Matthew White,
PhD candidate at Sheffield Hallam University.
Introduction
On 21 December 2016, the Grand
Chamber (GC) of the Court of Justice of the European Union (CJEU) in Cases
C-203/15 and C-698/15 Tele2 and Watson
ruled that blanket indiscriminate data retention was incompatible with European
Union (EU) law. With that judgment, Professor
Lorna Woods highlighted that this did not mean that the CJEU’s
interpretation of the requirements of the Charter of Fundamental Rights (CFR)
was ‘limited only to this set of surveillance measures.’ Hence, on 9 September
2017, the Investigatory Powers Tribunal (IPT) in Privacy
International v the Secretary of State for Foreign and Commonwealth Affairs and
Others handed down a judgment regarding the lawfulness under EU law of
the acquisition and use of Bulk Communications Data (BCD) under s.94 of the Telecommunications Act 1984 (TA 1984)
[4], including a request to the CJEU to answer further questions on EU law.
This blog post concerns itself not with the preliminary reference itself, but
the underlying flawed logic of the IPT’s reasoning with regards to fundamental
rights protection.
The IPT’s faulty premise plagues its judgement from the beginning
The IPT highlighted that the
issue before them was the balance between steps taken by the State, through
Security & Intelligence Agencies (SIAs) and to ‘protect its population
against terror and threat to life against the protection of privacy of the individual’ [6]. The
premise of the IPT is deeply flawed from the outset thus impacting upon its
reasoning. Daniel Solove has highlighted that ‘protecting the privacy of the
individual seems extravagant when weighed against the interests of society as a
whole’ (Daniel Solove, (2009) Understanding Privacy, Harvard University Press,
p89). When privacy is confined to individualistic notions (particularly of ‘bad
guys’), the argument for the departure of its protection becomes easier to
justify, no less when that justification is protecting an entire nation.
Privacy is not just an Individual Right
Many (including Solove) have
argued that privacy has a common, public and/or social value (Priscilla M.
Regan, Legislating Privacy, Technology,
Social Values and Public Policy, The University of North Carolina Press,
1995; Kirsty Hughes, ‘The social value of privacy, the value of privacy to
society and human rights discourse’ in Beate Roessler and Dorota Mokrosinska
(eds), Social Dimensions of Privacy
Interdisciplinary Perspectives (Cambridge University Press). Privacy is a
prerequisite for liberal democracies because it sets limits on surveillance by
acting as a shield for groups and
individuals (Alan F. Westin, Privacy
and Freedom, New York: Atheneum (1967), p24). It is also important in that,
in terms of voter autonomy and its attraction of talented people to public
office (Hughes, p228-229). Privacy is also important for social relations
(ibid, p229), even more so in that privacy invasive technologies can affect
social life more generally (Beate Roessler and Dorota Mokrosinska, p2). A
failure to protect social relations, is a failure to protect the democratic
state (Francesca Malloggi. “The Value of Privacy for Social Relationships.”
Social Epistemology Review and Reply Collective 6, no. 2 (2017): 68-77, p70).
These Powers do NOT just affect Individuals
Another problem with the IPT’s
premise is that to argue that such measures as BCD acquisition/use only affect
an individual’s privacy is simply not
true. It should be obvious by the very name and nature of the powers that
they are not
targeted on individuals (para 2.1), something which the Respondents in Privacy International even attested to
[9(ii)]. The draft
BCD Code of Practice under the Investigatory
Powers Act 2016 (IPA 2016) notes that ‘if the requirements of this chapter
are met then the acquisition of all
communications data generated by a particular CSP (Communications Service
Provider e.g. BT, Google, iCloud) could, in principle, be lawfully authorised’
(para 3.5). Thus, any suggestion that the issue at hand only concerns an
individual is palpably false. As the Grand Chamber (GC) of the European Court
of Human Rights (ECtHR) in S and Marper v United Kingdom
noted that the:
[M]ere storing
of data relating to the private life of an individual amounts to an
interference within the meaning [of Article 8]…subsequent use of the stored
information has no bearing on that finding [67].
