Digital Rights Ireland ruling, 2014

The Digital Rights Ireland ruling, of the Grand Chamber of the Court of Justice of the European Union in Joined Cases C‑293/12 and C‑594/12, given in 2014, declared invalid the EU Data Retention Directive (Directive 2006/24/EC). This Directive had provided the legal basis for UK regulations requiring service providers to retain communications data for law enforcement purposes, for between six and 24 months. This ruling resulted in the passing of the Data Retention and Investigatory Powers Act 2014 (DRIPA) by the UK Parliament, which asserted the continuing legality of communications data retention.

The Court found that, as the provisions contained in the Data Retention Directive “applies to all means of electronic communication [and] covers all subscribers and registered users, [i]t therefore entails an interference with the fundamental rights of practically the entire European population.” [1] As such, the Directive “entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU” [2], which the Court ruled invalid.

The Anderson Review suggests the consequences of the ruling could be significant, since the Grand Chamber’s rulings are strictly binding. Henceforth, UK legislation in this area will require consideration of, for example, “the substantive and procedural conditions for access to and use of retained data” and provision for the physical security of data and its irreversible destruction” [3]. Moreover, although this case covered only the retention of communications data, the legality of bulk interception of communications could also be affected.

The Digital Rights Ireland ruling was cited as the case law with which section 1 of DRIPA was ruled incompatible and thus disapplied, from 31 March 2016, in Davis and Others vs The Secretary of State for the Home Department.

 

[1] Grand Chamber of the Court of Justice of the European Union, Joined Cases C‑293/12 and C‑594/12, paragraph 56, accessible at http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=407973

[2] Ibid, paragraph 65.

[3] David Anderson QC, A Question of Trust, p.97.

Ruling: Davis and Others vs The Secretary of State for the Home Department

Davis and Others vs The Secretary of State for the Home Department was a judicial challenge by the MPs David Davis and Tom Watson to the Data Retention and Investigatory Powers Act 2014 (DRIPA). The case was heard in the High Court of Justice, which ruled in favour of the claimants, rendering DRIPA unlawful.

In its ruling, the Court found that section 1 DRIPA was inconsistent with EU law since it “does not lay down clear and precise rules providing for access to and use of [retained] communications data” and “access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary.” [1]

In remedy, the Court “disapplied” DRIPA, although suspended its order until March 31, 2016, allowing government to propose – and Parliament to pass – modified legislation which complies with EU law. This suspension is significant given the sunset clause in DRIPA which requires, in any case, replacement legislation in 2016. The Home Office, in response to the verdict, has indicated an intention to appeal.

In its judgement, the High Court refers often to the Court of Justice of the EU (CJEU) case referred to as ‘Digital Rights Ireland‘, in which the Data Retention Directive was declared invalid. The CJEU stated that “It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.” It’s judgement is based on an infringement of Articles 7 and 8 of the Charter of Fundamental Rights of the EU, which provide for privacy and data protection. While the CJEU case did not concern the bulk interception of content, the High Court felt it is “arguable that its principles (including in relation to prior independent authorisation) should apply in that area with at least the same force.”

Interestingly, the High Court reiterates the point made by the European Courts of Human Rights in the case Liberty v UK (2009) that the “[r]etention for the purpose of possible access is in itself an interference with rights under Articles 7 and 8 of the Charter and Article 8 of the ECHR.” The High Court then stresses the need for minimum safe guards to be expressed in legislation, limiting the purpose of communications data collection to serious offences (leaving the definition to Member States), and requiring prior review by courts or administrative bodies. However, the High Court limits the necessity of prior review to access of communications data, not the retention thereof.

[1] High Court ruling in Davis and Others vs The Secretary of State for the Home Department, paragraph 114, accessible at https://www.judiciary.gov.uk/wp-content/uploads/2015/07/davis_judgment.pdf.

