The recent NSA and GCHQ revelations have caused significant concern and outcry across the world. The reactions range from claims of constitutional rights breaches to accusations of naivety about international intelligence operations. We wanted to find out what the legal basis of the alleged activities is and talked to an expert in the field, Professor Ian Walden of Queen Mary, University of London.
It is alleged that the US NSA and the British GCHQ have been conducting wide-ranging surveillance activities including monitoring EU institutions and private communications in many European countries? Is there any legal basis for this or would such activities be outright illegal? Which legal framework does apply? Where exactly are the legal conflicts?
There are laws in both the US and the UK that permit the interception of communications content and the gathering of related communications data (i.e. the attributes of a communication session, e.g. number calling/called, time/date etc.). The legal regime under US law is considerably more complex than that in the UK. In the US, there are different rules governing domestic lawful intercept by law enforcement agencies (Electronic Communications Privacy Act of 1986) and the of gathering foreign intelligence information (Foreign Intelligence Surveillance Act of 1978). Both regimes have been significantly amended over recent years, since the terrorist attacks on 11 September 2001, particularly expanding the reach of the National Security Agency over foreign materials. The UK regime is primarily contained in the Regulation of Investigatory Powers Act 2001 (RIPA). In both the US and the UK, the regimes enable the authorisation of both targeted (i.e. person or place) interception and non-targeted interception; the latter in respect of foreign (US) or external (UK) communications. These non-targeted provisions are seemingly the basis for both the NSA and GCHQ’s activities. Both regimes can authorise such surveillance for traditional crime prevention and national security purposes, as well as for less clearly defined purposes, i.e. ‘the economic well-being of the UK’ (RIPA) and the ‘conduct of the foreign affairs of the US’ (FISA). The range of service providers that can be required to provide information to law enforcement or the intelligence services is considerably wider in the US than the UK, e.g. covering cloud computing as well as traditional telecommunication services. The authorisation procedures for such activities differ between the US and UK; the former either involves an executive (i.e. Presidential) or judicial order, while the UK operates on the basis of a executive order (e.g. Home Secretary). Finally, both regimes also have different oversight regimes, the US has a special court for foreign intelligence (FISA), while the UK has an Interception of Communications Commissioner. Overall, on the basis of the information that we have to date, it is likely that there is a claimed legal basis for the reported activities. However, the veracity of such claims needs to be challenged and examined, while there are calls for the rules to be reformed to better limit and control the activities of the NSA and GCHQ.
If GCHQ has been spying on European allies, isn’t this a major breach of European law? If yes, what law exactly is being breached and what would the normal consequences be?
It depends what you mean by spying on ‘European allies’, whether the governments themselves or the activities of their citizens. If the former, it may be lawful under UK law, but illegal under the laws of the other European state. To the extent that such activities are justified for reasons of ‘national security’, then European Union law would not be applicable. Instead, rules of public international law, such as diplomacy, are more likely to be applicable. If the latter, then national and European data protection rules are likely to be applicable, although again the European rules do not apply to matters of national security.
In several EU member states there is a severe public outcry. In Germany it is alleged that up to 500 million private communications a month have been monitored which would be a breach of German constitutional rights. How would you deal with a situation in which an official body of one EU member state is in breach of the constitution of another member state?
As noted in my answer to 2., such activities may be lawful in the UK and unlawful in the targeted jurisdiction. I am not sure what the jurisdictional competence of the German constitutional court is, but I would imagine that it would not be able to find a foreign state or person in breach of the constitution, since such matters are generally directed against the public institutions of the German state. However, I cannot claim to have any expertise in these particular matters.