Data Retention is still here to stay, for now…

Matthew White, Ph.D candidate, Sheffield Hallam University.

Introduction

On 30 January 2018, human rights NGO Liberty tweeted that the:

Court of Appeal has ruled the Government IS breaking the law by collecting the nation's internet activity and phone records and letting public bodies grant themselves access with no suspicion of serious crime and no independent sign-off.

This was in reference to the Court of Appeal’s (CoA) judgment in Tom Watson and Others v Secretary of State for the Home Department [2018] EWCA Civ 70 with regards to access to communications data under the Data Retention and Investigatory Power Act 2014 (DRIPA 2014). Many regard this as a ruling the Snoopers Charter or mass surveillance as unlawful. This post critically analyses the CoA’s judgment with regards to general data retention, access to communications data on the basis of prior review by a court or an independent administrative body and notifications.

Background

The background to this case dates from 2014 in which the Court of Justice of the European Union (CJEU) in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland (analysis here) invalidated Directive 2006/24/EC (the Data Retention Directive (DRD)) for its incompatibility with Articles 7 (privacy) and 8 (data protection) of the Charter of Fundamental Rights (CFR). This led to the introduction of DRIPA 2014, and subsequent challenges in the High Court (HC) and CoA on its compatibility with Digital Rights Ireland, which ultimately led to a preliminary reference (joined by a reference in Tele2 from a Swedish Court) to the CJEU for clarification (analysis here). In Joined Cases C-203/15 and C-698/15, Tele2 and Watson the CJEU ruled that Articles 7, 8, 11 (freedom of expression) and 52(1) (limitations of rights) preclude Member States from adopting laws which permit the general and indiscriminate retention ‘of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’ [134(1)]. The CJEU also ruled that the access to retained communications data should be subject to prior review by a court or an independent administrative body and only on the basis of fighting serious crime [134(2)].

Court of Appeal’s judgment

In the leading judgment, Lord Lloyd-Jones summarises the background to this case [1-3] (also see above), and quickly distinguishes between the Swedish reference and its own in highlighting that the CJEU’s answers in paragraph 134(2) and (3) reflect their reference. His Lordship does so by highlighting the difference between UK and Swedish legislation [4]. His Lordship also highlighted several developments since Tele2 and Watson, namely that DRIPA 2014 had been repealed and replaced by the Investigatory Powers Act 2016 (IPA 2016), which is also subject to challenge, with Privacy International seeking to clarify the extent in which the CJEU’s ruling applies in the national security context (analysis here) and the UK Government seeking to amend the IPA 2016 to conform with the CJEU’s ruling with regards to serious crime and prior review for access by a court/independent administrative body [6].

The question before the CoA was again DRIPA 2014’s compatibility with the CJEU’s rulings on data retention [7]. Both parties and the CoA agreed that the CJEU’s jurisprudence establishes access to retained communications data is restricted to the objective of fighting serious crime and that access should be subject to prior review by a court/independent administrative body [9]. The CoA declined to grant any declaratory relief with regards the CJEU’s rulings in the national security context as this was already subject to a preliminary reference by the Investigatory Powers Tribunal (IPT) [10-12]. The CoA, did however, grant declaratory relief with regards to DRIPA 2014 for being inconsistent with European Union (EU) law with regards to serious crime and access to communications data [13].

With regards to data being retained within the EU, the CoA declined to make a definitive statement on the hope that the CJEU will clarify the matter with regards to the IPT’s reference [14-19]. Watson et al urged the CoA to declare that DRIPA 2014 had failed to make provisions for ex post facto notifications [20]. The CoA, however, declined for three reasons: a) it was not previously an issue in the national proceedings; b) it was not in the CJEU’s ratio in Tele2 and Watson; and c) the CJEU will in any event consider this based on the IPT’s reference.

On the issue of the relationship between data to be retained, and the threat to public security, Lord Lloyd-Jones initially intended to grant declaratory relief on the grounds that DRIPA 2014 did not contain any limitations to comply with the CJEU’s ruling, but declined to do so [22-24]. Lord Lloyd-Jones recalled three reasons as to why this was justified:

First, it was not argued that DRIPA 2014 was unlawful because it did not require there to be an identifiable public whose data was likely to reveal direct or indirect links to serious crimes. The CJEU’s ruling on general data retention was in response to the Swedish legislation. The High Court in Davis and Others v Secretary of State for the Home Department and Others [2015] EWHC 2092 felt that the CJEU (in Digital Rights Ireland) could not have meant general data retention was unlawful, only that adequate safeguards had to be in place for access.

Second, the CJEU’s reasoning on general data retention reflects Swedish law’s catch all (all services, data and users) data retention, and the analysis and conclusions cannot be automatically applied to DRIPA 2014. Third, this is a live issue which is pending for a February hearing.

Thus, the CoA unanimously held that DRIPA 2014 was inconsistent with EU law for not limiting data retention for the purposes of fighting serious crime and access to said data was not subject to prior review by an independent administrative body [27].  

Was the Swedish Court’s question on blanket indiscriminate data retention not applicable in the UK context?

This post has highlighted how throughout this judgment, the CoA consistently held that the prohibition of general data retention does not automatically apply to DRIPA 2014, because the answer from the CJEU was in response to a reference from a Swedish court asking about Swedish legislation. This premise acts on the assumption that DRIPA 2014 could not permit general data retention. This requires closer scrutiny. It must first be noted, that when the CJEU made its ruling, it highlighted its ruling applied to national legislation, thus, contrary to what the CoA seem to suggest, this does not directly apply only to Sweden, but to all EU Member States implementing data retention legislation.

When the CJEU ruled that blanket indiscriminate data retention of all services, all users and all data (catch all) was not permissible under EU law, I highlighted that this would have made a power found within cl.1 of the draft Communications Data Bill (dCDB) unlawful (Matthew White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of Information Rights, Policy, and Practice 2:1, 24). This was due to the fact that cl.1 contained the same power that the Swedish reference was seeking to clarify, a catch all power.

