The Anderson report on surveillance (according to the media) suggested that UK security services should “keep” their powers of bulk surveillance – the downloading and storing of communications and internet material, basically without limit except the limitations of the technology they have. The report has come out in the same week that the Metropolitan Police were unable to confirm or deny (for which read “confirmed”) that dummy mobile phone towers, or Stingers, were lifting material from the phones of passers-by, apparently ad hoc and without specific investigatory purpose.
But it is really not clear that bulk surveillance powers do have legal sanction in Britain – and nor does Anderson say unequivocally that they do. Which is why, under Theresa May’s new “snooper’s charter” (the draft investigatory powers bill), she will be seeking to legalise something she claims is perfectly legal already – but really isn’t.
So what is the law? The key piece of legislation is the Regulation of Investigatory Powers Act 2000 (RIPA) – which Anderson wants replaced. This is often referred to as the source of surveillance powers for just about anyone from GCHQ to schools checking on the residency of parents or local authorities looking at our recycling.
In fact it is intended to control, curb, restrict and limit surveillance – and in particular it is intended to prevent the state’s (and private bodies’) disproportionate bulk downloading and retention of the private information – which is just what the security forces do now as far as they technically can and which they will be able to do far more effectively under the investigatory powers bill, requiring ISPs, Google and the rest to keep such information for them.
RIPA and the European Union
The purpose of RIPA was to implement Article 5 of the 1997 European Union Directive 97/66/EC (now Art 5 of Directive 2002/58/EC) concerning the processing of personal data and the protection of privacy in the telecommunications sector. Article 5, headed Confidentiality of the Communications, says:
“1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1).”
Article 15(1) gives an exception for “a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (ie state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system”. This is not a blanket permission (it must be “appropriate and proportionate”) and Article 8 of the European Convention of Human Rights (right to respect for private and family life, home and correspondence) would also apply since EU and UK law should be in conformity with the ECHR.
The intention of RIPA is to follow the basic intention of the Directive, to deal with the various “mischiefs” set out in the Directive, including “storage” of emails unless authorized by the recipient or by lawful authority under security laws (or, as RIPA s.3(3) adds, by the service provider “for purposes connected with the provision or operation of that service”). But there has been a deal of obfuscation about RIPA on both sides of the surveillance debate – most accepting without question that it is not fit for purpose given the advances in technology or the terrorist threat or whatever. Anderson himself says:
- “RIPA, obscure since its inception, has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates. A multitude of alternative powers, some of them without statutory safeguards, confuse the picture further. This state of affairs is undemocratic, unnecessary and – in the long run – intolerable.”
But all that is not altogether true. It is an obligation of any British court when faced with “obscure” or “confusing” legislation based on an EU directive to simply interpret it according to that directive. Thus Article 249 EC states:
“A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.”
The job of the Government, through Parliament, is to effectively transpose the Directive into UK law. If it fails to do so or does it badly, judges – in Britain and in Luxembourg – can fix it by interpreting it to fulfil the purpose of the directive. RIPA must be interpreted “in every way possible in the light of the text and aims of the Directive to achieve the aims envisaged by it” (standard off the peg jurisprudential phraseology in EU Court of Justice cases on Directives; see for example Marleasing SA v La Comercial SA  ECR I-4135).
So in the case of bulk storage of surveillance information the issue then simply becomes: is it legally authorised; and if so is it “proportionate” to safeguard national security?
The security services have sought to obfuscate matters further by suggesting what they do doesn’t interfere with “communications” or that they only pick up internet traffic offshore, outside the jurisdiction of the UK; or that RIPA was never meant for this sort of thing (see Charles Farr’s flawed arguments).
It doesn’t matter. The Directive is future-proof and sophistry-proof since its intention is important, not the technicalities of the means of surveillance or convoluted legal arguments. “Listening, tapping, storage or other kinds of interception or surveillance of communications” is prohibited unless justified – and that justification must be tempered by proportionality.
It is possible that the authorities are acting unlawfully without realising it, relying on technical let-outs and not considering that downloading just about everything they can is actually “disproportionate” in the context of a Directive intended to curb such actions, not underpin them.
