EHRM, 25-05-2021, nr. 35252/08

As noted by the Chamber, it has not been disputed by the parties that the Swedish signals intelligence activities have a basis in domestic law (see paragraph 111 of the Chamber judgment). It is further undisputed that the impugned signals intelligence regime pursues legitimate aims in the interest of national security by supporting Swedish foreign, defence and security policy and identifying external threats to the country. Therefore, following the approach outlined above, it remains to be considered whether the domestic law was accessible and contained adequate and effective safeguards and guarantees to meet the requirements of ‘foreseeability’ and ‘necessity in a democratic society’.

Bulk interception of electronic signals within foreign intelligence in Sweden is regulated in several pieces of legislation, the main ones being the Foreign Intelligence Act and the associated Ordinance, the Signals Intelligence Act and Ordinance, the Foreign Intelligence Court Act and the FRA Personal Data Processing Act and Ordinance. Additional relevant provisions on, in particular, some aspects of the functioning of the applicable supervision mechanisms and remedies are to be found in the Foreign Intelligence Inspectorate Instructions Ordinance, the Parliamentary Ombudsmen Instructions Act and the Chancellor of Justice Supervision Act (see paragraphs 14–74 above).

It has not been disputed that all these provisions are publicly available. The Court would accept, therefore, that the domestic law was adequately ‘accessible’.

Turning next to the question whether the law contained adequate and effective safeguards and guarantees to meet the requirements of ‘foreseeability’ and ‘necessity in a democratic society’, the Court will address in subsections (β) — (i) each of the eight requirements set out in paragraph 275 above.

In the present case it will do so simultaneously with respect to the interception of the contents of electronic communications and related communications data. This approach is justified by the fact, undisputed between the parties, that under the Swedish signals intelligence regime, the same legal provisions, procedures and safeguards concerning the interception, retention, examining, use and storing of electronic signals apply without distinction both to communications data and to the content of communications. Under the Swedish regime no particular separate issue arises, therefore, with regard to the use of communications data in bulk interception operations.

As noted by the Chamber, according to the Signals Intelligence Act signals intelligence may be conducted only to monitor:

The preparatory works to the Signal Intelligence Act contain further elaboration of the meaning of these eight purposes (see paragraph 23 above). In the Court's view, the level of detail and the terms used circumscribe the area in which bulk interception may be used with sufficient clarity, having regard, in particular, to the fact that the impugned regime aims at uncovering unknown foreign threats whose nature may vary and evolve with time.

The Court observes that while section 4 of the Foreign Intelligence Act excludes the conduct of signals intelligence within foreign intelligence to solve tasks in the area of law enforcement or crime prevention, one of the eight purposes listed above concerns ‘serious cross-border crime’ such as, according to the preparatory works, ‘drug or human trafficking of such severity that it may threaten significant national interests’ (see paragraph 23 above).

The preparatory works clarify that the aim in this regard is to survey terrorism or other cross-border crime from the perspective of Sweden's foreign and security policy, not to combat criminal activity operatively (ibid). It is undisputed that information obtained through the impugned regime of signals intelligence cannot be used in criminal proceedings. As explained by the Government, tasking directives for signals intelligence may not be issued to investigate criminal offences and when the FRA reports intelligence to other agencies it stipulates that the intelligence may not be used in criminal investigations. In the light of the above, the Court does not share the concerns expressed by the applicant regarding the fact that since 1 March 2018 certain police departments may issue tasking directives and that the Security Police might be granted access to the FRA's analysis material (see above paragraphs 193 in fine and 196 in fine). It finds convincing the Government's clarification that access may only be granted to ‘data that constitutes the analysis results’ so as to allow strategic assessments and that the prohibition on using signals intelligence within foreign intelligence for the purposes of investigating criminal offences fully applies (see paragraph 214 above).

In sum, the grounds upon which bulk interception can be authorised in Sweden are clearly circumscribed so as to permit the necessary control at the authorisation and operation stage and ex post facto supervision.

In a bulk interception regime the circumstances in which communications might be intercepted will be very broad, as it is the communications bearers that are targeted rather than the devices from which the communications are sent, or the senders or recipients of the communications. The circumstances in which communications may be examined will be narrower, but compared to targeted interception this category will still be relatively wide, since bulk interception may be used for a more varied range of purposes, and communications may be selected for examination by reference to factors other than the identity of the sender or recipient.

As regards interception, signals intelligence conducted on fibre optic cables may only concern communications crossing the Swedish border. Also, and regardless of whether the source is airborne or cable-based, communications between a sender and a receiver in Sweden may not be intercepted (see paragraph 25 above). The Government have admitted, however, that separating ‘domestic’ from ‘foreign’ traffic is not always possible in the initial interception stages, as confirmed in the 2011 report of the Signals Intelligence Committee (see paragraphs 77–80 above; see also the reports of the Data Protection Authority, paragraphs 75–76 above).

It is true that the FRA may also intercept signals as part of its development activities, which may lead to data not relevant for the regular foreign intelligence being intercepted. It appears from the report of the Signals Intelligence Committee (see paragraphs 77–80 above), that signals intercepted as part of the FRA's development activities can be used, including by being ‘read’ and stored, for technological development purposes regardless of whether they fall within the categories defined under the eight foreign intelligence purposes.