Section 1(2)(a) and (b) of DRIPA 2014 and s.87(a) and (b) of the IPA 2016 must be considered together. Both sets of powers allowed or allows retention notices to be issued on a (public) telecommunications operator or any description of operators to retain all data or any description of data. I had previously argued that Tele2 and Watson may prove unproblematic for such powers because there was discretion on which telecommunications operators could be obligated to retain and what data they could retain (26). I further pointed out, due to the CJEU’s insistence on geographical data retention in Tele2 and Watson [111] (which in and of itself is problematic for human rights protection (36, 37)) it could be argued, the ability to require retention would not be based on operator, but by location and therefore, could require a variety of operators to retain in a given area (26). These are the sorts of arguments I would assume could be invoked by the Home Secretary if need be.

However, I also noted that ‘it is still theoretically possible for all operators in the UK to be required to retain all data of users and subscribers’ (26) because retention notices apply to any description of operators to retain all or any description of data. This could be considered a general obligation because it could affect all telecommunications operators and then be classed as a general obligation. Lord Kerr in his dissenting opinion in Beghal v Director of Public Prosecutions [2015] UKSC 49 noted that it ‘is the potential reach of the power rather than its actual use by which its legality must be judged [102].’ Instead of a catch all power like cl.1 of the dCDB or Swedish law, the powers in DRIPA 2014 and the IPA 2016 would be a power that can catch all. When considering DRIPA 2014, the HC in Davis and Others came to the same conclusion where they noted that:

Mr Eadie accepted that the consequence of this policy stance is that we should test the validity of DRIPA on the assumption that the retention notices issued under it may be as broad in scope as the statute permits, namely a direction to each CSP to retain all communications data for a period of 12 months. The case was argued on both sides on that basis. We shall refer in this judgment to a system under which the State may require CSPs to retain all communications data for a period as a "general retention regime" [65].

One could challenge this reasoning on account of it matters not whether the contents of a retention notice are known because it’s the power in question that is tested. This is precisely the position of the European Court of Human Rights (ECtHR) with regards to secret surveillance. In Roman Zakharov v Russia (ECHR, 4 December 2015) the ECtHR’s Grand Chamber (GC) clarified its position on when an individual can claim to be a victim of a violation under Article 8 (private and family life, home and correspondence) of the European Convention of Human Rights (ECHR). The GC maintained that an applicant can claim to be a victim by the mere existence of secret surveillance measures for example, where ‘legislation directly affects all users of communication services by instituting a system where any person can have his or her communications intercepted’ [171]. The GC continued that, when such surveillance cannot be verified, the menace of surveillance itself can interfere with the Article 8 rights of all users and potential users [ibid]. In summary, the GC clarified its jurisprudence where it has been consistently ruled that it is what the law permits that can be subject to challenge, not the actual use of the law (unless argued by the applicants).

For the reasons highlighted above, it is argued that the CoA are playing semantics with the powers found within Swedish legislation, and the powers found within DRIPA 2014, as they permit the same thing, namely all operators, data and users can be affected by data retention. Therefore, the CoA’s reliance on the CJEU’s position on general data retention only applied to and reflected Swedish law is untenable.

The CoA also relied upon the HC’s interpretation of Digital Rights Ireland in Davis and Others that the CJEU ruled that general data retention would only be lawful if appropriate safeguards were in place. This is ironic considering the CoA disagreed with this position in Secretary of State for the Home Department v Davis MP and Others [2015] EWCA Civ 1185 [90]. What is also striking, is that, unless the CoA have invented a TARDIS to prevent the CJEU’s judgment in Tele2 and Watson from occurring, they seem to rely on the HC’s position prior to Tele2 and Watson. Simply put, in 2015, the HC did not believe the CJEU meant general data retention was unlawful in and of itself, in 2016, the CJEU said, ‘Yes, we did, so we shall say it again.’ Thus, for the CoA to rely on what is best described as an outdated HC position is at best, ignorant and at worst, disingenuous.

The final reason on part of the CoA is also unconvincing. They declined on the basis that Part 4 of the IPA 2016 is under challenge and thus would not be privy to evidence of both sides. This is despite the operational case for data retention being in the public domain, and the counter arguments relatively easy to find. The position the CoA took allowed it to sidestep the real issue, whether general data retention is compatible with human rights. General data retention has never been compatible with human rights since at least 2008 when the ECtHR GC in S and Marper App nos. 30562/04 and 30566/04 (ECHR, 4 December 2008) ruled that general data retention, even on a specific group of individuals (suspects and convicts) violated Article 8. Tele2 and Watson (despite its many flaws 24, 34-41) is just the next logical step with regards to communications data.

Prior Review by a Court or Independent Administrative Body

The finding that DRIPA 2014 was inconsistent with EU law for not prescribing prior review by a court or an independent administrative body for access to communications data is to be welcomed. This is not a criticism of the CoA’s finding per se, but a criticism of the idea that this safeguard remedies the problems caused by data retention. Part 4 of the IPA 2016 allows retention notices to be approved by Judicial Commissioners (JC) under s.89. This mechanism has already been criticised because JC will only act based on the Secretary of State’s conclusions, there is no obligation for the Secretary of State to make a full and frank disclosure of their evidence for retention (thus can be misled), they can only make an assessment on judicial review principles (thus not a merit based or human rights review), nor are they institutionally independent from the Investigatory Powers Commission (IPC) (28-32).

Another problem is that the JC can authorise data retention that can catch all. As the GC in Roman Zakharov noted:

[T]he implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the legal discretion granted to the executive or to a judge to be expressed in terms of an unfettered power [230].  

The power to retain in DRIPA 2014 and IPA 2016 are virtually unfettered, even if it applies to a single telecommunications operator, and even if this power was authorised by a judge (37-39). Essentially, giving a judge the power to authorise retention or access would only be sufficient based on what they can authorise to be retained or accessed. If this power is unfettered, it matters not if the judge increases the independence of the authorisation process. Thus, despite the CoA’s finding, DRIPA 2014 would still be in violation of fundamental rights.

