In September last year, a Chamber of the European Court of Human Rights delivered its judgment in Wieder and Guarnieri v. the United Kingdom (nos. 64371/16 and 64407/16), which became final in December. The judgment is an important contribution to the ever-growing international case law on the extraterritorial application of human rights. Briefly, the Court held that the interception, storing or processing of data of any individual that implicates their right to privacy will be within the jurisdictional scope of the European Convention if such surveillance activities are done on the state’s own territory, even if the individual concerned is located outside it.
This is, to my mind, exactly the right result. Ten years ago, I published an article on privacy in the digital age in the Harvard International Law Journal, which extensively dealt with the application of human rights to electronic surveillance activities conducted by states against individuals abroad. I argued for an expansive approach: that the right to privacy applied to any surveillance activity affecting the interests of individuals, no matter where they were located. This was either because no jurisdiction threshold applied at all to potential violations of negative obligations (my preferred position), or because the personal notion of jurisdiction as state authority, power or control over the individual victim collapsed into the proposition that any act that interfered with the individual’s privacy was an exercise of such authority, power or control. In other words, by engaging in such conduct the state simultaneously exercised jurisdiction over the individuals affected and potentially violated their right to privacy.
In the years since, the European Court decided several major surveillance cases, most notably Big Brother Watch, but in all of them it managed to avoid addressing the extraterritoriality issue. This enabled some governments to argue that the Convention does not apply at all to extraterritorial surveillance activities. Indeed, the UK government was supported in so arguing by a judgment of the UK’s specialized Investigatory Powers Tribunal. Other human rights courts and treaty bodies haven’t yet had the opportunity to decide cases on extraterritorial surveillance, although their approach to other comparable situations has grown more and more expansive, for instance in environmental cases. Amongst domestic courts, the Federal Constitutional Court of Germany took the opposite route from that of the UK’s IPT, by holding that all German surveillance activities abroad had to comply with fundamental rights guarantees – but this was a ruling based on the German Basic Law, not the European Convention. (For more background and an overview of these developments, see here).
Yet, again, the European Court has been evasive. In part this is because there are so many mutually linked extraterritoriality issues, from climate change to armed conflict, with huge practical and political implications across the board if an expansive approach was adopted. In my Harvard ILJ piece I thus predicted that there would be one category of extraterritorial surveillance cases which the Court will find more palatable and easier to deal with (124-127), because it would enable it to do the right thing and apply the right to privacy to foreign surveillance while avoiding immediate implications for other situations.
These are cases in which, due to the capabilities of new technologies, the location of an interference with an individual’s privacy is within the state’s own territory (or territory that it otherwise controls), even though the location of the individual itself is outside the state’s territory. In other words, the locations of the victim and of the interference with their rights are different. Consider, for example, a scenario in which the UK was to intercept an email I sent from Serbia to someone in the United States, but the email transited the UK’s territory because it was routed through servers on UK soil, or because it passed through undersea cables terminating in the UK. The data packet was thus intercepted by UK authorities while it passed through the UK. The interference with my privacy happened in the UK, but for all that time I was located in Serbia.
I argued that in such cases our intuitions would favour the applicability of the Convention:
For example, I normally live and work in the United Kingdom, but I travel relatively frequently. If the U.K. police searched my flat in Nottingham or if they hacked into my office computer while I was out of the country, surely the ICCPR and the ECHR would apply and my privacy rights would be engaged? If they seized my U.K. bank account while I was outside the United Kingdom, surely my property rights under Protocol No. 1 to the ECHR would be engaged? And so forth.
While those intuitions could be examined from several different legal perspectives, it seemed clear that ‘surveillance programs in which the interference with privacy takes place within an area under the state’s control, even though the individual is not located in this area, may be more open to challenge than those programs in which both the interference and the individual are outside areas controlled by the state.’
This is now exactly what happened in Wieder and Guarnieri:
- To date, the Court has not had the opportunity to consider the question of jurisdiction in the context of a complaint concerning an interference with an applicant’s electronic communications. In Bosak and Others v. Croatia (nos. 40429/14 and 3 others, 6 June 2019) the Court did not consider whether the interception of the communications of the two applicants who were living in the Netherlands fell within Croatia’s jurisdiction for the purposes of Article 1 of the Convention, perhaps because those applicants’ telephone conversations were intercepted and recorded by the Croatian authorities on the basis of secret surveillance orders lawfully issued against another applicant, who lived in Croatia and with whom they had been in contact. While the question of jurisdiction was alluded to in Weber and Saravia v. Germany (dec.), no. 54934/00, § 72, ECHR 2006-XI and in Big Brother Watch and Others (cited above, § 272), in neither case was it necessary to decide the issue.
