After “Prism” (and US Patriot Act section 215): EDRI and FREE submission to US and EU Institutions.



the European Digital Rights Initiative (EDRi) &

Fundamental Rights European Experts Group

(FREE Group)


the United States Congress,

the European Parliament and  Commission

& the Council of the European Union,

& the Secretary-General & the Parliamentary Assembly

of the Council of Europe


the surveillance activities of the United States and certain European States’ national security and “intelligence” agencies

August 2013

Note on the choice of addressees:

EDRi and FREE are submitting this appeal to the addressees mentioned on the cover page for the following reasons:

                      The US Congress is ultimately responsible for providing democratic oversight over the activities of the US Executive.  It has established a Privacy and Civil Liberties Oversight Board (PCLOB) consultation on FISA and the PATRIOT Act.  However, while we are sending a copy of this submission to that consultation, this document is addressed to the Speaker of the House of Representatives and the President pro tempore of the Senate because we argue that the issues raised can only be addressed properly by the establishment of a special investigation committee of Congress, with appropriate support and powers.  We also wish to stress that, whatever the defects in the scope of protection afforded to non-US citizens under the US Constitution, the USA, as parties to the UN International Covenant on Civil and Political Rights and the Council of Europe Cybercrime Convention, are bound under international law to extend privacy protection to non-US citizens and to observe the principles of legality, necessity and proportionality also in their surveillance activities.

                      The European Parliament is responsible for providing democratic oversight over the activities of the European Union, and has taken a keen interest in the issues raised, as has the European Commission, which forms the executive branch of the EU.  However, the European Council (representing the governments of the EU Member States) has been less demanding.  We are calling for all of them to seek to establish the full truth about the relevant laws and practices, in both Europe and the USA.  We are aware of the “national security” exemptions in the main EU treaties, but these are not and should not be absolute, or seen as granting Member States total exemption from scrutiny in this regard.  The EU Charter on Fundamental Rights, which has fundamental status in the EU (even in relation to UN Security Council decisions) and explicitly demands full protection of personal data, cannot be simply ignored in this context.  Ultimately, it is for the European Court of Justice to determine the scope of the exemption, but we already note that the US’ NSA’s activities are manifestly not limited to national security as defined in international law.  We are therefore urging the EU bodies to address the issues to the fullest extent possible within their legal competences.

                      The Council of Europe (CoE), as the oldest, broadest European institution, has the main responsibility for upholding human rights and the rule of law throughout the territory of its 47 Member States.  Its mandate, in particular in relation to human rights and the upholding of the European Convention on Human Rights, does not exclude matters relating to national security.  On the contrary, the standards that we cite in our submission have been mainly developed by the European Court of Human Rights in its case-law under the Convention.  All European States are legally obliged to “secure” full protection of these rights and freedoms.  Within the Council of Europe, responsibility for the upholding of these standards is shared between the Secretary-General and the Committee of Ministers (representing the CoE Member States), the Parliamentary Assembly of the Council of Europe (PACE), and the Court.

Effective action on the issues addressed in this submission will require the involvement of all of the above.  For that reason, we address this submission to all of them.

I.                   General:

1.                  The activities of national security agencies in Europe and the USA, and the arrangements under which they cooperate, have been outside the scope of effective democratic oversight and outside clear legal frameworks for too long; they must be brought under the Rule of Law.

2.                  For Europe, that means those activities must be made to comply, in law and in practice, with the relevant minimum European human rights standards developed by the European Court of Human Rights under the European Convention on Human Rights (ECHR) summarised below, at II, and in Attachment 1.  At present, it appears that several European States are not complying with these standards.

3.                  These European constitutional standards are in line with the global (UN) standards enunciated by the Human Rights Committee acting under the UN International Covenant on Civil and Political Rights (ICCPR) and others, briefly noted in Attachment 2.  All European States and the USA are parties to the ICCPR in particular.

4.                  For the USA, this means that it, too, should bring its activities in line with these standards.  As a first step, US surveillance law and practice (in relation to surveillance of both US citizens and non-US/European citizens) must be made totally clear, and any divergence from those standards must be made public.  Only that will allow for sensible discussions on how to bring those activities into line with international standards.  Current US law as far as currently known is summarised below, at IV, and in Attachment 3.

II.                European requirements:                         

(For more detail, see Attachment 1)

5.                  If an agency of any European State is given powers under the laws of that State to gather information on (the communications- or other data of) anyone, be that within Europe or not, then that activity must be regarded as being done “within the jurisdiction” of the State concerned.[1]  This means that, in relation to any surveillance activity by any European State, on anyone, wherever they are, the State in question must comply with the minimum European standards, set out in Attachment 1, which are directly derived from the ECHR case-law.

6.                  Moreover, from a European perspective, any spying on Europeans and non-Europeans living in Europe, by any non-European State, anywhere in the world, should meet the same minimum European-constitutional and the similar UN standards, set out in Attachment 2.

7.                  Non-European national security agencies should not seek or gain direct access to any personal data held in Europe (e.g., by asking US companies to “pull” data from their Europe-based servers, or to allow US agencies to query the data in Europe, and hand over the results):  that infringes the sovereignty of the relevant European States (PCIJ, Lotus judgment, pp. 18-19).[2]  Instead, they should seek such access through bi- or multilateral assistance treaties, under arrangements similar to Mutual Legal Assistance Treaties (MLATs) for law enforcement agencies;  and those treaties should in substance and process conform to the minimum European-constitutional and international standards.

8.                  Failure of a European State to prevent improper spying by non-European countries constitutes a breach of that country’s “positive obligations” under the ECHR.  Active support for, complicity in, or even passive condoning of such spying would breach the State’s primary obligations under the ECHR.

9.                  In addition, European States and the European Union should ensure that personal data on Europeans and non-Europeans living in Europe, if held on US-based “cloud” servers, will be accessible to the US national security agencies only on the basis of clear and published provisions of treaty arrangements that also meet those European-constitutional and international standards.

III.              USA requirements:                                               

(For more detail, see Attachment 3)

10.              The First and Fourth Amendments to the US Constitution in principle guarantee the right to free speech and freedom from unreasonable searches to US citizens.  However, even domestically, this protection is weakened by the “third party” doctrine on personal data and the relaxed “pen/trap” rules on searches.  Secret rulings of the FISA Court reportedly further erode these rights, arguably in unconstitutional ways.  Those rulings are being challenged in the US courts.  Here, we may note that current US law and practice, even with regard to spying on US citizens, falls short of European and international standards.

