Privacy & Information Security Law Blog

On May 25, 2021, the Grand Chamber of the European Court of Human Rights handed down its judgement in the case of Big Brother Watch and Others v. the United Kingdom, determining that the former surveillance regime in the UK violated Article 8 of the European Convention on Human Rights (“ECHR”), i.e., the right to respect for private and family life.

The regime, which was created under the Regulation of Investigatory Powers Act 2000 (“RIPA”) but has since been replaced by the Investigatory Powers Act 2016 (“IPA”), was found to violate Article 8 with respect to the rules permitting bulk interception and the obtaining of communications data from communication service providers. The Grand Chamber also determined that the surveillance regime violated freedom of expression under Article 10 of the ECHR in both of these respects.

Importantly, the Grand Chamber concluded that bulk interception does not in itself violate the ECHR, given the “multitude of threats States face in modern society.” However, bulk interception must be subject to end-to-end safeguards, meaning that assessments should be undertaken regarding the necessity and proportionality of the measures used. The bulk interception should also be subject to independent authorization before it commences, at the point at which the purpose and scope of the measures are being determined. In addition, the Grand Chamber found that the use of bulk interception should be subject to supervision and independent, ex post facto review.

The case was brought by journalists and human rights activists, who also objected to the regime’s rules around receipt of material intercepted by foreign governments and intelligence services. On this latter objection, the Grand Chamber determined that there had not been any violation of the ECHR, as there were sufficient safeguards in place to protect against abuse and to ensure that UK authorities had not used such requests to circumvent their duties under domestic law and the ECHR.

The Grand Chamber found that the regime under RIPA was deficient in permitting bulk interception to be authorized by the Secretary of State rather than an independent body. Applications for warrants had also failed to include categories of search terms defining the kinds of communications that would become liable for examination. Further, search terms linked to individuals, i.e., specific identifiers, had not been subject to prior internal authorization. With respect to Article 10, the Grand Chamber found that RIPA did not contain sufficient protections for confidential journalistic material.

RIPA has been replaced by the IPA, and the Grand Chamber did not directly evaluate the legality of the IPA’s provisions in its judgement. The European Data Protection Board  recently drew attention to the IPA in its Opinion on the draft UK adequacy decision issued by the European Commission on February 19, 2021, raising several concerns about the scope of the IPA and the level of protection it provides. The IPA also is currently subject to challenge by the human rights organization Liberty with respect to the bulk interception powers it provides to police and security services.