Matthew White, Ph.D candidate, Sheffield Hallam University.
Introduction
On 30 January 2018, human rights
NGO Liberty tweeted that
the:
This was in reference to the
Court of Appeal’s (CoA) judgment in Tom Watson and Others v Secretary of State
for the Home Department [2018] EWCA Civ 70 with regards to access to
communications data under the Data
Retention and Investigatory Power Act 2014 (DRIPA 2014). Many regard this
as a ruling the Snoopers
Charter or mass
surveillance as unlawful. This post critically analyses the CoA’s judgment
with regards to general data retention, access to communications data on the
basis of prior review by a court or an independent administrative body and
notifications.
Background
The background to this case dates
from 2014 in which the Court of Justice of the European Union (CJEU) in Joined
Cases C‑293/12 and C‑594/12, Digital Rights Ireland (analysis here)
invalidated Directive
2006/24/EC (the Data Retention Directive (DRD)) for its incompatibility
with Articles 7 (privacy) and 8 (data protection) of the Charter
of Fundamental Rights (CFR). This led to the introduction of DRIPA 2014,
and subsequent challenges in the High Court (HC) and CoA on its compatibility
with Digital Rights Ireland, which
ultimately led to a preliminary reference (joined by a reference in Tele2 from a Swedish Court) to the CJEU
for clarification (analysis here).
In Joined
Cases C-203/15 and C-698/15, Tele2 and
Watson the CJEU ruled that Articles 7, 8, 11 (freedom of expression)
and 52(1) (limitations of rights) preclude Member States from adopting laws
which permit the general and indiscriminate retention ‘of all traffic and
location data of all subscribers and registered users relating to all means of
electronic communication’ [134(1)]. The CJEU also ruled that the access to
retained communications data should be subject to prior review by a court or an
independent administrative body and only on the basis of fighting serious crime
[134(2)].
Court of Appeal’s judgment
In the leading judgment, Lord
Lloyd-Jones summarises the background to this case [1-3] (also see above), and
quickly distinguishes between the Swedish reference and its own in highlighting
that the CJEU’s answers in paragraph 134(2) and (3) reflect their reference.
His Lordship does so by highlighting the difference between UK and Swedish
legislation [4]. His Lordship also highlighted several developments since Tele2 and Watson, namely that DRIPA 2014
had been repealed and replaced by the Investigatory
Powers Act 2016 (IPA 2016), which is also subject to challenge, with Privacy
International seeking to clarify the extent in which the CJEU’s ruling applies
in the national security context (analysis here)
and the UK
Government seeking to amend the IPA 2016 to conform with the CJEU’s ruling
with regards to serious crime and prior review for access by a
court/independent administrative body [6].
The question before the CoA was
again DRIPA 2014’s compatibility with the CJEU’s rulings on data retention [7].
Both parties and the CoA agreed that the CJEU’s jurisprudence establishes
access to retained communications data is restricted to the objective of
fighting serious crime and that access should be subject to prior review by a
court/independent administrative body [9]. The CoA declined to grant any
declaratory relief with regards the CJEU’s rulings in the national security
context as this was already subject to a preliminary reference by the
Investigatory Powers Tribunal (IPT) [10-12]. The CoA, did however, grant
declaratory relief with regards to DRIPA 2014 for being inconsistent with
European Union (EU) law with regards to serious crime and access to
communications data [13].
With regards to data being retained
within the EU, the CoA declined to make a definitive statement on the hope that
the CJEU will clarify the matter with regards to the IPT’s reference [14-19].
Watson et al urged the CoA to declare
that DRIPA 2014 had failed to make provisions for ex post facto notifications
[20]. The CoA, however, declined for three reasons: a) it was not previously an
issue in the national proceedings; b) it was not in the CJEU’s ratio in Tele2 and Watson; and c) the CJEU will
in any event consider this based on the IPT’s reference.
