DRIPA 2014 – court turns off the data tap 


R (on the application of Davis MP and others) v Secretary of State for the Home Department (Open Rights Group and others intervening) [2015] EWHC 2092 (Admin), [2015] All ER (D) 180 (Jul)

What’s the background to this case? 

In claims for judicial review brought by four individuals including two serving MPs, Lord Justice Bean sitting with the Honourable Mr Justice Collins in the Divisional Court held that DRIPA 2014, s 1 is inconsistent with EU law in so far as:

it does not lay down clear and precise rules providing for access to and use of communications data retained pursuant to a retention notice to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences, and

access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.

The court therefore disapplied DRIPA 2014, ss 1 and 2, although that element of the order is suspended until 31 March 2016.

What happens next? How long does the government have to implement a new data retention law? 

DRIPA 2014 already contains (at DRIPA 2014, s 8(3)) a ‘sunset clause’ bringing its provisions to an end on 31 December 2016. This is reflective of the speed with which it was passed through both Houses–the Bill was fast-tracked through Parliament, passing through all its stages in the Commons on a single day, 15 July 2014, the Lords on 16 and 17 July 2014 and receiving the Royal Assent on 17 July 2014. The necessity for the fast-tracking of DRIPA 2014 was occasioned by the Court of Justice of the European Union’s (CJEU) ruling in Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and others, Re Landesregierung and others: C-293/12 and C-594/12 [2014] IP & T 622, which had struck down Directive 2006/24/EC. The UK’s existing data retention regulations (the Data Retention (EC Directive) Regulations 2007, SI 2007/2199 and the Data Retention (EC Directive) Regulations 2009, SI 2009/859) had been based upon that Directive, and the government was concerned that those regulations may no longer have been legally sound without it, hence the need for primary UK legislation.

Regardless therefore of any order by the Administrative Court in this case, by virtue of the sunset clause in DRIPA 2014 the government was already required to enact further legislation in relation to data retention during this parliament. The significance of the ruling in this case is that the court has identified clear parameters that any such new legislation must meet in order to comply with EU law (as set out in Digital Rights Ireland) and the court has accelerated the timetable by which that must be accomplished, giving the government until 31 March 2016. Furthermore, the court has hinted in the strongest terms it felt able to adopt that any bill laid as a replacement for DRIPA 2014 should be afforded a proper timetable in Parliament.

The mandatory requirements for a lawful legislative regime governing data retention as identified by the Administrative Court from the CJEU’s decision in Digital Rights Ireland are as follows:

a) Any legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards sufficient to give effective protection against the risk of abuse and against any unlawful access to and use of that data.

b) Access to and use of retained data must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences.

c) Above all, access to retained data must be made dependent upon a prior review by a court or an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary, such review to be initiated by a reasoned request.

The court recognised in the light of (c) above that further legislative change may well have to be accompanied by the setting up of an appropriate judicial or administrative body capable of properly authorising access to any retained data. It was partly for that reason that the court adopted the 31 March 2016 date for the disapplication of DRIPA 2014, ss 1 and 2 rather than the earlier date of January 2016 that had been urged upon it by the claimants.

What does this mean for any data that have already been collected? 

Continuity will be achieved so long as a new statutory regime is in place by 31 March 2016. It is to be noted that the court has declared DRIPA 2014, ss 1 and 2 unlawful not on the basis that blanket retention is itself necessarily unlawful, but because the access conditions provided for in DRIPA 2014 are not sufficiently robust to meet the criteria laid down in Digital Rights Ireland.

The issue of the lawfulness of blanket retention will soon be addressed by the CJEU in a referral from the Stockholm Administrative Court of Appeal in the case of Tele2 Sverige AB v Post och Telestyrelsen: C-203/15. It is unlikely, however, that any final judgment in the Swedish case will be available as guidance to the UK Parliament in its drafting of the new data retention regime to come into force after 31 March 2016.

Will this be appealed? 

Permission to appeal was granted by the Administrative Court because of the public importance of the case. The defendant had belatedly sought a reference to the CJEU, but this was declined.

Is this likely to mean that aspects of David Anderson QC’s report will be implemented? 

Both David Anderson QC’s recent report and a surveillance review by the Royal United Services Institute in July 2015 have recommended prior judicial approval in relation to some or all authorisation for interception warrants. These, coupled with the findings of the Administrative Court, make it highly likely that any new regime implemented by the government in relation to data retention and access will include some kind of mechanism for prior judicial approval where access to retained data is sought.

This is the first time that MPs have successfully judicially reviewed the government. Can you see this happening more on other matters? 

The circumstances of this case were unusual in that the legislation was rushed through Parliament in a deal struck between the government and the leader of the opposition as a result of the CJEU’s finding in Digital Rights Ireland. Furthermore, the provision for the blanket retention of data made no distinction in relation to the retention of potentially privileged material, including correspondence between MPs and their constituents. This latter aspect of the case was not required to be ruled on however, with the court simply noting that special consideration was to be given to applications concerning access to data involving communications with lawyers, MPs, or journalists.

Jonathan Price was interviewed by Alex Heshmaty. 

This article was first published on Lexis®PSL IP & IT on 4 August 2015.

Privacy watchdog doesn’t ‘like’ Facebook’s approach


A report commissioned by the Belgian Privacy Commission into Facebook’s policies and terms of service has criticised the social media network’s use of cookies and concludes that Facebook is operating in breach of European law in several key respects.

What aspects of European law is Facebook said to be in breach of?

The report found that:

(i) several clauses in Facebook’s new (2015) Statement of Rights and Responsibilities (SRR) violate the Unfair Contract Terms Directive 93/13/EEC;
(ii) Facebook’s Data Use Policy (DUP) does not comply with the requirements of the e-Privacy Directive 2002/58/EC, art 5(3) (as amended); and
(iii) Facebook tracks non-users in a manner which also violates the e-Privacy Directive.

The report is also critical of the transparency of Facebook’s DUP and the lack of sophisticated control Facebook affords its users, for example over the use of geolocation data.

Perhaps most surprising is the revelation that Facebook tracks non-users without their consent by the placing of cookies on their devices when they visit a Facebook page, which are then harvested when they subsequently visit a third-party website which uses one of Facebook’s social plug-ins such as a ‘like’ button (and there are 13 million such third-party websites including many government and corporate sites). The technical annex to the report also details how EU visitors to Facebook, whether or not they are members of the social network, have a cookie delivered to their device with a two-year lifespan.

What limits does EC law place on the tracking of internet users?

The e-Privacy Directive provides that processing of personal data may only take place if and to the extent that it is justified by one or more specified legitimate grounds. Many such grounds are set out in the e-Privacy Directive, art 7, but the report’s authors have identified the following three that might be relied upon by an online social network such as Facebook:

(i) if the unambiguous consent of the data subject has been obtained;
(ii) if the processing is a necessity for the performance of a contract; and/or
(iii) if there is an overriding legitimate interest in the processing of the data.

The report finds that only in very limited circumstances can (ii) or (iii) be relied upon, so that for most collection and processing of personal data by Facebook it must show that it has obtained the unambiguous consent of the data subject. In any event the e-Privacy Directive, art 5(3) provides that, where cookies are concerned, users must be offered the right to refuse.

Cookies are the most common method of tracking internet users. They are small packages of software that are placed onto a user’s device, uniquely identifying that device and capable of gathering data about how, where and when it has been used, for upload to the cookie’s owner at some future time. Almost all commercial websites now use cookies, and the data they gather is used most commonly to target advertising.
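As an added illustration, not part of the original article or of the Belgian report it discusses, the following Python models the mechanism described above: a browser cookie jar receives a two-year identifier cookie during a visit to the network’s own site, and that cookie is returned when an unrelated site later loads one of the network’s plug-ins; an audit function then flags cookies whose declared lifetime exceeds a policy limit. All hostnames, cookie names and values are constructed placeholders, and the first-party/third-party check is a deliberate simplification of the public-suffix logic real browsers use.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

SECONDS_PER_DAY = 86_400


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str             # lower-cased, leading dot removed
    host_only: bool         # True when the header carried no Domain attribute
    max_age: Optional[int]  # declared lifetime in seconds; None = session cookie


def parse_set_cookie(header: str, response_host: str, now: datetime) -> StoredCookie:
    """Parse one Set-Cookie header the way a cookie jar does (RFC 6265 subset).
    Max-Age wins over Expires; Expires is turned into a lifetime relative to `now`."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, max_age, expires_age = response_host.lower(), True, None, None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain, host_only = val.lstrip(".").lower(), False
        elif key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires_age = int((parsedate_to_datetime(val) - now).total_seconds())
    return StoredCookie(name.strip(), value.strip(), domain, host_only,
                        max_age if max_age is not None else expires_age)


def domain_matches(request_host: str, cookie: StoredCookie) -> bool:
    """Host-only cookies return only to the exact host; domain cookies also
    go to every subdomain of the Domain they were set for."""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def site_of(host: str) -> str:
    """Last two labels as a crude 'site'; browsers use the public-suffix list,
    but this approximation is enough for the placeholder hosts used here."""
    return ".".join(host.lower().split(".")[-2:])


def cookies_sent(jar: List[StoredCookie], request_host: str,
                 top_level_host: str) -> List[Tuple[str, bool]]:
    """(name, third-party?) for each cookie a browser that does not block
    third-party cookies would attach to a request for request_host while the
    user is viewing a page served by top_level_host."""
    third_party = site_of(request_host) != site_of(top_level_host)
    return [(c.name, third_party) for c in jar if domain_matches(request_host, c)]


def long_lived(jar: List[StoredCookie], limit_days: int) -> List[str]:
    """Names of cookies declared to outlive limit_days; session cookies never do."""
    limit = limit_days * SECONDS_PER_DAY
    return [c.name for c in jar if c.max_age is not None and c.max_age > limit]


# Step 1 (constructed): the browser visits the network's own site and stores its cookies.
NOW = datetime(2015, 4, 17, tzinfo=timezone.utc)
RESPONSE_HEADERS = [
    "visitor_id=c0ffee; Domain=.social.example; Max-Age=63072000; Path=/; Secure; HttpOnly",
    "locale=en-GB; Domain=.social.example; Expires=Sun, 17 May 2015 00:00:00 GMT; Path=/",
    "csrf=tok123; Path=/; Secure",  # host-only session cookie, never leaves www.
]
JAR = [parse_set_cookie(h, "www.social.example", NOW) for h in RESPONSE_HEADERS]

# Step 2: an unrelated news site embeds the network's 'like' plug-in; the
# two-year identifier travels with the plug-in request, in a third-party context.
PLUGIN_REQUEST = cookies_sent(JAR, "plugins.social.example", "news.example")
FLAGGED = long_lived(JAR, limit_days=365)   # -> ["visitor_id"]
```

Running the block yields `PLUGIN_REQUEST == [("visitor_id", True), ("locale", True)]`: the host-only session cookie stays behind, but the two-year domain cookie is sent to the plug-in host from the news site, which is exactly the cross-site identifier the report objects to.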

The other most relevant piece of European legislation in this context is the Data Protection Directive 95/46/EC:

(i) arts 10 and 11 provide data subjects with a right to information in relation to how their personal data is processed;
(ii) art 12 provides a right of access for data subjects to their personal data; and
(iii) art 14 provides data subjects with the right to object to their personal data being processed in most contexts relevant to an online social network.

The report is critical of the extent to which Facebook makes these rights available to users (and to some extent non-users), concluding that:
‘Facebook fails to provide (sufficient) granularity in exercising data subjects’ rights. For example the right to erasure can only be exercised with regard to the user’s profile altogether and only relates to self-posted content. The right to object can only be exercised with regard to the visibility of certain content to third parties.’

The message in the report is that the use of social networks is now so ubiquitous that Facebook’s ‘take it or leave it’ privacy policy is not good enough–users should be given greater adjustability in the control they have over their personal data.

How have consent policies (cookies etc) developed and have they been successful?

In June 2012 the European data protection authorities (through the Article 29 Working Party) issued an opinion that sought to distinguish between types of cookies and to suggest different policies depending upon the nature of the cookie and the privacy risk created. The opinion noted that ‘first-party analytic cookies’ (for example a cookie from the operator of the website a user is visiting aimed at improving the working of that website) do not always require informed consent. However, the cookies most frequently encountered are third-party cookies set for the collection of commercially valuable data and these certainly require the informed consent of the user. Such consent may be implied–it is the need for it to be informed that has given rise to the commonly experienced ‘cookie policy’ boxes found on most websites. There is little evidence that the text in these boxes is in fact read in practice, casting doubt on the efficacy of both the law and its implementation. Consent is certainly routinely given, however few users properly understand to what they are consenting.

What is driving companies to push the limits of acceptable tracking? What is the benefit to their business?

It can be of great benefit to all parties for a website to know some basic information about an individual user, saving time and making content much more relevant. However, as the report notes, for a company such as Facebook (and similar observations would apply to Google) the ability to track users and collect data about them is key to their business model. These companies’ assets are the data they collect, and the greater the amount of the data and the more sophisticated its relations, the more valuable are those assets. Tracking is therefore vital to these companies’ profitability. The more they know about what we do online, the more they know about us–and the more they know about us, the more powerful and profitable they will become.

Could Facebook face action for breaching European law?

Facebook’s position is that its DUP and SRR are compliant with European laws. It says that its tracking of non-users was a bug that is now being resolved. A Facebook spokesperson is reported in the Guardian as saying:

“This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.”

If Facebook has acted in breach of data protection law, action by private individuals in the UK has become more feasible very recently following the Court of Appeal’s ruling in Vidal-Hall v Google [2015] EWCA Civ 311, [2015] All ER (D) 307 (Mar) which has done away with the need for a claimant for damages under the UK’s Data Protection Act 1998 to show financial loss.

The Belgian Privacy Commission is expected to decide by 29 April 2015 whether or not to act upon the report.

What are the challenges of online consent in an Internet without borders?

As the report points out, the tracking techniques deployed by Internet companies are constantly evolving. In fact it is becoming increasingly possible to track users across the web without the use of cookies at all through techniques known as ‘fingerprinting’, thus rendering the protection in the e-Privacy Directive, art 5(3) outdated. While the data collected by such techniques is still capable of attracting the protection of the Data Protection Directive, the collection itself may be outside the current scope of the law. However, as the European Court of Justice has demonstrated in Google Spain SL and another company v Agencia Espanola de proteccion de Datos (AEPD) and another: C-131/12 [2014] All ER (D) 124 (the ‘right to be forgotten case’) and consistent with the new data protection ‘super-regulation’ due to be passed this year and come into force by 2017, European data protection law will soon apply to any company that does business here, regardless of where it is established.

Jonathan Price was interviewed by Alex Heshmaty.

This article was first published on Lexis®PSL IP & IT on 17 April 2015.

Human rights and the interception of communications


Liberty (The National Council of Civil Liberties) and others v Government Communications Headquarters and others [2014] UKIPTrib 13_77-H, [2014] All ER (D) 156 (Dec)

In December 2014, the Investigatory Powers Tribunal (IPT) ruled that the current interception systems used by UK security services do not breach human rights.

How did this case come about?

The case was brought in the wake of the Snowden revelations, which caused public concern that the US and UK governments were routinely intercepting, collecting and sharing large volumes of communications content and data, including from their own and each other’s citizens. It was perceived at the time, and argued by the claimants, that the collection was indiscriminate. The thrust of the claimants’ case was that this interception, collection and sharing was–whether or not the collection was indiscriminate, but particularly if so–unlawful. The arguments as to lawfulness focused upon the requirement in ECHR, art 8(2) that there shall be no interference by a public authority (in this case ‘the security services’–MI5, MI6 and GCHQ) with the right to respect for an individual’s private life, including his correspondence, except as is in accordance with the law.

The primary question was therefore: Were there adequate systems of legal safeguards in the area of covert interception of communications to make the security services’ reliance upon ECHR, art 8(2) meaningful, and therefore valid? An analogous case in relation to ECHR, art 10(2) was also put and considered by the tribunal. The secondary question is: If there are such adequate safeguards, are they being properly implemented in fact?

The IPT answered the primary question in the affirmative, and concluded that there was, at least in respect of the systems governing the two aspects of communication interception examined by it, no contravention of ECHR, arts 8 or 10. A further case of indirect discrimination contrary to ECHR, art 14 was also put and dismissed. As to the secondary question, that will now be looked into by the IPT almost entirely in secret.

What is the significance of the ruling?

This case represents the legal responses of several of the most prominent relevant pressure groups and NGOs to the central Snowden revelation–namely that the UK and US governments run very substantial programmes of communication interception and may share the material so derived. The claimants made sustained and very critical submissions which for the most part were entertained and given serious and detailed consideration by the IPT.
The IPT itself, through its function and procedures and its independence, provides an important plank in the raft of statutory, regulatory and other provisions that together make up the system by which covert surveillance by the government is to be held in check, so this ruling constitutes an important element in the legitimisation of the interception programmes it considered.

The IPT is able to receive evidence and submissions on both an open and a closed basis. It has done so in this case, looking at the legislative and regulatory framework as it is available to the public, as well as examining in closed sessions those secret arrangements said to be ‘below the waterline’. Following that exercise, the IPT ruled that the intercept programmes are lawful and ‘human rights compliant’. In the course of reaching that conclusion, the IPT satisfied itself that–contrary to the received impression in some quarters following Snowden that the intelligence services are permitted to obtain communications and associated data by interception at will–this is not the case.

What grounds did the IPT give for holding that the interception systems did not breach human rights?

The case examined the legal framework governing two aspects of the collection and handling of communications content and data by the UK government and security services:

Material obtained by the US National Security Agency (NSA) pursuant to its Prism programme (and also possibly pursuant to another programme called Upstream) which was then shared with UK security services.

The operation by the UK security services of warrants under the Regulation of Investigatory Powers Act 2000, s 8(4) (RIPA 2000). Section 8(4) provides that UK agencies may themselves intercept ‘external communications’, which is to say communications sent or received outside the British Islands, but, crucially, also internal communications, provided only that the interception of internal communications is necessary in order to enable the warrant to intercept the external communications. The claimants’ concern in relation to RIPA 2000, s 8(4) was that the security services were vacuuming up the communications of UK citizens, and that the proviso in RIPA 2000, s 8(4) was insufficient protection, allowing internal as well as external communications to be intercepted and read.

Broadly speaking, the IPT’s reasoning in respect of both issues was that there were adequate safeguards in place to ensure compliance with the law, and that those safeguards were sufficiently foreseeable by and available to the public. After considering the secret arrangements (those ‘below the waterline’) the IPT was satisfied that they, along with the duties already conferred on the security services by their own governing legislation, the Data Protection Act 1998, the Human Rights Act 1998 and RIPA 2000, were sufficient to ensure compliance with ECHR, arts 8 and 10.

Those ‘below the waterline’ arrangements are sufficiently accessible to the public because–although themselves secret–they are sufficiently signposted by the statutory framework in which they sit. Furthermore, those arrangements that are below the waterline (as well as those above it) are subject to oversight, by the Interception of Communications Commissioner who is a former Lord Justice of Appeal, the Parliamentary Intelligence and Security Committee currently chaired by a former Foreign Secretary, and the IPT itself.

Has the case given any indication as to the limits of surveillance that would be allowed before they were found to breach human rights?

Yes. The IPT took the opportunity to set out some clear conclusions on this issue (at para [160]). In summary, it would always be unlawful for the security services to deliberately circumvent the requirements of UK law by looking to another state to effectively do its information gathering for it. Indiscriminate trawling for information by interception would also be unlawful. Intercepted material may only be retained for as long as is necessary for the lawful purpose for which it was obtained, and the security services are accountable for all intercepted information which they receive and retain by any means.

Throughout its judgment the IPT reiterated the principles of sufficiency of accessibility and foreseeability as minimum safeguards in relation to the regulatory apparatus bearing upon the state’s discretion where interception is concerned.

What has the general surveillance debate told us about the interaction between human rights and the actions of the state?

The broader human rights law impact of this case is not clear. The judgment is careful to operate within the bounds of well-established European Court of Human Rights (ECtHR) jurisprudence and does not purport to create any new law. What is more, because of the security services’ policy (unchallenged in this case) of ‘neither confirm nor deny’, there were no findings of fact–the parties and the tribunal proceeded upon certain agreed putative factual scenarios, with the respondents neither confirming nor denying that they in fact pertained.

What is potentially of interest is that, from the internal guidance and procedure posited or disclosed, it appears that even in the operation of their secret arrangements the security services are aware of–and try to reflect in those arrangements–the need to try and strike a proportionate balance between on the one hand the state’s duty to protect its citizens from terrorism and/or other serious crime, and on the other the private rights of citizens to privacy and freedom of expression. It was this attempt to build in these human rights principles to the security services’ ‘below the line’ policies that enabled the IPT to declare as lawful the arrangements to which it has been privy. It remains to be seen whether the security services have in fact managed to uphold those lawful policies in practice–this is what the IPT will now consider.

Is this the final word on the matter?

No. The claimants have said they will appeal the judgment to the ECtHR. Responding to the ruling James Welch, legal director for Liberty, said:
‘So a secretive court thinks that secret safeguards shown to it in secret are an adequate protection of our privacy. The IPT cannot grasp why so many of us are deeply troubled about GCHQ’s [RIPA 2000, s 8(4)] operation: a seemingly unfettered power to rifle through our on-line communications.’

It should also be noted that there are a number of instances in the judgment where either the judge has suggested or the security services themselves have expressed a willingness to consider that some or more of the arrangements currently operating below the waterline be made public. Doing so may conceivably lead to more challenges to the decisions those arrangements are intended to regulate.

Finally there is currently before the IPT a case arising out of a private civil law action, Belhaj and another v Straw MP and others (United Nations Special Rapporteur on Torture and others intervening) [2014] EWCA Civ 1394, [2014] All ER (D) 337 (Oct) in which it came to light that the security services may have been intercepting communications between the parties and their lawyers, which communications were otherwise covered by legal professional privilege (LPP).

The LPP issue was raised in the case under discussion by Amnesty, but given its centrality to the Belhaj case, the issue was hived off and will be determined in due course. The security services have disclosed on an open basis in the Belhaj litigation before the IPT–which is still at a preliminary stage–redacted and gisted versions of their internal policies which arguably go beyond what was openly available to the claimants in this case. So it seems that there is a creeping move towards greater openness as far as the hitherto secret arrangements are concerned.

Jonathan Price was interviewed by Alex Heshmaty.

This article was first published on Lexis®PSL Public Law on 6 January 2015.