Thursday 24 May 2018


Data Retention incompatible with EU law: Victory? Victory you say?





*Photo credit: https://www.beencrypted.com/  



Matthew White, PhD candidate Sheffield Hallam University



Introduction



On 27 April 2018, the High Court in Liberty v Secretary of State for the Home Department and Others [2018] EWHC 975 (Admin) ruled that Part 4 (retention of communications data) of the Investigatory Powers Act 2016 (IPA 2016) was incompatible with the European Union’s (EU) Charter of Fundamental Rights (CFR). They did so in holding that access to retained communications data was not limited to the purpose of serious crime, and it was not subject to prior review by a court or an independent administrative body. Liberty regarded this ruling as a landmark victory for privacy rights. This blog post questions this assertion by critically analysing the High Court’s judgment with regards to the specific aspect of data retention.



Ignore the European Convention on Human Rights at your peril:



In the second paragraph of the High Court’s judgment, it was acknowledged that the judicial review proceedings concerned not only the CFR but the European Convention on Human Rights (ECHR). The High Court, however, proceeded to only consider the former. This omission will become more important throughout this post.





Does not concern the content of communications?



The High Court acknowledged that retention notices under s.87(1) of the IPA 2016 affects a wide range of private information to do with communications, but not their content e.g. emails and texts [3]. Emails and texts are of course, but one example of content, however, some argue that communications data are equally (Elisabet Fura and Mark Klamberg, ‘The Chilling Effect of Counter-Terrorism Measures: A Comparative Analysis of Electronic Surveillance Laws in Europe and the USA’ (2012) Wolf Legal Publishers, Oisterwijk 463, 467) or more revealing (Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’ (2004) Communications of the ACM 47:3 77, 82). This is precisely why the UN Office of the High Commissioner for Human Rights (OHCHR) felt such distinction is no longer tenable (para 19). It was even demonstrated by iiNet that content is embedded in communications data in sites like Twitter and Facebook.



Moreover, the High Court considered s.87(1) of the IPA 2016 in isolation to, for example, s.87(4)(d) which prevents retention notices from requiring telecommunications operators to retain data which is not used by them for any lawful purpose. Lawful purpose is not defined in the IPA 2016, but s.46(4)(a) of the IPA 2016 allows (by regulation, s.46(1) and (2)) any business to conduct interception if it constitutes a legitimate practice reasonably required for the purpose, in connection with the carrying on of any relevant activities for the purpose of record keeping. Section 46(2)(b) includes communications relating to business activities, and this could allow interception for ‘business purposes.’ This would square with the Home Office’s position in 2009 where they noted that deep packet inspection (DPI) ‘is a term used to describe the technical process whereby many communications service providers currently identify and obtain communications data from their networks for their business purposes’ (p15). DPI enables Internet Service Providers (ISPs) to access information addressed to the recipient of the communication only, this requires the interception of communications data and content (para 32). This could legitimise practices such as those that occurred in the Phrom scandal where BT, TalkTalk and Virgin Media made a deal with Phorm to covertly intercept traffic of their customers. Whether it does or does not permit Phorm-like activities, is not the pressing issue at hand, it’s the allowance of intercepted data to be retained (para 125, p1104) which would constitute a lawful purpose under s.87(4)(d) of the IPA 2016. This highlights that the High Court’s focus on s.87(1) blinds them to the realities of communications data being just as, if not more serious than content, and in any event, content could be retained.



Appropriate remedy and the potential chaos that could ensue?



The High Court highlighted the dispute between the Defendants and the Claimants as to the appropriate remedy, where the former felt no more declaratory relief was necessary [32] because it was already conceded that elements of Part 4 were inconsistent with EU law [31], [38]. There was also a dispute as to the period of suspension should the High Court disapply Part 4 [32]. Despite this acknowledgment of the Defendants, they were of the position that Part 4 should continue as it currently is until it is amended by Parliament [40-1]. The Claimants advocated for a suspended disapplication, this for the High Court:



[W]as a realistic and fair acknowledgement that, in this context, it cannot reasonably be expected that there should, immediately, be no legislation at all in place allowing retention of data that is needed to apprehend criminals or prevent terrorist attacks [42].



The High Court noted that whatever remedy it granted, it should not have the effect of ‘immediately disapplying Part 4 of the 2016 Act, with the resultant chaos and damage to the public interest which that would undoubtedly cause in this country’ [46]. The use of ‘chaos’ was in reference to the Defendants who argued that disapplication was a recipe for chaos [75].



