Data Retention incompatible with EU law: Victory? Victory you say?
*Photo credit: https://www.beencrypted.com/
Matthew White, PhD candidate Sheffield Hallam University
Introduction
On 27 April 2018, the High Court in
Liberty v Secretary of State for the Home
Department and Others [2018]
EWHC 975 (Admin) ruled that Part 4
(retention of communications data) of the Investigatory
Powers Act 2016 (IPA 2016) was incompatible with the European Union’s (EU) Charter of Fundamental
Rights (CFR). They did so in holding that access to retained communications
data was not limited to the purpose of serious crime, and it was not subject to
prior review by a court or an independent administrative body. Liberty regarded
this ruling as a landmark victory for privacy rights. This blog post questions
this assertion by critically analysing the High Court’s judgment with regards
to the specific aspect of data retention.
Ignore the European Convention on Human Rights at your peril:
In the second paragraph of the
High Court’s judgment, it was acknowledged that the judicial review proceedings
concerned not only the CFR but the European Convention
on Human Rights (ECHR). The High Court, however, proceeded to only consider
the former. This omission will become more important throughout this post.
Does not concern the content of communications?
The High Court acknowledged that
retention notices under s.87(1) of the IPA 2016 affect a wide range of private
information to do with communications, but not their content e.g. emails and
texts [3]. Emails and texts are, of course, but one example of content; however,
some argue that communications data are equally (Elisabet Fura and Mark
Klamberg, ‘The Chilling Effect of Counter-Terrorism Measures: A Comparative
Analysis of Electronic Surveillance Laws in Europe and the USA’ (2012) Wolf
Legal Publishers, Oisterwijk 463, 467) or more revealing (Alberto Escudero-Pascual
and Gus Hosein, ‘Questioning lawful access to traffic data’ (2004)
Communications of the ACM 47:3 77, 82). This is precisely why the UN Office of
the High Commissioner for Human Rights (OHCHR) felt
such a distinction is no longer tenable (para 19). It was even demonstrated by iiNet
that content is embedded in communications data in sites like Twitter and
Facebook.
Moreover, the High Court
considered s.87(1) of the IPA 2016 in isolation to, for example, s.87(4)(d)
which prevents retention notices from requiring telecommunications operators to
retain data which is not used by them for any lawful purpose. Lawful purpose is
not defined in the IPA 2016, but s.46(4)(a) of the IPA 2016 allows (by
regulation, s.46(1) and (2)) any business to conduct interception if it
constitutes a legitimate practice reasonably required for the purpose, in
connection with the carrying on of any relevant activities for the purpose of
record keeping. Section 46(2)(b) includes communications relating to business
activities, and this could allow interception for ‘business purposes.’ This
would square with the Home Office’s position in 2009 where they noted
that deep packet inspection (DPI) ‘is a term used to describe the technical process whereby many communications service
providers currently identify and obtain communications data from their networks
for their business purposes’ (p15). DPI enables
Internet Service Providers (ISPs) to access information addressed to the
recipient of the communication only; this requires the interception of
communications data and content (para
32). This could legitimise practices such as those that occurred in the Phorm
scandal where BT, TalkTalk and Virgin Media made a deal with Phorm to
covertly intercept traffic of their customers. Whether it does or does not
permit Phorm-like activities is not the pressing issue at hand; it is the
allowance of intercepted
data to be retained (para 125, p1104) which would constitute a lawful
purpose under s.87(4)(d) of the IPA 2016. This highlights that the High Court’s
focus on s.87(1) blinds them to the realities of communications data being just
as serious as, if not more serious than, content; and, in any event, content could be
retained.
Appropriate remedy and the potential chaos that could ensue?