Lack of notification was already incompatible with the European Convention on Human Rights

In declining to grant declaratory relief with regards to notification, it can be argued that the CoA have failed under their obligations under s.6 of the Human Rights Act 1998 (HRA 1998) to act in a way that is compatible with the ECHR. With regards to notifications, the ECtHR in Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria App no. 62540/00 (ECHR, 28 June 2007) found that Bulgarian law violated Article 8 and 13 (effective remedy) for not having a notification system. The ECtHR noted that ‘as soon as notification can be made without jeopardising the purpose of the surveillance after its termination, information should be provided to the persons concerned’ [90]. Boeham and de Hert note that the ‘clear recognition of an (active) notification duty after surveillance measures have ended in the Ekimdzhiev v. Bulgaria case constitutes a remarkable development in the framework of the safeguards against abuse which are necessary in surveillance cases’ (Franziska Boehm and Paul de Hert, ‘Notification, an important safeguard against the improper use of surveillance - finally recognized in case law and EU law’ (2012) 3:3 European Journal of Law and Technology).

The position of the ECtHR was reaffirmed in Roman Zakharov [287], but reference was made to UK law in that there is an alternative to notification i.e. IPT jurisdiction [234, 288], however, I have previously referred to doubts raised by Boehm and de Hert which is worth quoting in full. Boehm and de Hert questioned whether UK law was ‘capable of responding to the challenges arising out of the use of new surveillance techniques’ (Franziska Boehm and Paul de Hert, The rights of notification after surveillance is over: ready for recognition? (Yearbook of the Digital Enlightenment Forum, IOS Press 2012), pp. 19-39, 37).

Boehm and de Hert continue that in light of powers such as data retention and ‘fishing expeditions’ that target a greater number of people without suspicion, a notification duty appears to be an effective tool to prevent abuse (ibid, 37-8). Finally, Boehm and de Hert note that the Belgian Constitutional Court has now adopted the notification principle as a requirement to comply with Article 8 (ibid, 38).

Thus, whether or not CJEU requires notification, this justification can be found within the jurisprudence of the ECHR. Boehm and de Hert’s approach would be consistent with this jurisprudence of the ECHR in terms of it being a living instrument ‘which must be interpreted in the light of present-day conditions and of the ideas prevailing in democratic [73]’ in that mass surveillance would deprive the:

[S]ubject of an opportunity to seek redress for unlawful interferences with his or her Article 8 rights and rendered the remedies available under the national law theoretical and illusory rather than practical and effective [288].

The IPA 2016 does contain a notification process under s.231, but this is wholly inadequate as it quite plainly admits, that a violation of the ECHR is not sufficient in and of itself to justify a notification. This could be any ECHR right, not just a breach of privacy, data protection or freedom of expression, but the right to life (Article 2), freedom from torture (Article 3) etc. This would render s.231 at the very least, in violation of Article 8 and 13 (39-40). Granted, this was not argued before the CoA, it remains that this was an opportunity where the CoA could have used existing case law to find that DRIPA 2014 had in fact breached human rights, with or without any consideration for EU law and the principles set out in Tele2 and Watson.

Conclusions

In an amazing display of legal gymnastics, the CoA avoided the most central issue in the data retention debate, the compatibility of general data retention with fundamental rights. The CoA did so by not acknowledging that DRIPA 2014 did and the IPA 2016 now allows general data retention. Instead, the CoA relied upon the semantics of distinguishing a catch all power, and a power that can catch all, which of course, in any event, amount to the same thing. In finding that DRIPA 2014 was only unlawful insofar as it lacked prior review by a court/independent administrative body to access communications data and that this was not restricted to serious crime overlooks the central issue of this data being retained the first place. It is one thing the ensure greater independence with regards to the authorisation of surveillance measures, but is another thing to overlook what those authorisations allow, whether it be the retention or access of communications data. To do so would simply polish a turd, rather than flush it, as general data retention has always been a turd that has needed flushing since at least 2008. Although the question of data retention within the IPA 2016 is subject to judicial review before the HC, the CoA had the opportunity to faithfully apply Tele2 and Watson to DRIPA 2014, but instead of addressing the issue, it acted as though the issue did not exist.

Barnard & Peers: chapter II:7

Art credit: Lightning Broadband 

The Privacy International case in the IPT: respecting the right to privacy?

Matthew White, PhD candidate at Sheffield Hallam University.

Introduction

On 21 December 2016, the Grand Chamber (GC) of the Court of Justice of the European Union (CJEU) in Cases C-203/15 and C-698/15 Tele2 and Watson ruled that blanket indiscriminate data retention was incompatible with European Union (EU) law. With that judgment, Professor Lorna Woods highlighted that this did not mean that the CJEU’s interpretation of the requirements of the Charter of Fundamental Rights (CFR) was ‘limited only to this set of surveillance measures.’ Hence, on 9 September 2017, the Investigatory Powers Tribunal (IPT) in Privacy International v the Secretary of State for Foreign and Commonwealth Affairs and Others handed down a judgment regarding the lawfulness under EU law of the acquisition and use of Bulk Communications Data (BCD) under s.94 of the Telecommunications Act 1984 (TA 1984) [4], including a request to the CJEU to answer further questions on EU law. This blog post concerns itself not with the preliminary reference itself, but the underlying flawed logic of the IPT’s reasoning with regards to fundamental rights protection.

The IPT’s faulty premise plagues its judgement from the beginning

The IPT highlighted that the issue before them was the balance between steps taken by the State, through Security & Intelligence Agencies (SIAs) and to ‘protect its population against terror and threat to life against the protection of privacy of the individual’ [6]. The premise of the IPT is deeply flawed from the outset thus impacting upon its reasoning. Daniel Solove has highlighted that ‘protecting the privacy of the individual seems extravagant when weighed against the interests of society as a whole’ (Daniel Solove, (2009) Understanding Privacy, Harvard University Press, p89). When privacy is confined to individualistic notions (particularly of ‘bad guys’), the argument for the departure of its protection becomes easier to justify, no less when that justification is protecting an entire nation.