11.              Moreover, it has become clear that non-US citizens outside the USA do not enjoy even the limited protections of the First and Fourth Amendments:  they can be spied upon arbitrarily by US agencies, without any meaningful substantive or procedural limitations, in clear breach of international standards on privacy generally, and on privacy and freedom of expression on the Internet in particular.  Under international human rights law, those guarantees should be afforded to “everyone” affected by the measures.

IV.             How to address the issues:  our demands

12.              The ultimate aim should be for both the US and the European legal systems to offer high-level privacy/data protection to “everyone”, in line with the established European minimum standards (set out in Attachment 1), that are also in line with UN standards (set out in Attachment 2); and for those standards to be adhered to in practice by the USA, all European States, and the EU, whether acting independently or jointly.

To this end, we demand urgent action from both the US and the European institutions.

Demands for review and redress from the USA:

i.                    Clarity about the law, and honesty about practice:

13.              We demand complete transparency in relation to the scope and detail of US spying activities, and of the bi- and multilateral arrangements between the USA and other States and international organisations, in particular “5EYES”[3], Atlantic and/or European ones, relating to this activity, under which data on the communications and Internet activities of European citizens are intercepted, held, recorded and/or monitored and analysed.

14.              We demand complete clarity about the limitations of the US legal system, and in particular as concerns the apparent fact that it provides insufficient protection to US citizens, and effectively none to non-US citizens.  Following such a full clarification, urgent measures should be taken to bring the US surveillance system fully into line with international human rights- and privacy/data protection standards.

ii.                  The way to achieve this:                    

15.              While we appreciate the establishment of the PCLOB consultation, we do not believe that this is the appropriate forum or process to achieve the required full transparency, or that it will lead to US law and practice being brought fully into line with the requirements of international law.

16.              To be more specific:  we are joining US civil liberty organisations in calling on the US Congress to establish a properly staffed special investigatory committee, on the lines of the 1970s CHURCH Commission, with the power to subpoena witnesses and documents; and to make arrangements to ensure that European institutions, States and NGOs can fully participate in the investigation carried out by this special committee, and indeed in the drawing up of the mandate for this committee.

iii.                The changes to be made

17.              Senior European politicians have called for the extension of US legal protections afforded under US constitutional and federal law to (communications) data on US citizens, to (communications) data on European citizens held in the USA or accessed from the USA by US agencies, just as data on US citizens, held in Europe, is already protected under European human rights- and data protection law.

18.              Reciprocity is indeed an important element in international relations.  However, in the present context, this fails to recognise that while, in respect of their data, Europeans currently enjoy hardly any protection under US laws, the protection accorded to US citizens under those laws is also deficient, and falls below European and wider international minimum requirements.  Raising the level of US legal protection for data on Europeans to the level of protection of data on US citizens therefore still leaves European citizens and US citizens subject to a regime that falls short of international standards.  That is not enough.

19.              We are joining civil liberty organisations in the USA in calling for fundamental changes in US law, to ensure proper protection under the law against non-transparent and undemocratic surveillance.  New laws must be introduced at federal level to provide much stricter rules, open judicial warrants and rulings, and full democratic control, in accordance with international human rights and privacy/data protection standards.  Specifically, we demand that when such laws are in place, they should afford equal protection to US and non-US citizens.

20.              Until this is achieved, the USA cannot be said to offer “adequate” protection to data, in relation to any of the areas for which the European Commission has (wrongly) held it to offer such protection:  the “Safe Harbor”, the disclosure of PNR data, and the making available of SWIFT data (see below, para. 29).

Demands for review and redress from Europe:

i.                    Clarity about the law, and honesty about practice:

21.              European States are not blameless when it comes to surveillance:  in spite of a much stronger legal regime on paper (under the ECHR), it appears that practice in some (perhaps many) European States also fall seriously short of the European-legal (ECHR) requirements.  Several States, in particular the UK, also seem to have worked closely with the USA (in particular, in ECHELON) in establishing a global surveillance network that appears to blatantly violate European and international law.  We need complete clarity about the laws in the EU- and Council of Europe Member States, and complete clarity about the treaties entered into by European States, and full, honest disclosure about the practices of the national security agencies and –bodies of the EU- and Council of Europe Member States too.


The way to obtain this:                        EU:

22.              The European Parliament has a crucial role to play.  We welcome the European Parliament’s decision to establish a committee of enquiry within the Civil Liberties Committee, and urge it to be broad, to encompass all the threats posed to the rights of European citizens by foreign and EU Member States’ surveillance activities.

23.              We also – but very cautiously and with serious reservations – note the establishment of an EU-US “expert group” to look at these matters.  However, we oppose the excessively limited mandate of this group, and demand full transparency about its composition and activities.  We demand civil society involvement and complete openness for the work of this group.  Without that, its findings and the arrangements it might propose are likely to be incomplete, will lack credibility and, consequently, will be unacceptable.


Although this should be obvious, for the avoidance of any doubt, the EU should make clear, as a matter of urgency, that any disclosure of data on European citizens that is subject to European data protection law (such as financial or airline data, or Europol/Eurojust/etc. data) to, or any access to such data by, national Member States’ national security agencies (NSAs), and a fortiori by third country agencies, is subject to the European data protection rules governing the processing of such data.

Council of Europe

25.              We note the fact that the Council of Europe, which Europe’s main human rights guarantor, is not excluded from addressing matters relating to national security that may affect the human rights of European citizens and indeed of “everyone” affected by measures of CoE Member States.  On the contrary, the European standards set out in Attachment 1 have been developed by the European Court of Human Rights in what is now established case-law, applicable to all Council of Europe Member States (which includes all EU Member States), and indeed to the EU itself (albeit, for now, still indirectly, through “general principles of Union law” and the EU Charter).

26.              Specifically, we call on the Secretary-General of the Council of Europe to exercise his power under Article 52 ECHR to demand of all CoE Member States full disclosure of “the manner in which [their] internal law[s] ensure[s] the effective implementation of” Article 8 of the ECHR in relation to surveillance of electronic communications- and Internet data by their national security agencies; and on the CoE Commissioner of Human Rights, PACE, and NGOs to be fully involved in this enquiry.

iii.                The changes to be made

27.              Until the full truth has been established, and full, appropriate remedial action has been taken to bring the activities of all relevant US agencies in line with international standards, there can be no close cooperation between US and European agencies, or between US and European State’s agencies on the previous, essentially unregulated basis.