 

Wireless Telegraphy Act 2006

The Wireless Telegraphy Act 2006, an Act of Parliament, was described by the Anderson Review as, outside of RIPA, “the key statute allowing for the interception of communications.” [1] Sections 48 and 49 grant broad powers for the interception of communications to “the Secretary of State, the Commissioners for [HMCR], or any other person designated for the purposes of this section by regulations made by the Secretary of State.” [2] The use of this power is limited to necessary and proportionate circumstances, and in relation to national security, the prevention of crime, public safety or health, economic well-being or tax collection.

The Anderson Review explains that “the relationship between the WTA and RIPA is somewhat opaque.” Since “there is no operational distinction between the two statutes … both [Acts] could be used to intercept the same communications.” [3]

 

[1] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.97.

[2] United Kingdom Parliament (2006), Wireless Telegraphy Act, Section 48(5), available at http://www.legislation.gov.uk/ukpga/2006/36/introduction.

[3] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, pp.97-98.

 

Counter Terrorism and Security Act 2015

The Counter Terrorism and Security Act 2015, an Act of Parliament, makes provision for the retention of data by Content Service Providers (CSPs), amongst other counter-terrorist measures. Part III of the Act revises DRIPA to include mandating the retention of data regarding the allocation of IP addresses to given devices at particular times – thereby providing authorities with more information about the identity of a particular device user when IP addresses are used by multiple users simultaneously. For technical reasons however this provision does not make it possible in every case to verify the identity of individuals using devices.

As the Explanatory Notes to the Act make clear, “providers generally have no business purpose for keeping a log of who used each address at a specific point in time” [1]; as such, the Anderson Review notes that the act “provided for the first time that service providers should generate and retain data that they did not need for their own business purposes” [2]. However, the Act also explicitly prevents CSPs from retaining “data that explicitly identifies the internet communications service or websites a user of the service has accessed … sometimes referred to as web logs”, a crude record of browsing history. [3]

 

[1] Explanatory notes to United Kingdom Parliament (2015), Counter-Terrorism and Security Act, available at http://www.legislation.gov.uk/ukpga/2015/6/notes/contents

[2] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.110.

[3] Explanatory notes to United Kingdom Parliament (2015), Counter-Terrorism and Security Act, available at http://www.legislation.gov.uk/ukpga/2015/6/notes/contents

Data Retention and Investigatory Powers Act 2014

The Data Retention and Investigatory Powers Act 2014, an Act of Parliament, was passed in response to the Digital Rights Ireland ruling by the Court of Justice of the EU. [1] The Act’s primary provision is to restore to the Secretary of State the power to require communications service providers to retain for up to 12 months certain data generated or processed in the UK relating to telephony and Internet communications.  This “communications data” – information about subscribers and their use of a communications service – is collected by many government agencies from UK Communications Service Providers using powers in Part 1 Chapter 2 of RIPA. The Act was also intended to put beyond doubt the extraterritorial effects of authorisations and requirements, so that they could be served on overseas service providers.

The Act also includes some limitations to the powers outlined in RIPA, including removing the power for obtaining warrants solely on the grounds of the UK’s economic interests (s.3). It also requires that the Independent Reviewer of Terrorism Legislation reports on the operation and regulation of investigatory powers by 1 May, 2015 (which was published in June 2015), and includes a ‘sunset clause’ providing for new legislation by the end of 2016.

A successful judicial challenge to DRIPA was lodged by the MPs David Davis and Tom Watson, which rendered DRIPA unlawful. This ‘disapplication’ was suspended until March 31, 2016, requiring new replacement legislation by that date, in effect bringing the sunset clause forward.

[1] Accessible at http://www.legislation.gov.uk/ukpga/2014/27/contents/enacted

Ruling: IPT rulings in Liberty v Others cases

Liberty and Others v GCHQ and Others was a case combining various complaints made by privacy groups including Liberty, Amnesty International, Privacy International and others, heard by the Investigatory Powers Tribunal.  The complainants alleged that the interception activities of various UK bodies including GCHQ and the Home Office contravened Articles 8, 10 and 14 of the European Convention on Human Rights, in relation to the rights to privacy, freedom of expression and non-discrimination. In December 2014 the tribunal decided the UK’s surveillance activities were compatible with the European Convention’s privacy and freedom of expression guarantees. [1] In April 2015, the privacy groups involved lodged a complaint to the European Court of Human Rights in relation to the arguments rejected in the December ruling.