Privacy is not just an Individual Right

Many (including Solove) have argued that privacy has a common, public and/or social value (Priscilla M. Regan, Legislating Privacy, Technology, Social Values and Public Policy, The University of North Carolina Press, 1995; Kirsty Hughes, ‘The social value of privacy, the value of privacy to society and human rights discourse’ in Beate Roessler and Dorota Mokrosinska (eds), Social Dimensions of Privacy Interdisciplinary Perspectives (Cambridge University Press). Privacy is a prerequisite for liberal democracies because it sets limits on surveillance by acting as a shield for groups and individuals (Alan F. Westin, Privacy and Freedom, New York: Atheneum (1967), p24). It is also important in that, in terms of voter autonomy and its attraction of talented people to public office (Hughes, p228-229). Privacy is also important for social relations (ibid, p229), even more so in that privacy invasive technologies can affect social life more generally (Beate Roessler and Dorota Mokrosinska, p2). A failure to protect social relations, is a failure to protect the democratic state (Francesca Malloggi. “The Value of Privacy for Social Relationships.” Social Epistemology Review and Reply Collective 6, no. 2 (2017): 68-77, p70).

These Powers do NOT just affect Individuals

Another problem with the IPT’s premise is that to argue that such measures as BCD acquisition/use only affect an individual’s privacy is simply not true. It should be obvious by the very name and nature of the powers that they are not targeted on individuals (para 2.1), something which the Respondents in Privacy International even attested to [9(ii)]. The draft BCD Code of Practice under the Investigatory Powers Act 2016 (IPA 2016) notes that ‘if the requirements of this chapter are met then the acquisition of all communications data generated by a particular CSP (Communications Service Provider e.g. BT, Google, iCloud) could, in principle, be lawfully authorised’ (para 3.5). Thus, any suggestion that the issue at hand only concerns an individual is palpably false. As the Grand Chamber (GC) of the European Court of Human Rights (ECtHR) in S and Marper v United Kingdom noted that the:

[M]ere storing of data relating to the private life of an individual amounts to an interference within the meaning [of Article 8]…subsequent use of the stored information has no bearing on that finding [67]. 

Due to the nature of the BCD powers, to say they only affect the individual is to ignore the reality of such sweeping powers which constitute mass interference of a ‘substantial portion, or even all of the relevant population’ [256] and do have chilling effects on totally innocent people (Rozemarijn van der Hilst, (2009), ‘Human Rights Risks of Selected Detection Technologies Sample Uses by Governments of Selected Detection Technologies’ p20; German Forsa Institute, Meinungen der Bunderburger zur Vorratsdatanspeicherung, 28 May 2008). Just like blanket data retention, BCD acquisition/use would ‘relate to all communications effected by all users, without requiring any connection whatsoever with’ [180] national security. 

Article 8 is not limited to Privacy

As ‘private life’ in Article 8 of the European Convention on Human Rights (ECHR) is not susceptible to exhaustive definition [66], this means that the notion is much wider than that of privacy (p12). This encompasses a sphere within which every individual can freely develop and fulfil his personality, both in relation to others and with the outside world (ibid). Private life also includes one’s physical and psychological integrity [58], autonomy [ibid] as well as a right to a form of informational self-determination [137], physical, social [159] and ethnic identity [58], professional activities [29], a certain degree of anonymity [42] and the protection of personal data (S and Marper, [103]).

This does not even begin to consider how such concepts overlap (p10-11). Nor is Article 8 limited to private life, as ‘correspondence’ [44] and the potential for ‘home’ [41] and family life (p21) (even more so now under the new regime of the IPA 2016 in light of the Internet of Things etc) are equally important in the surveillance context. The measure ‘strikes at freedom of communication between users of the postal and telecommunication services’ [41] because we increasingly use the internet to ‘establish and support personal relationships, bank, shop, to gather the news, to decide where to go on holiday, to concerts, museums or football matches. Some use it for education and for religious observance – checking the times and dates of festivals or details of dietary rules.’ Very few aspects of our lives are untouched by the internet (Paul Bernal, ‘Data gathering, surveillance and human rights: recasting the debate’ (2016) Journal of Cyber Policy, 1:2 243, p247).

Correspondence becomes particularly important when it affects legal professional privilege (LPP) and journalistic sources. This was a criticism of data retention laws in that it did not provide any exceptions for professional secrecy (Tele2 and Watson, [105]). The ECtHR in Kopp v Switzerland noted that Swiss law violated Article 8 because it provided ‘no guidance on how authorities should distinguish between protected and unprotected attorney-client communications’ [73-75]. BCD acquisition/use suffers from the same drawbacks.  

Thus, when the IPT refers merely to individual privacy, it does so without acknowledging the breadth and multifaceted nature of Article 8, or how surveillance measures impact on them in various ways, which limits their ability to give a thorough assessment resulting in a possible divergence from the ECtHR.

Confining the discussion to Privacy foregoes the broader context of Fundamental Rights Protection

[i]t is hard to imagine, for example, being able to enjoy freedom of expression, freedom of association, or freedom of religion without an accompanying right to privacy (Benjamin J. Goold, ‘Surveillance and the Political Value of Privacy’ (2009) 1:4 Amsterdam Law Forum 3, p4).

When Article 8 is confined to the narrow aspect of the privacy of a suspected terrorist, not only does it overlook the breadth of Article 8 (mentioned above) but it does not even entertain other fundamental rights that might be at stake. This is also a view the then Independent Reviewer of terrorism legislation, David Anderson acknowledged (para 2.12) and Paul Bernal (Paul Bernal). The CJEU were also aware of this to some degree in Tele2 and Watson where they noted that the data retention could have an effect on the use of means of electronic communication and, consequently, on the exercise by the users thereof of their freedom of expression, guaranteed in Article 11 of the CFR [101], which is essentially equivalent to Article 10 ECHR.

Article 10 ECHR: Freedom of Expression

Article 10 applies to communications via the internet [34] (in French), regardless of the message conveyed [55] and irrespective of its nature [47]. The ECtHR regards freedom of expression as constituting ‘one of the essential foundations of a democratic society and one of the basic conditions for its progress and for each individual’s self-fulfilment’ [100]. Not only does this highlight freedom of expressions value to democracy, it highlights one of the various ways in which Article 10 interplays with Article 8 i.e. self-development [117].

Another way in which Articles 10 and 8 interlink is that of anonymity, where Lord Neuberger noted that in the context of anonymous speech, Article 8 reinforces Article 10 (para 25). Within that context, Neuberger continued that Article 8 rights are of fundamental importance (ibid, para 42). Political reporting and investigative journalism attract a high level of protection under Article 10 [129]. The then Special Rapporteur for the United Nations of freedom of expression, Frank La Rue highlighted that that restrictions on anonymity can have a chilling effect, which dissuades the free expression of information and ideas (para 49).