- The applicants in the present case have not suggested that they were themselves at any relevant time in the United Kingdom or in an area over which the United Kingdom exercised effective control. Rather, they contend either that the acts complained of – being the interception, extraction, filtering, storage, analysis and dissemination of their communications by the United Kingdom intelligence agencies pursuant to the section 8(4) regime (see paragraph 56 above) – nevertheless fell within the respondent Government’s territorial jurisdiction, or, in the alternative, that one of the exceptions to the principle of territoriality applied.
- In Big Brother Watch and Others the Court identified four stages to the bulk interception process: the interception and initial retention of communications and related communications data; the searching of the retained communications and related communications data through the application of specific selectors; the examination of selected communications/related communications data by analysts; and the subsequent retention of data and use of the “final product”, including the sharing of data with third parties (ibid, § 325). Although it did not consider that the interception and initial retention constituted a particularly significant interference, in its view the degree of interference with individuals’ Article 8 rights increased as the bulk interception process progressed (ibid, § 330). The principal interference with the Article 8 rights of the sender or recipient was therefore the searching, examination and use of the intercepted communications.
- In the context of the section 8(4) regime each of the steps which constituted an interference with the privacy of electronic communications, being the interception and, more particularly, the searching, examining and subsequent use of those intercepted communications, were carried out by the United Kingdom intelligence agencies acting – to the best of the Court’s knowledge – within United Kingdom territory.
- It is the Government’s contention that any interference with the applicants’ private lives occasioned by the interception, storage, searching and examination of their electronic communications could not be separated from their person and would therefore have produced effects only where they themselves were located – that is, outside the territory of the United Kingdom (see paragraph 77 above).
- However, such an approach is not supported by the case-law of the Court. Although there are important differences between electronic communications, for the purposes of Article 8 of the Convention, and possessions, for the purposes of Article 1 of Protocol No. 1, it is nevertheless the case that an interference with an individual’s possessions occurs where the possession is interfered with, rather than where the owner is located (see, for example, Anheuser-Busch Inc. v. Portugal [GC], no. 73049/01, ECHR 2007‑I). Similarly, in the specific context of Article 8, it could not seriously be suggested that the search of a person’s home within a Contracting State would fall outside that State’s territorial jurisdiction if the person was abroad when the search took place. While some of the elements of a person’s private life (for example, physical integrity) may not readily be separated from his or her physical person, that is not necessarily the case for all such elements. For example, in Von Hannover v. Germany (no. 59320/00, ECHR 2004-VI) the Court appeared to accept that the interference with the applicant’s private life which flowed from the publication by German magazines of photographs of her took place in Germany, where the photographs had been published and viewed by the magazines’ readership (ibid., §§ 53 and 76-81), even though the applicant lived in France and had her official residence in Monaco (ibid., § 8), and the photographs in question had been taken in Austria, France and Monaco (ibid., §§ 11-17). Similarly, in Arlewin v. Sweden (no. 22302/10, §§ 63 and 65, 1 March 2016) the Court found that injury to the applicant’s privacy and reputation occasioned by the broadcast of a television programme took place in Sweden, where the programme was broadcast, and not in the United Kingdom, where the broadcaster had its head office.
- Turning to the facts of the case at hand, the interception of communications and the subsequent searching, examination and use of those communications interferes both with the privacy of the sender and/or recipient, and with the privacy of the communications themselves. Under the section 8(4) regime the interference with the privacy of communications clearly takes place where those communications are intercepted, searched, examined and used and the resulting injury to the privacy rights of the sender and/or recipient will also take place there.
- Accordingly, the Court considers that the interference with the applicants’ rights under Article 8 of the Convention took place within the United Kingdom and therefore fell within the territorial jurisdiction of the respondent State. As such, it is not necessary to consider whether any of the exceptions to the territoriality principle are applicable.
Note how the Court chooses to frame this case as not about being about extraterritorial application at all. But this is wrong. Under Article 1 of the Convention, it is the victim of the alleged violation that has to be within a state’s jurisdiction. As soon as that victim is not located within the state’s territory, we are necessarily talking about the Convention’s extraterritorial application. That the location of the interference does not align with the location of the individual does not change that assessment. The Court frames the case this way simply to avoid the implications that covering extraterritorial surveillance through the personal conception of jurisdiction in particular could have.
That said, the framing aside, the Court’s approach is to my mind entirely correct. And its implications are huge, despite being limited to this particular context. It is not just the territorial interception of communications of an individual located abroad that would be covered under this approach. The same applies for any processing of the information acquired, even if the interception itself took place abroad. Thus, for example, if the UK hacked the phone of a person in China, but processed the information so acquired within the UK – as it almost invariably would do – then the search and examination of this data would be covered by the Convention even if the interception itself was not.
