The Court found that, as the provisions contained in the Data Retention Directive “applies to all means of electronic communication [and] covers all subscribers and registered users, [i]t therefore entails an interference with the fundamental rights of practically the entire European population.” [1] As such, the Directive “entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU” [2], which the Court ruled invalid.

The Anderson Review suggests the consequences of the ruling could be significant, since the Grand Chamber’s rulings are strictly binding. Henceforth, UK legislation in this area will require consideration of, for example, “the substantive and procedural conditions for access to and use of retained data” and provision for the physical security of data and its irreversible destruction” [3]. Moreover, although this case covered only the retention of communications data, the legality of bulk interception of communications could also be affected.

The Digital Rights Ireland ruling was cited as the case law with which section 1 of DRIPA was ruled incompatible and thus disapplied, from 31 March 2016, in Davis and Others vs The Secretary of State for the Home Department.

[1] Grand Chamber of the Court of Justice of the European Union, Joined Cases C‑293/12 and C‑594/12, paragraph 56, accessible at http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=407973

[2] Ibid, paragraph 65.

[3] David Anderson QC, A Question of Trust, p.97.

In its ruling, the Court found that section 1 DRIPA was inconsistent with EU law since it “does not lay down clear and precise rules providing for access to and use of [retained] communications data” and “access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary.” [1]

In remedy, the Court “disapplied” DRIPA, although suspended its order until March 31, 2016, allowing government to propose – and Parliament to pass – modified legislation which complies with EU law. This suspension is significant given the sunset clause in DRIPA which requires, in any case, replacement legislation in 2016. The Home Office, in response to the verdict, has indicated an intention to appeal.

In its judgement, the High Court refers often to the Court of Justice of the EU (CJEU) case referred to as ‘Digital Rights Ireland‘, in which the Data Retention Directive was declared invalid. The CJEU stated that “It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.” It’s judgement is based on an infringement of Articles 7 and 8 of the Charter of Fundamental Rights of the EU, which provide for privacy and data protection. While the CJEU case did not concern the bulk interception of content, the High Court felt it is “arguable that its principles (including in relation to prior independent authorisation) should apply in that area with at least the same force.”

Interestingly, the High Court reiterates the point made by the European Courts of Human Rights in the case Liberty v UK (2009) that the “[r]etention for the purpose of possible access is in itself an interference with rights under Articles 7 and 8 of the Charter and Article 8 of the ECHR.” The High Court then stresses the need for minimum safe guards to be expressed in legislation, limiting the purpose of communications data collection to serious offences (leaving the definition to Member States), and requiring prior review by courts or administrative bodies. However, the High Court limits the necessity of prior review to access of communications data, not the retention thereof.

[1] High Court ruling in Davis and Others vs The Secretary of State for the Home Department, paragraph 114, accessible at https://www.judiciary.gov.uk/wp-content/uploads/2015/07/davis_judgment.pdf.

The Anderson Review explains that “the relationship between the WTA and RIPA is somewhat opaque.” Since “there is no operational distinction between the two statutes … both [Acts] could be used to intercept the same communications.” [3]

[1] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.97.

[2] United Kingdom Parliament (2006), Wireless Telegraphy Act, Section 48(5), available at http://www.legislation.gov.uk/ukpga/2006/36/introduction.

[3] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, pp.97-98.

As the Explanatory Notes to the Act make clear, “providers generally have no business purpose for keeping a log of who used each address at a specific point in time” [1]; as such, the Anderson Review notes that the act “provided for the first time that service providers should generate and retain data that they did not need for their own business purposes” [2]. However, the Act also explicitly prevents CSPs from retaining “data that explicitly identifies the internet communications service or websites a user of the service has accessed … sometimes referred to as web logs”, a crude record of browsing history. [3]

[1] Explanatory notes to United Kingdom Parliament (2015), Counter-Terrorism and Security Act, available at http://www.legislation.gov.uk/ukpga/2015/6/notes/contents

[2] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.110.

