Friendly Fire in the European Union? AG Sharpston’s opinion on the validity of the revised firearms Directive

Niels Kirst (University Paris II – Panthéon-Assas)                             

The recent opinion by Advocate General Sharpston (hereafter: “AG”), which was released on 11th April 2019, concerned the validity of Directive 2017/853, the so-called firearms Directive. The Czech Republic claimed that the European Parliament and the Council used the wrong legal basis, the internal market harmonisation clause (Article 114 TFEU), for adopting this Directive.

The case is interesting for three reasons. First, the case deals with question of legal basis, and has therefore gained significant attention from EU lawyers. Second, it is yet another case in which the Czech Republic is acting jointly with Hungary and the Republic of Poland (which intervened to support the Czech Republic) to defend their common interest (see also the pending Case C-715/17 Commission v Poland, on relocation of asylum-seekers). On the other side, France and the Commission intervened to support the Council and the European Parliament. Third, Directive 2017/853, which was contested by the Czech Republic, amended Directive 91/477, which was the first legislative measure setting a minimum standard regarding civilian firearms acquisition and possession in the European Union (hereafter: “EU”). (The 1991 Directive had been previously amended in 2008)

There is a specific prehistory to the case. After the terrorist attacks in Paris and Copenhagen, the Juncker Commission proposed tightening the gun laws in the European Union. This was met by much scepticism on the Czech side. Why is this the case? The Czech Republic’s gun laws differ tremendously from those of most Member States of the European Union. The history of liberal gun possession in the Czech Republic stretches back to the 18th century. Therefore, the Czech Republic had a great interest to oppose the Directive, also given the fact that it is the 7th largest post-war arm exporter in the world.

Having said that, the Directive was finally approved under the ordinary legislative procedure on the 25th April 2017 with qualified majority voting in the Council, with only the Czech Republic, Luxembourg and Poland voting against the Directive. Beforehand it had been approved in the first reading by the European Parliament. While Poland voted against the Directive, due to stringent norms, Luxembourg voted against the Directive, since it wanted a stronger regulation of firearms. (Note that the Directive only sets minimum standards, so Member States can opt unilterally for higher standards, as the UK does, for example) Among other things, the revised Directive prohibits many semi-automatic weapons.

The first plea: wrong legal basis

Preliminary remarks

The first claim of the Czech Republic was that the Directive infringes the principle of conferral of powers upon the European Union, which is enshrined in Article 5(2) TEU. This Directive was adopted on the basis of the EU’s internal market powers (Article 114 TFEU), but the Czech Republic alleged that the aim of the Directive was not minimum harmonisation in the internal market concerning guns, but instead the prevention of crime and terrorism. Therefore, the Directive had to be adopted under Article 84 TFEU, which deals with crime prevention, and forms part of the Treaty provisions on the area of freedom, justice and security. Article 84 TFEU does not allow harmonisation of national law.

Article 114 TFEU

In a first step, the AG analysed the particularities of Article 114 TFEU, which is designed to allow the EU legislator to adopt legislation with the aim of achieving the objectives of the internal market. The precedents which are highly relevant for this case were British American Tobacco and Philip Morris Brands. Both cases concerned the question, if consumer health may be protected on a European Union level by means of legislation with Article 114 TFEU as legal basis. In analogy, the AG draws attention towards Article 114 (3) TFEU, which defines that questions of consumer safety shall be taken into account when harmonising the laws (para 47).

Having said that, the AG also drew attention to Germany v Parliament and Council in which the Court found that such a harmonisation under Article 114 TFEU is not without limits, as regards a ban on advertising of tobacco products.

The yardstick question for the AG was whether the Directive eliminates obstacles to free movement, while not exceeding the competences under Article 114 TFEU (para 50). The AG rejected the argument by the Czech Republic, Hungary and Poland that recitals 2 and 23 in the preamble to the Directive, which mention crime prevention as an objective, alter the scope in a way that it cannot be regarded as falling under the auspices of the internal market any longer (para 54).

Directive 2017/853

In a second step the AG analyzed the substantive legal purpose and the provisions of the Directive. The AG clarified that what matters are the ultimate legal effects of the Directive and not the recitals (para 65). Further, the AG laid out, by citing Digital Rights Ireland (discussed here), that the fight against serious crime constitutes an objective of general interest of the EU (para 66).

In her analysis the AG followed a four-pronged approach. First, the AG found that firearms are intrinsically dangerous goods, therefore any legislation concerning firearms must contain a security aspect (para 67). Second, the Directive enhances mutual confidence among the Member States in cross-border trade (para 68). Third, the Directive aims to harmonize technical barriers to trade, which may include technical specifications (para 69). Fourth, the Directive provides for a improved cooperation among Member States (para 70).

By this analysis, the AG derived the conclusion that the content of the Directive does not harmonize crime prevention in any material sense (para 71), clarifying that the Directive has to be assessed in the light of the 1991 Directive and that a mere change of recitals does not indicate that the aims of the internal market are removed.

The second plea: proportionality

The second plea of the Czech Republic was the alleged lack of proportionality of the Directive. The Czech Republic argued that the measures adopted are manifestly disproportionate to the objectives pursued, on two grounds. First, the Commission failed to conduct an impact assessment, event though the Commission pledged to do so in an interinstitutional agreement on better law-making. Second, the Directive interferes disproportionately with the right to property, which is a fundamental right in the EU legal order.

The question arose, if an interinstitutional agreement, as far as it concerns an impact assessment obligation, is legally binding on EU institutions. This question is general importance for the EU. Hungary argued in support of the Czech Republic that an interinstitutional agreement shall be legally binding, while the Parliament, the Council and the Commission maintained that the obligation to carry out an impact assessment in an interinstitutional agreement is not binding.

The AG dissected these questions starting by lying out that firearms are intrinsically dangerous, and that the EU legislator decided to regulate the entire lifecycle of a weapon in the internal market (para 87). This is important to keep in mind, when verifying if the articles of the Directive are proportionate to the aims. The arguments of the parties were among others that without an impact assessment it cannot be assessed, if the provisions of the Directive are actually proportionate.

Impact assessments are referred to in the inter-institutional agreement on better law-making, adopted on the basis of Article 295 TFEU, and the Court had earlier found, in Commission v Council (para 49), that such agreements among the institutions can be binding on them. However, in this case the AG found that there are no such obligations to conduct an impact assessment in each and every case. An omitted impact assessment cannot be a valid ground to annul a fully lawful Directive.

