Showing posts with label Interception. Show all posts

Monday, 31 January 2022

Internet legal developments to look out for in 2022

Another instalment of my annual round-up of what is on the horizon for UK internet law [Updated 29 April and 2 November 2022]. It does stray a little beyond our shores, noting some significant EU developments (pre-Brexit habits die hard). As always, it does not include data protection (too big, not really my field).

Draft Online Safety Bill

The UK government published its draft Online Safety Bill in May 2021. The Parliamentary Joint Pre-Legislative Scrutiny Committee published its report on the draft Bill on 14 December 2021. A sub-committee of the Commons DCMS Select Committee also published a report on 24 January 2022, as did the Lords Communications and Digital Committee Inquiry on Freedom of Expression Online on 22 July 2021.

The government introduced a Bill into Parliament on 17 March 2022. The Bill had its Second Reading on 19 April 2022. Its Report Stage is paused, likely to be recommenced this month. Among many things for which the draft legislation is notable, its abandonment of the ECD Article 15 prohibition on general monitoring obligations stands out.

EU Digital Services Act

The European Commission published its proposals for a Digital Services Act and a Digital Markets Act on 15 December 2020. The proposed Digital Services Act includes replacements for Articles 12 to 15 of the ECommerce Directive. Following a vote in the European Parliament on 20 January 2022, the proposed legislation entered the trilogue stage. Political agreement was reached on 23 April 2022. The final text was published in the Official Journal on 27 October 2022.

Terrorist content

The EU Regulation on addressing the dissemination of terrorist content online will come into effect on 7 June 2022.

Erosion of intermediary liability shields by omission

One by-product of Brexit is that the UK is no longer bound to implement the conduit, caching and hosting shields provided by the EU eCommerce Directive. The government says that it “is committed to upholding the liability protections now that the transition period has ended”.

However, implementation of that policy requires every new piece of legislation that could impose liability on an intermediary explicitly to include the protections. If that is not done, then, owing to the fact that the original Electronic Commerce Directive Regulations 2002 do not have prospective effect, the protections will not apply to that new source of liability.

Two examples are already progressing through Parliament: the statutory codification of the public nuisance offence in the Policing Bill (which, following Royal Assent, came into force on 26 June 2022), and the electronic election imprints offences in the Elections Bill (Royal Assent 28 April 2022, not yet in force), neither of which includes the conduit, caching and hosting shields.

Such omissions have been known in the past, and were cured by statutory instrument under the European Communities Act 1972. That option is no longer available. As time goes on, accretion of such omissions in new legislation will gradually erode the intermediary protections to which the government is committed.

Law Commission Reports

The Law Commission has issued two Reports making recommendations that are relevant to online speech. The first is its Report on Reform of the Communications Offences (notably, recommending replacing S.127 Communications Act 2003 and the Malicious Communications Act 1988 with a new harm-based offence). The second report is on Hate Crime Laws. The recommendations on communications offences, at least, have been included in the Online Safety Bill.

Copyright

The Polish government’s challenge to Article 17 (Poland v Parliament and Council, Case C-401/19) was decided on 26 April 2022. Poland argued that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contended that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.

The Advocate-General’s Opinion was delivered on 15 July 2021. It was something of an Opinion of Solomon: recommending that the challenge be rejected, but only on the basis that the Directive is implemented in a way that minimises false positives. The Advocate General also, in a postscript, challenged aspects of the Article 17 guidance issued by the Commission subsequent to the drafting of the Opinion. The judgment largely followed the Opinion, dismissing the challenge but on the basis of an interpretation of Article 17 that included strict safeguards against removal of lawful content.

Policing Bill

The Police, Crime, Sentencing and Courts Bill has ignited significant controversy over its impact on street protests, including through its statutory codification of the common law offence of public nuisance. The potential application of the new statutory offence to online speech, however, has gone virtually unnoticed.

Product Security and Telecommunications Infrastructure Bill

An honourable mention for this Bill: a framework for imposing all kinds of security requirements on (among other things) internet-connectable products.

Back from the dead? The Digital Economy Act 2017

The non-commencement of the age verification provisions of the Digital Economy Act 2017 has long been a source of controversy. In November 2021 the High Court gave permission to two members of the public to commence judicial review proceedings. This may now in practice have been overtaken by the inclusion of pornography sites in the Online Safety Bill.

Cross-border data access

The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. No announcement has yet been made that the Agreement has entered into operation. It came into force on 3 October 2022.

The Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence was open for signature from 12 May 2022 and presented to the UK Parliament in July 2022.

State communications surveillance

The kaleidoscopic mosaic of cases capable of affecting the UK’s Investigatory Powers Act 2016 (IP Act) continues to reshape itself. In this field CJEU judgments will continue to be relevant in principle, since they form the backdrop to future reviews of the European Commission’s June 2021 UK data protection adequacy decision.

Domestically, Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. Some EU law aspects (including bulk powers) were stayed pending the Privacy International reference to the CJEU. Those aspects are now proceeding and, according to Liberty, are likely to be in court in early 2022. The Divisional Court rejected the claim that the IP Act data retention powers provide for the general and indiscriminate retention of traffic and location data, contrary to EU law. That point may in due course come before the Court of Appeal. The Divisional Court gave judgment on the stayed aspects on 24 June 2022. Liberty's claims were rejected except for one aspect concerning the need for prior independent authorisation for access to some retained data. 

