The Advocate General’s Opinion in the recent Watson/Tele2 case re-emphasises the importance of considered justification for the collection and storage of personal data which has implications for a variety of data retention regimes. In this post, Lorna Woods, Professor of Internet Law at the University of Essex, considers the legal position of the system used to capture and store vehicle number plates in the UK.
The Data Retention Landscape
Since the annulment of the Data Retention Directive (Directive 2006/24/EC) (DPD) with Digital Rights Ireland (Case C-293/12), it has become clear that the mass retention of data – even for the prevention of terrorism and serious crime – needs to be carefully justified. Cases such as Schrems (Case C-362/14) and Watson/Tele2 (Case C-698/15) re-emphasise this approach. This trend can be seen also in the case law of the European Court of Human Rights, such as Zakharov v. Russia (47143/06) and Szabo v Hungary (11327/14 and 11613/14).
Not only must there be a legitimate public interest in the interference in individuals’ privacy and data protection rights, but that interference must be necessary and proportionate. Mechanisms must exist to ensure that surveillance systems are not abused: oversight and mechanisms for ex ante challenge must be provided. It is this recognition that seems part of the motivation of the Investigatory Powers Bill currently before Parliament which deals – in the main – with interception and surveillance of electronic communications.
Yet this concern is not limited to electronic communications data, as the current case concerning passenger name records (PNR) data before the Court of Justice (Opinion 1/15) and other ECtHR judgments on biometric data retention (S and Marper v. UK (30562/04 and 30566/04)) illustrate. Despite the response of the UK government to this jurisprudence, there seems to be one area which has been overlooked – at least with regard to a full oversight regime. That area is automated number plate recognition (ANPR) and the retention of the associated data.
What is ANPR?
ANPR is a form of CCTV used to capture, read and store vehicle number plates. It is in broad use by state actors (e.g. Highways Agency, police, TfL and councils) and private organisations (petrol stations, car parks). Here we consider the police ANPR system in England which, broadly speaking can cross check the resulting numbers with lists of driver information. These can be suspect drivers and vehicles – for example those without valid insurance or suspects in an ongoing investigation.
In addition to the immediate cross-checking for problem cases, the data may be retained. Two images stored for each “read”; one is of the number plate itself and a wider “overview” captures an image of the whole vehicle. The data is processed locally by individual police forces but are then transferred to the NADC (‘the National ANPR Data Centre for the collection of Automatic Number Plate Recognition data from Force ANPR back office facilities’) and ANPR strategy is overseen by the National Police Chiefs’ Council (NPCC). This data can be used in the detection of offences in addition to traffic offences. The police provide an overview of the system on their website.
The amount of data so stored is vast: the NPCC site estimates 25-35 million ‘reads’ of number plates daily, though according to the NPCC Strategy this could easily be 40 million daily. Additionally, the London Met has a system which is essentially a copy of the NADC – the Olympic Feed – as the Home Office and Police thought the NADC was not fit for purpose. Originally designed to tackle terrorist threats connected to the London Olympics, the Olympic Feed is still used and feeds ‘national data into an extremely large local ANPR system with better capability’.
The Report of the Surveillance Camera Commissioner for 2014/15 noted that the data collected and stored by NADC can be used for data mining in a number of ways:
- Vehicle tracking: real time and retrospective;
- Vehicle matching: identifying all vehicles that have taken a particular route during a particular time frame;
- Geographical matching: identifying all vehicles present in a particular place at a particular time;
- Incident analysis: can be used to refute or verify alibi statements, to locate offenders or identify potential witnesses;
- Network analysis: link individuals to identify vehicles travelling in convoy;
- Subject analysis: ANPR can be integrated with other sources of data (CCTV, communications analysis, financial analysis) to create an in-depth profile and patterns of behaviour for an individual.
There have been concerns about such pervasive surveillance possibilities, and the intrusion into the private lives of people of absolutely no interest to the police (or security services) at all, especially given that the data so collected is retained for significant periods.