But Anderson seems to have offered them cover by suggesting that bulk surveillance is proportionate. His report cited cases where bulk surveillance has aided security services in catching actual criminals. But he is not a judge sitting in court and he hasn’t had a RIPA case argued in front of him. RIPA remains in force, and on the face of it the security services are in breach of it.
The investigatory powers bill
The UK Home Secretary, Theresa May, has now acknowledged that bulk surveillance has been going on for years (probably since around the time of the 9/11 terrorist attacks) and has cited Section 94 of the Telecommunications Act of 1984 (yes, irony imitating art) as authority. This gives the Home Secretary pretty sweeping powers to give “such directions of a general character as appear to the Secretary of State to be necessary in the interests of national security or relations with the government of a country or territory outside the United Kingdom” – in this case meaning that holders of digital communications material can be told to retain it and hand it over in bulk to the security services.
This Act predates the world wide web and certainly predates all the whizzy social media and communication resources GCHQ is looking at. It was updated in 2003 to include “public electronic communications networks” rather than just telecoms. That update (in Schedule 17, para 70 of the 2003 Communications Act) also added:
“(2A) The Secretary of State shall not give a direction under subsection (1) or (2) unless he believes that the conduct required by the direction is proportionate to what is sought to be achieved by that conduct.”
This is an acknowledgment of the key issue in RIPA and EU law. Surveillance must be proportionate to the end in view “in a democratic society” – meaning one that upholds liberal values, not one that simply holds elections. But since all this surveillance has been secret, only now “avowed” by May, there has been no way of testing its legality in court. Nor will there be in future.
It is questionable whether her new draft bill suddenly renders all this lawful beyond doubt – not least because the specific actions of the security services will remain secretive, though we now have a better idea of what they are doing in general.
EU and economic dimensions
Why is the European Union interested in all this anyway? It’s partly a matter of personal privacy but also of crucial importance to business to have a free and open internet so products can be offered on it without consumers fearing for their privacy. The 1997 and 2002 Directives are as much a protection for companies as individuals. Paragraph 6 of the preamble to the 2002 Directive notes:
“The Internet is overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services. Publicly available electronic communications services over the Internet open new possibilities for users but also new risks for their personal data and privacy.”
The EU wants the new possibilities developed without individuals holding back from taking advantage of them for fear of disproportionate surveillance. Article 1(1) of the Directive says the intention is “to ensure the free movement of such data and of electronic communication equipment and services in the Community”.
The EU would be concerned to ensure that no nation within it and no companies within that nation have an unfair advantage over others in the EU through monitoring of communications. Additionally there should be no disincentive to individuals and firms using, say, UK communication systems for fear of extensive monitoring by the national government. There must be level playing fields.
GCHQ’s alleged activities are very much an issue between Britain and the EU, and an economic one at that. The EU allows for security to be a wholly national issue (“national security remains the sole responsibility of each Member State” Art 4(2) of the Treaty of the European Union) but not economic well-being.
If RIPA has not effectively transposed the Directive into UK law, leaving loopholes to get round it, and UK judges do not interpret it as being in compliance, then Britain will be in breach of its legal obligations to the EU. The same will be the case if RIPA is swept aside and replaced with a new Act. An indication of how an EU court would regard the snooper’s charter is given below in Digital Rights Ireland.
Note: the EU Court of Justice (CJEU) is to examine UK law on surveillance under an expedited procedure (for a preliminary ruling requested by the Court of Appeal in London) under this order on 12 April 2016. See the Guardian here.
Privacy International is also challenging bulk collection in the Investigatory Powers Tribunal later in 2016 (Case No. IPT/15/110/CH). Details of the organisation’s legal arguments are here.
This post utilises material from a long and complex piece on Thinking Legally: Hacking judgment and GCHQ
A piece by Marietta Cauchi notes that the 2014 Data Retention and Investigatory Powers Act (DRIPA), intended to get round the striking down of the EU Data Retention Directive (see below), reduces RIPA safeguards and “arguably draws in a much larger chunk of everyone’s online activity”.
