On December 4, the Grand Chamber of the European Court of Human Rights unanimously ruled that the SORM system of direct access to communications networks in Russia violated the right to privacy enshrined in Article 8 of the European Convention on Human Rights. Zakharov v. Russia is the most recent judgment on the proper limits of communications surveillance powers, and its release at a time when the United Kingdom’s Draft Investigatory Powers Bill is under consideration is not likely to be coincidental. This post will focus on three noteworthy aspects of the judgment: its clarification of requirements for standing when challenging communications surveillance laws, its treatment of data retention standards, and its conclusions regarding direct access systems.
At the heart of the Zakharov case is the SORM system of surveillance which is present in Russia and several former Soviet states. It allows law enforcement authorities to intercept the content of communications and to obtain non-content data by means of a direct connection to the networks of communications service providers (CSPs). According to the European Telecommunications Standards Institute, CSPs should facilitate the transfer of data to authorities when an order for interception is presented, but law enforcement should not have direct access to networks. European telecommunications companies and Privacy International have disclosed that direct access is employed by a range of states beyond the Eurasia region.
In his application to the European Court, the chair of a civil society organization alleged that the system of covert interception of mobile communications in Russia did not comply with Article 8, despite the fact that judicial authorization of surveillance was required by law. The case reached the Grand Chamber when the First Section relinquished jurisdiction pursuant to Article 30 of the European Convention, which may be applied when a case “raises a serious question affecting the interpretation of the Convention or the protocols thereto.” The Grand Chamber held that several aspects of Russian law were incompatible with the Convention, including that communications surveillance was permitted for a broad range of criminal offenses (including pickpocketing), surveillance was not limited to those suspected of having committed offenses, and robust oversight mechanisms and effective remedies were lacking.
Standing to challenge communications surveillance laws
In Zakharov, the Grand Chamber reconciled its two approaches to standing and affirmed that Kennedy v. United Kingdom provides the relevant standard where secret surveillance laws are concerned. Accordingly, an applicant can challenge a surveillance law in abstracto if 1) the law is sufficiently broad as to affect her due to membership in a group targeted by the law or because any user of a communications service is presumably affected, and 2) national law does not provide an effective remedy to an individual who suspects that her communications were monitored. The Court determined that this test was satisfied in Zakharov. Alternatively, where effective remedies exist, an applicant may claim that secret surveillance laws violated his rights “only if he is able to show that, due to his personal situation, he is potentially at risk of being subjected to such measures” (para. 171). This approach notably sets the bar higher for applications originating from states such as Germany or the United Kingdom.
Data retention requirements
The Court’s brief provisions on the retention of communications data are noteworthy after the uncertainty that has followed invalidation of the EU Data Retention Directive. In the Digital Rights Ireland case, the Court of Justice of the European Union found the requirement that CSPs store all non-content communications data for a minimum period of six months to be excessively broad, given that the retained data need not have been linked to the prosecution of serious crimes and no criteria limited national authorities’ access to and subsequent use of the data.
In Zakharov, the European Court deemed it reasonable that intercepted material had to be destroyed after six months if the subject was not charged with a criminal offense; if charges were brought, a judge would determine whether to retain the data. At the same time, the Court indicated that “[t]he automatic storage for six months of clearly irrelevant data cannot be considered justified under Article 8”, and the law must provide for the destruction of this data. Furthermore, Russian law was seen to give judges too much discretion to decide whether data should be stored after the conclusion of criminal proceedings (paras. 255-56). These points may provide cues to states such as Germany, the United Kingdom, and Sweden, where data retention mandates are presently being debated.
Direct access to communications networks
Finally, the European Court observed that “the requirement to show an interception authorisation to the communications service provider before obtaining access to a person’s communications is one of the important safeguards against abuse by the law-enforcement authorities, ensuring that proper authorisation is obtained in all cases of interception” (para. 269). Although Russian law generally provided for prior judicial authorization of communications surveillance, the Court concluded that in practice, this could be circumvented. It noted that Russian law prohibited maintaining records of interception, and it found that supervision of interception by judges and prosecutors was limited and not open to public scrutiny. The absence of a requirement to notify the subject when surveillance had ceased further undermined the effectiveness of any available remedies. Consequently, Russia’s SORM system was found to be inconsistent with the requirements of Article 8.
Zakharov creates a strong presumption against the conformity of direct access regimes with the European Convention on Human Rights. Presently, these systems are employed by several parties to the Convention. The Court implies that robust and independent oversight mechanisms might be found to make a direct access system consistent with Article 8. These would need to include the tracking of instances in which direct access takes place, the supervision of communications surveillance by two or more independent authorities with broad powers to investigate the facts surrounding surveillance and to order its cessation, and the subsequent notification of subjects of surveillance where feasible. Few states are likely to meet this standard.