reports about the number of times they had been approached to share personal information, the government was not following suit and releasing similar reports.26 According to documents leaked by Snowden, in the US an internal audit found that the NSA broke privacy rules thousands of times.27 To all intents and purposes, national security has trumped informational privacy laws.
In addition to seeking legal protections through ensuring the enactment of data protection laws, privacy advocates have mounted legal challenges to enforce privacy rights, initially through complaints-receiving bodies on surveillance matters and, if these did not succeed, through the courts. This strategy has yielded mixed results, with the most positive being achieved in Europe, through the European Court of Human Rights. In the UK, several legal challenges have succeeded, and many of these have been brought by NGOs such as Privacy International and Liberty. Much of their work has focused on lodging complaints with the IPT, and then appealing against unsatisfactory decisions. As a result of the Snowden revelations and of sustained advocacy by NGOs, the number of complaints received by the IPT has grown by over 250 per cent, and increasing public scrutiny of this formerly little-known body has placed it under pressure to hold more hearings in public and communicate its findings more widely.28
Overall, though, the IPT has been unwilling to reconsider the intelligence agencies’ arguments for mass surveillance powers. Privacy International, joined by several internet companies, has brought a complaint about GCHQ’s use of bulk hacking outside the country, but this was not successful as the IPT refused to rule on the matter, leading to its being referred to the European Court. However, during the case GCHQ did admit that it undertook hacking to obtain information, modify target devices and carry out intrusive activities, which it had previously refused to confirm or deny.29 Privacy International, the National Council of Civil Liberties and other organisations have also filed separate complaints about mass surveillance and intelligence-sharing with the UK government. The IPT ruled that intelligence-sharing between the US and the UK – where the UK accessed information from the PRISM and UPSTREAM programmes – was illegal because the rules governing these activities had not been made available publicly, but that once some of them were, the sharing was rendered legal, making this case the first in which the IPT had ruled against the UK intelligence agencies.30
This victory showed that with persistence, gains can be won even from institutions that appear to be captured by the very agencies they were meant to oversee. However, the organisations disputed the IPT’s argument that the release of some of the relevant rules automatically rendered such intelligence-sharing lawful, especially given the fact that during the case GCHQ itself admitted to requesting and receiving bulk data without a warrant.31 The IPT’s unwillingness to rule on the GCHQ’s current activities meant that the agency continued to enjoy massive powers to collect the personal data of large numbers of people without even a reasonable suspicion of their having been involved in a crime, and in secret. Another victory was when the IPT found that GCHQ and MI5 had secretly and illegally harvested massive amounts of personal information from various databases between 1998 and 2015, as these activities were not subject to sufficient supervision, but again stopped short of saying that the surveillance itself was unlawful, thereby confirming a trend in the tribunal’s judgments to shy away from this all-important question.32 The UK government has also been very canny in responding to IPT judgments: if a power is not authorised sufficiently in law, then the government merely changes the law to give the power a legal backdrop, without addressing the substantive issues about whether that power is appropriate in the first place.33
More substantive rulings have been forthcoming from the European Court of Human Rights, which rules on cases relating to the member states of the European Council according to the European Convention on Human Rights. The difficulty with taking mass surveillance cases to court, though, is that courts do not like considering cases in the abstract; as a result, there need to be specific complainants. But given the high levels of secrecy surrounding surveillance, communications users may not know if they are the targets of surveillance. On the other hand, investigatory tribunals such as the IPT require lower burdens of proof, as they both investigate and determine complaints. The court has addressed this problem by deciding to rule on complaints from people or organisations that are potentially at risk of being subjected to surveillance. It has also found Russia and Hungary guilty of contravening the European Convention on Human Rights through their surveillance practices, expressing concern in the case of Russia about insufficient oversight, and the potential for abuses when security services have direct, warrantless access to communications networks.34 In the Russian case, brought by the editor Roman Zakharov, the court made a strong statement against mass surveillance, stating that it ‘considers that a system, such as the Russian one, which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse. The need for safeguards against arbitrariness and abuse appears therefore to be particularly great.’35
In the case of Hungary, the European Court expressed concern about the overbroad powers wielded by the security services in conducting anti-terrorism surveillance, subjecting nearly all citizens to surveillance with no proper oversight, especially judicial oversight.36 The court also recognised the right of users to be informed that their communications had been subjected to surveillance. However, unlike the ruling in the Russian case, this one took an ambiguous approach towards whether mass surveillance in principle should be considered unlawful, leaving the door open to its accepting the necessity of mass processing of data in future, provided certain safeguards were put in place.37
These rulings followed in the wake of two landmark rulings by the European Court of Justice (which rules on cases relating to EU members – the UK will no longer be subject to it once it leaves the EU). The first case found that the EU legislature had exceeded the legal requirement of proportionality when a data retention directive mandated the indiscriminate storage of metadata by public electronic communications companies for a period of between six and twenty-four months. It found that the very act of storage impacted on the right to privacy, even if the data had not been processed; however, the court remained silent on the appropriateness of data retention for law enforcement purposes.38 The second case (involving an Austrian lawyer called Maximillian Schrems based in Ireland) found that the transfer of data to a country that did not have adequate privacy protections could not be condoned legally, even if the destination country claimed that it provided a ‘safe harbour’ for received data. In possibly the strongest legal statement yet against mass surveillance, as well as a slap on the wrist for the Irish Data Protection Commissioner, the court argued the following: ‘In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the [EU] Charter [of Fundamental Rights].’39 While this judgment related to communications content, it was silent on the mass surveillance of metadata.
Legal precedents are still emerging from the US. A negative precedent was set shortly before the Snowden revelations in the Clapper judgment, in a major setback to civil society attempts to litigate around mass surveillance programmes. The US Supreme Court rejected a challenge to the FISA Amendment Act, which broadened the grounds for the surveillance of international phone calls and emails, although the judges were split along ideological lines.40 The applicants included Amnesty International, the ACLU and a range of other civil society and journalism organisations. The majority opinion of the court argued that the applicants could not prove that they had suffered particularised, imminent harm from surveillance, and they were reminded that as the plaintiffs, they were under an obligation to provide concrete evidence of surveillance. As a result, they lacked standing to litigate on these matters, and the case was dismissed.41 This setback underscored the more conservative approach of US judges to judicial oversight of executive surveillance powers, and put civil society organisations in an impossible position. Without clear and demonstrable ‘victims’, these organisations could