Due to the nature of the BCD
powers, to say they only affect the individual is to ignore the reality of such
sweeping powers which constitute mass
interference of a ‘substantial portion, or even all of the relevant population’
[256] and do have chilling effects on
totally innocent people (Rozemarijn van der Hilst, (2009), ‘Human Rights
Risks of Selected Detection Technologies Sample Uses by Governments of Selected
Detection Technologies’ p20; German
Forsa Institute, Meinungen der
Bunderburger zur Vorratsdatanspeicherung, 28 May 2008). Just like
blanket data retention, BCD acquisition/use would ‘relate
to all communications effected by all
users, without requiring any connection whatsoever with’ [180] national
security.
Article 8 is not limited to Privacy
As ‘private life’ in Article 8 of
the European Convention on Human Rights (ECHR) is not susceptible to exhaustive
definition [66], this means that the notion is much
wider than that of privacy (p12). This encompasses a sphere within
which every individual can freely develop and fulfil his personality, both in
relation to others and with the outside world (ibid). Private life also
includes one’s physical
and psychological integrity [58], autonomy [ibid] as well as a right to a
form of informational
self-determination [137], physical, social [159]
and ethnic identity
[58], professional
activities [29], a certain degree of anonymity [42]
and the protection of personal data (S
and Marper, [103]).
This does not even begin to
consider how such concepts
overlap (p10-11). Nor is Article 8 limited to private life, as ‘correspondence’ [44] and
the potential for ‘home’
[41] and family
life (p21) (even more so now under the new regime of the IPA 2016 in light
of the Internet of Things etc) are equally important in the surveillance
context. The measure ‘strikes at freedom of communication between
users of the postal and telecommunication
services’ [41] because we increasingly use the internet to ‘establish
and support personal relationships, bank, shop, to gather the news, to decide
where to go on holiday, to concerts, museums or football matches. Some use it
for education and for religious observance – checking the times and dates of
festivals or details of dietary rules.’ Very few aspects of our lives are
untouched by the internet (Paul Bernal, ‘Data gathering, surveillance and human
rights: recasting the debate’ (2016) Journal of Cyber Policy, 1:2 243, p247).
Correspondence becomes
particularly important when it affects legal professional privilege (LPP) and
journalistic sources. This was a criticism of data retention laws in that it
did not provide any exceptions for professional secrecy (Tele2 and Watson, [105]). The ECtHR in Kopp v Switzerland
noted that Swiss law violated Article 8 because it provided ‘no guidance on how
authorities should distinguish between protected and unprotected attorney-client
communications’ [73-75]. BCD acquisition/use suffers from the same
drawbacks.
Thus, when the IPT refers merely
to individual privacy, it does so
without acknowledging the breadth and multifaceted nature of Article 8, or how
surveillance measures impact on them in various ways, which limits their
ability to give a thorough assessment resulting in a possible divergence
from the ECtHR.
Confining the discussion to Privacy foregoes the broader context of
Fundamental Rights Protection
[i]t is hard
to imagine, for example, being able to enjoy freedom of expression, freedom of
association, or freedom of religion without an accompanying right to privacy
(Benjamin J. Goold, ‘Surveillance and the Political Value of Privacy’ (2009)
1:4 Amsterdam Law Forum 3, p4).
When Article 8 is confined to the
narrow aspect of the privacy of a suspected terrorist, not only does it
overlook the breadth of Article 8 (mentioned above) but it does not even
entertain other fundamental rights that might be at stake. This is also a view
the then Independent Reviewer of terrorism legislation, David
Anderson acknowledged (para 2.12) and Paul Bernal (Paul Bernal). The CJEU
were also aware of this to some degree in Tele2
and Watson where they noted that the data retention could have an effect on
the use of means of electronic communication and, consequently, on the exercise
by the users thereof of their freedom of expression, guaranteed in Article 11
of the CFR [101], which is essentially equivalent to Article 10 ECHR.
