was technically impossible to provide the authorities with encryption keys associated with specific users of the Telegram messenger application. In order to enable the decryption of end\u2011to\u2011end encrypted communications it would be necessary to weaken the encryption technology used by the Telegram messenger application. However, because these measures could not be limited to specific individuals, they would affect everyone indiscriminately. This argument is based on the submissions by the Telegram company in the domestic proceedings. The applicant\u2019s position is corroborated by the third\u2011party interveners and is also supported by international material. The Government, by contrast, did not provide any arguments or information capable of refuting the applicant\u2019s submissions that the measures ICOs would have to take to comply with the statutory obligation to decrypt end-to-end encrypted communications would affect all users of their services. The Court accordingly accepts that the applicant was affected by the contested legal provisions.<\/p>\n<p>The Court concludes that the continuous storage of the applicant\u2019s Internet communications and related communications data by Telegram, the authorities\u2019 potential access to these data and Telegram\u2019s obligation to decrypt them if they are encrypted, pursuant to the Information Act and its implementing regulations, amounted to an interference with the applicant\u2019s Article 8 rights.<\/p>\n<p>The Court observes in addition that in the present case personal data are stored for the purposes of allowing the competent national authorities the opportunity to conduct targeted secret surveillance of Internet communications. 
The issues relating to the storage of personal data and to secret surveillance are therefore closely linked in the present case.<\/p>\n<p>The Court finds that although the case falls to be examined primarily from the standpoint of the storage of the applicant\u2019s personal data, it must also be considered, where appropriate, in the light of the Court\u2019s case-law on secret surveillance. The applicable safeguards are in any event essentially similar and should offer effective guarantees against the inherent risk of abuse and keep the interference with the rights protected by Article 8 to what is \u201cnecessary in a democratic society\u201d.<\/p>\n<p>The Court reiterates that any interference can only be justified under Article 8 \u00a7 2 if it is in accordance with the law, pursues one or more of the legitimate aims to which paragraph 2 of Article 8 refers and is necessary in a democratic society in order to achieve any such aim. The wording \u201cin accordance with the law\u201d requires the impugned measure to have some basis in domestic law. It must also be compatible with the rule of law, which is expressly mentioned in the Preamble to the Convention and inherent in the object and purpose of Article 8. The law must therefore be accessible to the person concerned and foreseeable as to its effects.<\/p>\n<p>The protection of personal data is of fundamental importance to a person\u2019s enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the Convention. The domestic law must afford appropriate safeguards to prevent any such use of personal data as may be inconsistent with the guarantees of this Article. The need for such safeguards is all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes, and especially where the technology available is continually becoming more sophisticated. 
The protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern technologies in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such technologies against important private-life interests.<\/p>\n<p>In the context of the collection and processing of personal data, it is essential to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards concerning, inter alia, duration, storage, usage, access of third parties, procedures for preserving the integrity and confidentiality of data and procedures for their destruction, thus providing sufficient guarantees against the risk of abuse and arbitrariness. The domestic law should notably ensure that retained data are relevant and not excessive in relation to the purposes for which they are stored, and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored. The domestic law must also afford adequate guarantees that retained personal data were efficiently protected from misuse and abuse. The core principles of data protection require the retention of data to be proportionate in relation to the purpose of collection and insist on limited periods of storage.<\/p>\n<p>In the context of secret surveillance, where a power vested in the executive is exercised in secret, the risks of arbitrariness are evident. To meet the requirement of \u201cforeseeability\u201d, the domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures. 