Investigatory Powers Act review

The second half of 2022 will see the Secretary of State preparing the report on the operation of the IP Act required under Section 260 of the Act.

Electronic transactions

The pandemic focused attention on legal obstacles to transacting electronically and remotely. Whilst uncommon in commercial transactions, some impediments do exist and, in a few cases, were temporarily relaxed. That may pave the way for permanent changes in due course.

Although the question typically asked is whether electronic signatures can be used, the most significant obstacles tend to be presented by surrounding formalities rather than signature requirements themselves. A case in point is the physical presence requirement for witnessing deeds, which stands in the way of remote witnessing by video or screen-sharing. The Law Commission Report on Electronic Execution of Documents recommended that the government should set up an Industry Working Group to look at that and other issues. The Working Group has now been formed. It issued an Interim Report on 1 February 2022.

[Updated 29 April 2022 and 2 November 2022.]



Tuesday, 8 June 2021

Big Brother Watch/Rättvisa – a multifactorial puzzle

The European Court of Human Rights Grand Chamber has now delivered its long awaited judgment in Big Brother Watch.  It always seemed a bit of a stretch that the Strasbourg Court would tell the UK to close down the bulk (so to speak) of GCHQ’s operations, especially since 15 years ago the Weber/Saravia decision had accepted the principle of bulk communications surveillance (albeit in a world in which digital communications were not yet ubiquitous). 

So it proved. The Court’s Big Brother Watch judgment (and its companion judgment in the Swedish Centrum för Rättvisa case) lay down a revised set of fundamental rights criteria by which to assess bulk surveillance regimes, but do not forbid them as such.

The Grand Chamber’s approach

The twin judgments are notable for advancing further down the path of assessing a surveillance regime not by drawing red lines that must not be crossed, but by applying a multifactorial evaluation of criteria that feed into a “global assessment” of the regime's compliance with the “provided by law” and “necessary in a democratic society” requirements of the Convention.

The “provided by law” Convention requirement is that a measure must have some basis in law, and also have the quality of law: be publicly accessible and sufficiently certain and precise so as to be foreseeable in its effects. The scope of any discretion to exercise a surveillance power must be indicated with sufficient clarity to provide adequate protection against arbitrary interference.  

The conundrum that faces a human rights court is how such traditional rule of law requirements – certainty of law, foreseeability of legal effects, accessibility of a legal regime – can be applied to the inherently secret and discretionary nature of communications surveillance. The answer has been to import the notion that safeguards (such as independent oversight) can compensate for lack of openness, so long as the kind of circumstances in which communications surveillance may take place are clearly set out in legislation, supplemented if necessary by instruments such as codes of practice. The ECtHR’s particular focus on the role of safeguards is facilitated by its policy of considering the “provided by law” test jointly with whether the interference constituted by a given regime is “necessary in a democratic society” (BBW [334], Rättvisa [248]).

It is not a straightforward task to decide at what point safeguards sufficiently compensate for the rule of law deficiencies presented by secret exercise of a discretionary power. The Grand Chamber describes the role of safeguards in bulk interception of digital communications as “pivotal and yet elusive” (BBW [322], Rättvisa [236]). 

It is hard to avoid the conclusion that the search for this will o’the wisp is ultimately a matter of impression – the more so, the further the evaluation strays from red lines that cannot be crossed towards an overall multifactorial assessment, the result of which depends on how much weight the court chooses to give to each factor.

Bulk interception not per se unlawful

The challenge that faces a party seeking to strike down a bulk interception regime is how to bring a substantive objection – that a bulk communications surveillance regime is inherently repugnant - within the framework of a “quality of law” and “necessity” challenge. The argument will be that the interference with privacy and (perhaps) freedom of expression entailed by bulk communications interception is so great that, although useful, bulk communications interception does not pass the “necessity” test. This is the kind of argument that succeeded in the Marper case on blanket retention of DNA, fingerprint and cellular samples.

In the BBW and Rättvisa  cases the Grand Chamber held that a decision to operate a bulk interception regime continues to fall within the competence (“margin of appreciation”) of a Contracting State.  Their freedom of choice in how to operate such a regime is, however, more constrained. (BBW [340, 347], Rättvisa [254, 261])

Another way of stating the objection to such a regime might be that, given the scale of the interference, no amount of safeguards can compensate for the lack of foreseeability inherent in the secret exercise of bulk communications surveillance powers. However, in reality once necessity is surmounted in principle, the examination moves on to whether the combination of accessibility, precision of rules and compensating safeguards embodied in the regime under challenge is sufficient for Convention compliance.

