Last month, the Investigatory Powers Act 2016, commonly known as the ‘Snoopers Charter’, passed some hurdles but stumbled at others after the High Court gave the first judgment on the statute since it came into force.¹ Thus, the UK’s surveillance laws remain, at least for now, somewhat incompatible with the requirements of EU law. Such a judgment will no doubt be pertinent to the Brexit negotiations and an adequacy decision under the GDPR.

The Court did not examine the whole of the statute; it only dealt with the Part 4 of the Act, of which contains provisions relating to the retention of communications data. In particular, section 87 permits the issuing of ‘retention notices’ to telecommunications operators to maintain “relevant communications data.” This relevant data is essentially a reference to any kind of information that reveals ‘the who, what and where’ of communications. This includes the sender and the recipient of the communication, the time, duration and the method and system used to transmit the communication. What is not retained, however, is the actual contents of the communications, of which is prohibited under the statute.

The limits on this power are twofold. First, the Secretary of State, most likely the Foreign Secretary although it could be Home Secretary as well, can only issue such a notice if it is necessary and proportionate to do so for the purpose of national security or fighting serious crime. Second, such a notice has to be approved by a judicial commissioner, of whom are individuals required to judicially examine powers exercised under the Act.

The Court in this case was asked to judge on the compatibility of these provisions with EU law. Liberty, a human rights organisation and the claimants in this case, made three arguments in relation to the provisions contained in Part 4 of the Act that contravened EU law. The first was that the statute allowed for the indiscriminate and general retention of data. The second was that the statute did not limit the purpose for retaining such data to that of ‘serious’ crime. Finally, the claimants suggested that the access to this retained data by the security and intelligence agencies (SIAs) is not subject to the review, be it by a court or any other independent administrative body.

All or Something

The Court made a careful assessment of the statutory scheme in order to determine the validity of the first claim. It did so whilst keeping in mind the EU’s e-Privacy directive, which precludes national legislation permitting the retention of “all traffic and location data of all subscribers and registered users relating to all means of electronic communication.” In addition, the ECJ’s Watson² judgment established that Member States could only legislate for the targeted, as opposes to general, retention of data so long as three conditions are met: that the retention is sufficiently connected with the objective being pursued, that it is strictly necessary and that it is proportionate.

But upon examination of the statutory scheme provided by the 2016 Act, the Court found that its provisions did not offend any of the aforementioned requirements. It provided a number of reasons for this. Its first reason was as follows:

“…the Act does not contain a blanket requirement requiring the general retention of communications data. The Act does not itself impose any requirement on telecommunications operators to retain data. Instead, the Secretary of State is given a power to require retention of data by serving a notice on an operator.”³

Its second reasoning was that a notice could only be served if it is necessary and proportionate for one of the purposes listed under section 67 (national security, serious crime inter alia), which follows the ruling set out in Watson.

The third reason was centred around the Court’s interpretation of section 87 and what is actually allows for. It was asserted that to interpret section 87 as allowing the retention of all data was incorrect. Rather, the Act imposes the statutory requirement to satisfy the tests of necessity and proportionality and thus by implication it could not be the case that the retention of all data would satisfy those tests. Section 87 allows for a notice to retain a “description of data” rather than all data, and a notice may be issued in relation to a particular operator or a description of operators. Thus, section 87, read as a whole, conveys a statutory scheme that defines the exact content and scope of a retention notice “so as to satisfy the necessity and proportionality tests.”⁴

This thus demonstrates the improvements that have been made to surveillance powers over recent years, in that the statute itself imposes the adequate limitations (that of necessity and proportionality) on the powers that can be exercised by the SIAs. On top of this, data cannot be retained for more than 12 months.

The Court also noted that the Secretary of State, when issuing a retention notice, is not only required to consider whether it is necessary or proportionate to do so, but must also give consideration to the likely benefits of serving the notice, the number of users that would be affected, the technical feasibility and the costs involved. The Secretary of State must also consult any operator of whom the notice will be served to, as mandated by section 88.

Apart from the limitations imposed by the statute itself, the Court also emphasised the role of judicial commissioner.⁵ In accordance with section 89, a retention notice is subject to the approval of a judicial commissioner, who must review the notice, including the Secretary of State’s contentions that he or she considers it necessary and proportionate for the purposes sought. In doing so, the commissioner will apply the same judicial review principles as would be applied by a court. Section 2 of the Act lays out the considerations which the commissioner should make when coming to a decision, such as whether the objective sought can be achieved through less intrusive means for example. The requirements of the Human Rights Act 1998 and of public law in general may also be acknowledged.

