Tuesday, 8 June 2021

Big Brother Watch/Rättvisa – a multifactorial puzzle

The European Court of Human Rights Grand Chamber has now delivered its long awaited judgment in Big Brother Watch.  It always seemed a bit of a stretch that the Strasbourg Court would tell the UK to close down the bulk (so to speak) of GCHQ’s operations, especially since 15 years ago the Weber/Saravia decision had accepted the principle of bulk communications surveillance (albeit in a world in which digital communications were not yet ubiquitous). 

So it proved. The Court’s Big Brother Watch judgment (and its companion judgment in the Swedish Centrum för Rättvisa case) lay down a revised set of fundamental rights criteria by which to assess bulk surveillance regimes, but do not forbid them as such.

The Grand Chamber’s approach

The twin judgments are notable for advancing further down the path of assessing a surveillance regime not by drawing red lines that must not be crossed, but by applying a multifactorial evaluation of criteria that feed into a “global assessment” of the regime's compliance with the “provided by law” and “necessary in a democratic society” requirements of the Convention.

The “provided by law” Convention requirement is that a measure must have some basis in law, and also have the quality of law: be publicly accessible and sufficiently certain and precise so as to be foreseeable in its effects. The scope of any discretion to exercise a surveillance power must be indicated with sufficient clarity to provide adequate protection against arbitrary interference.  

The conundrum that faces a human rights court is how such traditional rule of law requirements – certainty of law, foreseeability of legal effects, accessibility of a legal regime – can be applied to the inherently secret and discretionary nature of communications surveillance. The answer has been to import the notion that safeguards (such as independent oversight) can compensate for lack of openness, so long as the kind of circumstances in which communications surveillance may take place are clearly set out in legislation, supplemented if necessary by instruments such as codes of practice. The ECtHR’s particular focus on the role of safeguards is facilitated by its policy of considering the “provided by law” test jointly with whether the interference constituted by a given regime is “necessary in a democratic society” (BBW [334], Rättvisa [248]).

It is not a straightforward task to decide at what point safeguards sufficiently compensate for the rule of law deficiencies presented by secret exercise of a discretionary power. The Grand Chamber describes the role of safeguards in bulk interception of digital communications as “pivotal and yet elusive” (BBW [322], Rättvisa [236]). 

It is hard to avoid the conclusion that the search for this will o’the wisp is ultimately a matter of impression – the more so, the further the evaluation strays from red lines that cannot be crossed towards an overall multifactorial assessment, the result of which depends on how much weight the court chooses to give to each factor.

Bulk interception not per se unlawful

The challenge that faces a party seeking to strike down a bulk interception regime is how to bring a substantive objection – that a bulk communications surveillance regime is inherently repugnant - within the framework of a “quality of law” and “necessity” challenge. The argument will be that the interference with privacy and (perhaps) freedom of expression entailed by bulk communications interception is so great that, although useful, bulk communications interception does not pass the “necessity” test. This is the kind of argument that succeeded in the Marper case on blanket retention of DNA, fingerprint and cellular samples.

In the BBW and Rättvisa  cases the Grand Chamber held that a decision to operate a bulk interception regime continues to fall within the competence (“margin of appreciation”) of a Contracting State.  Their freedom of choice in how to operate such a regime is, however, more constrained. (BBW [340, 347], Rättvisa [254, 261])

Another way of stating the objection to such a regime might be that, given the scale of the interference, no amount of safeguards can compensate for the lack of foreseeability inherent in the secret exercise of bulk communications surveillance powers. However, in reality once necessity is surmounted in principle, the examination moves on to whether the combination of accessibility, precision of rules and compensating safeguards embodied in the regime under challenge is sufficient for Convention compliance.

