Ekimdzhiev and others v. Bulgaria (Application no. 70078/12)

A selection of key paragraphs can be found below the judgement.

356.  Although significantly improved after they were examined by the Court in Association for European Integration and Human Rights and Ekimdzhiev (cited above), the laws governing secret surveillance in Bulgaria, as applied in practice, still fall short of the minimum safeguards against arbitrariness and abuse required under Article 8 of the Convention in the following respects: 

(a)  the internal rules governing the storage and destruction of materials obtained via surveillance have not been made accessible to the public (see paragraph 296 in fine above); 

(b)  the term “objects” in section 12(1) of the 1997 Act is not defined in a way so as ensure that it cannot serve as a basis for indiscriminate surveillance (see paragraph 303 above); 

(c)  the excessive duration of the initial authorisation for surveillance on national-security grounds – two years – significantly weakens the judicial control to which such surveillance is subjected (see paragraph 305 above); 

(d)  the authorisation procedure, as it operates in practice, is not capable of ensuring that surveillance is resorted to only when “necessary in a democratic society” (see paragraphs 307 to 322 above); 

(e)  a number of lacunae exist in the statutory provisions governing the storing, accessing, examining, using, communicating and destroying of surveillance data (see paragraphs 326 to 332 above); 

(f)  the oversight system, as currently organised, does not comply with the requirements of sufficient independence, competence and powers (see paragraphs 335 to 347 above); 

(g)  the notification arrangements are too narrow (see paragraphs 349 to 351 above); and 

(h)  the dedicated remedy, a claim under section 2(1)(7) of the 1988 Act, is not available in practice in all possible scenarios, does not ensure examination of the justification of each instance of surveillance (by reference to reasonable suspicion and proportionality), is not open to legal persons, and is limited in terms of the relief available (see paragraphs 266 to 273 and 352 to 355 above). 

357.  Those shortcomings in the legal regime appear to have had an actual impact on the operation of the system of secret surveillance in Bulgaria. The recurring scandals relating to secret surveillance (see paragraphs 56, 57, 59 and 67 above) suggest the existence of abusive surveillance practices, which appear to be at least in part due to the inadequate legal safeguards (see Association for European Integration and Human Rights and Ekimdzhiev, § 92, and Roman Zakharov, § 303, both cited above). 

358.  It follows that the Bulgarian laws governing secret surveillance do not fully meet the “quality of law” requirement and are incapable of keeping the “interference” entailed by the system of secret surveillance in Bulgaria to what is “necessary in a democratic society”. 

359.  There has therefore been a breach of Article 8 of the Convention. 

419.  Although the laws governing the retention of communications data and its subsequent accessing by the authorities were significantly improved after the Constitutional Court examined them in 2015 in the wake of the CJEU’s judgment in Digital Rights Ireland and Others (see paragraph 156 above), those laws, as applied in practice, still fall short of the minimum safeguards against arbitrariness and abuse required under Article 8 of the Convention in the following respects: 

(a)  the authorisation procedure does not appear capable of ensuring that retained communications data is accessed by the authorities solely when that is “necessary in a democratic society” (see paragraphs 400 to 406 above); 

(b)  no clear time-limits have been laid down for destroying data accessed by the authorities in the course of criminal proceedings (see paragraph 408 above); 

(c)  no publicly available rules exist on the storing, accessing, examining, using, communicating and destroying communications data accessed by the authorities (see paragraph 409 above); 

(d)  the oversight system, as currently organised, does not appear capable of effectively checking abuse (see paragraphs 410 to 415 above); 

(e)  the notification arrangements, as currently operating, are too narrow (see paragraphs 416 and 417 above); and 

(f)  it does not appear that there is an effective remedy (see paragraphs 379 to 381 and 418 above). 

420.  It follows that those laws do not fully meet the “quality of law” requirement and are incapable of keeping the “interference” entailed by the system of retention and accessing of communications data in Bulgaria to what is “necessary in a democratic society”. 

421.  There has therefore been a breach of Article 8 of the Convention in this respect as well.