Monday, 5 February 2018

Data Retention is still here to stay, for now…

Matthew White, Ph.D candidate, Sheffield Hallam University.


On 30 January 2018, human rights NGO Liberty tweeted that the:

This was in reference to the Court of Appeal’s (CoA) judgment in Tom Watson and Others v Secretary of State for the Home Department [2018] EWCA Civ 70 with regards to access to communications data under the Data Retention and Investigatory Power Act 2014 (DRIPA 2014). Many regard this as a ruling the Snoopers Charter or mass surveillance as unlawful. This post critically analyses the CoA’s judgment with regards to general data retention, access to communications data on the basis of prior review by a court or an independent administrative body and notifications.


The background to this case dates from 2014 in which the Court of Justice of the European Union (CJEU) in Joined Cases C293/12 and C594/12, Digital Rights Ireland (analysis here) invalidated Directive 2006/24/EC (the Data Retention Directive (DRD)) for its incompatibility with Articles 7 (privacy) and 8 (data protection) of the Charter of Fundamental Rights (CFR). This led to the introduction of DRIPA 2014, and subsequent challenges in the High Court (HC) and CoA on its compatibility with Digital Rights Ireland, which ultimately led to a preliminary reference (joined by a reference in Tele2 from a Swedish Court) to the CJEU for clarification (analysis here). In Joined Cases C-203/15 and C-698/15, Tele2 and Watson the CJEU ruled that Articles 7, 8, 11 (freedom of expression) and 52(1) (limitations of rights) preclude Member States from adopting laws which permit the general and indiscriminate retention ‘of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’ [134(1)]. The CJEU also ruled that the access to retained communications data should be subject to prior review by a court or an independent administrative body and only on the basis of fighting serious crime [134(2)].

Court of Appeal’s judgment

In the leading judgment, Lord Lloyd-Jones summarises the background to this case [1-3] (also see above), and quickly distinguishes between the Swedish reference and its own in highlighting that the CJEU’s answers in paragraph 134(2) and (3) reflect their reference. His Lordship does so by highlighting the difference between UK and Swedish legislation [4]. His Lordship also highlighted several developments since Tele2 and Watson, namely that DRIPA 2014 had been repealed and replaced by the Investigatory Powers Act 2016 (IPA 2016), which is also subject to challenge, with Privacy International seeking to clarify the extent in which the CJEU’s ruling applies in the national security context (analysis here) and the UK Government seeking to amend the IPA 2016 to conform with the CJEU’s ruling with regards to serious crime and prior review for access by a court/independent administrative body [6].

The question before the CoA was again DRIPA 2014’s compatibility with the CJEU’s rulings on data retention [7]. Both parties and the CoA agreed that the CJEU’s jurisprudence establishes access to retained communications data is restricted to the objective of fighting serious crime and that access should be subject to prior review by a court/independent administrative body [9]. The CoA declined to grant any declaratory relief with regards the CJEU’s rulings in the national security context as this was already subject to a preliminary reference by the Investigatory Powers Tribunal (IPT) [10-12]. The CoA, did however, grant declaratory relief with regards to DRIPA 2014 for being inconsistent with European Union (EU) law with regards to serious crime and access to communications data [13].

With regards to data being retained within the EU, the CoA declined to make a definitive statement on the hope that the CJEU will clarify the matter with regards to the IPT’s reference [14-19]. Watson et al urged the CoA to declare that DRIPA 2014 had failed to make provisions for ex post facto notifications [20]. The CoA, however, declined for three reasons: a) it was not previously an issue in the national proceedings; b) it was not in the CJEU’s ratio in Tele2 and Watson; and c) the CJEU will in any event consider this based on the IPT’s reference.