The High Court has now (July 2015) found Section 1 of DRIPA in breach of EU law, based on the Digital Rights Ireland case. (See the Guardian; Bailii case here: R (Davis, Watson et al) v Home Secretary.) Under DRIPA the Home Secretary could issue notices to “require a public telecommunications operator to retain relevant communications data if the Secretary of State considers that the requirement is necessary and proportionate” in the light of operations. Access to the information thus held was not sufficiently regulated, however. The High Court case is also here Davis – Courts and Tribunals Judiciary. (pdf)
Anderson report: IPR Report Web Accessible
Liberty & others -v- FCO & others Case brought against GCHQ surveillance, rejected by the Tribunal. Much was made of the “internal” versus “external” interception issue dealt with in the Charles Farr piece above. The lawyers for the authorities reject the term “bulk surveillance” and prefer “discriminate (in the sense that it is within very broad selectors) but vast”.
Litster and others v Forth Dry Dock Engineering Company in which Lord Templeman said: “the courts of the United Kingdom are under a duty to follow the practice of the European Court of Justice by giving a purposive construction to Directives and to Regulations issued for the purpose of complying with Directives”. So a literal reading of the relevant British law (TUPE Regulations 1981), which had failed to extend rights to sacked workers, was discarded for a “purposive” reading based on the relevant Directive (2001/23/EC) which allowed the court to uphold their rights.
Anderson on bulk collection of surveillance material
1.12. Though I seek to place the debate in a legal context, it is not part of my role to offer a legal opinion (for example, as to whether the bulk collection of data as practised by GCHQ is proportionate). A number of such questions are currently before the courts, which have the benefit of structured and opposing legal submissions and (in the case of the IPT) the facility to examine highly secret evidence, and which are the only bodies that can authoritatively determine them.
Anderson on privacy: 2.7. Privacy can also be understood in terms of control. Since knowledge is power, the transfer of private information to the state can be seen as a transfer of autonomy and of control. Even if the information is never actually read – for example, an electronic communication which was obtained pursuant to a bulk data collection exercise but not selected for scrutiny – the fact that it could be read may be seen as placing control in the hands of the state. Control may also be transferred when information is given to an online service provider, though with the distinguishing factors that consent is required (nominally, at least) and that service providers, while they may use or sell the data within the limits of their terms and conditions, lack the coercive powers of the state.
EU case on data retention: Digital Rights Ireland v Minister for Communications et al (C‑293/12)
This judgment, published in April 2014, declared invalid Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. It raises the prospect of the snooper’s charter also coming into direct conflict with the EU and its principles. Inter alia it noted:
29. The retention of data for the purpose of possible access to them by the competent national authorities, as provided for by Directive 2006/24, directly and specifically affects private life and, consequently, the rights guaranteed by Article 7 of the Charter [privacy and family life]. Furthermore, such a retention of data also falls under Article 8 of the Charter because it constitutes the processing of personal data within the meaning of that article and, therefore, necessarily has to satisfy the data protection requirements arising from that article.
33. To establish the existence of an interference with the fundamental right to privacy, it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way (see, to that effect, Cases C‑465/00, C‑138/01 and C‑139/01 Österreichischer Rundfunk and Others EU:C:2003:294, paragraph 75).
37. It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.
38. Article 52(1) of the Charter [of Fundamental Rights of the European Union] provides that any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
The judges acknowledge that “the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest” viz combating terrorism and crime. However on the issue of proportionality (ie “that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives”) they say:
55. As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population.
58. Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy.
59. Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
The judges examine further the breadth of material that would be kept and conclude:
69. Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
Schedule 17, para 20 of the Communications Act 2003
(amending the 1984 Telecommunications Act Section 94)
70 (1) Section 94 of that Act (directions in the interests of national security) shall be amended as follows.
(2) In subsection (1), for “requisite or expedient” there shall be substituted “necessary”.
(3) In subsection (2), for “requisite or expedient” there shall be substituted “necessary”.
(4) After subsection (2), there shall be inserted—
“(2A) The Secretary of State shall not give a direction under subsection (1) or (2) unless he believes that the conduct required by the direction is proportionate to what is sought to be achieved by that conduct.”
(5) In subsection (3), for “this Act” there shall be substituted “Part 1 or Chapter 1 of Part 2 of the Communications Act 2003 and, in the case of a direction to a provider of a public electronic communications network, notwithstanding that it relates to him in a capacity other than as the provider of such a network”.
(6) In subsection (6), for “public telecommunications operators” there shall be substituted “providers of public electronic communications networks”.
(7) In subsection (8), for the words from “the Director” onwards there shall be substituted “OFCOM and to providers of public electronic communications networks.”