In case of urgent actions, the AG argued, an impact assessment is not always possible. Further, the Court had already confirmed, in the case of Poland v European Parliament and Council (para 159), that an impact assessment itself is not binding on either the Parliament or the Council. The key take-away is that an omitted impact assessment should not restrict possible actions by the institutions.

The second argument by the parties concerned the right to property. The AG determined that there is no fundamental right to own firearms in the EU, nor does such a right form part of the ‘common constitutional traditions’ of the Member States. The AG went on by stating that the right to property as laid out in Article 17 of the Charter is a qualified right, and not an absolute right. Therefore, the Directive does not deprive citizens of the Union of their right to property.

The third plea: legal certainty

In its third plea the Czech Republic argued that the Directive infringed the principle of legal certainty. Its two main arguments were that i) some of the Directive’s provisions are not sufficiently clear and precise enough and ii) the Directive would force Member States to adopt domestic legislation, which will have a retroactive effect, infringing the principle of legitimate expectations.

The AG reiterated that the principle of legal certainty is a general principle of EU law, as seen in the case of Spain v Council (para 124). Having said that, the AG regarded the wording of the Articles as sufficiently clear and precise enough to meet the requirements of legal certainty. Concerning the possible retroactive effects of the Directive, the AG first reiterated that also the principle of legitimate expectations is a general principle of EU law, as seen in Agrargenossenschaft Neuzelle. However, since there was no assurance by the administration that the classifications of weapons would not be changed in the future, the requirements to invoke that principle are not fulfilled.

Finally, the AG reiterated that these principles cannot be stretched to the point of preventing a new rule to apply to situations which arose under earlier rules (para 132). Consequently, the AG rejected the claims of the Czech Republic concerning legal certainty and legitimate expectations.

The fourth plea: equal treatment

In its last plea, the Czech Republic argued that Article 6(6) of the Directive (the so-called Swiss exception) should be annulled, since it violates the principle of non-discrimination. Switzerland is a Schengen associate; therefore, all Schengen-related legislation (such as the Directive) also applies to Switzerland. Having said that, there are certain areas in which Switzerland enjoys an exception from Schengen-related rules. This Directive is one of those cases, since Switzerland has a reserve army based on conscription, and there is an exception for States which have had such a system for more than 50 years.

In a preliminary step the AG reiterated that the principle of equal treatment is a general principle of EU law, as seen in Arcelor Atlantique et Lorraine and Others. However, the AG concluded its common ground that only Switzerland has such a system of conscription, further, Member States (and Schengen associates) differ in their culture and tradition, therefore, this article cannot be regarded as discriminatory towards other Member States and Schengen associates.

Comments

The opinion gives much food for thought and discusses numerous general principles of EU law. Surely, the opinion will not be welcomed in the Czech Republic. As a key take-away, it is important to note that the institutions might be capable to act without an impact assessment in urgent situations, even when they have subscribed to an inter-institutional agreement under Article 295 TFEU.

Furthermore, the opinion, if followed by the Court, can be seen as a further integration in the area of European Union criminal law. Guns are one of the predominant tools for committing criminal acts, and by tightening the requirements for gun holders in the Member States, the EU legislator aims to impact upon on crime prevention in the European Union.

Finally, the opinion gives guidance on the importance of the right to property in the EU’s legal order, confirming that the right to property as laid down in Article 17 of the Charter is a qualified right and not absolute. Further, the AG illustrates that there is no such thing as a fundamental right to possess guns in the European Union legal order (para 104). It will be interesting to see if the Court follows the opinion of the AG.

Barnard & Peers: chapter 11, chapter 12, chapter 25

Photo credit: EuropeWord

Crushing terrorism online – or curtailing free speech? The proposed EU Regulation on online terrorist content

Professor Lorna Woods, University of Essex

On 12th September 2018, the Commission published a proposal for a regulation (COM(2018) 640 final) aiming to require Member States to require certain internet intermediaries to take proactive if not pre-emptive action against terrorist content on line as well as to ensure that state actors have the necessary capacity to take action against such illegal content. It is described as “[a] contribution from the European Commission to the Leaders’ meeting in Salzburg on 19-20 September 2018”. The proposal is a development from existing voluntary frameworks and partnerships, for example the EU Internet Forum, and the non-binding Commission Recommendation on measures to effectively tackle illegal content online ((C(2018)1177 final), 1st March 2018) and its earlier Communication on tackling illegal content online (COM(2017) 555 final). In moving from non-binding to legislative form, the Commission is stepping up action against such content; this move may also be seen as part of a general tightening of requirements for Internet intermediaries which can also be seen in the video-sharing platform provisions in the revised Audiovisual Media Services Directive and in the proposals regarding copyright. Since the proposal has an “internal market” legal base, it would apply to all Member States.

The Proposal

Article 1 of the proposed Regulation sets out its subject matter, including its geographic scope.  The scope of the proposed regulation is directed to certain service providers, “hosting service provider” in respect of specified content “illegal terrorist content”.  Terms are defined in Article 2. Article 2(1) defines “hosting service provider” (HSP) as “a provider of information society services consisting in the storage of information provided by and at the request of the content provider and in making the information stored available to third parties”. The definition of illegal terrorist content found in Article 2(5) is one (or more) of the following types of information:

(a) inciting or advocating, including by glorifying, the commission of terrorist offences, thereby causing a danger that such acts be committed;

(b) encouraging the contribution to terrorist offences;

(c) promoting the activities of a terrorist group, in particular by encouraging the participation in or support to a terrorist group within the meaning of Article 2(3) of Directive (EU) 2017/541

(d) instructing on methods or techniques for the purpose of committing terrorist offences.

The format does not matter: thus terrorist content can be found in text, images, sound recordings and videos.

Article 3 specifies the obligations of the HSPs. In addition to a specific obligation to prohibit terrorist content in their terms and conditions, HSPs are obliged to take appropriate, reasonable and   proportionate actions against terrorist content, though those actions must take into account fundamental rights, specifically freedom of expression.

Article 4 introduces the idea of a removal order, and requires that the competent authorities of the Member States are empowered to issue such orders; requirements relating to removal orders are set out in Article 4(3).  It does not seem that the issuing of such orders require judicial authorization, though the Regulation does envisage mechanisms for HSPs or the “content provider” to ask for reasons; HSPs may also notify issuing authorities when the HSP views the order as defective (on the basis set out in Article 4(8)), or to notify the issuing authority of force majeure. Article 4(2) states:

Hosting service providers shall remove terrorist content or disable access to it within one hour from receipt of the removal order.