The Court observes, however, that signals intercepted in the context of the FRA's development activities do not interest the authorities for the data they might contain but only for the possibility they afford to analyse the systems and routes through which information is transmitted. In the Court's view, the respondent Government's explanation about the need for such an arrangement (see paragraph 207 above) is satisfactory. The examples given (the need to monitor the traffic between certain countries in order to identify bearers with relevant traffic; the need to identify trends such as new types of signals and signals protection) appear convincing: the authorities must be able to react to the evolution in technology and communication practices and, for that reason, may need to monitor very large segments of the international signals traffic. The degree of interference with individuals' Article 8 rights engendered by such activities appears to be of a very low intensity having regard to the fact that the data thereby obtained is not in a form destined to generate intelligence.

In addition, it is undisputed that any information that may happen to emerge from signals intercepted for technological development purposes cannot be used as intelligence information unless such use is in conformity with the eight purposes and the applicable tasking directives (see paragraph 79 above). Moreover, development activities can be undertaken only under a permit issued by the Foreign Intelligence Court and are supervised by the Inspectorate, including for compliance with the law and the tasking directives approved by the Foreign Intelligence Court. In these circumstances the Court is satisfied that the legal framework within which the FRA's development activities are conducted contains safeguards capable of preventing attempts to circumvent the legal restrictions related to the grounds for which signals intelligence may be used.

In view of the above the Court can accept that the legal provisions on bulk interception in Sweden set out with sufficient clarity the circumstances in which communications may be intercepted.

Under Swedish law, every signals intelligence mission to be conducted by the FRA must be authorised in advance by the Foreign Intelligence Court. Where this procedure might cause delay or other inconveniences of essential importance for one of the specified purposes of the signals intelligence, the FRA may itself grant a permit and notify the Foreign Intelligence Court immediately, which triggers the permit's rapid review by that court. The court has the power to modify or revoke it if necessary (see paragraphs 30–33 above).

There is no doubt that the Foreign Intelligence Court meets the requirement of independence from the executive. In particular, its president and vice-presidents are permanent judges and, while all members are appointed by the Government, they have legally defined four-year terms of office. Also, it is undisputed that neither the Government or Parliament nor other authorities may interfere with the court's decision-making, which is legally binding.

As noted by the Chamber, for reasons of secrecy the Foreign Intelligence Court has never held a public hearing and all its decisions are confidential. However, Swedish law provides for the mandatory presence of a privacy protection representative at that court's sessions, except in urgent cases. The representative, who is a judge, a former judge or an attorney, acts independently and in the public interest but not in the interest of any affected private individual. He or she has access to all the case documents and may make statements (see paragraph 34 above). In the Court's view, having regard to the imperative need for secrecy, in particular at the stages of initial authorisation and conducting signals intelligence, the arrangement described above contains relevant safeguards against arbitrariness and must be accepted as an inevitable limitation on the authorisation procedure's transparency.

The Court further observes that when applying for a permit the FRA must specify the need for the intelligence sought, the communications bearers to which access is needed and the selectors — or at least the categories of selectors — that will be used. This should lead to examination whether the mission is compatible with applicable legislation, including the eight purposes for which signals intelligence may be undertaken, and whether the intelligence collection is proportional to the resultant interference with private life (see paragraphs 30–33 above).

Importantly, section 3 of the Signals Intelligence Act requires that the selectors must be formulated in such a way that the interference with personal integrity is limited as far as possible (see paragraph 26 above), which implies necessity and proportionality analysis. Compliance with this requirement at the authorisation phase is within the competence of the Foreign Intelligence Court. That court's decision, taken in proceedings with the participation of a privacy protection representative, is binding. This is an important safeguard built into the Swedish bulk interception system.

The Court further observes that Swedish law provides for a form of special prior authorisation of strong selectors in that the Foreign Intelligence Court verifies whether, as required by section 3 of the Signals Intelligence Act, the use of selectors directly related to a specific natural person is of ‘exceptional importance’ for the intelligence activities. The interpretation of section 3 of the Signals Intelligence Act in the practice of the Foreign Intelligence Court has not been explained to the Court, nor how section 3 interacts with section 5 of the same Act, which indicates that the judicial authorisation may at least in some cases concern ‘categories of selectors’ rather than individual selectors. If such a case would occur, namely individual selectors not being approved by the Foreign Intelligence Court, the question would arise whether a process of prior internal authorisation providing for separate and objective verification is in place (see paragraph 269 above). However, having regard to the independence of the Foreign Intelligence Court and the applicable procedural guarantees in proceedings before it, the ‘exceptional importance’ standard at the authorisation stage is capable of providing relevant enhanced protection against the arbitrary use of selectors linked to identified individuals.

The Swedish system of authorisation has its inherent limits. For example, it may be difficult for the Foreign Intelligence Court to appreciate the proportionality aspect where only categories of selectors are specified in the FRA's request for a permit, or where the indicated selectors are several thousand in number or are expressed as technical combinations of numbers or letters.

However, for the purposes of the Court's analysis, at this stage the relevant point is that the Swedish authorisation system offers a judicial ex ante review of permit requests which is comprehensive, in the sense that the aim of the mission and the bearers and categories of selectors to be used are subject to control, and is sufficiently detailed in respect of secret bulk signals intelligence as part of foreign intelligence. Such a review offers a significant safeguard against, notably, the launch of abusive or clearly disproportionate bulk interception operations. Importantly, it also sets the framework within which a concrete operation must unfold and the limits whose observance then becomes the object of the applicable supervision and ex post facto control mechanisms.

