UK court backs security ban on anonymised telephone calls system

A UK court has upheld the Government’s right to ban commercial marketing of a money-saving telephone service on security grounds because it could provide anonymity for callers. The service uses “GSM gateways” that can reduce call charges by rerouting calls through mobile phone SIM cards – but it also allows users to make anonymous calls, potentially avoiding government surveillance.

The Court of Appeal refused to award companies damages for a government licensing system that in effect bans the GSM gateway services they offered and largely halted their business.

Lord Justice Richards said: “Since the time when the existence of GSM gateways first came to light in 2002, the Home Office has maintained that the exemption of commercial operators of such gateways from the licensing regime would be seriously detrimental to public security.” He explained the system thus:

“When a call is routed through a GSM gateway, the caller line identification of the party originating the call is replaced by that of the SIM card in the GSM gateway, so that the identity of the originating caller is masked. This is said to give rise to serious public security concerns for law enforcement agencies in relation to the investigation and prevention of terrorism and serious crime.” (Recall Support Services Limited et al v Secretary of State for Culture, Media and Sport [2014] EWCA Civ 1370 para 9.)

Recall Support Services and five other firms sought to challenge the ban under a European Union law to encourage the telephony sector to develop. They had originally claimed £415m in damages for alleged losses as a result of the UK Government’s maintenance of a restriction on the commercial use of GSM gateways despite a European Commission directive intended to free up telephony services.

A GSM gateway contains one or more mobile SIM cards which are used to route telephone calls originating from a fixed line network through a mobile network. This way the caller seems to be phoning mobile-to-mobile, cheaper than fixed line to mobile calls. They can also make use of free call time offered with a mobile contract. When free time runs out on one SIM, calls can be routed by another slotted into the GSM gateway. 

A “commercial multi-user GSM gateway” (or COMUG) allows a commercial operator to provide services to multiple end users. Although the Government changed the regulatory regime as required by a new EC Directive in 2002, it maintained restrictions on such systems via a licensing system that in effect banned them.

The Authorisation Directive (2002/20/EC) allowed for either general authorisation for use of radio spectrum “where possible, in particular where the risk of harmful interference [with wireless telegraphy] is negligible”; or a more restricted individual authorisation ie licensing. The Government decided commercial GSM gateways should fall under the latter regime. The companies complained that “in practice at all material times there was no prospect of such a licence being granted to a GSM gateway operator”. It was in effect a prohibition rather than a restriction.

However, the Home Office maintained that allowing commercial operators of such gateways to be unlicensed would damage public security because rerouting masks the identity of the original caller. A High Court judge, Mrs Justice Rose, had found in 2013 (after hearing some evidence in private) that what she called the “restriction” (rather than “prohibition”) of COMUGs was justified on security grounds.

The legal case
The companies contended that the EU rules imply that no individual licensing regimes should be retained for electronic communications services and hence “security grounds” are not available to the Government for the purpose of prohibiting commercial use of such a service – and even if such grounds existed, the Government, in derogating from the Directive (ie pursuing a contrary policy), should have alerted the European Commission under Article 114(4) of the Treaty on the Functioning of the European Union (see below). Furthermore, it failed to effectively introduce such grounds into its legislation implementing the directive.

The Court of Appeal has now rejected the companies’ case (October 2014). Lord Justice Richards noted: “The recitals to the Framework Directive and to the Authorisation Directive evidence a clear intention that Member States are to be permitted to derogate from the provisions of the directives on grounds of public security and other objectives of public interest.” (Para 29) It follows that the UK Government were not derogating from the provision as such ie they were not acting in conflict with it. Hence there was no need to inform the EC under Article 114(4).