The regulation also envisages referral orders; these do not necessitate the removal of content, nor – unlike the position for removal orders – does it specify deadlines for action. On receipt of a referral order, a HSP should assess the notified content for compatibility with its own terms and conditions. It is obliged to have in place a system for carrying out such assessments. There is also an obligation in Article 6 for HSPs in appropriate circumstances to take (unspecified) effective and proportionate proactive measures and must report upon these measures. Article 6 also envisages the possibility that competent authorities may – in certain circumstances – require a hosting service provider to take specified action.

Article 7 requires hosting service providers to preserve data for certain periods.  The hosting service provider is also required to provide transparency reports as well as to operate within certain safeguards specified in Section III, including transparency reporting, human oversight of decisions, complaints mechanisms and information to content providers – these are important safeguards to ensure that content is not removed erronously.  Section IV deals with cooperation between the relevant authorities and with the HSPs.  Cooperation with European bodies (e.g. Europol) is also envisaged.  As part of this, HSPs are to establish points of contact.

The Regulation catches services based in the EU but also those outside it which provide services in the EU (with jurisdiction in relation to Article 6 (proactive measures), 18 (penalties) and 21 (monitoring) going to the Member State in which the provider has its main establishment) and should designate a legal representative. The Member State in which the representative is based has jurisdiction (for the purposes of Articles 6, 18 and 21). Failure so to designate means that all Member States would have jurisdiction.  Note that as the legal form of the proposal is a Regulation, national implementing measures would not be required more generally.

Member States are required to designate competent authorities for the purposes of the regulation, and also to ensure that penalties are available in relation to specified articles such penalties to be effective, proportionate and dissuasive.  The Regulation also envisages a monitoring programme in respect of action taken by the authorities and the HSPs.  Member States are to ensure that their competent authorities have the necessary capacity to tackle terrorist content online.

Preliminary Comments

The proposal is in addition to the Terrorism Directive, the implementation date for which is September 2018.  That directive includes provisions requiring the blocking and removal of content; is the assumption that – even before they are require legally to be in place – these provisions are being seen as ineffective.

This is also another example of what seems to be a change in attitude towards intermediaries, particularly those platforms that host third party content.  Rather than the approach from the early 2000s – exemplified in the e-Commerce Directive safe harbour provisions – that these providers are and to some extent should be expected to be content-neutral, it now seems that they are being treated as a policy tool for reaching content viewed as problematic.  From the definition in the Regulation, it seems that some of the HSPs could have – provided they were neutral -fallen within the terms of Article 14 e-Commerce Directive: they are information society service providers that provide hosting services.  The main body of the proposed regulation does not deal with the priority of the respective laws but in terms of the impact on HSPs, the recitals claim

“any measures taken by the hosting service provider in compliance with this Regulation, including any proactive measures, should not in themselves lead to that service provider losing the benefit of the liability exemption provided for in that provision.  This Regulation leaves unaffected the powers of national authorities and courts to establish liability of hosting service providers in specific cases where the conditions under Article 14 of Directive 2000/31/EC for liability exemption are not met”.

This reading in of what is effectively a good Samaritan saving clause follows the approach that the Commission had taken with regard to its recommendation – albeit in that instance without any judicial or legislative backing.  Here it seems that the recitals of one instrument (the Regulation) are being deployed to interpret another (the e-Commerce Directive). 

The recitals here also specify that although Article 3 puts HSPs under a duty of care to take proactive measures, this should not constitute ‘general monitoring’; such general monitoring is precluded according to Article 15 e-Commerce Directive. How this boundary is to be drawn remains to be seen. Especially as the regulation envisages prevention of uploads as well as swift take-downs. Further, recital 19 also recognises that

“[c]onsidering the particularly grave risks associated with the dissemination of terrorist content, the decisions adopted by the competent authorities on the basis of this Regulation could derogate from the approach established in Article 15(1) of Directive 2000/31/EC, as regards certain specific, targeted measures, the adoption of which is necessary for overriding public security reasons”.

This is a new departure in the interpretation of Article 15 e-Commerce Directive.

The Commission press release suggests the following could be caught: social media platforms, video streaming services, video, image and audio sharing services, file sharing and other cloud services, websites where users can make comments or post reviews. There is a limitation in that the content hosted should be made available to third parties. Does this mean that if no one other than the content provider can access the content, the provider is not an HSP?  This boundary might prove difficult in practice.  The test does not seem to be one of public display so services where users who are content providers can choose to let others have access (even without the knowledge of the host) might fall within the definition. What would be the position of a webmail service where a user shared his or her credentials so that others within that closed circle could access the information? Note that the Commission is also envisaging services whose primary purpose is not hosting but which allows user generated content– e.g. a news website or even Amazon – also fall within the definition. 

The scope of HSP is broad and may to some extent overlap with that of video-sharing platforms or even audiovisual media service providers for the purposes of the Audiovisual Media Services Directive (AVMSD).  Priorities and conflicts will need to be ironed out in that respect. The second element of this broadness is that the HSP provisions are not just applying to the big companies, the ones to some extent already cooperating with the Commission, but also to small companies. In the view of the Commission terrorist content may be spread just as much by small platforms as large.  Similar to the approach in the AVMSD, the Commission claims that the regulatory burden will be proportionate as the proportionality with mean the level of risk as well as the economic capabilities would be taken into account. 

In line with the approach in other recent legislation (e.g. GDPR, video-sharing platforms provisions in AVMSD) the proposal has an extraterritorial dimension. HSPs would be caught if they provide a service in the EU.  The recitals clarify that “the mere accessibility of a service provider’s website or of an email address and of other contact details in one or more Member States taken in isolation should not be a sufficient condition for the application of this Regulation” [rec 10]; instead a substantial connection is required [rec 11]. Whether this will have a black out effect similar to the GDPR remains to be seen; it may depend on whether the operator is aware enough of the law; how central the hosting element is and how large a part of its operations the EU market is.