It transpires from the material in the Court's possession that in Sweden the interception of cable-based electronic signals is automated and the interception of such signals over the airways may be either automated or manual. Automated interception over the airways is a process that is identical to the process of interception of signals passing through cross-border cables.

As regards the use of non-automated interception and searches of electronic signals over the airways, the Swedish Government clarified before the Grand Chamber that it is primarily used for near real-time reporting of foreign military activities and is done by an operator who listens in real time to military radio transmissions on selected radio frequencies or looks at a screen where the energy from a signal in electronic form is visualised and then records relevant parts for analysing and reporting. The applicant did not comment in reply.

Even assuming that the interception of foreign military radio frequencies may affect Article 8 rights in rare cases, the Court notes that this aspect of the Swedish signals intelligence regime is covered by the same procedures and safeguards as applicable to interception and use of cable-based communications.

Turning to the procedure for examination of the intercepted material, the Court notes that, as explained by the respondent Government, the FRA processes the data through automated and manual means, using, among other techniques, cryptoanalysis, structuring and language translation. Thereafter, the processed information is analysed by an analyst in order to identify intelligence therein. The next step consists in the elaboration of a report which is disseminated to selected recipients of foreign intelligence (see paragraphs 18 and 29 above).

In the Court's view, it is significant that at the examination stage the FRA is under an obligation to discard intercepted domestic communications immediately once identified (see paragraph 38 above).

Despite the fact that the distinction between domestic and foreign communications may not be waterproof and the prohibition to intercept the former apparently cannot prevent it from happening in the automatic stage of capturing signals, the exclusion of domestic traffic from the scope of signals intelligence must be seen as a significant limitation on the authorities' discretion and as a safeguard against abuse. The limitation in question sets the framework within which the authorities are allowed to operate and provides the existing pre-authorisation, supervision and control mechanisms with an important criterion related to the operation's lawfulness and the protection of the rights of individuals. In particular, it is clear that the choice of communications bearers and categories of selectors — which is subject to control by the Foreign Intelligence Court (see paragraph 30 above) — must be in conformity with the above-mentioned exclusion of domestic communications.

As already noted above (see paragraph 300), the practice of the Foreign Intelligence Court regarding the pre-authorisation of selectors or categories of selectors directly linked to identifiable individuals has not been presented to the Court. The Court notes, however, the Government's position that logs and records are systematically kept by the FRA throughout the process, from the collection of data to the final reporting, communicating to other parties and destruction. All searches made by analysts are recorded. When the search is made in a data compilation containing personal data the record includes the selectors used, the time, the name of the analyst and the justification for the search, including the detailed tasking directive which is the reason for the search. In addition to the logs, records are kept of decisions taken in the course of the signals intelligence process.

The applicant did not dispute the above but considered that (i) it had not been shown that logs were sufficiently detailed and (ii) the FRA's record-keeping practices, not being prescribed by law, were at the mercy of internal procedures and discretion.

The Court considers that the obligation to keep logs and detailed record of each step in bulk interception operations, including all selectors used, must be set out in domestic law. The fact that in Sweden it appears in internal instructions only is undoubtedly a shortcoming. However, having regard, in particular, to the existence of oversight mechanisms covering all aspects of the FRA's activities, there is no reason to consider that detailed logs and records are not kept in practice or that the FRA could proceed to changing its internal instructions arbitrarily and removing its obligation in that regard. While it is true that in 2010 and 2016 the Swedish Data Protection Authority criticised an aspect of the FRA's practices of keeping logs, this only concerned the manner in which the FRA monitored logs used to detect unwarranted use of personal data (see paragraph 76 above). Furthermore, the Government clarified that since 1 January 2018 logs which were previously kept by separate ‘system owners’ within the FRA are being sent to a central function, thus improving their monitoring. This change had been reported to the Swedish Data Protection Authority, which had not requested further action and had closed the file.

Swedish law affords specific protection of personal data, including data that may reveal aspects of natural persons' private life or communications. In the context of signals intelligence, the FRA Personal Data Processing Act imposes on the FRA the obligation to ensure that personal data is collected only for the authorised purposes expressly determined through tasking directives and within the limits of the permit issued by the Foreign Intelligence Court. As noted by the Chamber, the personal data treated also has to be adequate and relevant in relation to the purpose of the treatment. No more personal data than what is necessary for that purpose may be processed. All reasonable efforts have to be made to correct, block and obliterate personal data which is incorrect or incomplete in relation to the purpose (see paragraph 40 above). The FRA staff treating personal data are security cleared, subject to confidentiality and under an obligation to handle the personal data in a safe manner. Also, they could face criminal sanctions if tasks relating to the treatment of personal data are mismanaged (see paragraph 42 above).

The applicant criticised the fact that the safeguards mentioned in the preceding paragraph only apply to intercepted material containing ‘information that is directly or indirectly related to a natural living person’. The applicant deduced from this fact that legal persons were left unprotected.

The Court observes, however, that there is nothing to suggest that the protection guaranteed by the FRA Personal Data Processing Act and the FRA Personal Data Processing Ordinance does not apply to the content of communications exchanged by legal persons such as the applicant whenever those include ‘information that is directly or indirectly related to a natural living person’. Furthermore, it must be noted that most legal requirements and safeguards provided for in the above-mentioned legislation would normally be of value to natural persons only. For example, the Act in question prohibits processing of personal data solely because of what is known of a person's race or ethnicity, political, religious or philosophical views, membership of a union, health or sexual life. It provides for a special requirement limiting the keeping of material containing personal data and for sanctions for mismanagement of personal data. It guarantees specific monitoring of personal data treatment and sets out the powers of the Data Protection Authority in this regard. In other words, the Act in question adds another layer of protection, tailored to the specificities of personal data, to the already existing safeguards that are applicable to information concerning natural and legal persons alike.