Moreover, since the implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed in terms of an unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference. For a detailed description of safeguards that should be set out in law for it to meet the \u201cquality of law\u201d requirements and to ensure that secret surveillance measures are applied only when \u201cnecessary in a democratic society\u201d, see Roman Zakharov, \u00a7\u00a7 231-34, and Big Brother Watch and Others, \u00a7\u00a7 335-39, both cited above.<\/p>\n<p>Lastly, the Court reiterates that confidentiality of communications is an essential element of the right to respect for private life and correspondence, as enshrined in Article 8. Users of telecommunications and Internet services must have a guarantee that their own privacy and freedom of expression will be respected, although such a guarantee cannot be absolute and must yield on occasion to other legitimate imperatives, such as the prevention of disorder or crime or the protection of the rights and freedoms of others.<\/p>\n<p>The Court considers that in the present case the questions of lawfulness and of the existence of a legitimate aim cannot be dissociated from the question of whether the interference was \u201cnecessary in a democratic society\u201d. 
It will therefore examine them together below.<\/p>\n<p>The retention and storage of Internet communications and related communications data in the present case had a legal basis in the Information Act, which must be read in conjunction with the legal provisions governing the law-enforcement authorities\u2019 access to the data stored and their further use, as set out in the Information Act, the Code of Criminal Procedure and the Operational-Search Activities Act.<\/p>\n<p>The Court further notes that while technological capabilities have greatly increased the volume of communications traversing the global Internet, the threats being faced by Contracting States and their citizens have also proliferated. These include, but are not limited to, global terrorism, drug trafficking, human trafficking and the sexual exploitation of children. Many of these threats come from international networks of hostile actors with access to increasingly sophisticated technology enabling them to communicate undetected. The Court is satisfied that the contested legal provisions pursued the legitimate aims of protecting national security, preventing disorder and crime and protecting the rights and freedoms of others.<\/p>\n<p>Therefore, it remains to be considered whether the domestic law contained adequate and effective safeguards and guarantees to meet the requirements of \u201cquality of law\u201d and \u201cnecessity in a democratic society\u201d.<\/p>\n<p>The Court notes that in the current, increasingly digital age, technological capabilities have greatly increased the volume of Internet communications so that a significant part of communications take digital form. The contested legislation requires the continuous automatic retention and storage of the contents of all Internet communications for a duration of six months and the related communications data for a duration of one year. 
It applies to all Internet communication services used to transmit voice, textual, visual, sound, video or other electronic communications. It affects all users of Internet communications, even in the absence of a reasonable suspicion of involvement in criminal activities or activities endangering national security, or of any other reasons to believe that retention of data may contribute to fighting serious crime or protecting national security. It covers the contents of all communications and all communications data without any circumscription of the scope of the measure in terms of territorial or temporal application or categories of persons liable to have their personal data stored. The Court is struck by the extremely broad duty of retention provided by the contested legislation and concludes that the interference is exceptionally wide-ranging and serious.<\/p>\n<p>Taking into account the seriousness of the interference, the Court will examine with particular attention whether the domestic law provides adequate and sufficient safeguards against abuse relating to the access by the law-enforcement authorities to the Internet communications and related communications data stored by ICOs pursuant to the Information Act.<\/p>\n<p>As regards the statutory requirement to give law-enforcement authorities or security services access to the stored data at their request, the Court reiterates that access to the data in individual cases must be accompanied, mutatis mutandis, by the same safeguards as secret surveillance. It takes note of the Government\u2019s argument that access has to be authorised by a court. It observes, however, that in Russia the law\u2011enforcement authorities are not required under domestic law to show the judicial authorisation to the communications service provider before obtaining access to a person\u2019s communications. 
Indeed, pursuant to orders issued by the government, ICOs must install equipment giving the security services direct access to the data stored. The law-enforcement authorities thus have direct remote access to all Internet communications and related communications data.<\/p>\n<p>The Court considers that the requirement to show an authorisation to the communications service provider before obtaining access to a person\u2019s communications is an important safeguard against abuse by the law\u2011enforcement authorities, ensuring that proper authorisation is obtained in all cases of secret surveillance. The manner in which the access to the stored data is organised in Russia gives the security services technical means to circumvent the authorisation procedure and to access stored Internet communications and communications data without obtaining prior judicial authorisation. Although the possibility of improper action by a dishonest, negligent or overzealous official can never be completely ruled out whatever the system, the Court considers that a system, such as the Russian one, which enables the secret services to access directly the Internet communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse. The need for safeguards against arbitrariness and abuse appears therefore to be particularly great.<\/p>\n<p>The Government have confirmed that access to retained Internet communications and related communications data is governed by the same legal regime which was examined in Roman Zakharov in the context of interceptions of mobile telephone communications. In that case the Court found that Russian legal provisions governing secret surveillance measures did not meet the \u201cquality of law\u201d requirement because they did not provide for adequate and effective guarantees against arbitrariness and the risk of abuse. 