Article 10 ECHR: Freedom of Expression
Article 10 applies to communications via the
internet [34] (in French), regardless of the message
conveyed [55] and irrespective
of its nature [47]. The ECtHR regards freedom of expression as constituting
‘one of the essential foundations of a democratic society and one of
the basic conditions for its progress and for each individual’s self-fulfilment’
[100]. Not only does this highlight freedom of expressions value to democracy,
it highlights one of the various ways in which Article 10 interplays with
Article 8 i.e. self-development
[117].
Another way in which Articles 10
and 8 interlink is that of anonymity, where Lord Neuberger
noted that in the context of anonymous speech, Article 8 reinforces Article 10 (para 25). Within that context, Neuberger
continued that Article 8 rights are of fundamental
importance (ibid, para 42). Political reporting and investigative journalism
attract a high level of
protection under Article 10 [129]. The then Special Rapporteur for the
United Nations of freedom of expression, Frank La Rue highlighted that that restrictions
on anonymity can have a chilling effect, which dissuades the free expression of
information and ideas (para 49).
Article 9 ECHR: Freedom of Religion, Thought and Conscience
Like Article 10, Article 9 is
regarded as one of the
foundations of a democracy [34]. Article 9 entails the freedom to manifest
one’s religion can be done in public or in private [78].
It also includes the absolute and unconditional right to hold a belief [ibid, 79]. The right to manifest one’s belief has a
negative aspect, in that an individual has a ‘right not to be obliged to
disclose his or her religion or beliefs and not to be obliged to act in such a
way that it is possible to conclude that he or she holds’ [41]. BCD
acquisition/use makes this entirely
possible (para 1.1), causing a notable chilling
effect.
Article 11 ECHR: Freedom of Association/Assembly
The GC of the ECtHR has referred
to freedom of assembly, like Article 9 and 10 as one of the foundations of a
democratic society [91]. Similarly, freedom of association is of utmost
importance because it ‘enables
individuals to protect their rights and interests in alliance with others’
(p4). The Steering
Committee on Media and Information Society (Sterling Committee) in their to
human rights for Internet users when referring to Article 11 noted that users
have ‘the right to peacefully assemble and associate with others using the
Internet’ (para 61). Just as noted above with other Convention Rights,
surveillance has harmful
effects on freedom of association (see also Valerie Aston, ‘State
surveillance of protest and the rights to privacy and freedom of assembly: a
comparison of judicial and protester perspectives’ (2017) EJLT 8:1).
The enjoyments of the rights
contained in Articles 9-11, which are foundations for democracy (especially
online) are underpinned by Article 8.
How the premise impacts upon the IPT’s reasoning
Given the above mentioned, it is
important to discuss how the lack of consideration for the potential effects on
other fundamental rights affects the IPT’s reasoning.
It’s not all about Utility
The IPT discussed the evidence
for supporting BCD acquisition/use, ranging from Anderson’s report, the case
studies within them, Mi5 witness statements (Privacy International, [11-17]). The IPT makes reference to the
critical value of BCD acquisition/use and the need for the haystack, in order
to find the needle. A quick counter to the second point is ‘[i]f
you’re looking for a needle in a haystack, how does it help to add hay?’
The problem with the needle in the haystack argument is that it could be used
to justify any amounts of data to be stored/used, even all that is available.
Furthermore, this part of the
judgement concerns what the IPT considers to be ‘The Facts’ yet on closer
examination, not everything highlighted by the IPT are facts. For example, the IPT refers to the Respondents’ witnesses
speaking persuasively and refers to
an Mi5 witness. If the IPT were to regard witness statements as facts, then for
example, Bruce
Schneier’s, or former National Security Agency (NSA) official William
Binney’s denunciation of mass surveillance should be given equal weight.
There is no suggestion that this is what was (or should have been) presented
before the IPT, but it highlights the weight given to opinions by the IPT.
Discussing only the evidence of the Respondent also demonstrates the
problematic information
asymmetry in the surveillance context where:
[I]nformation
asymmetrification provides a foundation on which the existence of elites is
built and possibilities of strengthening that asymmetry will be
enthusiastically sought (Geoffrey Lightfoot and Tomasz Piotr Wisniewski,
‘Information asymmetry and power in a surveillance society’ (2014) Information
and Organization 24 214–235, p230).