The Court’s decision on RIPA

In BBW the UK’s now superseded RIPA (Regulation of Investigatory Powers Act 2000) regime was under challenge. As in the Chamber judgment in 2018 the Grand Chamber found the UK regime wanting. But it did so in slightly different ways:

| Chamber | Grand Chamber |
| --- | --- |
| Article 8 | |
| Bulk interception: lack of provision for sufficient oversight of the entire selection process, specifically search criteria and selectors [387, 388] | Lack of independent authorisation at the outset [377]. Lack of provision for oversight of categories of selectors at point of authorisation; lack of provision for enhanced safeguards for use of strong selectors linked to identifiable individuals [383]. Insufficiently precise nature of SoS certificate as to descriptions of material necessary to be examined [386, 387, 391]. All applicable to both content and RCD [416] |
| Bulk interception: examination of related communications data (RCD) exempted from all safeguards applicable to content, such as S.16(2) ‘British Islands’ restriction applicable to content. [357, 387, 388] | Lack of ‘British Islands’ restriction for RCD is not decisive in overall assessment [421]; different storage periods for RCD (“several months”) were not evident in the Interception Code. Should be included in legislative and/or other general measures [423] |
| Communications data acquisition: Violation of EU law meant that acquisition could not be in accordance with the law [467, 468] | Not contested [521, 522] |
| Article 10 | |
| Bulk interception: lack of protection for journalistic privilege at selection and examination stage (content and RCD) [493, 495, 500] | As per Art 8; additionally, no requirement for a judge or similar to decide whether use of selectors or search terms known to be connected to a journalist was justified by an overriding requirement in the public interest; or whether a less intrusive measure might have sufficed [456]. Nor provision for similar authorisation of continued storage and examination of confidential journalistic material once a connection to a journalist became known. [457] |
| Communications data acquisition: insufficiently broad journalistic privilege protections [499, 500] | Not contested [527, 528] |

The main concrete point of difference from the Chamber judgment is probably the Grand Chamber's emphasis on prior independent authorisation. That, in the form of Judicial Commissioner approval of the Secretary of State’s decision to issue a warrant, is now a feature of the Investigatory Powers Act 2016 which has superseded RIPA.

It is difficult to predict specific implications of the two Grand Chamber judgments for the IP Act. This is due to the Court’s already noted holistic, multifactorial approach to fundamental rights compliance. Although in places the Grand Chamber speaks of ‘minimum requirements’ – which might suggest a cumulative set of threshold conditions – in others it speaks of ‘shortcomings’ that inform the overall assessment and may be compensated for by other features of the regime.

This approach is more prominent in the Rättvisa judgment, in which the Court held that while certain safeguards did compensate for identified shortcomings in the Swedish regime, they did not do so sufficiently. The BBW judgment, while also adopting the “global assessment” approach, is in substance a starker exercise in striking down the RIPA regime owing to lack of certain safeguards. 

The main reason for the difference between the two judgments is that the Swedish surveillance regime did provide for initial authorisation of bulk warrants by an independent Foreign Intelligence Court. It could not, therefore, be said (as it was for RIPA in BBW) that the regime lacked independent authorisation at the outset (a minimum requirement that the Court has now described as a “fundamental safeguard” that “should” be present [377]). The approach of the Court in Rättvisa was therefore of necessity more nuanced.

Hard versus soft limits

By contrast with the Grand Chamber’s holistic, multifactorial approach, the EU Court of Justice has moved in the direction of insisting that the relevant legal instruments set out clear and precise hard limits on powers.

That contrast may to some extent reflect the different roles of the two courts. The CJEU’s task is to lay down the content of substantive, positive EU law, within the framework of the Charter of Fundamental Rights. The task of the ECtHR is not to harmonise or lay down positive law (although when it ventures into the territory of horizontal rights it comes perilously close to doing that), but to determine whether a potentially wide variety of  Contracting State laws has strayed beyond the boundaries of Convention compatibility.

Although even the CJEU must allow for some differences in Member State domestic laws, it is in principle able to be more prescriptive than the ECtHR. 

At any rate, the ECtHR (confirmed by the Grand Chamber in the BBW and Rättvisa cases) has taken a softer-edged approach, with greater stress on safeguards than on the need for clear and precise limits on powers (emphasised by the CJEU most recently in Privacy International/La Quadrature). Whether or not that ultimately means a substantively stricter outcome than the CJEU's approach, it certainly makes for one that is less predictable in terms of compliance with the Convention.

The ECtHR’s approach is exemplified by the set of compliance criteria articulated by the Grand Chamber in BBW and Rättvisa. It has laid down eight minimum criteria, compared with the six in Weber/Saravia, to be considered in deciding whether a surveillance regime passes the initial ‘in accordance with the law’ test.

The criteria are that the Court will examine whether the domestic framework clearly defines:

1. the grounds on which bulk interception may be authorised;

2. the circumstances in which an individual’s communications may be intercepted;

3. the procedure to be followed for granting authorisation;

4. the procedures to be followed for selecting, examining and using intercept material;

5. the precautions to be taken when communicating the material to other parties;

6. the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;

7. the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;

8. the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.

These are framed as topic areas that have to be clearly addressed in domestic law. They also imply some degree of minimum requirement: for instance, domestic legislation that addressed the topic of limits on the duration of interception by stating clearly that it may be unlimited would not pass muster. Similarly, the factors connote some level of independent supervision and review.

However, what those implied minimum requirements might amount to in practice is not easy to tell. The eight topics appear to be as much – perhaps more so - criteria to be assessed, as a cumulative set of threshold conditions to be surmounted.  They may have elements of both. The Court referred in its judgment to its ‘overall assessment’ of the bulk interception regime, emphasising that shortcomings in some areas may be compensated by safeguards in others. The Court may also take into account factors beyond the eight minimum criteria, such as notification provisions.