They were therefore incapable of keeping the \u201cinterference\u201d to what was \u201cnecessary in a democratic society\u201d. It found, in particular, that the circumstances in which public authorities were empowered to resort to secret surveillance measures for the purposes of detecting, preventing and investigating criminal offences or protecting Russia\u2019s national, military, economic or ecological security were not defined with sufficient clarity. The authorisation procedures were not capable of ensuring that secret surveillance measures were ordered only when \u201cnecessary in a democratic society\u201d. The supervision of interceptions did not comply with the requirements of independence, powers and competence which were sufficient to exercise effective and continuous control, public scrutiny and effectiveness in practice. The effectiveness of the remedies was undermined by the absence of notification at any point of secret surveillance, or adequate access to documents relating to secret surveillance.<\/p>\n<p>The Court does not see any reason to reach a different conclusion in the present case. It therefore finds that the domestic law does not provide for adequate and sufficient safeguards against abuse relating to the access by the law-enforcement authorities to the Internet communications and related communications data stored by ICOs pursuant to the Information Act.<\/p>\n<p>Lastly, as regards the requirement to submit to the security services information necessary to decrypt electronic communications if they are encrypted, the Court observes that international bodies have argued that encryption provides strong technical safeguards against unlawful access to the content of communications and has therefore been widely used as a means of protecting the right to respect for private life and for the privacy of correspondence online. 
In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression. Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption.<\/p>\n<p>As noted above, it appears that in order to enable decryption of communications protected by end-to-end encryption, such as communications through Telegram\u2019s \u201csecret chats\u201d, it would be necessary to weaken encryption for all users. These measures allegedly cannot be limited to specific individuals and would affect everyone indiscriminately, including individuals who pose no threat to a legitimate government interest. Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users\u2019 electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field.<\/p>\n<p>The Court accepts that encryption can also be used by criminals, which may complicate criminal investigations. 
However, it takes note in this connection of the calls for alternative \u201csolutions to decryption without weakening the protective mechanisms, both in legislation and through continuous technical evolution\u201d.<\/p>\n<p>The Court concludes that in the present case the ICO\u2019s statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued.<\/p>\n<p>The Court concludes from the foregoing that the contested legislation providing for the retention of all Internet communications of all users, the security services\u2019 direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society. In so far as this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications, it impairs the very essence of the right to respect for private life under Article 8 of the Convention. The respondent State has therefore overstepped any acceptable margin of appreciation in this regard. <strong>There has accordingly been a violation of Article 8 of the Convention<\/strong>.<\/p>\n<p>CASE OF PODCHASOV v. RUSSIA (European Court of Human Rights) 33696\/19. 
<a href=\"https:\/\/laweuro.com\/?p=22248\">Full text of the document<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>European Court of Human Rights (Application no. 
33696\/19) The case concerns the statutory requirement for \u201cInternet communication organisers\u201d to store all communications data for a duration of one year and the contents of all communications for a duration of six&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"https:\/\/laweuro.com\/?p=22250\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-22250","post","type-post","status-publish","format-standard","hentry","category-available-in-english"],"_links":{"self":[{"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/posts\/22250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/laweuro.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22250"}],"version-history":[{"count":2,"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/posts\/22250\/revisions"}],"predecessor-version":[{"id":22252,"href":"https:\/\/laweuro.com\/index.php?rest_route=\/wp\/v2\/posts\/22250\/revisions\/22252"}],"wp:attachment":[{"href":"https:\/\/laweuro.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laweuro.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laweuro.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}