Saturday, 13 October 2018

The compatibility of Ireland’s Public Health (Alcohol) Bill with EU law

Dr. Ollie Bartlett, Maynooth University

This month the Irish Public Health (Alcohol) Bill completed its passage through the houses of the Oireachtas, after two years and nine months of debate. The Bill introduces five main interventions: minimum pricing of alcoholic beverages; stricter labelling of alcoholic beverages; restrictions on alcohol advertising; the structural separation of alcoholic beverages from other products in retail outlets; and restrictions on the sale and supply of alcoholic beverages. Its purpose is to combat alcohol related harm in Ireland, which has reached worryingly high levels.

Health Minister Simon Harris has been obliged to defend various aspects of the Bill in the Irish press, and has described the eventual passage of the legislation as ‘groundbreaking’. This short contribution will focus on assertions that certain parts of the legislation are not compatible with European Union law. Such assertions (usually made by those with vested interests in the alcohol trade) attempt to deploy a vision of the EU internal market as a guarantor of commercial freedoms, in order to intimidate national governments into watering down public health protections. This contribution will address the inaccuracy of these assertions in relation to the Irish Public Health (Alcohol) Bill. In doing so it will identify how governments might also misinterpret European public health law and policy, and how this can lead to regulatory failure.

Opponents could argue, and have argued, that any substantive aspect of the Bill will be liable to unduly restrict trade in alcoholic beverages, and should therefore be seen as an unjustified breach of Article 34 TFEU, which prohibits measures having equivalent effect to a quantitative restriction upon trade in goods. However, Article 36 TFEU (which provides for exceptions to Article 34), together with consistent CJEU case law (for example, Aragonesa,  Bacardi France, Ahokainen and Leppik, Rosengren and Scotch Whisky Association) indicate that, provided an alcohol control measure is proportionate, it can be adopted despite the fact that it places a restriction on trade.

All five interventions in the Bill can be justified as proportionate. Minimum pricing rules can be compatible with EU law as the Scotch Whisky judgement suggested in the context of Scottish minimum unit pricing (MUP). Context is key for MUP, and Irish MUP will not automatically be legal as a result of this decision, but under the terms of the decision, and given the extensive and clear impact assessment conducted by the Irish government, as well as the already very high tax rates on alcohol in Ireland, it should not be difficult to demonstrate that MUP is an appropriate and necessary measure in this jurisdiction too.

There was a last minute and intense debate on the inclusion of cancer warnings on alcoholic beverage labels. This proposal has perhaps been the most harshly criticised, as trade restrictive, stigmatising for Irish products and detrimental to the operation of the internal market. Mandatory health warnings on alcoholic beverages have not been directly addressed by the CJEU. Having said this, labelling and information provision have regularly been viewed by the CJEU as a proportionate form of public health intervention (for example, Van der Veldt, Commission v Germany, Neptune Distribution), and indeed the CJEU has stated that ‘labelling is one of the means that least restricts the free movement of products within the [EU]’. Furthermore, it can be argued that given the remarks made by the CJEU on the carcinogenic nature of tobacco in the Philip Morris case, and the strong evidence on the carcinogenic nature of alcohol (the third leading risk factor for disease and death in Europe behind smoking and high blood pressure), it is not unreasonable that the decision to warn of the risk of alcohol related cancer on warning labels, using a method of intervention that does not impair the substance of intellectual property or business rights, would be seen as proportionate. Cancer warning labels might stretch the limits of what is necessary to achieve the objectives of public health protection, but they arguably do not - given the existence of evidence on positive effects and Member States’ commitment at WHO level to consider stronger alcohol labelling requirements - go beyond these limits.

Arguments that such labelling requirements would put Ireland at an economic disadvantage are less forceful when one considers that nine other countries around the world have introduced stricter alcohol labelling proposals. Arguments that Irish products will be stigmatised are misguided given that the rule applies to the sale of products in Ireland, not Irish exports. Lastly, arguments that stricter labelling requirements will have severe operational consequences for industries are something of a hyperbolic smokescreen, considering that there are currently no common rules on alcohol labelling due to the exemption of alcohol from food labelling regulations, the industry themselves have specifically rejected the opportunity to create a harmonised alcohol labelling scheme within the EU, and there is already diversity in EU countries’ labelling requirements, including

Targeted advertising restrictions have also been upheld as proportionate by the CJEU. The restrictions proposed by the Bill do not amount to a total prohibition on the advertising of alcohol, and indeed that is not their intention. Consistent CJEU case law has demonstrated that if advertising interventions are limited and targeted in scope, then they will be proportionate. Retail restrictions that serve public health purposes will likely fall within the exception to Article 34 TFEU that was created by the Keck decision – any non-discriminatory ‘selling arrangement’ will fall outside the scope of Article 34 TFEU altogether. Indeed, recent tobacco case law indicates that the CJEU will classify public health interventions concerning the retail of unhealthy products as selling arrangements, and do not appear especially motivated to interfere in the Member States’ legislative choices in this regard. The same argument applies to the restrictions on sale and supply of alcohol, which primarily concern price promotions, for example buy one get one free offers. Such restrictions would likely fall within the scope of a selling arrangement, and would therefore also fall outside the scope of Article 34.

Thus, is relatively clear that four of the five interventions included in the Bill are compatible with EU internal market law. Furthermore, a coherent argument can be made that the Bill’s labelling provisions will also be compatible with internal market law. EU law supports the Irish government’s prerogative to adopt such measures, and indeed in the comments issued by the Commission on the Bill, concerns were raised regarding the labelling provisions, but they were not criticised as opponents of the Bill have asserted. Rather, the Commission used the comments to reassert Ireland’s right to adopt proportionate public health measures.

Assertions regarding the incompatibility of the Bill with EU law fail to take account of the fact that the internal market is founded and has been developed upon the understanding that the responsibility of governments to protect their populations from various threats will often conflict with the commitment to protect free trade. The European Union Treaties explicitly provide that Member States can limit economic freedoms in a proportionate manner where a pressing social concern warrants intervention, and the CJEU has reinforced this time and again in the alcohol context. Moreover, both the right to health and the right to conduct a business are equally protected as a matter of EU fundamental rights law, and the CJEU has held that the right to health will outweigh the commercial rights of certain industries that contribute to public health epidemics.

Those that criticise the Public Health (Alcohol) Bill wrongly assume that the internal market requires Member States to prioritise the rights and interests of business, and to deal with social issues in a way that best suits the business community. This is not the case – the internal market guarantees free movement, but does not guarantee businesses a trump card to play when they feel their interests are being infringed. Far from preventing the Member States from protecting their populations, EU law protects the Member States’ right and responsibility to do so in a proportionate manner - even if this would lead to a certain amount of disruption to the status quo of transnational trade.  