The Court’s decision on RIPA

In BBW the UK’s now superseded RIPA (Regulation of Investigatory Powers Act 2000) regime was under challenge. As in the Chamber judgment in 2018 the Grand Chamber found the UK regime wanting. But it did so in slightly different ways:

Chamber

Grand Chamber

Article 8

 

Bulk interception: lack of provision for sufficient oversight of the entire selection process, specifically search criteria and selectors [387, 388]

Lack of independent authorisation at the outset [377]

 

Lack of provision for oversight of categories of selectors at point of authorisation; lack of provision for enhanced safeguards for use of strong selectors linked to identifiable individuals [383]

 

Insufficiently precise nature of SoS certificate as to descriptions of material necessary to be examined [386, 387, 391]

 

All applicable to both content and RCD [416]

Bulk interception: examination of related communications data (RCD) exempted from all safeguards applicable to content, such as S.16(2) ‘British Islands’ restriction applicable to content. [357, 387, 388]

Lack of ‘British Islands’ restriction for RCD is not decisive in overall assessment [421]; different storage periods for RCD (“several months”) were not evident in the Interception Code. Should be included in legislative and/or other general measures [423]

Communications data acquisition: Violation of EU law meant that acquisition could not be in accordance with the law [467, 468]

Not contested [521, 522]

Article 10

 

Bulk interception: lack of protection for journalistic privilege at selection and examination stage (content and RCD) [493, 495, 500]

As per Art 8; additionally, no requirement for a judge or similar to decide whether use of selectors or search terms known to be connected to a journalist was justified by an overriding requirement in the public interest; or whether a less intrusive measure might have sufficed [456];

 

Nor provision for similar authorisation of continued storage and examination of confidential journalistic material once a connection to a journalist became known. [457]

Communications data acquisition: insufficiently broad journalistic privilege protections [499, 500]

Not contested [527, 528]

The main concrete point of difference from the Chamber judgment is probably the Grand Chamber's emphasis on prior independent authorisation. That, in the form of Judicial Commissioner approval of the Secretary of State’s decision to issue a warrant, is now a feature of the Investigatory Powers Act 2016 which has superseded RIPA.

It is difficult to predict specific implications of the two Grand Chamber judgments for the IP Act. This is due to the Court’s already noted holistic, multifactorial approach to fundamental rights compliance. Although in places the Grand Chamber speaks of ‘minimum requirements’ – which might suggest a cumulative set of threshold conditions – in others it speaks of ‘shortcomings’ that inform the overall assessment and may be compensated for by other features of the regime.

This approach is more prominent in the Rättvisa judgment, in which the Court held that while certain safeguards did compensate for identified shortcomings in the Swedish regime, they did not do so sufficiently. The BBW judgment, while also adopting the “global assessment” approach, is in substance a starker exercise in striking down the RIPA regime owing to lack of certain safeguards. 

The main reason for the difference between the two judgments is that the Swedish surveillance regime did provide for initial authorisation of bulk warrants by an independent Foreign Intelligence Court. It could not, therefore, be said (as it was for RIPA in BBW) that the regime lacked independent authorisation at the outset (a minimum requirement that the Court has now described as a “fundamental safeguard” that “should” be present ([377]).  The approach of the Court in Rättvisa was therefore of necessity more nuanced.

Hard versus soft limits

By contrast with the Grand Chamber’s holistic, multifactorial approach, the EU Court of Justice has moved in the direction of insisting on that the relevant legal instruments set out clear and precise hard limits on powers.

That contrast may to some extent reflect the different roles of the two courts. The CJEU’s task is to lay down the content of substantive, positive EU law, within the framework of the Charter of Fundamental Rights. The task of the ECtHR is not to harmonise or lay down positive law (although when it ventures into the territory of horizontal rights it comes perilously close to doing that), but to determine whether a potentially wide variety of  Contracting State laws has strayed beyond the boundaries of Convention compatibility.

Although even the CJEU must allow for some differences in Member State domestic laws, it is in principle able to be more prescriptive than the ECtHR. 

At any rate, the ECtHR (confirmed by the Grand Chamber in the BBW and Rättvisa cases) has taken a softer-edged approach, with greater stress on safeguards than on the need for clear and precise limits on powers (emphasised by the CJEU most recently in Privacy International/La Quadrature). Whether or not that ultimately means a substantively stricter outcome than the CJEU's approach, it certainly makes for one that is less predictable in terms of compliance with the Convention.

