On the trail of the Person of Ordinary Sensibilities

One of the more perplexing provisions of the draft Online Safety Bill is its multi-level definition of legal but harmful content (lawful but awful content, to give it its colloquial name).

The proposal that service providers’ safety duties under the Bill should apply to such content is in itself controversial, when users themselves – who are in the same position as authors of books - owe no duty of care in respect of the safety of their readers. Some campaigners have argued that the proposed service provider duties should be limited to illegal content at most.

But given that legal content is included, how has the government set about drawing a line between innocuous and harmful?

The draft Bill contains twin definitions: ‘content harmful to adults’ and ‘content harmful to children’. Since they are almost identical, I shall refer just to harmful content. Both definitions make use of a legal fiction: the adult or child “of ordinary sensibilities”. 

Baroness Bull, in the House of Lords, foresaw “endless court time being devoted to determining whether my sensibilities are more ordinary than the next person's".

Why does the draft Bill use this term? What does it mean?

Why the Person of Ordinary Sensibilities?

The first question is easier to answer than the second. The problem with trying to define harmful content is that speech is subjectively perceived and experienced. Different people respond to reading, hearing or viewing the same content in different ways. They differ as to whether they find content offensive, shocking or disturbing, they differ in their emotional response (enjoyment, distress, anger, fear, anxiety), they differ as to whether they change their views after reading, hearing or seeing it, and they differ in terms of any action that they may or may not choose to take after reading, hearing or seeing it.

Legislation based purely on subjectively perceived harm is thus liable to adopt, by default, the standard of the most easily shocked, upset or offended. Translated into service provider obligations, when assessing risk of harm on its service the service provider might have to assume a low threshold and the most sensitive user.

To counter this, an available tool is to restrict the kinds of harm that are in scope, so that (for instance) mere annoyance does not count. The draft Bill stipulates ‘physical or psychological harm’. However, psychological harm still contains a significant element of subjectivity – it is not restricted to a medical condition – and in any event there remains the issue of people’s differing susceptibilities to psychological impact.

An approach to addressing variable susceptibility is to posit a notional reader defined in objective – or at least pseudo-objective – terms (discussed in detail in section 5 of my submission to the Online Harms White Paper consultation). The law contains many examples of such legally fictional characters, from the Man on the Clapham Omnibus to the Right-Thinking Member of Society. They are intended to iron out extremes – but in order to achieve that they still need to be clothed in attributes selected by the statute, the court or both. Goddard L.J. once observed:

“Of course, different minds have different ideas as to what is moderate, and seeking for a mean, a normal, or an average where there really is no guide is very like Lord Bowen’s illustration of a blind man looking for a black hat in a dark room”. (Mills v Stanway Coaches Ltd [1940] 2 K.B. 334)

Such legally fictional characters are normally deployed as part of a process of determining liability after the event, based on ascertained facts involving known individuals, tested and argued through the adversarial court process.

By contrast, the service provider under the draft Online Harms Bill would be expected to engage in a process of predictive policing, anticipating the kinds of content that, if they were to appear on the service, the service provider would have reasonable grounds to believe satisfied the definition of harm. It would have to consider the concomitant risk posed by them; and (most probably) write an algorithm to address them.

The task that the draft Bill assigns to service providers is thus to predict, seek out, detect and then either deal with (for adult harmful content), or mitigate, manage or prevent (for various kinds of child harmful content), any number of different hypothetical black or grey hats that might or might not be present in the dark room. 

Level 1 - The Person of Ordinary Sensibilities

The legally fictional character chosen to bring some objectivity to the draft Online Harms Bill is the Person of Ordinary Sensibilities. So at Level 1 of the multi-level definition, S.46(3) defines content harmful to an adult as content the nature of which is such that “there is a material risk of the content having, or indirectly having, a significant adverse physical or psychological impact on an adult of ordinary sensibilities”. I will descend into the lower levels of the definition presently.

Antecedents

A version of the Person of Ordinary Sensibilities is found in existing law. The DCMS Minister for Digital and Culture Caroline Dinenage, in her letter of 16 June 2021 to the Lords Communications and Digital Committee, said: “This concept is already well-established in law, for example in case law concerning the tort of misuse of private information.” This refers to the judgment of the House of Lords in the Naomi Campbell case. However, there are significant differences between misuse of private information and infliction of psychological harm. Moreover, when we delve into the antecedents of the Person of Ordinary Sensibilities we find that a mutation has occurred.

The main difference from privacy is that the focus of infliction of psychological harm is on the reader of the material: the person on whom the harm is inflicted. In contrast, in the tort of misuse of private information the hypothetical Reasonable Person of Ordinary Sensibilities refers to the person whose privacy is said to have been invaded, not someone who reads the disclosed information.

The privacy test is therefore not about impact on someone who receives information. It is whether the Reasonable Person of Ordinary Sensibilities, put in the position of the person whose private information is said to have been misused, would find the disclosure offensive or objectionable. What view would that hypothetical person, put in the position of the claimant and exercising their rational faculties, take of such disclosure about their own private life?

Caution is therefore necessary in transposing the Reasonable Person of Ordinary Sensibilities from misuse of private information to psychological impact on the reader.

Must the Person of Ordinary Sensibilities be Reasonable?

Most intriguingly, somewhere on the journey from Campbell v MGN to the draft Online Safety Bill, ‘Reasonable’ has been jettisoned. 

This can be no accident since ‘reasonable’ is an integral part of the Campbell formulation, and can be traced back in turn to a 1960 US paper on Privacy by Dean William Prosser. Why would anyone take a conscious decision to strike out ‘Reasonable’? Why include the Unreasonable Person of Ordinary Sensibilities? I have given some thought to this and - on the assumption that Reasonable has indeed been omitted for a reason - I have a possible answer. Whether it is the actual explanation I do not know.

When considering whether reasonableness is relevant, recall that for inflicted harm - unlike for privacy - we are considering the impact of the information on its recipient. If you jab someone in the arm with a needle, any person of ordinary sensibilities will react autonomically in the same way (if not necessarily to the same degree): with pain and blood. There is no room for any additional concept of reasonableness, since the reaction of the person to whom it is done is not a matter of conscious decision. 

Omitting “reasonable” in the draft Bill’s formulation suggests either that the drafters of the Bill have assumed the same to be true of imparting information; or if not, that as far as the draft Bill is concerned the reasonableness of the reader’s conscious reaction is irrelevant.

We can conceive of a circumstance in which reaction to information is not a matter of conscious decision. If someone suffering from epilepsy were to encounter online content containing flashing lights, a physical reaction might be triggered. It would appear likely to fit the description of 'significant adverse physical impact'. That reaction is not in any sense a matter of voluntary choice, but a question of someone’s sensitivity to flashing lights. As with the needle in the arm, reasonableness of the reaction is simply an irrelevant concept of no application. The only relevant question is whether the sensibilities of an epilepsy sufferer should be considered to be ordinary. (More of that when we consider the Level 2 definition.)

That, it seems, is how the draft Online Harms Bill approaches the matter of reading online content, not just for physical harm but also psychological harm. It would be consistent with the phraseology “content having a significant… impact”.

One possible interpretation of the draft Bill is that only information causing an autonomic adverse psychological impact is in scope. Any kind of impact that engages the rational faculties of the reader, and to which the reasonableness of the reader’s chosen reaction is therefore a conceptual possibility, would be out of scope.

