April 29, 2013

Chapter Two

Angela Patrick is director of human rights policy at JUSTICE, an all-party law reform and human rights organisation. Angela is a qualified barrister, educated at Durham and Cambridge Universities. Before joining JUSTICE, from 2006 – 2011, she was assistant legal adviser to the UK Parliament’s Joint Committee on Human Rights.

Surveillance is a necessary activity in the fight against serious crime. When targeted, it clearly plays a vital part in our national security. However, unnecessary and excessive surveillance destroys our privacy and blights our liberty. Technological changes have consistently created a tension between the law, surveillance and the protection of privacy. In 1970, JUSTICE first observed:

Privacy has been infringed as long as man has lived in society; in every community, there have always been eavesdroppers, gossips and peeping Toms. But until very recent times, the physical means of infringement available to those have been our natural senses, apparatus with which we are all familiar and against which we know instinctively how to protect ourselves. The arrival of advanced electronics, microcircuits, high-definition optics, infra-red film and the laser beam have changed all this. 2

The intervening decades and the advent of the Internet have changed our relationship with each other and with the technology we use to support our daily lives. This has also created a new impetus to harness this technology for the purposes of the prevention and detection of crime, creating new challenges to our expectations of privacy. 3 The legal framework in the UK has routinely struggled to keep pace.

The common law famously stopped far short of an enforceable right to privacy. It has however long recognised the impact which living our lives observed may have upon our personal and social development.4

It is generally accepted that the greatest impetus for the structured regulation of surveillance within the United Kingdom has been the scrutiny of the European Court of Human Rights and the application of the right to respect for private and family life, home and correspondence, provided by Article 8 of the European Convention on Human Rights (ECHR), now transposed into domestic law by the Human Rights Act 1998 (HRA 1998). Article 8(1) ECHR protects the right to respect for private and family life, home and correspondence. Article 8(2) provides that interferences with that right can only be justified when they serve a legitimate aim – such as protecting the rights of others or preventing and detecting crime – and the interference is necessary in a democratic society.

That each of the distinct acts of collection, retention and use of personal information is protected by our right to respect for private life, home and correspondence guaranteed by Article 8 ECHR is now a given.5 However, the Convention also recognises that surveillance is a justifiable act of State in the interests of protecting the rights of the wider community. Balancing the competing public interest in personal privacy and the public interest served by acts of covert surveillance, in practice, involves answering a series of questions:

  1. Is the law governing surveillance sufficiently clear and precise to allow individuals to understand when surveillance powers will be used? For example, when will personal data be retained, and in what circumstances may it be accessed by the State?
  2. Do those statutory provisions – and their implementation – address a legitimate aim, addressing the prevention and detection of crime, or other significant public interest?
  3. Has evidence been produced to show how surveillance benefits this aim, and to support the Government’s case that the interference with individual privacy posed would be proportionate to those benefits?
  4. Is surveillance the least restrictive means of achieving the aim and have alternatives been considered?
  5. Are adequate and effective safeguards against abuse provided?

Surveillance generally occurs without the knowledge of the individual being watched. Only in the limited circumstances when the information is used in a trial or when an authority acknowledges the surveillance will an individual be able to challenge its propriety. In these circumstances, the European Convention on Human Rights places a significant obligation on the State to ensure that surveillance powers are closely drawn, safeguards appropriate and provision made for effective oversight:

[it is] unacceptable that the assurance of the enjoyment of a right … could be…removed by the simple fact that the person concerned is kept unaware of its violation.6

The Court stressed that the justification of any surveillance measures places a significant burden on states to adopt the least intrusive measures possible:

[P]owers of secret surveillance of citizens, characterising as they do the police state, are tolerable under the Convention only in so far as strictly necessary for safeguarding the democratic institutions.7

Although the courts have stopped short of expressly requiring prior judicial authorisation of all surveillance operations, in many cases it has been considered essential. Judicial scrutiny is the paramount means of protecting individual privacy in instances where the individual themselves may be unaware that their information is being handled:

The rule of law implies, inter alia, that interference by the executive authorities with an individual’s rights should be subject to effective supervision, which should normally be carried out by the judiciary, at least in the last resort, since judicial control affords the best guarantees of independence, impartiality and a proper procedure.8

The primary focus of the European Court of Human Rights has been on the effectiveness of the law governing surveillance to avoid violations before they arise. Over the course of the 80s and 90s, the legislative framework in the UK was found seriously lacking, as we consistently failed to provide any adequate statutory basis for the use of covert powers of surveillance by our police and security agencies.9

Regulation of Investigatory Powers Act 2000 (“RIPA”)

The Regulation of Investigatory Powers Act 2000, or ‘RIPA’ as it is commonly known, governs the use of covert surveillance by public bodies. This includes bugs, video surveillance and interceptions of private communications (e.g. phone calls and emails), and even undercover agents (‘covert human intelligence sources’). It was introduced following a decision that the existing law on surveillance was insufficiently clear and incompatible with Article 8 ECHR.10

RIPA governs surveillance by the police and other law enforcement bodies (e.g. the Serious Fraud Office or the Serious Organised Crime Agency), the security and intelligence services (MI5, MI6 and GCHQ), as well as a large number of other public bodies, including local government.

