UK 'snoopers charter' claimed to break EU law
By John Lettice
Posted: 15/10/2003 at 22:02 GMT
The data retention regimes in operation or preparation in at least ten European states are unlawful, and breach the European Convention on Human Rights, according to a legal opinion released today. According to the opinion, commissioned by Privacy International from law firm Covington & Burling, the European Commission's framework directive on the retention of communications data is in itself unlawful, which means that any state in the process of actually implementing it may have to think again.
In the UK, this could add another chapter to the tortuous and - so far - unfortunate history of the 'snooper's charter', which is currently before Parliament as a series of Statutory Instruments. Although a little watered down from its previous version, this still requires widespread retention of data as regards web sites visited, email addresses, phone calls and mobile phone location data, and still gives numerous public authorities access to that data.
According to the opinion, it's precisely this scattergun approach that breaches the Convention on Human Rights:
"Article 8 of the European Convention on Human Rights (ECHR) guarantees every individual the right to respect for his or her private life, subject only to narrow exceptions where government action is imperative. The Framework Decision and national laws similar to it would interfere with this right, by requiring the accumulation of large amounts of information bearing on individuals' private activities. This interference with the privacy rights of every user of European-based communications services cannot be justified under the limited exceptions envisaged by Article 8 because it is neither consistent with the rule of law nor necessary in a democratic society.
"The indiscriminate collection of traffic data offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct surveillance, so that they can regulate their behaviour to avoid unwanted intrusions. Moreover, the data retention requirement would be so extensive as to be out of all proportion to the law enforcement objectives served. Under the case law of the European Court of Human Rights, such a disproportionate interference in the private lives of individuals cannot be said to be necessary in a democratic society."
Privacy International is to pursue test cases in at least two EU countries where mandatory data retention is already in place, and has also lodged a complaint with the UK Information Commissioner, alleging that the government's regulations and voluntary code on retention breach at least three core principles of the Data Protection Act. Blanket retention of data, it argues, breaches the principle of proportionality, and flouts the specificity principle, while "the existence of a voluntary code for communications providers takes no account of the consent principle." PI has also lodged an Open Government request for disclosure of the government's legal advice relating to the regulations currently before Parliament.
PI director Simon Davies commented that the government was forcing "unwilling companies to be complicit in an unprecedented and disproportionate surveillance regime", and called on communications providers to "support their customers' rights by ignoring the government's proposals." Which would be fun - any takers?
Davies told The Register that the first test case is likely to be brought in Denmark. The second has yet to be determined, but as legislation is well advanced in several other cases, this may be an influential factor.
There will be a debate on the legal opinion at the LSE on 22nd October, details and registration here. ®
UK: Government trying to slip through "voluntary" data retention rejected by consultation process
- government leaves the communications industry open to legal challenge if they retain traffic data for the purpose of "national security" and then pass it over for other purposes, for example, for crime, public order or taxation
Tony Bunyan, Statewatch editor, comments:
"The government's consultation process showed that nearly everyone, except the law enforcement agencies, are against the plan for the voluntary retention of communications data. Industry and civil society are united in their concern that communications data retained for the purpose of "national security" under the ATCS Act 2001 cannot be legally passed over for other purposes such as crime in general and public order.
Limiting the purpose of data retention to national security was the express will of parliament. Yet the government has confirmed that hundreds of agencies which have nothing to do with national security are going to have access to this data.
This is a classic case of the misuse of power and lawless decision-making"
The government has produced two sets of measures: 1) setting out which state agencies are to get access to communications data and 2) on data retention. The measures relate to two main Acts - the Regulation of Investigatory Powers Act 2000 (RIPA) and the Anti-Terrorism, Crime and Security Act 2001 (ATCS). The data to be retained, and accessed by a host of agencies, is traffic data for phone-calls, faxes, e-mails, mobile phone calls and internet usage.
The initial proposal to use powers under the ATCS 2001 to introduce data retention caused a public outcry both from the industry and civil society. In March 2003 the Home Office issued a consultation paper and the responses are summarised in a Home Office document also released on 11 September 2003.
Despite the recorded opposition (see below) by the industry, civil society and the Information Commissioner the draft Statutory Instrument - Retention of Communications Data (Code of Practice) Order 2003 - was laid before parliament on 11 September 2003 (like the other four related draft Orders made public at the same time). This means that the draft code of practice entitled "Voluntary Retention of Communications Data" could come into effect after a minimum of 21 days unless sufficient MPs are able to raise the issue on the floor of the House - this is extremely rare as such a move would interrupt the business already planned by the government. The clock is already ticking but due to the parliamentary recess, for the party conference season, there is probably a little time left to raise this issue.
The responses to the consultation on data retention
Earlier this year there was a 12 week consultation process and 57 responses were received by the Home Office. The "Summary" of the responses - which is written by Home Office officials who naturally try to put the government's proposal in the best possible light - struggles to find any support at all for the proposal. On the central issue of whether communications data held for the purpose of "national security" could be used for other purposes no less than 25 of the 35 responses on this question said that:
"the approach was not appropriate or proportionate"
The "validity of data retention under the code.. provoked comments from 27 respondents"; of these, 22 "believed that the regime would be inappropriate".
