Earlier this month the Draft Investigatory Powers Bill, the UK Government’s attempt to legitimize State surveillance powers, was presented to Parliament. Depending on your perspective, it is either a necessary security measure or a revised “Snooper’s Charter” (revised since it purports to build on the recommendations of three independent reviews by the Parliamentary Intelligence and Security Committee, the Independent Reviewer of Terrorism, and the Royal United Services Institute).
Three aspects of the bill are particularly controversial. First, it requires web and phone companies to keep records of website domains, though not actual pages, visited by citizens for 12 months. The records can then be accessed by police, the security services, and other public bodies if they meet certain requirements. Secondly, it expressly empowers the police and security services to hack into and bug computers and phones, and obliges companies to assist with bypassing encryption. Thirdly, there are concerns about the limited extent of judicial oversight allowed under the bill.
In this post, I consider the first of these, the domain-retention requirement.
In her Foreword to the bill the Home Secretary, Theresa May, defends the enhancement of powers in this area as being “only because a strong operational case has been made.” But it will be difficult for the Government to shake the perception that the bill is “backwards” and that, as Edward Snowden has observed, it “is trying to fit the law around the spying, rather than making spying fit the law.” This perception is only strengthened by May’s revelation, when introducing the bill into Parliament, that mass surveillance of UK citizens began soon after 9/11, purportedly pursuant to a broad power in section 94 of the Telecommunications Act 1984. As former Deputy Prime Minister Nick Clegg has said, this is “a capability that only a tiny handful of senior cabinet ministers knew about.”
May has sought to minimize the extent of the proposed intrusion, describing it as “the modern equivalent of an itemised phone bill.” This analogy has been strongly criticized. The comparison has been rejected by Snowden (who says that it is more “like a list of every book you’ve ever opened”), by UN Special Rapporteur on privacy Joe Cannataci (who has described the phone analogy as being “misleading”), and by Guardian commentator Frankie Boyle (who wrote, “It’s a document that shows what we’re thinking about. The government wants to know what we’ve been thinking about, and what could be more sinister than that?”).
Whatever the appropriate analogy might be, there is little doubt that the data has the potential to reveal highly personal information. The question at the heart of this debate is therefore a familiar one: Is this degree of interference (which according to Snowden is “the most intrusive and least accountable surveillance regime in the West”) into our private lives justified by May’s “strong operational case”? Given recent world events, it is not difficult to predict what the Government’s response will be. Indeed there have already been suggestions that the bill should be expedited, although these calls have not been welcomed by privacy groups. (For example, the Open Rights Group recently said, “Our response to these attacks is utter horror but our actions must be well thought out and considered. The Investigatory Powers Bill is one of the most important Bills that this parliament will pass and it is vital that it is scrutinised and debated properly.”)
There are also a number of other issues raised by this proposal. For example, will Internet Service Providers (ISPs) be able to keep customer data secure? Who will foot the bill for the implementation of the proposal in the Draft Investigatory Powers Bill? We know the answer to the latter question: Although the Government has budgeted to spend around £175 million on implementation costs, ISPs have said that the cost will be greater and may be reflected in price hikes — an outcome (being charged more for less privacy) which is likely to further incense critics of the proposal.
Finally, a recent related development: Last Friday, the Court of Appeal gave judgment in Home Secretary v Davis . Earlier this year, the High Court held that parts of the Data Retention and Investigatory Powers Act 2014 (DRIPA) were unlawful because (a) they failed to provide clear and precise rules to ensure that data is accessed only for preventing, detecting, or prosecuting serious crime, and (b) they do not require data access to be authorized by a court or independent body (i.e., so that access could be limited to that which is strictly necessary).
In an outcome that the Independent Reviewer has described as changing “the legal weather around the bulk retention of (and access to) communications data, in a way that the Government will welcome,” the Court of Appeal has decided to refer a question to the European Court of Justice (CJEU). The reference relates to the scope of the April 2014 judgment of the Grand Chamber of the CJEU in two joined cases, Case C-293/12 Digital Rights Ireland and Case C-594/12 Seitlinger, which I considered here. In Digital Rights, the Court held that the EU’s 2006 Data Retention Directive was invalid because it was incompatible with various provisions of the EU Charter — primarily Articles 7 and 8, the right to respect for private life (which is analogous to Article 8 of the European Convention on Human Rights) and the right to protection of personal data. The questions to be referred to the CJEU by the Court of Appeal are whether, by the judgment in Digital Rights Ireland, the Court intended to (a) lay down mandatory requirements of EU law with which Member States’ national legislation must comply, and to (b) expand the effect of Articles 7 and/or 8 of the EU Charter beyond the effect of Article 8 of the ECHR, as established in the jurisprudence of the European Court of Human Rights. The Court of Appeal’s reference may “change the weather” around this issue, but we won’t know in which direction the wind is blowing until the CJEU gives judgment.
The key development to watch, on this particular proposal but also the bill in general, will be the report on the bill by the Joint Select Committee.