BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT –
SEPARATE OPINIONS
cases where “it is clear that material requiring special confidentiality – such
as confidential journalistic material – is being transferred”99? To whom
should this be clear, to the transferring intelligence service or to the judge?
Is there any difference between independent control and independent
authorisation? The vagueness of the Court’s language seems to serve its
intentional watering-down of the specific safeguards pertaining to the
transfer itself.
31. I see no reason for this lowering of the Convention protection in case
of the sharing of bulk data, and the Court does not provide one either.
According to the consolidated Council of Europe and European Union
standards, the sharing of personal data should be limited to third countries
which afford a level of protection essentially equivalent to that guaranteed
within the Council of Europe and the European Union respectively100. The
judicial oversight should here be as thorough as in any other case. This
attentive judicial oversight is particularly warranted when a Council of
Europe member State is transferring data to a non-member State, for the
obvious reason that the future use made of that data by the non-member
State is not under the Court’s jurisdiction. Such judicial oversight should
not be limited by the “third-party rule”, according to which it is prohibited
for an intelligence authority which received data from a foreign intelligence
service to share it with a third party without the consent of the originator101.
C. Bulk interception of related communications data
32. Finally, the Court has acknowledged the highly intrusive potential of
bulk interception of related communications data102, but has failed to
Ibid.
Ibid.
100 The majority ignore the fact that Article 2 of the Additional Protocol to the Convention
for the Protection of Individuals with regard to Automatic Processing of Personal Data,
regarding supervisory authorities and transborder data flows (ETS n.º 181), states that
parties must ensure an adequate level of protection for personal data transfers to third
countries, and that derogations are admitted only when there are legitimate prevailing
interests. The Explanatory Report to that Convention adds that exceptions must be
interpreted restrictively, “so that the exception does not become the rule” (§ 31). It is
important to note that this Protocol has been ratified by 44 States, including 8 non-members
of the Council of Europe. The United Kingdom has not ratified it. In addition to this
Council of Europe standard, the European Union only allows for the transfer of personal
data to a third country which affords a level of protection essentially equivalent to that
guaranteed within the European Union (§ 234 of this judgment).
101 Venice Commission report, cited above, 2015, p. 34 (“The originator or ‘third-party
rule’ should not apply to the oversight body”), as well as FRA, Surveillance by intelligence
services, cited above, 2017, pp. 13 and 106 (“Notwithstanding the third-party rule,
EU Member States should consider granting oversight bodies full access to data transferred
through international cooperation. This would extend oversight powers over all data
available to and processed by intelligence services”).
102 Paragraph 342 of this judgment.
98
99
185