On the issue of the relationship
between data to be retained, and the threat to public security, Lord
Lloyd-Jones initially intended to grant declaratory relief on the grounds that
DRIPA 2014 did not contain any limitations to comply with the CJEU’s ruling,
but declined to do so [22-24]. Lord Lloyd-Jones recalled three reasons as to
why this was justified:
First, it was not argued that
DRIPA 2014 was unlawful because it did not require there to be an identifiable
public whose data was likely to reveal direct or indirect links to serious
crimes. The CJEU’s ruling on general data retention was in response to the
Swedish legislation. The High Court in Davis and Others v Secretary of State for
the Home Department and Others [2015] EWHC 2092 felt that the CJEU (in Digital Rights Ireland) could not have
meant general data retention was unlawful, only that adequate safeguards had to
be in place for access.
Second, the CJEU’s reasoning on
general data retention reflects Swedish law’s catch all (all services, data and
users) data retention, and the analysis and conclusions cannot be automatically
applied to DRIPA 2014. Third, this is a live issue which is pending for a
February hearing.
Thus, the CoA unanimously held
that DRIPA 2014 was inconsistent with EU law for not limiting data retention
for the purposes of fighting serious crime and access to said data was not
subject to prior review by an independent administrative body [27].
Was the Swedish Court’s question on blanket indiscriminate data
retention not applicable in the UK context?
This post has highlighted how
throughout this judgment, the CoA consistently held that the prohibition of
general data retention does not automatically apply to DRIPA 2014, because the
answer from the CJEU was in response to a reference from a Swedish court asking
about Swedish legislation. This premise acts on the assumption that DRIPA 2014
could not permit general data retention. This requires closer scrutiny. It must
first be noted, that when the CJEU made its ruling, it highlighted its ruling
applied to national legislation, thus, contrary to what the CoA seem to
suggest, this does not directly apply only to Sweden, but to all EU Member States
implementing data retention legislation.
When the CJEU ruled that blanket
indiscriminate data retention of all services, all users and all data (catch
all) was not permissible under EU law, I highlighted that this would have made
a power found within cl.1 of the draft
Communications Data Bill (dCDB) unlawful (Matthew White, ‘Protection
by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of
Information Rights, Policy, and Practice 2:1, 24). This was due to the fact that
cl.1 contained the same power that the Swedish reference was seeking to
clarify, a catch all power.
Section 1(2)(a) and (b) of DRIPA
2014 and s.87(a) and (b) of the IPA 2016 must be considered together. Both sets
of powers allowed or allows retention notices to be issued on a (public)
telecommunications operator or any
description of operators to retain all
data or any description of data. I had previously
argued that Tele2 and Watson may
prove unproblematic for such powers because there was discretion on which
telecommunications operators could be obligated to retain and what data they
could retain (26). I further pointed out, due to the CJEU’s insistence on
geographical data retention in Tele2 and
Watson [111] (which in and of itself is problematic
for human rights protection (36, 37)) it could be argued, the ability to
require retention would not be based on operator, but
by location and therefore, could require a variety of operators to retain
in a given area (26). These are the sorts of arguments I would assume could be
invoked by the Home Secretary if need be.
However, I also noted that ‘it
is still theoretically possible for all operators in the UK to be required to
retain all data of users and subscribers’ (26) because retention notices
apply to any description of operators to retain all or any description of data.
This
could be considered a general obligation because it could affect all
telecommunications operators and then be classed as a general obligation.
Lord Kerr in his dissenting opinion in Beghal v Director of Public Prosecutions [2015] UKSC 49 noted
that it ‘is the potential reach of the power rather than its actual use by
which its legality must be judged [102].’ Instead of a catch all power like
cl.1 of the dCDB or Swedish law, the powers in DRIPA 2014 and the IPA 2016
would be a power that can catch all.
When considering DRIPA 2014, the HC in Davis and Others
came to the same conclusion where they noted that:
Mr Eadie
accepted that the consequence of this policy stance is that we should test the validity of DRIPA on the
assumption that the retention notices issued under it may be as broad in scope
as the statute permits, namely a direction to each CSP to retain all
communications data for a period of 12 months. The case was argued on both
sides on that basis. We shall refer in
this judgment to a system under which the State may require CSPs to retain all
communications data for a period as a "general retention regime"
[65].
