Prepared by Jim Killock, Executive Director
The Consultation process has been extremely flawed. The Home Office made no attempt to involve civil society or the groups whose complaints have, by the Home Office’s own admission, resulted in legal action against the UK by the EU Commission.
Interception of communications is of interest to the public because is it the regulation of their human right to privacy. Privacy is an increasing concern to people, who do not wish to feel that they are unprotected or inadequately protected from the prying eyes of governments or corporations, but find that new technologies give ever greater ability and commercial temptation to gather data.
Among communications companies and in fact anyone running a network, new technologies to intercept and examine communications “packets” are driving the potential for interception. Commercial opportunities to benefit from interception are being found; some are legitimate and some are not. But the lack of a regulator – or in fact anyone UK residents could complain to – sparked complaints to the EU Commission.
This Consultation has not recognized this, and has instead chosen to focus on those who might be the subjects of regulation as a “targeted consultation”, rather than those impacted by interference in their fundamental rights. Furthermore, it has wrongly focused on “unintentional” interception, and limited its scope to Communications Service Providers. It has also prejudged the matter of who should be the regulator. We do not have confidence in the independence of the chosen Interception of Communications Commissioner.
Baroness Neville-Jones wrote to us to explain that the short consultation is taking place in order to avoid substantial fines from the EU, an objective we can understand, although the Home Office has chosen the last possible moment to deal with this.
Unfortunately, it is likely these proposals will fail to satisfy the EU Commission, and we therefore believe it is very likely that legal action will continue. We strongly urge the Home Office to give proper consideration to this area and come up with a robust solution as we detail below.
We believe the government must remove the words “reasonable grounds for believing” (that consent is given) from section 3(1) of RIPA. The E-Privacy Directive, in section 5(1), says that member states must prohibit “interception or surveillance of communications” “without the consent of the users concerned”. “Reasonable grounds” for believing consent is given is a much weaker test.
At this point, we again question why this consultation is only targeting communication providers. The Google Streetview case showed that companies who are not communication service providers can breach the rights of users by intercepting communications. The correct question to ask would be the impact on companies who may be intercepting communications.
It is extremely important to have some information about the means by which “consent” would be granted. Two very important questions arise. Firstly, what type of means will be sought? How, for instance, will CSPs and other be asked to make sure that users are asked for their consent. It would be wrong, for instance, for ‘consent’ to be obtained via the small print of long terms and conditions. Such interception should be agreed separately from other consents in order for it to be meaningful.
Consent is currently obtained for many privacy policies in a very inadequate way. Terms and conditions are often impenetrable and non-negotiable.
Furthermore, consent cannot truly be said to have been given freely if it is a condition of accessing a service. CSPs should not be able to force customers to consent to interception of their communications in order to access their service. This is an especially important point as Internet access, for instance is a vital service. It would be inappropriate for providers of vital services to force customers to relinquish their rights as a condition of use.
Legislation should ensure that:
1. Users may object to interception of their communications at all times, and interception may never be imposed by terms and conditions of a service or contract
2. There is clear guidance given to service providers to make sure that consent is truly and fairly obtained for any instances of interception, and not simply bundled or hidden among other agreements
We do not agree that the proposals are sufficient to deal with the deficiencies identified by the Commission.
We do not understand why the proposals are restricted to a new penalty for unintentional interception for Communication Service Providers (CSPs). As the unintentional interception by Google during collection of Streetview material shows, non-CSPs are perfectly capable of unintentional interception. There is no reason to ignore this gap. Many people were upset and angry that their communications had been interfered with, and wish to see some redress, and sanction against the company involved. There seems no reason to simply ignore this, and allow companies to avoid punishment despite their irresponsibility.
We do not think that sending Company Directors to jail for the type of interception being considered here is especially likely, so we do not see any practical distinction between a fine imposed under a criminal regime and one imposed under a civil regime. In fact, the lower burden of proof may mean that a civil regime will in practice have more teeth.
However, we find the proposed penalty of £10,000 extraordinary. For data protection breaches, a fine of £500,000 is available. £10,000 is pocket money for major businesses, and represents no deterrent whatsoever. In fact, a fine of £10,000 is very likely to be less than the costs of making sure their businesses comply with the law. Yet breaches of privacy have severe consequences for confidence in communications such as the Internet.
There are other, non-financial means of creating deterrents. Breach notifications are being considered under the Data Protection review in the EU, and are about to become compulsory in the case of CSPs under the E-Privacy Directive. They could equally be applied to interception breaches.
1. Impose a realistic level of fine, comparable to data protection breaches
2. Use other deterrents such as breach notifications
We do not believe the IoCC should be taking a role in private interception of communications. Firstly, we do not believe the IoCC will pass the independence test required by the EU legislation, as a Commissioner based within the Home Office. Secondly, they have a culture of secrecy which would be hard for them to overcome in their new role, which requires transparency for confidence and proper enforcement. Thirdly, as any interception is likely to also be a data protection issue, this arrangement would cause regulatory overlap and waste, as two regulators would need to investigate.
As the Information Commissioner already has a culture that understands transparency and wide questions of enforcement, and would be likely to investigate the same breaches from a different perspective, we feel they would be a better candidate for the role of oversight of non-state interception.
That all said, we look forward to the ICO being better resourced and more technically competent than is currently the case. We would expect this new role to be an important driver towards those goals.
We also believe that the Commissioner should, as with data protection, receive prior notification of interception. This standard of transparency would make it much easier to judge if interception was intentional or unintentional, and the extent to which it is taking place, and who may need oversight or investigation. In short, it allows problems to reveal themselves.
It is clear that intentional interceptions, such as took place by BT and Phorm, led to this complaint being placed by the EU against the UK. It is therefore rather perplexing why this consultation seems to be ignoring instances of intentional interception for regulatory oversight. Intentional, but not lawful, interception seems to be the area where there are frequent dangers and need of oversight.
1. Give oversight powers to the ICO rather than the IoCC
2. Establish a prior notification scheme to the regulator for intentional interception
3. Place oversight over intentional interception, not just unintentional interception
4. Place oversight over all private entities, not just CSPs
We have mentioned a number of these. The most important are:
1. To avoid regulatory duplication and place the new duties within the ICO rather than IoCC
2. To cover intentional and unintentional interception by a regulator
3. To regulate all private entities, not just CSPs
4. To create a prior notification regime for intentional interception
5. To ensure the regulator gives clear advice and guidance to establish a high standard for consent
6. To ensure that consent to interception is never a condition of a general communications service
7. To establish breach notifications as a deterrent
8. To establish realistic levels for fines
Assuming adequate and independent regulation, this would seem reasonable.
ORG would suggest that the critical question is the cost of failing to give people adequate protections for their privacy rights.
The current cost is that at least two major cases of illegal interception by private entities – BT with Phorm, and Google’s Streetview – have gone unpunished with a consequent undermining of faith in justice and confidence in online technologies. This has a general cost to businesses as well as a social cost.
The cost of the current proposals is that neither case would have a regulator, so these would still go unpunished. So these proposals would still fail to allow UK citizens to develop confidence that their privacy will be protected.
The final cost, as Baroness Neville-Jones related to us, is the cost of fines from the EU; and perhaps more widely, the reputation and influence of the UK in relation to privacy laws, which is currently very low. These proposals do not seem to answer the Commission’s complaint about the lack of oversight over private interception, propose derisory redress, and push oversight of one aspect of the problem to a Commissioner with little reputation for independence. ORG does not believe the proposals are strong enough to remove the threat of EU fines.