While criminal law, in principle, is a matter for Member States, the definition of terrorist content relies on a European definition – though whether this definition is ideal is questionable.  For companies that operate across borders, this is presumably something of a relief (and as noted above, the proposal is based on Article 114 TFEU, the internal market harmonisation power).  The Commission also envisages this a mechanisms limiting the possible scope of the obligations – only material that falls within the EU definition falls within the scope of this obligation – thereby minimising impact on freedom of expression (Proposal p. 8).  Whether national standards will consequently be precluded is a different question.  Note that the provisions in the AVMSD that focus on video sharing platforms were originally envisaged as maximum harmonisation but, as a result of amendments from the Council, retuned to minimum harmonisation (the Council amendments also introduced provisions on terrorist content into the AVMSD based on the same definition).

The removal notice is a novelty aimed at addressing differential approaches in the Member States in this regard (an on-going problem within the safe harbour provisions of the e-Commerce Directive), but also to ensure that such take down requests are enforceable.  Note, however, that it is up to each Member State to specify the competent authorities, which may give rise to differences between the Member States, perhaps also indicating differences in approach.  The startling point is probably the very short timescale: 1 hour (a complete contrast to the timing for example specified in the UK’s Terrorism Act 2006).  The removal notices have been a source of concern.  This is not very long which will mean that - especially with non-domestic providers and taking into account time differences - HSPs will need to think how to man such a requirement (unless the HSPs plan to automate their responses to notices), especially if the HSP hopes to challenge ‘unsatisfactory’ notices (Art 4(8)). 

Given the size of the penalties in view, industry commentators have suggested that all reported content will be taken down.  This is certainly would be a concern in relation to situations where the HSPs had to identify terrorist content (ie ascertain not just that it was in a certain location but also that it met the legal criteria) themselves.  Is it not the case that this criticism is fully appropriate here.  Here, HSPs are not having to decide whether or not the relevant content is terrorist or not- the notice will make that choice for them.  Further, the notice is made not by private companies with a profit agenda but instead by public authorities (presumably) orientated to the public good and with some experience in the topic as well as in legal safeguards.  Furthermore, the authority must include reasons. Indeed, the Commission is of the view that referrals are limited to the competent authorities which will have to explain their decisions ensures the proportionality of such notices (Proposal p. 8). Nonetheless, a one hour time frame is a very short period of time.

Another ambiguity arises in the context of referral notices. It seems that the objective here is to put the existing voluntary arrangements on a statutory footing but with no obligation on the HSP to take the content down within a specified period. Rather the HSP is to assess whether the content referred is compatible with the HSPs terms of service (not whether the content is illegal terrorist content).  Note this is a different from the situation where the HSP discovers the content itself and there has been no official view as to whether the content falls within the definition of terrorist content or not. This seems rather devoid of purpose: relevant authorities have either decided that the content is a problem (in which case the removal notice seems preferable as the decision is made by competent authorities not private companies) or the notice refers to content which is not quite bad enough to fall with the content prohibited by the regulation but the relevant authorities would still like it down, with the responsibility for that decision being pushed on to the HSP. Such an approach seems undesirable.

Article 6 requires HSPs to take effective proactive measures.  These are not specified in the Regulation, and may therefore allow the HSPs some leeway to take measures that seem appropriate in the light of each HSP’s own service and priorities, though it seems here that there may also be concerns about the HSPs’ interpretation of relevant terrorist content.  It is perhaps here that criticisms about the privatisation of the fight against terror comes to the fore.  Note, however that Article 6(4) allows a designated authority to impose measures specified by the authority on the HSP.  Given that this is dealt with at the national level, some fragmentation across the EU may arise; there seems to be no cooperation mechanism or EU coordination of responses under Article 6(4).

There is also the question of freedom of expression. Clearly state mandated removal of content should be limited, but it is the intention that HSPs have no freedom to remove objectionable content for other reasons. At some points, the recitals suggest precisely this: “hosting service providers should act with due diligence and implement safeguards, including notably human oversight and verifications, where appropriate, to avoid any unintended and erroneous decision leading to removal of content that is not terrorist content” [rec 17]. Presumably the intention is that HSPs should take steps to avoid mistakenly considering content to be terrorist.  They clearly are under obligations to take other forms of content down, e.g. child pornography and hate speech. 

More questionable is the position with regard other types of content: the controversial and the objectionable, for example.  As private entities human rights obligations do not bite on them in the same way as they do with regards to States, so there may be questions about the extent to which a content provider can claim freedom of expression against an unwilling HSP (e.g. for Mastodon, the different instances have different community standards set up by that community - should those communities not be entitled to enforce those standards (providing that they are not themselves illegal)?).  There may moreover be differences between the various Member States as to how such human rights have horizontal effect and the deference given to contractual autonomy.  With regard to the video sharing platforms, it seems that room is given to the platforms to enforce higher standards if they so choose; there is not such explicit provision here.

A final point to note is the size of the penalties that are proposed.  The proposal implicitly distinguished between one-off failings and a ‘systematic failure to comply with obligations’.  In the latter cases, penalties of up to 4% of global turnover- in this there are similarities to the scale of penalties under the GDPR.  This seems to be developing into a standard approach in this sector.

Barnard & Peers: chapter 25, chapter 9

JHA4: chapter II:5

Photo credit: Europol

The Privacy International case in the IPT: respecting the right to privacy?

Matthew White, PhD candidate at Sheffield Hallam University.

Introduction

On 21 December 2016, the Grand Chamber (GC) of the Court of Justice of the European Union (CJEU) in Cases C-203/15 and C-698/15 Tele2 and Watson ruled that blanket indiscriminate data retention was incompatible with European Union (EU) law. With that judgment, Professor Lorna Woods highlighted that this did not mean that the CJEU’s interpretation of the requirements of the Charter of Fundamental Rights (CFR) was ‘limited only to this set of surveillance measures.’ Hence, on 9 September 2017, the Investigatory Powers Tribunal (IPT) in Privacy International v the Secretary of State for Foreign and Commonwealth Affairs and Others handed down a judgment regarding the lawfulness under EU law of the acquisition and use of Bulk Communications Data (BCD) under s.94 of the Telecommunications Act 1984 (TA 1984) [4], including a request to the CJEU to answer further questions on EU law. This blog post concerns itself not with the preliminary reference itself, but the underlying flawed logic of the IPT’s reasoning with regards to fundamental rights protection.