One could challenge this
reasoning on account of it matters not whether the contents of a retention
notice are known because it’s the power in question that is tested. This is
precisely the position of the European Court of Human Rights (ECtHR) with
regards to secret surveillance. In Roman Zakharov v Russia (ECHR, 4 December 2015) the ECtHR’s
Grand Chamber (GC) clarified its position on when an individual can claim to be
a victim of a violation under Article 8 (private and family life, home and
correspondence) of the European Convention of Human Rights (ECHR). The GC
maintained that an applicant can claim to be a victim by the mere existence of secret surveillance
measures for example, where ‘legislation directly affects all users of
communication services by instituting a system where any person can have his or
her communications intercepted’ [171]. The GC continued that, when such
surveillance cannot be verified, the menace of surveillance itself can
interfere with the Article 8 rights of all users and potential users [ibid]. In
summary, the GC clarified its jurisprudence where it has been consistently
ruled that it is what the law permits that can be subject to challenge, not the
actual use of the law (unless argued by the applicants).
For the reasons highlighted
above, it is argued that the CoA are playing semantics with the powers found
within Swedish legislation, and the powers found within DRIPA 2014, as they
permit the same thing, namely all
operators, data and users can be affected by data retention. Therefore, the
CoA’s reliance on the CJEU’s position on general data retention only applied to
and reflected Swedish law is untenable.
The CoA also relied upon the HC’s
interpretation of Digital Rights Ireland
in Davis and Others that the CJEU
ruled that general data retention would only be lawful if appropriate
safeguards were in place. This is ironic considering the CoA disagreed with
this position in Secretary of State for the Home Department v
Davis MP and Others [2015] EWCA Civ 1185 [90]. What is also striking, is
that, unless the CoA have invented a TARDIS to prevent the CJEU’s judgment in Tele2 and Watson from occurring, they
seem to rely on the HC’s position prior to Tele2
and Watson. Simply put, in 2015, the HC did not believe the CJEU meant
general data retention was unlawful in and of itself, in 2016, the CJEU said,
‘Yes, we did, so we shall say it again.’ Thus, for the CoA to rely on what is
best described as an outdated HC position is at best, ignorant and at worst,
disingenuous.
The final reason on part of the
CoA is also unconvincing. They declined on the basis that Part 4 of the IPA
2016 is under challenge and thus would not be privy to evidence of both sides.
This is despite the operational case for data retention being in the public
domain, and the counter arguments relatively easy to find. The position the
CoA took allowed it to sidestep the real issue, whether general data retention
is compatible with human rights. General data retention has never been
compatible with human rights since at least 2008 when the ECtHR GC in S and Marper App nos. 30562/04 and 30566/04 (ECHR, 4 December 2008)
ruled that general data retention, even on a specific group of individuals
(suspects and convicts) violated Article 8. Tele2
and Watson (despite
its many flaws 24, 34-41) is just the next logical step with regards to
communications data.
Prior Review by a Court or Independent Administrative Body
The finding that DRIPA 2014 was
inconsistent with EU law for not prescribing prior review by a court or an independent
administrative body for access to communications data is to be welcomed. This
is not a criticism of the CoA’s finding per se, but a criticism of the idea
that this safeguard remedies the problems caused by data retention. Part 4 of
the IPA 2016 allows retention notices to be approved by Judicial Commissioners
(JC) under s.89. This mechanism has already been criticised
because JC will only act based on the Secretary of State’s conclusions, there is no obligation for the Secretary of State to
make a full and frank disclosure of their evidence for retention (thus can be
misled), they can only make an assessment on judicial review principles (thus
not a merit based or human rights review), nor are they institutionally
independent from the Investigatory Powers Commission (IPC) (28-32).
Another problem is that the JC
can authorise data retention that can catch all. As the GC in Roman Zakharov noted:
[T]he implementation
in practice of measures of secret surveillance of communications is not open to
scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for
the legal discretion granted to the executive or to a judge to be expressed in terms of an unfettered power
[230].
The power to retain in DRIPA 2014
and IPA 2016 are virtually
unfettered, even if it applies to
a single telecommunications operator, and even
if this power was authorised by a judge (37-39). Essentially, giving a
judge the power to authorise retention or access would only be sufficient based
on what they can authorise to be
retained or accessed. If this power is unfettered, it matters not if the judge
increases the independence of the authorisation process. Thus, despite the
CoA’s finding, DRIPA 2014 would still be in violation of fundamental rights.