Richards also rejected the companies’ contention that the Directive allowed only for licensing, not for banning a service. Rose J had accepted there was little likelihood of a licence being granted, but Richards said:

“An application for a licence could have been made to the regulator and, if made, would have had to be determined on its merits. A decision to refuse the application would have been amenable to judicial review and would therefore have had to be based on proper grounds. In those circumstances the fact that, on the judge’s finding, there was no realistic possibility of a licence being granted does not equate to a ban.” (Para 33)

The companies’ insistence that the EC Directive implied a clear duty on the Government, via Ofcom, to exempt them from licensing which should have been transposed into UK legislation was also rejected by Richards LJ:

“That is because, in my judgment, the compatibility of the commercial use restriction with the directive does not depend on whether the Secretary of State has the power under domestic law, by way of a direction under section 5 [of the Communications Act 2003], to prevent Ofcom from making exempting regulations to remove the restriction. I come back to the point that the commercial use restriction, as a valid measure of domestic law which is justified by considerations of public security in so far as it relates to COMUGs, is compatible to that extent with Article 5 of the Authorisation Directive.” (Para 59)

So, in effect, security considerations remain the trump card. The issue of “harmful interference” is thrown into the mix. It is defined by Article 2(2)(b) of the Authorisation Directive: “harmful interference means interference which endangers the functioning of a radio-navigation service or of other safety services or which otherwise seriously degrades, obstructs or repeatedly interrupts a radio-communications service operating in accordance with the applicable Community or national regulations.” But in 2009 Article 5 of the Authorisation Directive was amended by Directive 2009/140/EC (“Better Regulation pdf) to add to the implied “harmful interference” exception: “fulfil other objectives of general interest as defined by Member States in conformity with Community law”.

The wording of the original article (which talked of harmful interference “in particular” but mentioned nothing else) allowed Rose J to, as it were, backdate the new wording to the original Article 5 – hence to 2002-3 when the firms were operating their GSM gateway service. She took the view (and Richards agrees) that the Directive offered the licensing regime not merely for cases where there was a risk of “harmful interference” but for other issues as well – which might mean security even if this was not implied until several year later. Thus, Richards LJ says: “it would be very surprising if public security could not be relied on under Article 5(1) as a ground for making the use of radio frequencies the subject of a licensing regime rather than a general authorisation”.

Comment
Richards LJ seems to have bent over backwards in his judgment not to rock the security boat. His argument is in effect that since security objections were not excluded from the EC Directive, they must have been there by implication. And because it was there by implication, it didn’t need to be mentioned in the legislation transposing the Directive into UK law. He over-eggs the pudding to show security issues at the heart of everything the EU does.

It is true that EU law allows for, even demands, a more purposive approach in its interpretation by the courts than perhaps UK legislation does. However, that is intended to reveal the purpose of the Directive itself, not write in other purposes that were not there. The purpose of the Directive was to free up telephony services, create competition, enhance electronic business in the European Union. The Directive notes that the Lisbon European Council of 23 and 24 March 2000 “emphasised the importance for Europe’s businesses and citizens of access to an inexpensive, world-class communications infrastructure and a wide range of services”.

Richards and Rose draw on other bits of EU lore to suggest there is always an overriding sense that EU law is subject to a security exception eg TFEU Art 36 – which actually turns out to be about imports, not internal businesses. Similarly Richards (and the Directive) cite Article 52 TFEU, but that is about “special treatment for foreign nationals on grounds of public policy, public security or public health”.

Article 5(1) in the original Authorisation Directive said this: “Member States shall, where possible, in particular where the risk of harmful interference is negligible, not make the use of radio frequencies subject to the grant of individual rights of use but shall include the conditions for usage of such radio frequencies in the general authorisation.” It is couched in terms of a requirement to liberalise, not restrict. Nothing in the words on negligible harmful interference can possibly imply a whole host of possible other reasons for not to follow the principle of this recital, viz “not make the use of radio frequencies subject to the grant of individual rights of use”. It follows that the later 2009 Better Regulation amendment was not a clarification of the words “in particular”, but an addition.