The Surveillance Camera Commissioner noted that there were plans to extend the period of data retention from 2 years to a maximum of seven, which he saw as problematic. According to ANPR User Group minutes, the Met currently retain data for longer than two years. An ACPO report on ANPR (The police use of Automatic Number Plate Recognition, Jan. 2013) highlighted a number of problems with the use of ANPR in relation to the purposes it is used for, the quality of the data and the retention/appropriate deletion of that data. In a speech in November 2015, the Surveillance Camera Commissioner also highlighted the ‘ring of steel’ comprising 200 ANPR cameras erected in a predominantly Muslim area of Birmingham to monitor terrorist threats – effectively treating all those in that area as possible terrorists (See NGO complaint here).
Particular concerns about ANPR and NADC/Olympic Feed relate to the lack of a specific statutory basis for the database, nor any required oversight mechanisms. So, is the current oversight of ANPR use sufficient, especially given the swiftly developing jurisprudence on mass surveillance at both European Courts?
While there is no specific statutory mention of ANPR certain legislation is relevant: the Data Protection Act 1998 (DPA), the Protection of Freedoms Act 2012 (PoFA) and possibly Regulation of Investigatory Powers Act 2000 (RIPA) (insofar as the use of the data constitutes covert surveillance) all understood in the light of the Human Rights Act 1998 (HRA).
In principle the use of these technologies falls within the DPA as the registration number and the wider vehicle image could be personally identifiable information and thus the data protection principles apply. The Information Commissioner’s Office (ICO) has issued a Code of Practice with regard to CCTV, including ANPR cameras. Covert surveillance falls outside DPA and PoFA, being dealt with by RIPA. PoFA (which applies only to England and Wales) established the Commissioner for Surveillance Cameras, who also established a Code on the appropriate use of surveillance cameras by relevant authorities including the police (which has recently been reviewed). The two codes have principles in common – as the ICO’s code itself makes clear, though each has separate ‘enforcement’ processes.
The ICO’s Code makes clear that use of ANPR has to be justified and, further, that databases are kept up-to-date and accurate (in particular to prevent mismatches). Data must be kept secure and retention periods must be the minimum necessary for the purpose for which the data was collected. Thereafter the data must be immediately deleted. The ICO has previously expressed some concerns about retention periods for ANPR data.
The Surveillance Camera Code is aimed at addressing concerns that surveillance cameras are being abused. It establishes twelve principles to try to ensure that use of such cameras is legitimate, necessary and proportionate. In addition to rules on necessity of use of cameras and acquisition of data, the code requires procedures to be in place on the use of cameras and that access to the data is limited. It also requires transparency, an aspect about which the Surveillance Cameras Commission has been critical, for example, in a speech from Nov 2015. Since then, it seems more information is readily available (rather than individuals having to rely on FoI requests).
Although relevant authorities must have regard to the Code, the Commissioner has only soft enforcement powers, insofar as these are enforcement powers. Nonetheless the Commissioner has worked with the police to help develop self-assessment tools.
Impact on Human Rights under ECHR or the EU Charter
Leaving open the question of whether NADC and the Olympic Feed comply with the DPA in terms of proportionality, security/limiting access and deletion policy/retention and the effectiveness of a code that is not legally enforceable, what is the position under either the ECHR or the EU Charter?
The basic principles of these regimes are the same:
- Article 8 ECHR and Article 7 Charter provide for a right to private life. Additionally, the Charter contains a separate right to data protection in Article 8. The surveillance of an individual and the systematic storage of data/records constitutes an interference with these rights even if that data is not used or analysed (See Rotaru v. Romania 28341/95, paras. 43–44; Segerstedt-Wiberg v Sweden (2007) 44 E.H.H.R. 2; S and Marper, para 67). Indeed the existence of a system allowing surveillance can trigger the application of Article 8 (see e.g. Zakharov). The inspection and analysis of data would constitute separate interferences.
- Nonetheless, the right to private life is not absolute and an interference can be justified providing that the interference is:
- Based in law
- For a legitimate aim
- Including necessity and appropriateness as well as proportionality per se.
We will consider each of these potential justifications in turn.
