Human Rights and Security: An inherent tension?

Constantinos Lycourgos

The establishment of adequate human rights protection was one of the greatest accomplishments of the 20th century. It was achieved through the generalization of the declarations of fundamental rights within national Constitutions, through international conventions, most notably the European Convention on Human Rights, and through the establishment of relevant judicial remedies. However, today, as a consequence of the 9/11 attacks in New York, followed in the recent years by a number of terrorist attacks on our continent, fear has spread in Europe and created the need to fight terrorism by adopting far-reaching and sometimes questionable measures, which bring limitations to our fundamental rights.

One may ask whether we really live in an exceptionally dangerous environment. Statistics show that this is not the case. Europe is much safer than most other parts of the world. And even if we were to limit our examination to Europe itself, we would notice that violent crime has sharply decreased in the last 30 years. However, citing from a recent presentation of one of the very few people worldwide whose job is precisely to reconcile the goal of security and the protection of human rights, namely the British Independent Reviewer of Terrorism Legislation, “the aim of terrorism is ‘a lot of people watching, not a lot of people dead’”. Recent terrorist attacks have been so spectacular that a lot of people have definitely been watching. The feeling has been growing that terrorists can strike anytime, anywhere and any one. Eurobarometer polls show that, in European people’s minds, the two most important issues facing the EU at the moment are immigration and terrorism. Whether this is fully justified or not is of little importance. Besides, the announcements made quite regularly by authorities in countries like France, Belgium and Germany that new attacks have been avoided by arresting those involved show that the problem may be much bigger and the danger not limited to the attacks that have actually materialized.

Security being a priority for the people, it is also an obvious priority for European governments. The securitarian trend is particularly obvious in France, where a state of emergency has been in place for more than a year now. But modern terrorism is international, both in its scope and its mode of operation. As a consequence, mechanisms aiming at preventing and combatting it are established not only at national level but also through regional and international cooperation. Relevant measures have been adopted in particular by the European Union, these appearing as necessary also for an additional reason, namely the disappearance of national borders within the Schengen area, which allows workers, tourists, but also criminals and terrorists to move without controls from one member state to the other.

Common mechanisms to combat serious crime have been put in place, through Europol and Eurojust. A European arrest warrant has been established, and common decisions are regularly taken for the freezing of assets of persons suspected of having ties with terrorist organizations. Furthermore, a directive was adopted, providing harmonized rules on the retention of electronic communications data, the ultimate aim of which was to give law-enforcement authorities, through their access to that data, an additional tool for combating serious crime, including terrorism.  It is the case law of the European Court of Justice (the ECJ) relating to the judicial review of such measures that I would like to briefly present today.

Let me say, first of all, that it is, in my view, symbolically very important, that the measures adopted by the EU for the purpose of combating terrorism fall within the framework of the Union’s ‘area of freedom, security and justice’. Freedom, security and justice: these three elements need to go together. Security is of course important. As mentioned earlier by President Costa, security is a human right. Measures taken to preserve security actually aim at preserving the first among human rights, namely the right to life, enshrined in articles 2 of both the ECHR and the Charter of Fundamental Rights of the EU.

However, security must never be dissociated from liberty and both of them from justice or, in other words, from the rule of law. Disproportionate emphasis on security leads to the idea that security supersedes liberty and other fundamental rights. It also leads to the idea that liberty or the rule of law become a problem and can be disregarded. Faced with such dilemmas, the ECJ has established a case-law resolutely in favor of fundamental rights, which, however, does not ignore the need to take measures which protect security. Given the short time that we have and the need to leave sufficient time for discussion, I will limit myself to the presentation of four important cases: the two Kadi cases,[1] Digital Rights Ireland[2] and Tele2 Sverige.[3]

The first Kadi judgment is particularly important for the external relations of the EU and for the relationship between international and EU law. Its importance for the matter that interests us today relates mainly to the preservation of the rule of law and the affirmation by the ECJ of the rights of the defense and the right to effective judicial review, in the context of orders for the freezing of assets of persons having links with international terrorism. The line that was broadly followed by the Court was very well summarized by Advocate General Poiares Maduro in his opinion on the case: “The fact that the measures at issue are intended to suppress international terrorism [says the AG] should not inhibit the Court from fulfilling its duty to preserve the rule of law. […] Especially in matters of public security, the political process is liable to become overly responsive to immediate popular concerns, leading the authorities to allay the anxieties of the many at the expense of the rights of a few. This is precisely when courts ought to get involved […] Their responsibility is to guarantee that what may be politically expedient at a particular moment also complies with the rule of law without which, in the long run, no democratic society can truly prosper.”

The basic facts of the Kadi case were the following: Mr. Kadi was placed by the Security Council Sanctions Committee on a list of persons considered to be associated with Al-Qaida. A Security Council resolution adopted under Chapter VII of the Charter of the United Nations required that the assets of those persons be frozen. The EU transposed this UN sanction through a regulation that Mr. Kadi attacked before the Union’s Courts. At first instance the General Court refused to review the EU regulation, considering that it was bound by the Security Council resolution.

