Finland: Legalized Mass Surveillance on the Horizon?

Is surveillance getting worse in Finland? Nomi Byström, Executive Director of Electronic Frontier Finland, on surveillance and data protection in Finland.

Article by Nomi Byström, Executive Director of Electronic Frontier Finland, license: CC BY-SA 4.0 – read also articles on surveillance in the Netherlands and Switzerland by local data protection organisations.

Digitalization inspires the good, the bad and the ugly. We have witnessed initiatives for some of which the sky is the limit. Or, to be more precise, space. A working group on fair and intelligent transport led by Jorma Ollila, chairman of Royal Dutch Shell and formerly chief executive of the Finnish mobile phone maker Nokia, proposed GPS satellite tracking of cars to determine road-user charges. The invasive implications for the right to privacy of this kind of surveillance of all cars, unprecedented by any standards, would have been extraordinary. It would certainly have violated the Personal Data Act.

Regarding data protection, after the Court of Justice of the European Union (CJEU) in April 2014 found the Data Retention Directive to gravely interfere with the fundamental rights to respect for private life and to the protection of personal data, Finland was urged to wake up and examine its own legislation. The Minister of Education, Science and Communications noted that changes need to be made regarding telecommunications service providers retaining subscriber data.

Gearing up for the internet surveillance law

However, without doubt, the number one digital – and national – bone of contention in Finland is the proposed new internet surveillance law. Unlike its neighbours Sweden and Russia, for example, Finland has no such legislation. First and foremost it is the security authorities that have called for legislation to grant them the right to carry out cyber surveillance. Nevertheless, there has been no unanimity even on the name of the planned law, let alone its contents.

With the Snowden revelations, there is profound anxiety that Finland could end up sliding down the slippery slope and follow the path of the United States or England. Questions abound: how extensive will the powers be that are granted to the Finnish Defence Forces and, especially, Supo, the country’s Security Intelligence Service? At the moment Supo has no legal authority to monitor internet traffic. Moreover, with the planned new law, what will happen to the right to privacy and the freedom of expression? According to the country’s Constitution (Section 10.2), “The secrecy of correspondence, telephony and other confidential communications is inviolable.” This right is not absolute, though: the same Section (10.3) contains the limitations to the secrecy of confidential communications that are allowed: only those that are provided by law as “necessary in the investigation of crimes that jeopardise the security of the individual or society or the sanctity of the home, at trials and security checks, as well as during the deprivation of liberty.” Will Finland even resort to altering the Constitution in favor of the proposed law?

And the worries do not end here, for there may even be wider implications. Could Finland end up in a situation where it would violate the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union? Nor should the country ignore the two landmark rulings made by the CJEU. Earlier it had declared the Data Retention Directive invalid; on October 6 of this year it did so to the Commission’s US Safe Harbour Decision. And last but not least, as the economic woes of the country see no end: is Finland going to risk its international reputation as a trustworthy hub of data traffic?

Effi’s position

The previous government began preparing for the draft law and this year a report by the Ministry of Defence working group was published on January 14. The Guidelines for developing Finnish legislation on conducting intelligence recommends that both military and civilian authorities in charge of national security should be granted powers to conduct cross-border intelligence. An independent authorization process is to be made part of the cyber intelligence. In addition, an independent system of supervision should be created to this end. The report notes that “it would appear that it is not possible to draft legislation relating to telecommunications interception and access without amending the Constitution.” Over a hundred and fifty organizations, ministries, professors, parties, individuals, etc. were approached to give their statement, including Electronic Frontier Finland (Effi).

Effi gave its legal opinion regarding the report. It welcomes that intelligence, necessary for defence, will be brought within the scope of legislation. Effi also welcomes that the report does not deny the right of individuals to protect themselves from surveillance (for example by banning encryption) or impose backdoors on companies. However, the report contains several red flags because it recommends a route that would lead to de facto access to the entirety of online traffic. This would be in conflict with the Constitution, entail violations of fundamental rights enshrined in international conventions and create a chilling effect on people due to the sense of being constantly monitored. The rule of law and respect for data protection, privacy and confidential communications must be ensured. This, according to Effi, signifies that a distinction is to be made between military and civilian intelligence. Supo is to be granted the legal right to carry out surveillance of online communications solely in situations where criminal activity is suspected.

