European University Institute
What follows below, is this author’s account of the electronic massive surveillance conducted mainly by the National Security Agency (NSA) of the United States, in collaboration with the authorities of an unknown number of countries. The text is based on my appearance, on 14 October 2013, before the Civil Liberties Committee of the European Parliament, in the course of an inquiry into the matter. Although the framework of my assessment relates primarily to international law – the International Covenant on Civil and Political Rights in particular – there are also important points about constitutional law.
Most of the technical details about the programmes for the collection of communications data, including internet data, by the United States of America (including the NSA) and the United Kingdom (including the GCHQ) are yet incomplete, even if the so-called Edward Snowden revelations and their further substantiation by investigative journalists already provide sufficient factual information for a legal assessment as to the compliance with international law by the two countries just mentioned.
The short answer to the question of lawfulness is that both the United States and the United Kingdom have been involved, and continue to be involved, in activities that are in violation of their legally binding obligations under the International Covenant on Civil and Political Rights of 1966. The Covenant (or the ICCPR) is one of the main United Nations human rights treaties, binding upon 167 states in the world. It includes a specific provision that prohibits unlawful or arbitrary interference with anyone’s privacy.
Neither the United States nor the United Kingdom have accepted the right of individual complaint under the Covenant, which would allow the pertinent quasi-judicial body of independent experts, the Human Rights Committee, to assess whether the country violated the Covenant in respect of a specific individual. There are, nevertheless, two other mechanisms through which the same Committee can address treaty compliance by these two countries. Both have accepted the procedure for inter-state complaints under article 41 of the Covenant. Even if this procedure has never been resorted to, the current context of two Western democracies involved in what appears to be a massive interference with the privacy rights of nationals and residents of many other countries of the world, coupled with the unavailability of individual redress, would provide an instance where for instance Latin American or European countries should seriously consider triggering the inter-state complaint procedure. Independently of that option, both countries are subject to the single mandatory monitoring mechanism under the Covenant, the duty to submit periodic reports for the consideration by the Human Rights Committee which will in its Concluding Observations assess compliance or non-compliance. By coincidence, both the United States and the United Kingdom are subject to this review in 2014 and the US as soon as in March.
The central privacy provision in the ICCPR is brief, as it for instance lacks a fully articulated test for permissible limitations. But this does not mean that there would not be a clear and binding legal norm, capable of being applied through institutionalised practices of interpretation and the resulting interpretations gradually accumulating as subsequent practice, explicitly or tacitly accepted by the states parties.
ICCPR Article 17 prohibits arbitrary or unlawful interference with anyone’s privacy or correspondence, and it establishes for all states parties a positive obligation to create a legal framework for the effective protection of privacy rights against interference or attacks, irrespective of whether such interference or attacks come from the state itself, foreign states, or private actors.
In 1988, indeed already a quarter of a century ago, the Human Rights Committee adopted a General Comment (No. 16) on Article 17. Usually General Comments codify the Committee’s interpretations of a specific treaty provision, based on earlier practice including the consideration of state reports and of individual complaints. By 1988 such material under Article 17 was quite limited and therefore the General Comment could not possibly address all current concerns related to privacy rights.
In my capacity as United Nations Special Rapporteur on human rights and counter-terrorism (2005-2011), I issued one annual report to the main intergovernmental human rights body of the United Nations, the Human Rights Council, of direct relevance for the current debate. The thematic report on the right to privacy in the fight against terrorism (UN document A/HRC/13/37) was considered by the Human Rights Council in March 2010. The report includes a proposal that the Human Rights Committee would replace its existing General Comment on Article 17 with a new one, building upon the work of the Committee since 1988.