In other words, bringing back onto the state’s territory any data that implicates privacy interests of individuals would trigger the application of their right to privacy under the Convention. So would any examination of that data on the state’s territory, whether done by an automated system or by a human analyst, even if the data was kept in the cloud and its precise location was difficult to determine. The same goes for any information obtained from third parties, e.g. through intelligence sharing by other states, including those not parties to the Convention. However, cyber operations that simply destroy data located abroad could not be covered under this principle, although they should be covered under (at least my own view of) the personal conception of jurisdiction.
Bottom line – the Court’s approach here is so broad that we arrive at the same position as the one adopted by the German Constitutional Court: whenever European intelligence agencies acquire or process data implicating the interests of individuals, they have to respect their right to privacy and may interfere with that right subject to the legality, legitimacy, necessity and proportionality justification test. They cannot simply assert that the Convention does not apply at all.
This is, of course, a Chamber judgment, and not a Grand Chamber one. But it is still authoritative, especially because the Chamber was unanimous. Readers will correct me if I’m wrong, but it seems the UK government didn’t even attempt to refer this case to the Grand Chamber – likely a strategic choice. It remains to be seen how domestic courts in the UK will implement this judgment in their own jurisprudence, and whether the Grand Chamber will eventually mainstream this approach, as it should. For now, though, pursuant to Wieder and Guarnieri European intelligence agencies will need to apply the justification test under Article 8 of the Convention for all of their activities affecting individual rights and interests, both at home and abroad. (Those activities that do not implicate such interests – e.g. collecting intelligence about an adversary state’s plans or military assets – simply remain outside the scope of human rights law altogether.)
Wieder and Guarnieri v UK: A Justifiably Expansive Approach to the Extraterritorial Application of the Right to Privacy in Surveillance Cases
Written by Marko MilanovicIn September last year, a Chamber of the European Court of Human Rights delivered its judgment in Wieder and Guarnieri v. the United Kingdom (nos. 64371/16 and 64407/16), which became final in December. The judgment is an important contribution to the ever-growing international case law on the extraterritorial application of human rights. Briefly, the Court held that the interception, storing or processing of data of any individual that implicates their right to privacy will be within the jurisdictional scope of the European Convention if such surveillance activities are done on the state’s own territory, even if the individual concerned is located outside it.
This is, to my mind, exactly the right result. Ten years ago, I published an article on privacy in the digital age in the Harvard International Law Journal, which extensively dealt with the application of human rights to electronic surveillance activities conducted by states against individuals abroad. I argued for an expansive approach: that the right to privacy applied to any surveillance activity affecting the interests of individuals, no matter where they were located. This was either because no jurisdiction threshold applied at all to potential violations of negative obligations (my preferred position), or because the personal notion of jurisdiction as state authority, power or control over the individual victim collapsed into the proposition that any act that interfered with the individual’s privacy was an exercise of such authority, power or control. In other words, by engaging in such conduct the state simultaneously exercised jurisdiction over the individuals affected and potentially violated their right to privacy.
In the years since, the European Court decided several major surveillance cases, most notably Big Brother Watch, but in all of them it managed to avoid addressing the extraterritoriality issue. This enabled some governments to argue that the Convention does not apply at all to extraterritorial surveillance activities. Indeed, the UK government was supported in so arguing by a judgment of the UK’s specialized Investigatory Powers Tribunal. Other human rights courts and treaty bodies haven’t yet had the opportunity to decide cases on extraterritorial surveillance, although their approach to other comparable situations has grown more and more expansive, for instance in environmental cases. Amongst domestic courts, the Federal Constitutional Court of Germany took the opposite route from that of the UK’s IPT, by holding that all German surveillance activities abroad had to comply with fundamental rights guarantees – but this was a ruling based on the German Basic Law, not the European Convention. (For more background and an overview of these developments, see here).
Yet, again, the European Court has been evasive. In part this is because there are so many mutually linked extraterritoriality issues, from climate change to armed conflict, with huge practical and political implications across the board if an expansive approach was adopted. In my Harvard ILJ piece I thus predicted that there would be one category of extraterritorial surveillance cases which the Court will find more palatable and easier to deal with (124-127), because it would enable it to do the right thing and apply the right to privacy to foreign surveillance while avoiding immediate implications for other situations.
These are cases in which, due to the capabilities of new technologies, the location of an interference with an individual’s privacy is within the state’s own territory (or territory that it otherwise controls), even though the location of the individual itself is outside the state’s territory. In other words, the locations of the victim and of the interference with their rights are different. Consider, for example, a scenario in which the UK was to intercept an email I sent from Serbia to someone in the United States, but the email transited the UK’s territory because it was routed through servers on UK soil, or because it passed through undersea cables terminating in the UK. The data packet was thus intercepted by UK authorities while it passed through the UK. The interference with my privacy happened in the UK, but for all that time I was located in Serbia.