Even Member States sometimes misinterpret the cues given by EU public health law and policy, and this can lead to instances of regulatory failure – where mutual inaction by two regulatory actors results in an issue not being addressed. For example, one of the most salient debates on the Public Health (Alcohol) Bill concerns the minimum unit pricing provisions, and their implementation. Simon Harris has until very recently repeatedly insisted that the MUP provisions enacted in the Bill would not be implemented until similar provisions were brought into effect in Northern Ireland, based upon the belief that Irish public health policy should not produce negative effects for the transnational trade in alcoholic beverages in border counties. The special nature of the Irish border and the desire of the Irish government to make public health policy on an all-island basis may make political sense, but as a matter of law the CJEU has repeatedly held that ‘the fact that one Member State imposes less strict rules than another Member State does not mean that the latter’s rules are disproportionate’.

EU law does not require Ireland to ensure that its policy choices are consistent with the policy choices in other Member States, and does not require that, once a barrier to trade has been justified, it is not implemented on account of possible trade distorting effects. The Irish government should bear in mind that internal market law permits each Member State to protect its own population in whatever way it sees fit, irrespective of choices made by other Member States, as long the barriers to trade it erects are proportionate. Simon Harris’ recent softening of his previous stance, through statements that Ireland cannot wait ‘forever’ to implement MUP, is therefore to be welcomed.

However, some elements of the Bill have not escaped the trap of regulatory failure. While the provisions on alcohol advertising are already commendably strong, they could have been even stronger. Amendments were proposed in the final rounds of Dáil debate that would have increased the protection the legislation offered to children against online alcohol advertising. This would have given effect to a considerable body of evidence that suggests that children are vulnerable to digital and other non-traditional forms of alcohol advertising, which are hardly regulated at all by any Member State. However, Simon Harris rejected these amendments. Despite fully agreeing with their sentiments, the health minister rejected them on the basis that tackling online advertising is a task best suited for EU level action, and that Ireland should therefore not act until the EU has acted. Unfortunately this logic does not take account of the fact that the EU have already recently refused to increase the stringency of online alcohol advertising regulation. The Audiovisual Media Services Directive reforms leave EU provisions governing cross-border alcohol advertising unchanged, and even relax some of the rules on the provision of advertising services, to the detriment of children’s health protection. The Commission has repeatedly insisted that it will not propose harmonising legislation to regulate cross-border alcohol trade.

In order for this to ever happen, Member States must commit to regulating the alcohol industry in their own territories. The conferral of competence upon the EU to regulate the internal market depends on the existence of barriers to trade, which can only exist if Member States have enacted sufficiently diverse regulations. Currently, regulation of online alcohol advertising is consistent across Member States in its virtual non-existence. The existence of at least some variation in national regulation would certainly put greater pressure on the Commission to adopt common rules, and would add some weight to the Member States’ political call for a European Union alcohol strategy. Thus, the Irish government’s position that Member States should wait for the EU to act has unfortunately led to a regulatory failure on an important public health issue.

In summary, the Public Health (Alcohol) Bill is a bold piece of legislation that seeks to act on the substantial evidence base on alcohol related harm in Ireland. It is within the discretion of the Irish government to adopt, and contains interventions which make justified restrictions to free movement. Assertions that parts of it are not compliant with EU law fail to take account of the fact that EU internal market law preserves the right of the Member States to protect their populations as much as it protects the freedoms of traders. Misinterpretations of this prerogative, or of the reality of EU level public health policy, can potentially lead to inaction and regulatory failure. The Irish government has taken an important step towards reducing the burden of alcohol related harm in Europe, and other Member State governments should be encouraged to follow.

Barnard & Peers: chapter 12, chapter 21
Photo credit:

Monday, 8 October 2018

The next phase of the European Border and Coast Guard: towards operational effectiveness

Mariana Gkliati, PhD researcher at Leiden University working on the accountability of Frontex for human rights violations during its operations

Two years after the establishment, in record time, of the European Border and Coast Guard (EBCG), the Commission’s new proposed Regulation opens the way for a standing corps of 10,000 border guards, with its own equipment and greater executive powers.

The proposal was presented during the State of the Union Address on 12 September 2018. President Jean-Claude Juncker, in his speech before the European Parliament, announced the adoption of 18 concrete initiatives, among which migration and borders reform occupied a central spot. Apart from the strengthening of the EBCG, these proposals include a reinforced role for the European Asylum Agency, EASO, a stricter EU returns policy, as well as measures for safe and legal pathways for regular migration to Europe.

The intentions of the Commission were expressed by Commissioner Avramopoulos himself in quite straight lines: ‘more Europe where more Europe is needed’.

Frontex is perhaps the most vivid representation of this message. The agency has been vested with new powers and competences almost every two years since its establishment in 2004, while its operational capacity has been growing steadily, with a spike in both personnel and budget after 2015.

Budget and Personnel

*(I produced this table with information collected mainly from annual reports, partly with the help of student assistant, Nilson Milheiro Anselmo)

This gradual approach was a necessary reconciliation between the Commission’s original vision of fully-integrated border management led by a fully-fledged corps of border guards on the one hand, and the sovereignty concerns of member states on the other.

In 2016 the member states felt that the time was ripe to accept a name that symbolically limits the absolute sovereign control over their borders bringing them closer to a fully integrated scheme of border management, and the European Border and Coast Guard (EBCG) was established. It was apparent already then that this was not a completely new EU agency but rather ‘Frontex reloaded’ with ever more powers and competences and a generous budget.

Already two years later, the EBCG is moving to the next phase, and the word that best describes that phase is ‘effectiveness’. The Commission aims for a strengthened and fully equipped European Border and Coast Guard that is effective and efficient enough to address the ‘capability-expectations gap’ that has resulted from the agency’s dependence on the member states for contributions in border guards and equipment.

This is where President Juncker drew the line between the past and the future of integrated border management: ‘Temporary solidarity is not good enough’ he stated. ‘We need lasting solidarity – today and forever more’.

Main changes

The effectiveness goal is to be achieved mainly with a increased operational capacity in terms of staff and equipment, expanded operational competences, and a sharp budgetary increase.

Standing corps of 10,000 border guards

Perhaps the most monumental change brought by the new Regulation is the establishment of a ‘standing corps of 10,000 operational EU staff with executive power and their own equipment’.

In order to address the vital operational issue of availability of human resources, the EBCG Regulation set in 2016 an absolute minimum of 1,500 seconded border guards and other experts that should be available at any time in order to ensure the effectiveness of the agency on short notice. This comes in addition to the European Return Intervention teams, currently involving 550 return experts. In fact, Frontex had more than 1,700 officers deployed at the EU borders in 2018 assisting with functions such as surveillance, registration, document checks, fingerprinting and security checks. The agency’s own staff has also been growing steadily, as shown in the table below. The agency started with 70 employees in 2006, while there were almost 500 people working in Warsaw in 2017. In the first months of 2018 the agency requited another 162 new staff, which means that one in three working in Warsaw were hired in 2018 alone. The goal is that by 2020 the agency will have 1,500 own staff, which will grow to 3,000 by 2027.

Today’s availability is still not adequate to fill the operational needs of the agency in a predictable and expeditious manner, as it has to rely for its work mainly on border guards provided by the member states on a voluntary basis. The standing corps of 10,000 will constitute a ‘reliable intervention force’ of agency staff and seconded or deployed officers, i.e. border guards and return experts.

