Access Now testifies on mass surveillance at European Parliament


On December 2nd, 2015, Access Now policy analyst Estelle Massé delivered a speech at the European Parliament during an event organised by the GUE/NGL group on Mass surveillance and internal security in the EU. Here is the full text of the speech.

Thank you very much for the invitation to speak today on the state of surveillance and its impact on civil liberties. Access Now has worked since 2009 to fight mass surveillance and other practices or legislation that put users around the world at risk. We operate a 24/7 digital security helpline to provide direct assistance to activists, journalists, or users on the ground that need help securing their communications. I am myself part of our international policy team which provides analysis to lawmakers and advances solutions for protecting human rights online. Being based in Brussels and working at EU level, I have spent a large part of the year pushing against legislative proposals from member states seeking to extend surveillance powers.

In the aftermath of the attacks in Paris and Copenhagen in January, and most recently once again in Paris, the response of several EU member states was to rapidly enact surveillance legislation. France is at the head of this unfortunate list, followed closely by the UK. France has historically been a country with a strong tradition of defending human rights. The proud record from the French Revolution and the Enlightenment that inspired many human rights declarations around the world has been blurred in the past two years, which have been particularly liberticide.

Ostensibly in response to terrorist threats, France has passed no fewer than four separate laws extending its surveillance powers since December 2014: the Military Programming law, the Anti-Terrorism law, the Intelligence law, and the International Surveillance law. Together, these laws have made France an all-seeing state, capable of monitoring the population, collecting and retaining personal data for excessive periods, snooping on the private communications of individuals in France or abroad, and the list goes on. Given France’s ever-expanding surveillance authorities, many have seen the government’s immediate response to the most recent attacks as relatively measured and calm. The reality may simply be that there are not many more surveillance powers for the government to seek.

Despite this, France adopted on November 20 new legislation on the state of emergency, which will be in place for the next three months, that has extended the French surveillance state to extremes never before seen in the digital age. The list is quite broad but among other things, this law authorises warrantless house searches night or day, unless the house is occupied by a lawyer or a member of Parliament and warrantless searches of electronic devices where data can be accessed and copied.

In addition to this, on November 24, France notified the European Court of Human Rights of its intention to derogate from certain rights guaranteed by the European Convention (ECHR) and by UN international standards. These derogations, authorised under specific conditions set in the ECHR, could apply to the freedom of expression, the freedom of assembly and association, the right to privacy, or the right to a fair trial. If that is the case, it could mean that France might not be in compliance with the EU Charter of Fundamental Rights.

But the biggest change might be yet to come. François Hollande, the French President, has announced a proposal to modify the French constitution to “adapt the State’s response to emergency situations.” The Prime Minister has been tasked with preparing this proposal, and it is expected to be released in the next few weeks.

Somewhat similar measures are being proposed in the UK through the draft Investigatory Powers Bill, a replacement and extension of DRIPA — the Data Retention and Investigatory Powers Act . Access Now submitted comments to the House of Commons Sciences and Technology Committee to raise concerns and provide facts on a critical part of the bill which foresees bulk data collection, massive interception, hardware and software interference, and an excessive retention period in contradiction with the EU Court of Justice ruling on data retention from April 2014.

This landmark ruling overturned the privacy invasive Data Retention Directive, and the Court confirmed that the legislation disproportionately infringes the right to privacy, putting an end to eight years of human rights violations in the EU — or at least, this was the expected effect. In practice, ever since the Directive was invalidated, we have been faced with a patchwork of reactions in the EU. Eleven member states have seen their national laws overturned in courts, while a few of them, including France, Germany, and the UK, enacted new legislation. Many others wait patiently for guidance from the Commission which has yet to come.

Two court cases on data retention are currently pending at the CJEU. The first is from Sweden, wherein a Swedish telecoms company — Tele2 — is fighting to stop the retention of customer data, challenging the current national rules for law enforcement access to this data. In the second, the UK Court of Appeals has sent the DRIPA case to Luxembourg for clarification. The questions referred to the Court in the DRIPA case are, however, highly political. In a context where the UK government is contemplating leaving the European Union and the European Convention of Human Rights, the UK Court is questioning whether the EU’s highest court acted as a legislator and overstepped its authority by expanding rights, instead of interpreting them.

Despite this contentious context, in these cases the Court has the opportunity to clarify the impact of its ruling on the development of data retention laws in the EU.

There is also the broader context to consider. In a recent communication following the Paris attacks, the Council of the European Union suggests that there is a lack of cohesion among member states regarding interpretation of the decision on the Data Retention Directive. In order to address these differences, the Council is asking EU member states to decide whether they would like the EU Commission to propose a new Data Retention framework. However, looking at the Commission’s track record in these matters and the current political climate, it is not clear that any new framework would adequately protect human rights.

After the Paris attacks, EU Justice ministers also gathered to discuss next steps, and explored issues including new rules on firearms, control of external borders, information sharing, terrorist financing, and the criminal justice response to terrorism and violent extremism — the same issues they had already discussed after the attacks in January. Policymakers also issued a new call for the swift adoption of the EU Passenger Name Record (PNR) directive — privacy invasive legislation — despite the fact that authorities knew about all the flights taken by the Paris attackers, and the perpetrators traveled mainly in cars. There is no evidence that PNR would have helped prevent the attacks, yet it remains a threat to fundamental privacy.

EU legislators must learn from past mistakes. Citizens had to wait eight years for the Data Retention Directive to be invalidated, and 15 years for the Safe Harbour to be suspended. While the Court is becoming the fundamental rights watchdog, repairing mistakes from the legislature, it is impossible for citizens to get reparation for the many years that their human rights have been violated.

Our democracies are based on the protection of universal human rights. This protection must be ensured throughout the legislative process, at every level, and not left to judicial power. We have learnt the hard way that fast-tracked, short-sighted legislation harms users’ rights, undermines legal certainty, and weakens the basis of our societies. Consider the government reactions to previous attacks — including those in Mumbai in 2008 and New York in 2001. At the time, authorities sought additional powers to fight emerging threats. Unfortunately, the measures taken did not necessarily provide greater security, and often clamped down on the human rights of their citizens. Years later, we are still trying to roll back many of those hastily made decisions.

As many French, I felt helpless in front of these attacks and acknowledge the need for reforms. Changing our way of life in response to these attacks would make us live in fear, not freedom. We must respond by being more vigorous in defense of our values and principles. Today, more than ever, we need leadership to address our security challenges. The answer must be one that upholds human rights. If not reformed, the surveillance measures already adopted in the EU will continue to interfere with users’ right to privacy and freedom of expression.

Any new legislation should protect these rights. Governments can choose to implement the global “necessary and proportionate” principles for surveillance using the policy implementation guide that has been developed for them. For instance, communications surveillance should only be requested when there is no less intrusive means that can be used and if there is a necessity for search.

There is a way to ensure that people who represent a threat to others are apprehended rapidly, without doing harm to human rights. It is not about more data but more cooperation between law enforcement agencies. In most of the attacks that took place in the EU in the past, the attackers were known from at least one national intelligence services but the information was not shared.

We must learn from past mistakes. We need leadership not just to keep us safe, but also to protect our most cherished values and human rights.

Thank you very much.