This approach, which takes into account the special sensitivity of personal data, does not seem to be problematic and does not mean that the communications of legal persons are left unprotected by safeguards. Contrary to the applicant's claim, there is nothing in the relevant legislation suggesting that intercept material not containing personal data can be used for purposes incompatible with the original purpose of the interception, as approved by the Foreign Intelligence Court.

In sum, the Court is satisfied that the legislation on selecting, examining and using intercepted data provides adequate safeguards against abuse that may affect Article 8 rights.

As regards communication of data from the FRA to other Swedish Government bodies, the Court observes that the very purpose of signals intelligence is to obtain information that is useful for the mission of relevant sectors of Government. The circle of domestic authorities that may be given such information in Sweden is narrow and includes above all the Security Police and the Armed Forces. The FRA may grant these bodies direct access to data that constitutes the results of analysis in a data compilation, to enable them to make assessments of terrorist threats at strategic level. This is done, in particular, in the framework of a tripartite working group of analysts from the FRA, the Security Police and the Armed Forces, called the National Centre for Assessment of Terrorist Threats. The Court considers that the above regime is clearly circumscribed and does not appear to generate a particular risk of abuse.

The Court further notes that the Chamber expressed concerns as regards the Swedish arrangements on communicating data to foreign Governments or international organisations, pointing to three issues: (a) that the legislation does not require consideration of possible harm to the individual concerned when making a decision about sharing; (b) that there is no provision requiring the recipient State or organisation to protect the data with the same or similar safeguards as those applicable under Swedish law and; (c) that the possibility to communicate data when necessary for ‘international defence and security cooperation’ opens up for a rather wide scope of discretion. The Chamber nevertheless considered that the supervisory mechanisms sufficiently counterbalanced these regulatory shortcomings (see paragraph 150 of the Chamber judgment).

Before the Grand Chamber the Government essentially disputed that there were areas of concern, emphasising that international cooperation was limited to exchanges with trusted foreign partners and was monitored by the Inspectorate, whereas the applicant considered that the discretion granted to the FRA was too broad and that the existing supervisory mechanisms did not counterbalance the identified shortcomings, there being no legal requirements in respect of which compliance could be supervised (see the parties' positions in more detail in paragraphs 200, 201, 215 and 216 above).

The Court points out at the outset that in the present case it is not dealing with a concrete occurrence of, for example, the disclosure or use, by a foreign Government or organisation, of personal data transmitted to them by the Swedish authorities. Indeed, no examples about such disclosures or use have been submitted to the Court. Nonetheless, insofar as the possibility of transmitting intelligence to foreign parties is part of the Swedish bulk interception regime and activities whose very existence can be seen as interfering with Article 8 rights, the Court, having regard to the applicant's complaints, must review the Swedish intelligence transmission regime and its functioning for their compliance with the requirements of quality of the law and necessity in a democratic society. The applicant's complaints relate solely to the sending of intelligence to foreign parties and do not concern the receipt of foreign intelligence and its use by the Swedish authorities.

It is undisputed that Contracting States may need to transmit to foreign services intelligence obtained through bulk interception of communications for a variety of reasons, including warning foreign Governments about threats, soliciting their help in identifying and dealing with threats or enabling international organisations to act in exercise of their mandate. International cooperation is crucial for the effectiveness of the authorities' efforts to detect and thwart potential threats to Contracting States' national security.

The Court observes that the possibility for the FRA to share intelligence it has obtained with foreign partners is provided for in Swedish law, which also sets out the relevant general purpose (see paragraphs 49 and 74 above). It is to be observed, however, that the level of generality of the terms used cannot but lead to the conclusion that the FRA may send intelligence abroad whenever this is considered to be in the national interest.

Having regard to the unpredictability of situations that may warrant cooperation with foreign intelligence partners, it is understandable that the precise scope of intelligence sharing cannot be circumscribed in law through, for example, exhaustive and detailed lists of such situations or the types of intelligence or content that can be transmitted. The applicable legal regulation and practice must operate, however, in a manner capable of limiting the risk of abuse and disproportionate interference with Article 8 rights.

In this regard the Court notes, first, that in so far as the intelligence transmitted to foreign services is in the form of information obtained by the FRA through its bulk interception activities, it is necessarily the product of legally regulated procedures to which all relevant safeguards apply. This includes the procedural guarantees, such as the authorisation by the Foreign Intelligence Court and the supervision by the Inspectorate (see paragraphs 295–302 above and 345–353 below), and the substantive limitations, such as those regarding the grounds on which interception of signals can be ordered, the searching, in particular through selectors identifying an individual, and all further examination (see paragraphs 284–288 and 303–316 above). As already seen, the above mentioned procedures involve an assessment of necessity and proportionality with regard to, in particular, Article 8 Convention rights. Therefore, the safeguards internally applicable in Sweden in the process of obtaining the intelligence that may later be transmitted to a foreign partner also limit, at least to a certain extent, the risk of adverse consequences that may ensue after the transmission has taken place.

The Court also notes that the supervision mechanisms provided for under the Personal Data Processing Act, specifically tailored to the protection of personal data, apply to all activities of the FRA (see paragraphs 56 above).