That seems very unlikely to be the government’s intention, first because the distinction (if there is one) verges on deep psychological and even philosophical questions about what is and is not a conscious reaction.  Does a Person of Ordinary Sensibilities respond automatically or make a choice in how they react emotionally to encountering, say, prejudice of various kinds? What if the question of whether the particular speech in question amounts to prejudice in the first place is contested and debated, each side regarding the other as prejudiced?

Second, such a narrow interpretation would appear to exclude from scope informational subject matter (such as misinformation) that the government plainly intends to include and is referred to elsewhere in the draft Bill.

The second (and I would say probable) interpretation is that the formulation includes situations in which the reader has a degree of conscious choice about how to react, but nevertheless the reasonableness of the reaction is to be treated as irrelevant.

There is a certain logic to that when we consider misinformation. Any potentially harmful impact of misinformation or disinformation necessarily depends on the reader believing what they are told. Deciding what to believe involves an exercise of the critical faculties. Capturing all misinformation within the definition of harmful content depends upon excluding reasonableness from the equation and including the Credulous Person of Ordinary Sensibilities within the notional reader.

To take an extreme example of the distinction between sensibilities and reasonableness, consider a post predicting that the world will end tomorrow. Would a person of ordinary sensibilities experience significant adverse psychological impact if they were to believe it? It is hard to think otherwise. At any rate there would surely be reasonable grounds for a service provider to believe that that was a material risk. Would a reasonable and well-informed person believe it? No. If reasonableness of the belief is ruled out of consideration, the Credulous Person of Ordinary Sensibilities is within scope, the end-of-the-world post falls within the definition of harmful content and is within the service provider’s safety duty.

Conversely, if reasonableness is a relevant attribute of the Person of Ordinary Sensibilities, then the more outlandish the misinformation, the less likely it would fall within scope. The service provider – in addition to all the other fiendish judgements that it is required to make - would have to distinguish between what misinformation it is reasonable and unreasonable to believe.

This is not some esoteric academic point. In the USA claims for negligent infliction of emotional distress are permitted in some states. The New Jersey Supreme Court in Williamson v Waldman limited recovery to “the fears experienced by a reasonable and well-informed person.” This was a case based on fear of contracting AIDS as a result of having been pricked by a discarded medical lancet while cleaning a trash can. The court observed:

“Therefore, as a matter of sound public policy, the standard of proximate cause should require as an element of the test of causation a level of knowledge of the causes, transmission and risks of AIDS. Such an enhanced standard will serve to overcome and discourage ignorance about the disease and its resultant social ills. Thus, the reasonableness standard should be enhanced by the imputation to the victim of emotional distress based on the fear of contracting AIDS of that level of knowledge of the disease that is then-current, accurate, and generally available to the public.”

What is a significant adverse psychological impact?

The range of possible emotional reactions to a given item of content may give rise to difficult questions.

Does our notional Person of Ordinary Sensibilities become angry, anxious, fearful or distressed when they read certain content? Is anger an adverse psychological impact? Or do only the other reactions, if they are significant, qualify as adverse? Does the service provider have to gauge, hypothetically, whether our fictional legal character would be angered or distressed by reading particular kinds of content?

Is the fact that (say) serious distress is one possible reaction of our notional Person of Ordinary Sensibilities enough to satisfy the definition and trigger the service provider’s safety duties? Does the service provider have to consider whether, the more highly charged the subject matter of a debate, it is more likely that someone will claim to be traumatised by the repugnant views of their opponent?

Physical and psychological harm are not supposed to be about taking offence or objection. On the other hand the government has said that psychological harm is not intended to be limited to medically recognised conditions. The examples of kinds of significant negative effect on the mental state of an individual that they give in the Explanatory Notes are:

“feelings such as serious anxiety and fear; longer-term conditions such as depression and stress; and medically recognised mental illnesses, both short-term and permanent.”

What is ‘significant’ may be a matter for debate. Does it mean serious (as the Explanatory Note suggests), or merely that it is not trivial? It is noteworthy that some US caselaw has sought to inject a standard of reasonableness into the seriousness of the emotional distress experienced: “a level of distress such that no reasonable person could be expected to endure it without undergoing unreasonable suffering”. (Williams v Tennessee National Corp.)

Level 2 - characteristics and membership of groups

Having started by saying in S.46(3) that the Person of Ordinary Sensibilities has only ordinary sensibilities, the draft Bill goes on to qualify that.  Section 46(4) provides that:

“… in the case of content which may reasonably be assumed to particularly affect people with a certain characteristic (or combination of characteristics), or to particularly affect a certain group of people, the provider is to assume that [the Person of Ordinary Sensibilities] possesses that characteristic (or combination of characteristics), or is a member of that group (as the case may be).”

To take our previous example of a sufferer from epilepsy, if their sensibilities are not Ordinary under S.46(3), they would appear to be so under S.46(4). Epilepsy seems apt to count at least as a characteristic, in which case the service provider should consider whether there is a material risk of user content with flashing lights affecting sufferers from epilepsy.

Curiously, the DCMS Minister’s letter to the Lords Committee said that “use of the term “ordinary sensibilities” is intended to make clear that the test of whether legal content is harmful does not include content that only people with an unusual sensitivity (such as a phobia) would be harmed by.” Perhaps the Minister was intending to refer only to S.46(3). If she was also including S.46(4), it is not clear to me why (say) epilepsy would not be within scope of that section.

The issues under S.46(4) become more complex when previous experience is brought into the equation.

The Lords Communications and Digital Committee asked the DCMS whether being a survivor of sexual abuse would count as a relevant characteristic. The Minister’s first comment was that it would expect Ofcom’s codes of practice and any supplementary guidance to assist service providers to fulfil their obligations in relation to any such points – which is not really to the point, since the question was about the meaning of the legislation (by which Ofcom would be bound). 

However, the Minister went on to suggest that experiences that can have a profound effect on victims should be taken into account by service providers when assessing the risk of harm posed by online content to individuals. The person of ordinary sensibilities would include someone who had had that experience. The same would apply in other cases where content could potentially give rise to a material risk of significant adverse physical or psychological impact on survivors of an experience.

One effect of this provision appears to be that if different survivors of an experience might react differently to certain content – some, perhaps, finding discussion of a difficult subject helpful and some suffering anxiety or worse – the service provider should assume the adverse reaction.

Level 3 – indirect impact on a Person of Ordinary Sensibilities

Section 46(7) defines indirect impact on a Person of Ordinary Sensibilities. S.46(7)(a) addresses the risk of content causing an individual to do or say things to a targeted adult that would have an adverse physical or psychological impact on such an adult.

In this context it is clear that the individual concerned is making a conscious choice about how to respond to content. However, the section speaks in terms of "content causing an individual to do or say things" to another adult.

The unstated premise appears to be that an individual makes no conscious decision – that reading content causes the individual to act in a certain way. However, we read and view and make decisions. We may do something or nothing. If we do something, we choose what to do.  Content does not cause a single, involuntary, Pavlovian response.

The DCMS Minister, in her letter to the Lords Communications Committee, suggested that in this instance reasonableness of the interposed individual’s response is in fact a limiting factor:

“The service provider would not have the necessary reasonable grounds to believe that there was such a risk if the content could only have such an effect by triggering an unexpected response in an unreasonable person (for example innocuous content leading to risky or violent behaviour). (emphasis added)

There is a tension between referring to a response as being 'triggered', while simultaneously considering the reasonableness of the response. 

A provision of this kind might include a reference to whether it was reasonably foreseeable that an individual would decide to take a certain kind of action as a result of reading certain kinds of content, and whether that action was reasonable. S.46(7) is silent on that. The government’s view could perhaps be that the reasonableness limitation is implicit in causation.