28.              Immediate changes:  Given that, as noted above, in para. 20, in the light of the recent revelations, the USA cannot be said to offer “adequate” protection to data in relation to the “Safe Harbor”, the disclosure of PNR data, and the passing on of SWIFT data, the current arrangements are in clear and blatant breach of the primary law of the European Union and, consequently, the EU is legally obliged to immediately suspend all US-related European data protection “adequacy” decisions.

29.              Changes to the General Data Protection Regulation:  Pending adoption of adequate legislation in the USA, European data protection law should ensure that European citizens are clearly warned that, if they provide data to US companies, or to global Internet companies that have links to the USA, use servers in the USA, or are otherwise subject to US FISA and other surveillance orders, their data will not be safe from arbitrary, intrusive surveillance by US agencies.  This is already proposed by senior EU officials and legislators in relation to the General Data Protection Regulation currently in the process of being adopted.  We endorse that proposal.

30.              New treaty arrangements on cooperation between national security agencies:  The post-WWII treaties and arrangements on “national security” and “intelligence” cooperation (including the definitions of these matters) are totally outdated.  We need a complete overhaul of the national and inter-State arrangements on “national security” and “intelligence” cooperation.  The old treaties  – UKUSA, 5EYES, NATO and others –  should be openly discussed and reviewed, and fundamentally changed to bring them into line with the international standards we have adduced.  Without that, we do not live in the free and democratic societies we are made to believe we live in.

– o – O – o –

EDRi and FREE are grateful to Professor Douwe Korff of London Metropolitan University for drafting this paper.


Rue Belliard 20, B-1040 Brussels,

Tel:+32 2 274 25 70



European Digital Rights (EDRi)


European Digital Rights is an association of 35 digital civil rights organisations from 21 European countries. We work together to defend civil rights in the information society.





11 Rue Darwin
1190 Bruxelles


The Fundamental Rights European Experts Group (FREE Group)


 The Fundamental Rights European Expert Group is an NGO whose focus is on monitoring, teaching and advocating in the European Union freedom security and justice related policies.


Attachment 1:


The case-law of the European Court of Human Rights under the European Convention on Human Rights (ECHR) shows the following considerations and requirements of European human rights law relating to surveillance:[4]

                 A system of secret surveillance for the protection of national security may undermine or even destroy democracy under the cloak of defending it.

                 The mere existence of legislation which allows a system for the secret monitoring of communications entails a threat of surveillance for all those to whom the legislation may be applied.

                 In view of these risks, there must be adequate and effective guarantees against abuse.

                 The first of these guarantees is that such systems must be set out in statute law, rather than in subsidiary rules, orders or manuals.  The rules must moreover be in a form which is open to public scrutiny and knowledge.  Secret, unpublished rules in this context are fundamentally contrary to the Rule of Law; surveillance on such a basis would ipso facto violate the Convention.

The following are the “minimum safeguards” that should be enshrined in such (published) statute law, and adhered to in practice:

·                the offences and activities in relation to which surveillance may be ordered should be spelled out in a clear and precise manner;

·                the law should clearly indicate which categories of people may be subjected to surveillance;

·                there must be strict limits on the duration of any ordered surveillance;

·                there must be strict procedures to be followed for ordering the examination, use and storage of the data obtained through surveillance;

·                there must be strong safeguards against abuse of surveillance powers, including strict purpose/use-limitations (e.g., preventing the too-easy disclosure of intelligence data for criminal law purposes) and strict limitations and rules on when data can be disclosed by NSAs to LEAs, etc.;

·                there must be strict rules on the destruction/erasure of surveillance data to prevent surveillance from remaining hidden after the fact;

·                persons who have been subjected to surveillance should be informed of this as soon as this is possible without endangering national security or criminal investigations, so that they can exercise their right to an effective remedy at least ex post facto; and

·                the bodies charged with supervising the use of surveillance powers should be independent and responsible to, and be appointed by, Parliament rather than the Executive.

Under the ECHR, these principles must be applied to anyone who is affected by surveillance measures taken by any Council of Europe Member State under domestic law.

In addition, European States have a “positive obligation” to protect their citizens from surveillance contrary to the above, perpetrated by any other State.  A fortiori, they are under a legal obligation not to actively support, participate or collude in such surveillance by a non-European State.

– o – O – o –

Attachment 2:


Attachment 1 above summarises the European Court of Human Rights’ standards set for “national security” surveillance.  Here, we briefly note that the same standards are also reflected in law and guidance issued at the global level by the United Nations, and by other international organisations, albeit not always in the same detail.

The primary instrument in this respect is the UN International Covenant on Civil and Political Rights (ICCPR or “the Covenant”), the most important binding global human rights treaty, to which all European States and the USA (indeed, almost all UN Member States) are parties.  It is applied and interpreted by the Human Rights Committee, which has issued important relevant guidance.

Further important guidance has been provided in the 1996 Johannesburg Principles on National Security, Freedom of Expression and Access to Information (drafted by Article 19 and other NGOs but endorsed by the UN Special Rapporteur on Freedom of Opinion and Expression) and more recently in statements and reports by that Special Rapporteur and special rapporteurs from other international organisations.  Also relevant is the guidance issued by the Organisation for Security and Co-operation in Europe (the OSCE), to which again all European countries and the USA (and Canada) are parties.

Here, it may suffice to note that all of these stress the same core principles as are stressed by the European Court of Human Rights:

                  –    “national security” must be defined narrowly (see the “Tenth Anniversary Joint Declaration” by the UN Special Rapporteur on Freedom of Opinion and Expression, together with the OSCE Representative on Freedom of the Media, the Organization of American States (OAS) Special Rapporteur on Freedom of Expression and the African Commission on Human and Peoples’ Rights (ACHPR) Special Rapporteur on Freedom of Expression and Access to Information; also the Johannesburg Principles, Principle 2(a) as well as Principle 1.2);

                   –   any interference with the freedom to seek, receive and impart information by any medium (including the Internet), including e-communications- and Internet surveillance, must be based on “law”, i.e., on clear and specific, published legal rules (and published legal interpretations of the rules):  an interference with privacy and communications can be “arbitrary” – and thus in breach of international human rights law, including the ICCPR –  even if it is in accordance with domestic law;

                    –  the law must limit any such the interference to what is “necessary” and “reasonable” or “proportionate”; and

                     – the law must provide for an “accessible and effective remedy” against the interference.

On all of the above, see General Comment 16 on Article 17 ICCPR, paras. 3 and 4; General Comment 31 on General Legal Obligations Imposed on States Parties to the Covenant, para. 15ff.;  and the reports by the Special Rapporteur passim).