The intention is the gradual proportional increase of the agency’s own staff and long-term deployments. The number of short-term deployments will gradually decrease in favor of statutory Agency staff  and staff seconded by member states for long-term duration, as shown in the scheme below.

The foundations for this amendment have already been set over the years, and member states are even more likely to support it because of the envisaged financial support system that will allow member states to replace the deployed personnel and maintain the capacity of their national border authorities. Furthermore, the costs of their salary and overall deployment will be covered by the agency.

Executive powers

The standing corps will have executive powers similar to the border guards and return specialists of the member states. They will be able to authorise or refuse entry at border crossing points, stamp travel documents, patrol borders, and intercept persons crossing irregularly. In addition, they will perform identity checks using the False and Authentic Documents Online system, which the agency will take over from the Council General Secretariat. Finally, the power to carry weapons will extend from the deployed national border guards to all members of the standing corps including agency staff.

Own Equipment

Another step closer to improving the stability, flexibility and autonomy of the agency is the acquisition by the agency of its own equipment. ‘We need more planes, more vessels, more vehicles’, stated President Juncker.

At first, such equipment was made available by the member states on an ad hoc basis, but in 2007, Frontex created the Centralised Record of Available Technical Equipment (CRATE), to which states contribute on a voluntary basis, in accordance with the needs specified by the agency. CRATE was replaced in 2016 by the Technical Equipment Pool, which serves as a record of all technical equipment available to the agency, whether that is owned by a member state or the agency or co-owned by both. However, while the contributions on paper seem to almost fully cover the agency’s needs, the actual availability of the pledged assets by the member states is more problematic, especially during the busier summer months.

Therefore there is a growing emphasis on developing the agency’s own capabilities. As of 2017, Frontex had €10 million per year in its disposal (EUR 40 million in total for 2017-2020) to acquire its own equipment, while co-ownership with a member state, renting, leasing, and long-term deployments were identified as additional options in the EBCG Regulation in 2016.

The agency has already started acquiring smaller pieces of equipment and running relevant leasing and rental projects, while now the goal is to move to larger items, such as vessels and planes. The Commission has now earmarked €2.2 billion of the EU budget for 2021-2027 to allow Frontex to acquire, but also to maintain and operate the necessary air, maritime and land assets.


The budget allocated for Frontex notes a sharp increase. An additional €2.3 billion is proposed for 2019-2020, which is followed by €11.3 billion proposed for the 2021-2027 period. This increase is in conformity with the general direction of the last years, especially since 2015, as shown in the Table. However, the allocated budget has always counted millions rather than billions. The highest allocation until now was in 2017 with €302 million.

Power to Intervene

The ‘right to intervene’ was one of the most controversial aspects of the 2016 EBCG Regulation. According to this right, the agency may launch an emergency intervention, even without the consent of the member state, if the latter does not take the measures identified by the agency in the vulnerability assessment, if the member state is faced with a crisis at its borders. If the member state does not cooperate with the implementation of the suggested measures, it’s threatened with the reintroduction of internal border checks.

Precisely because of the sensitive nature of the issue, the initial proposal was watered-down in 2016. While initially the agency could intervene on its own, in the final compromise the measures proposed by the agency can be implemented by the Council upon the proposal of the Commission.

The 2018 proposal moves one step closer to the initial conception, with the right to intervene being left to the Commission excluding the participation of the Council.


Returns have been the fastest growing activity of the agency. Frontex acquired further competences in 2016, mainly including organising and coordinating joint return operations. This resulted to 14,884 persons being  returned in 2017. Returns reached 8,966 from January to August 2018. However, the agency could not enter into the merits of return decisions or provide supporting information.

With the 2018 proposal the agency may now prepare return decisions itself and provide its own return escorts. It may also assist in the acquisition of travel documents, the identification of irregular migrants, and in the development of national return management systems. The central tasks of hosting an operation remain with the member state.

Finally, Frontex will be able to assist non-EU states with their return activities elsewhere, which include mixed return operations with the participation of member states.

Third Countries

Apart from assisting non-EU countries in their own return activities, the cooperation with third countries is strengthened even further. The option to launch an operation in a third neighboring country was introduced in 2016. The new proposal allows a border control operation to be launched in any third country not limited to neighboring countries.

Further, the establishment of ‘disembarkation centres’ on third countries is proposed for migrants intercepted at high sea. The concept of regional disembarkation is developed in contact with UNHCR and the IOM. Notably, Libya has for the moment turned down the idea.

Controlled Centres

Frontex will participate in the deployment of migration management support teams in hotspots and controlled centres. Such centres, to be set up by member states on a voluntary basis, will act as a cetralised location for EU migration management activities and aim to facilitate and accelerate the processing of asylum claims and  the execution of return decisions. All necessary steps should be concluded within a maximum of eight weeks.

Frontex will work there hand in hand with EASO, which also receives an enhanced mandate, assisting in the identification of beneficiaries of international protection and in returns, while EASO will support in the processing of asylum applications.

Supranationalisation and accountability

Even though the enhancement of the powers and competences of Frontex seems to come as a response to ad hoc incentives, such as the ‘migration crisis’ in 2016 or the need for greater effectiveness today, these changes are in fact far from incidental. They reflect the Commission’s longer-term vision for progressive integration that will result in a European Border Guard vested with full operational powers, effectively replacing the national border authorities.

In this respect the Commission proceeds to progressively ask for the increase of the number of available border guards and budget, but it also pushes for amendments that failed to pass the trilateral dialogues already in 2016, such as the right to intervene without the consent of the member state. This is a big leap towards supranationalisation that member states have so far been unwilling to take.

Greater autonomy and control over the operation, however, also moves Frontex closer to the realm of accountability. With growing executive powers and operational mandate, and direct control over the deployed personnel and equipment comes an even greater need for accountability.

This is especially so given the new mandate of the agency, for instance in the area of returns, where Frontex will have the power to prepare return decisions. The Commission emphasizes that the final decision remains upon the member state. However, the complaints concerning EASO, and the beyond its mandate influence on the asylum decision-making process in Greek hotspots, sets a disturbing precedence that should not be underestimated in the case of the EBCG.

Frontex operations are particularly sensitive to human rights violations, and with the individual complaints mechanism, established in 2016, falling remarkably short of the standards of an effective remedy, accountability for Frontex still remains an open end.

Barnard & Peers: chapter 26
JHA4: chapter I:3
Photo credit: European Parliament

Thursday, 4 October 2018

Mobile phone theft and EU eprivacy law: the CJEU clarifies police powers

Lorna Woods, Professor of Internet Law, University of Essex


This week’s CJEU judgment in Case C-207/16 Ministerio Fiscal is part of the jurisprudence on the ePrivacy Directive, specifically Article 15 which broadly allows Member States to permit intrusions into the confidentiality of communications for certain specified reasons.  Article 15 is part of the legal framework for the mass retention of communications data from Digital Rights Ireland (Case C-293/12 and 594/12), EU:C:2014:238) (“DRI”) on and in which the Court has affirmed that retention schemes could be justified only in the case of “serious crime” (Tele2/Watson (Joined Cases C-203/15 and C-698/15), ECLI:EU:C:2016:970).  This left the question of what “serious crime” might be, and whether there would be EU law standards circumscribing the scope of this term. It is this question that the reference here seeks to address, though it should be noted that the facts in issue were very different from those in the earlier cases.