Even if one accepts the somersaulting involved in reading amendments backwards in time, the words “objectives of general interest” in the 2009 amendment should be seen in context as business and consumer interests. Licensing was not intended to aid government surveillance of telephone calls. And if the requirements of such surveillance destroy (rather than merely regulate) businesses that might offer improved or cheaper electronic services, that cannot be an “objective of general interest” promoted by the EU.

Directive 2002/21/EC does have a security clause (see below). But it also, at 3(1) has this: “Member States shall ensure the freedom to provide electronic communications networks and services, subject to the conditions set out in this Directive. To this end, Member States shall not prevent an undertaking from providing electronic communications networks or services, except where this is necessary for the reasons set out in Article 46(1) of the Treaty.” Art 46(1) is now Art 52 on foreign nationals. Richards finds this puzzling but in fact it rather defeats his point. The purpose of the Directive is to ensure Member States don’t “prevent an undertaking from providing electronic communications networks or services” – that is the most important point to take away from it.

This is important in the wider context of surveillance and the European Union. Government surveillance of electronic media is in effect a form of trade restraint, a secretive governmental regulation over what should be free businesses able to pursue their (and consumers’) best interests with a minimum of stifling interference. Surveillance is a business issue.Thus Directive 2002/58/EC says this:

“8) Legal, regulatory and technical provisions adopted by the Member States concerning the protection of personal data, privacy and the legitimate interest of legal persons, in the electronic communication sector, should be harmonised in order to avoid obstacles to the internal market for electronic communication in accordance with Article 14 of the Treaty. Harmonisation should be limited to requirements necessary to guarantee that the promotion and development of new electronic communications services and networks between Member States are not hindered.”

Richards LJ has failed to see the European Union’s purpose in the Directives he was looking at and instead accepted without question the UK Government’s insouciant view of the privacy issues involved.

Twitter: alrich0660

Thanks, as ever to Bailii.org and to Eur-Lex

See also: Mass surveillance in the UK: Charles Farr’s flawed arguments
News International hacking judgment and GCHQ scandal

Note: Mobile companies were not too happy with the COMUGS systems and acted against suppliers of the service. See this 2005 case: PDF 48KB – Competition Appeal Tribunal

Article 114(4) TFEU
“If, after the adoption of a harmonisation measure by the European Parliament and the Council, by the Council or by the Commission, a Member State deems it necessary to maintain national provisions on grounds of major needs referred to in Article 36, it shall notify the Commission of these provisions as well as the grounds for maintaining them.”

Directive 2002/21/EC on security
(Recital 7) The provisions of this Directive and the Specific Directives are without prejudice to the possibility for each Member State to take the necessary measures to ensure the protection of its essential security interests, to safeguard public policy and public security, and to permit the investigation, detection and prosecution of criminal offences, including the establishment by national regulatory authorities of specific and proportional obligations applicable to providers of electronic communications services.

The Francovich criteria for state liability
The case was brought under the principle of “state liability” according to the Francovich principles, that EU member states may be liable for losses owing to failure to transpose Directives into their law or for doing so inadequately. The principles were developed by the Court of Justice in Cases C-46/93 & 48/93, Brasserie du Pêcheur and Factortame [1996] ECR I-1131: (1) the rule of law infringed must be intended to confer rights on individuals; (2) the breach must be sufficiently serious; and (3) there must be a direct causal link between the breach of the obligation resting on the state and the damage sustained by the injured parties.

In the High Court case Mrs Justice Rose found no breach regarding COMUGS but a breach regarding “COSUGS” (where a commercial operator uses a GSM gateway to provide services to a single end-user (as opposed to multiple users), so all the calls diverted through the gateway come from one user, though from multiple fixed lines used by that one user’s workforce. She found that conditions (1) and (3) were satisfied but that condition (2) was not satisfied because the infringement did not constitute a manifest and grave disregard of the United Kingdom’s obligations under EU law.

See also the Communications Act 2003