Level 4 – the Ultimate Demise of the Person of Ordinary Sensibilities

Section 46(6) contains a further refinement of the Person of Ordinary Sensibilities, dealing with the situation where there is a known person at whom content is directed, or who is the subject of it. At this point the Person of Ordinary Sensibilities is abandoned and replaced with the person’s own sensibilities.

Thus where the provider has knowledge, relevant to the content, about a particular person at whom content is directed, the risk of significant physical or psychological impact on that person is to be considered, taking into account any of the following known to or inferred by the provider—

(a) that person’s characteristics;

(b) that person’s membership of a certain group of people.

The effect of this section appears to be that someone who claims to be significantly and adversely psychologically impacted by particular content can put the service provider on notice. If the service provider has reasonable grounds to believe that a material risk of such impact exists, then its safety duty focuses on that person and that content. We can imagine that a service provider would be reluctant to deny the risk, once put on notice of the claim. As such, this provision appears to embody veto possibilities.

Conclusion

The draft Bill's attempt to convert subjective perception of content into an objective standard illustrates just how difficult it is to apply concepts of injury and harm to speech. The cascading levels of definition, ending up with a provision that appears to give precedence to an individual’s subjective claim to significant adverse psychological impact, will bear close scrutiny – not only in their own right, but as to how a service provider is meant to go about complying with them.

[30 June 2021. Inserted 'is to be treated as', for clarity. Deleted erroneous 'not'.]

Speech vs. Speech

Can something that I write in this blog restrict someone else’s freedom of expression?

According to the UK government, yes. In its Full Response to the Online Harms White Paper the government suggested that under the proposed legislation user redress mechanisms to be provided by platforms would enable users to “challenge content that unduly restricts their freedom of expression”.

To anyone brought up on the traditional notion that a fundamental right of freedom of expression exists in order to limit the uniquely coercive power of the state, the proposition that one individual is capable of restricting another individual’s freedom of expression (let alone that they can do so merely by writing and publishing) is a contradiction in terms. Yet presumably the government meant something by it.

Happily, that phrase did not make it into the draft Online Safety Bill. Perhaps someone thought better of it. Nevertheless, it amply illustrates the fog of confusion that arises once we embark on a discussion of freedom of expression. We elide freedom of expression as a desirable value and freedom of expression as a fundamental right. We confuse substantive laws with the surrounding metalaw of fundamental rights. We conflate shields and swords. We employ the same terms to describe protection from state coercion and using state coercion as an instrument.

As a result, discussions of freedom of expression tend to resemble convoys of ships passing in the night. If, by the right of freedom of expression, Alice means that she should be able to speak without fear of being visited with state coercion; Bob means a space in which the state guarantees, by threat of coercion to the owner of the space, that he can speak; Carol contends that in such a space she cannot enjoy a fully realised right of freedom of expression unless the state forcibly excludes Dan’s repugnant views; and Ted says that irrespective of the state, Alice and Bob and Carol and Dan all directly engage each other’s fundamental right of freedom of expression when they speak to each other; then not only will there be little commonality of approach amongst the four, but the fact that they are talking about fundamentally different kinds of rights is liable to be buried beneath the single term, freedom of expression.

If Grace adds that since we should not tolerate those who are intolerant of others’ views the state should – under the banner of upholding freedom of expression – act against intolerant speech, the circle of confusion is complete.

It is difficult to make sense of appeals to freedom of expression as a fundamental right without appreciating the range of different usages and their, to some degree, contradictory underpinnings. When the same label is used to describe a right to be protected against coercive state action, a right whose existence is predicated on coercive state action, and everything in between, the prospects of conducting a debate on common ground are not good.

Prompted by the existence of the Lords Communications and Digital Committee Inquiry into Freedom of Expression Online, this piece aims – without any great expectation of success - to dispel some of the fog.

Freedom of expression as a value Freedom of expression as a value holds that more scope for expression is generally preferable to less. That is a reason for resisting undue restrictions imposed by the state.  It is also a criterion by which the policies of institutions, both private and state, may be evaluated and praised or criticised. Although freedom of expression as a fundamental right is not the same thing as freedom of expression as a value, the existence of the fundamental right reflects the high value that we place on freedom of expression.

However, we also value freedom of choice. An institution that chooses to place restrictions on the speech that it permits within its environs is not automatically to be deprecated. We do not necessarily think less of a meeting venue because, choosing to avoid controversy, it declines to follow the approach of Conway Hall.

That said, maximising the scope for freedom of expression may be thought to be especially desirable in some contexts. Universities, holding themselves out as dedicated to free and fearless academic inquiry and debate, are one example.

If an institution’s policy on speech is criticised as overly restrictive, the implication is that it has had insufficient regard to freedom of expression as a value. Whether that also engages a right of freedom of expression may depend on the version of the right adopted - Alice’s, Bob’s, Carol’s, Ted’s or some other – and, at least for Alice’s version, whether the institution in question forms part of the state. Grace will consider that unfurling the banner of freedom of expression is its own justification for the state to employ coercion.

Alice’s shield against abuse of state power

The classic formulation of freedom of expression as a fundamental right is Alice’s version: a protective shield against abuse of the uniquely coercive power of the state. That is most plainly rendered in the US First Amendment:  “Congress shall make no law…”.

Although the European Convention on Human Rights is more equivocal, its primary concern is also said to be coercion by the state. ECtHR caselaw refers to the “primarily negative undertaking of a State to abstain from interference in the rights guaranteed by the Convention”. To comply with the Convention, an interference with freedom of expression by the state must be prescribed by law and satisfy conditions of necessity and proportionality.

From this perspective the proposition that my writing can restrict your (right of) freedom of expression is startling. My writing is not state action. As such, the proposition is orthogonal to Alice’s notion of a fundamental right. It falls at the first hurdle. We never reach the question of whether – and if so how – speech might of itself be capable of restricting someone’s differently conceptualised right of freedom of expression.

Bob and Carol’s sword of horizontality However, some concepts of fundamental rights are broader than a shield against state coercion. One such is the notion of a positive state obligation. That may require the state to unsheath its sword and take positive steps to ‘secure’ an individual’s fundamental right. In its simplest, bilateral, form a state can be required to take positive steps to protect an individual’s right as against the state itself.

In Europe the theory of positive state obligations has reached its full flowering with the theory of horizontal fundamental rights. This is borrowed from the German constitutional law concept of drittwirkung and has increasingly been adopted by the European Court of Human Rights. In this version the state is obligated not merely to refrain from interfering unjustifiably with someone’s Convention rights, but may positively be obliged to wield the sword of coercive power in order to secure a Convention right as between one private individual and another.

The Strasbourg Court frequently recites that the obligations on the State are not necessarily limited to abstaining from interference with Convention rights, but may “require positive measures of protection, even in the sphere of relations between individuals” (see e.g. Palomo Sanches v Spain 12 September 2011)

The ECHR evolution from shield to sword is well summarised by Monika Florczack-Wątor:

“After World War II, the European Convention on Human Rights was prepared in the belief that the greatest threats to an individual resulted from actions of the State and its authorities. … Several decades of development of the Council of Europe, whose main aim has been to promote the principles of democracy and respect for human rights, have strengthened trust in the State Parties to the Convention associated with this organization. They ceased to be perceived as the main threat to human rights, and the bar started to rise in terms of what was expected of them. With time came the recognition that it was not the State but private parties that posed the biggest threat to individuals’ rights and duties enshrined in the Convention. … Thus, as Andrew Clapham observes, the European Convention on Human Rights replaced the idea of protecting the individual against State measures with the idea of protecting the individual through State measures.” (The Role of the European Court of Human Rights in Promoting Horizontal Positive Obligations of the State. International and Comparative Law Review, 2017, vol. 17, no. 2, pp. 39–53.)