Effi has eight essential points for the planned legislation. Since the law proposes what amounts to mass surveillance, it should not ignore fundamental rights or be in contradiction with international conventions. Moreover, relevant rulings are to be respected, first and foremost the judgment by the Court of Justice of the European Union in the joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others of April 8, 2014 where the court found the Data Retention Directive to be invalid due to its incompatibility with the EU Charter of Fundamental Rights, especially its Article 7 (Respect for private and family life) and Article 8 (Protection of personal data). Likewise in the historic Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the Court observed: “In particular legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (…).” (Point 94) Moreover, “(…) legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter (…).” (Point 95)

Second, to control warrantless surveillance, Effi recommends that the internet operator, on the basis of a warrant, permit access to internet traffic within defined limits. And, third, it is essential that those who conduct surveillance are themselves kept under effective supervision in order to ensure that they do not overstep their authority. It is recommended that the supervisory body consist of members of the judiciary, political representation and the Data Protection Ombudsman.

Fourth, to provide transparency it is essential that accurate and detailed statistics be published on the cyber intelligence conducted. The statistics should at least comprise the following: the total number of warrants within a specified time period; the size of the domain, amount of data, individuals and time period that each warrant has covered. Additionally, surveillance information should be available whose veracity the supervisory body can check. Statistics can be massaged. Hence it is of paramount importance that the supervisory body has the duty to continually compare actual surveillance with the provided statistics and can provide, for example, a yearly public report. One need hardly be reminded how the vociferous claims that US National Security Agency (NSA) mass surveillance had thwarted 54 terror plots were withdrawn after having been proven to be baseless.

The fifth and sixth points emphasize the protection of fundamental rights. Exchange of information is part and parcel of intelligence. However, this should be strictly regulated and controlled so that grave violations of fundamental rights are avoided, such as has happened in the case of the Five Eyes (an alliance consisting of the United States, United Kingdom, Australia, New Zealand and Canada), where intelligence agencies have spied on one another’s citizens and exchanged and shared the data with each other so that they can avoid observing domestic legislation that restricts surveillance of their own citizens. Accordingly, sixth, the law is to permit Supo to carry out surveillance of online communications strictly confined to situations where criminal activity is suspected.

Seventh, to avoid a vicious circle of escalating methods of surveillance, any permission that may be granted to an intelligence agency is to be limited to access solely to real-time data traffic, not to the data subjects or endpoints. Encryption especially, increasingly favored by companies such as Apple and Google to protect the privacy of users, is a tempting excuse for more invasive mass surveillance, and escalation of ever more invasive surveillance is to be prevented. The rights to privacy and data protection are to be maintained.

The eighth and final point stresses that data security, rather than surveillance, is the way forward to ensure that the right to privacy and trust in technology are not eroded. Internet surveillance creates fundamental ethical challenges and, paradoxically, may lead to a greater sense of insecurity rather than what is proposed to be ensured. What a chilling effect on democracy the legislation will have if everyone has to fear that the internet traffic is being monitored. No less, Finland’s reputation as a safe haven ensuring data security may be damaged, even beyond repair. Nor should the needs of business and industry be ignored. Both are very concerned that the law could undermine both competitiveness and attractiveness for investments.

The devil is not in the detail but out in the open

On the basis of the statements, a follow-up report by the working group was published on June 30, and it emphasizes the urgency of the need to develop legislation due to international considerations. While not failing to acknowledge Effi’s input amongst others, the latter report suffers from a very similar flaw as its January predecessor. The devil is not in the detail, but in the missing guarantees of respect for fundamental rights. And on August 20, the Finnish Government officially launched the preparation of the legislation. Until then, there remained a dim possibility that no mass surveillance law would be enacted.

Now the core issue is: even with prospective new legislation – the precise contents of which at the time of writing still remain unknown – there is no escaping the fact that the country is bound by and must respect its international human rights obligations as well as the EU Charter of Fundamental Rights. And while even the Finnish Constitution may end up being changed, they will not.

updated: November 11th, 2015