The International Journal of Human Rights

ISSN: 1364-2987 (Print) 1744-053X (Online) Journal homepage: https://www.tandfonline.com/loi/fjhr20

‘The right to privacy and the future of mass

surveillance’

Eliza Watt

To cite this article: Eliza Watt (2017) ‘The right to privacy and the future of mass surveillance’, The
International Journal of Human Rights, 21:7, 773-799, DOI: 10.1080/13642987.2017.1298091

To link to this article: https://doi.org/10.1080/13642987.2017.1298091

Published online: 23 May 2017.

Submit your article to this journal

Article views: 4803

View related articles

View Crossmark data

Citing articles: 2 View citing articles

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=fjhr20
THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS, 2017
VOL. 21, NO. 7, 773–799
https://doi.org/10.1080/13642987.2017.1298091

‘The right to privacy and the future of mass surveillance’

Eliza Watt
School of Law, University of Westminster, London, UK

ABSTRACT ARTICLE HISTORY

This article considers the feasibility of the adoption by the Council of Received 1 November 2016
Europe member states of a multilateral binding treaty, called the Accepted 19 February 2017
Intelligence Codex, aimed at regulating the working methods of
KEYWORDS
state intelligence agencies. The Codex is the result of deep privacy; cyber surveillance;
concerns about mass surveillance practices conducted by the non-discrimination;
United States’ National Security Agency and the United Kingdom Intelligence Codex; soft law
Government Communications Headquarters. The article explores
the reasons for such a treaty. To that end, it identifies the
discriminatory nature of the United States’ and the United
Kingdom’s domestic legislation, pursuant to which foreign cyber
surveillance programmes are operated, which reinforces the need
to broaden the scope of extraterritorial application of the human
rights treaties. Furthermore, it demonstrates that US and UK
foreign mass surveillance interferes with the right to privacy of
communications and cannot be justified under Article 17 ICCPR
and Article 8 ECHR. As mass surveillance seems set to continue
unabated, the article supports the calls from the Council of
Europe to ban cyber espionage and untargeted cyber surveillance.
The response to the proposal of a legally binding Intelligence
Codex from the 47 Council of Europe governments has been so
far muted, however a soft law option may be a viable way forward.

1. Introduction
Peacetime espionage is by no means a new phenomenon in international relations.1 It has
always been a prevalent method of gathering intelligence from afar, including through
electronic means.2 However, foreign cyber surveillance on the scale revealed by Edward
Snowden performed by the United States National Security Agency (NSA), the United
Kingdom Government Communications Headquarters (GCHQ) and their Five Eyes part-
ners3 is a relatively recent activity. It can be defined as targeted and untargeted intercep-
tion, bulk collection and storage of digital communications (content and metadata4).
Foreign cyber surveillance comprises both transnational and extraterritorial surveillance.5
It is conducted through the use of a variety of tools and programmes, such as PRISM and
Tempora. The latter, predominantly used by the UK intelligence services, allows accessing
of global communications through tapping of the fibre-optic underwater cables, giving
GCHQ the ability to monitor up to 600 million communications every day.6 The NSA’s

CONTACT Eliza Watt [email protected]

© 2017 Informa UK Limited, trading as Taylor & Francis Group
774 E. WATT

PRISM enables direct access to the customer data from nine internet firms, including
Google, Microsoft and Yahoo.7
This article examines the legality of foreign cyber surveillance by NSA and GCHQ from
the perspective of international human rights law, specifically the right to privacy under
Article 17 of the International Covenant on Civil and Political Rights 1966 (ICCPR)8
and Article 8 of the European Convention on Human Rights 1950 (ECHR).9 Since
these activities are likely to continue, important questions regarding the future protection
of the privacy of millions of people worldwide must be addressed both nationally and
internationally. The United Nations (UN) together with regional human rights bodies
and organisations have voiced concerns, but these seem to be to no avail. This article
therefore explores the viability of a legally binding, multilateral cyber surveillance treaty
to regulate the practices of intelligence gathering at home and abroad. Such a treaty,
called the ‘Intelligence Codex’, has recently been proposed by the Committee on Legal
Affairs and Human Rights of the Parliamentary Assembly of the Council of Europe
(PACE).10 It is a multilateral ‘no-spy’ regional instrument among European countries,
which aims to lay down rules governing cooperation for the purposes of fighting terrorism
and organised crime.11 It has been put to the ministers of the 47 Council of Europe
member states, but has already met with one rejection, from the Netherlands. The
Dutch government viewed the idea of banning the use of states’ investigatory powers
against each other, for instance, for political purposes, as unrealistic, having the potential
to ‘irresponsibly limit intelligence collection’.12
This article takes a different view and considers the Codex as a step in the right direc-
tion. The ensuing discussion is divided into five sections. Section one outlines the domestic
legal bases authorising foreign cyber surveillance and demonstrates that they unjustly dis-
criminate on the basis of nationality. Section two makes a case for the extraterritorial
application of human rights treaties in the context of cyber surveillance abroad. Section
three shows how cyber surveillance amounts to an interference with the right to privacy
of communications and section four finds no justifications for such interference, as set
out in Article 17 ICCPR and Article 8(2) ECHR. This leads to the inevitable conclusion
in section five that foreign cyber surveillance should no longer be permitted to operate
in an international regulatory legal vacuum. To that end, this section supports the idea
of a legally binding agreement as proposed by the Council of Europe.

2. Cyber surveillance programmes and their domestic legal bases

The activities of the NSA and GCHQ are secretive by definition. However, the global con-
demnation of the US and the UK’s sponsored surveillance has caused the US government
to admit the existence of PRISM. Whilst the UK confirmed that it has been the recipient of
data from PRISM via its intelligence sharing relationship with the US,13 the government
has adopted a ‘neither confirm nor deny’ policy towards Tempora.14
PRISM operates pursuant to Section 702 of the Foreign Intelligence Surveillance Act
(FISA).15 This provision was introduced by the FISA Amendment Act (FAA) 2008,
which revised the previous surveillance rules. The FAA adopts different approaches
depending on whether the targets of surveillance are ‘United States persons’,16 or ‘non-
United States’ persons17 and may be summarised as follows: (a) US persons can be tar-
geted only upon showing probable cause to believing that he/she is an agent of a
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 775

foreign power,18 whereas non-US persons can be targeted showing a lower ‘reasonable
belief’ standard; (b) US persons may only be targeted if there is a judicial warrant from
the Foreign Intelligence Surveillance Court (FISC), whereas non-US persons can be tar-
geted without FISC-approved individual warrants; (c) the minimisation requirements
for communications of US persons do not extend fully to non-US persons located
outside the US.19
The UK surveillance powers to intercept foreign communications are set out primarily
in the Regulation of Investigatory Powers Act 2000 (RIPA), soon to be replaced by the
Investigatory Powers Act 2016.20 The RIPA too makes a distinction, but between ‘internal’
and ‘external’ communications. ‘Internal interceptions’ may only be conducted on the
basis of individual warrants,21 which must name or describe a person, or single set of pre-
mises to be intercepted.22 Conversely, the interception of ‘external communications’,23
that is, the ‘means of communications sent or received outside the British Islands’,24 is
very loosely controlled. A warrant does not need to identify a specific person, or premises
but need only contain the description of intercepted material. There is no upper limit to
the number of external communications that may be intercepted on the basis of s. 8(4)
RIPA and warrants granted pursuant to this section can last for either three or six
months and be renewed indefinitely.
The discriminatory nature of s. 702 FAA 2008 and s. 8 RIPA 2000 is clear, but it is just a
part of a wider US and its Five Eyes partners policy stance post 11 September 2001, which
places emphasis on citizenship as a basis for fundamental rights.25 This therefore requires
that the rights of non-citizens be clarified under international law. The fundamental rec-
ognition that all persons by virtue of their essential humanity are equal and should enjoy
all human rights without discrimination is contained in Article 2(1) of the Universal
Declaration of Human Rights26; Articles 227 and 2628 of the ICCPR; Articles 129 and
230 of the International Covenant on Economic Social and Cultural Rights 1976
(ICESCR); and Article 1431 of the ECHR. The UN Human Rights Committee (HRC), a
body of independent experts that monitors the implementation of the ICCPR by its
state parties, is tasked with providing a guide to the covenant’s interpretation. This the
committee does through issuing non-country specific and non-legally binding general
comments, with the purpose to, inter alia, promote the effective implementation of the
covenant, clarify its requirements and stimulate the activities of state parties as well as
international organisations in the promotion and protection of human rights.32 In
General Comment No. 15 in relation to the rights under the ICCPR, the HRC explained
that the rights in the covenant apply to everyone, irrespective of their nationality and the
general rule is that each one of these rights must be guaranteed without discrimination
between citizens and aliens.33 The ICESCR likewise established that governments shall
take progressive measures to the extent of available resources to protect the rights of every-
one regardless of their citizenship.34 Thus, the fundamental principle dictates that human
rights are presumptively owed to citizens and non-citizens alike, unless a particular treaty
(or customary rule) allows for differential treatment. Both the ICCPR and the ICESCR
permit states to draw distinctions between citizens and non-citizens, but only with
respect to three categories of rights, namely political rights, freedom of movement and
economic rights in developing countries.35 Thus, under Article 25 ICCPR, the right to par-
ticipate in public affairs, to vote, to hold office and to have access to public services is guar-
anteed to citizens only.36 Similarly, Article 12(4) ICCPR provides that no one shall be
776 E. WATT

arbitrarily deprived of the right to enter his own country,37 whilst the ICESCR Article 2(3)
allows developing counties to ‘determine to what extent they would guarantee the econ-
omic rights recognised in the present Covenant to non-nationals’.38 States therefore
may not draw distinction between citizens and non-citizens as to social and cultural
rights, with exception of the right to public participation and of movement. Having
said that, international law, as well as state practice consistently sanction discrimination
and distinctions on the basis of nationality, which means that some discrimination on
these grounds would be permissible.39 The HRC in its General Comment No. 18 clarified
this by stating that
not every differentiation of treatment will constitute discrimination, if the criteria for such a
differentiation are reasonable and objective and if the aim is to achieve a purpose, which is
legitimate under the [International] Covenant [of Civil and Political Rights]40

and is proportional to the achievement of that objective.41 The ‘objective and reasonable
justification’ is also a criterion that the European Court of Human Rights (ECtHR), an
international court that rules on applications alleging violations of the ECHR, requires
a state to satisfy in order to show that the difference in treatment was not discriminatory.
In Burden v. United Kingdom42 the Strasbourg Court held that
a difference of treatment is discriminatory if it has no objective and reasonable justification;
in other words, if it does not pursue a legitimate aim and if there is not a reasonable relation-
ship of proportionality between the means employed and the aim sought to be realised. The
Contracting State enjoys a margin of appreciation in assessing whether and to what extent
differences in otherwise similar situations justify a different treatment.43

States are obliged to ensure that measures taken in the struggle against terrorism do not
discriminate in purpose, or effect on grounds of nationality, and the principle of non-dis-
crimination must be observed in all matters, in particular in those concerning liberty,
security and dignity of the person, equality before the courts and due process of law, as
well as international cooperation in judicial and police matters.44 In guaranteeing
certain rights to citizens only, the US and the UK laws breach the provisions of non-dis-
crimination and equal treatment under the ICCPR and the ECHR, which, as will be shown
below, cannot be justified on objective and reasonable grounds. Indeed,
the unique position of the United States (and the United Kingdom) with regards to the phys-
ical infrastructure of the internet and the fact that the private companies based in the US
collect and store huge amounts of data of persons residing anywhere in the world makes
the exclusion of ‘non-US [and UK] persons’ from any legal protection against mass surveil-
lance simply intolerable – it may well lead to the destruction of the internet as we know it.45

This reinforces the need to broaden the scope of the extraterritorial application of these
states’ human rights obligations to apply to foreign cyber surveillance, as discussed next.