The best known example of the Strasbourg Court’s invocation of horizontality is its interpretation of the Article 8 privacy right. The von Hannover decision led to the UK being obliged to develop a new tort of misuse of private information.

Horizontality has been applied – but so far not often - to the Article 10 freedom of expression right. For example, in Herbai v Hungary the Strasbourg Court held that the state had a positive obligation under Article 10 to secure an employee’s right of freedom of expression as against their private sector employer. That right was violated where the state provided no redress when the employer dismissed the employee on account of material that the employee posted on a website.

In principle, horizontality could be deployed to support Bob or Carol’s position. How though, to decide the outcome? Since wielding the sword of horizontality tends to require the state to interfere with the fundamental rights of another person, the human rights court ends up ‘balancing’ the conflicting fundamental rights of the persons involved (or at least the individual’s interests against those of ‘the community as a whole’) in order to decide which should prevail. That exercise, however, is more akin to conducting and resolving a policy debate than deciding a legal question.  

‘Balancing’ is a process that the Strasbourg court often undertakes in freedom of expression cases for a different reason. ECHR Article 10.2 permits an interference with freedom of expression by the state to be justified on the grounds of protection 0f the reputation or rights of others. ‘Rights’, in this context, necessarily has a broader meaning than a right to be protected from state interference. It implies something that the State is entitled to use its coercive power to protect from interference by other persons, even if it is not obliged to do so. Horizontality goes a step further by introducing an obligation on a State to secure such a right.

It is a whole topic in itself how human rights courts go about deciding whether to invoke horizontality in a particular case; and whether when they do so they supplant the role of the legislature by creating substantive law, rather than limiting themselves to the metalaw role of determining whether laws and other measures adopted by states have overstepped civilised boundaries.

Ted’s thicket of competing rights

Once we have ventured into the territory of horizontality and balancing of conflicting rights, it is but a short step to think of fundamental rights in Ted’s terms: enjoyed by individuals as against each other.

As a matter of enforceable rights, however, Ted has taken a step too far. Although, where horizontality is invoked, the court in effect decides where to draw the line between the rights of two private persons, the exercise is still conducted via the medium of the state. Judgments of the Strasbourg court are addressed to Contracting States. They stipulate what domestic laws they must not have or (in the case of positive obligations and horizontality) must have. Strasbourg decisions do not create directly assertable and enforceable rights as between one individual and another.

Nevertheless, Ted’s perspective is almost inevitably adopted as shorthand. Fundamental rights are universally discussed in horizontal terms. As their primary function of protection against the state has assumed comparatively less prominence, fundamental rights have come to resemble a thicket of competing rights, each one demanding that the balance with other conflicting rights be resolved in its favour and secured by the sword of state action.

With each step away from Alice’s basic shield against the excesses of state power towards Ted’s thicket of horizontal rights, fundamental rights become ever more intricately woven into the fabric of society – yet, paradoxically, woven with thinner thread as the content of the various rights asserted becomes ever more contested, subjective and conflicting. Appeals to fundamental rights increasingly come to resemble little more than policy advocacy clothed in the language of rights.

Speech as a restriction on freedom of expression

Returning to the government’s suggestion that users could “challenge content that unduly restricts their freedom of expression”: if it is conceptually possible for a private actor to restrict someone else’s fundamental freedom of expression right, could writing a blog or a social media post qualify? In other words, can speech itself restrict someone else’s fundamental right of freedom of expression? Alice rejects the premise. Bob has no view. Carol says yes. Ted says speech is violence. Dan has no say, since his views are repugnant.

What of Grace? She is busy taking the sword to the village in order to save it.

Carved out or carved up? The draft Online Safety Bill and the press

When he announced the Online Harms White Paper in April 2019 the then Culture Secretary, Jeremy Wright QC, was at pains to reassure the press that the proposed regulatory regime would not impinge on press freedom. He wrote in a letter to the Society of Editors:

“where these services are already well regulated, as IPSO and IMPRESS do regarding their members' moderated comment sections, we will not duplicate those efforts. Journalistic or editorial content will not be affected by the regulatory framework.”

The last sentence, at any rate, always seemed like an impossible promise to fulfil. The government’s subsequent attempts to live up to it have resulted in some of the more inscrutable elements of the draft Online Safety Bill. 

Carve-out for news publisher content

It is true that ‘news publisher content’ is carved out of the safety duties that would be imposed on user to user and search services.  The exemption is intended to address the problem that a news publisher’s feed on, for instance, a social media site would constitute user generated content. As such, without an exemption it would be directly affected by the social media platform’s own duty of care and indirectly regulated by Ofcom.

However, a promise not to affect journalistic or editorial content goes further than that. First, the commitment is not limited to broadcasters or newspapers regulated by IPSO or IMPRESS.  Second, as we shall see, a regulatory framework may still have an indirect effect on content even if the content is carved out of the framework.

Furthermore, even trying to exclude direct effect gives rise to a problem. If you want to carve out the press, how do you do so without giving the government (or Ofcom) power to decide who does and does not qualify as the press? If a state organ draws that line, isn’t the resulting official list in itself an exercise in press regulation? We shall see how the draft Bill has tried to solve this conundrum.

Beneath the surface of the draft Bill lurks a foundational challenge. Its underlying premise is that speech is potentially dangerous, and those that facilitate it must take precautionary steps to mitigate the danger. That is the antithesis of the traditional principle that, within boundaries set by clear and precise laws, we are free to speak as we wish. The mainstream press may comfort themselves that this novel approach to speech is (for the moment) being applied only to the evil internet and to the unedited individual speech of social media users; but it is an unwelcome concept to see take root if you have spent centuries arguing that freedom of expression is not a fundamental risk, but a fundamental right.

Even the most voluble press advocates of imposing a duty of care on internet platforms have offered what seems a slightly muted welcome to these aspects of the draft Bill. Lord Black, in the House of Lords on 18 May 2021, (after declaring his interest as deputy chairman of the Telegraph Media Group) said:

“The draft Bill includes a robust and comprehensive exemption for news publishers from its framework of statutory regulation … . That is absolutely right. During pre-legislative scrutiny of the Bill, we must ensure that this exemption is both watertight and practical so that news publishers are not subject to any form of statutory control, and that there is no scope for the platforms to censor legitimate content.”

One might ask what constitutes ‘legitimate’ content and who - if not the platforms – would decide. Ofcom? At any rate the draft Bill will disappoint anyone hoping for a duty of care regime that could not have any effect at all on news publisher content. It is difficult to see how things could be otherwise, the former Culture Secretary’s promise notwithstanding.

The draft Bill

Now we can embark on a tour of the draft Bill’s attempts to square the circle of delivering on the former Secretary of State’s promise. First, a diagram.

Got that? Probably not.

So let us conduct a point by point examination of how the draft Bill tries to exclude the press from its regulatory ambit, and consider how far it succeeds. The News Media Association’s submission to the White Paper consultation, to which I will refer, contained a list of what the NMA thought the legislation should do in order to carve out the press. Unsurprisingly, the draft Bill falls short.

