European courts have interpreted privacy in a holistic manner, addressing not only the challenges of mass surveillance to data protection and the right to a private life, but also defending privacy as vital to the relationship of trust between the individual and the state in any democracy.
The reconfiguration of the security landscape in recent years has resulted in the transformation of the relationship between the individual and the state. A catalyst in this transformation has been the growing link between securitisation and pre-emptive surveillance, and the new focus of security governance on the assessment of risk.
Central in this context is a focus on the future in which the aim of pre-emptive surveillance is to identify and predict risk and danger. The pre-emptive turn in surveillance has been based largely upon the collection, processing and exchange of personal data, which has in turn been marked by three key features. The first feature involves the purpose of data collection and processing. This is no longer focused solely on data related to the commission of specific, identified criminal offences, but concentrates instead on the use of personal data to predict risk and pre-empt future activity.
The second feature concerns the nature of the data in question. On the one hand, pre-emptive surveillance focuses increasingly on the collection of personal data generated by ordinary, everyday life activities. This includes records of financial transactions, of airline travel (PNR) reservations and of mobile phone telecommunications. The focus on monitoring everyday life results in mass surveillance, marked by the collection and storage of personal data in bulk.
The third feature of pre-emptive surveillance concerns the actors of surveillance. A key element in this context, linked with the focus on the monitoring of everyday life, is the privatisation of surveillance: banks and other financial and non-financial institutions, airlines and mobile phone companies are legally obliged to collect, store and reactively or proactively transfer personal data to state authorities. This privatisation of surveillance has been accompanied by the expansion of state actors of surveillance, with maximum access to databases having been allowed to security agencies, regardless of the initial purpose of the transfer of personal data or of the database involved.
The combination of these three features of pre-emptive surveillance extends considerably the reach of the state and poses grave challenges to fundamental rights. Surveillance is occurring on a generalised, massive scale, via the proliferation of channels of data collection, processing and exchange and the generalisation and deepening of data collection. Everyday and sensitive personal data is now being collected en masse. This has led to what has been called ‘the ‘disappearance of disappearance’- a process whereby it is increasingly difficult for individuals to maintain their anonymity, or to escape the monitoring of social institutions. [1]
State authorities thereby have access to a wealth of personal data enabling practices such as profiling and data mining. This impact of state intervention on the individual is intensified when one considers the potential of combining personal data from different databases collected for different purposes in order to create a profile of risk or threat.
In addition to the substantive privacy challenges these developments pose, risk assessment in these terms also challenges the place of the citizen in a democratic society. The use of personal data in these terms leads to a process whereby individuals embarking on perfectly legitimate everyday activities are constantly being assessed and viewed as potentially dangerous without having many possibilities of knowing about or contesting any such assessment. And as has been noted, predictive determinations about one’s future behaviour are much more difficult to contest than investigative determinations about one’s past behaviour. [2]
Legal responses to the challenges posed by pre-emptive surveillance have largely focused on the introduction of a series of data protection safeguards in the various legislative instruments allowing for mass surveillance. However, the reach of these safeguards has been limited and the effectiveness of data protection monitoring mechanisms introduced (such as the scrutiny provided by Europol or by an EU official based in the US in the context of the EU-US TFTP Agreement) have been of questionable efficiency. [3]
More broadly, there are two main limitations to the effectiveness of data protection in addressing the challenges posed by pre-emptive surveillance single-handed. The first limitation stems from the limited capacity of data protection to question the political choice to maximise and generalise the collection and processing of personal data as such. As has been noted, data protection differs from privacy as it does not aim to create zones of non-interference by the state, but rather operates on a presumption that public authorities can process personal data. [4] Data protection thus rarely questions the legality and legitimacy of the very collection and transfer of personal data.
The second limitation of data protection in relation to privacy is the specificity of data protection, which is linked in turn to the changing focus of protection: while data protection is centres on the various categories of personal data, with the specific information collected and processed being its reference point, privacy focuses onthe personin terms of identity and the Self, aiming to provide a far more holistic framework for assessing the impact of surveillance on the relationship between the individual and the state.
Meanwhile, the value of privacy in addressing the challenges posed by pre-emptive surveillance has been highlighted in a number of recent judicial decisions, with the judiciary emerging as the leading institutional actor in reconfiguring the field. Courts have now had to deal with pre-emptive surveillance measures embracing both the collection of data by the state and the collection of data by the private sector. In the case of Marper [5] the European Court of Human Rights examined the compatibility with the European Convention on Human Rights (ECHR) of the systemic and indefinite retention of DNA profiles and cellular samples of persons who have been acquitted, or in respect of whom criminal proceedings have been discontinued in the UK.