[3] Explanatory notes to United Kingdom Parliament (2015), Counter-Terrorism and Security Act, available at http://www.legislation.gov.uk/ukpga/2015/6/notes/contents

The Act also includes some limitations to the powers outlined in RIPA, including removing the power for obtaining warrants solely on the grounds of the UK’s economic interests (s.3). It also requires that the Independent Reviewer of Terrorism Legislation reports on the operation and regulation of investigatory powers by 1 May, 2015 (which was published in June 2015), and includes a ‘sunset clause’ providing for new legislation by the end of 2016.

A successful judicial challenge to DRIPA was lodged by the MPs David Davis and Tom Watson, which rendered DRIPA unlawful. This ‘disapplication’ was suspended until March 31, 2016, requiring new replacement legislation by that date, in effect bringing the sunset clause forward.

[1] Accessible at http://www.legislation.gov.uk/ukpga/2014/27/contents/enacted

A further ruling of the IPT in February 2015 found, for the first time in the Tribunal’s history, against the intelligence agencies. It declared that intelligence sharing between the UK and the United States was, prior to December 2014, in contravention of Articles 8 or 10 of the ECHR, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. However, the Tribunal also noted that at the time of its ruling, the agencies were in compliance with the relevant law. [2]

A final ruling of the IPT in this series on 22 June 2015 ruled that GCHQ had acted unlawfully in the way it handled intercepted private communications of the two of the foreign claimants: Egyptian Initiative for Personal Rights (EIPR) and the Legal Resources Centre (LRC) in South Africa. The Tribunal found only “technical” breaches of GCHQ’s internal procedures, which are secret. The court declared that there has been a breach of the EIPR’s Article 8 rights and ordered GCHQ to destroy any of the intercepted communications that were retained for longer than the relevant retention time limit. With regard to the LRC, the Tribunal ruled that “the interception was lawful and proportionate and that the selection for examination was proportionate, but that the procedure laid down by GCHQ’s internal policies for selection of the communications for examination was in error not followed in this case.” Since the data was not used, the Tribunal considers there to be no damage done to the LRC.

[1] Liberty and Others v GCHQ and Others [2014] UKIPTrib 13_77-H, 5 December 2014

[1] Liberty and Others v GCHQ and Others [2015] UKIPTrib 13_77-H, 6 February 2015

[1] Liberty and Others v GCHQ and Others [2015] UKIPTrib 13_77-H , 22 June 2015

• Section 94: Directions in the interests of national security etc.
  • (1) The Secretary of State may, after consultation with a person to whom this section applies, give to that person such directions of a general character as appear to the Secretary of State to be necessary in the interests of national security or relations with the government of a country or territory outside the United Kingdom …
  • (8) This section applies to OFCOM and to providers of public electronic communications networks.[1]

Little is known about the use of this potentially broad power. There is no list of purposes for which surveillance can be carried out, nor key steps to be followed or limitations to be respected in the course of any investigation. The Interception of Communications and Intelligence Services Commissioners appointed under RIPA have both told the UK Parliament they do not oversee its use [2], but the Interception of Communications Commissioner has since formally agreed to oversee its use.

[1] United Kingdom, Parliament (1984) Telecommunications Act 1984, available at: www.legislation.gov.uk/ukpga/1984/12/contents.

[2] Home Affairs Committee – Seventeenth Report, Counter-Terrorism, 30 April 2014, §175, available at: www.publications.parliament.uk/pa/cm201314/cmselect/cmhaff/231/23102.htm.

GCHQ’s Director must ensure “that there are arrangements for securing that no information is obtained by GCHQ except so far as necessary for the proper discharge of its functions and that no information is disclosed by it except so far as necessary for that purpose or for the purpose of any criminal proceedings” (section 4(2)). These functions can be exercised ‘in the interests of national security, the economic well-being of the UK,’ and ‘in support of the prevention or detection of serious crime’ (section 3(2)).