I argued that in such cases our intuitions would favour the applicability of the Convention:
While those intuitions could be examined from several different legal perspectives, it seemed clear that ‘surveillance programs in which the interference with privacy takes place within an area under the state’s control, even though the individual is not located in this area, may be more open to challenge than those programs in which both the interference and the individual are outside areas controlled by the state.’
This is now exactly what happened in Wieder and Guarnieri:
Note how the Court chooses to frame this case as not about being about extraterritorial application at all. But this is wrong. Under Article 1 of the Convention, it is the victim of the alleged violation that has to be within a state’s jurisdiction. As soon as that victim is not located within the state’s territory, we are necessarily talking about the Convention’s extraterritorial application. That the location of the interference does not align with the location of the individual does not change that assessment. The Court frames the case this way simply to avoid the implications that covering extraterritorial surveillance through the personal conception of jurisdiction in particular could have.
That said, the framing aside, the Court’s approach is to my mind entirely correct. And its implications are huge, despite being limited to this particular context. It is not just the territorial interception of communications of an individual located abroad that would be covered under this approach. The same applies for any processing of the information acquired, even if the interception itself took place abroad. Thus, for example, if the UK hacked the phone of a person in China, but processed the information so acquired within the UK – as it almost invariably would do – then the search and examination of this data would be covered by the Convention even if the interception itself was not.
In other words, bringing back onto the state’s territory any data that implicates privacy interests of individuals would trigger the application of their right to privacy under the Convention. So would any examination of that data on the state’s territory, whether done by an automated system or by a human analyst, even if the data was kept in the cloud and its precise location was difficult to determine. The same goes for any information obtained from third parties, e.g. through intelligence sharing by other states, including those not parties to the Convention. However, cyber operations that simply destroy data located abroad could not be covered under this principle, although they should be covered under (at least my own view of) the personal conception of jurisdiction.
Bottom line – the Court’s approach here is so broad that we arrive at the same position as the one adopted by the German Constitutional Court: whenever European intelligence agencies acquire or process data implicating the interests of individuals, they have to respect their right to privacy and may interfere with that right subject to the legality, legitimacy, necessity and proportionality justification test. They cannot simply assert that the Convention does not apply at all.
This is, of course, a Chamber judgment, and not a Grand Chamber one. But it is still authoritative, especially because the Chamber was unanimous. Readers will correct me if I’m wrong, but it seems the UK government didn’t even attempt to refer this case to the Grand Chamber – likely a strategic choice. It remains to be seen how domestic courts in the UK will implement this judgment in their own jurisprudence, and whether the Grand Chamber will eventually mainstream this approach, as it should. For now, though, pursuant to Wieder and Guarnieri European intelligence agencies will need to apply the justification test under Article 8 of the Convention for all of their activities affecting individual rights and interests, both at home and abroad. (Those activities that do not implicate such interests – e.g. collecting intelligence about an adversary state’s plans or military assets – simply remain outside the scope of human rights law altogether.)
Share this:
Related
Categories
Tags
Leave a Comment
Comments for this post are closed
Comments
Andreas Paulus says
March 23, 2024
Dear Marko,
Thanks a lot for this great piece, as ususal. Just a side remark on German constitutional case law: That the mere interception of data in Germany creates (constitutional) jurisdiction, was already the case law in 1999 (from the judgment of 14 July 1999, 1 BvR 2226/94, headnote 2, https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/EN/1999/07/rs19990714_1bvr222694en.html: "The territorial scope of protection under the privacy of telecommunications [guaranteed by Art. 10 of the Basic Law] is not limited to the domestic territory. Rather, Article 10 of the Basic Law may also be applicable if telecommunications that take place abroad are intercepted and analysed on domestic territory, which sufficiently links the interference to domestic state action."). In 2020, the Federal Constitutional Court went even further, binding all exercise of German state power, acting intra- or extraterritorially, to the observance of fundamental rights, based on Art. 1 (3) of the German Grundgesetz. See BVerfG, Judgment of the First Senate of 19 May 2020 - 1 BvR 2835/17 -,
https://www.bverfg.de/e/rs20200519_1bvr283517en.html, headnote 1 and para. 89 et seq. We also argued that the European Convention did not stand in the way of such extraterritorial application, see id., paras. 97-99. Of course, we did not and could not pre-determine the development of ECtHR case law on the matter, which is welcome, in line with long-standing German case law on jurisdiction over constitutional rights.
Cheers, Andreas
Marko Milanovic says
March 23, 2024
Many thanks for this Andreas - yes, I think this judgment is in some ways a response by the European Court to the challenge that you and your colleagues in the Federal Constitutional Court gave it to do the right thing on extraterritorial surveillance!