In a separate Opinion Judge Pinto de Albuquerque pointed out the ambiguity in the Grand Chamber’s judgment as to whether it was laying down factors to be considered or mandatory requirements:

“On the one hand, it has used imperative language (“should be made”, “should be subject”, “should be authorised”, “should be informed”, “must be justified”, and “should be scrupulously recorded”, “should also be subject”, “it is imperative that the remedy should”) and has called them “fundamental safeguards” and even “minimum safeguards”. But on the other hand, it has diluted these safeguards in “a global assessment of the operation of the regime”, allowing for a trade-off among the safeguards. It seems that at the end of the day each individual safeguard is not mandatory, and the prescriptive language of the Court does not really correspond to non-negotiable features of the domestic system.”

That said, the Court went on to lay down what it described as the “fundamental safeguards” that would be the cornerstone of an Article 8-compliant bulk interception regime ([350]). This was articulated in the context of the particular model presented to the court (collection, filtering to discard unwanted material, automated application of selectors and search queries, manual queries by analysts, examination by analysts, subsequent retention and use), which the Court regarded as involving increasing interferences with privacy as the process progressed ([325]). This model already feels somewhat old-fashioned, given the more sophisticated pattern-matching and other techniques that could be applied to analysis of, in particular, bulk communications data.

The Court's requirements are that the process must be subject to end-to-end safeguards, meaning that: 

  • At each stage of the process an assessment must be made of the necessity and proportionality of the measures being taken. [350]

  • Bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined [351]

  • The operation should be subject to supervision and independent ex post facto review [350]

The Court commented that the importance of supervision and review is amplified compared with targeted interception because of the inherent risk of abuse and the legitimate need for secrecy [349].

Drilling down further into those fundamental safeguards, the Court observed that:

  • The independent authorising body should be informed of both the purpose of the interception and the bearers or communication routes likely to be intercepted. [352]
  • Given that the choice of selectors and query terms determines which communications will be eligible for examination by an analyst, the authorisation should at the very least identify the types or categories of selectors to be used. The Court accepted that the inclusion of all selectors in the authorisation may not be feasible in practice. [354]
  • Enhanced safeguards should be in place for strong selectors linked to identifiable individuals. The use of every such selector must be justified by the intelligence services and that justification should be scrupulously recorded and be subject to a process of prior internal authorisation providing for separate and objective verification of whether the justification conforms to the principles of necessity and proportionality. [355]
  • Each stage of the bulk interception process – including the initial authorisation and any subsequent renewals, the selection of bearers, the choice and application of selectors and query terms, and the use, storage, onward transmission and deletion of the intercept material – should be subject to supervision by an independent authority. That supervision should be sufficiently robust to keep the interference with Art 8 rights to what is “necessary in a democratic society”. In order to facilitate supervision, detailed records should be kept by the intelligence services at each stage of the process. [356]
  • Finally, an effective remedy should be available to anyone who suspects that his or her communications have been intercepted by the intelligence services, either to challenge the lawfulness of the suspected interception or the Convention compliance of the interception regime. A remedy that does not depend on notification to the interception subject can be effective. But it is then imperative that the remedy should be before a body which, while not necessarily judicial, is independent of the executive and ensures the fairness of the proceedings, offering, in so far as possible, an adversarial process. The decisions of such authority shall be reasoned and legally binding with regard, inter alia, to the cessation of unlawful interception and the destruction of unlawfully obtained and/or stored intercept material. [357]

The court also provided guidance on sharing intercept material with agencies in other countries.

In the light of the above, the Court will determine whether a bulk interception regime is Convention compliant by conducting a global assessment of the operation of the regime. Such assessment will focus primarily on whether the domestic legal framework contains sufficient guarantees against abuse, and whether the process is subject to “end-to-end safeguards”. In doing so, the Court will have regard to the actual operation of the system of interception, including the checks and balances on the exercise of power, and the existence or absence of any evidence of actual abuse. [360]

The Court also observed that it was not persuaded that the acquisition of related communications data through bulk interception is necessarily less intrusive than the acquisition of content. It therefore considered that the interception, retention and searching of related communications data should be analysed by reference to the same safeguards as those applicable to content. [363]

That said, the Court observed that while the interception of related communications data would normally be authorised at the same time the interception of content is authorised, once obtained they could permissibly be treated differently by the intelligence services. 

In view of the different character of related communications data and the different ways in which they are used by the intelligence services, as long as the aforementioned safeguards were in place, the legal provisions governing their treatment did not necessarily have to be identical in every respect to those governing the treatment of content. [364]

Implications for the Investigatory Powers Act 2016

Where does this leave the 2016 Act? The Act ticks several important boxes, notably the “double lock” system of approval of bulk warrants by a Judicial Commissioner introduced after the end of the RIPA regime.

When considering the Convention compliance of the IP Act regime the Rättvisa decision is probably more factually relevant than the BBW decision, since it addresses a regime that featured initial authorisation by an independent court.

The IP Act in some respects provides stronger safeguards than those that fell short in Rättvisa – thus the UK IPT was held up as an example of what was possible in the area of ex post facto review.

On the other hand, the Swedish regime provided for mandatory presence of a privacy protection representative at Foreign Intelligence Court sessions. That was identified as a relevant safeguard to be weighed against the fact that the Court had never held a public hearing and that all its decisions were confidential.

There is no provision in the IP Act for a privacy protection representative to make submissions in the bulk warrant approval process. As to publicising bulk warrant approval decisions, in his April 2018 Advisory Notice the Investigatory Powers Commissioner said:

“The Judicial Commissioners will consider making any decisions on approvals public, subject to any statutory limitations and necessary redactions.”