A further ruling of the IPT in February 2015 found, for the first time in the Tribunal’s history, against the intelligence agencies. It declared that intelligence sharing between the UK and the United States was, prior to December 2014, in contravention of Articles 8 or 10 of the ECHR, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. However, the Tribunal also noted that at the time of its ruling, the agencies were in compliance with the relevant law. [2]

A final ruling of the IPT in this series on 22 June 2015 ruled that GCHQ had acted unlawfully in the way it handled intercepted private communications of the two of the foreign claimants: Egyptian Initiative for Personal Rights (EIPR) and the Legal Resources Centre (LRC) in South Africa. The Tribunal found only “technical” breaches of GCHQ’s internal procedures, which are secret. The court declared that there has been a breach of the EIPR’s Article 8 rights and ordered GCHQ to destroy any of the intercepted communications that were retained for longer than the relevant retention time limit. With regard to the LRC, the Tribunal ruled that “the interception was lawful and proportionate and that the selection for examination was proportionate, but that the procedure laid down by GCHQ’s internal policies for selection of the communications for examination was in error not followed in this case.” Since the data was not used, the Tribunal considers there to be no damage done to the LRC.

[1] Liberty and Others v GCHQ and Others [2014] UKIPTrib 13_77-H, 5 December 2014

[1] Liberty and Others v GCHQ and Others [2015] UKIPTrib 13_77-H, 6 February 2015

[1] Liberty and Others v GCHQ and Others [2015] UKIPTrib 13_77-H , 22 June 2015

Telecommunications Act 1984

The Telecommunications Act 1984, an Act of Parliament, gives potentially wide-reaching power to the Secretary of State in relation to communications networks.

  • Section 94: Directions in the interests of national security etc.
    • (1) The Secretary of State may, after consultation with a person to whom this section applies, give to that person such directions of a general character as appear to the Secretary of State to be necessary in the interests of national security or relations with the government of a country or territory outside the United Kingdom …
    • (8) This section applies to OFCOM and to providers of public electronic communications networks.[1]

Little is known about the use of this potentially broad power. There is no list of purposes for which surveillance can be carried out, nor key steps to be followed or limitations to be respected in the course of any investigation. The Interception of Communications and Intelligence Services Commissioners appointed under RIPA have both told the UK Parliament they do not oversee its use [2], but the Interception of Communications Commissioner has since formally agreed to oversee its use.

[1] United Kingdom, Parliament (1984) Telecommunications Act 1984, available at: www.legislation.gov.uk/ukpga/1984/12/contents.

[2] Home Affairs Committee – Seventeenth Report, Counter-Terrorism, 30 April 2014, §175, available at: www.publications.parliament.uk/pa/cm201314/cmselect/cmhaff/231/23102.htm.

Intelligence Services Act 1994

The Intelligence Services Act 1994 (ISA) provides the core legal basis for the surveillance activities of the Government Communications Headquarters (GCHQ). [1] As detailed in the Act, GCHQ’s first statutory function is “to monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material” (section 3 (1)(a)).

GCHQ’s Director must ensure “that there are arrangements for securing that no information is obtained by GCHQ except so far as necessary for the proper discharge of its functions and that no information is disclosed by it except so far as necessary for that purpose or for the purpose of any criminal proceedings” (section 4(2)). These functions can be exercised ‘in the interests of national security, the economic well-being of the UK,’ and ‘in support of the prevention or detection of serious crime’ (section 3(2)).

The “interests of national security” have been broadly interpreted in UK law. In a leading case, the Court of Appeal agreed with a government submission that national security “is a protean concept, ‘designed to encompass the many, varied and (it may be) unpredictable ways in which the security of the nation may best be promoted’.”[2]

In relation to gaining unauthorised access to computer networks and systems outside the UK, the Intelligence Services Act 1994 provides:

  • 7 Authorisation of acts outside the British Islands.
    • (1) If, apart from this section, a person would be liable in the United Kingdom for any act done outside the British Islands, he shall not be so liable if the act is one which is authorised to be done by virtue of an authorisation given by the Secretary of State under this section…
    • (9) For the purposes of this section the reference in subsection (1) to an act done outside the British Islands includes a reference to any act which—
      • (a) is done in the British Islands; but
      • (b) is or is intended to be done in relation to apparatus that is believed to be outside the British Islands, or in relation to anything appearing to originate from such apparatus.

