Friday, November 10, 2023

The "essence" of the fundamental rights to privacy and data protection in the context of state surveillance

The EDPS has just published a comprehensive study by Prof. Gloria González Fuster on the essence of the fundamental rights to privacy and to protection of personal data, and marked the publication of the study with a one day seminar on the issue earlier this week. As the event wasn't public I won't summarise what the other panellists said, though I'm sure they won't object if I refer to some of their excellent prior work either directly on the topic or touching on it (Prof. Takis TridimasProf. Cecilia RizcallahProf. Maria Grazia PorceddaProf. Kathleen Gutman; Prof. Herke Kranenborg (paywalled); Prof. Nóra Ní Loideáin; Prof. Hielke Hijmans).

For my part, I offered some practical thoughts on applying these concepts to state surveillance which I've summarised below.

To set the scene: identifying the "essence" of these fundamental rights is significant because of Article 52(1) of the Charter of Fundamental Rights which provides that "Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms". As the President of the CJEU, Koen Lenaerts, has explained:

Respect for the essence of fundamental rights is laid down in Article 52(1) of the Charter of Fundamental Rights of the European Union, as one of the conditions that must be fulfilled in order for a limitation on the exercise of a fundamental right to be justified. Accordingly, where an EU measure fails to take due account of the essence of a fundamental right, that measure is incompatible with the Charter and must be annulled or declared invalid. Similarly, where a national measure implementing EU law—within the meaning of Article 51(1) of the Charter—fails to respect the essence of a fundamental right, that measure is to be set aside.

While generally fundamental rights can be restricted if a limitation is a necessary and proportionate measure to achieve an objective of general interest or to protect the rights and freedoms of others, a measure which trenches on the essence of the right cannot be justified in this way. As President Lenaerts puts it:

Once it is established that the essence of a fundamental right has been compromised, the measure in question is incompatible with the Charter. This is so without it being necessary to engage in a balancing exercise of competing interests. As the Schrems I judgment shows, a measure that compromises the essence of a fundamental right is automatically disproportionate.

The caselaw on the "essence" of fundamental rights is, however, notoriously terse in its reasoning, especially in relation to state surveillance. That said, we can pick out four key findings:

First, the caselaw recognises a content/metadata distinction: In Digital Rights Ireland legislation requiring telecommunications companies to indiscriminately retain traffic and location data on all users was held not to violate the essence of the right to privacy under Article 7 of the Charter on the basis that "the directive does not permit the acquisition of knowledge of the content of the electronic communications as such". (Tele2 restates this point.) Conversely in Schrems I the CJEU held (regarding US law) that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter".

Second, it seems clear that the caselaw requires an individual legal remedy for wrongful surveillance to include deletion of illegally obtained surveillance material; in Schrems I the CJEU held that: "legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter". (Schrems II makes a similar finding in relation to the Privacy Shield ombudsman mechanism without explicitly addressing the point.)

Third, the CJEU seems to have implicitly accepted that indiscriminate state access to metadata would not violate the essence of the fundamental rights to privacy and data protection: in Privacy International the Court assessed UK bulk collection of communications data on a proportionality basis without mentioning the question of whether bulk collection violated the essence of these rights.

Fourth, the caselaw accepts (in the two PNR cases) that indiscriminate state access to travel data does not in itself violate the essence of the fundamental rights to privacy and data protection, at least so long as that data is "limited to certain aspects of that private life" and does not "allow for a full overview of the private life of a person" (Opinion 1/15; Ligue des droits humains).

Overall, therefore, the notion of the essence of rights has played a limited role in relation to EU and Member State surveillance measures, and the CJEU has been unwilling to hold that even what it describes as "very far-reaching [and] particularly serious" interference with these rights (indiscriminate telecommunications data retention) constitutes an interference with the essence. While there are many cases invalidating EU/Member State surveillance measures on proportionality grounds, there are none which find that such measures violate the essence of the rights to privacy or data protection.

Why this reluctance? It may be that preserving institutional capital plays a role: a finding that a particular form of surveillance violates the essence of a right would be very difficult to walk back in the case of Member State pushback, while a finding of disproportionality is more easily finessed in future cases. The one area where the CJEU has found a surveillance tactic to violate the essence of a right - generalised state access to the contents of communications - is precisely the area which has not presented a significant clash with Member States, as their bulk interception activities have largely been shielded from scrutiny by the CJEU by the general exclusion of national security measures from the scope of EU law. Instead, direct Member State activities in this area have generally been assessed by the more lenient standards of the ECHR, under which the ECtHR has held that bulk interception is in principle compatible with Article 8 (Big Brother WatchCentrum För Rättvisa).

My sense is that this position - in which the CJEU has not had to confront wider issues around the essence of the rights to privacy and data retention, particularly in relation to bulk interception - is about to come to an end.

Multiple current controversies are set to put issues about the essence of these rights in front of national courts and ultimately the CJEU. The Encrochat and SkyECC investigations are already presenting significant issues about the legality of bulk collection of communications from all users of particular services. The proposed CSAM Regulation would mandate indiscriminate examination of all communications on particular services and is certain to be challenged on that basis. The fallout from state use of spyware such as Pegasus across Europe continues. (Indeed, the EDPS has already described such spyware as threatening the essence of the right to privacy.) The EDPB has also described growing use of widescale facial recognition in public places as likely to violate the essence of the right to data protection.

What these situations have in common (with a possible exception in relation to state spyware, depending on the exact context) is that they are certainly within the scope of EU law and therefore do not benefit from the national security cloak of invisibility. It may be that some of these cases can be dealt with solely under the Law Enforcement Directive, the e-Privacy Directive, the forthcoming AI Act, or other relevant legislative measures, but it seems inevitable that the CJEU will ultimately have to address whether these types of large scale surveillance are compatible with the "essence" of the Charter rights to privacy and data retention.

Finally, I should mention an issue about procedural approaches to identifying the essence of these rights in the context of state surveillance. Some of the caselaw (such as Digital Rights Ireland and the PNR decisions) suggests that there is no breach of the essence of the right to data protection provided that the law provides some data protection safeguards, albeit that those safeguards might not be adequate. Other judgments (particularly Schrems I and II) place particular focus on the right to effective judicial protection under Article 47 of the Charter. However it seems to me that to concentrate on procedural safeguards risks conflating assessing the essence of the right with assessing the legality of the interference with the right. Article 52(1) of the Charter already provides that limitations on rights must be "provided for by law". This closely resembles Article 8(1) ECHR which provides that restrictions on the right to privacy must be "in accordance with the law" - a formula which has been used by the ECtHR in cases from Klass v. Germany onwards to read in safeguards such as independent oversight of surveillance as essential components of legality of surveillance systems. If the legality assessment already requires some procedural safeguards, then is it redundant to treat those safeguards as also making up (part of) the essence of these rights? To put it another way, what are the additional procedural or oversight elements that comprise the essence of these rights which are not required by the principle of legality?