Lastly on this first claim, the Court cited sections 90 and 91, which allows telecommunications operators can send a notice back for review. In such a case the Secretary of State will need to consult and take into account the report of a Technical Advisory Board and a judicial commissioner.

For all these reasons, the Court concluded that the statutory scheme provided by the Act does not in any way permit the general and indiscriminate retention of communications data. In reality, the legislation requires a range of factors to be considered and imposes numerous controls ensuring that such a notice satisfies, inter alia, the tests of necessity (in relation to one of the statutory purposes) and proportionality and public law principles.

Why So Serious?

A discussion of the purposes for accessing retained data was also conducted by the Court. It examined whether the objective of national security, as well as others contained in the legislation, should be subject to a ‘seriousness test’. More specifically, it deliberated on whether the objective of fighting crime should be limited to fighting ‘serious’ crime.

The Court was clear that such a threshold was not necessary for the objective of national security. It held that such an objective had “sufficient intrinsic importance to be capable of justifying an interference with Articles 7, 8 and 11 [of the EU Charter], without the need to superimpose any ‘seriousness’ threshold.”⁶ It also emphasised that the inherent seriousness of any national security objective would be subject to the proportionality and necessity tests, thus rendering any kind of separate seriousness threshold nugatory for the particular statutory scheme produced by the 2016 Act.

On the other hand however, the objective of fighting crime was held to be different. The Court in this case followed the assertions made by the ECJ in previous cases, in that accessing retained data for the purposes of fighting crime should be limited to that of serious crime. This is because criminal offences “cover an enormous spectrum, ranging from (for example) relatively minor regulatory infringements to homicide and terrorist acts.”⁷ Accordingly, “[m]any criminal offences are insufficiently serious to be capable of justifying an interference with rights under Articles 7, 8 and 11 of the Charter of Fundamental Rights.”⁸

Notably though, Part 4 of the Act, as it currently stands, does not impose such a requirement when it comes to fighting serious crime, and thus the Court concluded that this constituted an undue interference with fundamental rights under EU law.

But Brexit

The Court agreed with the third claim made by the claimants, which was that the lack of judicial or administrative review of the access to retained data was also a breach of EU law. The Government has indicated though that it plans to make the appropriate amendments to address this shortcoming and others in due course.

The implications of this ruling, and possibly others, could be significant for Brexit. The Court cited a reference made by the Investigatory Powers Tribunal in the Privacy International case to the ECJ asking it to clarify whether the requirements in Watson with respect to data retention applied in the context of national security.⁹ If the answer is yes and the Act fails to meet those requirements, then further amendments would need to be made in response to such a ruling.

A large part of the impetus to make such amendments as swiftly as possible will be to make it more likely that the flow of data between the UK and the EU will continue post-Brexit, for the sake of many businesses on both sides. Ideally, such a flow would be maintained via a treaty, which would give the kind of additional benefits that a mere adequacy decision made unilaterally by the EU under Article 45 of the GDPR would not. This includes a possible role for the ICO to influence future EU policy decisions on data protection.

But any flaws in the 2016 Act may make such an agreement hard to come by, and if neither a treaty nor an adequacy decision is achieved, businesses will have to resort to formulating binding corporate rules (BCRs), as stipulated under Article 47 of the GDPR in order to allow data to flow between different entities. For small businesses in particular, this could be especially cumbersome, since any contracts touching on data transfers would have to be amended. Thus, the Government will be keen to get on with the amendments, else the chances of a smooth Brexit, in relation to data flows, may be slim.

Sources:

[1] Liberty v Secretary of State for the Home Department [2018] EWHC 975 (Admin)

[2] Cases C‑203/15 and C‑698/15 Tele2 Sverige AB v Post-och telestyrelsen ECLI:EU:C:2016:970

[3] Liberty (n 1), [at para 127].

[4] Ibid, [at para. 129].

[5] These provisions establishing the role of the judicial commissioner are not yet in force but the Government has said that these provisions will be brought into force when amendments are made in response to the Watson judgment, of which will be considered by Parliament before the summer recess in July 2018 [at para. 9].

[6] Liberty (n 1), [at para 161].

[7] Ibid, [at para 160].

[8] Ibid, [at para 160].

[9] Or bulk personal datasets to be more specific. Privacy International v Secretary of State for Foreign & Commonwealth Affairs & Ors [2016] UKIP Trib 15_110-CH