3. Extraterritorial application of the ICCPR and ECHR and cyber

surveillance
Article 17 ICCPR and Article 8 ECHR apply extraterritorially, which means that states
must respect the right to privacy whenever individuals are within their territory as well
as their jurisdiction.46 However, the US has long denied that it has obligations to
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 777

respect and protect human rights outside its borders (territory), despite views to the con-
trary expressed by most international human rights courts and bodies.
The jurisdictional scope of application of the ECHR and the ICCPR are set out in
Article 147 and Article 2(1)48 respectively. The US has consistently held a narrow stance
regarding extraterritorial application of the covenant since its statement to the Human
Rights Committee in 1995.49 This position has been based on Article 31(1) of the
Vienna Convention on the Law of the Treaties (VCLT), which requires that treaties
should be read ‘in accordance with the ordinary meaning … of [their] terms’. 50 The US
approach is that obligations under the ICCPR will only arise if both conditions in
Article 2(1) ICCPR are satisfied, that is an individual must be ‘within its territory’ and
‘subject to its jurisdiction’, which rules out the extraterritorial application of the ICCPR
altogether. This interpretation, in particular in relation to foreign cyber surveillance,
must be rejected in favour of the more expansive view taken by international bodies,
according to which a state must ensure human rights within its territory and anywhere
it has ‘effective control’ of either the territory, or a person. There are a number of
reasons for this. First, the narrow approach favoured by the US has been repeatedly criti-
cised by the Human Rights Committee in its 1994,51 2006 and 2014 reports.52 Second, the
HRC endorsed the extraterritorial application of the covenant, also relying on Article 31
VCLT, but unlike the US, the committee invoked its ‘object and purpose’ to determine that
the conditions contained in Article 2(1) ICCPR should not be determined conjunctively,
but disjunctively. According to its General Comment No. 31, states must respect and
ensure the rights laid down by the covenant to anyone within the power or effective
control of that state party, even if not situated within its territory.53 Additionally, the
HRC considered that ‘state parties are required to give effect to the obligations under
the Covenant in good faith’ pursuant to Article 26 of the VCLT.54 The HRC adopted
this expansive approach in several cases, such as Lopez Burgos v. Uruguay,55 Montego v.
Uruguay56 and in Munaf v. Romania.57 Recently, the HRC in its General Comment No.
3558 concerning Article 9 ICCPR59 confirmed that ‘[s]tate [p]arties have an obligation
to respect and ensure the rights under Article 9 to all persons who may be within the ter-
ritory and to all persons subject to their jurisdiction’.60 When considering the US cyber
surveillance activities in its 2014 report, the HRC clearly found that foreign surveillance
implicates ICCPR, stating that the US should ‘take all necessary measures to ensure
that its surveillance activities, both within and outside the United States, conform to its
obligations under the Covenant, including Article 17’.61 Third, the established jurispru-
dence of other international courts, such as the International Court of Justice (ICJ) and
the ECtHR also support the wider, extraterritorial application of human rights treaties.
In the Legal Consequences of the Construction of a Wall in the Occupied Palestinian Ter-
ritories Advisory Opinion62 and the Case Concerning Armed Activities on the Territory of
the Congo,63 the ICJ concluded that the ICCPR was applicable ‘in respect to acts done by a
State in the exercise of its jurisdiction outside its own territory’.64 By far the most devel-
oped and varied jurisprudence on the issue of extraterritoriality however is that of the
ECtHR interpreting Article 1 ECHR. The approach taken by the Strasbourg Court in
Al-Skeini v. United Kingdom65 clarified its earlier stance on the issue.66 The court reaf-
firmed two basic models of state jurisdiction: the spatial model (jurisdiction as effective
overall control by a state over an area, or territory)67 and the personal model (jurisdiction
as an exercise of authority, or control by state agents over an individual),68 emphasising
778 E. WATT

however that extraterritorial application of ECHR can only be exceptional and needs to be
justified by reference to general international law.69 Post Al-Skeini cases attest to a more
expansive view towards the question of extraterritorial application of the convention, with
regard to both the personal (Jaloud v. the Netherlands)70 and the spatial model (the so-
called Nagorno-Karabakh cases).71 These cases are a clear indication of the trend in the
ECtHR jurisprudence towards a clearer, more factual and importantly more permissive
approach,72 which also is in line with other human rights bodies.73
Neither the HRC, nor the ECtHR has yet pronounced directly on the extraterritorial
application of the ICCPR and ECHR to cases of cyber surveillance.74 Nevertheless, they
may well be persuaded to do so, especially in the light of recent explicit acknowledgements
from both the HRC and the UN General Assembly that extraterritorial surveillance raises
human rights concerns.75 In particular, the UN High Commissioner for Human Rights’
report on The Right to Privacy in the Digital Age76 noted the circumstances when
human rights obligations may be engaged in the context of extraterritorial surveillance.
This will arise in relation to any person, irrespective of their nationality, or physical
location whenever a state exercises effective control over the technical, or physical
means through which privacy rights are interfered with, for example by direct tapping
or penetration of the infrastructure, irrespective of whether or not the state exercises
power or effective control over the individual rights bearer as such.77 The US Upstream78
and the UK Tempora programmes are designed to do exactly that and therefore in all
probability engage these countries’ obligations under the ICCPR (UK and US) and the
ECHR (UK). The same applies to the US PRISM, as it allows direct access to the
servers of third parties that physically control the data, including Google, Microsoft and
Yahoo. In addition, Special Rapporteur Ben Emmerson QC was clear on this point,
observing that the ‘[state’s jurisdiction] is not only engaged where State agents place
data interceptors on fibre-optic cables travelling through their jurisdictions, but also
where a State exercises regulatory authority over the telecommunications or Internet
Service Providers that physically control the data’.79

4. Cyber surveillance as an interference with the right to privacy of

communications
Article 17 ICCPR prohibits ‘arbitrary or unlawful interference with privacy, home or cor-
respondence’80 and obliges all state parties to create legal frameworks for the effective pro-
tection of privacy, including adequate complaint systems and remedies for the violation of
this right. The HRC made it clear that ‘confidentiality of correspondence should be guar-
anteed de jure and de facto’.81 Correspondence ‘should be delivered to the addressee
without interception and without being opened or otherwise read’.82 The committee’s
interpretation of the scope of the term ‘correspondence’ clearly covers NSA/GCHQ
cyber surveillance of digital communications, as the term includes all electronic communi-
cations, such as email,83 instant messages, together with telephonic and telegraphic com-
munications.84 Electronic surveillance, wire-tapping and the recording of conversations is
prohibited.85 In addition, the gathering and holding of personal information on compu-
ters, data banks and other devices, whether by public authorities or private individuals,
must be subject to appropriate state regulation and safeguards.86 The HRC interpreted
the phrase ‘interference’ broadly, to include any measure that either directly or indirectly
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 779

infringes on an individual’s privacy interests.87 For these reasons, it is very likely that both
NSA and GCHQ surveillance practices interfere with privacy because the mere collection
and storage of data, including that which is publically accessible, constitutes an interfer-
ence falling within the ambit of Article 17 ICCPR.
Similarly, Article 8 ECHR protects everyone’s private life, home and correspon-
dence from interference by a public authority, except on specific grounds provided
in subparagraph 2.88 The extent of interference with the right to privacy in the
context of states’ secret surveillance operations has been subject to an extensive
analysis of the ECtHR on a number of occasions. A series of early cases dealing
with the interception of telephone conversations applying various surveillance tech-
niques by law enforcement agencies helped to develop a number of principles.
Such cases as Klass and Others v. Germany,89 Malone v. United Kingdom,90
Halford v. United Kingdom91 and Liberty and Others v. United Kingdom92 estab-
lished, inter alia, that wire-tapping of telephone conversations, together with the
use of covert surveillance technologies invariably engages Article 8, since the
notion of ‘private life’ and ‘correspondence’ extends to the interception of telephone
communications and ‘metering’ practices.93 In Liberty the ECtHR explicitly stated
that email communications are also included in the ambit of ‘private life’ and ‘cor-
respondence’.94 The court also ruled on the collection and storage of personal data
by public authorities.95 Additionally, in Weber and Saravia v. Germany96 and
Kennedy v. UK97 the ECtHR held that the legislation, which by its mere existence
entails a threat of surveillance for all those to whom it might be applied, impacted
on freedom of communication between the users of the telecommunications services
and thereby amounted in itself to an interference with the exercise of the rights
under Article 8 ECHR. Most recently, the ECtHR engaged with domestic mass sur-
veillance regimes in Roman Zakharov v. Russia98 and Szabo and Vissy v. Hungary.99
In Zakharov, the Grand Chamber of the ECtHR held that the Russian system for
permitting surveillance across mobile networks in the interests of crime prevention,
which required the network operators to install equipment allowing the interception
of all telephone communications without prior judicial authorisation, violated Article
8. Szabo concerned surveillance powers of the Hungarian intelligence agency con-
tained in the Police Act 1994 (s. 7/E(3)), including interception of electronic or
computerised communications without the consent of the person concerned on
anti-terrorist grounds. These powers were subject to ministerial, rather than judicial
authorisation. They were not linked to a particular crime and required a warrant to
relate only to premises, persons concerned, or ‘a range of persons’, being therefore
potentially executable against any person. Given the fact that the scope of the
measures could include virtually everyone in Hungary, that the ordering was entirely
in the guise of the executive without an assessment of whether interception was
strictly necessary, that new technologies enabled the Hungarian government to inter-
cept vast amounts of data concerning even persons outside the original range of
operations, together with an absence of any effective remedial measures, the court
concluded that there had been a violation of Article 8.100 These latest judgments
reinforce the ECtHR antagonism towards mass surveillance and signal its willingness
to take a hard line in the currently pending cases against the UK government,
including Big Brother Watch.101
780 E. WATT

5. Can mass cyber surveillance be justified?

In one word: no. Any justification put forward by the US and UK authorities must satisfy
the requirements of Article 17 ICCPR and Article 8(2) ECHR. Unlike Article 8(2), Article
17 does not provide specific grounds limiting the right to privacy. However, as other non-
absolute rights, Article 17 may be limited by proportionate measures designed to achieve a
valid aim.102 Based on the practice of the HRC,103 as well as the wording of Article 8(2)
and its interpretation by the ECtHR, the test for permissible limitations boils down to
three main criteria, namely (a) ‘in accordance with the law’; (b) legitimate aim and (c)
necessity and proportionality.

