As our lives have increasingly become data-driven and digital by default, finding the balance between privacy and national security/law enforcement has become one of the central legal, political, and ethical debates of the information age. On 11 May, the Director of the Information Law and Policy Centre, Dr Nora Ni Loideain joined a panel of experts at a Bingham Centre event to discuss the latest round in the legal debate – the European Court of Justice’s (CJEU) recent ruling in a case brought by Tom Watson MP against the UK government in regard to the legality of the Data Retention and Investigatory Powers Act (DRIPA). Although DRIPA has now expired, the CJEU Grand Chamber judgment delivered last December also calls into question the legal status of the legislation which replaced DRIPA in 2016, the Investigatory Powers Act (IP Act).
According to the panel chair, Professor Lorna Woods, the CJEU judgment formed what might be considered a “strong view” on privacy and regarded mass data retention as “disproportionate” compared to citizens’ rights to privacy. In this regard, the ruling continued in the same vein as the landmark 2014 Digital Rights Ireland judgment, which struck down the EU’s instrument for mandatory mass data retention – the Data Retention Directive – and declared it to be incompatible with the right to respect for private life and data protection protected by Articles 7 and 8 of the EU Charter of Fundamental Rights.
As we wait for the UK Court of Appeal to interpret the Watson/Tele2 judgment in relation to UK law, the panel considered what the Grand Chamber’s judgment might mean for mass data retention. In particular, Professor Lorna Woods put it to the panel and audience to consider whether the scope of data retention currently provided for under the IP Act 2016 was still possible in light of the reasoning of the CJEU Grand Chamber’s judgment.
“Much needed warning” or “potential catastrophe”?
For Max Hill QC, the recently appointed Independent Reviewer of Terrorism Legislation, reactions to the CJEU judgment have ranged from those who welcome the judgment as a “much needed warning to the UK” to bring its legislation into line with European norms through to those who regard the ruling as an “actual or potential catastrophe” for the security services’ ability to keep us safe. Hill QC sided with neither of these positions, but did argue in keeping with his predecessor David Anderson QC that “bulk data retention” is a “valuable tool” in the arena of national security and serious crime.
Hill QC suggested “all would be well” if the CJEU ruling in Watson/Tele2 against data retention regimes could be interpreted as not being applicable to national security, but he believed that the judgment was not clear on that point. In her remarks, Dr Nora Ni Loideain later noted that some of the more “vague” sections in the judgment might have been deliberate in order to allow national courts some latitude in their interpretation of the legal principles. In this respect, Hill QC suggested that the CJEU judgment demanded greater consideration of the definitions of “national security”, “serious crime”, and “crime”. He argued that this might be a method of “finding our way through Watson/Tele2” which would avoid striking down the Investigatory Powers Act and whereby mass data retention could be permitted to infringe the privacy of third parties in exceptional cases of serious crime or instances where national security is threatened.
A new opportunity to deliver world-leading oversight?
Rather than ‘finding way a though’, Dr Nora Ni Loideain suggested that the judgment in Watson/Tele 2 might be an opportunity to develop the ‘world-leading oversight arrangements’ originally stipulated by the government during the pre-legislative scrutiny of the Investigatory Powers Bill.
She highlighted that the UK has regularly been warned about its approach to privacy by European jurisprudence since Malone v UK in 1984, and that the Snowden revelations of 2013, as well as Privacy International’s challenges to the use of such powers by the intelligence agencies in 2016 had revealed serious flaws in the oversight regime. In particular, these latter events demonstrated that the independent authorities responsible for oversight – such as, the Interception of Communications Commissioner’s Office (IOCCO) – were being kept in the dark about the nature and extent of data collection and retention.
Critically, the Watson judgment has established that either a judicial or independent administrative body should be responsible for the oversight of data retention regimes, including prior review of requests by public authorities. Nora Ni Loideain considered, therefore, whether the Court of Appeal will determine that the reasoning of the CJEU Grand Chamber warrants major revisions to the Investigatory Powers Act in order to ensure that any independent administrative oversight body meets the CJEU’s requirements of functional and operational independence.
In particular, she felt that the establishment of an independent commission on a statutory basis – as recommended by the Anderson and RUSI reports on the Investigatory Powers Bill – was back on the agenda despite the government’s previous assertions that such a body was not necessary. Max Hill QC agreed, suggesting that the government would probably urgently consider amendments to the IP Act to deliver a new form of independent scrutiny of communications data. Indeed, UK Government IT tender documents spotted by the Open Rights Group in March included a reference to “a new communications data independent authorising body”.
The Brexit Elephant
The CJEU judgment in Watson/Tele2 will certainly have given the government pause for thought – even if that pause is currently consumed by the impending general election and Brexit. As with most discussions relating to the UK and EU law, Brexit was the all too conspicuous elephant in the room.
Fundamental questions remain to be answered as Max Hill QC articulated. How will the UK position itself – whether as a matter of choice or from where it will find itself as a consequence of the Brexit negotiations? And post-Brexit, will the UK need to maintain adherence to the letter of EU law in order to avoid a collapse in trust or could the UK take a broader legal approach?
Nora Ni Loideain was somewhat concerned that the CJEU standards in relation to independent oversight of data retention regimes and prior notification for individuals whose data was being collected could well “fall on deaf ears” if, post-Brexit, there was no external push coming from the Luxembourg court.
So … where to after Watson?
With the reaction of other EU member states not yet certain and the CJEU judgment still to be considered by the UK Court of Appeal (probably in the autumn), the advice from Max Hill QC on the future of data retention in the UK was “wait and see”. Not least because no less than three ongoing cases – including Liberty’s proposed challenge to the Investigatory Powers Act, Privacy International’s ongoing legal challenge on the use of bulk personal datasets in June before the Investigatory Powers Tribunal, and Big Brother Watch’s case concerning the legality of the UK’s surveillance regime following the Snowden revelations before the European Court of Human Rights – might also affect the outcome. But perhaps in the meantime, the final word ought to go to Renate Samson, Chief Executive of Big Brother Watch, who issued a clarion call for an ongoing public conversation about privacy, security, and investigatory powers.
Although Samson believed the Watson judgment was a “big win for privacy campaigners”, she felt that the government was only listening because of such court cases. Moreover, despite the views of sceptical audience members who felt many people were simply not interested in their privacy, she believed that the public needed to be more fully included in discussions of what constitutes “national security” and “serious crime” as well as what “necessary” and “proportionate” intrusion actually means in practice. After all, in a society of “digital citizens”, she argued, “this affects all of us”: intrusion into our digital data by state and private actors will remain a live issue for many years to come with potentially profound consequences for our own security, as well as our privacy.