Lorna Woods, Professor of Internet Law, University of Essex
Introduction
This is the Grand Chamber’s take
on a challenge to the UK’s RIPA regime originally decided by a chamber
(judgment 13 September 2018). It is the culmination of a long series of
challenges to the UK regime, following the publication of information revealing
that the UK (and other Governments) had engaged in bulk surveillance of
people’s communications as well as in intelligence sharing. The judgment arose
from three applications originally filed before the Strasbourg Court: Big Brother Watch and Others v. the United
Kingdom (App no. 58170/13); Bureau of
Investigative Journalism and Alice Ross v. the United Kingdom (App no.
62322/14); and 10 Human Rights
Organisations and Others v. the United Kingdom (App no. 24960/15) (and on
which I
commented). Similar questions were
also in issue in Centrum
för Rättvisa v. Sweden (App no. 35252/08), another Grand Chamber judgment
handed down on the same day but based on a longstanding challenge to Swedish
surveillance laws from 2008, which had been found by a chamber of the Court not
to violate Article 8 ECHR (the right to privacy).
The case raises questions about the
extent to which such surveillance is permissible and under what conditions,
and about how far the safeguards identified before digitization,
which were generally applied in relation to interception of communications,
can apply to intelligence gathering based on data analytics, where issues of
meta data are directly considered as well as concerns about the content of
communications. The particular problem is that surveillance has historically
been considered from the perspective of individual surveillance, where a person
may be the subject of surveillance when there are reasonable grounds for
suspicion. The very nature of bulk data acquisition and intelligence gathering
means that there is no such suspicion.
As many commentators have
remarked, it is the first mass electronic surveillance case to be decided
against the UK after the Edward Snowden revelations and, significantly, it also
considered meta data (communications data) as well as content. While the Court
found the UK government to be in violation of Article 8 on some points, it is
not a complete ‘win’ for privacy activists. Notably, this judgment and that in Centrum för Rättvisa set the
conditions for bulk collection of data; in so doing, has the Court – as the Court of
Justice of the EU apparently has following La
Quadrature du Net (Case C-511/18) – accepted the
principle of mass surveillance, with the loss of anonymity not just online but –
with smart homes, cars and cities – potentially everywhere?
Facts
The UK Government Communications
Headquarters (GCHQ) was running three surveillance systems:
- bulk interception of (foreign) communications (which was then winnowed down through automated means to sets of information that would be analysed by the security services);
- intelligence sharing among the ‘Five Eyes’ (the United States, Canada, Australia, New Zealand as well as the UK), specifically in collaboration with the PRISM and Upstream programs run by the American NSA; and
- acquisition of communications data from internet service providers.
The regime at that time was based
on the Regulation of Investigatory Powers Act 2000 (RIPA), which has now been
replaced by the Investigatory Powers Act 2016 (IPA); the Court decided matters
on the basis of the law as was and not in the light of the IPA (though the IPA
shares some features with the RIPA regime). In addition to statutory
provisions, RIPA envisaged that codes of practice would provide more detail as
to actual practice. As regards the sharing of intelligence, the Counter Terrorism
Act 2008 allowed for the disclosure of information to each arm to exercise any
of their functions, subject to any limitations imposed by virtue of the Data Protection
Act 1998 (now itself replaced by the Data Protection Act 2018) and the Human
Rights Act. The Official Secrets Act also applies. The U.K.-U.S. Communication Intelligence
Agreement governs the exchange of intelligence information relating to
“foreign” communications between the UK and the US, with the code of practice
containing more detail as to treatment of foreign intelligence.
The applications – whose applicants included
journalists and human rights organisations, who might be understood to be
particularly affected by the threat of surveillance – were heard together. The
10 Human Rights Organisations had started their action in the IPT; the other
applicants claimed there was no effective remedy. The Chamber decision found a violation of
Article 8 and Article 10 in relation to the bulk interception regime in s 8(4)
RIPA, and the regime for obtaining communications data, but found no violation
as regards the information sharing.
Judgment
There are three aspects to the
judgment regarding Article 8: the consideration
of the bulk interception (and the possibility of analysing associated
communications data); the receipt of data from foreign intelligence services;
and the acquisition of communications data from service providers. These also
gave rise to claims under Article 10.