The Court found that such blanket and indiscriminate retention of data is disproportionate and thus non-compliant with Article 8 of the Convention. The ruling is important in rejecting the retention of DNA data by the state per se: according to the Court, the mere retention and storing of personal data by public authorities, however obtained, is to be regarded as having a direct impact on the private-life interest of the individual concerned, irrespective of whether subsequent use is made of the data. [6]
A number of constitutional courts in Europe have declared the unconstitutionality of domestic data retention legislation implementing the EU data retention Directive. A common thread which can be discerned in the reasoning of constitutional courts is the emphasis on the adverse impact of breaches of privacy on the relationship between the individual and the state more broadly. The Romanian Constitutional Court has noted that data retention addresses all legal subjects, regardless of whether they have committed criminal offences or whether they are the subject of a criminal investigation, which is likely to overturn the presumption of innocence and to transform all users of electronic communication services or public communication networks a priori into people susceptible of commiting terrorist crimes or other serious crimes. According to the Romanian Court, continuous data retention is sufficient to generate in the mind of the persons involved legitimate suspicions regarding respect for their privacy and the perpetration of abuses by the state. [7]
Following up on these rulings by national constitutional courts on data retention, the Court of Justice, in its landmark ruling in the case of Digital Rights Ireland, [8] has annulled the EU data retention Directive on the grounds that the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
The Court stressed the impact of mass surveillance on privacy by noting that data retention entails interference with the fundamental rights of practically the entire European population as it affects, in a comprehensive manner, all persons using electronic communications services, but without the knowledge of persons whose data are being retained, even indirectly, in a situation which is liable to give rise to criminal prosecutions. [9] The Court’s powerful ruling puts an end to unlimited mass surveillance and raises questions on the constitutionality of other EU laws allowing for such surveillance in the context of transatlantic counter-terrorism cooperation, including the EU-US PNR and TFTP Agreements.
It is thus the judiciary, and not the legislator, who has developed a meaningful protection of privacy in the face of growing practices of mass surveillance globally. The highest courts in Europe (national constitutional courts, the European Court of Human Rights and the Court of Justice of the European Union) have all interpreted privacy in a holistic manner, addressing not only the specific challenges of mass surveillance to data protection and the right to private life, but also viewing privacy as part of what strengthens citizenship and upholds democracy, by preserving the relationship of trust between the individual and the state and avoiding the so-called ‘chilling effect’ of mass surveillance. [10]
This judicial approach to privacy is key to the development of a new global consensus in the field. The UN General Assembly has called for further work to be done on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or the interception of digital communications and the collection of personal data, including on a mass scale.[11] European courts have led the way in developing principles underpinning any future policy and legislative developments in the field. The hope for improved legal standards in the future does not obviate the need for the continuous influence of the judiciary in questioning mass surveillance and upholding privacy and free speech in a democratic society.
This is a revised and updated version of V. Mitsilegas, ‘The Value of Privacy in an Era of Security. Embedding Constitutional Limits on Pre-emptive Surveillance’ in International Political Sociology, 2014, vol.8, 104-108.
Read more from our 'Joining the dots on state surveillance' series here.
[1] K.D. Haggerty and R.V. Ericson, ‘The Surveillant Assemblage’ in British Journal of Sociology 2000, 619.
[2] D.J. Solove, ‘Data Mining and the Security-Liberty Debate’ in University of Chicago Law Review 2008, 359.
[3] V. Mitsilegas ‘Transatlantic Counter-terrorism Cooperation and European Values. The Elusive Quest for Coherence’ in D. Curtin and E. Fahey (eds), A Transatlantic Community of Law, Cambridge University Press, 2014, pp.289-315.
[4] P. de Hert and S. Gutwirth, ‘Privacy, Data Protection and Law Enforcement. Opacity of the Individual and Transparency of Power’, in E. Claes, A. Duff and S. Gutwirth (eds.), Privacy and the Criminal Law, Intersentia 2006, 77-78.
[5] Case of S. And Marper v. The UK, Application nos. 30562/04 and 30566/04.
[6] Paragraph 121.
[7] Decision no. 1258 from 8 October 2009.
[8] C-293/12, Digital Rights Ireland.
[9] Paragraphs 56, 58.
[10] Privacy and Civil Liberties Oversight Board, Report on the Telephone Records Program Conducted Under Section 215 of the USA Patriot Act and on the Operations of the Foreign Intelligence Surveillance Court, January 23, 2014, 13.
[11]Resolution 68/167, The Right to Privacy in a Digital Age, adopted on 18.12.2013, A/RES/68/167.