Published in July 2018.
This module is a resource for lecturers
Exercises and case studies
This section contains suggestions for in-class or pre-class educational exercises, while a post-class assignment for assessing student understanding of the Module is suggested in a separate section.
The exercises in this section are most appropriate for classes of up to 50 students, where students can be easily organized into small groups in which they discuss cases or conduct activities before group representatives provide feedback to the entire class. Although it is possible to have the same small group structure in large classes comprising a few hundred students, it is more challenging and the lecturer might wish to adapt the facilitation techniques to ensure sufficient time for group discussions as well as providing feedback to the entire class. The easiest way to deal with the requirement for small group discussion in a large class is to ask students to discuss the issues with the four or five students sitting close to them. Given time limitations, not all groups will be able to provide feedback in each exercise. It is recommended that the lecturer makes random selections and tries to ensure that all groups get the opportunity to provide feedback at least once during the session. If time permits, the lecturer could facilitate a discussion in plenary after each group has provided feedback.
All exercises in this section are appropriate for both graduate and undergraduate students. However, as students' prior knowledge and exposure to these issues varies widely, decisions about appropriateness of exercises should be based on their educational and social context.
Exercise 1: Exploring the meaning and significance of 'metadata'
Play the following short YouTube film which explains what metadata is and its accompanying privacy concerns:
"The NSA and surveillance ... made simple - animation", The Guardian (27 November 2013).
Allow a few minutes of reflection and comment by your students on their initial thoughts about metadata. Was this already familiar to them, or were they surprised about what they have just learned?
Exercise 2: Group discussion on surveillance and privacy
Sarland experienced several consecutive terrorist attacks. In response to these events, it passed a law regulating the provision of communication services by telephone companies. The law obligates individuals to provide their biometric details to the telephone company as a condition for entering into a contract. It requires telephone companies to collect information on the users. The companies are to keep a database with the client's name, biometric data, associated account, a record of telephone calls, the locations from which the individual made the calls, the times of the day during which the individual made the telephone call and the record of the conversation. The law allows law enforcement agents to use artificial intelligence programmes to scan the sets of data held by telephone companies to identify suspicious patterns. To enable the law enforcement officials to achieve this, the law requires the companies to disclose to the government their encryption protocols. A separate clause stipulates that the law enforcement officials should obtain a court order to be entitled to request the telephone company to disclose the information associated with the client's account. Ask the students to work in teams and to comment on the following:
- Whether the law complies with international human rights standards.
- Advise the government how it can amend the law to appropriately balance the need to protect its citizens and their right to privacy.
Exercise 3: Produce a podcast (see Teaching Guide)
Ask your students, whether individually or in small groups, to produce a podcast on issues arising out of this class. It should not be too long - depending on factors such as the size of the class, what access to IT resources students have, whether students do their own or group podcasts, 2-5 minutes maximum should be about right.
You could use the outputs of this exercise in different ways. For example, the podcasts could be made available to all students as an additional teaching resource (indeed, with your students' permission, you may even embed a few of the best ones within your own teaching on these issues). They could be used to encourage e.g. group work or independent research. They could also be used as part of student assessment against pre-defined assessment criteria.
Students could examine many different issues, such as:
- The inherent tensions existing between national security imperatives and the right to privacy.
- Explanation of national/regional/international legal frameworks and jurisprudence on the right to privacy more generally.
- Explanation of national/regional/international legal frameworks and jurisprudence on the right to privacy and surveillance more specifically.
- Undertake comparative analysis of e.g. legislative provision and/or case law existing within different States/geographical regions, including your own.
- Discuss common themes of privacy concern that can arise in relation to surveillance in a counter-terrorism context.
- Examine existing mechanisms for ensuring greater accountability and transparency, including their associated strengths and weaknesses.
Case study 1: Rationales for the protection of the right to privacy
Contrast the way in which different regional human rights bodies justify the need for public authorities to respect the right to privacy.
- The European Court of Human Rights (ECtHR) held in Botta v. Italy* that "[p]rivate life, in the Court's view, includes a person's physical and psychological integrity; the guarantee afforded by Article 8 of the Convention is primarily intended to ensure the development, without outside interference, of the personality of each individual in his relations with other human beings."
- The Inter-American Court on Human Rights (IACtHR) in the case of Fontevecchia and D'Amico v. Argentina** treated the right to privacy as "among other dimensions, the freedom to make decisions related to various areas of a person's life, a peaceful personal space, the option of reserving certain aspects of private life, and control of the dissemination of personal information to the public".
* Case of Botta v. Italy (Application No. 153/1996/772/973), Chamber Judgement of 24 February 1998, European Court of Human Rights, para. 32.
** Case of Fontevecchia and D'Amico v. Argentina, Judgment of 29 November 2011, Inter-American Court of Human Rights, Case no. 238 Series C, para. 48.
Case study 2: Data retention
ECJ judgment on the European Data Retention Directive *
In 2006, the European Union adopted legislation (the Data Retention Directive) intended to harmonize member States' provisions concerning the retention of data which are generated or processed by providers of communications services. The Directive was adopted as a mechanism for facilitating the investigation and prosecution of the most serious crimes, especially terrorism and organised crime. It provides that the service providers must retain traffic and location data as well as related data necessary to identify the subscriber or user for all fixed telephony, mobile telephony, Internet access, Internet email and Internet telephony traffic. By contrast, it does not permit the retention of the content of the communication or of information consulted. The Data Retention Directive was challenged before the Court of Justice of the European Union (CJEU) as a disproportionate interference with the right to privacy. CJEU observed that, while the Directive does not permit the acquisition of knowledge of the content of the electronic communications as such, the collection and retention of traffic and location metadata constitutes a serious interference with the right to privacy.