ISA also provides the basis for interference with property to add a surveillance mechanism – when access to transmitted data is complex, another means of access is to carry out surveillance at endpoints. This must be authorised by the Secretary of State under s.5 of the ISA for MI5, MI6 or GCHQ.

 

[1] Accessible at: www.legislation.gov.uk/ukpga/1994/13/contents.

[2] United Kingdom, Court of Appeal (2003) Secretary of State for the Home Department v Rehman [2003] 1 AC 153.

Human Rights Act 1998

The Human Rights Act 1998, an Act of Parliament, incorporates the rights set down in the European Convention on Human Rights (ECHR) into UK law. Specifically, it requires that public authorities act in accordance with the rights in Articles 2-12 and 14 of the Convention, Articles 1-3 of the First Protocol, and Article 1 of the Thirteenth Protocol, as read with Articles 16-18 of the Convention (section 6).  Courts must interpret statues to give effect to them (s.3).

Ministers must certify whether bills introduced into Parliament are compliant with the Convention rights, including the ‘Right to Respect for Private life, home and correspondence’ in Article 8 of the ECHR. Senior UK courts may declare that a statute is incompatible with a Convention right – it is then for Parliament to decide whether to change the law to remedy this incompatibility, with a fast-track mechanism for amendment of the statute. Yet until this happens, the declaration alone “does not affect the validity, continuing operation or enforcement of the provision in respect of which it is given” (s.4).

Article 6 (1) of the Human Rights Act, requiring “public authorities to act compatibly with Convention rights”, was held by the Investigatory Powers Tribunal (IPT) in the 2004 case British-Irish Rights Watch and others v Security Service, GCHQ and the SIS to add a further safeguard to the infringement of privacy through the use of powers outlined in RIPA. However, the IPT is not one of the “senior courts” that under the Human Rights Act may make a declaration of incompatibility of UK law with the ECHR.

European Convention on Human Rights

The UK is a party to the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), a treaty of the Council of Europe. The European Court of Human Rights, which hears individual petitions against rights violations, can declare UK law incompatible with the Convention, which usually leads to parliamentary amendment or further discussion by the European Court in later cases appealed from the UK courts. The UK’s Human Rights Act 1998 requires public authorities to act in accordance with the Convention rights.

Article 8 of the Convention contains the following protections for everyone within the jurisdiction of the Council of Europe’s member states:

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. [1]

The Court has developed general principles for restrictions on rights. These must be based on published, clear and specific legal rules; serve a legitimate aim in a democratic society; be “necessary” and “proportionate” to that aim; not involve discrimination based on race, colour, sex, language, religion, political or other opinion, national or social origin, nationality, property, birth or other status; not confer excessive discretion on the relevant authorities; and be subject to effective safeguards and remedies.

In his review, David Anderson QC considered the attitude of the European Court of Human Rights to the use of investigatory powers by signatory states including the UK, in relation to the right to privacy set down in Article 8. Anderson suggests that in recent cases, the Court has not tended to distinguish between intercepted communications and the use of communications data. A more salient distinction however is that of bulk collection practices versus individual instances of surveillance, “because of the sheer number of individuals whose private lives are interfered with” [2] in the former case. Thus Anderson summarises the Court’s view that “while bulk is not in itself a disproportionate interference with the right to respect for private life”, as set down in Article 8, nonetheless the practice “will be assessed against a higher standard than individual interferences with the right to privacy. The justification for that interference, and the safeguards in place to prevent abuse, will need to be more compelling if the requirements of Article 8(2) are to be satisfied.”[3]

[1] European Convention on Human Rights, accessible at: http://www.echr.coe.int/Documents/Convention_ENG.pdf

[2] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.78

[3] Ibid, p.79