The IPT’s faulty premise plagues its judgement from the beginning

The IPT highlighted that the issue before them was the balance between steps taken by the State, through Security & Intelligence Agencies (SIAs) and to ‘protect its population against terror and threat to life against the protection of privacy of the individual’ [6]. The premise of the IPT is deeply flawed from the outset thus impacting upon its reasoning. Daniel Solove has highlighted that ‘protecting the privacy of the individual seems extravagant when weighed against the interests of society as a whole’ (Daniel Solove, (2009) Understanding Privacy, Harvard University Press, p89). When privacy is confined to individualistic notions (particularly of ‘bad guys’), the argument for the departure of its protection becomes easier to justify, no less when that justification is protecting an entire nation.

Privacy is not just an Individual Right

Many (including Solove) have argued that privacy has a common, public and/or social value (Priscilla M. Regan, Legislating Privacy, Technology, Social Values and Public Policy, The University of North Carolina Press, 1995; Kirsty Hughes, ‘The social value of privacy, the value of privacy to society and human rights discourse’ in Beate Roessler and Dorota Mokrosinska (eds), Social Dimensions of Privacy Interdisciplinary Perspectives (Cambridge University Press). Privacy is a prerequisite for liberal democracies because it sets limits on surveillance by acting as a shield for groups and individuals (Alan F. Westin, Privacy and Freedom, New York: Atheneum (1967), p24). It is also important in that, in terms of voter autonomy and its attraction of talented people to public office (Hughes, p228-229). Privacy is also important for social relations (ibid, p229), even more so in that privacy invasive technologies can affect social life more generally (Beate Roessler and Dorota Mokrosinska, p2). A failure to protect social relations, is a failure to protect the democratic state (Francesca Malloggi. “The Value of Privacy for Social Relationships.” Social Epistemology Review and Reply Collective 6, no. 2 (2017): 68-77, p70).

These Powers do NOT just affect Individuals

Another problem with the IPT’s premise is that to argue that such measures as BCD acquisition/use only affect an individual’s privacy is simply not true. It should be obvious by the very name and nature of the powers that they are not targeted on individuals (para 2.1), something which the Respondents in Privacy International even attested to [9(ii)]. The draft BCD Code of Practice under the Investigatory Powers Act 2016 (IPA 2016) notes that ‘if the requirements of this chapter are met then the acquisition of all communications data generated by a particular CSP (Communications Service Provider e.g. BT, Google, iCloud) could, in principle, be lawfully authorised’ (para 3.5). Thus, any suggestion that the issue at hand only concerns an individual is palpably false. As the Grand Chamber (GC) of the European Court of Human Rights (ECtHR) in S and Marper v United Kingdom noted that the:

[M]ere storing of data relating to the private life of an individual amounts to an interference within the meaning [of Article 8]…subsequent use of the stored information has no bearing on that finding [67]. 

Due to the nature of the BCD powers, to say they only affect the individual is to ignore the reality of such sweeping powers which constitute mass interference of a ‘substantial portion, or even all of the relevant population’ [256] and do have chilling effects on totally innocent people (Rozemarijn van der Hilst, (2009), ‘Human Rights Risks of Selected Detection Technologies Sample Uses by Governments of Selected Detection Technologies’ p20; German Forsa Institute, Meinungen der Bunderburger zur Vorratsdatanspeicherung, 28 May 2008). Just like blanket data retention, BCD acquisition/use would ‘relate to all communications effected by all users, without requiring any connection whatsoever with’ [180] national security. 

Article 8 is not limited to Privacy

As ‘private life’ in Article 8 of the European Convention on Human Rights (ECHR) is not susceptible to exhaustive definition [66], this means that the notion is much wider than that of privacy (p12). This encompasses a sphere within which every individual can freely develop and fulfil his personality, both in relation to others and with the outside world (ibid). Private life also includes one’s physical and psychological integrity [58], autonomy [ibid] as well as a right to a form of informational self-determination [137], physical, social [159] and ethnic identity [58], professional activities [29], a certain degree of anonymity [42] and the protection of personal data (S and Marper, [103]).

This does not even begin to consider how such concepts overlap (p10-11). Nor is Article 8 limited to private life, as ‘correspondence’ [44] and the potential for ‘home’ [41] and family life (p21) (even more so now under the new regime of the IPA 2016 in light of the Internet of Things etc) are equally important in the surveillance context. The measure ‘strikes at freedom of communication between users of the postal and telecommunication services’ [41] because we increasingly use the internet to ‘establish and support personal relationships, bank, shop, to gather the news, to decide where to go on holiday, to concerts, museums or football matches. Some use it for education and for religious observance – checking the times and dates of festivals or details of dietary rules.’ Very few aspects of our lives are untouched by the internet (Paul Bernal, ‘Data gathering, surveillance and human rights: recasting the debate’ (2016) Journal of Cyber Policy, 1:2 243, p247).

Correspondence becomes particularly important when it affects legal professional privilege (LPP) and journalistic sources. This was a criticism of data retention laws in that it did not provide any exceptions for professional secrecy (Tele2 and Watson, [105]). The ECtHR in Kopp v Switzerland noted that Swiss law violated Article 8 because it provided ‘no guidance on how authorities should distinguish between protected and unprotected attorney-client communications’ [73-75]. BCD acquisition/use suffers from the same drawbacks.  

Thus, when the IPT refers merely to individual privacy, it does so without acknowledging the breadth and multifaceted nature of Article 8, or how surveillance measures impact on them in various ways, which limits their ability to give a thorough assessment resulting in a possible divergence from the ECtHR.

Confining the discussion to Privacy foregoes the broader context of Fundamental Rights Protection

[i]t is hard to imagine, for example, being able to enjoy freedom of expression, freedom of association, or freedom of religion without an accompanying right to privacy (Benjamin J. Goold, ‘Surveillance and the Political Value of Privacy’ (2009) 1:4 Amsterdam Law Forum 3, p4).

When Article 8 is confined to the narrow aspect of the privacy of a suspected terrorist, not only does it overlook the breadth of Article 8 (mentioned above) but it does not even entertain other fundamental rights that might be at stake. This is also a view the then Independent Reviewer of terrorism legislation, David Anderson acknowledged (para 2.12) and Paul Bernal (Paul Bernal). The CJEU were also aware of this to some degree in Tele2 and Watson where they noted that the data retention could have an effect on the use of means of electronic communication and, consequently, on the exercise by the users thereof of their freedom of expression, guaranteed in Article 11 of the CFR [101], which is essentially equivalent to Article 10 ECHR.