On the issue of the relationship between data to be retained, and the threat to public security, Lord Lloyd-Jones initially intended to grant declaratory relief on the grounds that DRIPA 2014 did not contain any limitations to comply with the CJEU’s ruling, but declined to do so [22-24]. Lord Lloyd-Jones recalled three reasons as to why this was justified:

First, it was not argued that DRIPA 2014 was unlawful because it did not require there to be an identifiable public whose data was likely to reveal direct or indirect links to serious crimes. The CJEU’s ruling on general data retention was in response to the Swedish legislation. The High Court in Davis and Others v Secretary of State for the Home Department and Others [2015] EWHC 2092 felt that the CJEU (in Digital Rights Ireland) could not have meant general data retention was unlawful, only that adequate safeguards had to be in place for access.

Second, the CJEU’s reasoning on general data retention reflects Swedish law’s catch all (all services, data and users) data retention, and the analysis and conclusions cannot be automatically applied to DRIPA 2014. Third, this is a live issue which is pending for a February hearing.

Thus, the CoA unanimously held that DRIPA 2014 was inconsistent with EU law for not limiting data retention for the purposes of fighting serious crime and access to said data was not subject to prior review by an independent administrative body [27].  

Was the Swedish Court’s question on blanket indiscriminate data retention not applicable in the UK context?

This post has highlighted how throughout this judgment, the CoA consistently held that the prohibition of general data retention does not automatically apply to DRIPA 2014, because the answer from the CJEU was in response to a reference from a Swedish court asking about Swedish legislation. This premise acts on the assumption that DRIPA 2014 could not permit general data retention. This requires closer scrutiny. It must first be noted, that when the CJEU made its ruling, it highlighted its ruling applied to national legislation, thus, contrary to what the CoA seem to suggest, this does not directly apply only to Sweden, but to all EU Member States implementing data retention legislation.

When the CJEU ruled that blanket indiscriminate data retention of all services, all users and all data (catch all) was not permissible under EU law, I highlighted that this would have made a power found within cl.1 of the draft Communications Data Bill (dCDB) unlawful (Matthew White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of Information Rights, Policy, and Practice 2:1, 24). This was due to the fact that cl.1 contained the same power that the Swedish reference was seeking to clarify, a catch all power.

Section 1(2)(a) and (b) of DRIPA 2014 and s.87(a) and (b) of the IPA 2016 must be considered together. Both sets of powers allowed or allows retention notices to be issued on a (public) telecommunications operator or any description of operators to retain all data or any description of data. I had previously argued that Tele2 and Watson may prove unproblematic for such powers because there was discretion on which telecommunications operators could be obligated to retain and what data they could retain (26). I further pointed out, due to the CJEU’s insistence on geographical data retention in Tele2 and Watson [111] (which in and of itself is problematic for human rights protection (36, 37)) it could be argued, the ability to require retention would not be based on operator, but by location and therefore, could require a variety of operators to retain in a given area (26). These are the sorts of arguments I would assume could be invoked by the Home Secretary if need be.

However, I also noted that ‘it is still theoretically possible for all operators in the UK to be required to retain all data of users and subscribers’ (26) because retention notices apply to any description of operators to retain all or any description of data. This could be considered a general obligation because it could affect all telecommunications operators and then be classed as a general obligation. Lord Kerr in his dissenting opinion in Beghal v Director of Public Prosecutions [2015] UKSC 49 noted that it ‘is the potential reach of the power rather than its actual use by which its legality must be judged [102].’ Instead of a catch all power like cl.1 of the dCDB or Swedish law, the powers in DRIPA 2014 and the IPA 2016 would be a power that can catch all. When considering DRIPA 2014, the HC in Davis and Others came to the same conclusion where they noted that:

Mr Eadie accepted that the consequence of this policy stance is that we should test the validity of DRIPA on the assumption that the retention notices issued under it may be as broad in scope as the statute permits, namely a direction to each CSP to retain all communications data for a period of 12 months. The case was argued on both sides on that basis. We shall refer in this judgment to a system under which the State may require CSPs to retain all communications data for a period as a "general retention regime" [65].