5.1. In Accordance with the law

Article 17 ICCPR prohibits ‘unlawful’ interference, meaning that ‘no interference can take
place except in cases envisaged by the law’,104 which itself must comply with the objectives
of the covenant105 and ‘be formulated with sufficient precision to enable an individual to
regulate his or her conduct accordingly and it must be made accessible to the public. A law
may not confer unfettered discretion.’106 The provision of ‘in accordance with the law’ in
Article 8(2) ECHR similarly requires that surveillance measures must have ‘some basis in
domestic law’, be accessible to the person concerned, be foreseeable as to its effects107 and
be relatively detailed.108
The use of surveillance programmes, including Tempora, does not meet these stan-
dards. First, there are very few states that have so far enacted primary legislation explicitly
authorising such programmes.109 For example, there is no UK statute to date specifically
authorising interception of communications involving the tapping of the undersea fibre-
optic cables. The RIPA, aimed at the interception of domestic and foreign telephone com-
munications, has been simply adapted to the new reality of intercepting all internet traffic.
As long as one end of a communication is outside the UK, the RIPA warrants authorising
‘external’ communications. However, the distinction between ‘external’ and ‘internal’
communications in the context of digital communications is purely theoretical and
makes no real difference in practice as to what information may be collected. As a
result, the exact legal bases for these powers are unknown and not readily accessible,
whilst their use is vague and unforeseeable. The UK government has acknowledged
during the 2014 litigation against it in the Investigatory Powers Tribunal that it
considers that an ‘external communication’ occurs every time a UK based person accesses a
website located overseas, posts on a social media site overseas such as Facebook, uses overseas
cloud storage or uses an overseas email provider such as Hotmail or Gmail. Searches on
Google are counted as external communications.110

Furthermore, the UK powers to bulk intercept external communications seem to have

been used to monitor also domestic data. Indeed, at one point GCHQ was reportedly
obtaining 85% of all UK domestic traffic, including internet, via the international cables
(using Tempora).111 Second, thus far the UK government has not satisfactorily justified
the difference in treatment when collecting ‘internal’ and ‘external’ communications to
establish that the latter practice is not discriminatory in line with the requirement of pro-
portionality set out by the HRC in its General Comment No. 18112 and the ECtHR in
Burden v. UK.113 Therefore, the same principles regarding ‘in accordance with the law’
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 781

recently reiterated in Zakharov and Szabo in relation to domestic powers of surveillance

must also apply to foreign or external communications. On these bases alone, the contin-
ued practice of intercepting all external communications under the RIPA fails this test, as
there is no regard for the procedural safeguards against arbitrary interference by public
authorities. For example, as bulk interception by its very nature does not specify the
target, this breaches the obligation to identify the categories of people liable to interception
and provides no limits on its duration. In Szabo the ECtHR specifically noted that under s.
7/E Police Act 1994 it was possible for virtually any person in Hungary to be subjected to
secret surveillance, as the legislation did not describe the categories of persons who in
practice may be targeted. The only requirement was for the authorities to name the indi-
viduals, or the ‘range of persons’ to be intercepted to the responsible government minister,
without demonstrating their actual or presumed relation to any terrorist threat. Third, The
UK government has already been challenged on the legality of the interception of external
communications based on the Interception of Communications Act 1985 (ICA) in Liberty
v. UK.114 The ICA did not indicate with sufficient clarity the scope or manner of the exer-
cise of surveillance and was therefore not ‘in accordance with the law’. Its successor, the
RIPA, is strikingly similar and will almost certainly fall foul of Article 8 on the same
grounds.
Likewise, s. 702 FAA, designed ostensibly for an interception of foreign targets, does not
satisfy the legality requirement, as it establishes a regime that allows the US government to
conduct mass surveillance, including the communications of American citizens, without a
warrant, or particularised suspicion.115
Clearly, the scope of what has been collected under Article 8(4) RIPA and s. 702 FAA is
unclear, as both statutes confer very broad discretion on the state agencies, allowing them
not only to conduct untargeted surveillance abroad, but also to circumvent the require-
ments for legitimate use of surveillance powers at home. In that sense both provisions
lack the necessary qualities of law.

5.2. Legitimate aim

A state must justify any interference on the basis of the specified legitimate aim. Article 17
ICCPR does not enumerate an exhaustive list of public policy objectives that may form the
basis of such a justification. Nevertheless, the prevention, suppression and investigation of
acts of terrorism have been held to amount to a legitimate aim for the purposes of
Article 17.116
Unlike Article 17 ICCPR, Article 8(2) ECHR does provide a list of legitimate aims,
among them the interest of national security and economic well-being of the
country.117 As a general principle, the existence of legislation granting powers of secret
surveillance over communications, including email, is necessary in the interest of national
security.118 In addition, it has been held that the enhanced capacity of states to monitor all
internet traffic has been recognised as a valid ‘basis of an arguable justification for mass
surveillance of the Internet’ in the interest of prevention and suppression of global acts
of terrorism.119 However, states do not enjoy an unlimited discretion to subject persons
within their jurisdictions to secret surveillance and may not, in the name of the struggle
against espionage and terrorism, adopt whatever measures they deem appropriate.120
Indeed, such measures are only tolerable in so far as the means provided for by the
782 E. WATT

legislation to achieve these aims remain within the bounds of what is necessary in a demo-
cratic society.121 Lately, in Zakharov, the ECtHR’s Grand Chamber rejected surveillance
authorised on ‘national, military, economic or ecological security grounds’ as being insuf-
ficient, requiring that any authorisation must be based on a ‘reasonable suspicion against a
person concerned’.122 This means that when authorising surveillance measures, an author-
ising body must be capable of verifying whether there are factual indications for suspecting
that person of planning, committing or having committed a criminal act or acts endanger-
ing national security.123 The ‘reasonable suspicion’ approach was not only endorsed, but
also further elaborated on by the ECtHR in Szabo. The phrase ‘necessary in a democratic
society’ now requires that any secret surveillance must be strictly necessary in two senses:
(a) as a general consideration for the safeguarding of democratic institutions; and (b) as a
particular consideration for the obtaining of vital intelligence in an individual
operation.124
The official justifications by the US and UK governments regarding untargeted foreign
surveillance are rare and mainly based on national security grounds, in particular fighting
and preventing terrorism and crime.125 As such, these grounds are too broad and unspe-
cific and therefore do not meet the criteria of ‘reasonable suspicion’. Instead, they bear all
the hallmarks of ‘fishing expeditions’ that the ECtHR is particularly adverse to.126

5.3. Necessity and proportionality of mass surveillance

States must demonstrate that any interference with the right to privacy under Article 17
ICCPR and Article 8(2) ECHR is a necessary means to achieving a legitimate aim. Estab-
lishing that the interference is necessary requires from a state to show not only that the
interference with a person’s right meets a pressing social need, but that it is also propor-
tionate to the legitimate aim pursued.127 This means that the interference cannot be
greater than is necessary to address that pressing social need.128 Additionally, the
measure in question must be the least intrusive instrument amongst those which might
achieve their protective function.129
In the case of intrusion into internet privacy rights, proportionality involves balancing
the extent of the intrusion against the specific benefits accruing to investigations under-
taken by a public authority in the public interest.130 The principle of proportionality
seems not to be satisfied in cases of the use of mass surveillance programmes by both
the US and the UK authorities under Article 17 ICCPR. One reason is that the official
success rate in fighting/preventing terrorism appears insignificant in relation to the
scale of surveillance operations. The figures declared by the Obama administration justi-
fying their use of PRISM set the number of prevented terrorist threats at at least 50,131 but
these claims have been subsequently discredited. In Klayman v. Obama132 it was declared
that the US government was unable to ‘cite a single case in which analysis of the NSA’s
bulk metadata collection actually stopped an imminent terrorist attack’.133 In addition,
the US President’s Review Group on Intelligence and Communications Technologies evi-
denced that mass surveillance impedes law enforcement efforts and recommended that
significant steps should be taken to protect the privacy of non-US persons.134 In particular,
it refuted the administration’s claims regarding the number of lives saved as a result of
metadata collection, advising that bulk surveillance programmes should be shut
down.135 Moreover, according to the PACE report, mass surveillance does not appear
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 783

to have contributed to the prevention of terrorist attacks, contrary to earlier assertions

made by senior intelligence officials.136
A similar conclusion can be reached in the light of the ECtHR’s jurisprudence regarding
the assessment of proportionality. In Leander v. Sweden137 the ECtHR accepted that states
should enjoy wide discretion, both in assessing the existence of a pressing social need and
in choosing the means of achieving the legitimate aim of protecting national security.
However, in Klass138 and later in Zakharov,139 the ECtHR emphasised that states do
not enjoy an unlimited discretion to subject persons within their jurisdictions to secret
surveillance and may not, in the name of the struggle against espionage and terrorism,
adopt whatever measures they deem appropriate. Mass data collection programmes there-
fore appear to offend the requirement that intelligence agencies must select the measure
that is the least intrusive on human rights and thereby undermine the very essence of
the right to privacy.140
Recently, in Privacy International v. Secretary of State for Foreign and Commonwealth
Affairs, the UK Investigatory Powers Tribunal held that the UK intelligence agencies,
including GCHQ, operated an unlawful collection and retention regime of the data of
UK citizens for over a decade.141 The claim concerned the acquisition, use, retention, dis-
closure, storage and deletion of Bulk Communications Data (BCD) obtained under s. 94 of
the Telecommunications Act 1984 and Bulk Personal Data Sets (BPDs) obtained under a
variety of legal powers.142 The tribunal found that the two regimes that operated between
1998 and 2015 breached Article 8 ECHR, as they were neither accessible, nor foreseeable.
Furthermore, there was no statutory oversight of the BCD, whilst that relating to the BPD
lacked adequate judicial oversight.143 The tribunal also stated that the two systems lacked
adequate oversight until after July 2015 with ‘no Codes of Practice relating to either the
BCD or BPD or anything approximating to them’.144 The tribunal did not consider the
issue of necessity and proportionality under Article 8 ECHR. Nevertheless, its conclusion
of the unlawfulness of both bulk metadata collection and the cataloguing of almost the
entire UK population’s personal data does not sit well with the powers of acquisition
and retention of communications data and bulk personal data sets under the Investigatory
Powers Act 2016.145
It could therefore be concluded that PRISM, Tempora and other such programmes do
not seem to have legal basis in domestic law, fail to satisfy the requirement of legitimate
aim and are disproportionately intrusive. For these reasons they are in all probability
unlawful under Article 17 ICCPR and Article 8 ECHR.