‘Based in law’
Article 8(2) ECHR requires that an interference be ‘in accordance with the law’, which is different from the text used in relation to other rights where an interference must be ‘prescribed by law’. This difference could suggest that, whereas for interferences with, for example, freedom of expression, the interference must show a specific legal base for that interference, for Article 8 no such legal base is required.
Instead, merely compliance with general norms (such as DPA, PoFA) might suffice. In Malone v UK, (8691/79) it was accepted that the expression meant that ‘the interference had some basis in domestic law’ (para 66, interpretation reiterated in the recent case of Zakharov, para 228). This interpretation is still ambiguous. In Malone, while there was no statutory authority giving the Secretary of State power to authorise interception, that authorisation was determined by the Court to be legal in domestic law.
The situation in Malone is, however, different from ANPR as in Malone there was an authorisation process in line with then accepted constitutional principles. Furthermore, it could well be argued that the case law on surveillance has moved on since Malone (which dates to the early 1980s) to be less deferential to state discretion. In any event, this textual difference does not find its way into the text for Articles 7 and 8 of the Charter. The exceptions to rights under the Charter ‘must be provided for by law and respect the essence of those rights and freedoms’ (Article 52(1) Charter). Here the Charter is emphasising that there must be legislative authorisation, at least at the systemic level.
The Strasbourg Court has also set down qualitative requirements in respect of any such law which must be: accessible; sufficiently clear as to be circumstances under which an interference may be justified; and consistent with the rule of law. The Court specified recently in Zakharov:
The “quality of law” in this sense implies that the domestic law must not only be accessible and foreseeable in its application, it must also ensure that secret surveillance measures are applied only when “necessary in a democratic society”, in particular by providing for adequate and effective safeguards and guarantees against abuse. [para 236, and see para 230 on safeguards against abuse]
Situations where the law is confused, or contradictory may be problematic. There have to be clear, detailed rules specifying the conditions subject to which interferences are legitimate (Weber and Saravia v Germany 54934/00), but they can be set down in secondary legislation and codes (Kennedy v. UK 26839/05) – providing that these are public (Liberty v. UK 58243/00).
The Charter provides that the Charter rights must match the Convention rights (though Charter protection may be higher). In principle, then, the same points about lawfulness will arise here. In this context, however, the Opinion of the Advocate General in Watson/Tele2 adds a gloss to our understanding, as he suggested that law must provide protection against arbitrary interference and any such laws or codes must be binding on the relevant authorities (para 150).
This requirement of lawfulness may give rise to some problems for the ANPR regime as it is not authorised by any statute (contrast covert surveillance under RIPA which must go through a process of authorisation). The assertion in the Home Office Document that ‘[t]he DPA and RIPA provide the framework to support Article 8 ECHR’ (para 1.4) is at best questionable, and does not seem to recognise differences between the two regimes.
For ANPR there is no authorisation of acquisition of data; any rules relate to processing and access. ANPR can in this way be distinguished from the collection of communications data. There, although the collection of data is potentially widespread, it must be triggered by a notice to the telecommunications operator. ANPR is distinctive in having no link to governmental oversight.
The police have also suggested that the Criminal Procedures and Investigations Act 1996 (CPIA) justifies the retention of data. This is a weak justification as it does not deal with creation, storage or access and cannot relate to individuals not of interest to the police.
The CPIA was introduced so as to allow the review of evidence after trial by defence teams or the Criminal Cases Review Commission so as to avoid miscarriages of justice – a different purpose altogether. Furthermore, this obligation to retain evidence has not been found to be sufficient justification for retention of data in other contexts (communications data, biometric data); special provision has been made to allow longer retention of data on a case by case basis (See Hansard, 10 Oct 2011, para 104).
Concerns have been expressed about using CPIA as a general exception allowing biometric data to be kept on a ‘just in case basis’ (see Report of Biometrics Commissioner 2014, p 59 et seq). The Anti-Social behaviour, Crime and Policing Act 2014, (which amends the Police and Criminal Evidence Act 1984), seeks to clarify that, once CPIA no longer applies, the sample must be destroyed, and prevents a sample that is retained under CPIA from being used other than for the purposes of any proceedings for the offence in connection with which it was taken (See Notes to the Act). This amendment can be seen as limiting the possibility of relying on CPIA as a general justification for retention of data.