Bulk Intercept
The analysis of the bulk
communications involves a number of stages, each one narrowing the dataset but
at the same time, intensifying the level of scrutiny on that information. The
Court identified the following stages (para 325):
- the interception and initial retention of communications and related communications data;
- the application of specific ‘selectors’ (whether strong selectors – eg an email address – or complex queries);
- the examination of the resulting selected communications and communications data and retention of data;
- use of ‘final product’, including sharing that information.
While the mere holding of such
information by the State in and of itself has long been held to be an intrusion
into Article 8 rights, the Court portrayed the four stages as a process in
which the degree of interference increases as the analysis progresses (paras
330-331). While bulk surveillance was not per se prohibited by the ECHR, the
entire process must be subject to “end-to-end safeguards”.
The Court considered whether
there was a need to develop the case law given the developments in
technology. In Weber and Saravia and Liberty & Ors the
Court had applied the principles developed in relation to targeted interception
– targeted interception, however, has a much narrower impact than bulk
surveillance. The Court identified a
number of differences between targeted and bulk interception:
- bulk interception was predominantly directed towards international communications (para 244);
- bulk interception was predominantly aimed at intelligence gathering (rather than investigating crime) (para 345);
- insofar as individuals were targeted, their devices were not monitored but rather ‘strong selectors’ were used to fish out their communications from the mass of communications intercepted (para 346).
This meant that the safeguards
already in place, although they provide a useful framework, should be adapted.
Specifically, rules that envisaged a particular person or group of persons
would not work here – eg the requirement to define clearly in domestic law the
categories of people liable to have their communications intercepted and the
nature of offences which might give rise to such an order, or the requirement
to have “reasonable suspicion” of the persons put under surveillance (para 348).
Nonetheless, domestic law should still set out with sufficient clarity and
detail the grounds upon which bulk interception might be authorised and any
circumstances in which an individual’s communications might be intercepted.
Supervision and review become more important (para 349). The domestic regime
should ensure that an assessment of necessity and proportionality is made at
each stage of the measures being taken; that bulk interception should be
subject to independent authorisation at the outset, when the object and scope
of the bulk operation are being defined; and that the operation at each stage
should be subject to supervision and independent ex post facto review (para
350). Affected individuals should have access to an effective remedy. When assessing
a regime, the Court would take into account its operation in practice including
instances of actual abuse (para 360).
Note that the Court was not
persuaded that the acquisition of related communications data through bulk
interception was necessarily less intrusive than the acquisition of content.
The same safeguards should therefore be used to assess bulk collection and
analysis of communications data as content.
The starting point for analysis
is the typical three stage test (lawful, legitimate aim and necessary in a
democratic society), but the Court blends the lawful and necessity questions
together, an approach which it claims is established (citing Roman
Zakharov – a Grand Chamber decision discussed here
– and Kennedy). The Court produced a
framework that was wider – in the assessment of the Court – than the six Weber criteria (para 361):
- the grounds on which bulk interception may be authorised;
- circumstances in which an individual’s communications may be intercepted;
- the procedure for granting authorisation;
- procedures for selecting, examining and using intercept material;
- precautions when communicating material to other parties;
- limits on duration of interception, storage of intercept material and circumstances in which that material must be erased/destroyed;
- supervision by an independent authority (with powers to address non-compliance);
- independent ex post review.
The Court also took the
opportunity to provide more detail on data sharing. Any data shared must have
been collected and stored in a Convention compliant manner. Additional
safeguards relating to the transfer must be in place: the circumstances in
which data are to be shared should be set out in domestic law; the receiving
state should have safeguards in place capable of preventing abuse, including
secure storage and restriction on onward disclosure. Heightened safeguards are
required as regards material requiring special confidentiality (eg journalistic
material). In principle the same tests apply to communications data, which the Court
viewed as no less intrusive than content, though the safeguards need not be
exactly the same given the different way content and communications data were
likely to be analysed.