In the Court's view, despite the above considerations, the absence, in the relevant signals intelligence legislation, of an express legal requirement for the FRA to assess the necessity and proportionality of intelligence sharing for its possible impact on Article 8 rights is a substantial shortcoming of the Swedish regime of bulk interception activities. It appears that, as a result of this state of the law, the FRA is not obliged to take any action even in situations when, for example, information seriously compromising privacy rights is present in material to be transmitted abroad without its transmission being of any significant intelligence value. Furthermore, despite the fact that the Swedish authorities obviously lose control over the shared material once it has been sent out, no legally binding obligation is imposed on the FRA to analyse and determine whether the foreign recipient of intelligence offers an acceptable minimum level of safeguards (see paragraph 276 above).

The Government's answer to these concerns was essentially that intelligence cooperation with foreign services inevitably functions on the basis of a shared interest in preserving the secrecy of information and that this practical reality limited the risks of abuse.

The Court finds the above-mentioned approach insufficient as a safeguard. The Government have not identified any obstacles against setting out clearly in domestic law an obligation for the FRA or another relevant body to balance the necessity of transmitting intelligence abroad against the need to protect the right to respect for private life. By comparison, the Court notes that, for example, the relevant regime in the United Kingdom includes an obligation to take reasonable steps to ensure that the foreign authorities would maintain the necessary procedures to safeguard the intercepted material and to ensure that it is disclosed, copied, distributed and retained only to the minimum extent necessary (see paragraph 7.5 of the United Kingdom Interception of Communications Code of Practice, quoted in Big Brother Watch and Others, cited above, § 96).

It is true that in 2014 the Inspectorate undertook a general review of the FRA's cooperation with other States and, between 2009 and 2017, repeatedly inspected other relevant aspects of its activities, including the treatment of personal data and the communication of its reports (see paragraph 53 above). However, since the Inspectorate's role is to exercise control for lawfulness, in the absence of an express legal obligation for the FRA to consider privacy concerns or seek at least some safeguards in this regard from foreign partners before sending them intelligence, it is not unreasonable to consider, as the applicant did, that the Inspectorate does not monitor possible risks or disproportionate consequences of intelligence sharing on Article 8 Convention rights. The respondent Government have failed to convince the Court that this is done in practice on the basis of, for example, constitutional or other general fundamental rights provisions. It follows that, unlike the Chamber, the Grand Chamber cannot accept that the shortcomings in the regulatory framework are sufficiently counterbalanced by the supervisory elements of the Swedish regime.

In sum, the absence of a requirement in the Signals Intelligence Act or other relevant legislation that consideration be given to the privacy interests of the individual concerned when making a decision about intelligence sharing is a significant shortcoming of the Swedish regime, to be taken into account in the Court's assessment of its compatibility with Article 8 of the Convention.

The duration of bulk interception operations is, of course, a matter for the domestic authorities to decide. There must, however, be adequate safeguards, such as a clear indication in domestic law of the period after which an interception warrant will expire, the conditions under which a warrant can be renewed and the circumstances in which it must be cancelled (see Roman Zakharov, cited above, § 250).

Under section 5(a) of the Signals Intelligence Act a permit may be granted for a maximum of six months. This period may be extended, for six months at a time, following a new full examination of the relevant conditions for the granting of a permit by the Foreign Intelligence Court. Therefore, as noted by the Chamber, Swedish law gives a clear indication of the period after which a permit will expire and of the conditions under which it may be renewed.

As also noted by the Chamber, however, there is no provision obliging the FRA, the authorities mandated to issue detailed tasking directives or the Foreign Intelligence Court to cancel a signals intelligence mission if the conditions for it have ceased to exist or the measures themselves are no longer necessary.

Before the Grand Chamber, the applicant considered that the lack of provision for the cancellation of permits when no longer needed opened the door to excessive and inappropriate surveillance for several months until the warrant eventually expired on its own. In the applicant's view, this shortcoming was very significant, given the sheer volume of information that could be obtained through bulk interception in that time. The Government stated that an interception operation would be discontinued if it was no longer needed, if a tasking directive was revoked or if it was not in accordance with the permit.

The Court is of the view that an express provision on discontinuation of bulk interception when no longer needed would have been clearer than the existing arrangement in Sweden according to which, apparently, permits may or may not be cancelled when circumstances warranting such a cancellation come to light in the period before the expiry of their six months' validity.

The significance of this shortcoming should, however, not be overestimated, in the Court's view, for two main reasons. First, Swedish law provides for relevant mechanisms, such as the possibility for the requesting authority to revoke a tasking directive and for supervision by the Inspectorate, both of which can lead to the cancellation of a bulk interception mission when the conditions for it have ceased to exist or it is no longer needed. Second, by the nature of things, in the context of signals intelligence within foreign intelligence the implementation of a legal requirement to cancel a permit when no longer needed must in all likelihood be heavily dependent on internal operative assessments involving secrecy. Therefore, in the specific context of bulk interception for foreign intelligence purposes, the existence of supervision mechanisms with access to all internal information must generally be seen as providing similar legislative safeguards against abuse related to the duration of interception operations.

For the reasons set out above, the Court finds that Swedish law satisfies the requirements concerning duration of bulk interception of communications.