CJEU then proceeded to examine this interference with the right to privacy in the light of the requirements of a legitimate aim and of proportionality. It noted that the purpose of the retention of the data is their possible transmission to the competent national authorities for the investigation, prosecution and adjudication of serious crime, which genuinely satisfies an objective of general interest (at para. 41).
Although the retention of the data was thus justified by a legitimate aim, CJEU concluded that it was not sufficiently circumscribed to be considered strictly necessary, and therefore failed the proportionality test and constituted a violation of the right to privacy. The reasons for this finding included that:
- The Directive failed to lay down objective criteria which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that may be sufficiently serious to justify such an interference (at para. 61).
- Regarding the duration of data retention period, the Directive imposed a minimum retention period of at least six months and a maximum of 24 months. It failed, however, to provide objective criteria based on which the period of retention must be determined in order to ensure that it is limited to what is strictly necessary (at para. 64).
- The Directive does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy (at para. 58). Nor was the Court of the view that the collection of a wide array of information was strictly necessary to prevent the commission of crimes. This would have required the Directive to have specified objective criteria for ensuring that the competent authorities only used the information in question to detect and prevent the commission of particular criminal offences (at para. 62).
- Finally, the Directive did not provide for adequate safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data (at para. 66).
Since this judgment and in response to it, the EU Commission has been "monitor[ing] developments at national level, in particular as regards the assessment by Member States of their data retention legislation".**
* Digital Rights Ireland and Seitlinger and others v. Ireland, Joined Cases C-293/12 and C-594/12, Judgment of 8 April 2014, Court of Justice of the European Union, para. 69.
See further, Yassin Abdullah Kadi and Al Barakaat International Foundation v. Council and Commission, Cases C-402/05 P and C-415/05 P, Judgment of 3 September 2008, Court of Justice of the European Union; Big Brother Watch v. the United Kingdom (Application No. 58170/13), European Court of Human Rights, hearing pending. Statement of facts available.
** See further European Commission, 'Data Retention'.
Case study 3: Electronic (GPS) surveillance
The Uzun case *
Mr. Uzun was suspected of involvement with a terrorist group and a criminal investigation had been launched into charges that he, together with an accomplice, had participated in several bomb attacks designed to kill members of the public. The investigation by German police into the activities of the applicant involved surveillance and the use of phone taps and wireless transmitters. When the applicant and his accomplice destroyed the transmitters and stopped using the telephone, a global positioning system (GPS) device was placed in a car which they regularly used. At trial, the GPS evidence was used to corroborate information received through other surveillance methods and Mr. Uzun was convicted of attempted murder and causing explosions. Mr. Uzun submitted that the authorities' use of the GPS had breached his right to privacy in that it had enabled them to draw up a comprehensive pattern of his movements, to share that with third parties, and to initiate further investigations.
The European Court of Human Rights (ECtHR) found that, although the actions of the police had interfered with Mr. Uzun's rights, his rights had not been violated by the placing of the GPS and the collation and storage of information from it. ECtHR noted that extensive safeguards were available (and had been properly applied in the instant case) to prevent misuse of the power of surveillance. These included: (1) the operation had been subject to judicial supervision throughout; (2) the duration of the operation had to be authorized and approved by a court; (3) an operation involving the tracking of an individual's movements with GPS could only be ordered in relation to a crime of particular gravity; and (4) evidence obtained through use of GPS could be challenged and, if necessary, excluded at trial. Finally, ECtHR noted that the surveillance measures had been proportionate in that: (1) other investigative means had been tried and failed owing to the conduct of the applicant; (2) the investigation was into a serious matter, involving terrorist bombing; and (3) the measures had only been employed for a short period of time. Given the safeguards and proportionality of the measures applied, ECtHR considered that Mr. Uzun's right to privacy had not been violated.
* Uzun v. Germany (Merits) (Application no. 35623/05), Judgment of 2 September 2010, European Court of Human Rights.
Case study 4: Procedural safeguards for electronic surveillance
The Escher case *
In the late 1990s, social conflict, including disorder and violence, arose out of issues of land reform in Paraná, a municipal state within Brazil. Several social organizations were involved in campaigning around these issues. The Military Police of Paraná requested that a specific phone number be monitored. Permission was granted by the court. A second request was subsequently submitted in relation to a phone line used by a different organization without any accompanying justification. This was also granted. Subsequently, various recorded conversations between those using the phone line were broadcast on national television.
The case was brought before the Inter-American Court of Human Rights alleging violations of the rights to judicial guarantees, privacy, freedom of association and judicial protection established in the American Convention. In its judgment, the Court emphasized the importance of independent supervision of surveillance. The Court acknowledged that Brazil had a system for judicial authorization of telephone intercepts in place, and that applications had been filed and approved by a judge in the case at hand.
The Court underscored, however, that the judge has a special role to play in dealing with ex parte applications, such as applications for surveillance measures: "In proceedings whose juridical nature requires the decision to be issued without hearing the other party, the grounds and justification must show that all the legal requirements and other elements that justify granting or refusing the measure have been taken into consideration. Hence, the judge must state his or her opinion, respecting adequate and effective guarantees against possible illegalities and arbitrariness in the procedure in question" (at para. 139).
In considering the way the Brazilian judge in the case had dealt with the applications submitted by the military police, the Court found that these requirements had not been met: "Contrary to the foregoing, [the judge] authorized the telephone interceptions with a mere annotation that she had received and examined the requests and granted them … . In her decision, the judge did not explain her analysis of the legal requirements or the elements that caused her to grant the measure, or the way in which the procedure should be carried out or its duration" (at para. 140). The Court also found that there had been insufficient safeguards to ensure that the private information was not obtained by third parties.
* Escher et al. v. Brazil, Judgment of 6 July 2009, Inter-American Court of Human Rights, Series C No. 199.