Based upon the text of article 17 of the ICCPR, the old General Comment, as well as other practice by the Human Rights Committee (including on individual complaints under article 17, as well as a parallel General Comment No. 27 on article 12 related to freedom of movement), the report presents an analytically rigorous test for permissible limitations upon privacy rights (including data protection). This test includes the following cumulative conditions for the determination whether an interference with privacy rights is justified, or whether it amounts to a violation of the ICCPR:
(a) Any restrictions must be provided by the law;
(b) The essence of a human right is not subject to restrictions;
(c) Restrictions must be necessary in a democratic society;
(d) Any discretion exercised when implementing the restrictions must not be unfettered;
(e) For a restriction to be permissible, it is not enough that it serves one of the enumerated legitimate aims; it must be necessary for reaching the legitimate aim;
(f) Restrictive measures must conform to the principle of proportionality; they must be appropriate to achieve their protective function; they must be the least intrusive instrument amongst those which might achieve the desired result; and they must be proportionate to the interest to be protected; and
(g) Any restrictions must be consistent with the other rights guaranteed in the Covenant.
It is submitted here that the application of this test results in the conclusion that the electronic mass surveillance by the NSA, as divulged through the so-called Snowden revelations and to a certain extent confirmed by US authorities, did result in breaches of the legal obligations of the United States under ICCPR Article 17 and cannot be justified as permissible limitations. In other words, the surveillance constituted an unlawful or arbitrary interference with privacy or correspondence. This assessment follows independently from multiple grounds, as most of the NSA’s mass surveillance programmes fail to comply with several separate elements of the permissible limitations test. While each and every one of those failures may not be applicable to all elements of the separate programmes within the NSA’s electronic surveillance architecture, it is to be emphasized that under a proper permissible limitations test one failure is enough to result in a negative conclusion.
Ad a): On the basis of publicly available information, it is possible to conclude that the whole mass electronic surveillance architecture of the NSA generally fails already on the grounds that in order to be permissible, any interference into privacy rights would require a proper legal basis. This is not the case. The surveillance has been based on vague and broad provisions of the Foreign Intelligence Surveillance Act (FISA). While the requirement of a legal basis for restrictions does not always require parliamentary legislation as the only acceptable form of such legal basis, and therefore judicial case law can in principle supplement vague or ambiguous legislation and allow an assessment that — all things considered — a proper legal basis existed, this cannot be extended to a situation where neither the publicly available law (FISA) nor the secret case law by a secret court provides to individuals accurate and precise information about the situations where their privacy and correspondence might be subject to surveillance. Accessibility and foreseeability of the legal basis are fundamental elements of the requirement of proper legal basis, so that individuals are able to adjust their conduct to the requirements of the law.
The requirement of a proper legal basis is also the first one of the three constitutional dimensions of the issue: while international law generally does not require any specific level of legal hierarchy to be used at the domestic level, national constitutions would routinely require that only laws passed by Parliament may provide a proper legal basis for interferences with fundamental rights, including the right to privacy.
Ad b): In the field of privacy it is possible to discuss a distinction between intrusions into the core area of privacy, where no restrictions should be allowed, and more peripheral areas where permissible limitations are legitimate. For instance, certain categories of sensitive personal information (health, sexuality etc) or certain highly sensitive relationships (lawyer-client, priest-parishioner, husband-wife) can be referred to as realms where the core of privacy is at issue. In the context of communications surveillance, a distinction can be made between metadata and content, so that surveillance about the existence, the location, and the timing of communication between two persons could be more legitimately (and with lesser safeguards) made subject to surveillance than accessing the actual substantive content of the communication in question. While this traditional argument as such still has some merit, it does not mean that any collection and analysis of metadata would always be permissible as it merely relates to the periphery of privacy. The more systematic, wide and sophisticated the collection, retention and analysis of metadata becomes, the closer it moves towards the core of privacy, so that in the end comprehensive collection and analysis of ‘mere’ metadata can be used to interfere in the core of privacy, for instance divulging the sexual orientation of the person by analysing his personal contacts, the locations he visits and his internet browsing profile. Hence, the sophistication of the NSA’s mass surveillance programmes allows the conclusion that already the degree of intrusion through the mass collection of metadata affected the inviolable core of privacy. Equally important, the surveillance was not limited to metadata but metadata analysis was often just a filtering mechanism to identify persons whose content data would also be accessed. Besides, when a person was not identified as being protected by US constitutional law principles of privacy, his or her content data was a legitimate target even without any prior filtering.