                    –  the requirements of “law”, “necessity” and “proportionality” also apply in relation to measures taken to protect national security (Johannesburg Principles, Principles 1.1.(a) & (b), 2(a) & (b)).

Moreover, in assessing the questions of “necessity” and “proportionality” in particular, the Human Rights Committee and the UN Special Rapporteurs will take into account exactly the same kinds of factors as are listed in the case-law of the European Court of Human Rights.

Two related matters deserve special mention in the present context:  the application of international human rights law to the extraterritorial accessing (or “pulling”) of data from servers in another country;  and the duty to extend the rights enshrined in the ICCPR to all individuals without distinction as to nationality or other status.  Specifically:

                 Article 2(1) of the ICCPR requires all States Parties “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.

                 In the view of the Human Rights Committee:

This means that a State party must respect and ensure the rights laid down in the Covenant to anyone within the power or effective control of that State Party, even if not situated within the territory of the State Party. … [T]he enjoyment of Covenant rights is not limited to citizens of States Parties but must also be available to all individuals, regardless of nationality or statelessness, such as asylum seekers, refugees, migrant workers and other persons, who may find themselves in the territory or subject to the jurisdiction of the State Party. (General Comment 31, emphasis added)

                 Although the Committee has not yet issued any further views or general comments on the matter, it must be assumed that if a State gives itself legal powers to access (or “pull”) data on individuals, when those data are situated outside its physical territory, that State is “exercising jurisdiction” (to be specific: “enforcement jurisdiction”) extra-territorially, in the State where those data are located.  As noted in the body of this paper with reference to the Lotus case, if this happens without the consent of the other State, it violates the sovereignty of that other State.  Here, it should be noticed that that aside, such extra-territorial action by the first State would also mean that that State is asserting “jurisdiction” over those data.  In respect of their data, the individuals concerned are made to be “subject to [the State’s] jurisdiction”.

                 In any such extra-territorial cross-border accessing (or “pulling”) of data, the State in question must therefore comply with all the general requirements of the Covenant (clear, foreseeable “law”; “legitimate aim”, “necessity” and “proportionality”), and with the requirement of Article 2(1), that it affords the protection of Article 17 to the persons affected irrespective of their nationality or other status.

In sum:  The UN standards are fully concordant with the European ones set out in Attachment 1.

– o – O – o –

Attachment 3:


In the USA, communications data and personal information on US citizens (and on some minor categories of non-US citizens living in the USA) are in principle granted protection under the First and Fourth Amendments to the US Constitution, providing protection of free speech and freedom from unreasonable searches.


1.                  There is no general, cohesive, broadly-applicable federal privacy law.  Rather, there is only a largely incoherent and sectorally-based patchwork for federal and state laws, which provide serious privacy protection only in certain areas and respects. See: Chris Hoofnagle, Country Study on the USA, prepared for a wider EU study on New Challenges to Data Protection, at:

2.                  The Electronic Communications Privacy Act (ECPA) allows for the monitoring of communications “meta” data (data on the devices involved in the communications, time, duration, location, etc., but not the contents of communications) on the basis of a “pen register or trap and trace device” warrant, that will be issued on the basis of simple certification by a government attorney that such information is “relevant” to an “ongoing criminal investigation”; there is no need to show “probable cause”, and there is no meaningful judicial oversight. This is because in Smith v. Maryland, the Supreme Court ruled that use of a pen register does not constitute a search, and is thus not protected under the Fourth Amendment.  The surveillance carried out under ECPA, even on US citizens, is extensive and includes massive amounts of e-communications data.  For further details, see: Douwe Korff, Presentation on behalf of EDRi at the EU – USA Privacy Conference, Washington DC, 19 March 2012, available at:

3.                  The PATRIOT Act and FISA Acts allow even more extensive surveillance over US citizens.  Even on their face, the rules in these Acts fall far short of international-legal requirements.  However, the rules have been even further weakened, to the extent that they now reportedly provide hardly any constraint at all, even in respect of US citizens, in relation to national security and “foreign intelligence” matters, by means of secret rulings by the secretive FISA Court.  See: New York Times, 6 July 2013, In secret, court vastly broadens powers of NSA, at:

4.                  The constitutionality of these secret FISA Court rulings is doubtful, and they are being challenged in the US courts.  See: and  5.

                  In any case, and most worrying to Europeans, the First Amendment does not protect the relevant rights of non-US citizens not in the USA (so-called “excludable aliens”):  “[T]he interests in free speech and freedom of association of foreign nationals acting outside the borders, jurisdiction, and control of the United States do not fall within the interests protected by the First Amendment.”

(DKT Memorial Fund Ltd. v. Agency for Int’l Dev., 1989, quoted in Chevron Corporation v. Steven Donziger et al., U.S. District Judge Kaplan order of June 25, 2013).

6.                  Non-US citizens not resident in the USA similarly do not benefit from the protection of the Fourth Amendment, which does no apply if the person affected by a “search” does not have a “significant voluntary connection with the United States (US v. Verdugo-Urquidez, 1979).  Like the First Amendment, the Fourth Amendment only protect “the people”, i.e., US citizens and some eligible (US-resident) aliens.

7.                  Finally, the FISAA §1881a allows US agencies, including in particular the NSA, to capture and trawl through any data, including e-communications and Internet data, of or on any non-US citizen with essentially no constraints.  All that is required is that the capturing and trawling does not inadvertently relate for more than 50% to US citizens, and that the data that are being looked for are “of interest” to “foreign affairs matters” of the USA:  the exercise of these essentially arbitrary powers is not limited to serious offences or terrorism, or to threats to US (or US allies’) national security.  See the report by Caspar Bowden et al. to the European Parliament, Fighting Cybercrime and Protection Privacy in the Cloud, 2012, and the subsequent article by him and Judith Rauhofer, Protecting their own:  Fundamental rights implications for EU data sovereignty in the cloud, 2013, available at, respectively:

In sum:  The US Constitutional Amendments’ protections (as applied) and US Federal and State laws fall short of international standards.  Under ECPA and the PATRIOT and FISA Acts, as further weakened by the secret rulings of the FISA Court, even US citizens enjoy little protection against widespread and intrusive surveillance by US national security agencies in relation to over-broadly-defined “intelligence” matters, in particular in relation to “meta” communications data and Internet data.  In relation to US citizens, this may be unconstitutional.  But non-US citizens outside the USA enjoy not even the (already too low) protection accorded to US citizens:  they can effectively be spied upon arbitrarily, without any meaningful substantive or procedural limitations.  Moreover, the US surveillance activities under FISAA in particular do not appear to be limited to matters of “national security”, properly (restrictively) defined, for neither US citizens or non-US citizens.

