By Charlotte Dietrich and Thorsten Wetzling
It has become increasingly difficult for democracies to reconcile the concept of security — as an intrinsically national competency — with the realities of an interconnected world. Transnational data flows and international intelligence cooperation have created privacy and human rights challenges that cannot be solved unilaterally.
Two landmark judgements in Europe shook up the international intelligence community this year. At the transatlantic level — following the Court of Justice of the European Union’s (CJEU) invalidation of the Privacy Shield agreement in its ‘Schrems II’ decision — the EU Commission and US government face new negotiations amidst real uncertainty as to whether the ongoing legality of data transfers between the countries can be ensured. In Germany, after a judgement by the Constitutional Court declaring important parts of the foreign intelligence law unconstitutional, the government and legislature now need to inject the existing legislation with a long list of safeguards the Court found to be missing.
Both judgements make a similar point: In a globalised, interconnected world the fundamental rights of individuals cannot be restricted to nationality, or residence. Moreover, these rights should be enforceable even when it comes to the area of national security and intelligence. Against the backdrop of these two court decisions in Europe, we make the case here for a larger, global call to action to better promote and protect the right to privacy when it comes to national security.
The right to privacy is a universally recognised human right. Large-scale communications surveillance by intelligence agencies can cause particularly severe infringements of this right. Millions of us are affected without knowing about it. In addition, surveillance can have chilling effects on democratic life and undermine other fundamental rights such as freedom of the press, assembly, and opinion. Because of this inherent danger, democracies need to make sure that intelligence practice is bound by the rule of law and sufficiently overseen. This is constant work in practice and needs to get better.
Intelligence in a globalised world: a democratic challenge
International intelligence cooperation has grown and intensified significantly over the past few years Intelligence alliances such as Five Eyes, SIGINT Seniors Europe, or Maximator and the Club de Berne show that the intelligence community is becoming ever more tightly interconnected. New technology and transnational threats prompt closer working relations and extensive data sharing among intelligence and security agencies. The German foreign intelligence service BND alone engages in about 450 intelligence collaborations. A large-scale interconnected surveillance network has grown in the shadows of our democracies.
By contrast, the practice of intelligence oversight remains almost exclusively a domestic affair. To date, there are few effective institutions for international oversight cooperation. Rather, national overseers adhere, by and large, to strict national confines when they authorise, review, and control activities— often with technological equipment and prowess far inferior to that of those being controlled.
Despite the Snowden revelations in 2013, surveillance powers have been expanded in most countries rather than curtailed. Bulk surveillance, i.e. the untargeted interception, collection, management, and transfer of telecommunications data, has developed into a standard intelligence practice. The European Court of Human Rights (ECtHR) called the practice a “valuable means” of counterterrorism in its Big Brother Watch decision in 2018, and so did the German Constitutional Court. The practice of bulk communications surveillance is thus likely to stay and expand. While safeguards may apply within national boundaries, most countries’ intelligence law fails to protect foreign nationals abroad from their intelligence services.
This makes it even more important to recall that in our interconnected world, everyone is a foreigner somewhere. Next to safeguards and oversight concerning bulk surveillance of citizens or residents, we need far better rules in national surveillance legislation and, if possible, international covenants to better protect “non-nationals” abroad from surveillance. Moreover, it is no longer sufficient to oversee only what takes place at the national level, data transfers also need far greater scrutiny.
Towards an alliance of democracies with harmonised standards on state surveillance?
We argue that a harmonisation of standards among democracies can be a powerful tool to ensure intelligence remains on democratic grounds and at the same time avoid loopholes in an increasingly internationalised intelligence environment.
In ‘Schrems II’, the CJEU held that personal data transferred outside of the EU must be guaranteed an equivalent level of protection to that set out by the General Data Protection Regulation (GDPR). It ruled that neither the scale of US intelligence activities nor the level of protection and possibility for effective and enforceable individual redress are conforming to such standards. The CJEU, thus, set out that appropriate safeguards against disproportionate government access to data as well as enforceable rights and effective legal remedies are crucial and should be extended to non-nationals. The German constitutional court underlined this in its May 2020 judgement: When conducting bulk surveillance, Germany’s foreign intelligence service must now respect the fundamental right to privacy of foreign nationals abroad and judicial oversight must be strengthened to ensure this.
We see a unique opportunity in these recent court decisions in Europe to promote common standards against disproportionate government access to communications data and the professionalisation of oversight. Admittedly, the Snowden revelations in 2013 have triggered important reforms to intelligence legislations in many democracies but we are still a long way from making those rights and standards more interdependent as the digital era would require. 
The only existing international legal instrument that addresses data processing and data transfers also in the context of national security is Convention 108+ of the Council of Europe. It is a legally binding international agreement on the protection of privacy open to all countries and currently open to ratification.
The respect of civil rights and liberties is the backbone of democracies. To undermine these fundamental rights is to undermine democracy – abroad but also at home. This is detrimental to the national security of every democratic state. Some argue that Schrems II offers an opportunity to create an ‘Alliance of Democracies’ with shared values and interdependent rights. This alliance would offer a robust alternative to authoritarian countries such as China and Russia. They point out that the respect of the rights of citizens of allied countries is crucial for deeper intelligence cooperation and national security. Thus, we submit, common standards among democracies can indeed be beneficial rather than dangerous to the national security of individual countries.
Much is at stake following ‘Schrems II’ — not just for EU-US relations but also more broadly concerning the principles that should guide the transfer of data across jurisdictions. How personal data can and will be protected against disproportionate interference by the state will be a decisive question for the next decade of human rights protection.
Given that this is a problem in all nations and given that technology has evolved to render us far more interdependent while data flows instantly across the globe, it is high time to identify and agree on adequate safeguards so that disproportionate access becomes less likely. In that regard, the recent two court decisions have brought much needed further clarification.
 Jacobs, Bart. 2020. Maximator: European signals intelligence cooperation, from a Dutch perspective, Intelligence and National Security, 35:5, 659-668.
 There have, in the past, been several calls to create such common standards and comprehensive international legal instruments framing intelligence operations, such as an ‘Intelligence Codex’ proposed by the Parliamentary Assembly of the Council of Europe back in 2015. The UN special rapporteur on privacy Joe Cannataci published a draft text for a ‘Legal Instrument on Government-led Surveillance and Privacy’ in 2018. Finally, the European Intelligence Oversight Working Group states in its last report : “[…]common standards and definitions could help define under which circumstances data exchange is regarded as necessary and proportionate, and which minimum level of data protection needs to be in place to sufficiently safeguard individual rights.”
 A modernised version of Convention 108, Convention 108+ was opened for ratification in 2018 as an answer to the growing use of information and communication technologies and the increasing globalisation of processing operations and personal data flows. It explicitly refers to national security cases. In article 11, paragraph 3 the Convention sets out that there is a need for independent and effective review and supervision when data is processed for national security and defence purposes. See: Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data, 17-18 May 2018.The views expressed above belong to the author(s).