One could challenge this reasoning on account of it matters not whether the contents of a retention notice are known because it’s the power in question that is tested. This is precisely the position of the European Court of Human Rights (ECtHR) with regards to secret surveillance. In Roman Zakharov v Russia (ECHR, 4 December 2015) the ECtHR’s Grand Chamber (GC) clarified its position on when an individual can claim to be a victim of a violation under Article 8 (private and family life, home and correspondence) of the European Convention of Human Rights (ECHR). The GC maintained that an applicant can claim to be a victim by the mere existence of secret surveillance measures for example, where ‘legislation directly affects all users of communication services by instituting a system where any person can have his or her communications intercepted’ [171]. The GC continued that, when such surveillance cannot be verified, the menace of surveillance itself can interfere with the Article 8 rights of all users and potential users [ibid]. In summary, the GC clarified its jurisprudence where it has been consistently ruled that it is what the law permits that can be subject to challenge, not the actual use of the law (unless argued by the applicants).

For the reasons highlighted above, it is argued that the CoA are playing semantics with the powers found within Swedish legislation, and the powers found within DRIPA 2014, as they permit the same thing, namely all operators, data and users can be affected by data retention. Therefore, the CoA’s reliance on the CJEU’s position on general data retention only applied to and reflected Swedish law is untenable.

The CoA also relied upon the HC’s interpretation of Digital Rights Ireland in Davis and Others that the CJEU ruled that general data retention would only be lawful if appropriate safeguards were in place. This is ironic considering the CoA disagreed with this position in Secretary of State for the Home Department v Davis MP and Others [2015] EWCA Civ 1185 [90]. What is also striking, is that, unless the CoA have invented a TARDIS to prevent the CJEU’s judgment in Tele2 and Watson from occurring, they seem to rely on the HC’s position prior to Tele2 and Watson. Simply put, in 2015, the HC did not believe the CJEU meant general data retention was unlawful in and of itself, in 2016, the CJEU said, ‘Yes, we did, so we shall say it again.’ Thus, for the CoA to rely on what is best described as an outdated HC position is at best, ignorant and at worst, disingenuous.

The final reason on part of the CoA is also unconvincing. They declined on the basis that Part 4 of the IPA 2016 is under challenge and thus would not be privy to evidence of both sides. This is despite the operational case for data retention being in the public domain, and the counter arguments relatively easy to find. The position the CoA took allowed it to sidestep the real issue, whether general data retention is compatible with human rights. General data retention has never been compatible with human rights since at least 2008 when the ECtHR GC in S and Marper App nos. 30562/04 and 30566/04 (ECHR, 4 December 2008) ruled that general data retention, even on a specific group of individuals (suspects and convicts) violated Article 8. Tele2 and Watson (despite its many flaws 24, 34-41) is just the next logical step with regards to communications data.

Prior Review by a Court or Independent Administrative Body

The finding that DRIPA 2014 was inconsistent with EU law for not prescribing prior review by a court or an independent administrative body for access to communications data is to be welcomed. This is not a criticism of the CoA’s finding per se, but a criticism of the idea that this safeguard remedies the problems caused by data retention. Part 4 of the IPA 2016 allows retention notices to be approved by Judicial Commissioners (JC) under s.89. This mechanism has already been criticised because JC will only act based on the Secretary of State’s conclusions, there is no obligation for the Secretary of State to make a full and frank disclosure of their evidence for retention (thus can be misled), they can only make an assessment on judicial review principles (thus not a merit based or human rights review), nor are they institutionally independent from the Investigatory Powers Commission (IPC) (28-32).

Another problem is that the JC can authorise data retention that can catch all. As the GC in Roman Zakharov noted:

[T]he implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the legal discretion granted to the executive or to a judge to be expressed in terms of an unfettered power [230].  

The power to retain in DRIPA 2014 and IPA 2016 are virtually unfettered, even if it applies to a single telecommunications operator, and even if this power was authorised by a judge (37-39). Essentially, giving a judge the power to authorise retention or access would only be sufficient based on what they can authorise to be retained or accessed. If this power is unfettered, it matters not if the judge increases the independence of the authorisation process. Thus, despite the CoA’s finding, DRIPA 2014 would still be in violation of fundamental rights.