The High Court highlighted the
dispute between the Defendants and the Claimants as to the appropriate remedy,
where the former felt no more declaratory relief was necessary [32] because it
was already conceded that elements of Part 4 were inconsistent with EU law [31],
[38]. There was also a dispute as to the period of suspension should the High
Court disapply Part 4 [32]. Despite this acknowledgment of the Defendants, they
were of the position that Part 4 should continue as it currently is until it is
amended by Parliament [40-1]. The Claimants advocated for a suspended
disapplication, this for the High Court:
[W]as a
realistic and fair acknowledgement that, in this context, it cannot reasonably
be expected that there should, immediately, be no legislation at all in place
allowing retention of data that is needed to apprehend criminals or prevent
terrorist attacks [42].
The High Court noted that
whatever remedy it granted, it should not have the effect of ‘immediately
disapplying Part 4 of the 2016 Act, with the resultant chaos and damage to the
public interest which that would undoubtedly cause in this country’ [46]. The
use of ‘chaos’ was in reference to the Defendants who argued that
disapplication was a recipe for chaos [75].
A reason why the High Court
preferred not to disapply Part 4 immediately was because there would be no data
retention laws in place to aid in the fight against crime and terrorism. This
is not actually true: the Budapest
or Cybercrime Convention has had legal force in the UK since 1 September 2011.
This mainly concerns crimes committed via computer networks, but Article
14(2)(c) allows the UK to adopt measures to collect evidence in electronic form
of a criminal offence. This does not appear to limit offences to those
described in Articles 2-11. Moreover, Article 16 provides for data
preservation, which is the alternative to data retention. This is not the only
option available to the UK as discussed below. The High Court’s position is
essentially a strawman because immediate disapplication was not argued, and in
any event, would not be true if Part 4 were to be disapplied.
The High Court refers to ‘chaos’
and ‘damage’ to the public interest without explaining why and in what ways
this would be possible by disapplying Part 4. The language used by the High
Court needs to be critically analysed. Prior to the Data
Retention and Investigatory Powers Act 2014 (DRIPA 2014), communications
data retention had been voluntary under s.102(1) of the
Anti-terrorism, Crime and Security Act 2001 (ACTSA 2001), though the Data
Retention (EC Directive) Regulations 2007 and 2009
required data retention to a lesser extent. Previous attempts at mandatory data
retention, notably the draft
Communications Data Bill (dCDB) in 2013, were halted by the then Coalition
partners to the Conservatives, the Liberal
Democrats. There was no chaos, or damage to the public interest prior to
DRIPA 2014, when data retention was voluntary nor when the dCDB was rejected. When
the High Court in Davis and Others v
Secretary of State for the Home Department and Others [2015] EWHC
2092 (Admin) disapplied s.1 of
DRIPA 2014, albeit delayed for eight months [122], they felt it appropriate to
give Parliament enough time to scrutinise and pass new laws [121], and not
because of the chaos and damage that would ensue due to immediate
disapplication.
The High Court’s position
seemingly acts upon the assumption that if data retention obligations are
immediately disapplied, there would be no communications data to be accessed.
This is simply not the case when one considers one of the biggest telecommunications
operators in the world, Google, who store
‘your phone number, calling-party number, forwarding numbers, time and date of
calls, duration of calls, SMS routing information and types of calls.’ The
legal basis of this is questionable,
but the fact remains, such communications data could still be accessed under
s.61 of the IPA 2016 where a designated senior officer of a relevant public
authority could obtain communications data, whether it exists at the time or
not, meaning they could require a telecommunications operator to retain
communications data on a forward-looking
basis (para 177). This authorisation process is, however, subject to
change, requiring
authorisation by the Investigatory Powers Commissioner, but the fact
remains, the power is unchanged. Moreover, Part 6,
Chapter 2 of the IPA 2016 allows for the bulk collection of communications
data by intelligence services.
The High Court referred to the
Government swiftly enacting DRIPA 2014 [12]. What they did not mention was that
following Digital
Rights Ireland and the Court of Justice of the European Union’s (CJEU)
invalidation of the Data
Retention Directive (DRD), the Government did
nothing for three months. The High Court in Davis and Others noted there
was not a clear legal basis for the 2009 Regulations and thus some
telecommunications operators were considering deleting retained communications
data [45-6]. For three months, the Government must have known this was a
possibility, but did nothing, then rushed DRIPA 2014 through Parliament with indecent
haste in three days (Niklas Vainio and Samuli Miettinen,
‘Telecommunications data retention after Digital Rights Ireland: legislative
and judicial reactions in the Member States’ (2015) International Journal of
Law and Information Technology 23:3 290, 304).
Finally, the High Court refers to
the ‘public interest’ without mentioning what aspects they mean. Is it the
public interest in fighting serious crime and stopping terrorism? Even if this
is what the High Court meant, they did so without acknowledging that privacy in
and of itself is a public interest. This is specifically mentioned in s.2(2)(d)
of the IPA 2016. Regan regards privacy as having public value because it is necessary
to the proper functioning of a democratic political system (Priscilla M. Regan,
‘Legislating Privacy, Technology, Social Values and Public Policy’ (The
University of North Carolina Press 1995)). The then Labour Government even acknowledged
‘that the protection of privacy is in itself a public service.’ Privacy
is a prerequisite for liberal democracies because it sets limits on
surveillance by acting as a shield for groups
and individuals (Alan F. Westin, Privacy and Freedom, New York: Atheneum
(1967), 24). Moreover, privacy underpins
freedom of expression, religion, thought and conscience and
assembly/association. Furthermore, privacy is not
just an individual right nor does data retention just affect individuals.
In Riddick v Board Mills Ltd [1977]
QB 881, Lord Denning succinctly put it that:
The memorandum
was obtained by compulsion. Compulsion is an invasion of the private right to
keep one’s documents to oneself. The public interest in privacy and confidence
demands that this compulsion should not be pressed further than the course of
justice requires [p896].
This acknowledges the public
interest privacy serves, and to assume this only applies to the objectives such
as fighting serious crime and terrorism is to underestimate the fundamental
nature and importance of privacy.
Not general and indiscriminate data retention?
The High Court when considering
whether Part 4 of the IPA 2016 permitted general and indiscriminate data
retention referred to the Court of Appeal’s refusal in to apply Tom Watson and Others v Secretary of State
for the Home Department [2018]
EWCA Civ 70 [22-6]. The Court of Appeal’s reasoning remains unconvincing
and their semantic reasoning indicates what they would
have held. The Claimants before the High Court argued that Part 4 permitted
general and indiscriminate data retention, and thus should be referred to the
CJEU, however the Defendants argued that reading the IPA 2016 as a whole, this
is not the case [120].
The High Court toed the same
line as the Court of Appeal in Tom Watson
and Others where they noted that the CJEU were specifically referring to
Swedish law [121]. The High Court then summarises their view of the CJEU’s
ruling noting that Member States:
[M]ay adopt
legislation which permits decisions to be taken for the targeted retention of
data which is (a) sufficiently connected with the objective being pursued, (b)
is strictly necessary and (c) proportionate [124].
The High Court were of the
opinion that the CJEU’s judgment did not require more detailed factors which may be
relevant as to the application of those tests [124]. For the High Court, it
would be impracticable and unnecessary to set out in detail in legislation the
range of factors to be applied with matters such as national security, public
safety and serious crime [124]. It must be noted that the issue of national
security is a matter that will be dealt with by the CJEU based upon the
Investigatory Powers Tribunal’s preliminary reference (analysis
here).
Public safety, however, is not an
objective that the CJEU considers
to be capable of justifying data retention, only serious crime [102], so it is
unclear why the High Court even mentions this. The CJEU does refer to serious threats to public security, but
this is in regards to the links between the measure and objective evidence
[111]. The High Court also does not explain why it would be impracticable and
unnecessary to set out in detail the range of factors to be applied, when the
CJEU themselves observed that national law must be clear and precise [109]. Not
only does this raise issues with EU law, because Part 4 does not provide
clear and precise rules (Jennifer Cobbe, ‘Casting the dragnet- communications
data retention under the Investigatory Powers Act’ (2018) Public Law 10, 19),
but also with the ECHR. The ECtHR have ruled that it is essential to have clear, binding [60]
and detailed
rules, especially as the technology available for use is continually becoming
more sophisticated [229]. The reason for the ECtHR’s position is explained
in Szabo and Vissy v Hungary [2016] ECHR 579:
Given the
technological advances since the Klass and Others case, the potential
interferences with email, mobile phone
and Internet services as well as those of mass surveillance attract the
Convention protection of private life even more acutely [53].
What the High Court regards as
unnecessary and impracticable are actually requirements of both European
Courts, with the ECtHR taking that step further in explaining why.
The High Court then notes that
the combination of the scope and application of data retention measures and the
minimum safeguards are designed to achieve effective protection against the
risk of misuse of personal data [125]. Granted, the High Court are repeating
points made by the CJEU
[109], but this approach overlooks what the ECtHR have held:
The mere
storing of data relating to the private life of an individual amounts to an
interference within the meaning of Article 8…The subsequent use of the stored
information has no bearing on that finding [67].
The misuse of personal data is
secondary to it actually being retained (and generated, see s.87(9)(b) of the
IPA 2016). The High Court then distinguishes Swedish law from the IPA 2016 in
that it does not require a blanket requirement requiring the general retention
of communications data, because it relies upon the discretion of the Secretary
of State [127]. This has already been argued to be a semantic
argument ‘of distinguishing a catch all power, and a power that can catch
all, which of course, in any event, amount to the same thing.’ The High Court
also relies on the description that the Secretary of State will only exercise
this power if it is considered necessary and proportionate, which for them, is
in line with EU law [128]. But this position betrays their previous
reasoning on DRIPA 2014, which had the same requirements of necessity and
proportionality [47], with both parties and the High Court accepting this
permitted a ‘general retention regime [65].’ A reason for this position was
because the contents of a retention notice cannot be verified due to disclosure
not being permitted, unless the Secretary of State permits it (see s.95(2)-(4)
of the IPA 2016).
The High Court then argues that
it would be difficult to conceive how the tests of necessity and
proportionality could require the retention of all communications data due to
the wording of ‘all data’ in the IPA 2016 [129]. This reasoning is problematic,
because it relies upon the ‘surely the UK would not?’ position. Lord Kerr
observed in Beghal v Director of Public
Prosecutions [2015]
UKSC 49 that it ‘is the potential reach of the power rather than its actual
use by which its legality must be judged [102].’ This is precisely why Cobbe
argues:
Retention
notices may be tailored to an extent, including by requiring that only data which
meets a certain description or is from a certain time period is retained. But
s.87 does allow for ISPs to be required to retain "all data"
indiscriminately, without differentiation, limitation, or exception, and
without clear safeguards for data subject to professional confidentiality
(Jennifer Cobbe, see above, 19).
As others and myself have argued,
s.87(2)(a) and (b) theoretically allows for the possibility of ‘all operators in
the UK to be required to retain all data of users and subscribers’ (Matthew
White, ‘Protection
by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of
Information Rights, Policy, and Practice 2:1, 26) and should be treated as a
blanket and indiscriminate power (Matthew White, see above, 25; Jennifer Cobbe,
see above, 18; Andrew D. Murray, ‘Data
transfers between the EU and UK post Brexit?’ (2017) International Data
Privacy Law 7:3 149, 161).
In Liberty v UK [2008] ECHR 568 the
then UK Government accepted that s.3(2) of the Interception of Communications
Act 1985 allowed:
[I]n
principle, any person who sent or received any form of telecommunication outside
the British Islands during the period in question could have had such a
communication intercepted [64].
For the ECtHR, such a power was
virtually unfettered [64], and violated Article 8 for not being in accordance
with the law [70]. Furthermore, the High Court’s reasoning acts on the
assumption that the only way Part 4 could be unlawful is if it did permit or made
it possible for the retention of all communications data. This is simply not
true, as seen in the case of Liberty above, where this did not even concern
communications within the UK; moreover, in S and Marper [2008] ECHR 1581 the
GC ‘ruled
that general data retention, even on a specific group of individuals (suspects
and convicts) violated Article 8.’
The High Court then also
incorrectly claims that s.87(2)(b) of the IPA 2016 relates to a ‘description of
data’ and not just to ‘all data’ [129] when the actual words are ‘any description
of data’ which simply means any and/or all data could be retained. The High
Court makes the same mistake with regards to telecommunications operators in
that a retention notice may relate to a particular operator or to a description
of operators [129] when, again the operative word in s.87(2)(a) is any
description of operators. The suggestion here is that if a retention notice is
issued on one telecommunications operator (because s.87(2) ‘list[s] the
elements which may be used when delineating the content and scope of a
retention notice so as to satisfy the necessity and proportionality tests in
any particular case [129]’), this would be alright. If one uses BT as an
example, with over
nine million broadband subscribers, would a retention notice on BT to
retain all this communications data sit well with the High Court? After all, BT
is but one telecommunications operator, has a large subscriber base, but
crucially not all of them, and the subscribers’ communications data does not
amount to all the communications data that could be retained in the UK. In fairness,
this is as much of the CJEU’s problem as it is the High Court’s, as this is
where S and Marper makes a crucial
distinction, that being, data retention measures that are general and
indiscriminate within a group can still be unlawful.
The High Court then refers to the
12-month retention limit [130], but this only serves to highlight the constant interference with fundamental
rights as retention notices will be renewed on a yearly basis. The High Court
also refers to matters to which the Secretary of State must have regard to in
s.88(1) of the IPA 2016 such as the benefits of the notice, number of users
affected, costs etc and must also take reasonable steps to consult the relevant
telecommunications operator (see s.88(2)). Regarding the former, the Secretary
of State could still issue the
intended retention notice irrespective of what has been regarded, and with the
latter, there is no obligation to actually consult a telecommunications
operator.
The High Court then refers to the
Judicial Commissioner’s (JC) role in the approval of retention notices based on
the Secretary of State’s conclusions
[133]. This is problematic
because there ‘is no obligation on the Secretary of State to make a full and
frank disclosure and therefore, the JC and IPC could be misled (accidentally or
deliberately) (30)’ and could ‘be given a summary of a summary of a
summary of a summary of the original intelligence case (30-1).’ The GC have
noted that it is essential that
the supervisory body has ‘access to all relevant documents, including closed
materials and that all those involved in interception activities have a duty to
disclose to it any material it required [281].’ This is currently not possible
under the IPA 2016. The High Court then refers to the JC’s applying principles
of judicial review to authorisations [133]. The question as to whether the Wednesbury principles would apply has
been subject to debate
(29), but the Investigatory Powers Commissioner (IPC) themselves have noted
that when human rights issues arise, the necessity and proportionality tests of
the ECHR and EU law will be applied instead of Wednesbury (para 17, 19). However, this statement is only advisory
and admits it is not binding (para 1), thus is not a real safeguard.
The High Court then refers to the
JC’s general duties under s.2 of the IPA 2016 [133]. The first of which
concerns the JC having regard to whether there are less intrusive measures to
achieve the objective. There is: data preservation, but this isn’t in the IPA
2016 (unless one considers s.61 to be a form of data preservation). The second
concerns the level of protection to sensitive information, which is much
narrower than sensitive personal data in data protection instruments as it only
includes legally privileged material, journalistic sources, communications with
Members of Parliament etc. The JCs cannot have regard to sensitive information
because, as the Bar Council and Law Society have highlighted,
the problem with bulk communications data retention is that it does not prevent
legally privileged data from entering the ‘pool’ in the first place (para 32).
With regards to journalistic sources, United Nations Educational, Scientific
and Cultural Organization (UNESCO) noted
that even when journalists encrypt the content, they may neglect to encrypt the
communications data which means they still leave behind a digital trail when
they communicate with their sources, making them identifiable (26).
The High Court then refers to the
fact that a telecommunications operator can refer a retention notice back to
the Secretary of State, which again would require approval by the IPC [134].
And if the IPC approves a notice on BT to retain all the communications data of
their subscribers, then what? The High Court summarises Part 4 by noting that
they ‘do not think it could possibly be said that the legislation requires, or
even permits, a’ general retention regime [135]. However, it was never the
argument that the IPA 2016 requires a
general retention regime, but that it permits
the Secretary of State and JC to require
a general retention regime. As the ECtHR have maintained ‘it
would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed
in terms of an unfettered power [230].’ The question is not ‘will they’ but
‘can they.’
The High Court continues that
Part 4 and s.2 requires a range of factors to be taken into account before a
retention notice is issued [135]. Although it was already argued that ‘catch
all’ power is not necessary for Part 4 to be deemed unlawful, it is useful to
play Devil’s Advocate. Can the Secretary of State issue a retention notice on
all telecommunications operators to retain all communications data if they deem
it necessary and proportionate? Can a JC approve this? Can this still be the
case if the telecommunications operator refers this back to the Secretary of
State subject to approval by the IPC? If the answer is yes, then this
highlights that all the factors that the High Court refers to do not change
the operation of the power itself. If the answer is no, then the High Court is
ignoring the glaringly obvious implications of a power that can be applied to
all or any telecommunications operator to retain any or all communications
data.
The High Court then puts its
previous judgment to one side (where they agreed DRIPA 2014 permitted a general
retention regime) by arguing that:
Even if that
assumption were to be applied in this case, it is plain from the analysis set
out above, that the 2016 Act does not permit the general and indiscriminate
retention of communications data. In any event, we would add that the issue of
whether a UK enactment is inconsistent with EU legislation is not to be
determined by evidence from either party as to how the domestic scheme is
operated in practice or might be operated. Instead, the issue is an objective
question of law which turns on the proper interpretation of the two pieces of
legislation [136].
Essentially, the High Court are
saying, even if the previous judgment was correct, IPA 2016 is somehow
different, despite the wording of the power in DRIPA 2014 being identical. In
amazing fashion, the High Court decided that it does not really matter how the
law is or might be operated, but relies upon the notion of an ‘objective
question of law’ and how it is interpreted. And this is why ignoring the ECHR,
if it was not made clear above, is problematic, because the ECtHR have
consistently held
that:
[T]hat the
mere existence of laws and practices which permitted and established a system
for effecting secret surveillance of communications entailed a threat of
surveillance for all those to whom the legislation might be applied. This
threat necessarily affected freedom of communication between users of the
telecommunications services and thereby amounted in itself to an interference
with the exercise of the applicants’ rights under Article 8, irrespective of
any measures actually taken against them [168].
The High Court’s position is in
contrast to the position of the ECtHR in that secret surveillance can be judged
in abstracto or where an individual
can claim to actually be subject of a surveillance measure. All that is
required is that one is able to show that they
are ‘potentially at risk of being subjected to such measures [171].’ Whether
retention notices apply to all telecommunications operators to retain all
communications data, or to one telecommunications operator to retain all (or
even some) communications data, this allows for the ‘automatic
storage for six months of clearly
irrelevant data’ and ‘cannot be considered justified under Article 8 [255].’ Even
six months is unacceptable to the ECtHR (which raises serious questions as to
the 12-month retention limit); this position is strengthened by Advocate
General Øe, who noted
that:
The
disadvantages of general data retention obligations arise from the fact that
the vast majority of the data retained will relate to persons who will never be
connected in any way with serious crime [252].
Conclusion
This blog post has highlighted
many flaws in the approach of the High Court with regard to data retention. Part
4 of the IPA 2016 is consistent with neither the ECHR nor EU law. The High Court
have fallen into the same trap as the Court of Appeal did earlier this year
when distinguishing a catch all power, and a power that can catch all. This
post only partially deals with the judgment as the aspects of entity data and
serious crime deserve posts of their own. What is just as disappointing as this
judgment is the claim that it was a landmark victory, when in actual fact, the
rulings against the Defendants were concessions they already made, leaving the
crucial aspect of Part 4 unscathed. A wise little green man might say ‘Victory?
Victory you say? Master Liberty, not victory. The shroud of data retention
persists. Continue the mass surveillance will.’