But first, a note on terminology: it is easy to slip into using ‘platforms’ to describe those organisations in scope. We immediately think of Facebook, Twitter, YouTube, TikTok, Instagram and the rest. But it is not only about them: the government estimates that 24,000 companies and organisations will be in scope. That is everyone from the largest players to an MP’s discussion app, via Mumsnet and the local sports club discussion forum. So, in an effort not to lose sight of who is in scope, I shall adopt the dismally anodyne ‘U2U provider’.

Moderated comments sections

The first limb of the Secretary of State’s commitment was to avoid duplicating existing regulation of moderated comments sections on newspapers’ own websites. That has been achieved not by a press-specific exemption, but through the draft Bill’s general exclusion of low risk ‘limited functionality’ services. This provision exempts services in which users are able to communicate only in the following ways: posting comments or reviews relating to content produced or published by the provider of the service (or by a person acting on behalf of the provider), and in various specified related ways (such as ‘like’ or ‘dislike’ buttons).

This exemption as drafted has problems, since technically (even if not contractually) a user is able to post anything to a non-proactively moderated free text review section. That could comments on comments – a degree of freedom which of itself appears to be disqualifying - even if the intended purpose is that the facility should be used only for reviewing the provider’s own content.

As for the protection that the exemption tangentially offers to comments sections on press websites, it is notable that it can be repealed or amended by secondary legislation, if the Secretary of State considers that to be appropriate because of the risk of physical or psychological harm to individuals in the UK presented by a service of the description in question.

News publisher content – what is it?

News publisher content present on a service is exempted from the service provider’s safety duties. There are two primary categories of news publisher content: that generated by UK-regulated broadcasters and that generated by other recognised news publishers. The latter have to meet a number of qualifying conditions, both administrative and substantive.

Administrative conditions

Administratively, a putative recognised news publisher must:

    (a)   Be an entity (i.e. an incorporated or unincorporated body or association of persons or an organisation)  

    (b) have a registered office or other business address in the UK

    (c) be the person with legal responsibility for material published by it in the UK

    (d) publish (by any means including broadcasting) the name address, and registered number    (if any) of the entity; and publish the name and address (and where relevant, registered or principal office and registered number) of any person who controls the entity (control meaning the same as in the Broadcasting Act).

Failure to meet any of these conditions would be fatal to an argument that the entity’s output qualified as news publisher content.

Organisations proscribed under the Terrorism Act 2000, or the purpose of which is to support a proscribed organisation, are expressly excluded from the news publisher exemption.

Substantive conditions

Substantively, the entity must:

    (a) Have as its principal purpose the publication of news-related material, such material being created by different persons and being subject to editorial control.

    (b) Publish such material in the course of a business (whether or not carried on with a view to profit)

    (c) Be subject to a standards code (one published either by an independent regulator or by the entity itself)

    (d) Have policies and procedures for handling and resolving complaints.

Again, failure to meet any of these conditions would be fatal.

‘News-related material’ has the same definition as in the Crime and Courts Act 2003:

    (a) News or information about current affairs

    (b) Opinion about matters relating to the news or current affairs; or

    (c) Gossip about celebrities, other public figures or other persons in the news.

News-related material is ‘subject to editorial control’ if there is a person (whether or not the publisher of the material) who has editorial or equivalent responsibility for the material, including responsibility for how it is presented and the decision to publish it.

Reposted news publisher material

The draft Bill also contains limited exemptions for news publisher content reposted by other users. To qualify, the material must be uploaded to or shared on the service by a user of the service, and:

    (a) Reproduce in full an article or written item originally published by a recognised news publisher (but not be a screenshot or photograph of that article or item or of part of it);

    (b) Be a recording of an item originally broadcast by a recognised news publisher (but not be an excerpt of such a recording); or

    (c) Be a link to a full article or written item originally published, or to a full recording of an item originally broadcast, by a recognised news publisher.

What isn’t exempted?

What news-related content would fall outside the exemptions from the U2U provider’s safety duties? Some of the most relevant are:

• The user reposting exemption does not apply to quotations, snippets, excerpts, screenshots and the like.
• Content from non-UK news publishers will not be exempt unless they are able to jump through the administrative and substantive hoops described above.  The requirement to have a registered office or other business address in the UK would itself seem likely to exclude the vast majority of non-UK news providers.
• Individual journalist accounts. Many well known broadcast and news journalists have their own Twitter or other social media accounts and make use of them prolifically to report on current news. These are outside the primary exemption, since an individual journalist is not a recognised news publisher. (Some of what individual journalists do would, of course, fall within the re-posting exemption.) The NMA argued that the exemption must apply to “the news publishers, corporately and individually to all their workforce and contributors”.

One opaque aspect of the exemption is what is meant by content “generated” by a recognised news publisher. If a newspaper publishes a story incorporating an embedded link to a TikTok video (as the Daily Mail did recently with the video from a migrant boat crossing the Channel), is the link part of the content generated by the news publisher? If so, is it anomalous that the story – including the embedded video - on the news publisher’s own site, subsequently posted to (say) Twitter, is exempt from Twitter’s safety duty, yet the same video originally posted on TikTok is still within scope of TikTok’s safety duty?

The example of amateur video uploaded from a migrant boat brings us neatly to the topic of citizen journalism. Citizen journalism is within scope of U2U providers’ safety duties and, for ordinary U2U providers, enjoys no special status over and above any other user generated content. 

Large players (Category 1 providers) will have a variety of freedom of expression duties imposed on them, applicable to UK-linked news publisher content or journalistic content, as well some duties in respect of so-called content of democratic importance. The duties will include, for instance, an obligation to specify in terms and conditions by what method journalistic content is to be identified. Since the draft Bill says only that journalistic content is content ‘generated for the purposes of journalism’, identifying such content looks like a tall order.

The journalistic content provisions are likely to run into criticism from opposing ends: on the one hand that some users will rely on them as a smokescreen to protect what is in reality non-journalistic material; and that on the other hand, the concept is too vague to be of real use, so in practice hands the decision on how to categorise to Ofcom. 

What is the significance of news publisher content being exempted?

The news publisher content exemption means that U2U providers do not have a safety duty for news publisher content. In other words, they are not obliged to include news publisher content in the various steps that they are required to take to fulfil their safety duties.

That does not mean that news publisher content could not be affected as a by-product of U2U providers' attempts to discharge their safety duties over other user content. U2U providers not being required proactively to monitor and inhibit news publisher content doesn’t mean that such content couldn’t be caught up in a provider’s efforts to do that for user generated content generally.

Lord Black spoke of precluding any scope for platforms to censor legitimate content. The closest the draft Bill’s general provisions come is the duty 'to have regard to the importance of freedom of expression’. For Category 1 providers the focus is additionally on dedicated, expedited complaints procedures and transparency of terms and conditions. 

The Impact Assessment concludes, under Freedom of Expression, that the regulatory model’s focus on transparency and user reporting and redress should lead to “some improvements” in users’ ability to appeal content removal and get this reinstated, “with a positive impact on freedom of expression”.

The Policy Risks table annexed to the Impact Assessment goes into more detail:

Risk

Mitigation

Regulation disproportionately impacts on freedom of expression, by incentivising or requiring content takedown.

The approach has built in appropriate safeguards to ensure protections for freedom of expression, including: ● Differentiated approach of legal/illegal content, e.g. not requiring takedown of legal but harmful content ● Safeguards for journalistic content ● Effective transparency reporting ● Proportionate enforcement sanctions to avoid incentivising takedowns ● User redress mechanisms will enable challenge to takedown ● Super-complaints will allow organisations to lodge complaints where they may be concerned about disproportionate impacts ● Regulator has a duty to consider freedom of expression

 

The Impact Assessment summarises the government’s final policy position thus:

“There will … be strong safeguards in place to ensure media freedom is upheld. Content and articles published by news media on their own sites will not be considered user generated content and thus will be out of regulatory scope.