The UK regime did not provide sufficient
“end to end” safeguards. In assessing the safeguards, the Court took into
account the breadth of the grounds on which surveillance could take place; the
UK’s rules ‘were formulated in relatively broad terms’ (para 371). The Court
specifically focussed on the absence of independent authorisation, the failure
to include the categories of selectors in the application for a warrant (which
had implications for the necessity assessment), and the failure to subject
selectors linked to an individual to prior internal authorisation both as
regards content but also related communications data. Although the Court
assessed the oversight provided by the Commissioner and the IPT as effective
and robust respectively, these did not compensate for the shortcomings.
Note that in the parallel Swedish
case, the Court applied a similar framework to find that the Swedish regime was
also deficient. So, it found ‘the absence of a clear rule on destroying
intercepted material which does not contain personal data, the absence of a
requirement in the Signals Intelligence Act or other relevant legislation that,
when making a decision to transmit intelligence material to foreign partners,
consideration is given to the privacy interests of individuals; and the absence
of an effective ex post facto review’ (Centrum
för Rättvisa, para 369).
The complaint under Article 10
was considered separately, with the Court’s starting point being the importance
of journalism. It emphasised the detrimental impact of compelled source
disclosure, as well as the more serious intrusion of searching of journalists’
homes and workplaces. The ‘right to protection
of journalistic sources must be attended with legal procedural safeguards
commensurate with the importance of the principle at stake’, the Court said, referring back to
its decision in Sanoma Uitgevers
(para 444). Crucially, independent review must take place prior to disclosure.
In the older case of Weber, the
interference with the journalist’s expression rights had not been seen as
particularly serious; the journalists had not been targeted by the
surveillance. The court determined that confidential journalistic material
could have been accessed by the intelligence services either intentionally, through
the deliberate use of selectors or search terms connected to a journalist or
news organisation, or unintentionally, as a “bycatch” of the bulk interception
operation. While the former category must be authorised in accordance with the
approach in Sanoma Uitgevers, for the
latter category, because interference with journalistic material was not
intended, it could not be predicted and therefore ex ante authorisation would
not be possible.
The Court noted the technological
developments since Weber, finding
that the intrusion now would be more significant than at the time of Weber. Robust safeguards are therefore
required so that when it becomes apparent that confidential journalistic
material is in issue, that material could only continue to be stored and
examined by an analyst if authorised by a judge or other independent and
impartial decision‑making body with the power to determine whether its
continued storage and examination was “justified by an overriding requirement
in the public interest” (para 450). In both aspects, despite specific
provisions in the relevant code of practice, the UK regime was deficient.
Data-sharing
The complaint was considered from
the perspective of solicited intercept material from the NSA. The applicants
did not challenge the Chamber’s decision as regards the effectiveness of the
IPT. Avoiding questions about Article 1 ECHR and the issue of a State’s
jurisdiction, the Court focused on the initial request and subsequent receipt
of intercept material, together with any subsequent use thereof. The Court
noted the risk of States seeking to circumvent controls; there must be a clear
basis in domestic law for such requests (found in the Code), and guarantees
against the risk of abuse specifically relating to examination, use and storage,
any onward transmission as well as erasure/destruction. The Grand Chamber found that, since the
treatment of foreign intelligence was essentially the same as the treatment
accorded to domestically generated material, the United Kingdom had in place adequate
safeguards for the examination, use and storage of the content and
communications data received from intelligence partners, as well as for the
onward transmission of this material and for its erasure and destruction. It
also noted the extra layer of protection provided by the Commissioner and the
IPT. It found no violation of Article 8. The claims under Article 10 were
likewise dismissed.
Communications Data
The Chamber had found that a
regime which suffers the same flaws as a regime accepted to be incompatible
with EU law (which then had priority over domestic law) must also fail the ‘in accordance
with the law’ test; this finding was not challenged as regards Article 8. The Grand Chamber
also agreed with this reasoning. An Article 10 challenge had also been brought
against the regime. This was also considered not to be in accordance with the
law; again the Grand Chamber followed this reasoning to find a violation of
Article 10.
Dissent
While the findings of violation
were unanimous, the Court was not unanimous as regards the finding of no
violation, being split by 12 votes to 5. Three judges shared a partly concurring
opinion; Judge Pinto De Albuquerque wrote a partly concurring but partly
dissenting opinion and Judges Lemmens,
Vehabovic, Ranzoni and Bosnjak produced a partly dissenting opinion.
