ECHR rules against historic UK bulk interception regime
Following challenges by multiple claimants, the ECHR today ruled that parts of the UK framework set up by the 2000 Regulation of Investigatory Powers Act (RIPA) that allowed bulk interception warrants and collection of communications metadata from telecommunications providers infringed European Convention on Human Rights privacy protections.
The court also ruled that both the interception warrant and telecoms metadata regimes violated the human rights convention’s freedom of speech protections, as they failed to properly safeguard confidential journalistic material.
However, it dismissed the claimants’ arguments that the RIPA intelligence-sharing regime with foreign governments breached the convention’s privacy or freedom of expression provisions.
The Investigatory Powers Act replaced RIPA in 2016. Megan Goulding of Liberty, a human rights organisation that was one of the claimants that led to today’s judgment, told GDR that the new legislation “replicated and vastly expanded the powers we challenged in this case – and the protections for our rights remain entirely inadequate.”
The judgment comes months before the UK is set to leave the EU. The country faces becoming a third country for EU data protection purposes, and may seek an adequacy decision. The European Commission scrutinises the surveillance powers of countries that apply for adequacy.
RIPA had allowed the UK’s foreign ministers to issue interception warrants for the interception of communications made through telecoms systems.
The ECHR today noted that it has previously accepted that bulk interception regimes can be compatible with the human rights convention – but remain open to being abused, “especially where the true breadth of the authorities discretion to intercept cannot be discerned from the relevant legislation”.
The court’s case law has several requirements that such regimes must feature in order to be acceptable under the convention to minimise the risk of abuse. It upheld Sweden’s regime earlier this year.
The claimants had objected to multiple parts of the RIPA bulk interception warrant regime, saying for example that it was too complex to be accessible to the public, and that in practice anyone was liable to have their communications intercepted as while warrants were meant to outline material ministers believed was necessary to examine, they were instead framed generically.
The claimants had also noted that RIPA contained some safeguards for communications, but not for metadata – known in the act as “related communications data”.
The claimants had urged the court to update its requirements by creating a need for reasonable suspicion of interception subjects, prior independent judicial authorisation and subsequent notification of people subject to interception. They said this was necessary as modern communications interception can be highly intrusive.
The ECHR disagreed: the court said it accepted modern technology has increased the intrusiveness of interception, but concluded targeted interception remains more likely to result in a large volume of an individual’s communications being harvested – and with bulk interception necessarily being untargeted, it would be impossible to operate such a scheme with reasonable suspicion and subsequent notification requirements.
The court also said it was “not persuaded that the acquisition of related communications data is necessarily less intrusive than the acquisition of content”. If encrypted communications were decrypted, the court said, it might not reveal anything noteworthy about senders or recipients – but related data could reveal their identities and locations, with the degree of intrusion boosted in the context of bulk interception.
The court ultimately concluded that there was insufficient oversight of the process of selecting what data to intercept and which telecoms systems to tap, and that there was an “absence of any real safeguards applicable to the selection of related communications data for examination”.
The ECHR also agreed to find that RIPA’s separate framework for intercepting communications metadata from telecoms providers was illegal.
The claimants had said RIPA’s communications metadata interception regime was overly broad and applied in ill-defined circumstances, which also lacked proper safeguards against abuse.
The ECHR found that the regime was illegal due to an admission by the UK’s government relating to the metadata interception framework set up by the 2016 Investigatory Powers Act.
In 2017, the government admitted that part four of the new act, which covered telecoms metadata retention notices, was inconsistent with EU law; an English court this year told the government to amend the legislation by November.
The UK’s government had made the admission after the Court of Appeal of England and Wales declared the legislation clashed with EU law as access to retained data was not limited to the purpose of “serious crime”.
Today, the ECHR said UK domestic law clearly requires that any regime letting authorities access data retained by telecoms providers should only allow access for the purpose of fighting “serious crime”. But RIPA’s communications metadata framework allowed interception for the purpose of combating crime, not the narrower serious crime.
It also noted that the legislation unacceptably did not subject access to retained data to prior judicial or independent administrative authorisation, other than in cases when access was intended to reveal journalistic sources.
Foreign intelligence sharing
The claimants before the ECHR had also argued that the UK’s receipt of material intercepted by the US National Security Agency – as revealed by the Edward Snowden leak – breached their privacy rights. The arguments marked the first time the ECHR has been asked to consider European Convention on Human Rights compliance of intelligence-sharing regimes.
The court said the receipt of intercepted material by the UK and subsequent processing and examination by its intelligence services constituted the relevant interference with privacy rights.
Ultimately, it said that domestic law and practice was sufficiently clear about the procedure for requesting interception or conveyance of material obtained from foreign agencies, and saw “no evidence of any significant shortcomings” in that regime’s operation. It said the sharing did not violate privacy rights.
Graham Smith at Bird & Bird in London noted that the ECHR’s concern about a lack of oversight over the selection process for carriers to tap, and an absence of safeguards in the selection of related communications data to be examined, are both “criticisms [that] can also be made of the 2016 [Investigatory Powers] Act”.
While the new legislation introduced prior independent judicial commissioners’ authorisation of bulk interception warrants, it is “not explicit about the extent to which the oversight body should be involved in, for instance, approving selectors and search criteria – or even if it has to be at all,” Smith said.
He added that the new legislation also “largely replicates the RIPA carve out of what is now called secondary data from the safeguards that apply to selecting content for examination,” and that the court’s findings about journalistic privilege are also likely to have implications for the 2016 legislation.
Organisations involved in the challenge against the UK’s regime praised the judgment today.
Liberty lawyer Megan Goulding said the UK's government "can and must give us an effective, targeted system that protects our safety, data security and fundamental rights.”
Privacy International's general counsel Caroline Wilson Palow said the ECHR's judgment "rightly criticises the UK’s bulk interception regime for giving far too much leeway to the intelligence agencies to choose who to spy on and when. It confirms that just because it is technically feasible to intercept all of our personal communications, it does not mean that it is lawful to do so.”
And Amnesty International strategic litigation director Lucy Claridge said the ruling was "a significant step forward in the protection of privacy and freedom of expression worldwide”. But she said it "does not go far enough in condemning bulk surveillance" as it continues to give national governments a "wide margin of appreciation" in deciding whether to use bulk surveillance programmes, and "greenlights vast intelligence sharing with the US National Security Agency".
Liberty continues to challenge the 2016 legislation in the High Court of England and Wales.
The ECHR today highlighted that it is set to hear challenges to French, Austrian and German surveillance legislation.
Counsel to Big Brother Watch, English PEN, the Open Rights Group, Constanze Kurz, the Bureau of Investigative Journalism, Alice Ross, Amnesty International, Bytes For All, the National Council for Civil Liberties (Liberty), Privacy International, the American Civil Liberties Union, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties and the Legal Resources Centre
Dinah Rose QC and Ravi Mehta in London
Helen Mountfield QC and Matthew Ryder QC in London
Conor McCarthy in London
Deighton Pierce Glynn
Associate Daniel Carey in Bristol
Associate Rosa Curling in London
National Council for Civil Liberties (Liberty)
Counsel to the UK’s government
James Eadie QC in London
Foreign and Commonwealth Office
Rashmeen Sagoo (now at the British Red Cross)
Copyright © Law Business ResearchCompany Number: 03281866 VAT: GB 160 7529 10