It is noteworthy that the latest Annual Report of the Investigatory Powers Commissioner (for 2019) records that a Judicial Commissioner issued the first approvals of a communications data retention notice regarding internet connection records. It also describes a potential obstacle to approval of warrants posed by MI5's IT issues. Whilst this evinces a degree of openness, it does not go as far as (for instance) a practice of publishing Judicial Commissioner decisions on points of legal interpretation.

Given the multifactorial, trade-off-oriented approach of the Grand Chamber it is impossible to be categoric about whether this aspect of the IP Act regime presents Convention compliance problems. On the basis of Rättvisa we can expect, however, that it will be argued that either a privacy (and freedom of expression?) representative should be able to make submissions in the bulk warrant approval decision-making process, or the possibility of publishing elements of bulk warrant approval decisions should be explored further, or perhaps both.

As for the double-lock procedure itself, although the Secretary of State remains the primary decision-maker, and it is occasionally suggested that Judicial Commissioner approval, being based on judicial review principles, falls short of full scrutiny, it should not be forgotten that the Advisory Notice issued by the IPC in April 2018 stated that the Judicial Commissioners would not apply the relatively hands-off ‘Wednesbury reasonableness’ test, but instead the judicial review test applied by the domestic courts when considering interferences with fundamental rights. That would be taken into account in any assessment of the level of scrutiny applied to warrants.

Another area of the IP Act that is likely to attract attention is the IP Act's bulk communications data acquisition warrant. This is the successor to S.94 of the Telecommunications Act 1984, which the government admitted in November 2015 had been used for bulk acquisition of communications data from communications service providers.

Unlike bulk interception under RIPA (and now under the IP Act), the bulk communications acquisition warrant is not focused on foreign intelligence purposes. Given the various references in the BBW and Rättvisa judgments to bulk interception being primarily used for foreign intelligence, and the acknowledgment that bulk communications data should not be regarded as less sensitive than content, the Convention compliance of a domestic bulk acquisition regime may fall to be considered in the future.

A potential problem area, both for bulk interception and communications data acquisition, is journalistic privilege. Although the IP Act contains stronger protections for journalistic material than did RIPA, it may be questioned whether those, at least of themselves, are sufficient to meet the criticisms contained in the two ECtHR judgments.

Returning to the central theme of the Grand Chamber judgments, does the IP Act provide sufficient end-to-end safeguards over the bulk interception process? Following the Chamber judgment in 2018 I suggested that since the 2016 Act did not spell out whether end to end oversight was applied to all stages of the bulk interception process, more would need to be done to fill that gap (remembering that it is not enough for that simply to be done – it must be required to be done by means of clearly stated public rules.) That view is reinforced by the Grand Chamber judgment. I can do no better than repeat what I said then:

“Beyond that, under the IP Act the Judicial Commissioners have to consider at the warrant approval stage the necessity and proportionality of conduct authorised by a bulk warrant. Arguably that includes all four stages identified by the Strasbourg Court (see my submission to IPCO earlier this year). If that is right, the RIPA gap may have been partially filled.

However, the IP Act does not specify in terms that selectors and search criteria have to be reviewed. Moreover, focusing on those particular techniques already seems faintly old-fashioned. The Bulk Powers Review reveals the extent to which more sophisticated analytical techniques such as anomaly detection and pattern analysis are brought to bear on intercepted material, particularly communications data. Robust end to end oversight ought to cover these techniques as well as use of selectors and automated queries. 

The remainder of the gap could perhaps be filled by an explanation of how closely the Judicial Commissioners oversee the various selection, searching and other analytical processes.

Filling this gap may not necessarily require amendment of the IP Act, although it would be preferable if it were set out in black and white. It could perhaps be filled by an IPCO advisory notice: first as to its understanding of the relevant requirements of the Act; and second explaining how that translates into practical oversight, as part of bulk warrant approval or otherwise, of the end to end stages involved in bulk interception (and indeed the other bulk powers).”

The case for the gap to be filled formally is reinforced when we consider that the government has publicly referred to discussions that have been taking place with IPCO to strengthen end to end supervision in practice. The Grand Chamber judgment records the government’s argument that:

“Robust independent oversight of selectors and search criteria was therefore within the IC Commissioner’s powers: by the time of his 2014 report he had specifically put in place systems and processes to make sure that actually occurred, and, following the Chamber judgment, the Government had been working with the IC Commissioner’s Office to ensure that there would be enhanced oversight of selectors and search criteria under IPA.”

In his Annual Report for 2019 (published in December 2020) the Investigatory Powers Commissioner stated:

“Our oversight of bulk powers has evolved over the past year (see para 10.27). This reflected the European Court of Human Right’s judgment in the Big Brother Watch and others v UK case, and the Intelligence and Security Committee’s (ISC) Privacy and Security Report of March 2015. We reviewed our approach to inspecting bulk interception in 2019, considering the technically complex ways in which bulk interception is implemented and from 2020 our inspections will include a detailed examination of selectors and search criteria.”

Now that we have the Grand Chamber judgment the case appears to be stronger for the end to end oversight arrangements, and IPCO’s interpretation of the 2016 Act in that regard, to be spelled out publicly. That would also be well timed for the forthcoming review of the operation of the 2016 Act that is required to start in a year’s time.