A reason why the High Court preferred not to disapply Part 4 immediately was because there would be no data retention laws in place to aid in the fight against crime and terrorism. This is not actually true, the Budapest or Cybercrime Convention has had legal force in the UK since 1 September 2011. This mainly concerns crimes committed via computer networks, but Article 14(2)(c) allows the UK to adopt measures to collect evidence in electronic form of a criminal offence. This does not appear to limit offences to those described in Articles 2-11. Moreover, Article 16 provides for data preservation, which is the alternative to data retention. This is not the only option available to the UK as discussed below. The High Court’s position is essentially a strawman because immediate disapplication was not argued, and in any event, would not be true if Part 4 were to be disapplied.  



The High Court refers to ‘chaos’ and ‘damage’ to the public interest without explaining why and in what ways this would be possible by disapplying Part 4. The language used by the High Court needs to be critically analysed. Prior to the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014), communications data retention had been voluntary under s.102(1) of the Anti-terrorism, Crime and Security Act 2001 (ACTSA 2001), though the Data Retention (EC Directive) Regulations 2007 and 2009 required data retention to a lesser extent. Previous attempts at mandatory data retention, notably the draft Communications Data Bill (dCDB) in 2013 was halted by the then Coalition partners to the Conservatives, the Liberal Democrats. There was no chaos, or damage to the public interest prior to DRIPA 2014, when data retention was voluntary nor when the dCDB was rejected. When the High Court in Davis and Others v Secretary of State for the Home Department and Others [2015] EWHC 2092 (Admin) dispplied s.1 of DRIPA 2014, albeit delayed for eight months [122], they felt it appropriate to give Parliament enough time to scrutinise and pass new laws[121], and not because of the chaos and damage that would ensue due to immediate disapplication.   



The High Court’s position seemingly acts upon the assumption that if data retention obligations are immediately disapplied, there would be no communications data to be accessed. This is simply not the case when one considers one of the biggest telecommunications operators in the world, Google, who store ‘your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.’ The legal basis of this is questionable, but the fact remains, such communications data could still be accessed under s.61 of the IPA 2016 where a designated senior officer of a relevant public authority could obtain communications data, whether it exists at the time or not, meaning they could require a telecommunications operator to retain communications data on an forward looking basis (para 177). This authorisation process is however, subject to change, requiring authorisation by the Investigatory Powers Commissioner, but the fact remains, the power is unchanged. Moreover, Part 6, Chapter 2 of the IPA 2016 allows for the bulk collection of communications data by intelligence services.





The High Court referred to the Government swiftly enacting DRIPA 2014 [12]. What they did not mention was that following Digital Rights Ireland and the Court of Justice of the European Union’s (CJEU) invalidation of the Data Retention Directive (DRD), the Government did nothing for three months. The High Court in Davis and Others noted there was not a clear legal basis for the 2009 Regulations and thus some telecommunications operators were considering deleting retained communications data [45-6]. For three months, the Government must have known this was a possibility, but did nothing, then rushed DRIPA 2014 through Parliament with indecent haste in three days (Niklas Vainio and Samuli Miettinen, ‘Telecommunications data retention after Digital Rights Ireland: legislative and judicial reactions in the Member States’ (2015) International Journal of Law and Information Technology 23:3 290, 304).



Finally, the High Court refers to the ‘public interest’ without mentioning what aspects they mean. Is it the public interest in fighting serious crime and stopping terrorism? Even if this is what the High Court meant, they did so without acknowledging that privacy in and of itself is a public interest. This is specifically mentioned in s.2(2)(d) of the IPA 2016. Regan regards privacy as having public value because it is necessary to the proper functioning of a democratic political system (Priscilla M. Regan, ‘Legislating Privacy, Technology, Social Values and Public Policy’ (The University of North Carolina Press 1995). The then Labour Government even acknowledged that ‘that the protection of privacy is in itself a public service.’ Privacy is a prerequisite for liberal democracies because it sets limits on surveillance by acting as a shield for groups and individuals (Alan F. Westin, Privacy and Freedom, New York: Atheneum (1967), 24). Moreover, privacy underpins freedom of expression, religion, thought and conscious and assembly/association. Furthermore, privacy is not just an individual right nor does data retention just affects individuals. In Riddick v Board Mills Ltd [1977] QB 881, Lord Denning succinctly put it that:



The memorandum was obtained by compulsion. Compulsion is an invasion of the private right to keep one’s documents to oneself. The public interest in privacy and confidence demands that this compulsion should not be pressed further than the course of justice requires [p896].   



This acknowledges the public interest privacy serves, and to assume this only applies to the objectives such as fighting serious crime and terrorism is to underestimate the fundamental nature and importance of privacy.