Regarding the first point, the
value of a measure does not necessarily
make it necessary [48]. The IPT considers that although BCD acquisition/use
is essential, this does not completely resolve the question of proportionality
(Privacy International, [16]). Lord Kerr in his dissenting opinion in Beghal
v DPP quite rightly noted that ‘powers which can be used in an
arbitrary or discriminatory way are not transformed to a condition of legality
simply because they are of proven utility’ [93]. Although the IPT did find
s.94 not to be compliant with Article 8 prior to its avowal, this follows a
trend of watering
down the prescribed by/in accordance with law requirements noted in Kennedy v United Kingdom
in where for the IPT, honesty appears to be synonymous with legality.
Moreover, the supporting evidence
for BCD acquisition/use does not refer to what type of communications data was
used, how it was used, or why it was key. The IPT noted that nothing in the
evidence they examined contradicts what was set out in paragraphs 11-16. This
is problematic for two reasons, if the IPT only considered evidence from the
Respondent, then it would make sense that there is less likelihood that
evidence presented would contradict arguments put forward, and thus becomes a
one-sided argument. Secondly, as Bruce Schneier noted ‘no method of
surveillance or inquiry will ever stop a lone gunman.’ Although, the murder of
Fusilier Lee Rigby involved two assailants, the Intelligence
and Security Committee (ISC) noted that Mi5 ‘put significant effort into
investigating [Michael Adebolajo] and employed a broad range of intrusive techniques. None of these revealed any
evidence of attack planning.’ What this demonstrates is the contrary view
that all the surveillance in the world did not prevent individuals ‘such
as the Fort Hood shooter, or Anders Behring Breivik, or the Charlie Hebdo
attackers.’ Therefore, the IPT draws attention to its obscured view given
that it has inquisitorial powers (s.68(2)(b) of the Regulation of Investigatory Powers Act 2000 (RIPA 2000)) and could
have sought information regarding counter arguments.
No Genuine Intrusion?
When the IPT discussed the
operation of s.94 TA 1984, they noted that access to BCD is either targeted or
more likely to involve electronic trawling of masses of data which are not
‘read’ to find the needle in the haystack (Privacy
International, [19]). The IPT continues that a ‘miniscule quantity of the
data trawled is ever examined. There is thus no genuine intrusion to any save
that miniscule proportion’ (ibid). This reasoning of the IPT is almost as if
the UK exists in a vacuum when it comes to the findings of the GC in S and Marper. The IPT’s reasoning is
that only when communications data is accessed/examined, then follows genuine
intrusion. This is why confining the issue to privacy proves problematic because
the GC in S and Marper noted that the
protection of personal data is of fundamental importance to the enjoyment of
private and family life. This protection begins as soon as the data is
processed and retained, thus marks the genesis of genuine intrusion, any
subsequent use has no bearing on this. The IPT’s reasoning follows the sentient
being argument which suggests that privacy is only interfered with when
private data is read by an intelligence officer. Following this argument would
lead to the logical conclusion of sowing the seeds of the total destruction of
private life and data protection as surveillance becomes increasingly automated
e.g. by analogy automatic
number plate recognition (ANPR) [169-170], see also CJEU
Opinion on PNR [121-132]. Using last century’s arguments (if one could even
call it that) are not suitable today.
The IPT maintains the approach of
significantly downplaying the severity of interference caused by storing and
using communications data. The IPT had previously accepted a false analogy from
the Respondent of equating GPS data (a particular type of communications data)
with communications data in general to argue that it is not as serious as
interception (Matthew
White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’
(2017) Journal of Information Rights, Policy and Practice 2:1, p9). This
was argued that when giving weight to this position:
[I]t did so by
considering a case of an isolated specific type of data, which cannot be used
to justify an argument that interference is less severe whilst ignoring the
cumulative total of the different types of communications data (ibid).