Monday, 28 December 2020

Internet legal developments to look out for in 2021

Seven years ago I started to take an annual look at what the coming year might hold for internet law in the UK. This exercise has always, perforce, included EU law. With Brexit now fully upon us future developments in EU law will no longer form part of UK law. Nevertheless, they remain potentially influential: not least, because the 2018 EU Withdrawal Act provides that UK courts may have regard to anything relevant done by the CJEU, another EU entity or the EU after 31 December. In any case I am partial to a bit of comparative law. So this survey will continue to keep significant EU law developments on its radar.

What can we expect in 2021?

Copyright

Digital Single Market
EU Member States are due to implement the Digital Copyright Directive by 7 June 2021. This includes the so-called snippet tax (the press publishers’ right) and the Article 17 rules for online sharing service providers (OSSPs). The UK is not obliged to implement the Directive and has said that it has no plans to do so. Any future changes to the UK copyright framework will be “considered as part of the usual domestic policy process”.

The Polish government’s challenge to Article 17 (Poland v Parliament and Council, Case C-401/19) is pending. Poland argues that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contends that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.

Linking and communication to the public
The UK case of Warner Music/Sony Music v TuneIn is due to come before the Court of Appeal early in 2021.

Pending CJEU copyright cases
Several copyright references are pending before the EU Court of Justice.

The YouTube and Uploaded cases (C-682/18 Peterson v YouTube and C-683/18 Elsevier v Cyando) referred from the German Federal Supreme Court include questions around the communication to the public right, as do C-392/19 VG Bild-Kunst v Preussischer Kulturbesitz (Germany, BGH), C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-597/19 Mircom v Telenet (Belgium). Advocate General Opinions have been delivered in YouTube/Cyando, VG Bild-Kunst and Mircom.

YouTube/Cyando and Brein v News Service Europe also raise questions about copyright injunctions against intermediaries, as does C-500/19 Puls 4 TV.

Linking, search metadata and database right

C-762/19 CV-Online Latvia is a CJEU referral from Riga Regional Court concerning database right. The defendant search engine finds websites that publish job advertisements and uses hyperlinks to redirect users to the source websites, including that of the applicant. The defendant’s search results also include information – hyperlink, job, employer, geographical location of the job, and date – obtained from metatags on the applicant’s website published as Schema.org microdata. The questions for the CJEU are whether (a) the use of a hyperlink constitutes re-utilisation and (b) the use of the metatag data constitutes extraction, for the purposes of database right infringement.

Online intermediary liability

The UK government published its Full Consultation Response to the Online Harms White Paper on 15 December 2020, paving the way for a draft Online Safety Bill in 2021. The government has indicated that the draft Bill will be subject to pre-legislative scrutiny.

The German Federal Supreme Court has referred two cases (YouTube and Cyando – see above) to the CJEU asking questions about (among other things) the applicability of the ECommerce Directive hosting protections to UGC sharing sites. The Advocate General’s Opinion in these cases has been published.

Brein v News Service Europe and Puls 4 TV (see above for both) also ask questions around the Article 14 hosting protection, including whether it is precluded if communication to the public is found.

The European Commission published its proposals for a Digital Services Act and a Digital Markets Act on 15 December 2020. The proposed Digital Services Act includes replacements for Articles 12 to 15 of the ECommerce Directive. The proposals will now proceed through the EU legislative process.

The European Commission’s Proposal for a Regulation on preventing the dissemination of terrorist content online is nearing the final stages of its legislative process, the Council and Parliament having reached political agreement on 10 December 2020. The proposed Regulation is notable for requiring one hour takedown response times and also for proactive monitoring obligations - potentially derogating from the ECommerce Directive Article 15 prohibition on imposing general monitoring obligations on conduits, caches and hosts.

The prospect of a post-Brexit UK-US trade agreement has prompted speculation that such an agreement might require the UK to adopt a provision equivalent to the US S.230 Communications Decency Act. However, if the US-Mexico-Canada Agreement precedent were adopted in such an agreement, that would appear not to follow (as explained here).

Cross-border 

The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. No announcement has yet been made that the Agreement has entered into operation. The Agreement has potential relevance in the context of a post-Brexit UK data protection adequacy decision by the European Commission.

Discussions continue on a Second Protocol to the Cybercrime Convention, on evidence in the cloud.

State surveillance of communications


The kaleidoscopic mosaic of cases capable of affecting the UK’s Investigatory Powers Act 2016 (IP Act) continues to reshape itself. In this field CJEU judgments remain particularly relevant, since they form the backdrop to any data protection adequacy decision that the European Commission might adopt in respect of the UK post-Brexit. The recently agreed UK-EU Trade and Co-operation Agreement provides a period of up to 6 months for the Commission to propose and adopt an adequacy decision.

Relevant CJEU judgments now include, most recently, Privacy International (Case C-623/17), La Quadrature du Net (C-511/18 and C-512/18), and Ordre des barreaux francophones et germanophone (C-520/18) (see discussion here and here).

Domestically, Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. Some EU law aspects (including bulk powers) were stayed pending the Privacy International reference to the CJEU. The Divisional Court rejected the claim that the IP Act data retention powers provide for the general and indiscriminate retention of traffic and location data, contrary to EU law. That point may in due course come before the Court of Appeal.