The ECtHR’s approach is exemplified by the set of compliance criteria articulated by the Grand Chamber in BBW and Rättvisa. It has laid down eight minimum criteria, compared with the six in Weber/Saravia, to be considered in deciding whether a surveillance regime passes the initial ‘in accordance with the law’ test.

The criteria are that the Court will examine whether the domestic framework clearly defines:

1. the grounds on which bulk interception may be authorised;

2. the circumstances in which an individual’s communications may be intercepted;

3. the procedure to be followed for granting authorisation;

4. the procedures to be followed for selecting, examining and using intercept material;

5. the precautions to be taken when communicating the material to other parties;

6. the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;

7. the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;

8. the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.

These are framed as topic areas that have to be clearly addressed in domestic law. They also imply some degree of minimum requirement: for instance, domestic legislation that addressed the topic of limits on the duration of interception by stating clearly that it may be unlimited would not pass muster. Similarly, the factors connote some level of independent supervision and review.

However, what those implied minimum requirements might amount to in practice is not easy to tell. The eight topics appear to be as much – perhaps more so - criteria to be assessed, as a cumulative set of threshold conditions to be surmounted.  They may have elements of both. The Court referred in its judgment to its ‘overall assessment’ of the bulk interception regime, emphasising that shortcomings in some areas may be compensated by safeguards in others. The Court may also take into account factors beyond the eight minimum criteria, such as notification provisions.

In a separate Opinion Judge Pinto de Albuquerque pointed out the ambiguity in the Grand Chamber’s judgment as to whether it was laying down factors to be considered or mandatory requirements:

“On the one hand, it has used imperative language (“should be made”, “should be subject”, “should be authorised”, “should be informed”, “must be justified”, and “should be scrupulously recorded”, “should also be subject”, “it is imperative that the remedy should”) and has called them “fundamental safeguards” and even “minimum safeguards”. But on the other hand, it has diluted these safeguards in “a global assessment of the operation of the regime”, allowing for a trade-off among the safeguards. It seems that at the end of the day each individual safeguard is not mandatory, and the prescriptive language of the Court does not really correspond to non-negotiable features of the domestic system.”

That said, the Court went on to lay down what it described as the “fundamental safeguards” that would be the cornerstone of an Article 8-compliant bulk interception regime ([350]). This was articulated in the context of the particular model presented to the court (collection, filtering to discard unwanted material, automated application of selectors and search queries, manual queries by analysts, examination by analysts, subsequent retention and use), which the Court regarded as involving increasing interferences with privacy as the process progressed. ([325]) . This model already feels somewhat old-fashioned, given the more sophisticated pattern-matching and other techniques that could be applied to analysis of, in particular, bulk communications data.  

The Court's requirements are that the process must be subject to end-to-end safeguards, meaning that: 

  • At each stage of the process an assessment must be made of the necessity and proportionality of the measures being taken. [350]

  • Bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined [351]

  • The operation should be subject to supervision and independent ex post facto review [350]

The Court commented that the importance of supervision and review is amplified compared with targeted interception because of the inherent risk of abuse and the legitimate need for secrecy [349].

Drilling down further into those fundamental safeguards, the Court observed that:

  • The independent authorising body should be informed of both the purpose of the interception and the bearers or communication routes likely to be intercepted. [352]
  • Given that the choice of selectors and query terms determines which communications will be eligible for examination by an analyst, the authorisation should at the very least identify the types or categories of selectors to be used. The Court accepted that the inclusion of all selectors in the authorisation may not be feasible in practice. [354]
  • Enhanced safeguards should be in place for strong selectors linked to identifiable individuals. The use of every such selector must be justified by the intelligence services and that justification should be scrupulously recorded and be subject to a process of prior internal authorisation providing for separate and objective verification of whether the justification conforms to the principles of necessity and proportionality. [355]
  • Each stage of the bulk interception process – including the initial authorisation and any subsequent renewals, the selection of bearers, the choice and application of selectors and query terms, and the use, storage, onward transmission and deletion of the intercept material – should be subject to supervision by an independent authority. That supervision should be sufficiently robust to keep the interference with Art 8 rights to what is “necessary in a democratic society”. In order to facilitate supervision, detailed records should be kept by the intelligence services at each stage of the process. [356]
  • Finally, an effective remedy should be available to anyone who suspects that his or her communications have been intercepted by the intelligence services, either to challenge the lawfulness of the suspected interception or the Convention compliance of the interception regime. A remedy that does not depend on notification to the interception subject can be effective. But it is then imperative that the remedy should be before a body which, while not necessarily judicial, is independent of the executive and ensures the fairness of the proceedings, offering, in so far as possible, an adversarial process. The decisions of such authority shall be reasoned and legally binding with regard, inter alia, to the cessation of unlawful interception and the destruction of unlawfully obtained and/or stored intercept material. [357]

