‘Man up’, come back to the US and explain yourself. So the US Secretary of State John Kerry told Edward Snowden in a television appearance yesterday. Snowden’s lawyers say the American legal system makes a fair hearing impossible – but many have also questioned whether the very data collection laws which the whistleblower has exposed are in themselves unlawful. Pic from Flickr under creative comms, nolifebeforecoffee
The disclosures of the former NSA employee and CIA contractor continue to spark a debate over the extent to which authorities should be allowed to conduct such broad surveillance, with many surprised at the extent of to which governments, including the UK in the form of GCHQ, have been operating.
As well the political repercussions of the Snowden revelations, they also raise profound legal questions, both as to the nature of the laws which permit these activities, the chilling effect that such activities might have on freedom of expression and, more fundamentally, the impact that mass surveillance has on the correct operation of democracy.
A striking example of this is the transfer of intercept data to another state that then uses it for the purpose of carrying out a drone strike say, outside of a conventional conflict scenario (see R (on the application of Khan) v Secretary of State for Foreign and Commonwealth Affairs).
Mass collection of data
The statutory framework that governs surveillance by the security services in the UK is largely set out in the Regulation of Investigatory Powers Act 2000 (RIPA). RIPA distinguishes, in terms of what is allowed and the level of controls imposed, between various communications, ‘external’ and ‘internal’ – but also in how the interception of such data is treated.
So in respect of the interception of internal communications, a warrant has to be obtained which precisely targets a particular person or premises (s.8 (1)-(3) of RIPA). In contrast the interception of external communications is less strictly controlled, requiring only a specifying of the communications (such as say a series of keywords) to which the warrant relates (s.8 (4) (A). The latter is therefore very much more amenable to the authorising of very broad warrants and the obtaining of bulk or mass data.
In most cases, the boundary between internal and external communications is reasonably clear – a UK citizen sending an e-mail to an overseas location is an ‘external communication’ and would be subject to potential collection on a less restrictive basis. However there are a number of scenarios where such distinctions become more blurred.
For instance, the documents released by Edward Snowden suggest the interception by GCHQ of a significant number of communications passing along trans-Atlantic cables and routed via US servers. Where such communications are between individuals based in the British Isles then they would be internal (neither originating nor terminating outside of the British Isles for the purposes of s.20) and could not therefore be collected en masse.
However in circumstances where a mobile phone call takes place between individuals in the UK but the signal travels via a satellite which is clearly outside the British Isles the situation might be less clear. In such a situation both the Code of Practice to RIPA (issued pursuant to s.71), and the thread of CJEU cases concerning data protection (Case C-101/01 Lindqvist) suggest that in such a scenario the communication is internal (given the communication is sent and received inside the British Isles albeit via an international route) and would be subject to more stricter controls in terms of collection. However this might be deemed a legal ‘grey area’.
RIPA also impose fewer restrictions as regards the interception of communications data (which would cover most people’s online life, such as Twitter, but not e-mails) as opposed to content. In the former, no warrant is needed, simply authorisation by a designated person (set out in ss22-25 and including HMRC, National Crime Agency etc) who has considered the request ‘proportionate’.
Is the statutory framework lawful?
Two interconnected but separate human rights issues arise as regards the lawfulness or otherwise of RIPA (and other countries regulatory frameworks in this area).
The first, is the right of every person to respect for his or her private and family life under article 8 of the ECHR (rights which are also subject to international human rights protection under Article 12 of the UN’s Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights (ICCPR)).
In particular any interference with article 8 has to be in ‘accordance with the law’. The fact that a particular act might be allowed under a statutory framework is not of itself enough. The framework has to also be of sufficient ‘quality’ – which the Courts have interpreted as meaning that any law has to have an inbuilt degree of legal protection against arbitrary interference by public authorities (Malone v the UK). In other words it has to have some effective (and independent) regulation mechanism.
In the case of RIPA and the specific context of the interception of internal correspondence rather than external communications, the ECHR has held that it does provide a satisfactory protection concerning the storage, retention and destruction of contents data (Kennedy v UK). However the lawfulness of the very broad discretion accorded to the Secretary of State in respect of both the interception of external contents data and also communications (both internal and external) by RIPA has yet to be determined, but is currently the subject of legal challenges both domestically and in the ECHR.
The second issue, is the duty of states to protect personal data. RIPA for instance restricts the number of persons within the UK who may view intercepted contents data and requires the authorities to destroy data where there are no longer grounds for retaining it (s.15). However where the data is transferred overseas all that is required is that the Secretary of State thinks it necessary to disclose it, albeit he/she must have procedures in place to ensure that the materials are not disclosed in court (s.17). In respect of the transfer of communications data, there is no express reference to it at all and so the position is even murkier, though the way the provisions are set out would suggest that any transfer would have to at the very least be authorised via a warrant.
Again the states’ duty to protect data arises from the person’s right to respect for his or her privacy. In order to interfere with people’s privacy, states’ must fulfil strict rules to justify that interference. This gives rise to the obligation of data protection. The duty to protect personal data arises when such data is being used by state or private actors. It is designed to ensure that the use is consistent with the individual’s right to respect for his or her privacy. This is the reason why there are many different types of regime of data protection (depending on the country one examines).
Although how states go about protecting data might therefore be for them to determine: key is that personal data must be protected because the individual has a right to respect for his or her privacy. The content of the human right to respect for privacy of the person is therefore not variable.
The political ramifications
As the Snowden revelations began to surface a number of states, primarily led by the German and Brazilian authorities, began to address the issue of how to deal with US mass surveillance in particular and the interception of communications generally.
There was a great deal of discussion about bilateral negotiations and unilateral action (for instance, building new cables which avoid US territory). However, the fact that the UK authorities were carrying out mass surveillance for their US counterparts and others (the so-called Five Eyes) and were not only members of the Council of Europe but also of the European Union, was an example of the problem of such an approach.
Instead the German and Brazilian authorities (along with several NGOs) led a coalition of seemingly disparate countries in seeking a resolution of the General Assembly – using international human rights obligations – specifically the prohibition of arbitrary interference with people’s privacy. On 18 December 2013 the resolution was adopted without a vote in the UN General Assembly.
The resolution is based on the right to respect for privacy in the Universal Declaration and the ICCPR and ties the right to privacy to the right to freedom of expression – namely that if people are subject to mass surveillance they are no longer able to express themselves freely.
The resolution calls upon states to respect the right to privacy and prevent violations; to review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, in light of their obligations under international human rights law. This includes establishing or maintaining independent, effective domestic oversight mechanisms capable of ensuring the transparency and accountability of a state’s actions.
Importantly, the resolution also directs that the UN High Commissioner for Human Rights should report to the Human Rights Council in September 2014 on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale.
However in the meantime our data continues to be hoovered up in industrial quantities – and the economics of mass surveillance is such that it is now significantly cheaper to store and retain data than it is to delete it.