Article 10 ECHR: Freedom of Expression

Article 10 applies to communications via the internet [34] (in French), regardless of the message conveyed [55] and irrespective of its nature [47]. The ECtHR regards freedom of expression as constituting ‘one of the essential foundations of a democratic society and one of the basic conditions for its progress and for each individual’s self-fulfilment’ [100]. Not only does this highlight freedom of expressions value to democracy, it highlights one of the various ways in which Article 10 interplays with Article 8 i.e. self-development [117].

Another way in which Articles 10 and 8 interlink is that of anonymity, where Lord Neuberger noted that in the context of anonymous speech, Article 8 reinforces Article 10 (para 25). Within that context, Neuberger continued that Article 8 rights are of fundamental importance (ibid, para 42). Political reporting and investigative journalism attract a high level of protection under Article 10 [129]. The then Special Rapporteur for the United Nations of freedom of expression, Frank La Rue highlighted that that restrictions on anonymity can have a chilling effect, which dissuades the free expression of information and ideas (para 49).

Article 9 ECHR: Freedom of Religion, Thought and Conscience

Like Article 10, Article 9 is regarded as one of the foundations of a democracy [34]. Article 9 entails the freedom to manifest one’s religion can be done in public or in private [78]. It also includes the absolute and unconditional right to hold a belief [ibid, 79]. The right to manifest one’s belief has a negative aspect, in that an individual has a ‘right not to be obliged to disclose his or her religion or beliefs and not to be obliged to act in such a way that it is possible to conclude that he or she holds’ [41]. BCD acquisition/use makes this entirely possible (para 1.1), causing a notable chilling effect.

Article 11 ECHR: Freedom of Association/Assembly

The GC of the ECtHR has referred to freedom of assembly, like Article 9 and 10 as one of the foundations of a democratic society [91]. Similarly, freedom of association is of utmost importance because it ‘enables individuals to protect their rights and interests in alliance with others’ (p4). The Steering Committee on Media and Information Society (Sterling Committee) in their to human rights for Internet users when referring to Article 11 noted that users have ‘the right to peacefully assemble and associate with others using the Internet’ (para 61). Just as noted above with other Convention Rights, surveillance has harmful effects on freedom of association (see also Valerie Aston, ‘State surveillance of protest and the rights to privacy and freedom of assembly: a comparison of judicial and protester perspectives’ (2017) EJLT 8:1).

The enjoyments of the rights contained in Articles 9-11, which are foundations for democracy (especially online) are underpinned by Article 8.

How the premise impacts upon the IPT’s reasoning

Given the above mentioned, it is important to discuss how the lack of consideration for the potential effects on other fundamental rights affects the IPT’s reasoning.

It’s not all about Utility

The IPT discussed the evidence for supporting BCD acquisition/use, ranging from Anderson’s report, the case studies within them, Mi5 witness statements (Privacy International, [11-17]). The IPT makes reference to the critical value of BCD acquisition/use and the need for the haystack, in order to find the needle. A quick counter to the second point is ‘[i]f you’re looking for a needle in a haystack, how does it help to add hay?’ The problem with the needle in the haystack argument is that it could be used to justify any amounts of data to be stored/used, even all that is available.

Furthermore, this part of the judgement concerns what the IPT considers to be ‘The Facts’ yet on closer examination, not everything highlighted by the IPT are facts. For example, the IPT refers to the Respondents’ witnesses speaking persuasively and refers to an Mi5 witness. If the IPT were to regard witness statements as facts, then for example, Bruce Schneier’s, or former National Security Agency (NSA) official William Binney’s denunciation of mass surveillance should be given equal weight. There is no suggestion that this is what was (or should have been) presented before the IPT, but it highlights the weight given to opinions by the IPT. Discussing only the evidence of the Respondent also demonstrates the problematic information asymmetry in the surveillance context where:

[I]nformation asymmetrification provides a foundation on which the existence of elites is built and possibilities of strengthening that asymmetry will be enthusiastically sought (Geoffrey Lightfoot and Tomasz Piotr Wisniewski, ‘Information asymmetry and power in a surveillance society’ (2014) Information and Organization 24 214–235, p230).

Regarding the first point, the value of a measure does not necessarily make it necessary [48]. The IPT considers that although BCD acquisition/use is essential, this does not completely resolve the question of proportionality (Privacy International, [16]). Lord Kerr in his dissenting opinion in Beghal v DPP quite rightly noted that ‘powers which can be used in an arbitrary or discriminatory way are not transformed to a condition of legality simply because they are of proven utility’ [93]. Although the IPT did find s.94 not to be compliant with Article 8 prior to its avowal, this follows a trend of watering down the prescribed by/in accordance with law requirements noted in Kennedy v United Kingdom in where for the IPT, honesty appears to be synonymous with legality.

Moreover, the supporting evidence for BCD acquisition/use does not refer to what type of communications data was used, how it was used, or why it was key. The IPT noted that nothing in the evidence they examined contradicts what was set out in paragraphs 11-16. This is problematic for two reasons, if the IPT only considered evidence from the Respondent, then it would make sense that there is less likelihood that evidence presented would contradict arguments put forward, and thus becomes a one-sided argument. Secondly, as Bruce Schneier noted ‘no method of surveillance or inquiry will ever stop a lone gunman.’ Although, the murder of Fusilier Lee Rigby involved two assailants, the Intelligence and Security Committee (ISC) noted that Mi5 ‘put significant effort into investigating [Michael Adebolajo] and employed a broad range of intrusive techniques. None of these revealed any evidence of attack planning.’ What this demonstrates is the contrary view that all the surveillance in the world did not prevent individuals ‘such as the Fort Hood shooter, or Anders Behring Breivik, or the Charlie Hebdo attackers.’ Therefore, the IPT draws attention to its obscured view given that it has inquisitorial powers (s.68(2)(b) of the Regulation of Investigatory Powers Act 2000 (RIPA 2000)) and could have sought information regarding counter arguments.

No Genuine Intrusion?