6. The future of mass surveillance

The future of the internet as a medium for free and open exchange of information globally
has been seriously undermined, as evidenced by the political fallout. To begin with, rev-
elations that the NSA spied on even its closest allies have affected state-to-state relation-
ships, with the Brazilian, German and Indian authorities expressing their outrage in the
immediate aftermath of the Snowden disclosures.146 The trend for more ‘technological
sovereignty’ and ‘data nationalization’ has also intensified, with both Brazil and the Euro-
pean Union (EU) recently announcing plans to lay $185 million of fibre-optic cables
between them to thwart US surveillance.147
784 E. WATT

A number of international and regional institutions have also acted swiftly in condemn-
ing unfettered mass surveillance. The UN General Assembly (UN GA), the HRC and the
UN Office of the High Commissioner for Human Rights (OHCHR) have gone to a con-
siderable effort to address these issues. The UN GA adopted two Resolutions on the right
to privacy: 68/167148 and 69/166,149 both affirming that people’s rights protected offline
should also be safeguarded online. The OHCHR presented a report in June 2014 which
spelled out the violations of privacy in the context of Article 17 ICCPR, stating that gov-
ernmental surveillance ‘is emerging as a dangerous habit rather than an exceptional
measure’.150 In 2015 the HRC adopted Resolution 28/16 appointing a Special Rapporteur
on the Right to Privacy, Professor Joseph Cannataci, with the mandate to report on alleged
violations of this right including in connection with the challenges arising from new
technologies.151

6.1. Regulation of the activities of intelligence agencies

The first concrete proposal to date from an international organisation addressing the
working methods of intelligence services in the sphere of digital communications came
from the Council of Europe (CoE) in the form of the Intelligence Codex. Four simple
rules were suggested for governing cooperation among the intelligence agencies. First,
any form of mutual political, economic espionage must be prohibited without excep-
tion.152 Second, any intelligence activity on the territory of another member state
should only be carried out with that state’s approval and within a statutory framework,
that is for a specific reason of preventing crime/terrorism.153 Third, the tracking, analysing
and storing of mass data is strictly prohibited if that data is from a non-suspected individ-
ual from a friendly state. Only information pertaining to legitimately targeted individuals
may be collected on an exceptional basis for specific individual purposes, whilst any data
that is stored but not needed must be immediately destroyed.154 Finally, the intelligence
agencies should be banned from forcing telecommunication and internet companies to
grant them unfettered access to their massive databases of personal data without a
court order.155
There can be no doubt that a binding treaty, such as the proposed Codex, is necessary.
The CoE has provided a number of reasons as to why such an instrument is desirable.
These include rebuilding trust among transatlantic partners – member states of the
CoE – as well as between citizens and their governments as being of utmost importance.156
Moreover,
the political problems caused by ‘spying on friends’ and the possible collusion between intel-
ligence services for the circumvention of national restrictions show the need for states to
come up with a generally accepted ‘codex’ for intelligence agencies that would put an end
to unfettered mass surveillance and confine surveillance practices to what is strictly
needed for legitimate security purposes.157

That being the case, the question is how feasible is the adopting of such a treaty? To date,
states have shown no real appetite to regulate peacetime espionage (be that in its tra-
ditional or cyber form) through hard law instruments.158 As a consequence, international
law has been rather ambivalent regarding regulation of electronic surveillance, which falls
within the broader concept of peacetime espionage.159 However, the Snowden disclosures
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 785

highlighted that there has been a marked shift in focus in relation to who is the subject of
surveillance in recent decades. Historically, signals intelligence efforts were concentrated
on gathering data about decision-making in foreign governments.160 Collecting infor-
mation on private individuals was costly and not widespread. Consequently, public
pressure to curtail espionage was minimal as it was not seen to affect average citizens
abroad.161 This has dramatically changed and may encourage at least some states to con-
sider agreeing the rules on how, when and why foreign governments may intercept their
citizens’ communications. Having said that, a global international legal framework for sur-
veillance coming to fruition any time soon is very much in doubt. This is partly due to the
long-standing disagreements relating to how cyberspace and the internet is to be governed
represented by two competing ideologies. On the one hand, Russia and China support a
sovereignty-based governance model, with greater state controls and an enhanced role for
the UN organisations, preferably the International Telecommunications Union.162 On the
other hand, the US and its allies propagate a multi-stakeholder approach, with continued
input of diverse parties, such as governments, non-governmental organisations (such as
the Internet Corporation for Assigned Names and Numbers and the Internet Engineering
Task Force), the private sector, civil society, academia and individuals.163 The long-stand-
ing disagreements about cyberspace governance resulted in the breakdown of proceedings
at the 2012 World Conference on International Telecommunications in Dubai and high-
lights deep divisions among states about the relationship between cyberspace and
sovereignty.164
This does not necessarily mean that a multilateral treaty could not be achieved on a
smaller scale, originating in the CoE. The CoE has a successful track-record regarding
the negotiation of international treaties, as demonstrated by the Convention on Cyber-
crime 2001 (the Budapest Convention)165 and Convention for the Protection of Individ-
uals with Regard to Automatic Processing of Personal Data (Convention 108),166 both
dealing with activities conducted in the cyber environment. They began life as regional,
European instruments, but in time became international, albeit not universal, since they
allow for accession by non-European countries. Thus, the Budapest Convention has
been ratified by 49 parties, among them four non-CoE states who signed it (the US,
Canada, Japan and South Africa) and five, including the US which also ratified it.167 Simi-
larly, the ‘globalization’ of Convention 108 beyond its European origins has been under-
way since the start of this decade, when Uruguay acceded to it in 2013.168 The Republic of
Mauritius ratified Convention 108 and its Additional Protocol on 17 June 2016.169 Four
other non-European countries (Cape Verde, Morocco, Senegal and Tunisia) are in
various stages of the process.170 The Intelligence Codex too could not only become a
regional treaty, but also provide an opportunity to non-European states to become a
party to it and thus have a wider reach than Europe.
Thus far, the Codex has met with only one unfavourable response (the Netherlands)
out of the 47 CoE member states. In the absence of more adverse reactions from all the
member states it is difficult to speculate what the future of the Codex may be. The
Codex is contained in Resolution 2045(2015) and Recommendation 2067(2015) propos-
ing that the Committee of Ministers (the CoE decision-making body composed of foreign
ministers of the contracting parties) initiates it. However, PACE resolutions and rec-
ommendations are non-legally binding.171 Recommendations contain proposals
addressed to the Committee of Ministers and their implementation is within the
786 E. WATT

competence of the foreign ministers of all member states comprising the committee. They
may either support the Codex and begin the process of negations, or reject it, as was the
case with the Dutch authorities.172 If the Codex is rejected, the attempt to exert influence
by the PACE on CoE member states to ban mass surveillance will undoubtedly be under-
mined. However, in view of the deep concerns and condemnation of these practices by the
PACE, opting out could lead to triggering Article 52 ECHR procedures.173 Pursuant to this
provision, the Secretary General, a senior official of the CoE, may require all 47 CoE
member states to report on how their mass surveillance practices comply with the
ECHR and make their replies public. This could lead to more political pressure being
put on governments to carefully consider the stance they may take regarding the proposed
Codex. This is particularly pertinent in the case of all those countries where draconian
counter terrorism measures have been recently enacted, or are in the process of being
adopted, such as the UK.174 An example of the effectiveness of the Article 52 ECHR initiat-
ive is the inquiry into secret detentions and illegal transfers of detainees involving CoE
member states in 2005.175 The PACE Reports uncovered evidence of human rights viola-
tions and helped to put pressure on governments, leading to high-profile international and
national enquiries, which sought to bring those responsible to justice and led to develop-
ments of international law.176 The PACE has already requested that the Committee of
Ministers draft its suggested Intelligence Codex and draw up guidelines for the 47 Euro-
pean governments the CoE represents.177 Furthermore, the author of the Mass Surveil-
lance report, Rapporteur Omtzigt recommended that an Article 52 inquiry be launched
in the wake of the ‘BND/NSA scandal’ in 2015.178 The allegations that the foreign intelli-
gence agency of Germany (the BND) conducted surveillance on its European allies for the
NSA caused Rapporteur Omtzigt to reiterate that ‘the Intelligence Codex lying down the
rules of fair play applicable to the secret services of like-minded countries is urgently
needed’ and urged national parliaments to start serious negotiations on the issue.179 Omt-
zigt’s concerns that the surveillance powers will grow further, whilst political oversights
keep diminishing, resulting in a ‘runaway surveillance machine’,180 is a warning that all
European states must heed.
The UK plays a significant role within the Five Eyes alliance and its intelligence gather-
ing capabilities are among the most advanced in Europe. The UK’s stance on signing up to
the Intelligence Codex must be assessed in the context of that country’s 2016 decision to
leave the EU (Brexit), particularly in relation to the future relationship that the UK will
forge with the EU in security and intelligence-gathering matters. Britain could be amen-
able to the Codex for two reason. First, the objective of the Codex is to lay down rules gov-
erning cooperation and obtaining data, based on lawful surveillance measures. The Codex
seeks to forbid unlawful practices (such as mass surveillance), not ban intelligence gather-
ing altogether. Signing up to the Codex could help towards regaining public trust and pol-
itical credibility at home and abroad, much undermined by the Snowden revelations.
Second, although it is likely that post Brexit, the EU countries will continue to seek
access to at least some of the information gathered by the UK intelligence services, the
same is true of the UK. Britain relies on EU crime and intelligence databases and benefits
from access to EU intelligence, as acknowledged by Prime Minister May.181 The prime
minister, in her speech on Brexit in October 2016 at the Conference of the Conservative
Party, envisaged that the new agreement with the EU will ‘include cooperation on law
enforcement and counter terrorism work’.182 Were Britain to join the Codex, one
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 787