The Chamber made the following findings concerning the circumstances in which intercept data must be erased and destroyed, at paragraphs 145 and 146 of its judgment:

The Grand Chamber endorses this analysis in principle but also considers it important to point to the fact that it has insufficient information about certain aspects of the manner in which the rules on destruction of intercept material are applied in practice.

Certainly, the Inspectorate's supervision powers include the monitoring of the FRA's practice on destroying intercept material and this aspect of its activities has already been the subject of inspections (see paragraph 53 above). This is an important safeguard for the proper application of the existing rules.

However, before the Grand Chamber the applicant pointed to the fact that the limits on the storing of intercept material and the requirements mentioned by the Chamber about destroying it did not apply to material which does not contain personal data. The Government did not address this issue specifically.

In the Court's view, while there is clear justification for special requirements regarding the destruction of material containing personal data, there must also be a general legal rule governing the destruction of other material obtained through bulk interception of communications, where keeping it may affect, for example, the right of respect for correspondence under Article 8, including concerning legal persons as the applicant. As a very minimum, as also stressed by the Chamber, there should be a legal requirement to delete intercepted data that has lost pertinence for signals intelligence purposes. The Government have not shown that the Swedish regulatory framework covers this aspect. However, while observing that there is only a narrow set of circumstances in which it could happen that none of the specific rules on destruction of intercept material noted in the preceding paragraphs would apply, the Court notes this point as a procedural shortcoming in the regulatory framework.

Finally, the Court does not have sufficient information as to the manner in which the necessity to keep or destroy material containing personal data is assessed in practice and as to whether unprocessed intercept material is always stored for the maximum period of one year or the necessity of continued storage is regularly reviewed, as it should be. This makes it difficult to arrive at comprehensive conclusions covering all aspects of the storage and deletion of intercept material. In the context of its analysis on the ex post facto review in the Swedish bulk interception system, the Court will return to the question what conclusions could be drawn from the fact that it has insufficient information on the above point and other aspects of the functioning of the Swedish system.

In sum, for the purposes of the present stage of the analysis, while the Court noted in the preceding paragraph a procedural shortcoming that needs to be addressed, it considers that, as a whole, the circumstances in which the intercept material has to be destroyed are clear under Swedish law.

Under Swedish law the task of overseeing foreign intelligence activities in general and signals intelligence in particular is entrusted mainly to the Foreign Intelligence Inspectorate. Further supervisory functions, albeit with lesser powers, are exercised by the Data Protection Authority.

Noting that the Inspectorate's board is presided over by permanent judges or former judges and that its members, appointed for terms of at least four years by the Government, are selected from candidates proposed by the party groups in the Parliament, the Court is satisfied that the Inspectorate's role is that of an independent control mechanism.

The Inspectorate has wide-ranging powers covering the operation of signal intelligence activities from beginning to end. In particular, it is tasked with granting the FRA access to communications bearers after verifying that the requested access corresponds to the permit issued by the Foreign Intelligence Court (Chapter 6, section 19a of the Electronic Communications Act). The Inspectorate reviews all other aspects of the FRA's activities, including the interception, analysis, use and destruction of material. Importantly, it can scrutinise the selectors used (section 10 of the Signals Intelligence Act) and enjoys access to all relevant documents of the FRA (see paragraphs 50–53 above).

It appears therefore that the Inspectorate has the powers and tools necessary to assess not only compliance with the formal requirements of Swedish law but also to examine aspects of the proportionality of the interference with individual rights that may be occasioned by signals intelligence activities. It is noteworthy in this regard that its inspections included numerous detailed examinations of, in particular, the selectors used (see paragraph 53 above).

The applicant pointed to the fact that some of the acts issued by the Inspectorate are in the form of opinions and recommendations, rather than legally binding decisions, and apparently considered that this weakened substantially the real impact of the Inspectorate's work.

The Court notes that under section 10 of the Signals Intelligence Act the Inspectorate, when it finds evidence of improper signals collection, has the power to decide, with legally binding effect, that the collection must cease or that recordings or notes of collected data must be destroyed. On certain other issues, such as potential civil liability of the State with respect to a person or organisation or where there is an indication that a criminal offence may have been committed, the Inspectorate has a duty to report to the competent authorities with which the power to take legally binding decisions lies. The Court considers the above arrangement to be satisfactory. While it is true that there appears to be no legal possibility under Swedish law for the enforcement of the Inspectorate's recommendations when it seeks the evolution or correction of practices by the FRA, the Court observes that, according to the conclusions of the National Audit Office which audited the Inspectorate in 2015, the FRA had routines in place for handling the Inspectorate's opinions, the latter's suggestions were dealt with in a serious manner and, when called for, gave rise to reforms. The action decided by the Inspectorate had been taken, with the exception of one case when the FRA had referred the matter to the Government (see paragraph 54 above).

Furthermore, the information available to the Court concerning the inspections conducted by the Inspectorate confirms that not only in theory but also in practice it actively reviews FRA's actions both on a general systematic basis and also by themes. In particular, over a period of eight years the Inspectorate has undertaken 102 inspections, including detailed examinations of the selectors used, the destruction of intelligence, the communication of reports, cooperation with other States and international organisations, the processing of personal data and the overall compliance with the legislation, directives and permits relevant to the signals intelligence activities. These resulted in several opinions and suggestions to the FRA and one opinion submitted to the Government. The effect of the Inspectorate's activity is illustrated by the fact that, for example, when it suggested in 2011 some amendments to the FRA's internal rules concerning destruction of data, these were introduced the same year (see paragraph 53 above).

