The End of Mass Surveillance?

Mass surveillance, introduced hastily under the pretence of guaranteeing security, is hopefully seeing the beginning of its end in many countries. A perfect example of technological step forward that was made because we could, but actually should not have, mass surveillance was set back only after several protracted legal battles in Europe. It was also an attempt by some to fundamentally reconfigure the relationship between the state and the individual (because without privacy there can be no constitutional democracy, no free elections, no freedom of speech, no human dignity).

The Court of Justice of the European Union (CJEU) showed in several decisions that privacy as a fundamental right is here to stay. The Court started with the quite unprecedented nullification of the Data Retention Directive (Joined Cases C-293/12 and C‑594/12 Digital Rights Ireland) in April 2014:

As regards the necessity for the retention of data required by Directive 2006/24, it must be held that the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify a retention measure such as that established by Directive 2006/24 being considered to be necessary for the purpose of that fight.

…

As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population.

It then continued just one month later to establish a strong pro-privacy stance in the Google Spain decision (C-131/12) in which it established “the right to be forgotten” and forced Google to remove certain search results if people legitimately request it.

The latest blow to mass surveillance came earlier this month, when the CJEU declared the EU-US Safe Harbor arrangement void in the Schrems case (C-362/14). Safe Harbor had been used by many US corporations to process the personal data of EU citizens as the US itself lacks as strong privacy laws as the EU requires (which are the toughest in the world). The case, which was brought by Austrian student and privacy activist Maximilian Schrems against the Irish data protection body for their reluctance to take on Facebook resulted in the CJEU stepping in an declaring the whole Safe Harbor arrangement invalid [1].

Apple, Google, Facebook, Microsoft and a lot of others have all been impacted and have made alternative arrangements. Many of them have come out in the support of stronger privacy rights. Microsoft Chief Legal Counsel Brad Smith writes:

But privacy rights cannot endure if they change every time data moves from one location to another. Individuals should not lose their fundamental rights simply because their personal information crosses a border. While never stated quite this directly, this principle underlies every aspect of the European Court’s decision, and it makes sense.

Add to this the daily reality that personal data is often moved not by individuals, but by companies and governments. Typically, individuals are not even aware of where their information is being moved or stored. It is untenable to expect people to rely on a notion of privacy protection that changes every time someone else moves their information around. No fundamental right can rest on such a shaky foundation.[2]

Apple CEO Tim Cook has explained their approach to privacy:

We do think that people want us to help them keep their lives private. We see that privacy is a fundamental human right that people have. We are going to do everything that we can to help maintain that trust. …

Our view on this comes from a values point of view, not from a commercial interest point of view. Our values are that we do think that people have a right to privacy. And that our customers are not our products. We don’t collect a lot of your data and understand every detail about your life. That’s just not the business that we are in.[3]

Cook’s mentioning that “our customers are not our products” is a dig against Alphabet (formerly known as Google) and, of course, Facebook, which are the companies that have built a huge business by enticing a big part of the world’s population to trust them with their private data. Those companies are the ones with the most to lose from the resurrection of the right to privacy. Facebook is already grasping at straws by claiming somehow that better privacy protections endanger the security of users[4]. Google has in the past tried to undermine the privacy concerns against it by riding the freedom of information horse, but has recently also started to take things more seriously as it understands that its business model is threatened. Google’s SVP Rachel Whetstone even offered a rare mea culpa early this year at a speech in Bavaria:

Finally, let me turn to privacy. I want to start by making clear Google hasn’t always got this right. It’s not just about the errors we have made–with products like Buzz or the mistaken collection of WiFi data–but about our attitude too. These have been lessons learned the hard way. But as our swift implementation of the Right to be Forgotten has shown, they are indeed lessons we have learned. [5]

There are plenty of politicians, (security) officials, companies and others who took the decision to ignore the right to privacy and contributed to the creation and utilisation of mass surveillance which has resulted in probably the most large-scale infringement of human rights so far in history. Meanwhile this cost has had no significant benefits: it has not made anyone safer or prevented crimes and even if it did manage to prevent some in the future, it would not be close to the worth the cost to our values, democracy, society and economy.

While it may have seemed to some (including Estonian president and chief tech evangelist Toomas Hendrik Ilves [6]) that so-called Little Sister (i.e. private businesses) is more dangerous to privacy than Big Brother, then now they have been proven wrong. Preserving privacy in the digital age is as much in the interests of tech companies as it is for the consumers and it is still the governments that we should be most worried about. The fight will continue, but in more balanced way because there is more awareness of the cost of mass surveillance. There are a number of court cases pending and there are stronger and stronger voices globally that something has to be done in order to guarantee better privacy protections for everyone.

Thankfully there are those who have dared to start this fight against great pressures. Edward Snowden of course, along with Glenn Greenwald, the Guardian and others deserve thanks from all of humanity for what they did at great personal cost. But we also should be very thankful to the judges who have done their job and used their powers for good. They have proven themselves as the last bastions of rule of law, democracy and human rights (even of our political leaders terribly failed us) and saved us from immediate privacy dystopia. We should all thank them and the people and organisations who brought the cases and continue to do so. They are heroes who have helped and continue to help to nudge humankind to a better future.

Post scriptum: My own small contribution to the fight against mass surveillance was the application I submitted to the Chancellor of Justice (the only independent constitutional rights watchdog) in Estonia to check whether mass telecommunications data retention is unconstitutional (as this was introduced resulting from the now invalid data retention directive). After long deliberations, the Chancellor sadly did not think that data retention is necessarily illegal, but nevertheless considered that privacy safeguards need to be strengthened and requested that the Ministry of Justice conduct a comprehensive analysis of the legislation. See her opinion here (in Estonian).

Further reading:

1. Behind the European Privacy Ruling That’s Confounding Silicon Valley, New York Times, 9 October 2015.
2. Smith, Brad. The collapse of the US-EU Safe Harbor: Solving the new privacy Rubik’s Cube, Microsoft on the Issues, 20 October 2015.
3. Apple CEO Tim Cook: ‘Privacy Is A Fundamental Human Right’, Interview on NPR, 1 October 2015.
4. Facebook Goes On Privacy Offensive in Europe, WSJ, 13 October 2015.
5. Whetstone, Rachel. Privacy, security, surveillance: getting it right is important, Google Europe blog, 13 February 2015.
6. President Ilves: we should worry about the “little sister” instead of the “big brother”