Privacy: strictures and safeguards
Human rights briefing: As the Investigatory Powers Bill completes its passage, the IPT ruling in the Privacy International case reminds us that Government use of personal data must not be unrestricted
On 17 October 2016, the Investigatory Powers Tribunal (“IPT”) published its decision in a case brought by the NGO Privacy International, against various UK Government agencies. The challenge related both to the acquisition, use, retention, disclosure and storage of bulk personal datasets by security intelligence agencies and to the issuing of directions by the Home and Foreign Secretaries to public electronic communications networks to transfer bulk communications data to GCHQ and MI5. Privacy International brought the case in the wake of revelations that the UK Government had been collecting hundreds of records pertaining to a wide range of individuals.
Under article 8 of the European Convention on Human Rights, any interference with an individual’s right to privacy must be in accordance with the law and necessary in a democratic society, in the interests of a number of specified factors, including national security. The IPT considered the impact of article 8 on the security intelligence agencies, and the balance to be struck between national security and privacy. Its judgment summarised what it considered to be a proper approach to data collection. This includes: the existence of adequate and effective controls on the arbitrariness of executive action; rules that are clear in nature; and that the ambit of the rules is in the public domain to allow for foreseeability of interference. There must also be effective oversight. Whilst the IPT adjourned on certain issues, it found that, due to the lack of safeguards, the bulk data collection regimes failed to comply with article 8 and were therefore illegal prior to avowal in 2015.
Investigatory powers bill
Bulk collection of communications data and personal datasets will be given enhanced statutory footing through the Investigatory Powers Bill, currently making its way through the final stages of the parliamentary process.
The bill was introduced in order to consolidate and update existing legislation on surveillance powers. This was, in part, a response to the revelations by Edward Snowden in relation to the UK’s surveillance practices; and also to prepare for the expiration of the data retention regime under the Data Retention and Investigatory Powers Act 2014. It covers the interception of communications (partially repealing/amending the Regulation of Investigatory Powers Act 2000 and Regulation of Investigatory Powers (Scotland) Act 2000), and the retention and access of communications data. It also includes a power to require the retention of internet connection records, powers of equipment interference, and powers to retain and use bulk personal datasets; and establishes an Investigatory Powers Commission.
Human Rights/Data Protection concerns
Dubbed the “Snoopers’ Charter”, the bill has been highly criticised by parliamentarians, academics, practitioners and civil society, in particular through the “Don’t Spy on Us” coalition of privacy, freedom of expression and digital rights organisations. Concerns have been raised that the bill perpetuates the flaws in the current system that it is intended to reform – and lacks adequate protection for privacy and freedom of expression rights, including through interference with legal professional privilege, lack of protection for journalistic sources, unnecessarily indiscriminate data collection and retention, and power to undermine encryption. Numerous amendments have been tabled during the bill’s progression through Parliament. Some that have been agreed so far have improved the privacy safeguards. These include the insertion of general privacy duties on the face of the bill, and the addition of a technical advisory panel of independent experts to advise on the impact of changing technology, so that MI5, MI6 and GCHQ can reduce their privacy interference. However, a number of questions still remain in relation to whether the bill contains adequate privacy safeguards. For example, a particular issue is whether it is necessary to require internet service providers to retain and hand over internet connection records (browsing history), particularly given the costs involved and the added risk of security breaches.
Given the difficulties with the transfer of personal data from the EU to the US following both Snowden’s revelations and the CJEU Schrems v Facebook decision, the terms of the bill as enacted may also be relevant, should the UK seek to ensure that, post-Brexit, it has adequate safeguards in place to enable the continued transfer of personal data from the EU.
It remains to be seen whether the bill, in its final form, will indeed offer adequate safeguards to protect individuals’ right to privacy. As technology advances and data collection increases, so too does awareness of privacy rights. This IPT ruling will likely be just one of many such challenges going forward.
Ailidh Callander, senior solicitor, Parliamentary & Public Law Unit, Anderson Strathern LLP