– o – O – o –

[1]               Note that this is the case, even if the exercise of that jurisdiction would violate the sovereignty of another State, e.g., because it concerned data in another country (cf. the Lotus case, referred to in para. 7):  the fact that the act was contrary to international law of course does not mean that the State perpetrating the act is not bound by its human rights obligations; that would be perverse.  The point we make here is that in the circumstances described, the State is bound to comply with the European Convention on Human Rights, because the acts concerned are “within its jurisdiction”.  While generally territorial in nature, this concept also covers acts carried out by State bodies within their home country (or territories of the State overseas) under domestic legislation that affects individuals in other countries.

[2]               This is also the view of the vice-president of the European Commission, Viviane Reding, who issued a statement on 25 July 2013, saying:  “The [EU’s new General Data Protection Regulation] will also provide legal clarity on data transfers outside the EU: when third country authorities want to access the data of EU citizens outside their territory, they have to use a legal framework that involves judicial control. Asking the companies directly is illegal. This is public international law.” See: (emphasis added)

[3] The alliance of intelligence operations between the USA, UK, Australia, Canada and New Zealand.

[4]               See the cases of Klass v. Germany (Judgment of 6 September 1978), Weber and Saravia v. Germany (Admissibility Decision of 29 June 2006), Liberty and Others v. the UK (Judgment of 1 July 2008), and Kennedy v. the UK (Judgment of 18 May 2010).  See in particular the summaries in Weber and Saravia, paras. 93 – 95, and in Kennedy, paras. 151 – 154 (which quote Weber and Saravia, paras 93 – 95, thus reemphasising that the approach there summarised is now regarded as settled case-law).

After PRISM : 181 ONGs ask for less surveillance and improved data protection global standards…

International Principles on the Application of Human Rights to Communications Surveillance


Final version 10 July 2013

As technologies that facilitate State surveillance of communications advance, States are failing to ensure that laws and regulations related to communications surveillance adhere to international human rights and adequately protect the rights to privacy and freedom of expression. This document attempts to explain how international human rights law applies in the current digital environment, particularly in light of the increase in and changes to communications surveillance technologies and techniques. These principles can provide civil society groups, industry, States and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with human rights.

These principles are the outcome of a global consultation with civil society groups, industry and international experts in communications surveillance law, policy and technology.


Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and information, and freedom of association, and is recognised under international human rights law.[1] Activities that restrict the right to privacy, including communications surveillance, can only be justified when they are prescribed by law, they are necessary to achieve a legitimate aim, and are proportionate to the aim pursued.[2]

Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications created limits to State communications surveillance. In recent decades, those logistical barriers to surveillance have decreased and the application of legal principles in new technological contexts has become unclear. The explosion of digital communications content and information about communications, or “communications metadata” — information about an individual’s communications or use of electronic devices — the falling cost of storing and mining large sets of data, and the provision of personal content through third party service providers make State surveillance possible at an unprecedented scale.[3]

Meanwhile, conceptualisations of existing human rights law have not kept up with the modern and changing communications surveillance capabilities of the State, the ability of the State to combine and organize information gained from different surveillance techniques, or the increased sensitivity of the information available to be accessed.

The frequency with which States are seeking access to both communications content and communications metadata is rising dramatically, without adequate scrutiny.[4]

When accessed and analysed, communications metadata may create a profile of an individual’s life, including medical conditions, political and religious viewpoints, associations, interactions and interests, disclosing as much detail as, or even greater detail than would be discernible from the content of communications.[5] Despite the vast potential for intrusion into an individual’s life and the chilling effect on political and other associations, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.

In order for States to actually meet their international human rights obligations in relation to communications surveillance, they must comply with the principles set out below. These principles apply to surveillance conducted within a State or extraterritorially.

The principles also apply regardless of the purpose for the surveillance — law enforcement, national security or any other regulatory purpose. They also apply both to the State’s obligation to respect and fulfil individuals’ rights, and also to the obligation to protect individuals’ rights from abuse by non-State actors, including corporate entities.[6] The private sector bears equal responsibility for respecting human rights, particularly given the key role it plays in designing, developing and disseminating technologies; enabling and providing communications; and – where required – cooperating with State surveillance activities. Nevertheless, the scope of the present Principles is limited to the obligations of the State.

Changing technology and definitions

“Communications surveillance” in the modern environment encompasses the monitoring, interception, collection, analysis, use, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person’s communications in the past, present or future. “Communications” include activities, interactions and transactions transmitted through electronic mediums, such as content of communications, the identity of the parties to the communications, location-tracking information including IP addresses, the time and duration of communications, and identifiers of communication equipment used in communications.

Traditionally, the invasiveness of communications surveillance has been evaluated on the basis of artificial and formalistic categories. Existing legal frameworks distinguish between “content” or “non-content,” “subscriber information” or “metadata,” stored data or in transit data, data held in the home or in the possession of a third party service provider.[7]

However, these distinctions are no longer appropriate for measuring the degree of the intrusion that communications surveillance makes into individuals’ private lives and associations. While it has long been agreed that communications content deserves significant protection in law because of its capability to reveal sensitive information, it is now clear that other information arising from communications – metadata and other forms of non-content data – may reveal even more about an individual than the content itself, and thus deserves equivalent protection. Today, each of these types of information might, taken alone or analysed collectively, reveal a person’s identity, behaviour, associations, physical or medical conditions, race, color, sexual orientation, national origins, or viewpoints; or enable the mapping of the person’s location, movements or interactions over time,[8] or of all people in a given location, including around a public demonstration or other political event. As a result, all information that includes, reflects, arises from or is about a person’s communications and that is not readily available and easily accessible to the general public, should be considered to be “protected information”, and should accordingly be given the highest protection in law.

In evaluating the invasiveness of State communications surveillance, it is necessary to consider both the potential of the surveillance to reveal protected information, as well as the purpose for which the information is sought by the State. Communications surveillance that will likely lead to the revelation of protected information that may place a person at risk of investigation, discrimination or violation of human rights will constitute a serious infringement on an individual’s right to privacy, and will also undermine the enjoyment of other fundamental rights, including the right to free expression, association, and political participation. This is because these rights require people to be able to communicate free from the chilling effect of government surveillance. A determination of both the character and potential uses of the information sought will thus be necessary in each specific case.