Malte Spitz of the German Green
party published data that was retained under Germany’s data retention laws in
which Zeit
Online created an interactive map detailing Spitz’s movements. Biermann
continued that this data revealed:
[W]hen Spitz
walked down the street, when he took a train, when he was in an airplane. It
shows where he was in the cities he visited. It shows when he worked and when
he slept, when he could be reached by phone and when was unavailable. It shows
when he preferred to talk on his phone and when he preferred to send a text
message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.
Advocate General (AG)
Saugmandsgaard Øe in Tele2
and Watson noted that that in the individual
context a general data retention obligation would facilitate equally serious interference as targeted surveillance measures, including those which intercept the content
of communications [254]. AG Saugmandsgaard Øe continued that the risks
associated with access to communications data ‘may be as great or even greater
than those arising from access to the content of communications’ [259]. For
example, replying to an email saying ‘lmao’ my not reveal much to an observer,
but the observer could learn what email address the message was sent from and
to, the time and date that message was sent, the location of when it was sent,
what browser was being used and what device was being used etc. This simple
analogy demonstrates why yet again the IPT are incorrect to downplay the
revealing nature of communications data given that people get killed based on it.
This seriousness only intensifies when the acquisition/use is in bulk.
Powerful Submissions?
The IPT highlighted the powerful
submissions (hence very persuasive (Privacy
International, [51])) made by the Respondent:
The use of
bulk acquisition and automated processing produces less intrusion than other
means of obtaining information.
The balance
between privacy and the protection of public safety is not and should not be
equal. Privacy is important and abuse must be avoided by proper safeguards, but
protection of the public is preeminent.
The existence
of intrusion as a result of electronic searching must not be overstated, and
indeed must be understood to be minimal.
There is no
evidence of inhibition upon, or discouragement of, the lawful use of telephonic
communication. Indeed the reverse is the case.
Requirements
or safeguards are necessary but must not, as the Respondents put it, eviscerate
or cripple public protection, particularly at a time of high threat [50].
It is important to deal with
these points individually (some of which are already dealt with above).
The
Respondents maintain that BCD acquisition/use is less intrusive than other
methods of gathering information without explaining what other methods are more
intrusive or why and why this is the least restrictive measure
to obtain the objective [260].
As noted
above, this is not just an issue of narrow privacy, but an issue of other applicable
fundamental rights protected by the ECHR. The premise of the balance between
privacy and public safety i.e. security is a miscast (Paul Bernal, p244),
misleading (ibid) and false (see here,
here
and here)
one to begin with. It ignores factors that demands for security can actually reduce security therefore, safety (Paul
Bernal, p224; Harold Abelson et al,
Keys under doormats: mandating insecurity by requiring government access to all
data and communications. Journal of Cybersecurity, 2015, 1–11, p5) and
otherwise prove ineffectual (see here
and here).
It also suggests that privacy should always be on the back foot when the issue
concerns the protection of the public, when the irony is that it’s the publics’
data that is being acquired and used (see social dimension of privacy above
which protects against utilitarian calculation of majoritarian societal
interests and/or political whims (Kirsty Hughes, p 227)). It also assumes that
when Convention Rights are a stake, the only question that needs to be answered
is whether the appropriate balance has been struck, forgoing legality and
necessity.
These types of
arguments would seemingly fall into the narrow nothing-to-hide-like argument
that looks for singular type of injury, be it some grave physical violence, a
loss of substantial money or something severely embarrassing (Daniel Solove. Nothing to Hide: The False Tradeoff between
Privacy and Security (2011). Yale University Press, p29). This of course
also ignores both European Courts on the severity of the mere storage of data
interfering with private/family life/freedom of
expression/association [107] and data protection.
Contrary to
what the Respondents assert, there is
evidence for chilling effects due to surveillance measures, some highlighted
above. Moreover, assessing chilling effects should not just be measured by
inhibitions, but actual methods of protecting online activity. There was An
increase in Virtual Private Network (VPN) (this essentially aims hide online
activity) subscriptions in Australia
when their national data retention laws came into force and in the UK
when the IPA 2016 and Digital Economy Act 2017 (DEA 2017) were
in passing. Or by the increasing
the use of ad blockers, which 11 million devices in the UK now have. As
Edward Snowden revealed ‘government
surveillance efforts are sometimes bolstered by online advertising practices.’