Article 9 ECHR: Freedom of Religion, Thought and Conscience

Like Article 10, Article 9 is regarded as one of the foundations of a democracy [34]. Article 9 entails the freedom to manifest one’s religion can be done in public or in private [78]. It also includes the absolute and unconditional right to hold a belief [ibid, 79]. The right to manifest one’s belief has a negative aspect, in that an individual has a ‘right not to be obliged to disclose his or her religion or beliefs and not to be obliged to act in such a way that it is possible to conclude that he or she holds’ [41]. BCD acquisition/use makes this entirely possible (para 1.1), causing a notable chilling effect.

Article 11 ECHR: Freedom of Association/Assembly

The GC of the ECtHR has referred to freedom of assembly, like Article 9 and 10 as one of the foundations of a democratic society [91]. Similarly, freedom of association is of utmost importance because it ‘enables individuals to protect their rights and interests in alliance with others’ (p4). The Steering Committee on Media and Information Society (Sterling Committee) in their to human rights for Internet users when referring to Article 11 noted that users have ‘the right to peacefully assemble and associate with others using the Internet’ (para 61). Just as noted above with other Convention Rights, surveillance has harmful effects on freedom of association (see also Valerie Aston, ‘State surveillance of protest and the rights to privacy and freedom of assembly: a comparison of judicial and protester perspectives’ (2017) EJLT 8:1).

The enjoyments of the rights contained in Articles 9-11, which are foundations for democracy (especially online) are underpinned by Article 8.

How the premise impacts upon the IPT’s reasoning

Given the above mentioned, it is important to discuss how the lack of consideration for the potential effects on other fundamental rights affects the IPT’s reasoning.

It’s not all about Utility

The IPT discussed the evidence for supporting BCD acquisition/use, ranging from Anderson’s report, the case studies within them, Mi5 witness statements (Privacy International, [11-17]). The IPT makes reference to the critical value of BCD acquisition/use and the need for the haystack, in order to find the needle. A quick counter to the second point is ‘[i]f you’re looking for a needle in a haystack, how does it help to add hay?’ The problem with the needle in the haystack argument is that it could be used to justify any amounts of data to be stored/used, even all that is available.

Furthermore, this part of the judgement concerns what the IPT considers to be ‘The Facts’ yet on closer examination, not everything highlighted by the IPT are facts. For example, the IPT refers to the Respondents’ witnesses speaking persuasively and refers to an Mi5 witness. If the IPT were to regard witness statements as facts, then for example, Bruce Schneier’s, or former National Security Agency (NSA) official William Binney’s denunciation of mass surveillance should be given equal weight. There is no suggestion that this is what was (or should have been) presented before the IPT, but it highlights the weight given to opinions by the IPT. Discussing only the evidence of the Respondent also demonstrates the problematic information asymmetry in the surveillance context where:

[I]nformation asymmetrification provides a foundation on which the existence of elites is built and possibilities of strengthening that asymmetry will be enthusiastically sought (Geoffrey Lightfoot and Tomasz Piotr Wisniewski, ‘Information asymmetry and power in a surveillance society’ (2014) Information and Organization 24 214–235, p230).

Regarding the first point, the value of a measure does not necessarily make it necessary [48]. The IPT considers that although BCD acquisition/use is essential, this does not completely resolve the question of proportionality (Privacy International, [16]). Lord Kerr in his dissenting opinion in Beghal v DPP quite rightly noted that ‘powers which can be used in an arbitrary or discriminatory way are not transformed to a condition of legality simply because they are of proven utility’ [93]. Although the IPT did find s.94 not to be compliant with Article 8 prior to its avowal, this follows a trend of watering down the prescribed by/in accordance with law requirements noted in Kennedy v United Kingdom in where for the IPT, honesty appears to be synonymous with legality.

Moreover, the supporting evidence for BCD acquisition/use does not refer to what type of communications data was used, how it was used, or why it was key. The IPT noted that nothing in the evidence they examined contradicts what was set out in paragraphs 11-16. This is problematic for two reasons, if the IPT only considered evidence from the Respondent, then it would make sense that there is less likelihood that evidence presented would contradict arguments put forward, and thus becomes a one-sided argument. Secondly, as Bruce Schneier noted ‘no method of surveillance or inquiry will ever stop a lone gunman.’ Although, the murder of Fusilier Lee Rigby involved two assailants, the Intelligence and Security Committee (ISC) noted that Mi5 ‘put significant effort into investigating [Michael Adebolajo] and employed a broad range of intrusive techniques. None of these revealed any evidence of attack planning.’ What this demonstrates is the contrary view that all the surveillance in the world did not prevent individuals ‘such as the Fort Hood shooter, or Anders Behring Breivik, or the Charlie Hebdo attackers.’ Therefore, the IPT draws attention to its obscured view given that it has inquisitorial powers (s.68(2)(b) of the Regulation of Investigatory Powers Act 2000 (RIPA 2000)) and could have sought information regarding counter arguments.

No Genuine Intrusion?

When the IPT discussed the operation of s.94 TA 1984, they noted that access to BCD is either targeted or more likely to involve electronic trawling of masses of data which are not ‘read’ to find the needle in the haystack (Privacy International, [19]). The IPT continues that a ‘miniscule quantity of the data trawled is ever examined. There is thus no genuine intrusion to any save that miniscule proportion’ (ibid). This reasoning of the IPT is almost as if the UK exists in a vacuum when it comes to the findings of the GC in S and Marper. The IPT’s reasoning is that only when communications data is accessed/examined, then follows genuine intrusion. This is why confining the issue to privacy proves problematic because the GC in S and Marper noted that the protection of personal data is of fundamental importance to the enjoyment of private and family life. This protection begins as soon as the data is processed and retained, thus marks the genesis of genuine intrusion, any subsequent use has no bearing on this. The IPT’s reasoning follows the sentient being argument which suggests that privacy is only interfered with when private data is read by an intelligence officer. Following this argument would lead to the logical conclusion of sowing the seeds of the total destruction of private life and data protection as surveillance becomes increasingly automated e.g. by analogy automatic number plate recognition (ANPR) [169-170], see also CJEU Opinion on PNR [121-132]. Using last century’s arguments (if one could even call it that) are not suitable today.