matter that the government would have to consider is how to reconcile the powers it has
granted to the intelligence community under the Investigatory Powers Act 2016 with the
recent decisions of the Court of Justice of the European Union (CJEU) in such cases as
Digital Rights Ireland183 and Tele2 Sverige AB v. Post och184 (the Watson case). In that
case the CJEU affirmed that the general and indiscriminate retention of data pursuant
to the now expired UK Data Retention and Investigatory Powers Act 2014 (DRIPA)
was incompatible with EU law as it ‘exceeded the limit of what is strictly necessary and
cannot be considered to be justified within a democratic society’.185 The judgment may
be significant for the Investigatory Powers Act 2016 as it contains similar data retention
powers to DRIPA 2014 and may have to be amended by either primary or secondary
legislation.
If the proposal for a legally binding Intelligence Codex fails, an alternative solution
could be a voluntary Intelligence Codex.186 Such a soft law option may be a viable alterna-
tive to law-making by treaty for a number of reasons. First, it may be easier for states to
reach agreement, especially if they are not ready to assume legal obligations but wish to
undertake some kind of commitment short of a legally binding one. Second, soft law
instruments are flexible and as such will normally be easier to supplement, amend or
replace than treaties.187 A voluntary Intelligence Code could therefore have a strong
effect, ‘because those that do not abide by it could be accused of wrongful actions by
their allies, thus eroding their credibility as cooperation partners’.188 In this sense, the
voluntary Codex could be law-making in a similar way to multilateral treaties because it
would evidence at least an element of good faith commitment, a desire to influence
state practice, or express some of law-making intention.189 However, as demonstrated
by the recently annulled Safe Harbour agreement, non-legally binding schemes are
easier to circumvent than hard law instruments.190 Arguably, a multilateral binding agree-
ment would be more effective to close loopholes that states can currently exploit in order
to circumvent legal limits placed on their intelligence programmes. This is particularly the
case in relation to ‘collusion for circumvention’, which still allows intelligence agencies to
push the boundaries of their data collection powers at home by relying on data collected by
their allies or third parties.191
What would be an advantage of a hard law Intelligence Codex over and above the exist-
ing international human rights architecture? There are at least two reasons in support of
the Codex, first the need for up-to-date norms under Article 17 ICCPR, and second, to
supplement the jurisprudence of the ECtHR on Article 8 ECHR. These points will be dis-
cussed below.

6.1.1. The need to modernise Article 17 ICCPR

Needless to say, each state should prefer a world in which its officials and citizens were less
often subject to foreign surveillance.192 However, to achieve reduced surveillance through
an internationally binding treaty states must have clearly defined norms. This at present
appears lacking, as the existing international law under Article 17 ICCPR, in particular its
General Comment No. 16 issued in 1988, has not kept pace with the rapid developments
in surveillance and information technologies. As a consequence, the law on privacy is out-
dated and needs to be modernised.
The past practice of the HRC set a precedent for revising or replacing general com-
ments.193 The HRC has been motivated by the need to provide greater detail and more
788 E. WATT

authoritative guidance on the content of a particular article, as well as the need to ensure
that general comments reflect the changing realities and incorporate developments in the
law.194 General Comment No. 16 is no exception. Although it sets out the core concepts
contained in Article 17, it has lagged behind the technology developments in modern com-
munications and surveillance practices. Consequently, new general comment on Article 17
ICCPR must provide explicit articulation of what is the right to privacy of communi-
cations in the digital sphere and spell out the content of this right to ensure its effective
protection and enforcement. Currently General Comment No. 16’s shortcomings relate
to the lack of explicit recognition of such matters as banning untargeted, mass surveil-
lance;195 bulk metadata collection and retention;196 protecting metadata;197 intelligence
services/law enforcement access to communications data held by third-party service pro-
viders and internet companies including in a ‘cloud’; the relationship between private
companies and governments; biometric data gathering (through, for example, finger-
printing, facial recognition software) and transborder access to non-publically available
data, circumventing the requirements of the Mutual Legal Assistance Treaties. In addition,
some matters must be settled beyond doubt, such as the extraterritorial application of
human rights and equal treatment of citizens and foreigners, as well as specifying the cir-
cumstances when the right to privacy may be restricted.198

6.2. The need to supplement the ECtHR jurisprudence under Article 8 ECHR
The PACE report indicated that the Intelligence Codex would adopt the safeguards
devised by the ECtHR for surveillance.199 However, these safeguards provide only
minimum standards200 that member states must adhere to and need to be reinforced by
detailed rules in at least four areas, namely (a) legality – in relation to the so-called
‘contact chaining’; (b) legitimate aim; (c) judicial authorisation; and (d) complaints mech-
anism – user notification.

6.2.1. Legality
In such cases as, for example, Klass,201 Malone,202 Weber,203 Liberty,204 Rotaru v
Romania,205 Zakharov206 and Szabo,207 the Strasbourg Court has developed minimum
standards which domestic law must meet in order to be compatible with Article 8 outlined
in part 4(a) above,208 among them the requirement to specify the categories of people
liable to have their communication intercepted. In gathering information, state authorities
often build a human network around an individual of interest to them by gathering tele-
phone and/or internet metadata related to other persons with whom that individual may
be in contact and who are usually one or two stops (‘hops’) away from him/her. This is
known as ‘contact chaining’. National legislation would usually set out these powers in
terms of ‘relevance’ for the investigation of terrorism or crime.209 The Strasbourg Court
has not yet addressed this issue in the context of interception of internet metadata,210
yet in this case the ‘relevance’ criterion gives potential for expanding the net of surveillance
greatly to cover huge numbers of people without any connection whatsoever to crime or
terrorism.211 Contact chaining must therefore be regulated by placing strict limits on the
power to query collected bulk metadata.
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 789

6.2.2. Legitimate aim

The Zakharov and Szabo cases illustrate the court’s acknowledgement that the legal
threshold of ‘national security’ is dangerously broad, especially in the context of
mobile/electronic communications, which contrasts with its earlier more permissive
approach in Weber and Kennedy. The ECtHR now favours a stringent test based on
reasonable suspicion and this criterion should be adopted in the Codex, as a legal require-
ment for all surveillance powers. As for allowing the collection of signals intelligence for
‘economic well being of the country’, it has been feared that this may give rise to the suspi-
cion of economic espionage.212 The problem is that there seem to be no limits set out by
the ECtHR jurisprudence regarding when data may be collected pursuant to this ground.
One view was that to avoid nations acting for nefarious purposes cloaked in ‘economic
well being’, this criterion must be accompanied by clear prohibition of economic espio-
nage, buttressed by effective oversight and prohibitions on letting government depart-
ments, or administrative agencies concerned with promoting trade, task the signals
intelligence agencies.213

6.2.3. Judicial authorisation

In order to comply with the ECHR a secret surveillance programme must be subject to
independent supervision, which may be either judicial or non-judicial.214 In past cases,
the ECtHR held that judicial authorisation is ‘in principle desirable’ and ‘offer[s] the
best guarantee of independence, impartiality and a proper procedures’,215 but stopped
short of requiring this in all circumstances. In Klass the ECtHR found that oversight by
a non-judicial body was allowed, where that body is sufficiently ‘independent of the auth-
orities carrying out the surveillance’.216 Yet, the issue of impartiality in cases where auth-
orisation has been in the guise of non-judicial bodies, such as an official of the Post Office,
gave the court reasons for concern.217 An opportunity to require that all states must
provide that only judicial authorisation would suffice arose lately in Zakharov, but the
court held that ‘control by an independent body, normally a judge with special expertise,
should be the rule and substitute solution, the exception warranting close scrutiny’.218
Szabo was yet another confirmation that judicial control of secret surveillance is prefer-
able, but not obligatory.219 In the sphere of mass surveillance, the key defect therefore
of the current authorisation regime is the court’s repeated reticence to make the require-
ment of judicial authorisation mandatory across jurisdictions.

6.2.4. Complaints mechanism

Under Article 13 ECHR individuals have a right to an effective remedy in their national
courts in cases where a public authority has infringed their convention rights.220 Part of
this entitlement is the right of citizens to be informed of their data being collected and/
or that they have been the subject of surveillance, known as user notification.221
However, the issue of whether and when an individual may expect to be informed is far
from settled. In Klass, the ECtHR found that states are not required to disclose that
they have ordered or conducted surveillance in a particular case, nor must they notify a
person after the surveillance has ceased.222 The ECtHR considered that is was not feasible
in practice to require post-interception notification in all cases.223 In the subsequent cases
the ECtHR showed a clear tendency towards the establishment of this as a right.224 For
example, in Ekimdzhiev v. Bulgaria225 the ECtHR held that the missing notification of
790 E. WATT

the individual after surveillance violated both Article 8 and Article 13 ECHR, but fell short
of finding that notification was a necessary requirement of domestic surveillance laws in
general, stating that authorities should issue a notification to an individual who had been
secretly monitored.226

7. Conclusion
This article has demonstrated that untargeted mass foreign surveillance is unlawful under
international human rights law. However, although in principle the right to privacy of
communications under Article 17 ICCPR and Article 8 ECHR applies to extraterritorial
surveillance, it has become apparent that there are a number of shortfalls in these frame-
works as they are either outdated and/or require additional legal standards. Equally, the
move towards greater legislative surveillance powers in some European countries, particu-
larly the UK Investigatory Powers Act 2016, as a result of an increased number of terrorist
attacks, suggests that the calls from UN organisations and human rights bodies have been
ignored. Consequently, the problem of untargeted foreign cyber surveillance remains
inadequately dealt with. One solution is that proposed by the CoE, which called on its
member states to agree on a multilateral Intelligence Codex for their intelligence services,
which would put an end to the unfettered mass surveillance and confine surveillance prac-
tices to that which is strictly needed for legitimate security purposes. The Codex would lay
down precisely what is allowed and what is prohibited between allies and partners, clarify
what the intelligence agencies can do, how they cooperate and how allies should refrain
from spying on each other.227 Much consideration would have to be given to such a frame-
work in terms of its implementation and enforcement on the national level not to mention
circumscribing how the intelligence agencies are to operate to comply with the require-
ments of Article 8 ECHR. Nevertheless, this article considers the Codex a step in the
right direction. It not only has a significant symbolic value, since it is the first attempt
to engage in an international dialogue relating to espionage, but also may result in an
agreement reached on a voluntary basis. In this sense, it is a positive development.

