For centuries, the authorization of surveillance powers under UK law has – for the most part – been in the hands of the executive rather than judges. All that may be about to change, however, in light of a recent series of reports and judicial decisions. Indeed, the role of government ministers and senior police and intelligence officials in authorising surveillance appears increasingly anachronistic in light of the extensive role that UK judges already play in authorising or approving various national security measures, including terrorism investigation orders and deportation on grounds of national security. One model for judicial authorization is likely to be the much-overlooked Surveillance Commissioners, a group of retired judges, who are responsible for approving the use of bugs and other intrusive surveillance methods by police.
On July 17, the Divisional Court in London dealt the latest in a series of blows against the UK legal framework governing surveillance, striking down section 1 of the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’). That section enabled the UK Secretary of State to issue “notices” to telecommunications firms requiring them to retain their customers’ communications data. DRIPA, rushed through Parliament in a mere 3 days last summer, was primarily intended to preserve the UK’s Data Retention (EC Directive) Regulations 2009 that were nullified as a result of the EU Court of Justice’s (CJEU) judgment in Digital Rights Ireland (C-293/12) in April last year. In that case, the CJEU held that the EU Data Retention Directive 2006/24/EC violated the rights to privacy and data protection under Articles 7 and 8 of the EU Charter of Fundamental Rights, not least because it entailed “an interference with the fundamental rights of practically the entire European population” yet had little in the way of safeguards, such as prior judicial authorisation of access to communications data.
Unsurprisingly, the Divisional Court found that the relevant provisions of DRIPA were contrary to EU law for essentially the same reasons as the CJEU had found the original directive to be invalid. “Above all”, the Divisional Court concluded, Digital Rights Ireland required that “access by the competent national authority to the data retained must be made dependent on a prior review by a court or an independent administrative body” (paragraph 91(c)). By contrast, the UK rules governing access to retained data – set out in Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act 2000 (‘RIPA’) – require only that an application by a law enforcement body or intelligence agency “must be considered by a senior person,” typically a member of the same organisation but “who is independent of the investigation” (paragraph 98). On this basis, the Divisional Court held that the power contained in section 1 of DRIPA was inconsistent with EU law (paragraph 114(b)) and made an order disapplying it– only the second time that a court has disapplied primary legislation in the UK.
The challenge to DRIPA had been brought by two senior MPs, David Davis and Tom Watson, who were unhappy that Parliament had been asked to rush through the legislation without sufficient scrutiny. Following the Divisional Court’s judgment, Davis told reporters that it reflected “the emerging consensus in the last few weeks that prior judicial approval is needed.” In February this year, for instance, an inquiry by the Interception of Communications Commissioner into allegations that police forces had been using communications data to identify journalists’ confidential sources concluded that “judicial authorisation must be obtained in cases where communications data is sought to determine the source of journalistic information” (paragraph 8.9(1)).
Last month, David Anderson QC, the Independent Reviewer of Terrorism Legislation recommended among other things that interception warrants should be authorised by judges rather than, as is currently the case, the Secretary of State (recommendation 22). Last Tuesday, a review undertaken by the Royal United Services Institute concluded that interception warrants for law enforcement purposes should be authorised by a judge and that interception warrants for other purposes (e.g. foreign policy) should continue to be authorised by the Secretary of State but “subject to judicial review by a judicial commissioner” before the warrant is executed (recommendation 10).
For its part, however, the Intelligence and Security Committee – the oversight body for the intelligence services – concluded in its own review in March 2015 that it was better to retain the existing system of ministerial authorisation of interception warrants because government ministers are “able to take into account the wider context of each warrant application and the risks involved, whereas judges can only decide whether a warrant application is legally compliant” (paragraph FF, p75). It also noted that government ministers were “democratically accountable for their decisions”, from which it followed that “responsibility for authorising warrants for intrusive activities” remain with them (paragraph GG, p76). It is also worth noting that neither Anderson nor the RUSI review thought that judges should play a role in authorising requests by police and the intelligence services for access to communications data, save – in Anderson’s case – where the data was sought “for the purposes of determining matters that are privileged or confidential” or in “novel or contentious cases” (recommendations 68 and 70).