As a general rule, RIPA governs active surveillance – actions interfering with individual privacy that would normally be illegal if carried out by a private individual, e.g. installing a listening device in someone’s house, but that can be lawful when carried out for a legitimate governmental purpose, e.g. detecting crime. It does not extend to other privacy technologies such as databases or CCTV (except, for example, where the CCTV camera was installed in such a way as to monitor a private home). This kind of surveillance activity is governed by the Data Protection Act 1998, which affords individuals protection against the disproportionate and unnecessary use and processing of their personal data.11

RIPA distinguishes between interception of private communications and communications data (Part 1), and between directed surveillance and intrusive surveillance (Part 2).

‘Directed’ surveillance is surveillance that is conducted as part of a specific investigation and carried out ‘in such a manner as is likely to result in the obtaining of private information about a person’.

‘Intrusive’ surveillance is directed surveillance that involves either residential premises, a private vehicle, or any kind of surveillance device. So, for example, following a suspect down a street as part of an operation would be directed surveillance. Planting a bug in someone’s house, by contrast, would be intrusive surveillance.

Interception of private communication (phone calls, emails, text messages, faxes, etc) or ‘intercepts’ are the most sensitive kind of surveillance. With few exceptions, interceptions are authorised under warrant by the Home Secretary and anything obtained pursuant to a warrant – and the warrant itself – is completely inadmissible in any legal proceedings. This is because of the fears of MI5 and MI6 that using intercept evidence would reveal too much about their interception capabilities. Interception without authorisation is a criminal offence.

‘Communications data’ is different from intercepts in that it is information about a communication rather than its contents. For example, the record of your phone provider that you called a particular telephone number on a particular time and date is communications data. What was actually said as part of the telephone call would normally be covered by an intercept.

RIPA is complex and the kind of authorisation required and level of oversight available depends very much on the kind of surveillance. Generally speaking, the least intrusive kinds of surveillance are largely self-authorised by a senior member of the public body concerned, with after-the-fact scrutiny by the relevant commissioner. More intrusive surveillance requires the involvement of the Surveillance Commissioner but there is no prior judicial authorisation required for intercepts – the most intrusive kind of surveillance. The application of the Act is not limited to police and security services, but extends to public authorities including local councils, HMRC and other statutory bodies serving public functions. However, the most intrusive types of surveillance are reserved for use by a more limited range of services who work on the prevention and detection of crime.

In virtually every other common law country, interceptions and bugs by law enforcement require a judicial warrant. This means that the police have to apply to a judge for permission before they can carry out surveillance. By contrast, an interception warrant under Part 1 of RIPA is granted by the Home Secretary.12 The only requirement for judicial scrutiny under RIPA was introduced in 2012, when Parliament determined that local authorities exercising surveillance powers should first be authorised by a magistrate.13

Part 4 of the Act provides for after-the-fact oversight by three different bodies: the Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner. Different activities are governed by different Commissioners. The Investigatory Powers Tribunal – a special Tribunal with extraordinary procedures which allow a complaint to be considered in secret and without confirming that an individual has been subject to surveillance – is established to hear complaints related to surveillance, including claims that an operation has violated individual rights under the HRA 1998.

RIPA was intended to provide a human rights compatible framework for the governance of surveillance in the modern age. Unfortunately, the Act has been subject to widespread criticism. One of our most senior judges has criticised the Act as “perplexing”.14 The Act has led to a decade of crises and public controversies. For example, at the heart of the phone-hacking scandal was a misunderstanding that intercepting a voicemail message was only a criminal offence if the recipient hadn’t listened to it before the hacker did.15

Communications Data and the Draft Bill

The proposals in the Draft Communications Data Bill would adopt the existing RIPA oversight model and would build upon its framework for access to data. Failing to address the criticism about complexity and ineffective administrative oversight, it would expand upon the pool of data available for the purposes of surveillance by creating a new statutory framework for the generation and retention of data. The combination of this expanded model for retention and access may make the shortcomings in the RIPA model for oversight all the more glaring.