The IPT maintains the approach of significantly downplaying the severity of interference caused by storing and using communications data. The IPT had previously accepted a false analogy from the Respondent of equating GPS data (a particular type of communications data) with communications data in general to argue that it is not as serious as interception (Matthew White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of Information Rights, Policy and Practice 2:1, p9). This was argued that when giving weight to this position:

[I]t did so by considering a case of an isolated specific type of data, which cannot be used to justify an argument that interference is less severe whilst ignoring the cumulative total of the different types of communications data (ibid).

Malte Spitz of the German Green party published data that was retained under Germany’s data retention laws in which Zeit Online created an interactive map detailing Spitz’s movements. Biermann continued that this data revealed:

[W]hen Spitz walked down the street, when he took a train, when he was in an airplane. It shows where he was in the cities he visited. It shows when he worked and when he slept, when he could be reached by phone and when was unavailable. It shows when he preferred to talk on his phone and when he preferred to send a text message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.

Advocate General (AG) Saugmandsgaard Øe in Tele2 and Watson noted that that in the individual context a general data retention obligation would facilitate equally serious interference as targeted surveillance measures, including those which intercept the content of communications [254]. AG Saugmandsgaard Øe continued that the risks associated with access to communications data ‘may be as great or even greater than those arising from access to the content of communications’ [259]. For example, replying to an email saying ‘lmao’ my not reveal much to an observer, but the observer could learn what email address the message was sent from and to, the time and date that message was sent, the location of when it was sent, what browser was being used and what device was being used etc. This simple analogy demonstrates why yet again the IPT are incorrect to downplay the revealing nature of communications data given that people get killed based on it. This seriousness only intensifies when the acquisition/use is in bulk.

Powerful Submissions?

The IPT highlighted the powerful submissions (hence very persuasive (Privacy International, [51])) made by the Respondent:

The use of bulk acquisition and automated processing produces less intrusion than other means of obtaining information.

The balance between privacy and the protection of public safety is not and should not be equal. Privacy is important and abuse must be avoided by proper safeguards, but protection of the public is preeminent.

The existence of intrusion as a result of electronic searching must not be overstated, and indeed must be understood to be minimal.

There is no evidence of inhibition upon, or discouragement of, the lawful use of telephonic communication. Indeed the reverse is the case.

Requirements or safeguards are necessary but must not, as the Respondents put it, eviscerate or cripple public protection, particularly at a time of high threat [50].

It is important to deal with these points individually (some of which are already dealt with above).

The Respondents maintain that BCD acquisition/use is less intrusive than other methods of gathering information without explaining what other methods are more intrusive or why and why this is the least restrictive measure to obtain the objective [260].

As noted above, this is not just an issue of narrow privacy, but an issue of other applicable fundamental rights protected by the ECHR. The premise of the balance between privacy and public safety i.e. security is a miscast (Paul Bernal, p244), misleading (ibid) and false (see here, here and here) one to begin with. It ignores factors that demands for security can actually reduce security therefore, safety (Paul Bernal, p224; Harold Abelson et al, Keys under doormats: mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 2015, 1–11, p5) and otherwise prove ineffectual (see here and here). It also suggests that privacy should always be on the back foot when the issue concerns the protection of the public, when the irony is that it’s the publics’ data that is being acquired and used (see social dimension of privacy above which protects against utilitarian calculation of majoritarian societal interests and/or political whims (Kirsty Hughes, p 227)). It also assumes that when Convention Rights are a stake, the only question that needs to be answered is whether the appropriate balance has been struck, forgoing legality and necessity.

These types of arguments would seemingly fall into the narrow nothing-to-hide-like argument that looks for singular type of injury, be it some grave physical violence, a loss of substantial money or something severely embarrassing (Daniel Solove. Nothing to Hide: The False Tradeoff between Privacy and Security (2011). Yale University Press, p29). This of course also ignores both European Courts on the severity of the mere storage of data interfering with private/family life/freedom of expression/association [107] and data protection.

Contrary to what the Respondents assert, there is evidence for chilling effects due to surveillance measures, some highlighted above. Moreover, assessing chilling effects should not just be measured by inhibitions, but actual methods of protecting online activity. There was An increase in Virtual Private Network (VPN) (this essentially aims hide online activity) subscriptions in Australia when their national data retention laws came into force and in the UK when the IPA 2016 and Digital Economy Act 2017 (DEA 2017) were in passing. Or by the increasing the use of ad blockers, which 11 million devices in the UK now have. As Edward Snowden revealed ‘government surveillance efforts are sometimes bolstered by online advertising practices.’ Moreover, Solove contends that the value of protecting against chilling effects is not measured simply by its effects on individuals exercising their rights, but its harms to society because among other things ‘they reduce the range of viewpoints expressed and the degree of freedom with which to engage in political activity’ (Daniel J. Solove, ‘’I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy’ (2007) San Diego Law Review 44 745, p746). It is true that the uptake in technology has increased e.g. smartphones but this does not necessarily disprove the idea of chilling effects etc. This is due to ignoring the fact that many may not be fully aware of what information is being collected (Sandra Braman, 2006, Tactical memory: The politics of openness in the construction of memory Sandra Braman. First Monday, 11(7); Connor Sheridan, (2016) "Foucault, Power and the Modern Panopticon". Senior Theses, Trinity College, Hartford, CT 2016. Trinity College Digital Repository, p48; Majority of Brits Unaware of Online Surveillance) where awareness leaves open the possibility of resistance (Andrew Roberts, Privacy, Data Retention and Domination: Digital Rights Ireland Ltd v Minister for Communications, (2015) 78(3) MLR 522–548, p545). This resistance could be not using the technology, to finding ways to circumvent surveillance law (self-regulatory), protests (Hintz, A. & Dencik, L. (2016). The politics of surveillance policy: UK regulatory dynamics after Snowden. Internet Policy Review, 5(3), p8) (political), or legal action all designed to protect fundamental rights.

This is the ‘the ends justify the means’ justification. Not every interference or derogation from the principle of protection of fundamental rights are necessary in a democratic society.