On appeal, however, the ECJ, expressly noting that, at the time, the protection of fundamental rights at the level of the UN was insufficient,[4] reviewed the lawfulness of the EU regulation transposing the SC measures. Noting that the protection of fundamental rights forms part of the very foundations of the Community legal order[5] and that the respect for human rights is a condition of the lawfulness of all Community acts,[6] the Court held that the obligations imposed by an international agreement or, in that specific case, by a SC resolution adopted under Chapter VII of the UN Charter, could not have the effect of prejudicing the constitutional principles of the EU Treaties, which include the principle that all EU acts must respect fundamental rights, that respect being subject to the Court’s review.[7] The Court clarified that its judgment on the legality of the EU regulation would be relevant only for the EU legal order and would not entail any challenge to the primacy of the SC resolution in international law.[8]

Having overcome the obstacle presented by the SC resolution, the Court went on to review the compliance of the EU regulation with fundamental rights. The Court held that the EU authorities cannot, in the case of persons suspected of links with a terrorist organization, be required to communicate to those persons in advance the grounds of their inclusion in a list for the freezing of assets.[9] It admitted that, even afterwards, overriding considerations relating to safety or the conduct of international relations may militate against the communication of certain matters to them.[10] However, by referring to the case law of the ECtHR, it concluded that it is none the less the task of the EU Courts to apply, in the course of the judicial review they carry out, techniques which accommodate, on the one hand, legitimate security concerns about the nature and sources of information taken into account in the adoption of the act concerned and, on the other, the need to accord the individual a sufficient measure of procedural justice.[11]

In the specific case, the evidence used against Mr. Kadi had not been communicated to him and, consequently, he had not been heard in that connection. The Court thus found that his rights of defense had not been observed and the principle of effective judicial protection had been infringed, this leading to an unjustified restriction of his right to property through the freezing of his assets.[12]

Through this first Kadi judgment, the Court of Justice showed very clearly that considerations relating to security cannot lead to abolishing the rule of law, nor to basic procedural rights being disregarded. However, respect for those rights should not, on the other hand, make it impossible to take measures against the financing of terrorism. We have therefore seen that the Court admitted that the persons concerned would only be afforded a right to be heard after having been included in the list for the freezing of their assets and that, even then, some evidence could remain confidential if disclosing it could pose a safety threat or could affect international relations. It is therefore a balancing exercise that the Court tried to do in that as well as in following cases. We can see it also through the fact that, despite its annulment of the relevant regulation as far as it concerned Mr. Kadi, the Court ordered that the regulation’s effects be maintained for three months, so that the EU authorities would have the opportunity to eventually list again Mr. Kadi through a procedure that would respect fundamental rights.

The same can be seen in the second Kadi judgment, of July 2013. For lack of time I will not go into any detail, but once again, despite improvements, the procedure for listing Mr. Kadi was found to be insufficiently protective of his rights. In this second judgment, the Court had the opportunity to go into more detail on the procedure that should apply where confidential evidence that could not be fully disclosed was involved. May I simply say that, on the basis of this case law, the rules of procedure of both the General Court and the Court of Justice have been adapted so as to provide for the treatment of confidential evidence.

Let me now turn to the two other judgments that I would like to present today, where the ECJ examined the rules on the retention of communications data. This time the issue was not about the rights of persons suspected of being related in any way to terrorist groups, but about massive surveillance schemes. The dilemma put to the Court of Justice was quite precisely the one we are examining today: on the one hand, were the right to privacy and the right to protection of personal data, which are both protected by the EU Charter of Fundamental Rights, the protection of personal data being also achieved through secondary EU legislation (most notably the data protection directive and the e-privacy directive, on the privacy of electronic communications). On the other hand, the rules on the retention of communications data were presented both by the EU institutions and by national governments as an important tool for combating serious crime, including terrorism, and even for preventing terrorist attacks. Faced with such a dilemma, emphasis was placed by the Court on the need to respect the principle of proportionality: an interference with the right to privacy and with the right to the protection of personal data is possible if it is justified for the purpose of achieving an objective of general interest, such as that of combating serious crime and protecting public security, provided that the interference with those rights is limited to what is strictly necessary for that purpose.[13]

So, what were the two cases exactly about?

In the first case, Digital Rights Ireland,[14] the Court examined the validity of the Union’s data retention directive. Adopted in 2006, the Data Retention Directive required that electronic communication service providers retain data on all telephone, mobile and internet communications for at least six months, so that public authorities could access them for the purpose of the investigation, detection and prosecution of serious crime.

The Court held that the  retention  of  data  required  by  the  directive  could  be  considered to be appropriate for attaining the objective pursued by it. However, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue was not sufficiently circumscribed to ensure that that interference was actually limited to what was strictly necessary.[15] The Court noted that the data which telecom service providers were obliged to retain, even though it did not give access to the content of the communication itself, included data allowing to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment. Those data made it possible, in particular, to know the identity of the person with whom a subscriber or registered user had communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. Those data, taken as a whole, could therefore allow very precise conclusions to be drawn concerning the private lives of the persons whose data had been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.