The reference arose in the context of a police investigation relating to the theft of a wallet and a mobile phone.  The police wished to identify the new phone number associated with the stolen phone, as well as the details of persons associated with that new number.  However, Spanish law required that – to access such information – the police must be investigating a serious crime and the domestic courts here found that the facts giving rise to the investigation did not constitute a serious crime according to Spanish law. The reference to “serious crime” can be found in the Court’s case law in DRI, which – considering the right to private life and to data protection in Article 7 and 8 of the EU Charter of Fundamental Rights, set that as a minimum threshold for the retention of communications data en masse by telecommunications operators.

The national court referred a question on the meaning of Article 15(1) of the ePrivacy Directive (Directive 2002/58/EC, as amended) in the light of this jurisprudence.  Article 15 allows Member States to restrict some of the rights granted by the ePrivacy Directive in the interests of, inter alia, the prevention, investigation, detection and prosecution of criminal offences.  The national court asked whether the use of length of sentence available for a crime can be used to determine whether ‘it is also necessary to identify in the criminal conduct particular levels of harm to individual and/or legally protected interests’?  If length of sentence period alone suffices, is there a minimum in order to comply with the requirements of DRI?


The first issue before the Court was that of its jurisdiction to hear the question. Both the Spanish and UK governments argued that the Court did not have jurisdiction because criminal law is excluded from the scope of the Data Protection Directive (Art 3(2)) and the ePrivacy Directive (Art 1(3)).  The Court referred, however, to its previous judgments in this field, to hold that legislative measures derogating from the rights in the ePrivacy Directive based on Article 15 still come within its scope even if the measures pursue objectives which overlap substantially with the fields excluded from the ePrivacy Directive by Article 1(3). [para 34]  It concluded, relying on Tele 2/Watson, that the scope of the ePrivacy Directive:

extends not only to a legislative measure that requires providers of electronic communications services to retain traffic and location data, but also to a legislative measure relating to the access of the national authorities to the data retained by those providers [para 35].

The Court also dismissed other submissions on admissibility made by the Spanish government, re-iterating its long-standing position that ‘where the questions put by national courts concern the interpretation of a provision of EU law, the Court is, in principle, bound to give a ruling’ [para 45].

The Court considered the two questions referred by the Spanish court together. The Court specified that the question in issue did not relate to the compliance of the communications service providers with the law but ‘whether, and to what extent, the objective pursued by the legislation .. is capable of justifying the access of the public authorities, such as the police, to the data…’ [para 49]. The Court reiterated the approach taken by its Advocate-General to hold that there would be an interference through such access, even if such interference was not serious, nor the data accessed sensitive.

The Court noted that the list of objectives for the purpose of Article 15 ePrivacy Directive is exhaustive and that the authorities’ need for access must genuinely correspond to one of those objectives.  Article 15 does not, however, limit access to the fight against serious crime – it refers to criminal offences generally. The reference to “serious” comes from the Court’s case law where it was dealing with situations involving a serious interference with the right to private life.

By contract, when the interference that such access entails is not serious, that access is capable of being justified by the objective of preventing, investigating, detecting and prosecuting ‘criminal offences’ generally [para 57].

The Court then redefined the object of its considerations to the question of whether the interference in this case was ‘serious’.  Since the data sought related only to a short period of time and could not be cross referenced with other data, precise conclusions regarding the private lives of the persons in issue could not be drawn. Therefore there was not a serious interference with the individuals’ right to private life.


This judgment could be described as tactical.  The Court has re-iterated that it does have jurisdiction in these areas covered by Article 15. Although earlier jurisprudence on the ePrivacy Directive distinguished between the commercial operators’ obligation to retain data (falling within the internal market) and access by the police to those data, the Court did not limit its power of review in Tele2/Watson along those lines, and it followed that Tele2/Watson approach here.  Access to the data by state authorities requires processing by the telecommunications operators (see para 37). 

At the same time the Court stepped away from the difficult question, through its reformulation of what the referring court asked.  In so doing, it avoided the issue not just of what “serious crime” is, but that of whether “serious crime” is an autonomous EU concept.  In this the Court followed its Advocate General (Opinion 3 May 2018, ECLI:EU:C:2018:300) who went as far as to argue that “criminal law” should not be an autonomous concept of EU law.  While it avoided this question, and indirectly answered the question as to whether access to communications data for anything less than serious crime is permissible under EU law, it has not helped the Spanish court which is faced with a national law that specifically refers to a threshold of seriousness. Moreover, in emphasising its proportionality argument to suggest that the access for less serious crimes could be permissible, there is a danger that this may be read as saying that national laws should so allow access – an interpretation which would oversteps the bounds of its competence just as much as defining “serious crime” would.

The judgment re-iterates that Articles 7 and 8 of the Charter are engaged whether or not the interference is deemed serious or not; equally, the ruling recognises that there may be different levels of intrusion that need greater or lesser justifications.  Here the data sought was limited in type, and related to a limited period of time. The question of what is intrusive, especially in the context of the use of predictive analytics, has not yet been fully answered. 

The Court’s emphasis on its previous caselaw, notably Tele2/Watson as well as DRI, may be seen as trying to build a consistent approach within this case law and also reaffirming the principles laid down in those cases.  This judgment can then be seen as a re-affirmation of the approach in Tele2/Watson, which might be significant in the light of pending references seeking to ask the court to resile from its position there, notably the questions referred by the IPT in the Privacy International litigation (Case C-623/17, pending) regarding the scope of exclusive Member State competence as regards national security.

One final point is about the implications of the Court’s ruling on recent English caselaw – the Court of Appeal in Watson ([2018] EWCA Civ 70) and the Divisional Court in Liberty ([2018] EWHC 975 (Admin)).  In Liberty, the Government argued, successfully, that a category of communications data in the Investigatory Powers Act, “entity data”, did not fall within the ePrivacy Directive and therefore the ruling in Tele2/Watson as it was neither "traffic data" or "location data" within Article 2.  The Court declared the matter acte clair and refused to make a reference to the Court of Justice (Liberty, paras 154-55).  Yet, the very data that the Spanish authorities were seeking in the case before the Court of Justice were those that would identify the users of a phone, not the details of those users’ communications. The Spanish Government put forward a similar argument, but the Court declared this to be “irrelevant” [para 40]. Expressly following its Advocate General, the Court held that the ePrivacy Directive “governs all processing of personal data in connection with the provision of electronic communications services” [para 41].  This holding throws some doubt on the Divisional court’s view both as to the scope of the ePrivacy Directive and certainly the fact that the interpretation of the directive is acte clair.