Legislation will also include robust protections for journalistic content on in-scope services. Firstly, the legislation will provide a clear exemption for news publishers’ content. This means platforms will not have any new legal duties for these publishers’ content as a result of our legislation. Secondly, the legislation will oblige Category 1 companies to put in place safeguards for all journalistic content shared on their platforms. The safeguards will ensure that platforms consider the importance of journalism when undertaking content moderation, and can be held to account for the removal of journalistic content, including with respect to automated moderation tools.”

At the moment it is anyone’s guess what the various duties would mean when crystallised into practical requirements – a vice ingrained throughout the draft Bill. We will know only when Ofcom, however many years down the line, produces its series of safety Codes of Practice for the various different kinds of U2U service. A U2U provider would (unless it decides to take the brave route of claiming compliance with the safety duties in ways other than those set out in a Code of Practice) have to comply with whatever the applicable Code of Practice may say about freedom of expression.

If Ofcom were to go down the route of suggesting in a Code of Practice that news publisher content should be walled off from being indirectly affected by implementation of the providers’ safety duties, how could that be achieved? The spectre of an Ofcom-approved list of news publisher content providers rears its head again.

Even if there were such a list, how would such content be identified and separated out in practice? The NMA consultation submission suggested a system of ‘kite marking’. IT engineers could still be trying to build tagging systems to make that work in ten years’ time.

The government’s draft Online Safety Bill announcement claimed that the measures required of ordinary and large providers would “remove the risk that online companies adopt restrictive measures or over-remove content in their efforts to meet their new online safety duties.” (emphasis added)

This bold statement – in contrast with the more modest claim in the Impact Assessment - shows every sign of being another unfulfillable promise, whether for news publisher content or user-generated content generally.

Lord Black said in the Lords debate:

“We have the opportunity with this legislation to lead the world in ensuring proper regulation of news content on the internet, and to show how that can be reconciled with protecting free speech and freedom of expression. It is an opportunity we should seize.”

It can be no real surprise that a solution to squaring that circle is as elusive now as when the Secretary of State wrote to the Society of Editors two years ago. It has every prospect of remaining so.

Big Brother Watch/Rättvisa – a multifactorial puzzle

The European Court of Human Rights Grand Chamber has now delivered its long awaited judgment in Big Brother Watch.  It always seemed a bit of a stretch that the Strasbourg Court would tell the UK to close down the bulk (so to speak) of GCHQ’s operations, especially since 15 years ago the Weber/Saravia decision had accepted the principle of bulk communications surveillance (albeit in a world in which digital communications were not yet ubiquitous). 

So it proved. The Court’s Big Brother Watch judgment (and its companion judgment in the Swedish Centrum för Rättvisa case) lay down a revised set of fundamental rights criteria by which to assess bulk surveillance regimes, but do not forbid them as such.

The Grand Chamber’s approach

The twin judgments are notable for advancing further down the path of assessing a surveillance regime not by drawing red lines that must not be crossed, but by applying a multifactorial evaluation of criteria that feed into a “global assessment” of the regime's compliance with the “provided by law” and “necessary in a democratic society” requirements of the Convention.

The “provided by law” Convention requirement is that a measure must have some basis in law, and also have the quality of law: be publicly accessible and sufficiently certain and precise so as to be foreseeable in its effects. The scope of any discretion to exercise a surveillance power must be indicated with sufficient clarity to provide adequate protection against arbitrary interference.  

The conundrum that faces a human rights court is how such traditional rule of law requirements – certainty of law, foreseeability of legal effects, accessibility of a legal regime – can be applied to the inherently secret and discretionary nature of communications surveillance. The answer has been to import the notion that safeguards (such as independent oversight) can compensate for lack of openness, so long as the kind of circumstances in which communications surveillance may take place are clearly set out in legislation, supplemented if necessary by instruments such as codes of practice. The ECtHR’s particular focus on the role of safeguards is facilitated by its policy of considering the “provided by law” test jointly with whether the interference constituted by a given regime is “necessary in a democratic society” (BBW [334], Rättvisa [248]).

It is not a straightforward task to decide at what point safeguards sufficiently compensate for the rule of law deficiencies presented by secret exercise of a discretionary power. The Grand Chamber describes the role of safeguards in bulk interception of digital communications as “pivotal and yet elusive” (BBW [322], Rättvisa [236]). 

It is hard to avoid the conclusion that the search for this will o’the wisp is ultimately a matter of impression – the more so, the further the evaluation strays from red lines that cannot be crossed towards an overall multifactorial assessment, the result of which depends on how much weight the court chooses to give to each factor.

Bulk interception not per se unlawful

The challenge that faces a party seeking to strike down a bulk interception regime is how to bring a substantive objection – that a bulk communications surveillance regime is inherently repugnant - within the framework of a “quality of law” and “necessity” challenge. The argument will be that the interference with privacy and (perhaps) freedom of expression entailed by bulk communications interception is so great that, although useful, bulk communications interception does not pass the “necessity” test. This is the kind of argument that succeeded in the Marper case on blanket retention of DNA, fingerprint and cellular samples.

In the BBW and Rättvisa  cases the Grand Chamber held that a decision to operate a bulk interception regime continues to fall within the competence (“margin of appreciation”) of a Contracting State.  Their freedom of choice in how to operate such a regime is, however, more constrained. (BBW [340, 347], Rättvisa [254, 261])

Another way of stating the objection to such a regime might be that, given the scale of the interference, no amount of safeguards can compensate for the lack of foreseeability inherent in the secret exercise of bulk communications surveillance powers. However, in reality once necessity is surmounted in principle, the examination moves on to whether the combination of accessibility, precision of rules and compensating safeguards embodied in the regime under challenge is sufficient for Convention compliance.

The Court’s decision on RIPA

In BBW the UK’s now superseded RIPA (Regulation of Investigatory Powers Act 2000) regime was under challenge. As in the Chamber judgment in 2018 the Grand Chamber found the UK regime wanting. But it did so in slightly different ways:

Chamber	Grand Chamber
Article 8
Bulk interception: lack of provision for sufficient oversight of the entire selection process, specifically search criteria and selectors [387, 388]	Lack of independent authorisation at the outset [377]   Lack of provision for oversight of categories of selectors at point of authorisation; lack of provision for enhanced safeguards for use of strong selectors linked to identifiable individuals [383]   Insufficiently precise nature of SoS certificate as to descriptions of material necessary to be examined [386, 387, 391]   All applicable to both content and RCD [416]
Bulk interception: examination of related communications data (RCD) exempted from all safeguards applicable to content, such as S.16(2) ‘British Islands’ restriction applicable to content. [357, 387, 388]	Lack of ‘British Islands’ restriction for RCD is not decisive in overall assessment [421]; different storage periods for RCD (“several months”) were not evident in the Interception Code. Should be included in legislative and/or other general measures [423]
Communications data acquisition: Violation of EU law meant that acquisition could not be in accordance with the law [467, 468]	Not contested [521, 522]
Article 10
Bulk interception: lack of protection for journalistic privilege at selection and examination stage (content and RCD) [493, 495, 500]	As per Art 8; additionally, no requirement for a judge or similar to decide whether use of selectors or search terms known to be connected to a journalist was justified by an overriding requirement in the public interest; or whether a less intrusive measure might have sufficed [456];   Nor provision for similar authorisation of continued storage and examination of confidential journalistic material once a connection to a journalist became known. [457]
Communications data acquisition: insufficiently broad journalistic privilege protections [499, 500]	Not contested [527, 528]

The main concrete point of difference from the Chamber judgment is probably the Grand Chamber's emphasis on prior independent authorisation. That, in the form of Judicial Commissioner approval of the Secretary of State’s decision to issue a warrant, is now a feature of the Investigatory Powers Act 2016 which has superseded RIPA.