When adopting a new communications surveillance technique or expanding the scope of an existing technique, the State should ascertain whether the information likely to be procured falls within the ambit of “protected information” before seeking it, and should submit to the scrutiny of the judiciary or other democratic oversight mechanism. In considering whether information obtained through communications surveillance rises to the level of “protected information”, the form as well as the scope and duration of the surveillance are relevant factors. Because pervasive or systematic monitoring has the capacity to reveal private information far in excess of its constituent parts, it can elevate surveillance of non-protected information to a level of invasiveness that demands strong protection.[9]

The determination of whether the State may conduct communications surveillance that interferes with protected information must be consistent with the following principles.

The Principles

Legality: Any limitation to the right to privacy must be prescribed by law. The State must not adopt or implement a measure that interferes with the right to privacy in the absence of an existing publicly available legislative act, which meets a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of and can foresee its application. Given the rate of technological changes, laws that limit the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.

Legitimate Aim: Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society. Any measure must not be applied in a manner which discriminates on the basis of race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.

Necessity: Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a legitimate aim. Communications surveillance must only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights. The onus of establishing this justification, in judicial as well as in legislative processes, is on the State.

Adequacy: Any instance of communications surveillance authorised by law must be appropriate to fulfil the specific legitimate aim identified.

Proportionality: Communications surveillance should be regarded as a highly intrusive act that interferes with the rights to privacy and freedom of opinion and expression, threatening the foundations of a democratic society. Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to the individual’s rights and to other competing interests, and should involve a consideration of the sensitivity of the information and the severity of the infringement on the right to privacy.

Specifically, this requires that, if a State seeks access to or use of protected information obtained through communications surveillance in the context of a criminal investigation, it must establish to the competent, independent, and impartial judicial authority that:

  1. there is a high degree of probability that a serious crime has been or will be committed;
  2. evidence of such a crime would be obtained by accessing the protected information sought;
  3. other available less invasive investigative techniques have been exhausted;
  4. information accessed will be confined to that reasonably relevant to the crime alleged and any excess information collected will be promptly destroyed or returned; and
  5. information is accessed only by the specified authority and used for the purpose for which authorisation was given.

If the State seeks access to protected information through communication surveillance for a purpose that will not place a person at risk of criminal prosecution, investigation, discrimination or infringement of human rights, the State must establish to an independent, impartial, and competent authority:

  1. other available less invasive investigative techniques have been considered;
  2. information accessed will be confined to what is reasonably relevant and any excess information collected will be promptly destroyed or returned to the impacted individual; and
  3. information is accessed only by the specified authority and used for the purpose for which was authorisation was given.

Competent Judicial Authority: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent. The authority must be:

  1. separate from the authorities conducting communications surveillance;
  2. conversant in issues related to and competent to make judicial decisions about the legality of communications surveillance, the technologies used and human rights; and
  3. have adequate resources in exercising the functions assigned to them.

Due process: Due process requires that States respect and guarantee individuals’ human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public. Specifically, in the determination on his or her human rights, everyone is entitled to a fair and public hearing within a reasonable time by an independent, competent and impartial tribunal established by law,[10] except in cases of emergency when there is imminent risk of danger to human life. In such instances, retroactive authorisation must be sought within a reasonably practicable time period. Mere risk of flight or destruction of evidence shall never be considered as sufficient to justify retroactive authorisation.

User notification: Individuals should be notified of a decision authorising communications surveillance with enough time and information to enable them to appeal the decision, and should have access to the materials presented in support of the application for authorisation. Delay in notification is only justified in the following circumstances:

  1. Notification would seriously jeopardize the purpose for which the surveillance is authorised, or there is an imminent risk of danger to human life; or
  2. Authorisation to delay notification is granted by the competent judicial authority at the time that authorisation for surveillance is granted; and
  3. The individual affected is notified as soon as the risk is lifted or within a reasonably practicable time period, whichever is sooner, and in any event by the time the communications surveillance has been completed. The obligation to give notice rests with the State, but in the event the State fails to give notice, communications service providers shall be free to notify individuals of the communications surveillance, voluntarily or upon request.

Transparency: States should be transparent about the use and scope of communications surveillance techniques and powers. They should publish, at a minimum, aggregate information on the number of requests approved and rejected, a disaggregation of the requests by service provider and by investigation type and purpose. States should provide individuals with sufficient information to enable them to fully comprehend the scope, nature and application of the laws permitting communications surveillance. States should enable service providers to publish the procedures they apply when dealing with State communications surveillance, adhere to those procedures, and publish records of State communications surveillance.

Public oversight: States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance.[11] Oversight mechanisms should have the authority to access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information; to assess whether the State is making legitimate use of its lawful capabilities; to evaluate whether the State has been transparently and accurately publishing information about the use and scope of communications surveillance techniques and powers; and to publish periodic reports and other information relevant to communications surveillance. Independent oversight mechanisms should be established in addition to any oversight already provided through another branch of government.

Integrity of communications and systems: In order to ensure the integrity, security and privacy of communications systems, and in recognition of the fact that compromising security for State purposes almost always compromises security more generally, States should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems, or to collect or retain particular information purely for State surveillance purposes. A priori data retention or collection should never be required of service providers. Individuals have the right to express themselves anonymously; States should therefore refrain from compelling the identification of users as a precondition for service provision.[12]

Safeguards for international cooperation: In response to changes in the flows of information, and in communications technologies and services, States may need to seek assistance from a foreign service provider. Accordingly, the mutual legal assistance treaties (MLATs) and other agreements entered into by States should ensure that, where the laws of more than one state could apply to communications surveillance, the available standard with the higher level of protection for individuals is applied. Where States seek assistance for law enforcement purposes, the principle of dual criminality should be applied. States may not use mutual legal assistance processes and foreign requests for protected information to circumvent domestic legal restrictions on communications surveillance. Mutual legal assistance processes and other agreements should be clearly documented, publicly available, and subject to guarantees of procedural fairness.

Safeguards against illegitimate access: States should enact legislation criminalising illegal communications surveillance by public or private actors. The law should provide sufficient and significant civil and criminal penalties, protections for whistle blowers, and avenues for redress by affected individuals. Laws should stipulate that any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information. States should also enact laws providing that, after material obtained through communications surveillance has been used for the purpose for which information was given, the material must be destroyed or returned to the individual.