Barnard & Peers: chapter 9
JHA4: chapter II:7

Photo credit: PixelVulture

Friday, 21 September 2018

Crushing terrorism online – or curtailing free speech? The proposed EU Regulation on online terrorist content

Professor Lorna Woods, University of Essex

On 12th September 2018, the Commission published a proposal for a regulation (COM(2018) 640 final) aiming to require Member States to require certain internet intermediaries to take proactive if not pre-emptive action against terrorist content on line as well as to ensure that state actors have the necessary capacity to take action against such illegal content. It is described as “[a] contribution from the European Commission to the Leaders’ meeting in Salzburg on 19-20 September 2018”. The proposal is a development from existing voluntary frameworks and partnerships, for example the EU Internet Forum, and the non-binding Commission Recommendation on measures to effectively tackle illegal content online ((C(2018)1177 final), 1st March 2018) and its earlier Communication on tackling illegal content online (COM(2017) 555 final). In moving from non-binding to legislative form, the Commission is stepping up action against such content; this move may also be seen as part of a general tightening of requirements for Internet intermediaries which can also be seen in the video-sharing platform provisions in the revised Audiovisual Media Services Directive and in the proposals regarding copyright. Since the proposal has an “internal market” legal base, it would apply to all Member States.

The Proposal

Article 1 of the proposed Regulation sets out its subject matter, including its geographic scope.  The scope of the proposed regulation is directed to certain service providers, “hosting service provider” in respect of specified content “illegal terrorist content”.  Terms are defined in Article 2. Article 2(1) defines “hosting service provider” (HSP) as “a provider of information society services consisting in the storage of information provided by and at the request of the content provider and in making the information stored available to third parties”. The definition of illegal terrorist content found in Article 2(5) is one (or more) of the following types of information:

(a) inciting or advocating, including by glorifying, the commission of terrorist offences, thereby causing a danger that such acts be committed;
(b) encouraging the contribution to terrorist offences;
(c) promoting the activities of a terrorist group, in particular by encouraging the participation in or support to a terrorist group within the meaning of Article 2(3) of Directive (EU) 2017/541
(d) instructing on methods or techniques for the purpose of committing terrorist offences.

The format does not matter: thus terrorist content can be found in text, images, sound recordings and videos.

Article 3 specifies the obligations of the HSPs. In addition to a specific obligation to prohibit terrorist content in their terms and conditions, HSPs are obliged to take appropriate, reasonable and   proportionate actions against terrorist content, though those actions must take into account fundamental rights, specifically freedom of expression.

Article 4 introduces the idea of a removal order, and requires that the competent authorities of the Member States are empowered to issue such orders; requirements relating to removal orders are set out in Article 4(3).  It does not seem that the issuing of such orders require judicial authorization, though the Regulation does envisage mechanisms for HSPs or the “content provider” to ask for reasons; HSPs may also notify issuing authorities when the HSP views the order as defective (on the basis set out in Article 4(8)), or to notify the issuing authority of force majeure. Article 4(2) states:

Hosting service providers shall remove terrorist content or disable access to it within one hour from receipt of the removal order.

The regulation also envisages referral orders; these do not necessitate the removal of content, nor – unlike the position for removal orders – does it specify deadlines for action. On receipt of a referral order, a HSP should assess the notified content for compatibility with its own terms and conditions. It is obliged to have in place a system for carrying out such assessments. There is also an obligation in Article 6 for HSPs in appropriate circumstances to take (unspecified) effective and proportionate proactive measures and must report upon these measures. Article 6 also envisages the possibility that competent authorities may – in certain circumstances – require a hosting service provider to take specified action.

Article 7 requires hosting service providers to preserve data for certain periods.  The hosting service provider is also required to provide transparency reports as well as to operate within certain safeguards specified in Section III, including transparency reporting, human oversight of decisions, complaints mechanisms and information to content providers – these are important safeguards to ensure that content is not removed erronously.  Section IV deals with cooperation between the relevant authorities and with the HSPs.  Cooperation with European bodies (e.g. Europol) is also envisaged.  As part of this, HSPs are to establish points of contact.

The Regulation catches services based in the EU but also those outside it which provide services in the EU (with jurisdiction in relation to Article 6 (proactive measures), 18 (penalties) and 21 (monitoring) going to the Member State in which the provider has its main establishment) and should designate a legal representative. The Member State in which the representative is based has jurisdiction (for the purposes of Articles 6, 18 and 21). Failure so to designate means that all Member States would have jurisdiction.  Note that as the legal form of the proposal is a Regulation, national implementing measures would not be required more generally.

Member States are required to designate competent authorities for the purposes of the regulation, and also to ensure that penalties are available in relation to specified articles such penalties to be effective, proportionate and dissuasive.  The Regulation also envisages a monitoring programme in respect of action taken by the authorities and the HSPs.  Member States are to ensure that their competent authorities have the necessary capacity to tackle terrorist content online.

Preliminary Comments

The proposal is in addition to the Terrorism Directive, the implementation date for which is September 2018.  That directive includes provisions requiring the blocking and removal of content; is the assumption that – even before they are require legally to be in place – these provisions are being seen as ineffective.

This is also another example of what seems to be a change in attitude towards intermediaries, particularly those platforms that host third party content.  Rather than the approach from the early 2000s – exemplified in the e-Commerce Directive safe harbour provisions – that these providers are and to some extent should be expected to be content-neutral, it now seems that they are being treated as a policy tool for reaching content viewed as problematic.  From the definition in the Regulation, it seems that some of the HSPs could have – provided they were neutral -fallen within the terms of Article 14 e-Commerce Directive: they are information society service providers that provide hosting services.  The main body of the proposed regulation does not deal with the priority of the respective laws but in terms of the impact on HSPs, the recitals claim

“any measures taken by the hosting service provider in compliance with this Regulation, including any proactive measures, should not in themselves lead to that service provider losing the benefit of the liability exemption provided for in that provision.  This Regulation leaves unaffected the powers of national authorities and courts to establish liability of hosting service providers in specific cases where the conditions under Article 14 of Directive 2000/31/EC for liability exemption are not met”.

This reading in of what is effectively a good Samaritan saving clause follows the approach that the Commission had taken with regard to its recommendation – albeit in that instance without any judicial or legislative backing.  Here it seems that the recitals of one instrument (the Regulation) are being deployed to interpret another (the e-Commerce Directive). 

The recitals here also specify that although Article 3 puts HSPs under a duty of care to take proactive measures, this should not constitute ‘general monitoring’; such general monitoring is precluded according to Article 15 e-Commerce Directive. How this boundary is to be drawn remains to be seen. Especially as the regulation envisages prevention of uploads as well as swift take-downs. Further, recital 19 also recognises that

“[c]onsidering the particularly grave risks associated with the dissemination of terrorist content, the decisions adopted by the competent authorities on the basis of this Regulation could derogate from the approach established in Article 15(1) of Directive 2000/31/EC, as regards certain specific, targeted measures, the adoption of which is necessary for overriding public security reasons”.

This is a new departure in the interpretation of Article 15 e-Commerce Directive.

