We recently published an analysis in Lawfare of the United Kingdom’s surveillance framework as it relates to the proposed U.S.-U.K. agreement for cross-border law enforcement data requests. Implementing the U.S.-U.K. agreement is subject to passage of draft legislation proposed by the Justice Department to Congress in July 2016 (“U.S. DOJ legislation”), which will set standards that approved partners like the U.K. must meet before qualifying for such bilateral agreements. In our piece, we argued that the U.K. framework has several shortcomings that call into question its compatibility with the proposed standards in the current draft legislation. Paul Rosenzweig found our commentary “troubling” and described our critique as “overbroad.” We address his concerns in our own reply below.
A Double Act Takes Two
In the section of his post entitled “The Big Picture,” Rosenzweig writes that we display “a bit of hubris” when we “say that the U.K. system doesn’t meet American standards.” He also calls our critique of British judicial scrutiny in the surveillance context “vaguely insulting to the U.K.” and states that it “smacks of American legal imperialism.”
To begin with, we do not argue that the U.K. system does not meet American standards, nor do we say that it should. The standards in the U.S. Department of Justice (DOJ) draft legislation are far from a direct transposition from U.S. law. In fact, Kim, together with Greg Nojeim, has argued that the standards embedded in the draft legislation fall short of those well-established in both U.S. and European law. And setting aside the relative strength or weakness of the standards in the U.S. DOJ legislation, the thrust of our argument is that U.K. law does not even clearly comport with these standards.
Rosenzweig further suggests that we are not in any position to criticize the Investigatory Powers Act (“IP Act”), given the level of legislative scrutiny levied by Parliament and the bill’s ultimate passage with support from the two major parties. At a general level, the argument that individuals should humbly accept the passage of legislation is both dangerous and undemocratic. Whether a piece of legislation has generated the political support needed to pass is a completely separate argument from whether it passes legal muster. In the U.K., the question of whether the IP Act is fully compatible with European law, including the European Convention on Human Rights and the E.U. Charter, is subject to ongoing litigation. In December 2016, just weeks after the passage of the IP Act, the Court of Justice of the European Union (“CJEU”) held that bulk data retention provisions in the U.K.’s Data Protection and Investigatory Powers Act – which were largely carried over into the IP Act – were incompatible with the E.U. Charter. The U.S. DOJ legislation does not concern bulk data retention (an obligation placed on companies), but the CJEU’s opinion also addressed minimum safeguards where the government seeks to access data retained by companies. That case has returned to the U.K. courts, which are adjudicating the viability of aspects of the IP Act in light of the CJEU’s decision. And Liberty, one of the U.K.’s largest and most respected civil liberties organizations, is separately challenging several of the powers authorized in the IP Act before the U.K. courts.
More specifically, our criticism of UK law is buttressed by many respected actors within the U.K. For example, U.K. lawyers and civil liberties groups have called to make intercept evidence admissible in court for over 20 years. Privacy International works closely with U.K. stakeholders and was also heavily engaged with analysis and scrutiny of the IP Act from its inception through passage, including by testifying upon invitation to the Joint Committee on the IP Bill. Thus, our concerns are far from grounded in a superficial, post-hoc reading of its text.
Finally, criticism of a law does not itself imply an imperialistic view or lack of humility. By writing our original post, we sought to bring attention to the U.K. as a valuable actor in the process of cross-border data access reform, whereas most of the attention thus far has focused on the U.S. legal system. This critical focus is a form of respect, not scorn. Rosenzweig’s statement that “it doesn’t matter what UK law allows – what matters is what US law allows under the Agreement” itself demonstrates this kind of one-sided focus we tried to avoid with our piece.
British Warrants: Lack of Clarity in the U.S. DOJ Legislation
In our original post, we argued that U.K. law authorizes the government to seek so-called “targeted” warrants, which are broader than those allowed under the U.S. DOJ legislation. Rosenzweig argues that we wrongly “equate what is possible under UK law with what would be possible under the proposed legislation.”
We accept Rosenzweig’s distinction between what is permitted in the U.S. DOJ legislation and what is permitted under U.K. law. We believe, however, that there is some lack of clarity in the commentary around the draft legislation that does not make this distinction adequately clear. Returning to U.K. deputy national security advisor Paddy McGuinness’s testimony before Congress, his language remains ambiguous in light of how the IP Act itself defines so-called “targeted” warrants. Asserting that the U.S.-U.K. agreement would “[l]imit access to targeted orders” and prohibit “bulk access to data” is hardly clarifying when the IP Act permits “targeted” warrants to cover classes of persons, organizations or premises and provides for an entirely separate category of “bulk” warrants. We recognize that the actual text of the U.S.-U.K. agreement – which is not available to the public – may clear up this confusion. But the public discussion to date has failed to establish with certainty the U.K. government’s position on what “targeted” warrants it believes it is permitted to seek pursuant to the U.S.-U.K. agreement.