Prior Authorisation

The IPT noted that Secretary of State authorisations complied with the ECHR for reasons set out in a prior judgment. The IPT were of the opinion that the ECtHR in Szabo & Vissy v Hungary were not recommending any new safeguards because Hungarian law fell below even existing principles [60]. This of course does not consider cases such as Dumitru Popescu v Romania [71-73], Iordachi and Others v Moldova [40], and Uzun v Germany [72] all endorsing the view that the body issuing authorisations for interception should be independent and that there must be either judicial control or control by an independent body over the issuing body's activity.

So, when the ECtHR in Szabo endorses the view in Iordachi that ‘control by an independent body, normally a judge with special expertise, should be the rule and substitute solutions the exception, warranting close scrutiny’ [77] it is difficult to suggest the ECtHR in Szabo were not strongly advocating for prior judicial control (Matthew White, p15). The ECtHR did acknowledge that post factum oversight may counterbalance the short comings of initial oversight (referring to the IPT in Kennedy) (Szabo, [77]). However, it has already been argued that this counterbalance is not adequate (Matthew White, p14-16).

Notification

According to the IPT, a requirement of notification is inadequate in the circumstances of national security because (a) national security is ongoing and (b) it relates to further operations and methodologies (Privacy International, [62]). The IPT also noted that this is not required for compliance with the ECHR [63]. This, however, overlooks Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria where the ECtHR found violations of Article 8 and 13 (effective remedy) for among other things, a lack of a notification procedure [94] and [103]. Yet Ekimdzhiev concerned national security and the ECtHR even referred to the notification in the national security context in Germany for both individual (Klass v Germany, [11] and general surveillance measures (Weber and Saravia v Germany, [51-54] and in Leander v Sweden [31]). This is permissible due to the ECtHR establishing the principle that:

[A]s soon as notification can be made without jeopardising the purpose of the surveillance after its termination, information should be provided to the persons concerned (Ekimdzhiev, [90]).

This establishes that to the ECtHR’s mind, notification in the national security context is not inappropriate or inadequate considering this has been the practice of Germany for decades. Furthermore, the ECtHR acknowledge that it would not be desirable in all circumstances to notify, therefore leaving that possibility open whereas the IPT would prefer it kept shut. Also, in the national security context, the GC of the ECtHR in Roman Zakharov v Russia noted that notification was inextricably linked ‘to the effectiveness of remedies before the courts and hence to the existence of effective safeguards against the abuse of monitoring powers’ [234]. A point in which Paul de Hert and Franziska Boehm share.

Although the GC referred to the alternative to notification of the UK system i.e. the IPT jurisdiction (Roman Zakharov, [234]), de Hert and Boehm have questioned whether Kennedy ‘is capable of responding to the challenges arising out of the use of new surveillance techniques’ (Franziska Boehm and Paul de Hert, The rights of notification after surveillance is over: ready for recognition? (Yearbook of the Digital Enlightenment Forum, IOS Press 2012), pp. 19-39, p37). Boehm and de Hert continue that in light of powers such as data retention and ‘fishing expeditions’ that target a greater number of people without suspicion, a notification duty appears to be an effective tool to prevent abuse (ibid, p37-8). Finally, Boehm and de Hert note that the Belgian Constitutional Court has now adopted the notification principle as a requirement to comply with Article 8 (ibid, p38). The IPT highlights difficulties with the notification of BCD acquisition/use as to whether notification should be to everyone whose data is in the database, those subject to an electronic search or all those who feature in data in targeted access (Privacy International, [64])? Accepting this premise would accept the powers that are exercised to begin with, which is at the heart of this issue.

Conclusions: Be careful what you wish for

Ultimately, the IPT referred the question as to whether the Tele2 and Watson requirements apply in the national security context to the CJEU (ibid, [72]). This blog post has argued that much of the IPT’s reasoning with regards to fundamental rights protection is lacking. By confining itself to a restrictive notion of individual privacy of a person of interest, the IPT blinds itself to the broader notions of Article 8 and the other fundamental rights it underpins. Some aspects of the IPT’s reasoning (and Respondent’s arguments) is not even consistent with the very human rights system (ECHR) the Respondents are seeking to rely upon. The ECtHR have firmly noted that:

Given the technological advances since the Klass and Others case, the potential interferences with email, mobile phone and Internet services as well as those of mass surveillance attract the Convention protection of private life even more acutely (Szabo, [53]).

The GC in Roman Zakharov found that Russian law to be in violation of Article 8 because interferences with privacy rights were ordered ‘haphazardly, irregularly or without due and proper consideration’ (Roman Zakharov, [267]) in the national security context. Judge Pinto de Albuquerque noted that Roman Zakharov was a rebuke of ‘strategic surveillance’ (Szabo, Concurring Opinion of Judge Pinto de Albuquerque, [35]) which would accord a previous concurring opinion of judge Pettiti in which surveillance should not be used for ‘fishing’ exercises to bring in information (Kopp). If as the IPT say that a ‘miniscule quantity of the data trawled is ever examined’ how would this square with the position of ‘[t]he automatic storage for six months of clearly irrelevant data cannot be considered justified under Article 8’ (Roman Zakharov, [255])? Time will tell if the ECtHR follows this trend in Big Brother Watch and Others v UK, Bureau of Investigative Journalism and Alice Ross v UK and 10 Human Rights Organisations v UK. Therefore, the IPT should not convince itself of the ‘illusory conviction that global surveillance is the deus ex machina capable of combating the scourge of global terrorism’ (Szabo, Concurring Opinion of Judge Pinto de Albuquerque, [20]). Surveillance has never just been an issue of privacy, or private life or else the ECtHR would never have uttered its awareness:

[O]f the danger such a law poses of undermining or even destroying democracy on the ground of defending it, affirms that the Contracting States may not, in the name of the struggle against espionage and terrorism, adopt whatever measures they deem appropriate (Klass, [49]).

Barnard & Peers: chapter 9

Photo credit: Pixabay

A Threat to Human Rights? The new e-Privacy Regulation and some thoughts on Tele2 and Watson

Matthew White, Ph.D candidate, Sheffield Hallam University

Introduction

In a follow-up to last Christmas’s post, on 10 January 2017, the European Commission released the official version of the proposed Regulation on Privacy and Electronic Communications (e-Privacy Regs). Just as the last post concerned the particular aspect of data retention, this post will too.

