Law and policy regarding the capture of communications data continue to dominate the headlines for 2016
The European Data Protection Day, and the equivalent US/Canadian Data Privacy Day, coincided last week on 28 January. Their purpose – in this, their 10th edition, which corresponds to the anniversary of the opening for signature of the Council of Europe’s Convention 108 for the Protection of individuals with regard to automatic processing of personal data – is to raise awareness and promote privacy and data security best practices. It seems a fitting time, then, to take stock and consider what 2016 holds for the ongoing debate over the correct ambit of state surveillance powers and the legal/policy safeguards that should apply to them in the EU.
Recent developments in the UK are a good place to start. As a reminder, the current communications data retention regime set out in the Data Retention and Investigatory Powers Act 2014 (DRIPA) is due to expire at the end of this year. In anticipation of this event – and in light of the High Court’s decision last year in Secretary of State for the Home Department v Davis MP & Ors  EWCA Civ 1185 finding DRIPA to be inconsistent with EU law – the UK government sought to fast-track the review of the UK surveillance legal framework by publishing its text of the proposed Investigatory Powers Bill (IPB) last November. As mentioned in previous posts here and here, the draft IPB recommends a new framework for the retention and acquisition of communications data and will partly replace the Regulation of Investigatory Powers Act 2000 (RIPA).
The draft IPB was subsequently considered by the House of Commons Science and Technology Committee in December. The result of that review is a highly critical report published this week here. Amongst other things, it argues that the Bill risks undermining the UK’s strongly performing technology sector because of: uncertainty over vague and ambiguous legislative definitions; doubts over the feasibility of safely collecting and storing the so-termed ‘internet connections records’ to be retained by communication service providers; and anticipated high compliance costs to be borne by the private sector.
Another area that is proving particularly contentious under the IPB relates to new provisions giving relevant UK authorities powers of equipment interference, that is, powers to hack equipment in order to obtain the communications data therein (see Part 5 of the Bill). Industry has voiced concerns about how customers might react to the prospect of such bulk equipment interference powers being introduced, especially as the interference would take place covertly and organisations would be under a duty of non-disclosure to their customers.
While this debate continues, last month the Equipment Interference (Code of Practice) Order 2016 (SI 2016/38) came into force. The self-titled Code of Practice, introduced pursuant to section 71 of RIPA and published here, provides guidance on:
- the procedures that must be followed before the intelligence services can interfere lawfully with electronic equipment;
- the processing, retention, destruction and disclosure of any information obtained by means of the interference; and,
- interference authorised under section 7 of the Intelligence Services Act 1994, which relates to authorisation of acts outside of the British Isles.
Notwithstanding this, the Code is similar in form to the previous Covert Surveillance and Property Interference Revised Code of Practice.
Another, related development has been the coming into force of a revised Code of Practice on the interception of communications under RIPA (Part 1, Chapter 1) with the enactment of the Regulation of Investigatory Powers (Interception of Communications: Code of Practice) Order 2016. A copy of the Code of Practice has been published here. In summary, it:
- updates existing guidance to include new case law and legislative developments;
- gives additional information on the interception and handling of external communications and the content of warrants under section 8(4) of RIPA; and,
- provides further information on the protections given to legally privileged and other confidential material.
These amendments reflect developments in the law since the original code was brought into force in 2002.
Both new Codes of Practice must be taken into account by those in relevant UK authorities (see, e.g. section 6(2) of RIPA for a list of such public authorities) exercising related powers of interference and interception. They provide useful information on the lawfulness of their relevant powers and the rules and safeguards that apply to the security and law enforcement agencies in such exercise of those powers. They also build on the introduction of other new codes of practice regulating investigatory powers in 2015 (see my post here). But do these incremental nudges towards more transparency and due process over covert surveillance operations go far enough in a post-Snowden world? In other words, is a piecemeal approach to adding rigour to the oversight regime adequate for addressing concerns regarding the proportionality of means to purpose in the exercise of state investigation powers where citizens’ communications data are concerned?
The proposed text of the IPB would introduce more wholesale changes. Yet the Parliamentary Committee has been highly critical in the conclusions it has drawn during its inquiry. In the press release accompanying its report, the Parliamentary Committee states that “It has not addressed the need or otherwise for the communications monitoring provisions or whether they are proportionate to the threats they are intended to deal with” as “these matters will be covered by the Joint Committee established to scrutinise the draft Bill as a whole”. However, it does include a statement by Nicola Blackwood MP opining that “there are still many unanswered questions about how this legislation will work in the fast evolving world of communications technology”.
We can anticipate that the final version of the IPB will be put to a Parliamentary vote sometime in the Spring. The potential legal ‘fly in the ointment’, however, is whether the Court of Justice of the EU (CJEU) fast-tracks the preliminary reference before it from the English Court of Appeal to provide further guidance on the consequences of its decision in Digital Rights Ireland for EU state surveillance powers. In particular, the CJEU has been asked whether, in that decision, it had intended “to lay down mandatory requirements of EU law with which the domestic legislation of EU Member States must comply”. Moreover, did it “intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR”? For background, see Sophie’s post here.
Once that judgement is forthcoming, further legal challenges to the new UK legislative regime for retaining and accessing communications data can almost certainly be expected to come thick and fast.