The need for prior judicial authorisation has, of course, been a staple feature of many intrusive powers under UK law, not least of all the venerable search warrant. The power of the Secretary of State to issue general warrants for the seizure of private papers was famously condemned in 1765’s Entick v Carrington and part of Lord Camden’s judgment in that case is given over to recounting the history and qualifications of the Secretary of State, noting that he could see “no part of it that requires the authority of a magistrate.” Entick, in turn, became one of the central inspirations for the Fourth Amendment and its requirement for judicial authorisation of search warrants and – in due course – judicial warrants for the interception of private communications: see Katz v. United States.
In the UK, however, the traditional judicial protection afforded to people against unlawful search and seizure has only rarely extended to cases involving surveillance powers. In 1957, the Birkett committee noted that “it has been in some quarters that the authority for the issue of warrants for interception should not be left exclusively in the hands of the Secretary of State” and considered the argument “that warrants should be issued only on a sworn information before magistrates or a High Court judge”. However, Birkett and his fellow Privy Councillors were concerned that “if a number of magistrates or judges had the power to issue such warrants, the control of the use to which methods of interception can be put would be weaker than under the present system.” They also expressed misgivings that “it might very well prove easier in practice to obtain warrants” under such a system, although they did not attempt to explain why this might be the case.
Similar sentiments were expressed by the then-Home Secretary Jack Straw when RIPA was first debated in the Commons. He went so far as to claim that “in quite a number of other countries, the fact that a judicial warrant is required lessens the protection that is offered to people because the judicial warrant acts as a fig leaf for people’s human rights, and not as a serious safeguard.” The former Home Secretary’s speculations on comparative law might have been entirely unevidenced but they reflected the tenor of the Act, under which interception warrants would be continue to be made by the Secretary of State and access to communications data would essentially be self-authorised by the police force or intelligence agency in question. In the first decade of its operation, annual reports show that public officials made just under 3 million surveillance decisions under RIPA. Fewer than 5,000 – or about 0.16% – involved prior authorisation by a judge.
But the most interesting thing about this statistic is not that the vast majority of surveillance decisions under RIPA have not involved judges, but that judges have been involved in any of them at all. For RIPA is, in truth, a patchwork of different regulatory schemes and one of those schemes was borrowed straight from the Police Act 1997 which provided a statutory framework for the use of intrusive surveillance by police and other prosecuting bodies, e.g. planting a listening device or camera in someone’s home, office or vehicle. Notably, Part 3 of the 1997 Act established a body called the Surveillance Commissioners who were required to be “persons who hold or have held high judicial office” (section 91(2)), and who were tasked with approving the use of intrusive surveillance by police (ss97-100). When RIPA was enacted, the drafters simply extended the job of the Surveillance Commissioners to govern intrusive surveillance under that Act as well (save in the case of the intelligence services, whose bugs and cameras would instead be authorised by the Secretary of State). There are other parts of RIPA that also require judicial authorisation: local authorities must seek a magistrate’s approval before using directed surveillance under Part 2 and a judge’s approval is also required in order to issue an encryption notice under Part 3, but it is the role of the Surveillance Commissioners which provides the best model for how judicial authorisation of interception warrants might work.
First of all, intrusive surveillance under Part 2 of RIPA is – as the name suggests – every bit as invasive as the interception of communications over a network. If a judge’s approval is thought to be a necessary safeguard when it comes to the police planting a listening device in your car or a hidden camera in your bedroom, then it is not obvious why interception should be treated any differently. Secondly, it is true that judicial authorisation would involve an increase in the number of people with knowledge of highly sensitive capabilities. However, judges in the UK already preside over a number of matters that involve scrutiny of the activities of intelligence services, including terrorist asset freezing measures, terrorism investigation orders and deportation on grounds of national security. Thirdly, there is no indication that the Surveillance Commissioners have “made it easier” for police to obtain authorisations to use intrusive surveillance (which was one of Birkett’s fears), nor that the Commissioners have simply acted as a “fig leaf for human rights” (as Straw claimed they did in other countries).