Communications data is defined by RIPA and includes subscriber data, traffic data and use data. Broadly, subscriber data is information held by a provider about a user; traffic data outlines information such as the location of the communication and the people involved, and details of the equipment used; and use data relates to the use made of the relevant service (for example, what websites a user has visited etc).16 For example, subscriber data as originally defined might capture account details and addresses or telephone numbers associated with an account. In the Internet age, it might extend to all of the information held by, for example, Facebook, on its users, including “likes”, “dislikes”, marital status, family relationships and employment history and photographs. Traffic data as defined might set out the location of two static telephones; in the digital age, it may give a sophisticated picture of the type of device being used and may allow an individual’s movements to be pinpointed across a series of mobile phone calls as they move across the country. The definitions of communications data in RIPA would be adopted in the Draft Bill without amendment. The Parliamentary Joint Committee appointed to scrutinise the Draft Bill accepted that the definitions in RIPA are generally outdated.

Under RIPA, “Requests” may be made for information that the provider already holds. Notices issued under RIPA may require a provider to acquire data it does not routinely keep on behalf of the requesting body. Notices and authorisations last one month unless renewed.17 Service providers must comply with notices requiring access to communications data under RIPA, unless it is ‘not reasonably practicable’ to do so.18 If necessary, the Secretary of State can seek an injunction for the enforcement of the notice.19 Oversight is provided by the Interception of Communications Commissioner.20 Since late 2005, public bodies able to make requests have been subject to an inspection regime carried out by an inspectorate under the direction of a Chief Inspector and the supervision of the Commissioner. Named public bodies can access different categories of data for different purposes, following internal administrative authorisation by a senior officer within their organisation. Local authorities may only access limited data following authorisation by a magistrate.

The Data Retention (EC Directive) Regulations 2009 (which implement the EU Data Retention Directive)21 require certain public communications operators to retain information originally held for commercial purposes for up to 12 months.22

The overriding difference between the existing framework and the proposals in the Draft Bill is a shift away from the presumption that for limited purposes, the State may access data already retained or reasonably obtainable by service providers, when shown to be necessary and proportionate for the prevention or detection of crime and other reasons, which serve the public interest. Instead, it creates a statutory basis for the generation, collection and retention of data about us all, with a rolling picture of our communications to be retained by individual Communications Service Providers (CSPs) for one year.23

The Draft Bill envisages an entirely new regime for access to this expanded pool of data, albeit one which appears similar to the RIPA model of requests and notices served by public officials “authorised” to obtain data for specific purposes (Clause 10). However, the Bill also provides for the creation of a centralised “filter” mechanism (Clause 14). Even following pre-legislative scrutiny, it is extremely unclear how this filter will relate to the data which CSPs will be required to harvest and store. However, it is clear that the Government intends that this mechanism will allow the process of obtaining data following authorisation to be significantly automated and controlled by a central system which is either digitally operated or operated by a staff team under contract to the Secretary of State (it has been suggested that the Metropolitan Police might tender for this role). Without further information about how the filter mechanism might operate – or indeed how it might relate to individual authorisations – it is incredibly difficult to consider whether it might be accompanied by adequate safeguards for the protection of privacy. However, the introduction of automation for the compilation of data across several different providers does suggest that the Government seeks to increase the accessibility of data significantly. The Parliamentary Joint Committee appointed to scrutinise the Draft Bill described the process:

The Request Filter is a Government owned and operated data mining device which, to work efficiently, requires each CSP to maintain its own database of all its communications data in a common format. Each CSP database will be able to be accessed at any time by the Request Filter … The Request Filter can be equated to a federated database.24

This expanded pool of data, in combination with easier access through automated processing, raises a number of questions about the proportionality of these measures. The question is then whether each of these steps is justified and proportionate, and whether, taken together, they are necessary in a democratic society. Even if evidence can be produced to show that there is a legitimate need for change, without clear information on the operation of these measures, it is difficult to assess whether there will be adequate safeguards in place – including through effective oversight – to satisfy the requirements of Article 8 ECHR and to protect the right to respect for private life, home and correspondence.

However, the compilation and the retention of data – as opposed to its use – has been subject to increasing judicial scrutiny both at home and in Strasbourg.25 For example, the routine retention of the DNA samples and profiles of innocent people – who had been arrested and released – as part of the National DNA Database has been ruled a disproportionate interference with the right to respect for private life. In that case, the European Court of Human Rights explained that measures which operate without regard to individual impact and characteristics must be accompanied by clear justification and appropriate safeguards.26 More recently, the Court of Appeal ruled that the routine collection and retention by the police of information about protesters not suspected of any criminal offence could amount to a violation of the rights of those individuals to respect for private life under Article 8 ECHR.27

The arguments provided by the Government in support of the Bill have significantly underplayed the impact on individual privacy of data retention. A failure to recognise the proper boundaries imposed by the Convention – and the HRA 1998 – will lead to a significant risk of litigation and subsequent legal challenge at home or abroad. Individuals will seek to have retained data deleted and may challenge a refusal to do so. The proper scope of the existing law on data retention – embodied in the EU Data Retention Directive – is currently being challenged in precisely this way across Europe. Digital Rights Ireland awaits a decision of the European Court of Justice in Luxembourg on the legality of blanket retention under EU law.28

The UK is pushing the boundaries of international law on the retention of data for the purposes of the prevention and detection of crime. As learnt in the development of the DNA database, where arbitrary rules are imposed without proper justification, the law will push back.