Just as the former leaked version maintained, the proposal does not include any specific provisions in the field of data retention (para 1.3). This paragraph continues that Member States are free to keep or create national data retention laws, provided that they are ‘targeted’ and that they comply with European Union (EU) taking into account the case-law of the Court of Justice of the European Union (CJEU) and its interpretation of the e-Privacy Directive and the Charter of Fundamental Rights (CFR). Regarding the CJEU’s interpretation, the proposals specifically refers to Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, and Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB and Secretary of State for the Home Department. Aspects of the latter case is the focus of this post; the case itself has been thoroughly discussed by Professor Lorna Woods.

So, when is the essence of the right adversely affected?

Before discussing certain aspects of Tele2 and Watson, it is first important to draw attention to the provision which enables data retention in the new e-Privacy Regs. Article 11 allows the EU or its Member States to restrict the rights contained in Articles 5-8 (confidentiality of communications, permissions on processing, storage and erasure of electronic communications data and protection of information stored in and related to end-users’ terminal equipment). From Article 11, it is clear that this can include data retention obligations, so long as they respect the essence of the right and are necessary, appropriate and proportionate. In Tele2 and Watson the CJEU noted that any limitation of rights recognised by the CFR must respect the essence of said rights [94]. The CJEU accepted the Advocate General (AG)’s Opinion that data retention creates an equally serious interference as interception and that the risks associated with the access to communications maybe greater than access to the content of communications [99]. Yet the CJEU were reluctant to hold that data retention (and access to) adversely affects the essence of those rights [101]. This appears to highlight a problem in the CJEU’s reasoning, if the CJEU, like the AG accept that retention of and access to communications data is at least on par with access to the content, it makes little sense to then be reluctant to hold that data retention adversely affects the essence of those rights. The CJEU does so without making any distinction or reasoning for this differential treatment, and thus serves to highlight that perhaps the CJEU themselves do not fully respect the essence of those rights in the context of data retention.

The CJEU’s answer seems only limited catch all powers

The thrust of the CJEU’s judgment in Tele2 and Watson was that general and indiscriminate data retention obligations are prohibited at an EU level. But as I have highlighted previously, the CJEU’s answer was only in response to a very broad question from Sweden, which asked was:

[A] general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime…compatible with [EU law]?

Therefore, provided that national laws do not provide for the capturing of all data of all subscribers and users for all services in one fell swoop, this may be argued to be compatible with EU law. Both the e-Privacy Regs and the CJEU refer to ‘targeted’ retention [108, 113]. The CJEU gave an example of geographical criterions for retention in which David Anderson Q.C. asks whether the CJEU meant that ‘it could be acceptable to perform “general and indiscriminate retention” of data generated by persons living in a particular town, or housing estate, whereas it would not be acceptable to retain the data of persons living elsewhere? This is entirely possible given the reference from Sweden and the answer from the CJEU. In essence the CJEU have permitted discriminatory general and indiscriminate data retention which would in any event respect the essence of those rights.

Data retention is our cake, and only we can eat it

A final point on Tele2 and Watson was that the CJEU held that national laws on data retention are within the scope of EU law [81]. This by itself may not raise any concerns about protecting fundamental rights, but it is what the CJEU rules later on in the judgment that may be of concern. The CJEU held that the interpretation of the e-Privacy Directive (and therefore national Member State data retention laws) “must be undertaken solely in the light of the fundamental rights guaranteed by the Charter” [128]. The CJEU has seemingly given itself exclusive competence to determine how rights are best protected in the field of data retention. It is clear from the subsequent paragraph that the CJEU seeks to protect the autonomy of EU law above anything else, even fundamental rights [129]. This is despite the ECHR forming general principles of EU law and is mentioned in Article 15(1) (refers Article 6(3) of the Treaty of the European Union (TEU) specifically referring to the ECHR as such). Article 11 of the e-Privacy Regs refers to restrictions respecting the ‘essence of fundamental rights and freedoms’ and only time will tell whether the CJEU would interpret this as only referring to the CFR. Recital 27 of the e-Privacy Regs just like Recital 10 and 30 of the e-Privacy Directive refers to compliance with the ECHR, but as highlighted previously, Recitals are not legally binding.

Is the CJEU assuming too much?

A further concern, is that had the European Commission added general principles of EU law into Article 11, the CJEU may simply have ignored it, just as it has done in Tele2 and Watson. The problem with the CJEU’s approach is that it assumes that this judgment offers an adequate protection of human rights in this context. The ECHR has always been the minimum floor, but it appears the CJEU wants the CFR to be the ceiling whether it be national human rights protection, or protection guaranteed by the ECHR. What if that ceiling is lower than the floor? The AG in Tele2 and Watson stressed that the CFR must never be inferior to the ECHR [141]. But I have argued before, the EU jurisprudence on data retention is just that, offering inferior protection to the ECHR, and the qualification by the CJEU in Tele2 and Watson does not alter this. This position is strengthened by Judge Pinto De Albuquerque in his concurring opinion in the European Court of Human Rights judgment in Szabo. He believed that:

[M]andatory third-party data retention, whereby Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law-enforcement and intelligence agency access, appeared neither necessary nor proportionate [6].

Of course, Judge Pinto De Albuquerque could have been referring to the type of third party data retention which requires Internet Service Providers (ISPs) to intercept data from Over The Top (OTT) services, but his description is more in line with data retention of services’ own users and subscribers.

Conclusions

Although the CJEU has prohibited general indiscriminate data retention, the CJEU does not seem to have prevented targeted indiscriminate data retention. If the European Court of Human Rights (ECtHR) were to ever rule on data retention and follow its jurisprudence and the opinion of Judge Pinto De Albuquerque, this may put EU law in violation of the ECHR. This would ultimately put Member States in a damned if they do, damned if they do not situation, comply with the ECHR, and violate EU law autonomy; comply with EU law and violate the ECHR. When the minimum standards of human rights protection in this context are not adhered to, because of EU law, the ECHR should prevail. As anything less is a threat to human rights, meaning that the (even if well intentioned) CJEU can also be.

JHA4: chapter II:7

Photo credit: goldenfrog.com