For his part, Anderson described his recommendation in favour of judicial authorisation as “one of the more radical recommendations” in his report but also “one of the easiest to arrive at” (paragraph 14.48). As regards the ISC’s arguments about the need for democratic accountability, he noted that the Secretary of State “is in practice rarely if ever held politically accountable for the issue of warrants”, not least because disclosing any information about their existence is a criminal offence under s19. Anderson also noted a different concern expressed by the Foreign Office that judicial authorisation might “disadvantage the UK” because “judges would be liable to refuse applications that Ministers accept” (paragraph 14.57). Alas for the Foreign Office, their objection proved too much. As Anderson observed: “Were it the case that Ministers might be tempted to issue warrants in circumstances where it is illegal to do so, that would seem to me a strong argument in favour of judicial authorisation rather than against it” (ibid).
Anderson stopped short, however, of recommending judicial authorisation for access to communications data, save for those cases involving privileged or confidential material or “novel or contentious cases”. His recommendation, however, now appears to have been overtaken by the ruling of the Divisional Court in the DRIPA case in which it held that the scheme of self-authorisation for access to communications data under Chapter 2 of Part 1 of RIPA was not sufficient to comply with EU law. The Court in the DRIPA challenge was careful not to say that a judge was required: the CJEU in Digital Rights Ireland referred instead to “prior review by a court or an independent administrative body”. This follows the line taken by the European Court of Human Rights (ECtHR) in Klass v Germany (1980) 2 EHRR 214 in which the Strasbourg Court held that:
The rule of law implies, inter alia, that an interference by the executive authorities with an individual’s rights should be subject to an effective control which should normally be assured by the judiciary, at least in the last resort, judicial control offering the best guarantees of independence, impartiality and a proper procedure (paragraph 55).
Again, the Court in Klass stopped short of requiring judicial authorisation in every case. Rather, it held that the key safeguard was that surveillance must be subject to control by a body “independent of the authorities carrying out the surveillance” (paragraph 56). Under RIPA, however, this guarantee of independence has been watered down to mean someone within the same organisation or agency but who is not involved in the investigation. Although it did not provide much in the way of detail, it seems clear that the Divisional Court in the DRIPA case was not persuaded that a more senior police officer or intelligence officer could be considered sufficiently independent of his or her subordinates for this purpose. It is also worth noting that, even in Klass, where the ECtHR held that the German scheme of parliamentary oversight was sufficient, the initial surveillance decision was always taken by an “official qualified for judicial office” (paragraph 156).
Although the DRIPA ruling was concerned with the conditions governing access to communications data retained by communications service providers, rather than interception per se, it is liable to give rise to serious difficulties for interception warrants also. After all, a warrant to intercept communications is necessarily a warrant to obtain any related-communications data: see section 5(6)(b) of RIPA. To the extent, therefore, that such warrants are used to access data retained under DRIPA or any similar future provision of this kind, this would raise the question of whether the Secretary of State is sufficiently ‘independent’ for the purpose of complying with EU law. More generally, it gives rise to a curious mis-match in that a judge’s approval may be necessary in order for the police and intelligence services to access a customer’s metadata but not in order to listen to that customer’s phone calls or read their emails (something which the government itself deems considerably more intrusive).
Although the Divisional Court has taken the rare step of disapplying section 1 of DRIPA, it has also suspended the effect of its order until April next year. This gives the government some nine months in which to bring forward fresh legislation; something which it had committed to doing in any event following the Anderson report. The government had previously intimated that it would resist judicial authorisation but its hand may now be forced by the courts. Two hundred and fifty years after Entick, the government may finally be obliged to give the judges their due.