Comment
Most of the commentary has
focussed understandably on the fact that the Court did not state that the bulk
interception of communications was in itself contrary to Article 8 and on the
safeguards. These are – obviously –
important points, but there is a prior issue regarding the lawfulness test,
which relates to the complexity and availability of domestic law. The Grand
Chamber followed the Chamber in accepting that the Codes of Practice satisfied
this requirement. While Codes are now public documents, this assessment does
not fully take into account that for a considerable period much of what is now in those
codes was “below the waterline” and information was only forthcoming as a
result of litigation.
Another question is the extent to
which the judgment takes into account the impact of digitalization. The Chamber
judgment had suggested that different rules applied in different contexts, and
that not all data would have the same impact. The Grand Chamber recognised that
some updating of the analytical framework from Weber would be required (which turns out to be both a good and bad
thing), and specifically notes the impact of meta data (probably a good
thing). It is at least arguable,
however, that the negative consequences of the revision of Weber outweighed the good.
Looking at the good, it is indubitably
true that some recognition of the change in techniques of state surveillance
facilitated by changes in technology and computing power is an important
prerequisite for ensuring effective protection of individuals’ rights. There is some way to go however before we can
state confidently that the Court has appreciated the ramifications of the
digitalisation of life and particularly data profiling. The key positive is that
the Court does not think that meta data is less sensitive than content (para
363). It emphasises that
any intrusion occasioned by the acquisition of related communications data will be magnified
when they are obtained in bulk, since they are now capable of being analysed
and interrogated so as to paint an intimate picture of a person through the
mapping of social networks, location tracking, Internet browsing tracking,
mapping of communications patterns, and insight into who a person interacted
with (para 342).
In this, the Court joins the
Court of Justice (see eg Tele2/Watson,
para 99). While the Court goes some way
to recognise the always-on aspect of digital surveillance (para 341), and
certainly does not go down the route of the Chamber in suggesting some data are
less impactful than others, it does not acknowledge the possibility of
combining communications data with data from other sources. The range of data
available is wide, especially given the range of smart devices. These include,
for example, biometric data from fitness trackers; biometric-based systems proposed
for cars note the driver’s blood pressure, heart rate and other vital signs to
detect whether the driver is impaired in any way. At home, detail from smart energy
meters could be shared. Nor does the Court question the basis on which those analyses
and interrogations take place. While in its safeguards it does suggest
oversight over the circumstances in which data are chosen, it seems to take the
tools as given. This is worrying given
the emphasis that has previously been placed on the need for special safeguards
in relation to automated tools and processing techniques, a point the Court of
Justice of the EU has also made (e.g. Digital
Rights Ireland, para 55).
While the emphasis on the
significance of meta data is good, it should not be forgotten that the first
part of the case concerned bulk interception – so interference with content.
Against this context, the Court’s assessment that the first stage of the
surveillance process – the data gathering stage – does not constitute a
particularly serious interference is worrying (and arguably not in line with
previous case law). It certainly underplays the threat to privacy that is
implicit in the acquiring and holding of data (and Judges Lemmens, Vehabovic
and Bosnjak discuss this in their concurring opinion, paras 3-8).
A further question arises in relation to other forms of surveillance:
what if smart city devices (eg lampposts) can record our conversations as we
pass by? (UK installations of microphones have apparently not been
for this purpose but to detect aggression.) How comfortable are we about data
acquisition then? This reasoning may be the top of the slippery slope.
Within the EU context it should
be remembered that the Court of Justice has repeatedly emphasised that “access
on a generalised basis to the content of electronic communications” undermined
the essence of the relevant EU Charter right (article 7) and could not
therefore be justified (see e.g. Schrems
I, para 94). This then suggests a difference in approach between the
two European courts. It would be unfortunate if the recognition of the impact
of meta data led to a lowering of standards as regards content.