When the IPT discussed the operation of s.94 TA 1984, they noted that access to BCD is either targeted or more likely to involve electronic trawling of masses of data which are not ‘read’ to find the needle in the haystack (Privacy International, [19]). The IPT continues that a ‘miniscule quantity of the data trawled is ever examined. There is thus no genuine intrusion to any save that miniscule proportion’ (ibid). This reasoning of the IPT is almost as if the UK exists in a vacuum when it comes to the findings of the GC in S and Marper. The IPT’s reasoning is that only when communications data is accessed/examined, then follows genuine intrusion. This is why confining the issue to privacy proves problematic because the GC in S and Marper noted that the protection of personal data is of fundamental importance to the enjoyment of private and family life. This protection begins as soon as the data is processed and retained, thus marks the genesis of genuine intrusion, any subsequent use has no bearing on this. The IPT’s reasoning follows the sentient being argument which suggests that privacy is only interfered with when private data is read by an intelligence officer. Following this argument would lead to the logical conclusion of sowing the seeds of the total destruction of private life and data protection as surveillance becomes increasingly automated e.g. by analogy automatic number plate recognition (ANPR) [169-170], see also CJEU Opinion on PNR [121-132]. Using last century’s arguments (if one could even call it that) are not suitable today.

The IPT maintains the approach of significantly downplaying the severity of interference caused by storing and using communications data. The IPT had previously accepted a false analogy from the Respondent of equating GPS data (a particular type of communications data) with communications data in general to argue that it is not as serious as interception (Matthew White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of Information Rights, Policy and Practice 2:1, p9). This was argued that when giving weight to this position:

[I]t did so by considering a case of an isolated specific type of data, which cannot be used to justify an argument that interference is less severe whilst ignoring the cumulative total of the different types of communications data (ibid).

Malte Spitz of the German Green party published data that was retained under Germany’s data retention laws in which Zeit Online created an interactive map detailing Spitz’s movements. Biermann continued that this data revealed:

[W]hen Spitz walked down the street, when he took a train, when he was in an airplane. It shows where he was in the cities he visited. It shows when he worked and when he slept, when he could be reached by phone and when was unavailable. It shows when he preferred to talk on his phone and when he preferred to send a text message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.

Advocate General (AG) Saugmandsgaard Øe in Tele2 and Watson noted that that in the individual context a general data retention obligation would facilitate equally serious interference as targeted surveillance measures, including those which intercept the content of communications [254]. AG Saugmandsgaard Øe continued that the risks associated with access to communications data ‘may be as great or even greater than those arising from access to the content of communications’ [259]. For example, replying to an email saying ‘lmao’ my not reveal much to an observer, but the observer could learn what email address the message was sent from and to, the time and date that message was sent, the location of when it was sent, what browser was being used and what device was being used etc. This simple analogy demonstrates why yet again the IPT are incorrect to downplay the revealing nature of communications data given that people get killed based on it. This seriousness only intensifies when the acquisition/use is in bulk.

Powerful Submissions?

The IPT highlighted the powerful submissions (hence very persuasive (Privacy International, [51])) made by the Respondent:

The use of bulk acquisition and automated processing produces less intrusion than other means of obtaining information.

The balance between privacy and the protection of public safety is not and should not be equal. Privacy is important and abuse must be avoided by proper safeguards, but protection of the public is preeminent.

The existence of intrusion as a result of electronic searching must not be overstated, and indeed must be understood to be minimal.

There is no evidence of inhibition upon, or discouragement of, the lawful use of telephonic communication. Indeed the reverse is the case.

Requirements or safeguards are necessary but must not, as the Respondents put it, eviscerate or cripple public protection, particularly at a time of high threat [50].

It is important to deal with these points individually (some of which are already dealt with above).

The Respondents maintain that BCD acquisition/use is less intrusive than other methods of gathering information without explaining what other methods are more intrusive or why and why this is the least restrictive measure to obtain the objective [260].

As noted above, this is not just an issue of narrow privacy, but an issue of other applicable fundamental rights protected by the ECHR. The premise of the balance between privacy and public safety i.e. security is a miscast (Paul Bernal, p244), misleading (ibid) and false (see here, here and here) one to begin with. It ignores factors that demands for security can actually reduce security therefore, safety (Paul Bernal, p224; Harold Abelson et al, Keys under doormats: mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 2015, 1–11, p5) and otherwise prove ineffectual (see here and here). It also suggests that privacy should always be on the back foot when the issue concerns the protection of the public, when the irony is that it’s the publics’ data that is being acquired and used (see social dimension of privacy above which protects against utilitarian calculation of majoritarian societal interests and/or political whims (Kirsty Hughes, p 227)). It also assumes that when Convention Rights are a stake, the only question that needs to be answered is whether the appropriate balance has been struck, forgoing legality and necessity.

These types of arguments would seemingly fall into the narrow nothing-to-hide-like argument that looks for singular type of injury, be it some grave physical violence, a loss of substantial money or something severely embarrassing (Daniel Solove. Nothing to Hide: The False Tradeoff between Privacy and Security (2011). Yale University Press, p29). This of course also ignores both European Courts on the severity of the mere storage of data interfering with private/family life/freedom of expression/association [107] and data protection.

Contrary to what the Respondents assert, there is evidence for chilling effects due to surveillance measures, some highlighted above. Moreover, assessing chilling effects should not just be measured by inhibitions, but actual methods of protecting online activity. There was An increase in Virtual Private Network (VPN) (this essentially aims hide online activity) subscriptions in Australia when their national data retention laws came into force and in the UK when the IPA 2016 and Digital Economy Act 2017 (DEA 2017) were in passing. Or by the increasing the use of ad blockers, which 11 million devices in the UK now have. As Edward Snowden revealed ‘government surveillance efforts are sometimes bolstered by online advertising practices.’ Moreover, Solove contends that the value of protecting against chilling effects is not measured simply by its effects on individuals exercising their rights, but its harms to society because among other things ‘they reduce the range of viewpoints expressed and the degree of freedom with which to engage in political activity’ (Daniel J. Solove, ‘’I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy’ (2007) San Diego Law Review 44 745, p746). It is true that the uptake in technology has increased e.g. smartphones but this does not necessarily disprove the idea of chilling effects etc. This is due to ignoring the fact that many may not be fully aware of what information is being collected (Sandra Braman, 2006, Tactical memory: The politics of openness in the construction of memory Sandra Braman. First Monday, 11(7); Connor Sheridan, (2016) "Foucault, Power and the Modern Panopticon". Senior Theses, Trinity College, Hartford, CT 2016. Trinity College Digital Repository, p48; Majority of Brits Unaware of Online Surveillance) where awareness leaves open the possibility of resistance (Andrew Roberts, Privacy, Data Retention and Domination: Digital Rights Ireland Ltd v Minister for Communications, (2015) 78(3) MLR 522–548, p545). This resistance could be not using the technology, to finding ways to circumvent surveillance law (self-regulatory), protests (Hintz, A. & Dencik, L. (2016). The politics of surveillance policy: UK regulatory dynamics after Snowden. Internet Policy Review, 5(3), p8) (political), or legal action all designed to protect fundamental rights.