 


Notes

1. This section provides a brief review of the history of the law on surveillance in the UK. For a fuller analysis of the development of the current law, see JUSTICE, Freedom from Suspicion: Surveillance Reform for a Digital Age, 2011.

2. JUSTICE, Privacy and the Law, 1970, para 110.

3. See for example, Malone v Commissioner of Police for the Metropolis [1979] 244 Ch 357 – 362.

4. See for example, the description in Blackstone’s Commentaries on the Laws of England, Bk IV, Ch13: “Eaves-droppers, or such as listen under walls or windows, or the eaves of a house, to hearken after discourse…are indictable at the sessions”.

5. In Malone v UK (1984) 7 EHRR 14, the Court considered the attachment of a ‘meter check printer’ to a telephone line for the purposes of recording the time calls were made, to whom and for how long. The Court considered that the collection of this information engaged the right to privacy, but in these circumstances could be justified by reference to the commercial need for a supplier of services to legitimately ensure a subscriber is charged correctly. This use was proportionate and justifiable. However, passing the information to the police without statutory authority and relevant safeguards against abuse was not. See, for example, paras 56 – 84. In Amann v Switzerland (2000) 30 EHRR 843, for example, the Court held that the storing of information about the applicant on a card in a file was found to be an interference with private life, even though it contained no sensitive information and had probably never been consulted. In Rotaru v Romania (2000) 8 BHRC 449, at para 43, the Court stresses that even ‘public information can fall within the scope of private life where it is systematically collected and stored in files held by the authorities’.

6. (1978) 7 2 EHRR 214, paras 36, 41.

7. Ibid, para 42. See also Para 49: ‘The Court, being aware of the danger such a law poses of undermining or even destroying democracy on the ground of defending it, affirms that the Contracting States may not, in the name of the struggle against espionage and terrorism adopt whatever means they deem appropriate’.

8. Rotaru v Romania (2000) 8 BHRC 43 at para 59.

9. Malone v UK (1984) 7 EHRR 14 prompted the introduction of the Interception of Communications Act 1985, the first statutory regulation of surveillance in the UK.

10. Halford v UK (1997) 24 EHRR 523

11. A fuller description of the law governing CCTV can be found in Freedom from Suspicion, from page 111. See also Protection of Freedoms Act 2012, Sections 29 – 36, which will introduce a new Code of Practice to govern the use of surveillance cameras and provide for the appointment of a new Surveillance Camera Commissioner. The scope of the Code and the proposed role of the new Commissioner is outside the scope of this commentary.

12. RIPA, Section 5.

13. Protection of Freedoms Act 2012, Sections 37 – 38.

14. Attorney General’s Reference No 5 of 2002 [2004] UKHL 40 at para 9 (Lord Bingham). See also para 29 (Lord Steyn).

15. Freedom from Suspicion, para 10.

16. Freedom from Suspicion, Chapter 4, provides fuller details on the existing rules governing interception of communications data. Sections 21 and 22 of RIPA govern the current framework.

17. RIPA, Section 23(4) and (7).

18. RIPA, Section 22(7).

19. RIPA, Section 22(8).

20. RIPA, Section 57(2)(b). See further Freedom from Suspicion, Chapter 3 above.

21. Directive 2006/24 EC

22. SI 859/2009

23. Draft Communications Data Bill, Part 1.

24. Joint Committee on the Draft Communications Data Bill, First Report of Session 2012-13, Draft Communications Data Bill, HL Paper 79/HC 479, para 113.

25. Amann v Switzerland (2000) 30 EHRR 843

26. S & Marper v UK, (2009) 48 EHRR 50

27. John Catt v ACPO and the Commissioner of the Metropolitan Police [2013] EWCA Civ 192

28. Digital Rights Ireland v The Minister for Justice and Others, [2010] 2006/3785P. A fuller consideration of each of the challenges is provided by the European Commission in its report to the Council and the European Parliament on this issue: COM (2011) 225. http://ec.europa.eu/commission_2010-2014/malmstrom/archive/20110418_data_retention_evaluation_en.pdf . There are additional questions raised over the compatibility of the operation of the Request Filter with EU law, in particular, whether the operation of the Filter will amount to “general monitoring” as prohibited by Article 15 of Directive 2000/31 EC (the E-Commerce Directive). These specific questions are outside the scope of this short introduction.