Not general and indiscriminate data retention?



The High Court when considering whether Part 4 of the IPA 2016 permitted general and indiscriminate data retention referred to the Court of Appeal’s refusal in to apply Tom Watson and Others v Secretary of State for the Home Department [2018] EWCA Civ 70 [22-6]. The Court of Appeal’s reasoning remains unconvincing and their semantic reasoning indicates what they would have held. The Claimants before the High Court argued that Part 4 permitted general and indiscriminate data retention, and thus should be referred to the CJEU, however the Defendants argued that reading the IPA 2016 as a whole, this is not the case [120].



The High Court towed the same line as the Court of Appeal in Tom Watson and Others where they noted that the CJEU were specifically referring to Swedish law [121]. The High Court then summarises their view of the CJEU’s ruling noting that Member States:



[M]ay adopt legislation which permits decisions to be taken for the targeted retention of data which is (a) sufficiently connected with the objective being pursued, (b) is strictly necessary and (c) proportionate [124].



The High Court were of the opinion that CJEU’s judgment did not require more detailed factors which may be relevant as to the application of those tests [124]. For the High Court, it would be impracticable and unnecessary to set out in detail in legislation the range of factors to be applied with matters such as national security, public safety and serious crime [124]. It must be noted that the issue of national security is a matter that will be dealt with by the CJEU based upon the Investigatory Powers Tribunal’s preliminary reference (analysis here).



Public safety, however, is not an objective that CJEU’s considers to be capable of justifying data retention, only serious crime [102], so it is unclear why the High Court even mentions this. The CJEU does refer to serious threats to public security, but this is in regards to the links between the measure and objective evidence [111]. The High Court also does not explain why it would be impracticable and unnecessary to set out in detail the range of factors to be applied, when the CJEU themselves observed that national law must be clear and precise [109]. Not only does this raise issues with the EU law, because the Part 4 does not provide clear and precise rules (Jennifer Cobbe, ‘Casting the dragnet- communications data retention under the Investigatory Powers Act’ (2018) Public Law 10, 19), but also with the ECHR. The ECtHR have ruled that it is essential to have clear, binding [60] and detailed rules, especially as the technology available for use is continually becoming more sophisticated [229]. The reason for the ECtHR’s position is explained in Szabo and Vissy v Hungary [2016] ECHR 579:



Given the technological advances since the Klass and Others case, the potential interferences with email, mobile phone and Internet services as well as those of mass surveillance attract the Convention protection of private life even more acutely [53].



What the High Court regards as unnecessary and impracticable are actually requirements of both European Courts, with the ECtHR taking that step furthering in explaining why.



The High Court then notes that the combination of the scope and application of data retention measures and the minimum safeguards are designed to achieve effective protection against the risk of misuse of personal data [125]. Granted, the High Court are repeating points made by the CJEU [109], this approach overlooks what the ECtHR have held:



The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8…The subsequent use of the stored information has no bearing on that finding [67].



The misuse of personal data is secondary to it actually being retained (and generated, see s.87(9)(b) of the IPA 2016). The High Court then distinguishes Swedish law from the IPA 2016 in that it does not require a blanket requirement requiring the general retention of communications data, because it relies upon the discretion of the Secretary of State [127]. This has already been argued to be a semantic argument ‘of distinguishing a catch all power, and a power that can catch all, which of course, in any event, amount to the same thing.’ The High Court also relies on the description that the Secretary of State will only exercise this power if it is considered necessary and proportionate, which for them, is in line with EU law [128]. But this position betrays their previous reasoning on DRIPA 2014, which had the same requirements of necessity and proportionality [47], with both parties and the High Court accepting this permitted a ‘general retention regime [65].’ A reason for this position was because the contents of a retention notice cannot be verified due to disclosure not being permitted, unless the Secretary of State permits it (see s.95(2)-(4) of the IPA 2016).



The High Court then argues that it would be difficult to conceive how the tests of necessity and proportionality could require the retention of all communications data due to the wording of ‘all data’ in the IPA 2016 [129]. This reasoning is problematic, because it relies upon the ‘surely the UK would not?’ position. As Lord Kerr observed in Beghal v Director of Public Prosecutions [2015] UKSC 49 that ‘is the potential reach of the power rather than its actual use by which its legality must be judged [102].’ This is precisely why Cobbe argues:



Retention notices may be tailored to an extent, including by requiring that only data which meets a certain description or is from a certain time period is retained. But s.87 does allow for ISPs to be required to retain "all data" indiscriminately, without differentiation, limitation, or exception, and without clear safeguards for data subject to professional confidentiality (Jennifer Cobbe, see above, 19).