The Commission press release suggests the following could be caught: social media platforms, video streaming services, video, image and audio sharing services, file sharing and other cloud services, websites where users can make comments or post reviews. There is a limitation in that the content hosted should be made available to third parties. Does this mean that if no one other than the content provider can access the content, the provider is not an HSP?  This boundary might prove difficult in practice.  The test does not seem to be one of public display so services where users who are content providers can choose to let others have access (even without the knowledge of the host) might fall within the definition. What would be the position of a webmail service where a user shared his or her credentials so that others within that closed circle could access the information? Note that the Commission is also envisaging services whose primary purpose is not hosting but which allows user generated content– e.g. a news website or even Amazon – also fall within the definition. 

The scope of HSP is broad and may to some extent overlap with that of video-sharing platforms or even audiovisual media service providers for the purposes of the Audiovisual Media Services Directive (AVMSD).  Priorities and conflicts will need to be ironed out in that respect. The second element of this broadness is that the HSP provisions are not just applying to the big companies, the ones to some extent already cooperating with the Commission, but also to small companies. In the view of the Commission terrorist content may be spread just as much by small platforms as large.  Similar to the approach in the AVMSD, the Commission claims that the regulatory burden will be proportionate as the proportionality with mean the level of risk as well as the economic capabilities would be taken into account. 

In line with the approach in other recent legislation (e.g. GDPR, video-sharing platforms provisions in AVMSD) the proposal has an extraterritorial dimension. HSPs would be caught if they provide a service in the EU.  The recitals clarify that “the mere accessibility of a service provider’s website or of an email address and of other contact details in one or more Member States taken in isolation should not be a sufficient condition for the application of this Regulation” [rec 10]; instead a substantial connection is required [rec 11]. Whether this will have a black out effect similar to the GDPR remains to be seen; it may depend on whether the operator is aware enough of the law; how central the hosting element is and how large a part of its operations the EU market is.

While criminal law, in principle, is a matter for Member States, the definition of terrorist content relies on a European definition – though whether this definition is ideal is questionable.  For companies that operate across borders, this is presumably something of a relief (and as noted above, the proposal is based on Article 114 TFEU, the internal market harmonisation power).  The Commission also envisages this a mechanisms limiting the possible scope of the obligations – only material that falls within the EU definition falls within the scope of this obligation – thereby minimising impact on freedom of expression (Proposal p. 8).  Whether national standards will consequently be precluded is a different question.  Note that the provisions in the AVMSD that focus on video sharing platforms were originally envisaged as maximum harmonisation but, as a result of amendments from the Council, retuned to minimum harmonisation (the Council amendments also introduced provisions on terrorist content into the AVMSD based on the same definition).

The removal notice is a novelty aimed at addressing differential approaches in the Member States in this regard (an on-going problem within the safe harbour provisions of the e-Commerce Directive), but also to ensure that such take down requests are enforceable.  Note, however, that it is up to each Member State to specify the competent authorities, which may give rise to differences between the Member States, perhaps also indicating differences in approach.  The startling point is probably the very short timescale: 1 hour (a complete contrast to the timing for example specified in the UK’s Terrorism Act 2006).  The removal notices have been a source of concern.  This is not very long which will mean that - especially with non-domestic providers and taking into account time differences - HSPs will need to think how to man such a requirement (unless the HSPs plan to automate their responses to notices), especially if the HSP hopes to challenge ‘unsatisfactory’ notices (Art 4(8)). 

Given the size of the penalties in view, industry commentators have suggested that all reported content will be taken down.  This is certainly would be a concern in relation to situations where the HSPs had to identify terrorist content (ie ascertain not just that it was in a certain location but also that it met the legal criteria) themselves.  Is it not the case that this criticism is fully appropriate here.  Here, HSPs are not having to decide whether or not the relevant content is terrorist or not- the notice will make that choice for them.  Further, the notice is made not by private companies with a profit agenda but instead by public authorities (presumably) orientated to the public good and with some experience in the topic as well as in legal safeguards.  Furthermore, the authority must include reasons. Indeed, the Commission is of the view that referrals are limited to the competent authorities which will have to explain their decisions ensures the proportionality of such notices (Proposal p. 8). Nonetheless, a one hour time frame is a very short period of time.

Another ambiguity arises in the context of referral notices. It seems that the objective here is to put the existing voluntary arrangements on a statutory footing but with no obligation on the HSP to take the content down within a specified period. Rather the HSP is to assess whether the content referred is compatible with the HSPs terms of service (not whether the content is illegal terrorist content).  Note this is a different from the situation where the HSP discovers the content itself and there has been no official view as to whether the content falls within the definition of terrorist content or not. This seems rather devoid of purpose: relevant authorities have either decided that the content is a problem (in which case the removal notice seems preferable as the decision is made by competent authorities not private companies) or the notice refers to content which is not quite bad enough to fall with the content prohibited by the regulation but the relevant authorities would still like it down, with the responsibility for that decision being pushed on to the HSP. Such an approach seems undesirable.

Article 6 requires HSPs to take effective proactive measures.  These are not specified in the Regulation, and may therefore allow the HSPs some leeway to take measures that seem appropriate in the light of each HSP’s own service and priorities, though it seems here that there may also be concerns about the HSPs’ interpretation of relevant terrorist content.  It is perhaps here that criticisms about the privatisation of the fight against terror comes to the fore.  Note, however that Article 6(4) allows a designated authority to impose measures specified by the authority on the HSP.  Given that this is dealt with at the national level, some fragmentation across the EU may arise; there seems to be no cooperation mechanism or EU coordination of responses under Article 6(4).

There is also the question of freedom of expression. Clearly state mandated removal of content should be limited, but it is the intention that HSPs have no freedom to remove objectionable content for other reasons. At some points, the recitals suggest precisely this: “hosting service providers should act with due diligence and implement safeguards, including notably human oversight and verifications, where appropriate, to avoid any unintended and erroneous decision leading to removal of content that is not terrorist content” [rec 17]. Presumably the intention is that HSPs should take steps to avoid mistakenly considering content to be terrorist.  They clearly are under obligations to take other forms of content down, e.g. child pornography and hate speech. 

More questionable is the position with regard other types of content: the controversial and the objectionable, for example.  As private entities human rights obligations do not bite on them in the same way as they do with regards to States, so there may be questions about the extent to which a content provider can claim freedom of expression against an unwilling HSP (e.g. for Mastodon, the different instances have different community standards set up by that community - should those communities not be entitled to enforce those standards (providing that they are not themselves illegal)?).  There may moreover be differences between the various Member States as to how such human rights have horizontal effect and the deference given to contractual autonomy.  With regard to the video sharing platforms, it seems that room is given to the platforms to enforce higher standards if they so choose; there is not such explicit provision here.

A final point to note is the size of the penalties that are proposed.  The proposal implicitly distinguished between one-off failings and a ‘systematic failure to comply with obligations’.  In the latter cases, penalties of up to 4% of global turnover- in this there are similarities to the scale of penalties under the GDPR.  This seems to be developing into a standard approach in this sector.

Barnard & Peers: chapter 25, chapter 9
JHA4: chapter II:5
Photo credit: Europol

Thursday, 20 September 2018

Analysis of the ECtHR judgment in Big Brother Watch: part 2

Lorna Woods, Professor of Internet Law, University of Essex

(These comments on the judgment follow part 1 of the analysis, which explained the Court’s reasoning).