Lack of notification was already incompatible with the European Convention on Human Rights

In declining to grant declaratory relief with regards to notification, it can be argued that the CoA have failed under their obligations under s.6 of the Human Rights Act 1998 (HRA 1998) to act in a way that is compatible with the ECHR. With regards to notifications, the ECtHR in Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria App no. 62540/00 (ECHR, 28 June 2007) found that Bulgarian law violated Article 8 and 13 (effective remedy) for not having a notification system. The ECtHR noted that ‘as soon as notification can be made without jeopardising the purpose of the surveillance after its termination, information should be provided to the persons concerned’ [90]. Boeham and de Hert note that the ‘clear recognition of an (active) notification duty after surveillance measures have ended in the Ekimdzhiev v. Bulgaria case constitutes a remarkable development in the framework of the safeguards against abuse which are necessary in surveillance cases’ (Franziska Boehm and Paul de Hert, ‘Notification, an important safeguard against the improper use of surveillance - finally recognized in case law and EU law’ (2012) 3:3 European Journal of Law and Technology).

The position of the ECtHR was reaffirmed in Roman Zakharov [287], but reference was made to UK law in that there is an alternative to notification i.e. IPT jurisdiction [234, 288], however, I have previously referred to doubts raised by Boehm and de Hert which is worth quoting in full. Boehm and de Hert questioned whether UK law was ‘capable of responding to the challenges arising out of the use of new surveillance techniques’ (Franziska Boehm and Paul de Hert, The rights of notification after surveillance is over: ready for recognition? (Yearbook of the Digital Enlightenment Forum, IOS Press 2012), pp. 19-39, 37).

Boehm and de Hert continue that in light of powers such as data retention and ‘fishing expeditions’ that target a greater number of people without suspicion, a notification duty appears to be an effective tool to prevent abuse (ibid, 37-8). Finally, Boehm and de Hert note that the Belgian Constitutional Court has now adopted the notification principle as a requirement to comply with Article 8 (ibid, 38).

Thus, whether or not CJEU requires notification, this justification can be found within the jurisprudence of the ECHR. Boehm and de Hert’s approach would be consistent with this jurisprudence of the ECHR in terms of it being a living instrument ‘which must be interpreted in the light of present-day conditions and of the ideas prevailing in democratic [73]’ in that mass surveillance would deprive the:

The IPA 2016 does contain a notification process under s.231, but this is wholly inadequate as it quite plainly admits, that a violation of the ECHR is not sufficient in and of itself to justify a notification. This could be any ECHR right, not just a breach of privacy, data protection or freedom of expression, but the right to life (Article 2), freedom from torture (Article 3) etc. This would render s.231 at the very least, in violation of Article 8 and 13 (39-40). Granted, this was not argued before the CoA, it remains that this was an opportunity where the CoA could have used existing case law to find that DRIPA 2014 had in fact breached human rights, with or without any consideration for EU law and the principles set out in Tele2 and Watson.


In an amazing display of legal gymnastics, the CoA avoided the most central issue in the data retention debate, the compatibility of general data retention with fundamental rights. The CoA did so by not acknowledging that DRIPA 2014 did and the IPA 2016 now allows general data retention. Instead, the CoA relied upon the semantics of distinguishing a catch all power, and a power that can catch all, which of course, in any event, amount to the same thing. In finding that DRIPA 2014 was only unlawful insofar as it lacked prior review by a court/independent administrative body to access communications data and that this was not restricted to serious crime overlooks the central issue of this data being retained the first place. It is one thing the ensure greater independence with regards to the authorisation of surveillance measures, but is another thing to overlook what those authorisations allow, whether it be the retention or access of communications data. To do so would simply polish a turd, rather than flush it, as general data retention has always been a turd that has needed flushing since at least 2008. Although the question of data retention within the IPA 2016 is subject to judicial review before the HC, the CoA had the opportunity to faithfully apply Tele2 and Watson to DRIPA 2014, but instead of addressing the issue, it acted as though the issue did not exist.

Barnard & Peers: chapter II:7

Art credit: Lightning Broadband 

No comments:

Post a Comment