In the European Court of Human Rights, Big Brother Watch and various other NGOs challenged the pre-IP Act bulk interception regime under the Regulation of Investigatory Powers Act (RIPA). The ECtHR gave a Chamber judgment on 13 September 2018. That and the Swedish Rättvisa case were subsequently referred to the ECtHR Grand Chamber and await judgment. If the BBW Chamber judgment had become final it could have affected the IP Act in as many as three separate ways.

In response to one of the BBW findings the government has said that it will introduce ‘thematic’ certification by the Secretary of State of requests to examine bulk secondary data of individuals believed to be within the British Islands.

Software - goods or services?

Judgment is pending in the CJEU on a referral from the UK Supreme Court asking whether software supplied electronically as a download and not on any tangible medium constitutes goods and/or a sale for the purposes of the Commercial Agents Regulations (C-410/19 Computer Associates (UK) Ltd v The Software Incubator Ltd). The Advocate General’s Opinion was delivered on 17 December 2020.

Law Commission projects

The Law Commission has in train several projects that have the potential to affect online activity.

It is expected to make recommendations on reform of the criminal law relating to Harmful Online Communications in early 2021. The government has said that it will consider, where appropriate, implementing the Law Commission’s final recommendations through the forthcoming Online Safety Bill. The Law Commission issued a consultation paper in September 2020 (consultation closed 18 December 2020).

The Law Commission has also issued a Consultation Paper on Hate Crime Laws, which while not specifically focused on online behaviour inevitably includes it (consultation closed 24 December 2020).

It has recently launched a Call for Evidence on Smart Contracts (closing 31 March 2021) and is also in the early stages of a project on Digital Assets.

Electronic transactions

The pandemic has focused attention on legal obstacles to transacting electronically and remotely. Whilst uncommon in commercial transactions, some impediments do exist and, in a few cases, have been temporarily relaxed. That may pave the way for permanent changes in due course.

Although the question typically asked is whether electronic signatures can be used, the most significant obstacles tend to be presented by surrounding formalities rather than signature requirements themselves. A case in point is the physical presence requirement for witnessing deeds, which stands in the way of remote witnessing by video or screen-sharing. The Law Commission Report on Electronic Execution of Documents recommended that the government should set up an Industry Working Group to look at that and other issues.

Data Protection 

Traditionally this survey does not cover data protection (too big, and a dense specialism in its own right). On this occasion, however, the Lloyd v Google appeal pending in the UK Supreme Court should not pass without notice.

ePrivacy

EU Member States had to implement the Directive establishing the European Electronic Communications Code (EECD) by 21 December 2020. The Code brings ‘over the top’ messaging applications into the scope of ‘electronic communications services’ for the purpose of the EU telecommunications regulatory framework. As a result, the communications confidentiality provisions of the ePrivacy Directive also came into scope, affecting practices such as scanning to detect child abuse images. In order to enable such practices to continue, the European Commission proposed temporary legislation derogating from the ePrivacy Directive prohibitions. The proposed Regulation missed the 21 December deadline and continues through the EU legislative process.

Meanwhile there is as yet no conclusion to the long drawn out attempt to reach consensus on a proposed replacement for the ePrivacy Directive itself. 

[Updated 29 December 2020 to add sections on Data Protection and ePrivacy.] 




Sunday, 15 December 2019

Internet legal developments to look out for in 2020

Never mind Brexit, what is coming up on the UK internet legal scene in the coming year? The highlight of 2020 is of course the January publication of the 5th edition of Internet Law and Regulation :-). That apart, here are some cases and legislation to look out for. (In accordance with long tradition this feature does not cover data protection.)

Copyright

DSM Copyright Directive
Member States’ implementation of the Digital Single Market Copyright Directive is due by 7 June 2021. This includes the so-called snippet tax (the press publishers’ right) and the Article 17 rules for online sharing service providers (OSSPs).

A CJEU challenge to Article 17 by the Polish government (Poland v Parliament and Council, Case C-401/19) is pending. Poland argues that Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry out prior automatic filtering of content uploaded online by users, and therefore to introduce preventive control mechanisms. It contends that such mechanisms undermine the essence of the right to freedom of expression and information and do not comply with the requirement that limitations imposed on that right be proportionate and necessary.


SatCab Directive
The EU Directive extending the country of origin provisions of the Satellite and Cable Broadcasting Directive to online radio and news broadcasts was adopted in April 2019 and has to be implemented by 7 June 2021.

Linking and communication to the public
In the UK case of Warner Music/Sony Music v TuneIn permission has been granted to both sides to appeal the High Court’s judgment of 1 November 2019.


Pending CJEU copyright cases
Several copyright references are pending in the EU Court of Justice. Judgment in the Dutch Tom Kabinet case on secondhand e-book trading (Case C-263/18) was delivered on 19 December 2019. The CJEU decided against Tom Kabinet, holding that its service was a communication to the public, not a distribution subject to exhaustion of rights.

The YouTube and Uploaded cases (C-682/18 Peterson v YouTube and C-683/18 Elsevier v Cyando) pending from the German Federal Supreme Court include questions around the communication to the public right, as do C-392/19 VG Bild-Kunst v Preussischer Kulturbesitz (Germany, BGH), C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-597/19 Mircom v Telenet (Belgium).

Questions about injunctions against intermediaries are also raised in C-682/18 Peterson v YouTube, C-442/19 Brein v News Service Europe and C-500/19 Puls 4 TV.