As others and myself have argued, s.87(2)(a) and (b) theoretically allows for the possibility ‘all operators in the UK to be required to retain all data of users and subscribers’ (Matthew White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of Information Rights, Policy, and Practice 2:1, 26) and should be treated as a blanket and indiscriminate power (Matthew White, see above, 25; Jennifer Cobbe, see above, 18; ; Andrew D. Murray, ‘Data transfers between the EU and UK post Brexit?’ (2017) International Data Privacy Law 7:3 149, 161).



In Liberty v UK [2008] ECHR 568 the then UK Government accepted that s.3(2) of the Interception of Communications Act 1985 allowed:



[I]n principle, any person who sent or received any form of telecommunication outside the British Islands during the period in question could have had such a communication intercepted [64].



For the ECtHR, such a power was virtually unfettered [64], and violated Article 8 for not being in accordance with the law [70]. Furthermore, the High Court’s reasoning acts on the assumption that the only way Part 4 could be unlawful is if it did permit or made it possible for the retention of all communications data. This is simply not true as seen in the case of Liberty above, where this did not even concern communications within the UK, moreover in S and Marper [2008] ECHR 1581 the GC ‘ruled that general data retention, even on a specific group of individuals (suspects and convicts) violated Article 8.’



The High Court then also incorrectly claims that s.87(2)(b) of the IPA 2016 relates to a ‘description of data’ and not just to ‘all data’ [129] when the actual words are ‘any description of data’ which simply means any and/or all data could be retained. The High Court makes the same mistake with regards to telecommunications operators in that a retention notice may relate to a particular operator or to a description of operators [129] when, again the operative word in s.87(2)(a) is any description of operators. The suggestion here is that if a retention notice is issued on one telecommunications operator (because s.87(2) ‘list[s] the elements which may be used when delineating the content and scope of a retention notice so as to satisfy the necessity and proportionality tests in any particular case [129]’, this would be alright. If one uses BT as an example, with over nine million broadband subscribers, would a retention notice on BT to retain all this communications data sit well with the High Court? After all, BT is but one telecommunications operator, has a large subscriber base, but crucially not all of them, and the subscriber’s communications data does not amount to all the communications data that could be retained in the UK. In fairness, this is as much of the CJEU’s problem as it is the High Court’s, as this is where S and Marper makes a crucial distinction, that being, data retention measures that are general and indiscriminate within a group can still be unlawful.



The High Court then refers to the 12-month retention limit [130], but this only serves to highlight the constant interference with fundamental rights as retention notices will be renewed on a yearly basis. The High Court also refers to matters to which the Secretary of State must have regard to in s.88(1) of the IPA 2016 such as the benefits of the notice, number of users affected, costs etc and must also take reasonable steps to consult the relevant telecommunications operator (see s.88(2)). Regarding the former, the Secretary of State could still issue the intended retention notice irrespective of what has been regarded, and with the latter, there is no obligation to actually consult a telecommunications operator.    



The High Court then refers to the Judicial Commissioner’s (JC) role in the approval of retention notices based on the Secretary of State’s conclusions [133]. This is problematic because there ‘is no obligation on the Secretary of State to make a full and frank disclosure and therefore, the JC and IPC could be misled (accidently or deliberately) (30)’ and could ‘be given a summary a summary of a summary of a summary of a summary of the original intelligence case (30-1).’ The GC have noted that it is essential that the supervisory body has ‘access to all relevant documents, including closed materials and that all those involved in interception activities have a duty to disclose to it any material it required [281].’ This is currently not possible under the IPA 2016. The High Court then refers to the JC’s applying principles of judicial review to authorisations [133]. The question as to whether the Wednesbury principles would apply has been subject to debate (29), but the Investigatory Powers Commissioner (IPC) themselves have noted that when human rights issues arise, the necessity and proportionality tests of the ECHR and EU law will be applied instead of Wednesbury (para 17, 19). However, this statement is only advisory and admits it is not binding (para 1), thus is not a real safeguard.



The High Court then refers to the JC’s general duties under s.2 of the IPA 2016 [133]. The first of which concerns the JC having regard to whether there are less intrusive measures to achieve the objective. There is, data preservation, but this isn’t in the IPA 2016 (unless one considers s.61 to be form of data preservation). The second concerns the level of protection to sensitive information, which is much narrower than sensitive personal data in data projection instruments as it only includes legally privileged material, journalistic sources, communications with Members of Parliament etc. The JC’s cannot have regard to sensitive information because as the Bar Council and Law Society have highlighted that the problem bulk communications data retention is that it does not prevent legally privileged data from entering the ‘pool’ in the first place (para 32). With regards to journalistic sources, United Nations Educational, Scientific and Cultural Organization (UNESCO) noted that even when journalists encrypt the content, they may neglect to encrypt the communications data which means they still leave behind a digital trail when they communicate with their sources, making them identifiable (26).