Notes
1. Geoffrey B. Demarest, ‘Espionage in International Law’, Denver Journal of International Law
and Policy 24 (1996): 321, 326. Demarest defines espionage as ‘the consciously deceitful col-
lection of information, ordered by a government or organisation hostile to or suspicious of
those the information concerns, accomplished by humans authorised by the target to do the
collecting’.
2. Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’, in
International Cyber Norms: Legal, Policy and Industry Perspective, ed. Anna Maria Osula and
Henry Roigas (Tallinn: NATO CCD COE Publications, 2016), 65–86.
3. Privacy International, ‘The Five Eyes’, https://www.privacyinternational.org/node/51. The
Five Eyes alliance is a secretive, global surveillance arrangement of states comprising the
United States National Security Agency, the United Kingdom Government Communications
Headquarters, Canada’s Communications Security Establishment Canada, the Australian
Signals Directorate and New Zealand’s Government Communications Security Bureau.
4. Privacy International, ‘Metadata’, https://www.privacyinternational.org/node/53. Metadata
is information about the communication and includes, inter alia, the location that the
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 791

communication derived from, the device that sent it, the time it was sent and information
about the recipient.
5. Ashley Deeks, ‘An International Legal Framework for Surveillance’, Virginia Journal of Inter-
national Law 55 (2015): 292–367, 299–300. Transnational surveillance refers to the surveil-
lance of communications that cross state borders, including those that begin and end
overseas but incidentally pass through the collecting state. Extraterritorial surveillance
refers to the surveillance of communications that take place entirely overseas.
6. Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the
Council of Europe, ‘Mass Surveillance. Who is Watching the Watchers?’ (Doc. 13734,
2015), 6.
7. Ibid.
8. International Covenant on Civil and Political Rights (adopted 16 December 1966, entered
into force 23 March 1976) 999 UNTS 171 (ICCPR), art. 17.
9. Convention for the Protection of Human Rights and Fundamental Freedoms (opened for
signature 4 November 1950, entered into force 3 September 1953) 213 UNTS 222 (ECHR),
art. 8.
10. Parliamentary Assembly of the Council of Europe Resolution 2045 (21 April 2015).
11. Ibid., para. 17.4.
12. Matthijs Koot, ‘Dutch Government Rejects Idea of No-Spy Agreements Between European
Countries’ (13 March 2015), https://blog.cyberwar.nl/2015/03/dutch-minister-of-the-
interior-rejects-eu-pace-proposal-omtzigt-of-anti-spy-treaty-between-european-countries/.
13. Liberty, ‘Liberty’s Evidence to the Intelligence and Security Committee’s Inquiry into Privacy
and Security’ (February 2014), 3, https://www.liberty-human-rights.org.uk/sites/default/files/
Liberty%20evidence%20to%20the%20ISC%20inquiry%20into%20privacy%20and%
20security%20(Feb%202014).pdf.
14. Ibid.
15. 50 U.S.C § 1881(a).
16. 50 U.S.C § 1881(c). United States persons are defined as American citizens or non-citizens
who are legal permanent residents in the US.
17. 50 U.S.C § 1881(a).
18. Richard A. Clarke et al., The NSA Report. Liberty and Security in the Changing World. The
President’s Review Group on Intelligence and Communications Technologies (Princeton, NJ:
Princeton University Press 2013), 86–7.
19. Ibid.
20. UK Parliament, Investigatory Powers Act 2016. Royal Assent (Hansard) 29 November 2016.
21. Regulation of Investigatory Powers Act 2000 s. 5.
22. RIPA 2000 s. 8(1).
23. RIPA 2000 s. 8(4)–(6).
24. RIPA 2000 s. 20.
25. Marko Milanovic, ‘Foreign Surveillance and Human Rights, Part 1: Do Foreigners Deserve
Privacy?’ (EJIL: Talk! 25 November 2013), http://www.ejiltalk.org/foreign-surveillance-
and-human-rights-part-1-do-foreigners-deserve-privacy/.
26. Universal Declaration of Human Rights (adopted 10 December 1948 UNGA Res. 217 A(III)
(UDHR) art. 2(1).
27. ICCPR, art. 2(1).
28. Ibid., art. 26.
29. International Covenant on Economic Social and Cultural Rights (adopted 16 December
1966, entered into force 3 January 1976) UNTS 993 (ICESCR) art. 1.
30. Ibid., art. 2.
31. ECHR, art. 14.
32. Ghandi, The Human Rights Committee and the Right of Individual Communication: Law and
Practice (Aldershot: Ashgate Publishing, 1998), 25.
33. UNHRC, ‘General Comment No. 15. The Position of Aliens under the Covenant’ (1986) UN
Doc. HRI/Gen/1/Rev.9/(Vol.1) paras 1–2.
792 E. WATT

34. ICESCR, art. 2.

35. UNHRC, ‘General Comment No. 15’, para. 18.
36. ICCPR, art. 25.
37. Ibid., art. 12(4).
38. ICESCR, art. 2(3).
39. UNHRC, ‘General Comment No. 15’, paras 23–30.
40. UNRC, ‘General Comment No. 18: Non-Discrimination’ (1989) UN Doc. HRI/GEN/1/Rev.1
para. 13.
41. UNCHR (Sub-Commission), ‘Report by Special Rapporteur David Weissbrodt 2003/23’
(2003) UN Doc. E/CN.4/Sub.2/2003/23.
42. Burden v. United Kingdom (App. No. 133378/05) (2008) ECHR 357 [GC].
43. Ibid., para. 60.
44. UNCHR (Sub-Commission), ‘Report by Special Rapporteur David Weissbrodt 2003/23’,
para. 28.
45. Council of Europe Committee on Legal Affairs and Human Rights, ‘Mass Surveillance-
Report of the Parliamentary Assembly’ (2015) Doc. 13734 45.
46. American Civil Liberties Union, ‘Privacy Rights in the Digital Age. A Proposal for a New
General Comment on the Right to Privacy under Article 17 of the International Covenant
on Civil and Political Rights: A Draft Report and General Comment by the American
Civil Liberties Union’ (2014), 28, https://www.aclu.org/sites/default/files/assets/jus14-
report-iccpr-web-rel1.pdf.
47. ECHR, art. 1.
48. ICCPR, art. 2(1).
49. UNHRC, ‘Summary Record of the 1405th Meeting’ (24 April 1995) UN Doc. CCPR/C/SR/
1405. The US government’s position was made clear in para. 20: ‘The Covenant was not
regarded as having extraterritorial application (…) Article 2 of the Covenant expressly
stated that each State party undertook to respect and ensure the rights recognized “to all indi-
viduals within its territory and subject to its jurisdiction”. That dual requirement restricted
the scope of the Covenant to persons under the United States jurisdiction and within
United States territory.’
50. Vienna Convention on the Law of the Treaties (adopted 22 May 1969) (1969) 1155 UNTS
331 (VCLT) art. 31(1).
51. UNHRC, ‘Report of the Human Rights Committee’ (1995) UN Doc. A/50/40 para. 284: ‘[the
HRC] does not share the view [of the US government] that the Covenant lacks extraterritorial
reach under all circumstances [because] such a view is contrary to the consistent interpret-
ation of the Committee … that in special circumstances, persons may fall under the subject-
matter jurisdiction of a State Party even when outside that State’s territory’.
52. UNHRC, ‘Concluding Observations on the US Report Under the ICCPR’ (2006) UN Doc.
CCPR/C/USA/CO/3; UNHRC, ‘Concluding Observations on the Fourth Periodic Report
of the United States of America’ (2014) UN Doc. CCPR/C/USA/CO/4. Both reports state
in para. C.4 that: ‘The Committee regrets that the State Party continues to maintain its pos-
ition that the Covenant does not apply with respect to individuals under its jurisdiction but
outside its territory, despite the contrary interpretation of article 2(1) supported by the Com-
mittee’s established jurisprudence, the jurisprudence of the International Court of Justice and
State practice.’
53. UNHRC, ‘General Comment No. 31. The Nature of the General Legal Obligations Imposed
on State Parties to the Covenant’ (2004) UN Doc. CCPR/C/21/Rev.1/Add.1326 May 2004.
54. Vienna Convention on the Law of the Treaties.
55. Lopez Burgos v. Uruguay (1979) UNHRC Communication No. 52/1979 UN Doc. CCPR/C/
13/D/52/1979.
56. Montego v. Uruguay (1981) UNHRC Communication No. 106/1981 UN Doc. Supp. No. 40
(A 138/40).
57. Munaf v. Romania (2006) UNHRC Communication No. 1539/06 UN Doc. CCPR/C/96/D.
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 793

58. UNHRC, ‘General Comment No. 35. Article 9-Liberty and Security of Person’ (2014) UN
Doc. CCPR/C/GC/35.
59. ICCPR, art. 9.
60. UNHRC, ‘General Comment No. 35’, para. 63.
61. UNHRC, ‘Concluding Observations on the Fourth Periodic Report of the Unites States of
America’, para. 22(a).
62. Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories
(Advisory Opinion) 2004 ICJ Reports 163.
63. Case Concerning Armed Activities on the Territory of the Congo (Democratic Republic of
Congo v. Uganda) (Request for the Indication for Provisional Measures: Order) [2000] ICJ
Reports 111.
64. Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories, para.
111; DRC v. Uganda, ibid.
65. Al-Skeini and Others v. United Kingdom (App. No. 55721/07) [2011] ECHR 1093.
66. Bankovic and Others v. Belgium and Others (App. No. 52207/99) [2001] ECHR 890; Ilaşcu
and Others v. Moldova and Russia (App. No. 48787/99) (2005) 40 EHRR; Loizidou v.
Turkey (App. No. 15318/89) (1995) 23 EHRR 513; Issa and Others v. Turkey (App. No.
31821/96) (2005) 41 EHRR 27.
67. Al-Skeini and Others v. United Kingdom, paras 138–9.
68. Ibid., paras 133–7.
69. Ibid.
70. Jaloud v. the Netherlands (App. No. 47708/08) (2014) EHRR.
71. Chiragov and Others v. Armenia (App. No. 13216/05) (2015); Sargsyan v. Azerbaijan (App.
No. 40167/06) (2015). The court adopted an expansive approach when applying the spatial
model in these two cases. In its evaluation of the evidence confirming Armenian control over
the Nagorno-Karabakh for example, the court found a high level of Armenian influence in
the region (including military, political and financial) and consequently effective control
over it.
72. Marko Milanovic, ‘Jurisdiction and Responsibility: Trends in the Jurisprudence of the Stras-
bourg Court’, in The ECHR and General International Law, ed. Anne van Aaken and Iulia
Motoc (Oxford: Oxford University Press, forthcoming).
73. UNHRC General Comment No. 35; UNHRC, ‘Concluding Observations on the Fourth Per-
iodic Report of the United States of America’.
74. There are three currently pending cyber surveillance cases before the ECtHR, alleging breach
of Article 8 ECHR by GCHQ following Edward Snowden revelations: Bureau of Investigative
Journalism and Alice Ross v. UK (App. No. 62322/14); Big Brother Watch and Others v. UK
(App No 58179/13); 10 Human Rights Organizations v. UK (App. No. Index No. IOR 60/
1415/2015).
75. UNHRC, ‘Concluding Observations on the Fourth Periodic Report of the United States of
America’, para 22.
76. UNGA, ‘Report of the Office of the United Nations High Commissioner for Human Rights
the Right to Privacy in the Digital Age’, UN Doc. A/HRC/27/37 30 (2014).
77. Ibid., para. 34: ‘[…] digital surveillance […] may engage a State’s human rights obligations if
that surveillance involves the State’s exercise of power or effective control in relation to digital
communications infrastructure, wherever found, for example through direct tapping or pen-
etration of that infrastructure. Equally, where the State exercises regulatory jurisdiction over a
third party that physically controls the data, that State would have obligations under the
Covenant.’
78. The Washington Post, ‘NSA Slide Shows Surveillance of Undersea Cables’ (2013), https://
www.washingtonpost.com/business/economy/the-nsa-slide-you-havent-seen/2013/07/10/
32801426-e8e6-11e2-aa9f-c03a72e2d342_story.html. Upstream collection programmes
allow access to very high volumes of data both inside and outside the US and have been
described as the ‘collection of communications on fibre cables and infrastructure as data
794 E. WATT

