The blow dealt to Hungary’s surveillance practices this week by the European Court of Human (ECtHR) Rights could usher in a wave of similar rulings from around the EU.
On Tuesday (12 January) the ECtHR ruled that Hungary’s surveillance of private individuals on anti-terror grounds was illegal. The court took issue with the lack of parliamentary oversight and means for judicial redress in the surveillance programme.
Last October, the European Court of Justice knocked down the 15-year-old Safe Harbour data transfer agreement between the EU and the US, citing the US government’s untargeted surveillance programmes.
In particular, the court objected to the lack of legal means for people to challenge those practices and demand access to their personal data.
This week’s ECtHR case against Hungary marks the first major European court ruling since Safe Harbour on government surveillance in the EU.
The decision comes after heated criticism of the Hungarian government for its restrictions on media and NGOs.
“It’s a big achievement for us that it’s proven now that the Hungarian constitution gives a much lower level of privacy protection than the European minimum standard,” said Mate Szabo, who filed the case with the ECtHR along with one other person.
Hungary has three months to ask for the case to be referred to the ECHR’s grand chamber. If Tuesday’s decision remains final, Hungary would have to change its laws to create safeguards and oversight for its surveillance activities.
A spokesperson for the Hungarian permanent representation to the EU declined to comment and said the government is still examining the court ruling.
Fight against terrorism
Following the recent terrorist attacks, some EU politicians have spoken out in favour of beefing up intelligence agencies and cutting back doors into encryption technologies.
But while politicians debate those measures they say could stem terrorist attacks, a number of cases challenging government surveillance have piled up at the ECHR.
Over the last few years, EU judges haven’t shown much support for government surveillance.
“After a year of terror attacks in Europe, it is a very encouraging thing that the ECHR didn’t want to lower the level of protection of privacy,” said Szabo, who is now director of programmes at the Hungarian Civil Liberties Union.
Tomaso Falchetta, legal officer at London-based NGO Privacy International, said the court’s objections in Szabo’s case “do not sit well with the laws and practices of many European states, which are increasingly resorting to ‘cutting-edge technologies’ to conduct mass monitoring of communications in the name of preventing terrorism.”
Privacy International sent a written intervention to the ECtHR in the case.
Pending cases at ECHR
Several cases still awaiting the ECtHR judges relate to Edward Snowden’s revelations about government surveillance.
Three cases pending judgement were filed between 2013 and 2015 against the UK for its cooperation with the US government’s surveillance programmes. They all reference Snowden by name.
In its most recent annual report, the ECHR lists a total backlog of about 69,900 pending cases at the end of 2014. EurActiv was unable to confirm the number of pending cases concerning privacy.
Some privacy experts say the Szabo case could set a precedent and draw more complaints about surveillance in other EU member states.
“It’s significant because it’s a judgement finding inadequate oversight in an EU member state and it could be replicated in some other member states,” said TJ McIntyre, chairman of NGO Digital Rights Ireland.
In 2014, the European Court of Justice (ECJ) ruled in Digital Rights Ireland’s case against Irish authorities, making the European data retention directive invalid.
According to McIntyre, the ECtHR’s ruling this week in Szabo’s case suggests the court’s track record on data privacy is increasingly on par with the ECJ.
“It’s a telling indication that the Court of Human Rights is taking a strong stance against invasive surveillance and mass surveillance in particular,” he said.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.