The Big Brother Watch judgment is, depending on your point of view, a confirmation of the possibility of bulk surveillance (para 314) or a recognition of the fact that the Regulation of Investigatory Powers Act (RIPA) regime was insufficient and that, to the extent that these weaknesses are copied over into the Investigatory Powers Act (IPA), that act is deficient also.  These two different views reflect the fact that the judgment is long and complex and that a one sentence summary is unlikely to do justice to all its nuances. In fact, in an area where there is a rapidly increasing body of case law, it is likely that the full significance of the judgment will not be known for some time and we know how it has been interpreted, followed, distinguished, over-written or simply ignored.  What follows then is necessarily a preliminary indication of the issues and points of significance that arise from the judgment.  It contains a number of themes, or questions:-

-          To what extent is there a consistent, even if gradated, approach across the different forms of surveillance?
-          To what extent should we say that the case law from the analogue era is not the best indicator of necessary safeguards for the digital?
-          What impact will this ruling have for the IPA – especially given that the Court’s assessment of the RIPA regime changes to improve accountability following on from the Snowden disclosures?


The first question, at least in relation to two of the sets of applicants, was the question of exhaustion.  While the Court accepted that there were “special circumstances” (para 268) (recognised in Sejdovic v Italy (app no. 56581/00)), so that the case was admissible, it is worth noting briefly the Court’s approach in getting to this point.

The applicant’s argument was based on the reasoning of the Court in Kennedy, that while the Investigatory Powers Tribunal (IPT) has heard cases which effectively constitute a challenge to the legal regime itself (rather than a claim of interference in the claimant’s individual case), the domestic regime did not obviously “benefit the applicant, given that it did not appear to give rise to a binding obligation on the State to remedy the incompatibility” (Big Brother Watch para 251, Kennedy para 109). Here, the Court relied on Zakharov - in terms of its discussion of victimhood and the admissibility of a claim in abstracto rather than in the context of availability of a remedy - to suggest that the distinction in Kennedy between an individual grievance and a general complaint against the system (in which latter case the IPT cannot provide a remedy) as regards has been removed. 

The fact that there might still not be a remedy for an individual in the context of a general complaint, even if the IPT agrees to hear the complaint, is not addressed. Is the Court suggesting that a complainant should (in any event) bring an individual challenge so as to find a remedy to exhaust? Such a suggestion would follow the same line as the reasoning of the concurring opinion in Zakharov: that showed a preference for specific cases of interference. 

While the Court emphasised the importance of the IPT and how it has changed over its 15 year period – specifically its independence, the scope of its powers and techniques it has developed to allow it to hear cases without running into difficulties from the sensitivity of some of claims, it did not address head on the fact that the IPT has only rarely found against the Government in cases involving the security and intelligence services and that only after the Snowden disclosures (see for details the IPT’s report covering 2011-15 and the much shorter statistical report covering 2016).  While the elucidation of procedures – especially those “below the waterline” - is clearly helpful to the Court (see para 257), it does not help the victim if there is no remedy. 

This approach signals that the Court will not accept more applications which seek to avoid the delays and expense inherent in bringing an action before the IPT – campaigners take note.

Merits of Case

Article 8 and the Section 8(4) Regime

The applicants argued that the s. 8(4) regime was not lawful in the sense that the regime was complex and significant elements of the regime were not made public but were “below the waterline”; further they argued it did not comply with the 6 requirements to guard against unfettered discretion and the risk of abuse found in Weber.  The Court’s response is detailed and considered but -in the end – perhaps overly deferential to a set of institutions which seemed happily unaware of the practices of the security and intelligence services.

The Court’s reasoning starts with the statement that in previous judgments different approaches had been taken to different types of surveillance and that “there is no one set of general principles which apply in all cases concerning secret measures of surveillance” (para 303).  Weber consolidated the position in a number of earlier cases, though these were not cited: e.g Malone (App no. 8691/79); Huvig (App no. 11105/84) and -broadly speaking - Leander (App No. 9248/81 but crucially specifically identified the criteria whereas earlier case law operated on the basis of a broader test. Later in its judgment the Court pointed to Uzun (App no. 35623/05) (concerning GPS tracking where the Court considered that because the tracking of movements in public disclosed less information about the conduct, opinions and feelings of the person concerned less strict safeguards were required) and RE (App no. 62498/11) (concerning covert surveillance of consultations of individuals with legal advisors in a police station) as cases involving surveillance where the Weber 6 criteria were not applied (para 351).  Nonetheless, following the standard line for interception cases (albeit targetted interception rather than bulk), it agreed that the 6 principles from Weber should be the starting point for assessing foreseeability. In this, the Court is following a well-trodden path – one that case also be seen in Centrum för Rättvisa (App no. 35252/08) which also deals with bulk interception (para 99).  The Court found the complexity point was a question of foreseeability; insofar as it dealt with that issue, it did so as part of the Weber criteria.

While a consistent central principle is desirable, and the intention of the Court to set this out is to be applauded, the approach of the Court here suggests that there are differences between types of surveillance which are relevant (see similarly RE para 130), but it does not give us a clear framework as to what factors to be taken into account in determining what relevant differences are.  Should we look at the distinction between bulk and targeted interception, between content interception and meta-data collection; or even between the legitimate purposes? It may be that all are relevant; it would have been helpful had the impact of these differences been clearly mapped; this judgment, however, seems more to give rise to questions than answers.

One key factor the Court emphasised was the level of intrusion – and in this it followed previous jurisprudence. Notably, it argued that:

it would be wrong automatically to assume that bulk interception constitutes a greater intrusion into the private life of an individual than targeted interception, which by its nature is more likely to result in the acquisition and examination of a large volume of his or her communications (para 316). 

Does this mean that the level of safeguards in relation to bulk acquisition should be less than those for targeted interception based on the degree of intrusion? Or, might we argue that untargeted acquisition is more problematic because of its impact on society generally and because it is less likely to be proportionate? The Court deals with this issue by distinguishing between interception and selection/examination.  Another area in which the Court is unclear on the level of intrusion is in its consideration of meta data and whether it is less intrusive – more intrusive or similarly intrusive albeit in a different way. 

Nonetheless, in a statement that could be considered an important step forward in terms of the Court’s recognition of the importance of meta data, it Court commented that it was “not persuaded that the acquisition of related communications data is necessarily less intrusive that the acquisition of content” and by contrast to content interception, bulk acquisition magnified the problem (para 356). It seems from the discussion of the related communications that the Weber criteria can be applied to bulk communications data acquisition (para 350).  Finally, though lying outside the fact pattern, the Court referred to its recent decision in Ben Faiza (App no. 31446/12) to say that (perhaps in contrast to Uzun) that real time tracking was more intrusive than the transfer of historical data. 