  1. 7iber (Amman, Jordan)
  2. Access(International)
  3. Acción EsLaRed(Venezuela)
  4. ActiveWatch – – Media Monitoring Agency (Romania)
  5. Africa Platform for Social Protection – APSP (Africa)
  6. AGEIA Densi (Argentina)
  7. (Russia)
  8. Aktion Freiheit statt Angst(Germany)
  9. Alfa-Redi  (LAC)
  10. All India Peoples Science Network (India)
  11. Alternatif Bilişim Derneği (Alternatif Bilişim) – Turkey(Turkey)
  12. Alternative Law Forum (India)
  13. Arab Digital Expression Foundation(Egypt)
  14. Article 19 (International)
  15. ASL19 (Canada/Iran)
  16. Asociación Civil por la Igualdad y la Justicia – ACIJ (Argentina)
  17. Asociación Colombiana de Usuarios de Internet  (Colombia)
  18. Asociación de Internautas Spain (Spain)
  19. Asociación Paraguaya De Derecho Informático Y Tecnológico – APADIT (Paraguay)
  20. Asociación por los Derechos Civiles – ADC (Argentina)
  21. Aspiration (United States)
  22. Associação Brasileira de Centros de inclusão Digital – ABCID(Brasil)
  23. Associació Pangea Coordinadora Comunicació per a la Cooperació (Spain)
  24. Association for Freedom of Thought and Expression – AFTE (Egypt)
  25. Association for Progressive Communications – APC (International)
  26. Association for Proper Internet Governance (Switzerland)
  27. Association for Technology and Internet – APTI(Romania)
  28. Association of Community Internet Center – APWKomitel(Indonesia)
  29. Australia Privacy Foundation – APF (Australia)
  30. Bahrain Center for Human Rights (Bahrain)
  31. Bangladesh NGOs Network for Radio and Communication – BNNRC (Bangladesh)
  32. BC Freedom of Information & Privacy Association (BC FIPA) (Canada)
  33. Benetech (USA/Global)
  34. Berlin Forum on Global Politics (BFoGP)(Germany)
  35. Big Brother Watch (United Kingdom)
  36. Bits of Freedom (Netherlands)
  37. Bolo Bhi (Pakistan)
  38. Brasilian Institute for Consumer Defense – IDEC(Brasil)
  39. British Columbia Civil Liberties Association – BCCLA (Canada)
  40. Bytes for All (Pakistan)
  41. Cairo Institute for Human Rights Studies(Egypt)
  42. Casa de Derechos de Quilmes (Argentina)
  43. Center for Digital Democracy (United States)
  44. Center for Internet & Society India (India)
  45. Center of Media Justice (United States)
  46. Centre for Community Informatics Research, Development and Training(Canada)
  47. Centro de Estudios en Libertad de Expresión y Acceso a la Información – CELE(Argentina)
  48. Centro de Tecnologia e Sociedade (CTS) da FGV  (Brasil)
  49. Centrum Cyfrowe Projekt: Polska (Poland)
  50. Citizen Lab (Canada)
  51. Citizens Network Watchdog Poland (Poland)
  52. (Austria)
  53. Collaboration on International ICT Policy in total East and South Africa (CIPESA) (Uganda / Africa )
  54. Colnodo(Colombia)
  55. Comisión Colombiana de Juristas(Colombia)
  56. Comité Cerezo México (México)
  57. Consumer Korea (South Korea)
  58. Consumers International(International)
  59. ContingenteMx  (México)
  60. (Belgium)
  61. DAWN Network  (International)
  62. DEJUSTICIA (Colombia/International)
  63. Delhi Science Forum (India)
  64. Digital Courage (Germany)
  65. Digital Rights Foundation  (Pakistan)
  66. Digitterra (International)
  67. DiploFoundation(International)
  68. Electronic Frontier Finland – EFFI (Finland)
  69. Electronic Frontier Foundation – EFF (International)
  70. Electronic Frontiers Australia – EFA  (Australia)
  71. Electronic Frontiers Italy – ALCEI  (Italy – Europe)
  72. Electronic Privacy Information Center – EPIC  (United States)
  73. European Digital Rights – EDRI  (Europe)
  74. European Information Society Institute – EISi(Slovakia)
  75. Fight for the Future  (United States)
  76. Foro Ciudadano de Participación por la Justicia y los Derechos Humanos – FOCO (Argentina)
  77. Foundation for Community Educational Media – FCEM (Thailand)
  78. Foundation for Information Policy Research – FIPR (United Kingdom)
  79. Free Network Foundation  (United States)
  80. Free Press (United States)
  81. Free Press Unlimited(Netherlands)
  82. Free Software Foundation Europe(Europe)
  83. Free Software Movement of India  (India)
  84. Freedom Against Censorship Thailand (FACT) (Thailand )
  85. Freedom of the Press Foundation (United States)
  86. Fundación Ambio (Costa Rica)
  87. Fundación Andina para la Observación y el Estudio de Medios  (Ecuador)
  88. Fundación Karisma (Colombia)
  89. Fundación Redes y Desarrollo – FUNREDES (República Dominicana – El Caribe)
  90. Fundación Vía Libre (Argentina)
  91. Global Voices Advocacy(International)
  92. Grupo de Software Libre de Cúcuta(Cúcuta, Norte de Santander, Colombia)
  93. Gulf Center for Human Rights  (Arab Gulf region)
  94. Hackerspace Rancho Electrónico (Mexico)
  95. Helsinki Foundation for Human Rights, Warsaw – HFHR (Poland)
  96. Hiperderecho (Peru)
  97. Human Rights Data Analysis Group(International)
  98. Human Rights Watch – HRW  (International)
  99. ICT Consumers Association of Kenya – ICAK(Kenya)
  100. Independent Journalism Center from Moldova(Republic of Moldova)
  101. Index on Censorship  (United Kingdom)
  102. Initiative for Freedom of Expression(Turkey)
  103. Initiative für Netzfreiheit  (Austria)
  104. Institute des Technologies de l’Information et de la Communication Pour le Developpement – INTIC4DEV (Africa)
  105. Instituto Baiano de Direito Processual Penal – IBADPP (Brasil/Bahia)
  106. Instituto Bem Estar Brasil (Brasil)
  107. Instituto NUPEF (Brasil)
  108. International Civil Liberties Monitoring Group(Canada)
  109. International Media Support – IMS  (International)
  110. International Modern Media Institute  (Iceland / International)
  111. Internet Governance Project, Syracuse University School of Information Studies (United States)
  112. Internet Society Palestine (Palestine)
  113. InternetNZ (New Zealand)
  114. Internews  (United States)
  115. IP Justice  (United States)
  116. Iraqi Network for Social Media (Iraq)
  117. Iriarte & Asociados  (Peru)
  118. ISOC Board of Trustees(International)
  119. IT for Change  (India)
  120. Iuridicum Remedium, o.s.(Czech Republic)
  121. Jonction (Mauritania, Senegal, Tanzania)
  122. Jordan Open Source Association(Jordan)
  123. Journaliste en danger (JED)  (Démocratique du Congo / Africa)
  124. Kenya ICT Action Network – KICTANet (Kenya)
  125. Kenyan Ethical and Legal Issues Network  (Kenya)
  126. La Quadrature du Net  (France/Europe)
  127. Latin American Network of Surveillance, Technology and Society Studies – LAVITS  (Latin America)
  128. Liberty  (United Kingdom)
  129. Liga Uruguaya de Defensa del Consumidor(Uruguay)
  130. Liga voor Mensenrechten vzw  (Belgium)
  131. May First / People Link  (United States/international)
  132. Media Action Grassroots Network – MAG-Net  (United States)
  133. Media Rights Agenda – MRA  (Ikeja, Lagos)
  134. MOGiS e.V. – A Voice for Victims (Germany)
  135. Movimento Mega (Brasil)
  136. Nawaat  (Tunisia)
  137. New York Chapter of the Internet Society(United States)
  138. Oneworld: Platform for Southeast Europe – OWPSEE  (Western Balkans)
  139. Open Internet Tools Project – Open ITP  (United States)
  140. Open Knowledge Foundation  (United Kingdom)
  141. Open Media and Information Companies Initiative – Open MIC  (United States)
  142. Open Net Korea (South Korea)
  143. Open Rights Group  (United Kingdom)
  144.  (Canada)
  145. Pacific Freedom Forum (Pacific Region)
  146. Pakistan Press Foundation – PPF (Pakistan)
  147. Palestinian Center for Development & Media Freedoms – MADA (Palestine)
  148. Panoptykon Foundation (Poland)
  149. Partners for Democratic Change Serbia(Serbia)
  150. People Who  (International)
  151. Privacy & Access Council of Canada(Canada)
  152. Privacy Activism  (United States)
  153. Privacy International (International)
  154. PROTEGE QV (Cameroon/ Africa)
  155. Public Association “Journalists” (Kyrgyzstan)
  156. RedPaTodos  (Colombia)
  157. Reporters Without Borders – RSF  (International)
  158. Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic – CIPPIC (Canada)
  159. SHARE Conference | SHARE Defense  (Balkan Region)
  160. Social Media Exchange  (Lebanon)
  161. Society for Knowledge Commons(India)
  162. Software Freedom Law Centre  (India)
  163. Southeast Asian Press Alliance (South East Asia)
  164. Statewatch  (United Kingdom)
  165. Sulá Batsú  (Costa Rica)
  166. Surveillance Studies Centre(Ontario, Canada)
  167. Surveillance Studies Network  (International)
  168. TagMeNot  Taiwan Association for Human Rights(Taiwan)
  169. TechLiberty (New Zealand)
  170. TEDIC  (Paraguay)
  171. Thai Netizen Network(Thailand)
  172. The New Renaissance Network(Sweden)
  173. TransMediar-Pimentalab [at] Universidade Federal de São Paulo  (Brazil)
  174. University of Campinas – Research Group CTeMe (Knowledge, Technology and Market) (Brasil)
  175. University of São Paulo’s Research Group on Access to Information Policies (GPoPAI-USP) (Brasil)
  176. Ushahidi  (International)
  177. VIBE!AT  (Austria)
  178. Voices for Interactive Choice and Empowerment(Bangladesh)
  179. West African Journalists Association (West Africa)
  180. WITNESS  (International)
  181. Zwiebelfreunde e.V.  (Germany)