Finally, the Inspectorate issues annual reports which are made available to the public and its activities have been the object of audits by the National Audit Office (see paragraphs 53 and 54 above).

In these circumstances, there is no reason to doubt that Swedish law and practice secure an effective supervision on signal intelligence activities in Sweden. In the Court's view, the Inspectorate's role, coupled with the judicial pre-authorisation procedure before the Foreign Intelligence Court, form together a functioning safeguard against abuse at the crucial stages of the signals intelligence process — before and during the process of interception, analysis, use and destruction of the information obtained.

It appears undisputed that, due to secrecy, no use has ever been made in practice of the theoretical possibility under the Signals Intelligence Act to notify natural persons when selectors directly related to them have been employed (see paragraphs 58, 59, 75 in fine and 80 above).

In the Court's view, it is clear that notifying affected individuals in the context of the Swedish system of signals intelligence as part of foreign intelligence, if at all technically possible, might have far-reaching consequences that are difficult to foresee in advance. As already noted (see paragraph 272 above) a remedy which does not depend on notification to the interception subject could be an effective remedy in the context of bulk interception. The Court therefore accepts the respondent State's approach in this regard as being legitimate. However, the absence of a functioning notification mechanism should be counterbalanced by the effectiveness of the remedies that must be available to individuals who suspect that their communications may have been intercepted and analysed.

The Court notes in this regard that the Signals Intelligence Act provides for ex post facto review on the initiative of individuals or legal persons without them having to demonstrate that they may have been affected by a bulk interception operation. In reaction to a request by anyone, regardless of nationality and residence, the Foreign Intelligence Inspectorate must investigate if the person's communications have been intercepted through signals intelligence and, if so, verify whether the interception and treatment of the information have been in accordance with the law. As already noted (see paragraph 350 above), the Inspectorate has the power to decide that the signals intelligence operation shall cease or that the intelligence shall be destroyed.

The applicant pointed out that there is no possibility for an individual to be informed of whether his or her communications have actually been intercepted or, generally, to be given reasoned decisions. Under the relevant domestic law the Inspectorate informs the complainant only that an investigation has been carried out (see paragraph 61 above).

It transpires from the material available to the Court (see, in particular, paragraphs 61 and 203 above) that the Inspectorate regularly examines the requests submitted to it by individuals.

However, while it is true that the Inspectorate is an independent body, the Court observes that, having regard to that body's duty to supervise and monitor the FRA's activities, which includes taking or authorising operational decisions such as those concerning access to the signal carriers, use of selectors, analysis, use and destruction of intercept material (see paragraphs 50–53 above), the Inspectorate's additional role of ex post facto review on request from individuals may lead to situations where it will have to assess its own activities in supervising bulk interception by the FRA. In the conditions of secrecy, which legitimately characterise the relevant procedures, and failing a legal obligation for the Inspectorate to provide reasons to the individual concerned, there may be doubts as to whether the Inspectorate's examination of individual complaints in such situations affords adequate guarantees of objectivity and thoroughness. It cannot be excluded that the dual role of the Inspectorate may generate conflicts of interest and, therefore, the temptation to overlook an omission or misconduct in order to avoid criticism or other consequences.

The Court does not disregard in this respect the fact that the Inspectorate is itself subject to audits (paragraph 54 above), which could in principle be seen as a relevant safeguard. It notes, however, that the Government have not provided any information demonstrating that the audits conducted so far covered the Inspectorate's investigations undertaken at the requests of individuals seeking information as to whether their communications had been intercepted by the FRA. It appears that there is no legal obligation for the National Audit Office — which is responsible for auditing a significant number of administrative bodies in various sectors — to conduct such specific audits and to do so regularly. In these circumstances and having regard to the structural issue noted in the preceding paragraph, the Court is not convinced that the potential possibility of the National Audit Office examining the Inspectorate's handling of individuals' complaints is sufficient.

Furthermore, in the Court's view, a system of ex post facto review that does not produce reasoned decisions in response to complaints submitted by individuals, or at least decisions that contain reasons accessible to security-cleared special counsel, is too dependent on the initiative and perseverance of appointed officials operating away from the public eye. With regard to the Swedish system, the Court notes that no details are communicated to the complainant as to the content and outcome of the investigation conducted by the Inspectorate and, hence, the Inspectorate seems to be afforded wide discretion. A reasoned decision has the undeniable advantage of providing publicly available guidance on the interpretation of the applicable legal rules, the limits to be observed and the manner in which the public interest and individual rights are to be balanced in the specific context of bulk interception of communications. As noted by the Court in Kennedy (cited above, § 167), the publication of such legal rulings enhanced the level of scrutiny in this area. These observations lead the Court to consider that the above-mentioned features of the Swedish system do not offer a sufficient basis for public confidence that abuses, if they occur, will be unveiled and remedied.

It is true that individuals can turn to the Parliamentary Ombudsmen and the Chancellor of Justice, who can scrutinise the authorities' actions for, inter alia, lawfulness and possible encroachment upon fundamental rights and freedoms. The Chancellor and the Ombudsmen have the power to initiate criminal or disciplinary proceedings (see paragraphs 66–68 above). While these are relevant complaint mechanisms, the Court notes that they do not seem to have been used frequently in the context of bulk interception of communications (see above, paragraph 67 in fine). In any event, it is of the view that a legal procedure before an independent body, which in so far as possible offers an adversarial process resulting in reasoned and legally binding decisions, is an essential element of an effective ex post facto review. However, these conditions were met neither by the Chancellor not the Ombudsmen.