And the question of an inviolable core of privacy is the second constitutional dimension of the matter. While international law may be silent or underdeveloped in defining what constitutes the core, or essential core, of a fundamental rights, the toolbox of constitutional law provides in many countries answers to the question.
Ad c and e): The mere breadth and width of the NSA e-surveillance architecture, coupled with the publicly available results achieved, towards the actual prevention of terrorism or other crime, justifies the conclusion that the programmes, as operated, were not necessary in a democratic society. Undoubtedly the prevention of terrorism or other serious crime is a legitimate social aim that could justify some degree of privacy intrusion. But that degree of intrusion must be assessed through the actual benefit towards such prevention, so that it can be shown necessary for achieving the goal. Furthermore, parts of the NSA e-surveillance architecture fail the permissible limitations test already because of the absence of a legitimate aim: FISA authorises surveillance not only for the prevention of terrorism but also for the purpose of serving the ‘conduct of the foreign affairs’ of the United States. This is a legitimate national interest to be pursued by lawful means that do not interfere with human rights but not a pressing social need that would justify interference with the privacy of ordinary people.
Ad d): Broad and vague laws, such as FISA, leave room for unfetterd discretion unless coupled with effective oversight. On the basis of information in the public domain, such as admissions by FISA judges and US legislators about their very limited practical possibility of oversight, it must be assessed that both judicial and parliamentary mechanisms of oversight failed in keeping the surveillance authorised by FISA under any effective oversight that could prevent abuses. This is the third area where constitional law in an important way supplements the international law assessment by providing rules, frameworks and accountability mechanisms for proper oversight.
Ad f) : The depth and breadth of NSA surveillance, coupled with the very limited benefit towards actual prevention of terrorism (or any other legitimate aim), shows that the resulting privacy intrusion was disproportionate when compared to the true benefits obtained. The failures to provide any privacy protection to non-citizens in the first place, as well as the use of up to three “hops” in establishing connections between individuals as grounds for targeting them for surveillance, and the outcome of large numbers of totally innocent people being targeted, support the conclusion that the programmes fail under the proportionality requirement.
Ad g): Finally, as the NSA mass surveillance architecture was based on broad and vague laws, was not subject to proper oversight and did not include a proper guarantee of proportionality, it was open for abuse, including discriminatory application resulting in violations of other human rights besides the right to privacy. For instance, the right to non-discrimination, freedom of expression, freedom of association and freedom of movement would in many cases be affected without proper justification.
There is one further issue in the assessment of the NSA programmes under the legally binding standards of the ICCPR, related to the US position that its own constitutional protection of privacy extends to foreigners only to a limited extent and not at all when they happen to be outside the territory of the United States of America. The United States may entertain a similar position as to the territorial scope of its ICCPR obligations, with reference to ICCPR Article 2, paragraph 1, which establishes the general obligation of a state party “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant”. Seemingly, the provision would establish the double requirement that the person is both within the geographical territory of the country and subject to its effective jurisdiction as a precondition for ICCPR protections. This would, however, be a misperception. Right from the very beginning the Human Rights Committee has in its practice acknowledged the extraterritorial effect of the ICCPR, and the fairly recent (2004) codification of the Committee’s practice in the form of General Comment No. 31 on Article 2 confirms this position.
Above, the permissible limitations test under ICCPR Article 17 was applied to the architecture of NSA mass surveillance programmes on a rather general level. Due to the multiple dimensions on which the separate programmes within the overall architecture fail to meet the various requirements under the test, it was easy to conclude that the United States is in breach of its legally binding ICCPR obligations. A detailed assessment of the various programmes within the NSA mass surveillance architecture, and of the whole range of technological solutions applied to conduct the surveillance in question, would require more factual information than was utilised for this essay. Three areas were identified where constitutional law considerations will be especially helpful in supplementing the analysis under international law.
Martin Scheinin, European University Institute, former president of the IACL.