The “interests of national security” have been broadly interpreted in UK law. In a leading case, the Court of Appeal agreed with a government submission that national security “is a protean concept, ‘designed to encompass the many, varied and (it may be) unpredictable ways in which the security of the nation may best be promoted’.”[2]

In relation to gaining unauthorised access to computer networks and systems outside the UK, the Intelligence Services Act 1994 provides:

• 7 Authorisation of acts outside the British Islands.
  • (1) If, apart from this section, a person would be liable in the United Kingdom for any act done outside the British Islands, he shall not be so liable if the act is one which is authorised to be done by virtue of an authorisation given by the Secretary of State under this section…
  • (9) For the purposes of this section the reference in subsection (1) to an act done outside the British Islands includes a reference to any act which—
    • (a) is done in the British Islands; but
    • (b) is or is intended to be done in relation to apparatus that is believed to be outside the British Islands, or in relation to anything appearing to originate from such apparatus.

ISA also provides the basis for interference with property to add a surveillance mechanism – when access to transmitted data is complex, another means of access is to carry out surveillance at endpoints. This must be authorised by the Secretary of State under s.5 of the ISA for MI5, MI6 or GCHQ.

[1] Accessible at: www.legislation.gov.uk/ukpga/1994/13/contents.

[2] United Kingdom, Court of Appeal (2003) Secretary of State for the Home Department v Rehman [2003] 1 AC 153.

Ministers must certify whether bills introduced into Parliament are compliant with the Convention rights, including the ‘Right to Respect for Private life, home and correspondence’ in Article 8 of the ECHR. Senior UK courts may declare that a statute is incompatible with a Convention right – it is then for Parliament to decide whether to change the law to remedy this incompatibility, with a fast-track mechanism for amendment of the statute. Yet until this happens, the declaration alone “does not affect the validity, continuing operation or enforcement of the provision in respect of which it is given” (s.4).

Article 6 (1) of the Human Rights Act, requiring “public authorities to act compatibly with Convention rights”, was held by the Investigatory Powers Tribunal (IPT) in the 2004 case British-Irish Rights Watch and others v Security Service, GCHQ and the SIS to add a further safeguard to the infringement of privacy through the use of powers outlined in RIPA. However, the IPT is not one of the “senior courts” that under the Human Rights Act may make a declaration of incompatibility of UK law with the ECHR.

Article 8 of the Convention contains the following protections for everyone within the jurisdiction of the Council of Europe’s member states:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. [1]

The Court has developed general principles for restrictions on rights. These must be based on published, clear and specific legal rules; serve a legitimate aim in a democratic society; be “necessary” and “proportionate” to that aim; not involve discrimination based on race, colour, sex, language, religion, political or other opinion, national or social origin, nationality, property, birth or other status; not confer excessive discretion on the relevant authorities; and be subject to effective safeguards and remedies.

In his review, David Anderson QC considered the attitude of the European Court of Human Rights to the use of investigatory powers by signatory states including the UK, in relation to the right to privacy set down in Article 8. Anderson suggests that in recent cases, the Court has not tended to distinguish between intercepted communications and the use of communications data. A more salient distinction however is that of bulk collection practices versus individual instances of surveillance, “because of the sheer number of individuals whose private lives are interfered with” [2] in the former case. Thus Anderson summarises the Court’s view that “while bulk is not in itself a disproportionate interference with the right to respect for private life”, as set down in Article 8, nonetheless the practice “will be assessed against a higher standard than individual interferences with the right to privacy. The justification for that interference, and the safeguards in place to prevent abuse, will need to be more compelling if the requirements of Article 8(2) are to be satisfied.”[3]

[1] European Convention on Human Rights, accessible at: http://www.echr.coe.int/Documents/Convention_ENG.pdf

[2] David Anderson Q.C., ‘A question of trust’, Report of the Investigatory Powers Review, July 2015, p.78

[3] Ibid, p.79