Having therefore noted the seriousness of the interference with the rights concerned, the Court identified a number of problems:

a) the data retention targeted all individuals, all  means  of  electronic communication  and  all  traffic  data  without any  differentiation,  limitation  or  exception being made in the light of the objective of fighting against serious crime.[16]

b)regarding access to the retained data, there were several problems, the most important one being that such access by the competent national authorities was not made dependent on a prior review carried out by a court or by an independent administrative body, [17]

c) regarding the data retention period, the directive imposed a period of at least six months, without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued.[18]. and

d) it did not provide for sufficient safeguards for the effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data that would ensure their full integrity and confidentiality.[19]

Once the Data Retention Directive was declared invalid in light of a lack of compliance with the rights to privacy and data protection, the question became: what happens to all national data retention laws in Member States?

That was dealt with in last December’s judgment in the Tele2 Sverige[20]case.

The day after the judgment in Digital Rights Ireland was handed down, Tele2 Sverige, a provider of electronic communications services established in Sweden, considering that the Swedish legislation transposing the Data Retention Directive was not in conformity with the Charter, notified its decision to cease retaining data. Moreover, it proposed to delete the data which had been retained until then. The matter was referred to the ECJ by the Swedish Administrative Court of Appeal. In parallel, a similar case was referred by the High Court of Justice of England and Wales on the compatibility with EU law of the relevant British law.

In the case of both Sweden and the UK, it was clear that the access of the authorities to the retained data was too wide. It was not limited to the investigation of serious crime, it did not require the previous authorisation of any independent authority or court and the ECJ was told that in practice access was sometimes obtained to the communications data of thousands of people at a time. Therefore, by simply applying the criteria set out in Digital Rights Ireland, it was obvious that EU rules were to be interpreted as precluding such national legislations and that both Sweden and the UK would have to amend their rules on the right to access retained data.

The major issue therefore was whether the Court would reject the mere possibility that a general and indiscriminate data retention obligation, applying to the data of all individuals in the entire territory of a Member State could be compatible with EU rules or whether it would accept such general retention of data, provided that strict rules would apply regarding the protection of, and the right of access to, the data that was retained. The advocate general in his opinion supported the latter option, but the Court, in its judgment of 21 December 2016,  retained the former, holding that, in view of the extent and seriousness of the interference with the right to privacy that the retention of communications data constitutes, a general and indiscriminate retention of data, targeting all individuals, exceeds the limits of what is strictly necessary in order to fight serious crime, and in particular organized crime and terrorism.

However, considering it important to have a balanced approach, the Court clarified that its judgment “does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.” [21] And then the Court goes on, in extensive obiter dicta, to give indications as to what member states could do in order to have data retention legislations which comply with fundamental rights.

As a conclusion, let me draw inspiration from one of the pronouncements of the Court in Tele2 Sverige: While the effectiveness of the fight against serious crime, in particular organised crime and terrorism, may depend to a great extent on the use of modern investigation techniques and the adoption of new measures of coercion, such an objective of general interest, however fundamental it may be, cannot justify that the rule of law and fundamental rights be ignored. It is the role of the judge to make sure that the right balance is struck between efficiency and the protection of the rights of the individual. After all, if democratic rules recede and a category of the population feels that it is unjustly treated, this is the best way to feed the very terrorism that the adopted measures aim to fight.


[1] Judgments of 3 September 2008, joined cases C-402/05 P and C-415/05 P, Kadi and Al Barakaat, and of 18 July 2013, joined cases C-584/10 P, C-593/10 P and C-595/10 P, Commission e.a. v Kadi.

[2] Judgment of 8 April 2014, joined cases C-293/12 and C-594/12, Digital Rights Ireland.

[3] Judgment of 21 December 2016, joined cases C-203/15 and C-698/15, Tele2 Sverige AB and Watson e.a.

[4] Kadi I, paras 319-325.

[5] Kadi I, para. 304.

[6] Ibid. para. 284.

[7] Ibid. paras 285 and 326.

[8] Ibid. para. 288.

[9] Ibid. para. 338.

[10] Ibid. para342.

[11] Ibid. para. 344.

[12] Kadi I, paras 348, 352 and 370.

[13] Digital Rights Ireland, para. 52.

[14] Judgment of 8 April 2014, joined cases C-293/12 and C-594/12, Digital Rights Ireland Ltd e.a.

[15] Ibid., para. 56.

[16]Ibid. para. 57.

[17] Ibid. para. 62.

[18] Ibid. paras 63 and 64.

[19] Ibid para. 66.

[20] Judgment of 21 December 2016, Joined Cases C203/15 and C698/15, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others.

[21] Ibid. para. 108.