The High Court then refers to the fact that a telecommunications operator can refer a retention notice back to the Secretary of State, which again would require approval by the IPC [134]. And if the IPC approves a notice on BT to retain all the communications data of their subscribers, then what? The High Court summarises Part 4 by noting that they ‘do not think it could possibly be said that the legislation requires, or even permits, a’ general retention regime [135]. However, it was never the argument that the IPA 2016 requires a general retention regime, but that it permits the Secretary of State and JC to require a general retention regime. As the ECtHR have maintained ‘it would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed in terms of an unfettered power [230].’ The question is not ‘will they’ but ‘can they.’



The High Court continues that Part 4 and s.2 requires a range of factors to be taken into account before a retention notice is issued [135]. Although it was already argued that ‘catch all’ power is not necessary for Part 4 to be deemed unlawful, it is useful to play Devil’s Advocate. Can the Secretary of State issue a retention notice on all telecommunications operators to retain all communications data if they deem it necessary and proportionate? Can a JC approve this? Can this still be the case if the telecommunications operator refers this back to the Secretary of State subject to approval by the IPC? If the answer is yes, then this highlights that all the factors that the High Court refers to does not change the operation of the power itself. If the answer is no, then the High Court is ignoring the glaringly obvious implications of a power that can be applied to all or any telecommunications operator to retain any or all communications data.



The High Court then puts its previous judgment to one side (where they agreed DRIPA 2014 permitted a general retention regime) by arguing that:



Even if that assumption were to be applied in this case, it is plain from the analysis set out above, that the 2016 Act does not permit the general and indiscriminate retention of communications data. In any event, we would add that the issue of whether a UK enactment is inconsistent with EU legislation is not to be determined by evidence from either party as to how the domestic scheme is operated in practice or might be operated. Instead, the issue is an objective question of law which turns on the proper interpretation of the two pieces of legislation [136]. 



Essentially, the High Court are saying, even if the previous judgment was correct, IPA 2016 is somehow different, despite the wording of the power in DRIPA 2014 being identical. In amazing fashion, the High Court decided that it does not really matter how the law is or might be operated, but relies upon the notion of an ‘objection question of law’ and how it is interpreted. And this is why ignoring the ECHR, if it was not made clear above is problematic because the ECtHR have consistently held that:



[T]hat the mere existence of laws and practices which permitted and established a system for effecting secret surveillance of communications entailed a threat of surveillance for all those to whom the legislation might be applied. This threat necessarily affected freedom of communication between users of the telecommunications services and thereby amounted in itself to an interference with the exercise of the applicants’ rights under Article 8, irrespective of any measures actually taken against them [168].



The High Court’s position is in contrast to the position of the ECtHR in that secret surveillance can be judged in abstracto or where an individual can claim to actually be subject of a surveillance measure. All that is required is that one is able to show that they are ‘potentially at risk of being subjected to such measures [171].’ Whether retention notices apply to all telecommunications operators to retain all communications data, or to one telecommunications operator to retain all (or even some) communications data, this allows for the ‘automatic storage for six months of clearly irrelevant data’ and ‘ cannot be considered justified under Article 8 [255].’ Even six months is unacceptable to the ECtHR (which raises serious questions as to the 12-month retention limit), this position is strengthened by Advocate General Øe, who noted that:



The disadvantages of general data retention obligations arise from the fact that the vast majority of the data retained will relate to persons who will never be connected in any way with serious crime [252].



Conclusion



This blog post has highlighted many flaws in the approach of the High Court with regards data retention. Part 4 of the IPA 2016 is neither consistent with the ECHR or EU law. The High Court have fallen into the same trap as the Court of Appeal did earlier this year when distinguishing a catch all power, and a power that can catch all. This post only partially deals with the judgment as the aspects of entity data and serious crime deserve posts of their own. What is just as disappointing as this judgment is the claim that it was a landmark victory, when in actual fact, the rulings against the Defendants were concessions they already made, leaving the crucial aspect of Part 4 unscathed. A wise little green man might say ‘Victory? Victory you say? Master Liberty, not victory. The shroud of data retention persists. Continue the mass surveillance will.’


No comments:

Post a Comment