C-264/19 Constantin Film v YouTube asks questions about the permissible scope of court orders against intermediaries requiring provision of information about alleged infringers to rightholders under the IP Enforcement Directive.

Intermediary liability

The UK government published its Online Harms White Paper on 8 April 2019. The subsequent Conservative manifesto for the December 2019 election promised to legislate for online safety, while at the same time defending freedom of expression and in particular recognising and defending the invaluable role of a free press. The government’s response to its consultation on the White Paper was originally due to be published before the end of 2019. The Queen’s Speech immediately before the election indicated that draft legislation would be subject to the pre-legislative scrutiny process.

The German Federal Supreme Court has referred two cases (YouTube and Uploaded – see above) to the CJEU asking questions about (among other things) the applicability of the ECommerce Directive hosting protections to UGC sharing sites. C-442/19 Brein v News Service Europe (Netherlands, Supreme Court) and C-500/19 Puls 4 TV (Austria, Supreme Court) also ask questions around the Article 14 hosting protection, including whether it is precluded if communication to the public is found.


On 19 December 2019 the CJEU issued its AirBnB (C-390/18) judgment on the scope of the eCommerce Directive, holding that the kind of service provided by AirBnB is an information society service within the scope of the Directive. It also held that in criminal proceedings with an ancillary civil element, it is a defence to measures restricting an information society service incoming from another Member State that the measures had not been notified to the European Commission and the Member State concerned under Article 3(4) of the Directive.

The new European Commission is proposing a Digital Services Act, starting with a public consultation in early 2020. This will include a review of the ECommerce Directive liability shields.


On 12 September 2018 the European Commission published a Proposal for a Regulation on preventing the dissemination of terrorist content online. This followed its September 2017 Communication on Tackling Illegal Content Online and March 2018 Recommendation on Measures to Effectively Tackle Illegal Content Online. It is notable for proposing one hour takedown response times and for the ability for Member States to derogate from the ECommerce Directive Article 15 prohibition on imposing general monitoring obligations on conduits, caches and hosts. Discussions on the proposed Regulation continue.

Cross-border liability and jurisdiction

In the law enforcement field the EU has proposed a Regulation on EU Production and Preservation Orders (the ‘e-Evidence Regulation’) and associated Directive that would set up a regime for some cross-border requests direct to service providers. The UK has said that it will not opt in to the Regulation.

The US and the UK signed a Data Access Agreement on 3 October 2019, providing domestic law comfort zones for service providers to respond to data access demands from authorities located in the other country. Final implementation in each country awaits completion of review by the US Congress and the UK Parliament. The EU will commence negotiations with the USA for an EU-wide agreement.

Discussions continue on a Second Protocol to the Cybercrime Convention, on evidence in the cloud.

State surveillance of communications

The UK’s Investigatory Powers Act 2016 (IP Act) has come into force, including amendments following the Watson/Tele2 decision of the CJEU. The government has said that it will introduce ‘thematic’ certification by the Secretary of State of requests to examine bulk secondary data of individuals believed to be within the British Islands.

A pending reference to the CJEU from the Investigatory Powers Tribunal in litigation brought by Privacy International (Case C-623/17) raises questions as to whether the Watson decision applies to national security, and if so how; whether mandatorily retained data have to be held within the EU; and whether those whose data have been accessed have to be notified.


Liberty has a pending judicial review of the IP Act bulk powers and data retention powers. It has been granted permission to appeal to the Court of Appeal on the question whether the data retention powers constitute illegitimate generalised and indiscriminate retention. Other aspects (including bulk powers) are stayed pending the Privacy International reference to the CJEU or (a challenge based on the Human Rights Act) were refused by the Divisional Court.

The IP Act (in particular the bulk powers provisions) may be indirectly affected by other cases pending in the CJEU: Schrems 2 (C-311/18), challenges by La Quadrature du Net to the EU-US Privacy Shield (T-738/16) and to the French communications data retention regime (C-511/18 and C-512/18), and a challenge to the Belgian communications data retention regime (C-520/18); in the European Court of Human Rights (in which Big Brother Watch and various other NGOs challenge the existing RIPA bulk interception regime) and by a pending domestic judicial review by Privacy International of an Investigatory Powers Tribunal decision on equipment interference powers.

The ECtHR gave a Chamber judgment in the BBW case on 13 September 2018. That and the Swedish Rättvisa case were subsequently referred to the ECtHR Grand Chamber and are awaiting judgment. If the BBW Chamber judgment had become final it could have affected the IP Act in as many as three separate ways.

In the Privacy International equipment interference case, the Supreme Court held on 15 May 2019 that the IPT decision was susceptible of judicial review. The litigation will now continue.

Compliance of the UK’s surveillance laws with EU Charter fundamental rights will be a factor in any data protection adequacy decision that is sought once the UK becomes a non-EU third country post-Brexit.

Here is an updated mindmap of challenges to the UK surveillance regime: [image not reproduced]

Software - goods or services?

Judgment is awaited from the UK Supreme Court as to whether software supplied electronically as a download and not on any tangible medium is goods for the purposes of the Commercial Agents Regulations (Computer Associates (UK) Ltd v The Software Incubator Ltd).

[Updated 20 December 2019 to add Tom Kabinet and AirBnB CJEU judgments; 22 December 2019 to add C-511/18 and C-512/18; and 20 October 2020 with updated mindmap]