Moreover, Solove contends that the value of protecting against chilling effects
is not measured simply by its effects on individuals exercising their rights,
but its harms to society because among other things ‘they reduce the range of
viewpoints expressed and the degree of freedom with which to engage in
political activity’ (Daniel J. Solove, ‘’I’ve Got Nothing to Hide’ and Other Misunderstandings
of Privacy’ (2007) San Diego Law Review 44 745, p746). It is true that the
uptake in technology has increased e.g. smartphones
but this does not necessarily disprove the idea of chilling effects etc. This
is due to ignoring the fact that many may not be fully aware of what
information is being collected (Sandra Braman, 2006, Tactical memory: The
politics of openness in the construction of memory Sandra Braman. First Monday,
11(7); Connor
Sheridan, (2016) "Foucault, Power and the Modern Panopticon". Senior
Theses, Trinity College, Hartford, CT 2016. Trinity College Digital Repository,
p48; Majority
of Brits Unaware of Online Surveillance) where awareness leaves open the possibility of resistance (Andrew
Roberts, Privacy, Data Retention and Domination: Digital Rights Ireland Ltd v
Minister for Communications, (2015) 78(3) MLR 522–548, p545). This resistance
could be not using the technology, to finding ways to circumvent surveillance
law (self-regulatory), protests (Hintz, A. & Dencik, L. (2016). The
politics of surveillance policy: UK regulatory dynamics after Snowden. Internet
Policy Review, 5(3), p8) (political), or legal action all designed to protect fundamental
rights.
This is the
‘the ends justify the means’ justification. Not every interference or
derogation from the principle of protection of fundamental rights are necessary
in a democratic society.
Prior Authorisation
The IPT noted that Secretary of
State authorisations complied with the ECHR for reasons set out in a prior judgment.
The IPT were of the opinion that the ECtHR in Szabo & Vissy
v Hungary were not recommending any new safeguards because Hungarian
law fell below even existing principles [60]. This of course does not consider
cases such as Dumitru Popescu v Romania
[71-73], Iordachi and Others v Moldova
[40], and Uzun v Germany [72]
all endorsing the view that the body
issuing authorisations for interception should be independent and that there
must be either judicial control or control by an independent body over the
issuing body's activity.
So, when the ECtHR in Szabo endorses the view in Iordachi that ‘control by an independent
body, normally a judge with special expertise, should be the rule and substitute solutions the exception,
warranting close scrutiny’ [77] it is difficult to suggest the ECtHR in Szabo were not strongly advocating for
prior judicial control (Matthew White, p15). The ECtHR did acknowledge that post factum oversight may counterbalance the short comings of
initial oversight (referring to the IPT in Kennedy)
(Szabo, [77]). However, it has
already been argued that this counterbalance is not adequate (Matthew White,
p14-16).
Notification
According to the IPT, a
requirement of notification is inadequate in the circumstances of national
security because (a) national security is ongoing and (b) it relates to further
operations and methodologies (Privacy
International, [62]). The IPT also noted that this is not required for
compliance with the ECHR [63]. This, however, overlooks Association for
European Integration and Human Rights and Ekimdzhiev v Bulgaria where
the ECtHR found violations of Article 8 and 13 (effective remedy) for among
other things, a lack of a notification procedure [94] and [103]. Yet Ekimdzhiev concerned national security
and the ECtHR even referred to the notification in the national security
context in Germany for both individual (Klass v Germany, [11]
and general surveillance measures (Weber and Saravia v Germany,
[51-54] and in Leander v Sweden [31]).
This is permissible due to the ECtHR establishing the principle that:
[A]s soon as
notification can be made without
jeopardising the purpose of the surveillance after its termination, information should be provided to the
persons concerned (Ekimdzhiev,
[90]).