flows past’ and are conducted under the following four major surveillance programmes: Fair-
view, Blarney, Stormbrew and Oakstar.
79. UNGA, ‘Report of the Special Rapporteur on the Promotion and Protection of Human Rights
and Fundamental Freedoms whilst Countering Terrorism Ben Emmerson QC’ (23 Septem-
ber 2014) UN Doc. A/69/397 para. 41.
80. ICCPR, art. 17.
81. UNHRC, ‘General Comment No. 16: Article 17 (Right to Privacy). The Right to Respect of
Privacy, Family, Home, and Correspondence and Protection of Honour and Reputation’ (8
April 1988) UN Doc. HRI/GEN/1/Rev para. 8.
82. Ibid.
83. UNHRC, ‘Concluding Observations on Sweden’ (2009) UN Doc. CCPR/C/SWE/CO/6.
84. UNHRC General Comment No. 16, para. 8.
85. Ibid.
86. Ibid., para. 10.
87. UNHRC Tooten v. Australia (Communication No. 488/1992) UN Doc. CCPR/C/50/D/488/
1992 (1994).
88. ECHR, art. 8.
89. Klass and Others v. Germany (App. No. 5029/71) (1978) 2 EHRR 214.
90. Malone v. United Kingdom (App. No. 8691/79) (1985) 7 EHRR 14.
91. Halford v. United Kingdom (App. No. 20605/92) (1997) 24 EHRR 523.
92. Liberty and Others v. United Kingdom (App. No. 58243/00) (2009) 48 EHRR 1.
93. Malone v. United Kingdom. ‘Metering’ in Malone involved the use of a metre to register the
number dialled, the time, and the duration of each telephone call.
94. Liberty and Others v. United Kingdom.
95. See for example: Leander v. Sweden (App. No. 9248/81) (1987) 9 EHRR 433; S and M Marper
v. UK (App. No. 30562/04) (2008) ECHR 1581; Shimovolos v. Russia (App. No. 30194/09)
(2011).
96. Weber and Saravia v. Germany (App. No. 54934/00) (2006).
97. Kennedy v. the United Kingdom (App. No. 26839/05) (2010).
98. Roman Zakharov v. Russia (App. No. 47143/06) (2015) ECHR 1065.
99. Szabo and Vissy v. Hungary (App. No. 37138/14) (2016).
100. European Court of Human Rights Registry, ‘Hungarian Legislation on Secret Anti-Terrorist
Surveillance Does Not Have Sufficient Safeguards Against Abuse’ (2016), http://statewatch.
org/news/2016/jan/echr-case-SZAB-%20AND-VISSY-v-%20HUNGARY-prel.pdf.
101. See note 74.
102. Sara Joseph and Melissa Castan, The International Covenant on Civil and Political Rights.
Cases, Materials and Commentary (Oxford: Oxford University Press, 2014), 538.
103. UNHRC General Comment No. 16, paras 3, 4, 8; UNHRC, ‘General Comment 27. Freedom
of Movement (Article 12)’ (1999) UN Doc. CCPR/C/21/Rev.1/Add.9 paras 14–15; Tooten v.
Australia, para. 8.3.
104. UNHRC, ‘General Comment No. 16’, para. 10.
105. Ibid., para. 3.
106. UNHRC, ‘General Comment No. 34. Article 19: Freedoms of Opinion and Expression’
(2011) UN Doc. CCPR/C/GC/34 para. 25.
107. Zakharov v. Russia.
108. Ibid., para. 231. Zakharov reiterated the court’s requirements set out in its earlier jurispru-
dence, in such cases as Huvig v. France (App. No. 11105/84) (1990) 12 EHRR528; Klass v.
Germany; Amman v. Switzerland (App. No. 27798/95) (2000) 30 EHRR 843; Weber v.
Germany. The domestic statute must specify: (a) the categories of people liable to intercep-
tion; (b) the nature of the offences which may give rise to an interception order; (c) limits of
its duration (d) the procedures to be followed for examining, using and storing the data
obtained; (e) the precautions to be taken when communicating the data to other parties,
and (f) circumstances in which data obtained may, or must be erased or destroyed.
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 795

109. Special Rapporteur Ben Emmerson, QC: UNGA, ‘Report of the Special Rapporteur on the
Promotion and Protection of Human Rights and Fundamental Freedoms whilst Countering
Terrorism Ben Emmerson QC’, para. 37.
110. Liberty v. GCHQ [2014] UKIPT rib 13_77-H. https://www.liberty-human-rights.org.uk/sites/
default/files/The%20Intelligence%20Services%20open%20response%20to%20Liberty’s%
20and%20Privacy%20International’s%20claims%2015th%20November%202013.pdf.
111. The Guardian, ‘MI5 Feared GCHQ Went “Too Far” Over Phone and Internet Monitoring’
(2013), https://www.theguardian.com/uk/2013/jun/23/mi5-feared-gchq-went-too-far.
112. UNRC, ‘General Comment No. 18’.
113. Burden v. United Kingdom.
114. Liberty v. UK.
115. Electronic Frontier Foundation, ‘Section 702 of the Foreign Intelligence Surveillance Act
(FISA): Its Illegal and Unconstitutional Use’, https://www.eff.org/files/filenode/702_one_
pager_final_adv.pdf. The FISC approved PRISM orders directed at specific companies
have been used to access Americans’ communications, so long as the order targets at least
51% of foreign people.
116. Special Rapporteur Ben Emmerson QC: UNGA, ‘Report of the Special Rapporteur on the
Promotion and Protection of Human Rights and Fundamental Freedoms whilst Countering
Terrorism Ben Emmerson QC’, para. 33.
117. Convention for the Protection of Human Rights and Fundamental Freedoms.
118. Klass v. Germany, para. 48; Leander v. Sweden, para. 59.
119. Special Rapporteur Ben Emmerson QC: UNGA, ‘Report of the Special Rapporteur on the
Promotion and Protection of Human Rights and Fundamental Freedoms whilst Countering
Terrorism Ben Emmerson QC’, para. 34.
120. Klass v. Germany, para. 49.
121. Ibid., paras 46 and 49.
122. Zakharov v. Russia, para. 260.
123. Ibid.
124. Szabo v. Hungary, para. 98.
125. US House of Representatives Permanent Select Committee on Intelligence, ‘Hearing of the
House Permanent Select Committee on Intelligence on How Disclosed NSA Programs
Protect Americans and Why Disclosure Aids Our Adversaries’ (2013), https://www.hsdl.
org/?view&did=739351; The Huffington Post, ‘Barak Obama Justifies PRISM NSA Surveil-
lance Programme Saying it Has Saved Lives’ (2013), http://www.huffingtonpost.co.uk/
2013/06/19/prism-obama-germany-merkel_n_3464613.html.
126. Vinci Construction and GTM Genic Civil et Services v. France (App. No. 63629/10 & 60567/
10) (2015). ‘Fishing expeditions’ are searches, or investigations undertaken in the hope of dis-
covering information, whereby data are mined to identify possible terrorist/criminal activity
rather than the actual activity. In Vinci the ECtHR held that unannounced inspections,
searches and seizures of computer files for the purposes of an official investigation by the
French competition authority violated Article 6(1), right to fair trial, as well as Article 8.
127. Bernadette Rainey et al., The European Convention on Human Rights (Oxford: Oxford Uni-
versity Press, 2014), 325.
128. Ibid.
129. UNHRC General Comment No. 34, para. 34.
130. UNGA, ‘Report of the Special Rapporteur on the Promotion and Protection of Human Rights
and Fundamental Freedoms whilst Countering Terrorism Ben Emmerson QC’, para. 51.
131. Joan McCarter, ‘President Obama: “Lives Have Been Saved”’ (2013), http://www.dailykos.
com/story/2013/6/19/1217312/-President-Obama-Lives-have-been-saved-by-NSA-
surveillance.
132. Klayman v. Obama 957 F Supp 2d. 1 (2013).
133. Reuters, ‘US Court Hands Win to NSA over Metadata Collection’ (2015), http://www.reuters.
com/article/us-usa-court-surveillance-idUSKCN0QX1QM20150828. The decision that the
796 E. WATT