There may also be some problems about clarity: we have two overlapping systems with different enforcement mechanisms which may be confusing. Furthermore, it may not be immediately clear which force is holding the data or where. This makes it harder for affected individuals to assert their rights. In all, any framework is undermined by the lack of coherence of piecemeal legislative responses, arguably with different rationales.
In any event, quite apart from questions as to whether a statutory basis is required, the fact that there is no authorisation and oversight regime makes it difficult for individuals to foresee the applicability of the regime. Moreover, if we follow the Advocate General in Watson/Tele2, the fact that storage of, retention of and access to information is governed only by internal codes may be problematic. In this, there may be some difference between the EU and the ECHR – though we have not yet had the final word on Watson/Tele2 from the Court of Justice. Indeed, it has been suggested that internal codes are used to limit citizen access to data rather than to facilitate it (e.g. Information Tribunal, Mathieson v IC & Devon & Cornwall Constabulary (EA/2010/0174)).
This seems unproblematic. In essence, the data is used mainly for the fight against crime recognised as a legitimate public interest in both EU and ECHR systems. The nature of the public interest is, however, also a relevant factor for assessing proportionality.
Were ANPR ever to be challenged, there would be much to be said about proportionality and the nature of the safeguards in the system. Here just three points will be flagged: issues of ‘mass surveillance’; nature of the public interest; and retention period.
ANPR constitutes mass surveillance in that it includes a majority of people who are of no interest to the police. Such a system requires particularly strong justification (especially with the retention of data for increasingly long periods), and both European Courts have been critical of systems of mass surveillance of communications (Digital Rights Ireland, Zakharov).
In the recent PNR Canada Opinion, the Advocate General suggested that the mass retention of PNR data was less problematic because it did not provide such a complete picture as communications data did, and the data was used in relation to a very serious threat: terrorism. Whether or not the Court of Justice accepts this suggestion, it is questionable whether types of data can be segregated in this way. As the Commissioner’s Report shows, the data is used and integrated with other data sets can provide detailed profiles of individuals. The use of the data may be more intrusive than might initially appear.
This brings us to the next question: part of the issue of proportionality is the seriousness of the public interest. Here the fact that ANPR was initially used in relation to the prosecution of traffic offences means it is harder to justify mass surveillance. Significantly, the Advocate General in Tele2/Watson determined that mass surveillance should be justified only in relation to serious crime.
While serious crime may be determined at national level (in both the EU and ECHR), and the use of ANPR is not limited to traffic offences, there is still no way that ANPR relates only to serious crime. It is also possible that the Court of Justice might start filling in the meaning of ‘serious crime’: a reference on the meaning of ‘serious crime’ has been made to the Court of Justice (Case C-207/16 Ministerio Fiscal), which may reduce the scope of state action further.
Finally, there is the question of retention period. It is of course arguable that the nature of the offences sought to be prosecuted and the nature of the data may affect the permissible retention period.
It should be noted that the Data Retention Directive – which permitted two years’ retention – and DRIPA which specified one year – were both seen as problematic. Part of this is the undifferentiated nature of the retention. It is one thing to retain data on suspicion, another in relation to a person of no interest to the police.
This is the same trap into which ANPR currently falls, and it also seems as though ANPR does not distinguish between the two types of ‘reads’ stored. While two years may sit on the edge of acceptability, the not very serious nature of some of the offences may weight against such long retention. An extension would make any justification still harder; indeed the ICO has raised this point, questioning whether the operational case for such an extension has convincingly been made. The retention – seemingly indefinitely – of the Olympic Feed, dating back to 2012, is more problematic still.
A legislative regime for ANPR?
In sum, it seems that there are number of flaws in the current ANPR regime which from a rights-based perspective throws its legality into doubt, as counsel in Mathieson recognised writing in her private capacity. It would seem far better to set up a legislative regime, with an appropriate oversight mechanism, rather than to allow the current system to continue. Not only is this undesirable from the perspective of the citizen road-user but the police use of ANPR data is exposed to legal challenge with potentially far-reaching consequences.