It is difficult to predict specific implications of the two Grand Chamber judgments for the IP Act. This is due to the Court’s already noted holistic, multifactorial approach to fundamental rights compliance. Although in places the Grand Chamber speaks of ‘minimum requirements’ – which might suggest a cumulative set of threshold conditions – in others it speaks of ‘shortcomings’ that inform the overall assessment and may be compensated for by other features of the regime.

This approach is more prominent in the Rättvisa judgment, in which the Court held that while certain safeguards did compensate for identified shortcomings in the Swedish regime, they did not do so sufficiently. The BBW judgment, while also adopting the “global assessment” approach, is in substance a starker exercise in striking down the RIPA regime owing to lack of certain safeguards. 

The main reason for the difference between the two judgments is that the Swedish surveillance regime did provide for initial authorisation of bulk warrants by an independent Foreign Intelligence Court. It could not, therefore, be said (as it was for RIPA in BBW) that the regime lacked independent authorisation at the outset (a minimum requirement that the Court has now described as a “fundamental safeguard” that “should” be present ([377]).  The approach of the Court in Rättvisa was therefore of necessity more nuanced.

Hard versus soft limits

By contrast with the Grand Chamber’s holistic, multifactorial approach, the EU Court of Justice has moved in the direction of insisting on that the relevant legal instruments set out clear and precise hard limits on powers.

That contrast may to some extent reflect the different roles of the two courts. The CJEU’s task is to lay down the content of substantive, positive EU law, within the framework of the Charter of Fundamental Rights. The task of the ECtHR is not to harmonise or lay down positive law (although when it ventures into the territory of horizontal rights it comes perilously close to doing that), but to determine whether a potentially wide variety of  Contracting State laws has strayed beyond the boundaries of Convention compatibility.

Although even the CJEU must allow for some differences in Member State domestic laws, it is in principle able to be more prescriptive than the ECtHR. 

At any rate, the ECtHR (confirmed by the Grand Chamber in the BBW and Rättvisa cases) has taken a softer-edged approach, with greater stress on safeguards than on the need for clear and precise limits on powers (emphasised by the CJEU most recently in Privacy International/La Quadrature). Whether or not that ultimately means a substantively stricter outcome than the CJEU's approach, it certainly makes for one that is less predictable in terms of compliance with the Convention.

The ECtHR’s approach is exemplified by the set of compliance criteria articulated by the Grand Chamber in BBW and Rättvisa. It has laid down eight minimum criteria, compared with the six in Weber/Saravia, to be considered in deciding whether a surveillance regime passes the initial ‘in accordance with the law’ test.

The criteria are that the Court will examine whether the domestic framework clearly defines:

1. the grounds on which bulk interception may be authorised;

2. the circumstances in which an individual’s communications may be intercepted;

3. the procedure to be followed for granting authorisation;

4. the procedures to be followed for selecting, examining and using intercept material;

5. the precautions to be taken when communicating the material to other parties;

6. the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;

7. the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;

8. the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.

These are framed as topic areas that have to be clearly addressed in domestic law. They also imply some degree of minimum requirement: for instance, domestic legislation that addressed the topic of limits on the duration of interception by stating clearly that it may be unlimited would not pass muster. Similarly, the factors connote some level of independent supervision and review.

However, what those implied minimum requirements might amount to in practice is not easy to tell. The eight topics appear to be as much – perhaps more so - criteria to be assessed, as a cumulative set of threshold conditions to be surmounted.  They may have elements of both. The Court referred in its judgment to its ‘overall assessment’ of the bulk interception regime, emphasising that shortcomings in some areas may be compensated by safeguards in others. The Court may also take into account factors beyond the eight minimum criteria, such as notification provisions.

In a separate Opinion Judge Pinto de Albuquerque pointed out the ambiguity in the Grand Chamber’s judgment as to whether it was laying down factors to be considered or mandatory requirements:

“On the one hand, it has used imperative language (“should be made”, “should be subject”, “should be authorised”, “should be informed”, “must be justified”, and “should be scrupulously recorded”, “should also be subject”, “it is imperative that the remedy should”) and has called them “fundamental safeguards” and even “minimum safeguards”. But on the other hand, it has diluted these safeguards in “a global assessment of the operation of the regime”, allowing for a trade-off among the safeguards. It seems that at the end of the day each individual safeguard is not mandatory, and the prescriptive language of the Court does not really correspond to non-negotiable features of the domestic system.”

That said, the Court went on to lay down what it described as the “fundamental safeguards” that would be the cornerstone of an Article 8-compliant bulk interception regime ([350]). This was articulated in the context of the particular model presented to the court (collection, filtering to discard unwanted material, automated application of selectors and search queries, manual queries by analysts, examination by analysts, subsequent retention and use), which the Court regarded as involving increasing interferences with privacy as the process progressed. ([325]) . This model already feels somewhat old-fashioned, given the more sophisticated pattern-matching and other techniques that could be applied to analysis of, in particular, bulk communications data.  

The Court's requirements are that the process must be subject to end-to-end safeguards, meaning that: 

• At each stage of the process an assessment must be made of the necessity and proportionality of the measures being taken. [350]
  
  
• Bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined [351]
  
  
• The operation should be subject to supervision and independent ex post facto review [350]

The Court commented that the importance of supervision and review is amplified compared with targeted interception because of the inherent risk of abuse and the legitimate need for secrecy [349].

Drilling down further into those fundamental safeguards, the Court observed that:

• The independent authorising body should be informed of both the purpose of the interception and the bearers or communication routes likely to be intercepted. [352]

• Given that the choice of selectors and query terms determines which communications will be eligible for examination by an analyst, the authorisation should at the very least identify the types or categories of selectors to be used. The Court accepted that the inclusion of all selectors in the authorisation may not be feasible in practice. [354]

• Enhanced safeguards should be in place for strong selectors linked to identifiable individuals. The use of every such selector must be justified by the intelligence services and that justification should be scrupulously recorded and be subject to a process of prior internal authorisation providing for separate and objective verification of whether the justification conforms to the principles of necessity and proportionality. [355]

• Each stage of the bulk interception process – including the initial authorisation and any subsequent renewals, the selection of bearers, the choice and application of selectors and query terms, and the use, storage, onward transmission and deletion of the intercept material – should be subject to supervision by an independent authority. That supervision should be sufficiently robust to keep the interference with Art 8 rights to what is “necessary in a democratic society”. In order to facilitate supervision, detailed records should be kept by the intelligence services at each stage of the process. [356]

• Finally, an effective remedy should be available to anyone who suspects that his or her communications have been intercepted by the intelligence services, either to challenge the lawfulness of the suspected interception or the Convention compliance of the interception regime. A remedy that does not depend on notification to the interception subject can be effective. But it is then imperative that the remedy should be before a body which, while not necessarily judicial, is independent of the executive and ensures the fairness of the proceedings, offering, in so far as possible, an adversarial process. The decisions of such authority shall be reasoned and legally binding with regard, inter alia, to the cessation of unlawful interception and the destruction of unlawfully obtained and/or stored intercept material. [357]

The court also provided guidance on sharing intercept material with agencies in other countries.