This establishes that to the
ECtHR’s mind, notification in the national security context is not
inappropriate or inadequate considering this has been the practice of Germany
for decades. Furthermore, the ECtHR acknowledge that it would not be desirable
in all circumstances to notify, therefore leaving that possibility open whereas
the IPT would prefer it kept shut. Also, in the national security context, the
GC of the ECtHR in Roman Zakharov v Russia
noted that notification was inextricably linked ‘to the effectiveness of
remedies before the courts and hence to the existence of effective safeguards
against the abuse of monitoring powers’ [234]. A point in which Paul de Hert and Franziska Boehm
share.
Although the GC referred to the
alternative to notification of the UK system i.e. the IPT jurisdiction (Roman Zakharov, [234]), de Hert and
Boehm have questioned whether Kennedy
‘is capable of responding to the challenges arising out of the use of new
surveillance techniques’ (Franziska Boehm and Paul de Hert, The rights of notification after surveillance
is over: ready for recognition? (Yearbook of the Digital Enlightenment
Forum, IOS Press 2012), pp. 19-39, p37). Boehm and de Hert continue that in
light of powers such as data retention and ‘fishing expeditions’ that target a
greater number of people without suspicion, a notification duty appears to be
an effective tool to prevent abuse (ibid, p37-8). Finally, Boehm and de Hert
note that the Belgian Constitutional Court has now adopted the notification
principle as a requirement to comply with Article 8 (ibid, p38). The IPT
highlights difficulties with the notification of BCD acquisition/use as to
whether notification should be to everyone whose data is in the database, those
subject to an electronic search or all those who feature in data in targeted
access (Privacy International, [64])?
Accepting this premise would accept the powers that are exercised to begin
with, which is at the heart of this issue.
Conclusions: Be careful what you wish for
Ultimately, the IPT referred the
question as to whether the Tele2 and
Watson requirements apply in the national security context to the CJEU
(ibid, [72]). This blog post has argued that much of the IPT’s reasoning with
regards to fundamental rights protection is lacking. By confining itself to a
restrictive notion of individual privacy of a person of interest, the IPT blinds
itself to the broader notions of Article 8 and the other fundamental rights it
underpins. Some aspects of the IPT’s reasoning (and Respondent’s arguments) is
not even consistent with the very human rights system (ECHR) the Respondents
are seeking to rely upon. The ECtHR have firmly noted that:
Given the
technological advances since the Klass
and Others case, the potential interferences with email, mobile phone and
Internet services as well as those of mass surveillance attract the Convention
protection of private life even more
acutely (Szabo, [53]).
The GC in Roman Zakharov found that Russian law to be in violation of Article
8 because interferences with privacy rights were ordered ‘haphazardly,
irregularly or without due and proper consideration’ (Roman Zakharov, [267]) in the national security context. Judge
Pinto de Albuquerque noted that Roman
Zakharov was a rebuke of ‘strategic
surveillance’ (Szabo, Concurring
Opinion of Judge Pinto de Albuquerque, [35]) which would accord a previous
concurring opinion of judge Pettiti in which surveillance should not be used
for ‘fishing’ exercises to bring in information (Kopp). If as the IPT say that a ‘miniscule quantity of the data trawled is ever examined’ how would
this square with the position of ‘[t]he automatic storage for six months of clearly irrelevant data cannot be
considered justified under Article 8’ (Roman
Zakharov, [255])? Time will tell if the ECtHR follows this trend in Big Brother Watch and Others
v UK, Bureau of Investigative
Journalism and Alice Ross v UK and 10 Human Rights Organisations
v UK. Therefore, the IPT should not convince itself of the ‘illusory
conviction that global surveillance is the deus
ex machina capable of combating the scourge of global terrorism’ (Szabo, Concurring Opinion of Judge Pinto
de Albuquerque, [20]). Surveillance has never just been an issue of privacy, or
private life or else the ECtHR would never have uttered its awareness:
[O]f the
danger such a law poses of undermining or
even destroying democracy on the ground of defending it, affirms that the
Contracting States may not, in the name
of the struggle against espionage and terrorism, adopt whatever measures they
deem appropriate (Klass, [49]).
Barnard & Peers: chapter 9
Photo credit: Pixabay