Finally, the Court agrees with the applicant that the remedy available in the United Kingdom before the IPT (see Big Brother Watch and Others, cited above, §§ 413-15), illustrates that it is possible to reconcile legitimate security concerns and the need to ensure a reliable ex post facto control of bulk interception activities.

In sum, the Inspectorate's dual role and the absence of a possibility for members of the public to obtain reasoned decisions in some form in response to inquiries or complaints regarding bulk interception of communications, elements that are not in line with the requirements of an effective ex post facto review, must be seen as a shortcoming of the Swedish regime, to be taken into account in the Court's assessment of its compatibility with Article 8 of the Convention. In the Court's view, the above-mentioned shortcoming is particularly relevant having regard to the fact that the Court has insufficient information about the practice of the Foreign Intelligence Court on judicial pre-authorisation of strong selectors or categories of selectors (see paragraph 300 above) and on the manner in which the legal requirements on destruction of intercept material are applied in practice (see paragraph 343 above). This undoubtedly exacerbates the uncertainty for the individuals concerned as to whether arbitrariness or abuse concerning them might have occurred.

The Court is in no doubt that bulk interception is of vital importance to Contracting States in identifying threats to their national security. This has been recognised, in particular, by the Venice Commission (see paragraph 86 above). It appears that, in present-day conditions, no alternative or combination of alternatives would be sufficient to substitute for the bulk interception power.

The Court further reiterates that it is not its role to prescribe an ideal model for signals intelligence but rather to review for Convention compliance the existing legal and practical arrangements, which vary conceptually and functionally from one Contracting Party to another. In this exercise, the Swedish signals intelligence model and its safeguards against abuse must be seen as one whole.

The review of the Swedish bulk interception system in the present case has revealed that it is based on detailed legal rules, is clearly delimited in scope and provides for safeguards. The grounds upon which bulk interception can be authorised in Sweden are clearly circumscribed, the circumstances in which communications might be intercepted and examined are set out with sufficient clarity, its duration is legally regulated and controlled and the procedures for selecting, examining and using intercepted material are accompanied by adequate safeguards against abuse. The same protections apply equally to the content of intercepted communications and communications data.

Crucially, the judicial pre-authorisation procedure as it exists in Sweden and the supervision exercised by an independent body in Sweden serve in principle to ensure the application of the domestic legal requirements and the Convention standards in practice and to limit the risk of disproportionate consequences affecting Article 8 rights. Notably, regard must be had to the fact that in Sweden the limits to be observed in each bulk interception mission, as well as its lawfulness and proportionality in general, are the subject matter of judicial pre-authorisation proceedings before the Foreign Intelligence Court, which sits in the presence of a privacy protection representative defending the public interest.

The Court noted three shortcomings in the Swedish bulk interception regime: the absence of a clear rule on destroying intercepted material which does not contain personal data (see paragraph 342 above); the absence of a requirement in the Signals Intelligence Act or other relevant legislation that, when making a decision to transmit intelligence material to foreign partners, consideration is given to the privacy interests of individuals (see paragraphs 326–330 above); and the absence of an effective ex post facto review (see paragraphs 359–364 above).

As regards the first of these shortcomings, its potential for causing adverse consequences on Article 8 rights is limited by the fact that Swedish law provides for clear rules on the destruction of intercept material in a number of circumstances and, above all, when it contains personal data.

However, the Court considers that the second shortcoming may potentially lead to very significant adverse consequences for affected individuals or organisations. As noted, the above-mentioned shortcoming may allow information seriously compromising privacy rights or the right to respect for correspondence to be transmitted abroad mechanically, even if its intelligence value is very low. Such transmission may therefore generate clearly disproportionate risks for Article 8 Convention rights. Furthermore, no legally binding obligation is imposed on the FRA to analyse and determine whether the foreign recipient of intelligence offers an acceptable minimum level of safeguards.

Finally, the Inspectorate's dual role and the absence of a possibility for members of the public to obtain reasoned decisions in some form in response to inquiries or complaints regarding bulk interception of communications weakens the ex post facto control mechanism to an extent that generates risks for the observance of the affected individuals' fundamental rights. Moreover, the lack of an effective review at the final stage of interception cannot be reconciled with the Court's view that the degree of interference with individuals' Article 8 rights increases as the process advances (see paragraphs 239 and 245 above) and falls short of the requirement of ‘end-to-end’ safeguards (see paragraph 264 above).

The Court is satisfied that the main features of the Swedish bulk interception regime meet the Convention requirements on quality of the law and considers that the operation of this regime at the time of the Chamber examination was therefore in most aspects kept within the limits of what is ‘necessary in a democratic society’. It finds, however, that the shortcomings mentioned in the preceding paragraphs are not sufficiently compensated by the existing safeguards and that, therefore, the Swedish bulk interception regime oversteps the margin of appreciation left to the authorities of the respondent State in that regard. The Court reiterates that there is considerable potential for bulk interception to be abused in a manner adversely affecting the rights of individuals to respect for private life (see paragraph 261 above). Therefore, having regard to rule of law principle, which is expressly mentioned in the Preamble to the Convention and is inherent in the object and purpose of Article 8 (see Roman Zakharov, cited above, § 228), the Court considers that the Swedish bulk interception regime, when viewed as a whole, did not contain sufficient ‘end-to-end’ safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse.