Lorna Woods, Professor of Internet Law, University of Essex
This is the Grand Chamber’s take on a challenge to the UK’s RIPA regime originally decided by a chamber (judgment 13 September 2018). It is the culmination of a long series of challenges to the UK regime, following the publication of information revealing that the UK (and other Governments) had engaged in bulk surveillance of people’s communications as well as in intelligence sharing. The judgment arose from three applications originally filed before the Strasbourg Court: Big Brother Watch and Others v. the United Kingdom (App no. 58170/13); Bureau of Investigative Journalism and Alice Ross v. the United Kingdom (App no. 62322/14); and 10 Human Rights Organisations and Others v. the United Kingdom (App no. 24960/15) (and on which I commented). Similar questions were also in issue in Centrum för Rättvisa v. Sweden (App no. 35252/08), another Grand Chamber judgment handed down on the same day but based in a longstanding challenge to Swedish surveillance laws from 2008 which had been found by a chamber of the court not to violate Article 8 ECHR (the right to privacy).
It raises questions about the extent to which such surveillance is permissible and under what conditions – and is about the extent to which the safeguards identified before digitization and which were generally applied in relation to interception of communications can apply to intelligence gathering based on data analytics, where issues of meta data are directly considered as well as concerns about the content of communications. The particular problem is that surveillance has historically been considered from the perspective of individual surveillance, where a person may be the subject of surveillance when there are reasonable grounds for suspicion. The very nature of bulk data acquisition and intelligence gathering means that there is no such suspicion.
As many commentators have remarked, it is the first mass electronic surveillance case to be decided against the UK after the Edward Snowden revelations and, significantly, it also considered meta data (communications data) as well as content. While the Court found the UK government to be in violation of Article 8 on some points, it is not a complete ‘win’ for privacy activists. Notably, this judgment and that in Centrum för Rättvisa, sets the conditions for bulk collection of data; in so doing, has it – as the Court of Justice of the EU apparently has following La Quadrature du Net (Case C-511/18) -accepted the possibility the principle of mass survellance, with the loss of anonymity not just online but – with smart homes, cars and cities – potentially everywhere?
The UK Government Communications Headquarters (GCHQ) was running three surveillance systems:
- bulk interception of (foreign) communications (which was then winnowed down through automated means to sets of information that would be analysed by the security services);
- intelligence sharing among the ‘Five Eyes’ (the United States, Canada, Australia, New Zealand as well as the UK), specifically in collaboration with the PRISM and Upstream programs run by the American NSA; and
- acquisition of communications data from internet service providers.
The regime at that time was based on the Regulation of Investigatory Powers Act 2000 (RIPA), which has now been replaced by the Investigatory Powers Act 2016 (IPA); the Court decided matters on the basis of the law as was and not in the light of the IPA (though the IPA shares some features with the RIPA regime). In addition to statutory provisions, RIPA envisaged that codes of practice would provide more detail as to actual practice. As regards the sharing of intelligence, the Counter Terrorism Act 2008 allowed for the disclosure of information to each arm to exercise any of their functions, subject to any limitations imposed by virtue of the Data Protection Act 1998 (now itself replaced by the Data Protection Act 2018) and the Human Rights Act. The Official Secrets Act also applies. The U.K.-U.S. Communication Intelligence Agreement governs the exchange of intelligence information relating to “foreign” communications between the UK and the US, with the code of practice containing more detail as to treatment of foreign intelligence.
The applications – which included journalists and human rights organisations and which might be understood to be particularly affected by the threat of surveillance -were heard together. The 10 Human Rights Organisations had started their action in the IPT; the other applicants claimed there was no effective remedy. The Chamber decision found a violation of Article 8 and Article 10 in relation to the bulk interception regime in s 8(4) RIPA, and the regime for obtaining communications data, but found no violation as regards the information sharing.
There are three aspects to the judgment regarding Article 8. The consideration of the bulk interception (and the possibility of analysing associated communications data); the receipt of data from foreign intelligence services; and the acquisition of communications data from service providers. These also gave rise to claims under Article 10.
The analysis of the bulk communications involves a number of stages, each one narrowing the dataset but at the same time, intensifying the level of scrutiny on that information. The Court identified the following stages (para 325):
- the interception and initial retention of communications and related communications data;
- the application of specific ‘selectors’ (whether stong selectors – eg an email address - or complex queries);
- the examination of the resulting selected communications and communications data and retention of data;
- use of ‘final product’, including sharing that information.
While the mere holding of such information by the State in and of itself has long been held to be an intrusion into Article 8 rights, the Court portrayed the four stages as a process in which the degree of interference increases as the analysis progresses (paras 330-331). While bulk surveillance was not per se prohibited by the ECHR, the entire process must be subject to “end-to-end safeguards”.
The Court considered whether there was a need to develop the case law given the developments in technology. In Weber and Saravia and Liberty & Ors the Court had applied the principles developed in relation to targeted interception – targeted interception, however, has a much narrower impact that bulk surveillance. The Court identified a number of differences between targeted and bulk interception:
- bulk interception was predominantly directed towards international communications (para 244);
- bulk interception was predominantly aimed at intelligence gathering (rather than investigating crime) (para 345);
- insofar as individuals were targeted, there devices were not monitored but rather ‘strong selectors’ were used to fish out their communications from the mass of communications intercepted (para 346).
This meant that the safeguards already in place, although they provide a useful framework, should be adapted. Specifically, rules that envisaged a particular person or group of persons would not work here – eg the requirement to define clearly in domestic law the categories of people liable to have their communications intercepted and the nature of offences which might give rise to such an order or the requirement to have “reasonable suspicion” of the persons put under surveillance (para 348). Nonetheless, domestic law should still set out with sufficient clarity and detail the grounds upon which bulk interception might be authorised and any circumstances in which an individual’s communications might be intercepted. Supervision and review become more important (para 349). The domestic regime should ensure that an assessment of necessity and proportionality is made at each stage of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the bulk operation are being defined; and that the operation at each stage should be subject to supervision and independent ex post facto review (para 350). Affected individuals should have access to an effective remedy. When assessing a regime, the Court would take into account its operation in practice including instances of actual abuse (para 360).
Note that the Court was not persuaded that the acquisition of related communications data through bulk interception was necessarily less intrusive than the acquisition of content. The same safeguards should therefore be used to assessed bulk collection and analysis of communications data as content.
The starting point for analysis is the typical three stage test (lawful, legitimate aim and necessary in a democratic society), but the Court blends the lawful and necessity questions together which it claims is established (citing Roman Zakharov – a Grand Chamber decision discussed here - and Kennedy). The Court produced a framework that was wider -in the assessment of the Court - than the six Weber criteria (para 361):
- the grounds on which bulk interception may be authorised;
- circumstances in which an individual’s communications may be intercepted;
- the procedure for granting authorisation;
- procedures for selecting, examining and using intercept material;
- precautions when communicating material to other parties;
- limits on duration of interception, storage of intercept material and circumstances in which that material must be erased/destroyed;
- supervision by an independent authority (with powers to address non-compliance);
- independent ex post review.
The Court also took the opportunity to provide more detail on data sharing. Any data shared must have been collected and stored in a Convention compliant manner. Additional safeguards relating to the transfer must be in place: the circumstances in which data are to be shared should be set out in domestic law; the receiving state should have safeguards in place capable of preventing abuse, including secure storage and restriction on onward disclosure. Heightened safeguards are required as regards material requiring special confidentiality (eg journalistic material). In principle the same tests apply to communications data, which it viewed as no less intrusive as content, though the safeguards need not be exactly the same given the different way content and communications data were likely to be analysed.
The UK regime did not provide sufficient “end to end” safeguards. In assessing the safeguards, the Court took into account the breadth of the grounds on which surveillance could take place; the UK’s rules ‘were formulated in relatively broad terms’ (para 371). The Court specifically focussed on the absence of independent authorisation, the failure to include the categories of selectors in the application for a warrant (which had implications for the necessity assessment), and the failure to subject selectors linked to an individual to prior internal authorisation both as regards content but also related communications data. Although the Court assessed the oversight provided by the Commissioner and the IPT as effective and robust respectively, these did not compensate for the shortcomings.
Note that in the parallel Swedish case, the Court applied a similar framework to find that the Swedish regime was also deficient. So, it found ‘the absence of a clear rule on destroying intercepted material which does not contain personal data, the absence of a requirement in the Signals Intelligence Act or other relevant legislation that, when making a decision to transmit intelligence material to foreign partners, consideration is given to the privacy interests of individuals; and the absence of an effective ex post facto review’ (Centrum för Rättvisa, para 369).
The complaint under Article 10 was considered separately, with the Court’s starting point being the importance of journalism. It emphasised the detrimental impact of compelled source disclosure, as well as the more serious intrusion of searching of journalists’ homes and workplaces. Safeguards must ‘be attended with the right to protection of journalistic sources must be attended with legal procedural safeguards commensurate with the importance of the principle at stake’, referring back to its decision in Sanoma Uitgevers (para 444). Crucially, independent review must take place prior to disclosure. In the older case of Weber, the interference with the journalist’s expression rights had not been seen as particularly serious; the journalists had not been targeted by the surveillance. The court determined that confidential journalistic material could have been accessed by the intelligence services either intentionally, through the deliberate use of selectors or search terms connected to a journalist or news organisation, or unintentionally, as a “bycatch” of the bulk interception operation. While the former category must be authorised in accordance with the approach in Sanoma Uitgevers, for the latter category because interference with journalistic material was not intended, it could not be predicted and therefore ex ante authorisation would not be possible.
The Court noted the technological developments since Weber, finding that the intrusion now would be more significant than at the time of Weber. Robust safeguards are therefore required so that when it becomes apparent that confidential journalistic material is in issue, that material could only continue to be stored and examined by an analyst if authorised by a judge or other independent and impartial decision‑making body with the power to determine whether its continued storage and examination was “justified by an overriding requirement in the public interest” (para 450). In both aspects, despite specific provisions in the relevant code of practice, the UK regime was deficient.
The complaint was considered from the perspective of solicited intercept material from the NSA. The applicants did not challenge the Chamber’s decision as regards the effectiveness of the IPT. Avoiding questions about Article 1 ECHR and the issue of a State’s jurisdiction, the Court focused on the initial request and subsequent receipt of intercept material, together with any subsequent use thereof. The Court noted the risk of States seeking to circumvent controls; there must be a clear basis in domestic law for such requests (found in the Code), and guarantees against the risk of abuse specifically relating to examination, use and storage, any onward transmission as well as erasure/destruction. The Grand Chamber found that, since the treatment of foreign intelligence was essentially the same as the treatment accorded to domestically generated material, the United Kingdom had in place adequate safeguards for the examination, use and storage of the content and communications data received from intelligence partners, as well as for the onward transmission of this material and for its erasure and destruction. It also noted the extra layer of protection provided by the Commissioner and the IPT. It found no violation of Article 8. The claims under Article 10 were likewise dismissed.
The Chamber’s finding that a regime which suffers the same flaws as a regime accepted to be incompatible with EU law, then having priority over domestic law, must also fail the in accordance with the law test was not challenged as regards Article 8. The Grand Chamber also agreed with this reasoning. An Article 10 challenged had also been brought against the regime. This was also considered not to be in accordance with the law; again the Grand Chamber followed this reasoning to find a violation of Article 10.
While the findings of violation were unanimous, the Court was not unanimous as regards to the finding of no violation being split by 12 votes to 5. Three judges shared a partly concurring opinion; judge Pinto De Albuquerque wrote a partly concurring but partly dissenting opinion and Judges Lemmens, Vehabovic, Ranzoni and Bosnjak produced a partly dissenting opinion.
Most of the commentary has focussed understandably on the fact that the Court did not state that the bulk interception of communications was in itself contrary to Article 8 and on the safeguards. These are – obviously – important points, but there is a prior issue regarding the lawfulness test, which relates to the complexity and availability of domestic law. The Grand Chamber followed the Chamber in accepting that the Codes of Practice satisfied this requirement. While Codes are now public documents, this assessment does not fully take into account that for a considerable period much now in those codes were “below the waterline” and information was only forthcoming as a result of litigation.
Another question is the extent to which the judgment takes into the impact of digitalization. The Chamber judgment has suggested the different rules applied in different contexts, and that not all data would have the same impact. The Grand Chamber recognised that some updating of the analytical framework from Weber would be required (which turns out to be both a good and bad thing), and specifically notes the impact of meta data (probably a good thing). It is open at least to argument to state however that the negative consequences of the revision of Weber outweighed the good.
Looking at the good, it is indubitably true that some recognition of the change in techniques of state surveillance facilitated by changes in technology and computing power is an important prerequisite for ensuring effective protection of individuals’ rights. There is some way to go however before we can state confidently that the Court has appreciated the ramifications of the digitalisation of life and particularly data profiling. The key positive is that the Court does not think that meta data is less sensitive than content (para 363). It emphasises that
any intrusion occasioned by the acquisition of related communications data will be magnified when they are obtained in bulk, since they are now capable of being analysed and interrogated so as to paint an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communications patterns, and insight into who a person interacted with (para 342)
In this, the Court joins the Court of Justice (see eg. Tele2/Watson, para 99). While the Court goes someway to recognise the always-on aspect of digital surveillance (para 341), and certainly does not go down the route of the Chamber in suggesting some data are less impactful than others, it does not acknowledge the possibility of combining communications data with data from other sources. The range of data available is wide, especially given the range of smart devices. These include for example, biometric data from fitness trackers, biometric based systems proposed for cars note the driver’s blood pressure, heart rate and other vital to detect, if the driver is impaired in any way. At home detail from smart energy meters could be shared. Nor does it question the basis on which those analyses and interrogations take place. While in its safeguards it does suggest oversight over the circumstances in which data are chosen, it seems to take the tools as given. This is worrying given the emphasis that has previously been placed on the need for special safeguards in related to automated tools and processing techniques, a point the Court of Justice of the EU has also made (e.g Digital Rights Ireland, para 55).
While the emphasis on the significance of meta data is good, it should not be forgotten that the first part of the case concerned bulk interception – so interference with content. Against this context, the Court’s assessment that the first stage of the surveillance process – the data gathering stage – does not constitute a particularly serious interference is worrying (and arguably not in line with previous case law). It certainly underplays the threat to privacy that is implicit in the acquiring and holding of data (and Judges Lemmens, Vehabovic and Bosnjak discuss this in their concurring opinion, paras 3-8). A further question arises in relation to other forms of surveillance; what if smart city devices (eg lampposts) can record our conversations as we pass by (UK installation of microphones have apparently not been for this purpose but to detect aggression). How comfortable are we about data acquisition then? This reasoning may be the top of the slippery slope.
Within the EU context it should be remembered that the Court of Justice has repeatedly emphasised that “access on a generalised basis to the content of electronic communications” undermined the essence of the relevant EU Charter right (article 7) and could not be therefore be justified (see e.g. Schrems I, para 94). This then suggests a difference in approach between the two European courts. It would be unfortunate if the recognition of the impact of meta data led to a lowering of standards as regards content.
The more problematic development is the approach to reasonable suspicion. The Court acknowledges that these surveillance practices do something different from other more traditional forms of surveillance, which tend to be reactive (ie somebody has done something bad) and more focussed (as opposed to diffuse), most likely based on existing evidence which suggests suspicion of specific individuals. This mass surveillance is about intelligence gathering, and about predicting – thus severing the link between an individual’s choices and actions and the likelihood of that person being the subject of surveillance. Rather than assess the surveillance by reference to existing standards – for example, the presumption of innocence and the impact of a State carrying out surveillance (which is recognised through the case law on the mere storing of data), the Court abandons these standards as part of its updating in order to fit round state choices. In so doing, it gives some legitimacy to the idea that the State may carry out surveillance on individuals without any grounds related to that person (para 317, 348).
This is based on the Court’s deference to the State’s assessment that these are necessary for national security reasons – though this assessment is not really critically examined. Indeed, when it re-emphasised that the choice of adopting certain surveillance techniques fell to the States, it emphasised the valuable nature of the technique (para 386, emphasis added). Judge Pinto De Albuquerque writes critically of the Court’s “self-imposed evidential and adjudicatory limitation” which “leads the Court to assume the inevitability of bulk interception and, even more so, that of a blanket, non-targeted, suspicion-less interception regime (Opinion, para 5). He also points to the fact that previous cases – including Zakharov – have involved bulk intercept of communications and yet still sought to apply the first two Weber criteria that the Court here has abandoned.
While of course a State may be free to make these choices about approaches to surveillance in principle they should be assessed to ensure that they are lawful and necessary in a democratic society. The test of lawfulness and the proportionality test implied in the ‘necessary in a democratic society’ actually ask different questions – but blending them together, as the Court has done here, dilutes the protective nature of the proportionality test. Rather than ask whether this is disproportionate and should not be done, the question becomes how to put oversight in place, which accepts the fact of the interference with the right in the first place. This criticism has been levelled at the Court’s approach before; the Court here (in referring to Zakharov and Kennedy to justify this approach) implies that this blurring of the three part test is both well-established and non-problematic. The Court has in some previous cases suggested that a test of “strict necessity” should be used for mass surveillance (Szabo and Vissy v. Hungary, para 73) – that sort of reasoning is not evident here.
As regards the safeguards themselves, it is unclear which grounds justify bulk surveillance (and contrast the position here with the EU position). It should be noted that that prior judicial authorisation is not a prerequisite for such surveillance, even if it might be best practice (para 320). The Court cites authorities to suggest that ex post oversight compensates for lack of ex ante control; this is like saying it is all right to drop an egg on the floor provided you have bucket and mop to clean up afterwards. The end result is not the same (and Judges Lemmens, Vehabovic and Bosnjak remind the Court of the significant harms that may eventuate from a lack of protection in their partly concurring opinion). Significantly, it seems that despite calling these various safeguards fundamental, a global assessment may be made, suggesting that some regimes may be weaker on some issues (perhaps not deal with them at all?) than others (para 370).
The approach to the sharing of data is also worrying. On the one hand, the Court recognises the threat posed by intelligence sharing, and the risk that safeguards may be circumvented. Yet, it seems to imply that a lesser standard of safeguards is acceptable in this context, and in so doing accepts the practice as well as the lower standards applicable (contrast viewpoint of Judge Koskelo joined by Judge Turković in the chamber judgment). It should be noted that the Court only considers one aspect of intelligence sharing – the receipt by the UK security and intelligence services of information. The issue of proportionality is dealt with relatively briefly. Notably, the Court states that the requirement for safeguards:
“... does not necessarily mean that the receiving State must have comparable protection to that of the transferring State; nor does it necessarily require that an assurance is given prior to every transfer” (para 362).
How oversight is supposed to function against what seems to be a highly flexible framework is uncertain. It is also questionable whether or to what extent this fits with the EU’s approach – admittedly relating to the export rather than as here import of data – under the GDPR and Articles 7 and 8 of the Charter. Judges Lemmens, Vehabovic, Ranzoni and Bosnjak suggested that the same “end-to-end” safeguards should apply here.
In sum, the outcome of this case while certainly restraining some of the potential excesses of the RIPA regime (and possibly therefore its younger sibling, IPA), it is by no means an unqualified victory for privacy activists.