NSA mass collection of phone metadata was unconstitutional was reversed by the US Court
of Appeal for the District of Columbia in August 2015.
134. Clarke et al., The NSA Report.
135. Ibid, Recommendation 4: ‘We recommend that, as a general rule, and without senior policy
review, the government should not be permitted to collect and store all mass, undigested,
non-public personal information about individuals to enable future queries and data-
mining for foreign intelligence purposes. Any programme involving government collection
or storage of such data must be narrowly tailored to serve an important government interest.’
136. Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the
Council of Europe, ‘Mass Surveillance’.
137. Leander v. Sweden, see note 95.
138. Klass and Others v. Germany, para. 48.
139. Roman Zakharov v. Russia, para. 49.
140. UNGA, ‘Report of the Special Rapporteur on the Promotion and Protection of Human Rights
and Fundamental Freedoms whilst Countering Terrorism Ben Emmerson QC’, para. 52.
141. Privacy International v. Secretary of State for Foreign and Commonwealth Affairs [2016]
UKIPTrib 15_11-CH.
142. Privacy International, ‘Press Release: New Court Judgment Finds UK Surveillance Agencies
Collected Everyone’s Communications Data Unlawfully and in Secret, For Over a Decade’
(21 October 2016), https://www.privacyinternational.org/node/938.
143. Privacy International v. Secretary of State for Foreign and Commonwealth Affairs.
144. Ibid.
145. Investigatory Powers Act, Parts 3, 4 and 7.
146. Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the
Council of Europe, ‘Mass Surveillance’, paras 104–5. Former Brazilin President Rousseff
strongly condemned NSA surveillance at an address before the UN General Assembly in Sep-
tember 2013, whilst Germany’s Der Spiegel accused the NSA of ‘turning the internet into a
weapons system’ following the revelations of spying on Chancellor Merkel and other high-
profile Germans. On 2 July 2014 India summoned a senior US diplomat over reports that
the US had authorised the NSA to spy on the ruling party, the BJP, in 2010 when it was
in the opposition.
147. Ibid., para. 108.
148. UNGA Res. 68/167 (18 December 2013) UN Doc. A/RES/68/167.
149. UNGA Res. 69/166 (18 December 2014) UN Doc. A/RES/69/166.
150. UNGA, ‘Report of the Office of the United Nations High Commissioner for Human Rights
the Right to Privacy in the Digital Age’.
151. UNGA Res. 28/16 (24 March 2015) UN Doc. A/HRC/28L.27.
152. Council of Europe Committee on Legal Affairs and Human Rights, ‘Mass Surveillance-
Report of the Parliamentary Assembly’, 50.
153. Ibid.
154. Ibid.
155. Ibid.
156. Ibid., para. 13, 8.
157. Ibid., para. 115, 50.
158. For an overview see Deeks, ‘An International Legal Framework for Surveillance’.
159. The US FISA defines electronic surveillance to include ‘the acquisition by an electronic,
mechanical, or other surveillance devices of the contents of any wire communication to or
from a person in the United States, without the consent of any party thereto, if such acqui-
sition occurs within the Unite States’. 50 USC §1801(f)(2).
160. Deeks, ‘An International Legal Framework for Surveillance’, 23.
161. Ibid.
162. Robert M. McDowell, ‘The UN Threat to Internet Freedom’, Wall Street Journal, 21 February
2012.
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 797

163. Kristen E. Eichensehr, ‘The Cyber-Law of Nations’, The Georgetown Law Journal (2015):
317–80, 330.
164. Ibid., 335.
165. Cybercrime Convention [2001] European Treaty Series No. 185.
166. Convention for the Protection of Individuals with Regard to Automatic Processing of Per-
sonal Data [1981] European Treaty Series No. 108.
167. Council of Europe Chart of Signatures and Ratifications of Treaty 185 Convention on Cyber-
crime Status as of 31/07/2016. The other states are Australia, Canada, Dominican Republic,
Israel, Japan, Mauritius, Panama and Sri Lanka.
168. Graham Greenleaf, ‘Balancing Globalization’s Benefits and Commitments: Accession to Data
Protection Convention 108 by Countries Outside Europe’ (2016), http://papers.ssrn.com/
sol3/papers.cfm?abstract_id=2801054.
169. Council of Europe, Press Release, ‘Mauritius Joins the Data Protection Convention’, DC114
(2016), https://wcd.coe.int/ViewDoc.jsp?p=&id=2434411&Site=DC&BackColorInternet=
F5CA75&BackColorIntranet=F5CA75&BackColorLogged=A9BACE&direct=true.
170. Graham Greenleaf, ‘Balancing Globalization’s Benefits and Commitments: Accession to Data
Protection Convention 108 by Countries Outside Europe’.
171. Council of Europe Parliamentary Assembly, ‘The Democratic Conscience of Greater Europe’,
http://website-pace.net/en_GB/web/apce/in-brief.
172. Koot, ‘Dutch Government Rejects Idea of No-Spy Agreements Between European Countries’.
173. ICCPR, art. 52: ‘On receipt of a request from the Secretary General of the Council of Europe
any High Contracting Party shall furnish an explanation of the manner in which its internal
law ensures the effective implementation of any of the provisions of this Convention.’
174. CoE, ‘Nils Muižnieks: Human Rights in Europe Should Not Buckle under Mass Surveillance’
(12 February 2016), https://www.coe.int/en/web/media-freedom/news/-/asset_publisher/
RuR4jZRX8nrl/content/nils-muiznieks-human-rights-in-europe-should-not-buckle-under-
mass-surveillance? This includes countries such as France, The Netherlands, Austria,
Finland, the UK and Poland.
175. Council of Europe Parliamentary Assembly, ‘Timeline: The Council of Europe Investigation
into CIA Secret Prisons in Europe’, http://assembly.coe.int/nw/xml/News/News-View-en.
asp?newsid=5722&lang=2.
176. Ibid.
177. Natasha Lomas, ‘European Rights Body Again Rejects Mass Surveillance’ (22 April 2015),
https://techcrunch.com/2015/04/22/european-rights-body-again-rejects-mass-surveillance/.
178. Council of Europe Parliamentary Assembly, ‘Rapporteur on Mass Surveillance Reacts to Rev-
elations of Collusion Between NSA and BND’ (4 May 2015), http://www.assembly.coe.int/
nw/xml/News/News-VieEN.asp?newsid=5592&lang=2&cat=.
179. Ibid.
180. The Guardian, ‘Mass Surveillance in Fundamental Threat to Human Rights, Says European
Report’, 26 January 2015, https://www.theguardian.com/world/2015/jan/26/mass-
surveillance-threat-human-rights-council-europe.
181. The Guardian, ‘Would Brexit Damage British Intelligence?’, 24 March 2016, https://www.
theguardian.com/politics/2016/mar/24/brussels-brexit-really-undermine-the-uks-
intelligence-capabilities.
182. Josh May, ‘Read in Full: Teresa May’s Conservative Conference Speech on Brexit’ (2 October
2016), https://www.politicshome.com/news/uk/political-parties/conservative-party/news/
79517/read-full-theresa-mays-conservative.
183. Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others (8 April
2014).
184. Joint Cases C-203/15 and C-698/15 Tele2 Sverige AB v. Post-och telestyrelsen and Secretary of
State for the Home Department v. Tom Watson and Others (21 December 2016).
185. Ibid., para. 107.
798 E. WATT

186. Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the
Council of Europe, ‘Explanatory Memorandum by Mr Pieter Omtzigt, Rapporteur’ AS/Jur
(2015), para. 117.
187. Gennadi M. Danilenko, Law Making in the International Community (Leiden: Martinus
Nijhoff Publishers, 1993).
188. Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the
Council of Europe, ‘Explanatory Memorandum by Mr Pieter Omtzigt, Rapporteur’.
189. Malcolm D. Evans, International Law (Oxford: Oxford University Press, 2015), 120.
190. Case C-362/14 Maximilian Schrems v. Data Protection Commissioner [2015] ECJ.
191. Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the
Council of Europe, ‘Explanatory Memorandum by Mr Pieter Omtzigt, Rapporteur’.
192. Deeks, ‘An International Legal Framework for Surveillance’, 21.
193. American Civil Liberties Union, ‘Privacy Rights in the Digital Age’. In 2011 General
Comment No. 10 (written in 1983) was replaced with General Comment No. 34 on
Article 19, protecting the right to freedom of expression, whilst in 2013 General Comment
No. 8, issued in 1982, was replaced with General Comment No. 35 on Article 9, protecting
liberty and security of the person.
194. Ibid.
195. Roman Zakharov v. Russia; Szabo and Vissy v. Hungary.
196. Digital Rights Ireland Ltd, see note 183.
197. Copland v. the United Kingdom (App. No. 62617/00) (2007) ECHR; Malone v. United
Kingdom; UNHRC Report by the Special Rapporteur Frank La Rue on the Promotion and
Protection of the Right to Freedom of Opinion and Expression (17 April 2013) UN Doc.
A/HRC/23/40.
198. Special Rapporteur Frank La Rue, para. 29; UNHRC Report by Special Rapporteur Martin
Scheinin on the Promotion and Protection of Human Rights and Fundamental Freedoms
while Countering Terrorism (28 December 2009) UN Doc. A/HRC/13/37 para. 11. The
Special Rapporteurs suggested that the limitations to the right to privacy are subject to the
test of permissible limitations set forth by the HRC in its General Comment No. 27 to
Article 12 (freedom of movement).
199. PACE Mass Surveillance Report, paras 97, 80.
200. Ibid., 57.
201. Klass and Others v. Germany.
202. Malone v. United Kingdom.
203. Weber and Saravia v. Germany.
204. Liberty and Others v. United Kingdom.
205. Rotaru v. Romania (App. No. 28341/95) (2000) ECHR 2000-V.
206. Roman Zakharov v. Russia.
207. Szabo and Vissy v. Hungary.
208. See note 108.
209. For example, in the US access to stored telephony metadata will be granted on the basis of
‘reasonable articulable suspicion’ individually approved by the Foreign Intelligence Surveil-
lance Court under s. 215 Foreign Intelligence Surveillance Act.
210. European Commission for Democracy Through Law (the Venice Commission), ‘The Demo-
cratic Oversight of Signals Intelligence Agencies’ (20–21 March 2015), paras 98, 81.
211. Ibid., para. 10, 57.
212. Ibid.
213. Ibid., para. 73.
214. Weber; Klass; Zakharov; Szabo.
215. Klass, para. 87.
216. Ibid., para. 56.
217. Kopp v. Switzerland (App. No. 23224/94) (1999) 27 EHRR 91, para. 74.
218. Zakharov, para. 77.
219. Szabo, para. 75.
 THE INTERNATIONAL JOURNAL OF HUMAN RIGHTS 799

220. ECHR, art. 13.

221. Necessary and Proportionate, ‘Global Legal Analysis. Background and Supporting Inter-
national Legal Analysis for the International Principles on the Application of Human
Rights to Communications Surveillance’ (2014), 24, https://necessaryandproportionate.org/
global-legal-analysis.
222. Klass, para. 89.
223. Ibid., para. 58.
224. Weber; Association for European Integration and Human Rights and Ekimdzhiev and Bul-
garia (App. No. 62540/00) (2007); Kennedy; Uzun v. Germany (App. No. 36623/05)
(2010); Zakharov.
225. Ibid.
226. May, ‘Read in Full’, 24.
227. Committee on Legal Affairs and Human Rights of the Parliamentary Assembly of the
Council of Europe, ‘Mass Surveillance’, 30.

Acknowledgements
The author wishes to thank Professor Hélène Lambert and Professor Marco Roscini for their gui-
dance and comments on the previous draft on this article.

Disclosure statement
No potential conflict of interest was reported by the author.

Note on contributor
Eliza Watt is a visiting lecturer and a doctoral researcher at the School of Law, University of West-
minster, currently researching cyber surveillance practices of the Five Eyes intelligence agencies and
their implications for the right to privacy of communications under the relevant human rights trea-
ties. Prior to this, she worked in a private sector industry as a legal consultant following being called
to the Bar at the Honourable Society of the Inner Temple in 2008. She has obtained an LLB, LLM
and LLM from University of Westminster and King’s College London.