It is regrettable that – despite its recognition of the significance of communications data - the Court did not investigate further the points raised in some submissions regarding the scope of the data collected and the impact of new technologies in terms of the types of analytical techniques used.  So far this issue has not attracted much judicial attention (the exception being the brief mention in the ECJ’s Canada PNR Opinion (Opinion 1/15)). Judge Koskelo in a partly concurring partly dissenting opinion commented that on the sea change that has taken place in terms of the amount and nature of data that is available, as well as mechanisms for carrying out surveillance, exposing individuals to greater intrusion than before (paras 11-13).

Despite this ‘sea change’, the Court also rejected the proposal to ‘update’ the Weber criteria to require objective evidence of reasonable suspicion in relation to the persons for whom data is being sought and the subsequent notification of the surveillance subject on the basis that it “would be inconsistent with the Court’s acknowledgement that the operation of a bulk interception regime in principle falls within a State’s margin of appreciation” (para 317).  This suggests that the powers of European review are in fact limited so that they cannot exclude a particular instance of bulk surveillance.  Such a position would seem to be a movement from that which says bulk surveillance is not automatically prohibited but it still must satisfy the three-stage test in Article 8(2) as determined at Convention level.  In terms of proportionality of a bulk regime, the Court refers to the Anderson Review of Bulk Powers. It accepts its findings that there is a case for bulk surveillance, but seemingly equates that to a finding that such surveillance is proportionate (paras 384-6). It is clear from the review, however, that the question of the proportionality of any such measures was not considered, this being a matter for Parliament.

A further consideration is the extent to which the proportionality analysis changes (or should change) depending on the public interest objective in view.  The headline statement about the acceptability of bulk surveillance related to national security, yet RIPA allowed (and the IPA does allow) the carrying out of bulk surveillance on a broader range of grounds.  In any event, as Judge Koskelo commented, is it appropriate to judge the adequacy of safeguards in the context of cases that arose in very different factual circumstances? In that context, note that much of the assessment of the facts in this case is based on what the Court previously found in Kennedy – prior to the Snowden disclosures. Further, this approach to generalised surveillance seems to be a point at which there is some divergence between the Court and the ECJ, as noted in the Joint Partly Dissenting and Partly Concurring Opinion of Judges Pardalos and Eicke.

The Court suggested that the 6 criteria in Weber needed to be adapted for the context of bulk surveillance (as it did in Centrum för Rättvisa para 114) despite the fact that Weber itself concerned a bulk regime. Moreover, when the Grand Chamber applied the Weber criteria in the case of targeted interception it did not adapt Weber, although it also considered ‘additional relevant factors’ in relation to the consideration of ‘necessary in a democratic society’ (Zakharov, para 232). It is not therefore clear what the nature of and necessity for this adaptation is in this case.  The Court here also proposed considering the regime in the light of the Zakharov additional factors (para 320).  This consolidation sees to becoming more common (see also Centrum för Rättvisa). It should be noted, however, that while the two sets of considerations will be based on similar facts, their content is slightly different, though whether this consolidation has a detrimental impact on the level of protection afforded is an open question. 

Another issue is the extent to which the ex post controls can be seen as compensating for a lack of ex ante controls.  While Judge Koskelo expressed concerns about the reliance on ex post control generally (paras 17, 20), a key point from this judgment is the Court’s re-iteration that prior judicial authorisation is not essential. Nonetheless, although the Court emphasised the importance of the ex post control by the IPT (para 318) (the new double lock system under the IPA not being in place at the time of the hearing), in relation to the selection of the material the ex post oversight seemed insufficient (paras 345-346).  It may be that the difference in the Court’s approach can be explained by its view of the degree of intrusion, with the selection of material being more intrusive than the collection though there is still a degree of uncertainty in what the test requires here. 

Significantly, the Court has viewed the interception of content as a potential violation in its own right. This seems to contradict the commonly made assertion that the automated collection of data (whether content of communications, communications meta data – or other data eg location via GPS or ANPR) is not an intrusion.  It also reminds us that the interception of content and its examination is not one event, but on ongoing process that may lead to multiple intrusions which need to be assessed individually (the data sharing reasoning reiterates this point too).  While the IPA has brought in greater ex ante controls, this is a weakness that remains in the new act.  The great unexplored territory is, as noted, whether a claim could be made that there should be some sort of control over types of analytical techniques used when analysing big data sets/predictive analytics.

A further point of some significance for the IPA regime is the Court’s approach to the use of related data which, despite some changes in terminology, is the same as in RIPA. It seems from the Court’s analysis that the selection for examination of such data for purposes beyond determining whether the individual is in the UK or Ireland requires greater oversight than the regime currently provides.   The Court also refrained from discussing (perhaps because the Government did not raise it) the question of where the interception takes place (para 271). This issue remains for another day.

Article 8 and Data Sharing

As regards the data-sharing regime, there will no doubt be disappointment that the Court accepted the regime. It could be said that the judgment thereby renders data sharing acceptable, especially given its emphasis on the global nature of terrorism and the States’ duties to protect security. The judgment is perhaps significant for what it did not cover. It carefully limited the topic on which it ruled, the receipt of intelligence and did not discuss the sharing of intelligence gather by the British services and shared overseas. There is also an assumption here that a person outside the UK who data is shared with the British services will still have convention rights when the information is shared/processed in the UK.  The issue of where the intrusion happens may become more complex in other situations – perhaps in the context of equipment interference warrants.

Article 8 and Bulk Communications Data

The Court’s analysis of the bulk communications data regime is in some ways disappointing as it does not deal directly with the substance. Instead the regime falls because there is no basis in law, despite the existing statutory framework (whether we consider RIPA or IPA). Simply put, the domestic courts have recognised that the statute must be disapplied for non-compliance with the requirements of EU law, and the Strasbourg Court therefore concluded that the regime “cannot be in accordance with the law within the meaning of Article 8” (para 467).  The point worth emphasising here is that the Court based its conclusion on its understanding of domestic law, not by relying directly on EU law.  It certainly has not gone as far as adopting the reasoning of the Court of Justice in the data retention cases.

Article 10

Finally, a relative novelty in Big Brother Watch is the Article 10 freedom of expression arguments (the Court not having considered the issue since Weber).  Note that the Court relied on its reasoning under 8(2) with regard to the assessment of 10(2): the considerations seem therefore to be the same, implicitly introducing the Weber criteria and the Zakharov additional considerations into freedom of expression.  Presumably this jurisprudence will not be relied on save in the specific context of the impact of secret surveillance on the media. While the Court did not state that journalistic communications would be entirely off-limits (similarly lawyers’ conversations are not sacrosanct: Kopp), there are a couple of points that will have implications for the IPA. In relation to bulk interception there were concerns about the lack of safeguards in relation to the selection of material (para 493), an area where the Court had already found the regime to be weak. Further, the IPA provides safeguards that are limited to applications that have the purpose of targetting journalists’ communications; the Court here noted that the protections did not “apply in every case where there is a request for the communications data of a journalist or where such collateral intrusion is likely” (para 499). This lack, adding to the general failings of the regime (above), meant that the regime could not be considered in accordance with the law for the purposes of Article 10(2).

Barnard & Peers: chapter 9
JHA4: chapter II:7
Photo credit: MiniPress news