Even if the U.S. DOJ legislation prohibits countries that authorize overbroad warrants from executing them under the bilateral agreement, it does not provide for recourse mechanisms for companies seeking to push back against requests or procedures for regularly scrutinizing requests for their compliance with the legislation. We have been told that companies who wish to challenge a request can resort back to the MLAT process, but the legislation itself does not address that avenue of recourse (nor the procedure for how companies would employ it). It is reasonable to ask whether companies, particularly smaller, less-resourced ones, will be prepared to fight what they perceive to be unlawful requests, especially without a clear sense of whether or how the U.S. government will get involved. The legislation does reserve, for the U.S. government, “the right to render the agreement inapplicable” for “any order for which it concludes the agreement may not be properly invoked.” However, under the proposed legislation, requests would go first to U.S. companies, not the U.S. government, calling into question the government’s direct role.
British Judicial Scrutiny: Not a Matter of Individuals, but of Systems
Rosenzweig points to the installment of Lord Justice Adrian Fulford as the first Investigatory Powers Commissioner, his endorsement by the Lord Chief Justice, and Fulford’s status as one of the U.K.’s most respected and senior judges, as evidence in favor of the adequacy of British judicial scrutiny in the surveillance context. But good judges don’t make good systems. Rosenzweig fails to address one of our primary criticisms, that judicial commissioners – who will be authorising surveillance warrants in the first instance – are appointed by the prime minister, rather than the independent Judicial Appointments Commission. Rosenzweig’s comment that “British judges are entirely non-political” seems contingent on the involvement of this Commission, which is not involved in appointing judicial commissioners.
Rosenzweig takes our criticism of the British “judicial review” standard as an argument that it is merely a “rubber stamp.” Those are his words, not ours. We have problems with the use of the judicial review standard for authorizing surveillance warrants, but we never claim that British judges do not engage in thoughtful review. Our argument is that judicial review – thoughtful or not – is unacceptably constrained.
Rosenzweig’s different understanding of what judicial review entails is indicative of a larger problem: confusion over what, exactly, this standard is. And our confusion is not limited to a debate on Lawfare; it is rife amongst the U.K. legal community itself. For example, the Bar Council, which represents barristers in England and Wales, in its consultation with the Home Office on the Codes of Practice for the IP Act, asked “[H]ow the test of judicial review is applied – will it be simply procedural or a full merits review . . . ?” Until clarity is achieved on what judicial review actually means, it is simply not possible to pronounce British judicial scrutiny compatible with the standard set forth in the U.S. DOJ legislation.
Intercept Evidence Admissibility in Court: A Privacy-Protective Measure
If disagreeing with something means being “180 degrees in error,” then we are happy to be 180 degrees in error from Rosenzweig’s view on the privacy-protective nature of barring intercept evidence in court. In the U.K., civil liberties organizations – who are likely to advocate most strongly for privacy protections – share our views, not his. In our post, we mentioned that the U.K.’s ban on the admissibility of intercept evidence in court makes it an outlier among common law countries. It actually makes it an outlier among nearly every other E.U. country as well. We would wager that civil liberties advocates in these countries have never made the argument that banning intercept evidence in court would promote the right to privacy.
Rosenzweig also argues that “[t]he IP Act establishes mechanisms for individuals to challenge the use of Investigatory Powers.” But disclosing intercept evidence is a crucial step towards an individual’s ability to avail herself of the mechanisms provided for challenging the government’s surveillance powers. Without disclosure, it is much harder for individuals to know, and therefore challenge, government surveillance. Rosenzweig adds that “any individual who thinks that surveillance powers have been used against them unlawfully can apply to the Investigatory Powers Tribunal to review their case.” But actually, in a decision last year, the Tribunal determined that only persons who can establish why they are “potentially at risk” of being subject to surveillance can bring a claim. Raising the standing bar makes it even harder for individuals to bring claims to the Tribunal, especially given the ban on the admissibility of intercept evidence in court.
We recognize the difficulties in the current cross-border data access system and the need for reform. Our writing elsewhere has called for changes, in the spirit of understanding that reform almost always requires a set of compromises. But these realities don’t mean we shouldn’t critique efforts that fall short of their full potential from a rights perspective. We believe reform efforts will be better served by a clear-eyed understanding of all relevant legal systems and the shortcomings of those systems.