Nóra Ni Loideán: Privacy International Symposium – Data Privacy: European and British Perspectives
Privacy International has brought judicial review proceedings against the Investigatory Powers Tribunal, in respect of the Tribunal’s treatment of a complaint about computer hacking by GCHQ. At first instance ( EWHC 114 (Admin)) and on appeal ( EWCA Civ 1868), it has been held that judicial review of the Tribunal is precluded by the ouster clause contained in s. 67(8) of the Regulation of Investigatory Powers Act 2000. A seven-judge bench of the Supreme Court (Lady Hale, Lord Reed, Lord Kerr, Lord Wilson, Lord Sumption, Lord Carnwath and Lord Lloyd-Jones) will hear Privacy International’s appeal in December.
This online collection grows out of a symposium held by the Centre for Public Law at the University of Cambridge on October 20, 2018, organised by Dr Paul Daly (University of Cambridge). Symposium participants have agreed to post short contributions on this important litigation.
The foregoing analysis of the Privacy International preliminary reference to the Court of Justice of the EU (CJEU) may provide useful context for those predominantly interested in the domestic litigation concerning the pending UK Supreme Court judgment on ouster clauses and the Investigatory Powers Tribunal (IPT).
The Privacy International preliminary reference from the IPT to the CJEU raises a number of significant issues for data privacy law in Europe, including questions of legality, proportionality, and the capacity of the CJEU to adjudicate on matters concerning national security. The latter is unprecedented and is arguably the most important with respect to the future reach of EU law in matters of government surveillance. Specifically, the CJEU is being asked to reconcile the apparently unstoppable force of the expanding scope of EU data protection law with (what has until now been considered) the ‘immoveable object’ of national security being the sole jurisdiction of EU Member States as provided under primary EU law (Article 4 TEU) and secondary EU law (Article 1(3) of the 2002 E-Privacy Directive).
As addressed elsewhere, Privacy International highlights another key issue within European data privacy law, namely the EU’s highest court’s increasingly purposive and expansive interpretation and application of the EU Charter of Fundamental Rights in its recent landmark data privacy case law. In its reference to the CJEU, the IPT has rightly (in my view), although with a highly selective and incomplete analysis of the relevant EU law, raised the question of what exact legal basis provides for the application of EU law in this instance to the national security authorities of EU Member States.
This has been a thorny issue for the CJEU since the seminal case of Digital Rights Ireland, which although was heralded by privacy advocates for striking down the 2006 EU Data Retention Directive, also raised concerns of legal certainty and questions regarding the role and capacity of the CJEU as an adjudicator of fundamental rights. Here the Luxembourg Court departed from an earlier 2009 judgment (Ireland v Parliament) where the main aim that determined that the legal basis of the 2006 EU Data Retention Directive was held to be the internal market. This made the impugned 2006 Directive a binding ‘first-pillar measure’ as it sought to harmonise the internal market for communication service providers. This meant that the primary aim of the 2006 Directive was not the fighting of crime or terrorism (a ‘third-pillar measure’) which would have required the retention regime to have been adopted under another legal basis of ‘a framework decision’. The latter would then have accorded Member State governments with the discretion to opt out of such a measure. This EU governance ‘à la carte’ framework has since been replaced by a new legislative regime under the Lisbon Treaty in 2009.
In 2014, however, without any reasoning or reference to its earlier judgment, the CJEU Grand Chamber instead held that the scope of the same EU law governing data retention for the purposes of serious crime extended beyond the internal market legal basis concerning its retention by the private sector and now applied also to the access, and subsequent processing of this data, by competent law enforcement authorities. Consequently, the IPT has been put in a position whereby it must seek clarification from the CJEU regarding whether or not, or to what extent, the privacy and data protection requirements and minimum safeguards established by the CJEU in its earlier judgments of Digital Rights Ireland and Tele2 Sverige AB & Watson apply in the context of national security.
More specifically, this reference concerns the UK’s Bulk Communications Data (BCD) regime, as provided for under section 94 of the Telecommunications Act 1984. Communications data does not reveal the content of a communication. Instead, it identifies the ‘who’, ‘when’, ‘where’, and ‘how’ of a communication. It may reveal far more about an individual’s private life when done so in ‘bulk’. This method of monitoring may encompass the communications from all of an individual’s devices (smartphones, tablets, and laptops). These may then be retained over a lengthy period of time (usually six months), combined, and analysed. The capacity to aggregate and sift through the resulting detailed profiles and identify patterns is then achieved through the combination of many isolated items of information that may not in themselves be considered especially private or personal.