This is the ‘the ends justify the means’ justification. Not every interference or derogation from the principle of protection of fundamental rights are necessary in a democratic society.

Prior Authorisation

The IPT noted that Secretary of State authorisations complied with the ECHR for reasons set out in a prior judgment. The IPT were of the opinion that the ECtHR in Szabo & Vissy v Hungary were not recommending any new safeguards because Hungarian law fell below even existing principles [60]. This of course does not consider cases such as Dumitru Popescu v Romania [71-73], Iordachi and Others v Moldova [40], and Uzun v Germany [72] all endorsing the view that the body issuing authorisations for interception should be independent and that there must be either judicial control or control by an independent body over the issuing body's activity.

So, when the ECtHR in Szabo endorses the view in Iordachi that ‘control by an independent body, normally a judge with special expertise, should be the rule and substitute solutions the exception, warranting close scrutiny’ [77] it is difficult to suggest the ECtHR in Szabo were not strongly advocating for prior judicial control (Matthew White, p15). The ECtHR did acknowledge that post factum oversight may counterbalance the short comings of initial oversight (referring to the IPT in Kennedy) (Szabo, [77]). However, it has already been argued that this counterbalance is not adequate (Matthew White, p14-16).

Notification

According to the IPT, a requirement of notification is inadequate in the circumstances of national security because (a) national security is ongoing and (b) it relates to further operations and methodologies (Privacy International, [62]). The IPT also noted that this is not required for compliance with the ECHR [63]. This, however, overlooks Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria where the ECtHR found violations of Article 8 and 13 (effective remedy) for among other things, a lack of a notification procedure [94] and [103]. Yet Ekimdzhiev concerned national security and the ECtHR even referred to the notification in the national security context in Germany for both individual (Klass v Germany, [11] and general surveillance measures (Weber and Saravia v Germany, [51-54] and in Leander v Sweden [31]). This is permissible due to the ECtHR establishing the principle that:

[A]s soon as notification can be made without jeopardising the purpose of the surveillance after its termination, information should be provided to the persons concerned (Ekimdzhiev, [90]).

This establishes that to the ECtHR’s mind, notification in the national security context is not inappropriate or inadequate considering this has been the practice of Germany for decades. Furthermore, the ECtHR acknowledge that it would not be desirable in all circumstances to notify, therefore leaving that possibility open whereas the IPT would prefer it kept shut. Also, in the national security context, the GC of the ECtHR in Roman Zakharov v Russia noted that notification was inextricably linked ‘to the effectiveness of remedies before the courts and hence to the existence of effective safeguards against the abuse of monitoring powers’ [234]. A point in which Paul de Hert and Franziska Boehm share.

Although the GC referred to the alternative to notification of the UK system i.e. the IPT jurisdiction (Roman Zakharov, [234]), de Hert and Boehm have questioned whether Kennedy ‘is capable of responding to the challenges arising out of the use of new surveillance techniques’ (Franziska Boehm and Paul de Hert, The rights of notification after surveillance is over: ready for recognition? (Yearbook of the Digital Enlightenment Forum, IOS Press 2012), pp. 19-39, p37). Boehm and de Hert continue that in light of powers such as data retention and ‘fishing expeditions’ that target a greater number of people without suspicion, a notification duty appears to be an effective tool to prevent abuse (ibid, p37-8). Finally, Boehm and de Hert note that the Belgian Constitutional Court has now adopted the notification principle as a requirement to comply with Article 8 (ibid, p38). The IPT highlights difficulties with the notification of BCD acquisition/use as to whether notification should be to everyone whose data is in the database, those subject to an electronic search or all those who feature in data in targeted access (Privacy International, [64])? Accepting this premise would accept the powers that are exercised to begin with, which is at the heart of this issue.

Conclusions: Be careful what you wish for

Ultimately, the IPT referred the question as to whether the Tele2 and Watson requirements apply in the national security context to the CJEU (ibid, [72]). This blog post has argued that much of the IPT’s reasoning with regards to fundamental rights protection is lacking. By confining itself to a restrictive notion of individual privacy of a person of interest, the IPT blinds itself to the broader notions of Article 8 and the other fundamental rights it underpins. Some aspects of the IPT’s reasoning (and Respondent’s arguments) is not even consistent with the very human rights system (ECHR) the Respondents are seeking to rely upon. The ECtHR have firmly noted that:

Given the technological advances since the Klass and Others case, the potential interferences with email, mobile phone and Internet services as well as those of mass surveillance attract the Convention protection of private life even more acutely (Szabo, [53]).

The GC in Roman Zakharov found that Russian law to be in violation of Article 8 because interferences with privacy rights were ordered ‘haphazardly, irregularly or without due and proper consideration’ (Roman Zakharov, [267]) in the national security context. Judge Pinto de Albuquerque noted that Roman Zakharov was a rebuke of ‘strategic surveillance’ (Szabo, Concurring Opinion of Judge Pinto de Albuquerque, [35]) which would accord a previous concurring opinion of judge Pettiti in which surveillance should not be used for ‘fishing’ exercises to bring in information (Kopp). If as the IPT say that a ‘miniscule quantity of the data trawled is ever examined’ how would this square with the position of ‘[t]he automatic storage for six months of clearly irrelevant data cannot be considered justified under Article 8’ (Roman Zakharov, [255])? Time will tell if the ECtHR follows this trend in Big Brother Watch and Others v UK, Bureau of Investigative Journalism and Alice Ross v UK and 10 Human Rights Organisations v UK. Therefore, the IPT should not convince itself of the ‘illusory conviction that global surveillance is the deus ex machina capable of combating the scourge of global terrorism’ (Szabo, Concurring Opinion of Judge Pinto de Albuquerque, [20]). Surveillance has never just been an issue of privacy, or private life or else the ECtHR would never have uttered its awareness:

[O]f the danger such a law poses of undermining or even destroying democracy on the ground of defending it, affirms that the Contracting States may not, in the name of the struggle against espionage and terrorism, adopt whatever measures they deem appropriate (Klass, [49]).

Barnard & Peers: chapter 9

Photo credit: Pixabay