Lack of notification was already incompatible with the European
Convention on Human Rights
In declining to grant declaratory
relief with regards to notification, it can be argued that the CoA have failed
under their obligations under s.6 of the Human Rights Act
1998 (HRA 1998) to act in a way that is compatible with the ECHR. With
regards to notifications, the ECtHR in Association for European Integration and Human Rights and Ekimdzhiev v
Bulgaria App no. 62540/00 (ECHR, 28 June 2007) found that Bulgarian law
violated Article 8 and 13 (effective remedy) for not having a notification
system. The ECtHR noted that ‘as soon as notification can be made without jeopardising
the purpose of the surveillance after its termination, information should be
provided to the persons concerned’ [90]. Boeham and de Hert note that the ‘clear
recognition of an (active) notification duty after surveillance measures have
ended in the Ekimdzhiev v. Bulgaria
case constitutes a remarkable development in the framework of the safeguards
against abuse which are necessary in surveillance cases’ (Franziska Boehm and
Paul de Hert, ‘Notification, an
important safeguard against the improper use of surveillance - finally
recognized in case law and EU law’ (2012) 3:3 European Journal of Law and
Technology).
The position of the ECtHR was
reaffirmed in Roman Zakharov [287],
but reference was made to UK law in that there is an alternative to
notification i.e. IPT jurisdiction [234, 288], however, I have previously
referred to doubts raised by Boehm and de Hert which is worth quoting in full.
Boehm and de Hert questioned whether UK law was ‘capable of responding to the
challenges arising out of the use of new surveillance techniques’ (Franziska
Boehm and Paul de Hert, The rights of notification
after surveillance is over: ready for recognition? (Yearbook of the
Digital Enlightenment Forum, IOS Press 2012), pp. 19-39, 37).
Boehm and de Hert continue that
in light of powers such as data retention and ‘fishing expeditions’ that target
a greater number of people without suspicion, a notification duty appears to be
an effective tool to prevent abuse (ibid, 37-8). Finally, Boehm and de Hert
note that the Belgian Constitutional Court has now adopted the notification
principle as a requirement to comply with Article 8 (ibid, 38).
Thus, whether or not CJEU
requires notification, this justification can be found within the jurisprudence
of the ECHR. Boehm and de Hert’s approach would be consistent with this
jurisprudence of the ECHR in terms of it being a living instrument ‘which must be interpreted
in the light of present-day conditions and of the ideas prevailing in
democratic [73]’ in that mass surveillance would deprive the:
The IPA 2016 does contain a
notification process under s.231, but this is wholly inadequate as it quite
plainly admits, that a violation of the ECHR is not sufficient in and of itself
to justify a notification. This could be any
ECHR right, not just a breach of privacy, data protection or freedom of
expression, but the right to life (Article 2), freedom from torture (Article 3)
etc. This would render s.231 at the very least, in violation
of Article 8 and 13 (39-40). Granted, this was not argued before the CoA,
it remains that this was an opportunity where the CoA could have used existing
case law to find that DRIPA 2014 had in fact breached human rights, with or
without any consideration for EU law and the principles set out in Tele2 and Watson.
Conclusions
In an amazing display of legal
gymnastics, the CoA avoided the most central issue in the data retention
debate, the compatibility of general data retention with fundamental rights.
The CoA did so by not acknowledging that DRIPA 2014 did and the IPA 2016 now
allows general data retention. Instead, the CoA relied upon the semantics of
distinguishing a catch all power, and a power that can catch all, which of
course, in any event, amount to the same thing. In finding that DRIPA 2014 was
only unlawful insofar as it lacked prior review by a court/independent
administrative body to access communications data and that this was not
restricted to serious crime overlooks the central issue of this data being
retained the first place. It is one thing the ensure greater independence with
regards to the authorisation of surveillance measures, but is another thing to
overlook what those authorisations allow, whether it be the retention or access
of communications data. To do so would simply polish a turd, rather than flush it,
as general data retention has always been a turd that has needed flushing since
at least 2008. Although the question of data retention within the IPA 2016 is
subject to judicial review before the HC, the CoA had the opportunity to
faithfully apply Tele2 and Watson to
DRIPA 2014, but instead of addressing the issue, it acted as though the issue
did not exist.
Barnard & Peers: chapter II:7
Art credit: Lightning Broadband
No comments:
Post a Comment