The more problematic development
is the approach to reasonable suspicion. The Court acknowledges that these
surveillance practices do something different from other more traditional forms
of surveillance, which tend to be reactive (ie somebody has done something bad)
and more focussed (as opposed to diffuse), most likely based on existing
evidence which suggests suspicion of specific individuals. This mass
surveillance is about intelligence gathering, and about predicting – thus
severing the link between an individual’s choices and actions and the
likelihood of that person being the subject of surveillance. Rather than assess
the surveillance by reference to existing standards – for example, the
presumption of innocence and the impact of a State carrying out surveillance (which
is recognised through the case law on the mere storing of data), the Court
abandons these standards as part of its updating in order to fit round state
choices. In so doing, it gives some legitimacy to the idea that the State may
carry out surveillance on individuals without any grounds related to that
person (para 317, 348).
This is based on the Court’s
deference to the State’s assessment that these are necessary for national
security reasons – though this assessment is not really critically examined. Indeed,
when it re-emphasised that the choice of adopting certain surveillance
techniques fell to the States, it emphasised the valuable nature of the
technique (para 386, emphasis added). Judge Pinto De Albuquerque writes
critically of the Court’s “self-imposed evidential and adjudicatory limitation”
which “leads the Court to assume the inevitability of bulk interception and,
even more so, that of a blanket, non-targeted, suspicion-less interception
regime” (Opinion, para 5). He also points to the fact that previous cases –
including Zakharov – have involved
bulk intercept of communications and yet still sought to apply the first two Weber criteria that the Court here has
abandoned.
While of course a State may be
free to make these choices about approaches to surveillance, in principle they
should be assessed to ensure that they are lawful and necessary in a democratic
society. The test of lawfulness and the
proportionality test implied in the ‘necessary in a democratic society’
actually ask different questions – but blending them together, as the Court has
done here, dilutes the protective nature of the proportionality test. Rather
than ask whether this is disproportionate and should not be done, the question
becomes how to put oversight in place, which accepts the fact of the
interference with the right in the first place. This criticism has been
levelled at the Court’s approach before; the Court here (in referring to Zakharov and Kennedy to justify this approach) implies that this blurring of the
three part test is both well-established and non-problematic. The Court has in
some previous cases suggested that a test of “strict necessity” should be used
for mass surveillance (Szabo
and Vissy v. Hungary, para 73) – that sort of reasoning is not evident
here.
As regards the safeguards
themselves, it is unclear which grounds justify bulk surveillance (and contrast
the position here with the EU position). It should be noted that prior
judicial authorisation is not a prerequisite for such surveillance, even if it
might be best practice (para 320). The Court cites authorities to suggest that ex
post oversight compensates for lack of ex ante control; this is like saying it
is all right to drop an egg on the floor provided you have a bucket and mop to
clean up afterwards. The end result is not the same (and Judges Lemmens,
Vehabovic and Bosnjak remind the Court of the significant harms that may
eventuate from a lack of protection in their partly concurring opinion). Significantly,
it seems that despite calling these various safeguards fundamental, a global
assessment may be made, suggesting that some regimes may be weaker on some
issues (perhaps not dealing with them at all?) than others (para 370).
The approach to the sharing of
data is also worrying. On the one hand, the Court recognises the threat posed
by intelligence sharing, and the risk that safeguards may be circumvented. Yet,
it seems to imply that a lesser standard of safeguards is acceptable in this
context, and in so doing accepts the practice as well as the lower standards
applicable (contrast the viewpoint of Judge Koskelo
joined by Judge Turković in the chamber judgment). It should be noted that the Court only
considers one aspect of intelligence sharing – the receipt by the UK security
and intelligence services of information. The issue of proportionality is dealt
with relatively briefly. Notably, the Court states that the requirement for
safeguards:
“... does not
necessarily mean that the receiving State must have comparable protection to
that of the transferring State; nor does it necessarily require that an
assurance is given prior to every transfer” (para 362).
How oversight is supposed to
function against what seems to be a highly flexible framework is uncertain. It
is also questionable whether or to what extent this fits with the EU’s approach
– admittedly relating to the export rather than as here import of data – under
the GDPR and Articles 7 and 8 of the Charter.
Judges Lemmens, Vehabovic, Ranzoni and Bosnjak suggested that the same
“end-to-end” safeguards should apply here.
In sum, while the outcome of this case
certainly restrains some of the potential excesses of the RIPA regime
(and possibly therefore its younger sibling, IPA), it is by no means an
unqualified victory for privacy activists.