Hence, the bulk collection of communications data can reveal rich profiles about an individual’s public and private life, or what this author describes as very detailed ‘narrative data’, eg the nature of a relationship between parties, or a person’s daily routine, based on the frequency/timing of their communications and tracking of their movements. Both the IPT, and the European Court of Human Rights’ in its recent landmark post-Snowden judgment of Big Brother Watch & Others v U.K., have held that this information is ‘of critical value’ and ‘a valuable resource for the intelligence services’ with respect to identifying patterns that ‘reflect particular online behaviours’ associated with activities like terrorist attacks and tracking networks and associations involved in such attacks. At the same time, as highlighted in the increasingly purposive data privacy jurisprudence of the CJEU Grand Chamber since Digital Rights Ireland which established the minimum safeguards for bulk data retention (later clarified to also apply to national law in Watson) at issue in Privacy International, the mere retention of communications data in bulk (even without content) still constitutes ‘a particularly serious interference’ with the right to respect for private life and data protection, as guaranteed under articles 7 and 8 of the EU Charter.
The 2016 Anderson Report which found that there was ‘a proven operational case’ for the use and acquisition of a ‘Bulk Communications Data’ (BCD) regime by the intelligence services noted the element of all data being aggregated in one place (ie all in one aggregated database) as an important and distinctive feature of the regime. It is important to note that the scope of this report and its findings (cited at length by the IPT in its preliminary reference to the CJEU) did not extend to assessing the proportionality of the regime or the adequacy of safeguards and their compatibility with the ECHR and EU legal systems.
Nevertheless, the Anderson Report concludes with the following four findings. First, the regime is noted as being ‘crucial’ in a variety of areas, including counter-terrorism and counter-espionage. Secondly, the acquisition of BCD is found to be ‘valuable’ in circumstances of imminent threat, with its ‘principal utility’ being the swift identification of a target and their subsequent actions. Thirdly, it is highlighted that the capability provided by this bulk retention, acquisition, and aggregation of these data cannot be matched with the use of data obtained in targeted means. Finally, the Report suggests that any alternatives to the BCD regime are ‘frequently more intrusive’. This finding addresses a key element that forms part of the examination of the condition of proportionality undertaken by the CJEU and ECtHR, namely whether there are other less intrusive measures available to the public authorities.
The IPT initially concedes that the evidence in the Anderson Report ‘does not completely resolve the question of proportionality … but it does very clearly establish the purpose for which these powers are deployed and how they are used’. The IPT then, effectively assuming the role of de facto advocate of the secret intelligence agencies, proceeds to fully resolve the question of whether the BCD regime does in fact satisfy the proportionality based on evidence that it both accepts and agrees with. This evidence, the IPT posits, consists of the combination of the 2016 Report’s findings with the evidence and materials seen by the IPT, with the former ‘fully’ supporting the latter. Hence, the IPT concludes its analysis of the ‘Relevant Factual Context – BCD’ with the determination that the regime effectively satisfies the condition of proportionality as it is ‘essential to the protection of the national security of the United Kingdom’ (para 17) (emphasis added).
It remains to be seen how much weight the CJEU will give to the IPT’s assessment of the proportionality of the BCD regime which (as the IPT consistently emphasizes) serves the ‘essential state function’ of safeguarding national security in determining the regime’s compatibility with EU law, particularly Articles 7 and 8 of the EU Charter. Much scrutiny will also be given to how, and to what extent, the CJEU will diverge from the deferential approach of the ECtHR in Big Brother Watch which gave considerable weight to the oversight role of the IPT in its conflated analysis of the legality and proportionality conditions of Article 8(2) ECHR, in addition to praising the IPT’s ‘elucidatory role’ in its earlier judgments and submissions as providing ‘invaluable assistance’ to the ECtHR.
Finally, the IPT has framed its submissions to the CJEU based on arguments largely drawn from the case law and approach of the ECtHR. The IPT’s analysis is strikingly incomplete here as there is no examination of the other key right that the CJEU will be required to assess – the right to data protection under Article 8 of the EU Charter of Fundamental Rights. The latter being particularly significant with respect to the issues of data security risks posed by the ‘vast quantity of data’ retained under the BCD regime, its sensitivity and capacity for profiling, and the risk of unlawful access. The IPT also ignores addressing the diverging approaches of the ECtHR and the CJEU with respect to the metaphorical ‘communicating vessels’ approach (notably dismissed in the AG’s influential Opinion to the CJEU in Watson) to specific oversight safeguards not being required where there are ‘suitable alternative mechanisms’.
Dr Nóra Ní Loideain is Director and Lecturer in Law of the Information Law and Policy Centre, Institute of Advanced Legal Studies, University of London.