The court also provided guidance on sharing intercept material with agencies in other countries.

In the light of the above, the Court will determine whether a bulk interception regime is Convention compliant by conducting a global assessment of the operation of the regime. Such assessment will focus primarily on whether the domestic legal framework contains sufficient guarantees against abuse, and whether the process is subject to “end-to-end safeguards”. In doing so, the Court will have regard to the actual operation of the system of interception, including the checks and balances on the exercise of power, and the existence or absence of any evidence of actual abuse. [360]

The Court also observed that it was not persuaded that the acquisition of related communications data through bulk interception is necessarily less intrusive than the acquisition of content. It therefore considered that the interception, retention and searching of related communications data should be analysed by reference to the same safeguards as those applicable to content. [363]

That said, the Court observed that while the interception of related communications data would normally be authorised at the same time the interception of content is authorised, once obtained they could permissibly be treated differently by the intelligence services. 

In view of the different character of related communications data and the different ways in which they are used by the intelligence services, as long as the aforementioned safeguards were in place, the legal provisions governing their treatment did not necessarily have to be identical in every respect to those governing the treatment of content. [364]

Implications for the Investigatory Powers Act 2016

Where does this leave the 2016 Act? The Act ticks several important boxes, notably the “double lock” system of approval of bulk warrants by a Judicial Commissioner introduced after the end of the RIPA regime.

When considering the Convention compliance of the IP Act regime the Rättvisa decision is probably more factually relevant than the BBW decision, since it addresses a regime that featured initial authorisation by an independent court.

The IP Act in some respects provides stronger safeguards than those that fell short in Rättvisa – thus the UK IPT was held up as an example of what was possible in the area of ex post facto review.

On the other hand, the Swedish regime provided for mandatory presence of a privacy protection representative at Foreign Intelligence Court sessions. That was identified as a relevant safeguard to be weighed against the fact that the Court had never held a public hearing and that all its decisions were confidential.

There is no provision in the IP Act for a privacy protection representative to make submissions in the bulk warrant approval process. As to publicising bulk warrant approval decisions, in his April 2018 Advisory Notice the Investigatory Powers Commissioner said:

“The Judicial Commissioners will consider making any decisions on approvals public, subject to any statutory limitations and necessary redactions.”

It is noteworthy that the latest Annual Report of the Investigatory Powers Commissioner (for 2019) records that a Judicial Commissioner issued the first approvals of a communications data retention notice regarding internet connection records. It also describes a potential obstacle to approval of warrants posed by MI5's IT issues. Whilst this evinces a degree of openness, it does not go as far as (for instance) a practice of publishing Judicial Commissioner decisions on points of legal interpretation.

Given the multifactorial, trade-off-oriented approach of the Grand Chamber it is impossible to be categoric about whether this aspect of the IP Act regime presents Convention compliance problems. On the basis of Rättvisa we can expect, however, that it will be argued that either a privacy (and freedom of expression?) representative should be able to make submissions in the bulk warrant approval decision-making process, or the possibility of publishing elements of bulk warrant approval decisions should be explored further, or perhaps both.

As for the double-lock procedure itself, although the Secretary of State remains the primary decision-maker, and it is occasionally suggested that Judicial Commissioner approval, being based on judicial review principles, falls short of full scrutiny, it should not be forgotten that the Advisory Notice issued by the IPC in April 2018 stated that the Judicial Commissioners would not apply the relatively hands-off ‘Wednesbury reasonableness’ test, but instead the judicial review test applied by the domestic courts when considering interferences with fundamental rights. That would be taken into account in any assessment of the level of scrutiny applied to warrants.