[1]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.

[2]Universal Declaration of Human Rights Article 29; General Comment No. 27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999; see also Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” 2009, A/HRC/17/34.

[3]Communications metadata may include information about our identities (subscriber information, device information), interactions (origins and destinations of communications, especially those showing websites visited, books and other materials read, people interacted with, friends, family, acquaintances, searches conducted, resources used), and location (places and times, proximities to others); in sum, metadata provides a window into nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.

[4]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. alone rose from 8888 in 2010 to 12,271 in 2011. In Korea, there were about 6 million subscriber/poster information requests every year and about 30 million requests for other forms of communications metadata every year in 2011-2012, almost of all of which were granted and executed. 2012 data available at

[5]See as examples, a review of Sandy Petland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 – 82.

[6]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at

[7]“People disclose the phone numbers that they dial or text to their cellular providers, the URLS that they visit and the e-mail addresses with which they correspond to their Internet service providers, and the books, groceries and medications they purchase to online retailers . . . I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.” United States v. Jones, 565 U.S. ___, 132 S. Ct. 945, 957 (2012) (Sotomayor, J., concurring).

[8]“Short-term monitoring of a person’s movements on public streets accords with expectations of privacy” but “the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.” United States v. Jones, 565 U.S., 132 S. Ct. 945, 964 (2012) (Alito, J. concurring).

[9]“Prolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than does any individual trip viewed in isolation. Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one’s not visiting any of these places over the course of a month. The sequence of a person’s movements can reveal still more; a single trip to a gynecologist’s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story.* A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups – and not just one such fact about a person, but all such facts.” U.S. v. Maynard, 615 F.3d 544 (U.S., D.C. Circ., C.A.)p. 562; U.S. v. Jones, 565 U.S. __, (2012), Alito, J., concurring. “Moreover, public information can fall within the scope of private life where it is systematically collected and stored in files held by the authorities. That is all the truer where such information concerns a person’s distant past…In the Court’s opinion, such information, when systematically collected and stored in a file held by agents of the State, falls within the scope of ‘private life’ for the purposes of Article 8(1) of the Convention.” (Rotaru v. Romania, [2000] ECHR 28341/95, paras. 43-44.

[10]The term “due process” can be used interchangeably with “procedural fairness” and “natural justice”, and is well articulated in the European Convention for Human Rights Article 6(1) and Article 8 of the American Convention on Human Rights.

[11]The UK Interception of Communications Commissioner is an example of such an independent oversight mechanism. The ICO publishes a report that includes some aggregate data but it does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See

[12]Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, 16 May 2011, A/HRC/17/27, para 84.