In the light of the above, the Court will determine whether a bulk interception regime is Convention compliant by conducting a global assessment of the operation of the regime. Such assessment will focus primarily on whether the domestic legal framework contains sufficient guarantees against abuse, and whether the process is subject to “end-to-end safeguards”. In doing so, the Court will have regard to the actual operation of the system of interception, including the checks and balances on the exercise of power, and the existence or absence of any evidence of actual abuse. [360]

The Court also observed that it was not persuaded that the acquisition of related communications data through bulk interception is necessarily less intrusive than the acquisition of content. It therefore considered that the interception, retention and searching of related communications data should be analysed by reference to the same safeguards as those applicable to content. [363]

That said, the Court observed that while the interception of related communications data would normally be authorised at the same time the interception of content is authorised, once obtained they could permissibly be treated differently by the intelligence services. 

In view of the different character of related communications data and the different ways in which they are used by the intelligence services, as long as the aforementioned safeguards were in place, the legal provisions governing their treatment did not necessarily have to be identical in every respect to those governing the treatment of content. [364]

Implications for the Investigatory Powers Act 2016

Where does this leave the 2016 Act? The Act ticks several important boxes, notably the “double lock” system of approval of bulk warrants by a Judicial Commissioner introduced after the end of the RIPA regime.

When considering the Convention compliance of the IP Act regime the Rättvisa decision is probably more factually relevant than the BBW decision, since it addresses a regime that featured initial authorisation by an independent court.

The IP Act in some respects provides stronger safeguards than those that fell short in Rättvisa – thus the UK IPT was held up as an example of what was possible in the area of ex post facto review.

On the other hand, the Swedish regime provided for mandatory presence of a privacy protection representative at Foreign Intelligence Court sessions. That was identified as a relevant safeguard to be weighed against the fact that the Court had never held a public hearing and that all its decisions were confidential.

There is no provision in the IP Act for a privacy protection representative to make submissions in the bulk warrant approval process. As to publicising bulk warrant approval decisions, in his April 2018 Advisory Notice the Investigatory Powers Commissioner said:

“The Judicial Commissioners will consider making any decisions on approvals public, subject to any statutory limitations and necessary redactions.”

It is noteworthy that the latest Annual Report of the Investigatory Powers Commissioner (for 2019) records that a Judicial Commissioner issued the first approvals of a communications data retention notice regarding internet connection records. It also describes a potential obstacle to approval of warrants posed by MI5's IT issues. Whilst this evinces a degree of openness, it does not go as far as (for instance) a practice of publishing Judicial Commissioner decisions on points of legal interpretation.

Given the multifactorial, trade-off-oriented approach of the Grand Chamber it is impossible to be categoric about whether this aspect of the IP Act regime presents Convention compliance problems. On the basis of Rättvisa we can expect, however, that it will be argued that either a privacy (and freedom of expression?) representative should be able to make submissions in the bulk warrant approval decision-making process, or the possibility of publishing elements of bulk warrant approval decisions should be explored further, or perhaps both.

As for the double-lock procedure itself, although the Secretary of State remains the primary decision-maker, and it is occasionally suggested that Judicial Commissioner approval, being based on judicial review principles, falls short of full scrutiny, it should not be forgotten that the Advisory Notice issued by the IPC in April 2018 stated that the Judicial Commissioners would not apply the relatively hands-off ‘Wednesbury reasonableness’ test, but instead the judicial review test applied by the domestic courts when considering interferences with fundamental rights. That would be taken into account in any assessment of the level of scrutiny applied to warrants.

Another area of the IP Act that is likely to attract attention is the IP Act's bulk communications data acquisition warrant. This is the successor to S.94 of the Telecommunications Act 1984, which the government admitted in November 2015 had been used for bulk acquisition of communications data from communications service providers.

Unlike bulk interception under RIPA (and now under the IP Act), the bulk communications acquisition warrant is not focused on foreign intelligence purposes. Given the various references in the BBW and Rättvisa judgments to bulk interception being primarily used for foreign intelligence, and the acknowledgment that bulk communications data should not be regarded as less sensitive than content, the Convention compliance of a domestic bulk acquisition regime may fall to be considered in the future.

A potential problem area, both for bulk interception and communications data acquisition, is journalistic privilege. Although the IP Act contains stronger protections for journalistic material than did RIPA, it may be questioned whether those, at least of themselves, are sufficient to meet the criticisms contained in the two ECtHR judgments.

Returning to the central theme of the Grand Chamber judgments, does the IP Act provide sufficient end-to-end safeguards over the bulk interception process? Following the Chamber judgment in 2018 I suggested that since the 2016 Act did not spell out whether end to end oversight was applied to all stages of the bulk interception process, more would need to be done to fill that gap (remembering that it is not enough for that simply to be done – it must be required to be done by means of clearly stated public rules.) That view is reinforced by the Grand Chamber judgment. I can do no better than repeat what I said then:

“Beyond that, under the IP Act the Judicial Commissioners have to consider at the warrant approval stage the necessity and proportionality of conduct authorised by a bulk warrant. Arguably that includes all four stages identified by the Strasbourg Court (see my submission to IPCO earlier this year). If that is right, the RIPA gap may have been partially filled.

However, the IP Act does not specify in terms that selectors and search criteria have to be reviewed. Moreover, focusing on those particular techniques already seems faintly old-fashioned. The Bulk Powers Review reveals the extent to which more sophisticated analytical techniques such as anomaly detection and pattern analysis are brought to bear on intercepted material, particularly communications data. Robust end to end oversight ought to cover these techniques as well as use of selectors and automated queries. 

The remainder of the gap could perhaps be filled by an explanation of how closely the Judicial Commissioners oversee the various selection, searching and other analytical processes.

Filling this gap may not necessarily require amendment of the IP Act, although it would be preferable if it were set out in black and white. It could perhaps be filled by an IPCO advisory notice: first as to its understanding of the relevant requirements of the Act; and second explaining how that translates into practical oversight, as part of bulk warrant approval or otherwise, of the end to end stages involved in bulk interception (and indeed the other bulk powers).”

The case for the gap to be filled formally is reinforced when we consider that the government has publicly referred to discussions that have been taking place with IPCO to strengthen end to end supervision in practice. The Grand Chamber judgment records the government’s argument that:

“Robust independent oversight of selectors and search criteria was therefore within the IC Commissioner’s powers: by the time of his 2014 report he had specifically put in place systems and processes to make sure that actually occurred, and, following the Chamber judgment, the Government had been working with the IC Commissioner’s Office to ensure that there would be enhanced oversight of selectors and search criteria under IPA.”

In his Annual Report for 2019 (published in December 2020) the Investigatory Powers Commissioner stated:

“Our oversight of bulk powers has evolved over the past year (see para 10.27). This reflected the European Court of Human Right’s judgment in the Big Brother Watch and others v UK case, and the Intelligence and Security Committee’s (ISC) Privacy and Security Report of March 2015.We reviewed our approach to inspecting bulk interception in 2019, considering the technically complex ways in which bulk interception is implemented and from 2020 our inspections will include a detailed examination of selectors and search criteria.”

Now that we have the Grand Chamber judgment the case appears to be stronger for the end to end oversight arrangements, and IPCO’s interpretation of the 2016 Act in that regard, to be spelled out publicly. That would also be well timed for the forthcoming review of the operation of the 2016 Act that is required to start in a year’s time.