Another area of the IP Act that is likely to attract attention is the IP Act's bulk communications data acquisition warrant. This is the successor to S.94 of the Telecommunications Act 1984, which the government admitted in November 2015 had been used for bulk acquisition of communications data from communications service providers.

Unlike bulk interception under RIPA (and now under the IP Act), the bulk communications acquisition warrant is not focused on foreign intelligence purposes. Given the various references in the BBW and Rättvisa judgments to bulk interception being primarily used for foreign intelligence, and the acknowledgment that bulk communications data should not be regarded as less sensitive than content, the Convention compliance of a domestic bulk acquisition regime may fall to be considered in the future.

A potential problem area, both for bulk interception and communications data acquisition, is journalistic privilege. Although the IP Act contains stronger protections for journalistic material than did RIPA, it may be questioned whether those, at least of themselves, are sufficient to meet the criticisms contained in the two ECtHR judgments.

Returning to the central theme of the Grand Chamber judgments, does the IP Act provide sufficient end-to-end safeguards over the bulk interception process? Following the Chamber judgment in 2018 I suggested that since the 2016 Act did not spell out whether end to end oversight was applied to all stages of the bulk interception process, more would need to be done to fill that gap (remembering that it is not enough for that simply to be done – it must be required to be done by means of clearly stated public rules.) That view is reinforced by the Grand Chamber judgment. I can do no better than repeat what I said then:

“Beyond that, under the IP Act the Judicial Commissioners have to consider at the warrant approval stage the necessity and proportionality of conduct authorised by a bulk warrant. Arguably that includes all four stages identified by the Strasbourg Court (see my submission to IPCO earlier this year). If that is right, the RIPA gap may have been partially filled.

However, the IP Act does not specify in terms that selectors and search criteria have to be reviewed. Moreover, focusing on those particular techniques already seems faintly old-fashioned. The Bulk Powers Review reveals the extent to which more sophisticated analytical techniques such as anomaly detection and pattern analysis are brought to bear on intercepted material, particularly communications data. Robust end to end oversight ought to cover these techniques as well as use of selectors and automated queries. 

The remainder of the gap could perhaps be filled by an explanation of how closely the Judicial Commissioners oversee the various selection, searching and other analytical processes.

Filling this gap may not necessarily require amendment of the IP Act, although it would be preferable if it were set out in black and white. It could perhaps be filled by an IPCO advisory notice: first as to its understanding of the relevant requirements of the Act; and second explaining how that translates into practical oversight, as part of bulk warrant approval or otherwise, of the end to end stages involved in bulk interception (and indeed the other bulk powers).”

The case for the gap to be filled formally is reinforced when we consider that the government has publicly referred to discussions that have been taking place with IPCO to strengthen end to end supervision in practice. The Grand Chamber judgment records the government’s argument that:

“Robust independent oversight of selectors and search criteria was therefore within the IC Commissioner’s powers: by the time of his 2014 report he had specifically put in place systems and processes to make sure that actually occurred, and, following the Chamber judgment, the Government had been working with the IC Commissioner’s Office to ensure that there would be enhanced oversight of selectors and search criteria under IPA.”

In his Annual Report for 2019 (published in December 2020) the Investigatory Powers Commissioner stated:

“Our oversight of bulk powers has evolved over the past year (see para 10.27). This reflected the European Court of Human Right’s judgment in the Big Brother Watch and others v UK case, and the Intelligence and Security Committee’s (ISC) Privacy and Security Report of March 2015.We reviewed our approach to inspecting bulk interception in 2019, considering the technically complex ways in which bulk interception is implemented and from 2020 our inspections will include a detailed examination of selectors and search criteria.”

Now that we have the Grand Chamber judgment the case appears to be stronger for the end to end oversight arrangements, and IPCO’s interpretation of the 2016 Act in that regard, to be spelled out publicly. That would also be well timed for the forthcoming review of the operation of the 2016 Act that is required to start in a year’s time.



No comments:

Post a Comment