Communications service providers (CSPs) were looking for a "clear lawful basis for data retention" and not one which left them having to decide whether it was necessary or proportionate to comply with the code. Asked whether the "industry" would comply with a voluntary code there was little comfort for the government - as it was "voluntary" some CSPs might take part and others not. This would lead to a "voluntary tax" on those participating. Moreover, the costs would be substantial as the retention of data for more than short periods (days or a few weeks) is not built into CSPs' infrastructure - "data processed for business purposes are not retained in a way that is usable by LEAs". Even if the government helps with some of the costs it would "consume engineering resources" which could be used for more profitable purposes - overall it would be "immensely expensive".
Overall 22 of the respondents were "against the concept of retention, whilst 14 favoured such a regime". The law enforcement agencies were in favour but the Information Commissioner would prefer "greater reliance to be placed on data preservation" ("data preservation" refers to retaining data on a specific person/target after a warrant has been issued by the Home Secretary to intercept communications). Nineteen out of 26 responses said that the period for retention was "not reasonable".
On the question of the "disparity between the retention and access regimes" 24 of the 25 respondents who addressed this "considered the matter as a problem that needed to be resolved". One respondent said:
"There is a legal view that while the retention may not in itself be unlawful, there was a significant risk that the collateral use of such retained data beyond investigations relating to national security would infringe an individual's right".
The Home Office's own conclusion from the consultation is that there was a consensus that a voluntary approach was unable to resolve matters such as human rights implications, competitive neutrality, costs and particularly the issue "national security requires" resolution. Not the least because the industry wants a "firm lawful basis" to work on. There was a "disparity" between collecting data for purposes of national security and then giving access to data for crime, public order or tax purposes - and, they might have added, to agencies which have nothing whatsoever to do with national security.
The Home Office's Explanatory Memorandum
The Explanatory Memorandum produced with the draft statutory Order simply ignores the results of the consultation and blandly states that the Order is "compatible with" the European Convention on Human Rights. Section 103.1.b. (RIPA 2000) says that the Home Secretary shall "consider any representations made to him about the draft" code during the consultation - in reality the government has simply ignored the consultation process whose results were not to its liking.
The Memorandum states that the code of practice is admissible in court and that its scope is as defined in Section 102.3 (ATCS 2001) namely to safeguard national security and to crimes which "relate directly or indirectly to national security".
The link between the retention of communications data and access to it
There is a direct link between the retention of data - which is only allowed for purposes related to "national security" (under ATCS 2001) - and access to the data held by service providers to state agencies (under Part I Chapter II of RIPA 2000) for the purposes of national security, preventing or detecting crime or preventing disorder, the economic well-being of the UK, public safety, public health, taxes and customs duties.
The limitation of Section 102 of the ATCS 2001 to national security is a direct result of changes forced on the government by parliament and civil society. The government's draft ATCS Bill sought to allow data retention for purposes of "national security" and for "the prevention or detection of crime or the prosecution of offenders." Parliament deliberately limited the scope of data retention to national security and crimes related to it. It is for this reason that service providers and civil society maintain that to give access to the retained data for other purposes is probably unlawful and would leave CSPs open to legal challenge.
Put simply the government is asking service providers to retain communications data for the purpose of "national security" under ATCS Act 2001 and at the same time is authorising access to this data by hundreds of agencies which have nothing whatsoever to do with national security.
Who will get access and for what purpose?
In August 2001 the government issued "Accessing Communications Data Draft Code of Practice". An updated Code of Practice to take into account the changes in the Statutory Order has not yet been produced or laid before parliament.
There was an outcry last year when it was admitted by the government that 1,039 public authorities would have the right to request access to communications and the list was withdrawn. The list, set out in the new Order, shows that only one of the 24 categories of bodies has been dropped (the Department of Work and Pensions which anyway has its own legal legislation). Rural councils have been dropped from the list of local authorities but three new bodies have been added - the Charity Commission, the Serious Fraud Office and the Gaming Board of Great Britain. The government has not released the total number of bodies; instead of being just over 1,000 it is now under 1,000.
What is interesting about the new list are the purposes for which agencies can get access to communications data. These purposes are set out in Section 22.2 of RIPA 2000 and are: (a) national security; (b) crime or preventing disorder; (c) the economic well-being of the UK; (d) public safety; (e) public health; (f) taxes and duties and (g) emergencies, preventing death or injury.
The only agencies on the list whose role directly concerns "national security" are Government Communications Headquarters (GCHQ), the Security Service (MI5) and the Secret Intelligence Service (MI6) who are allowed access under (a), (b) and (c) - which exactly fits their statutory roles. This means that these agencies, in addition to gathering intelligence through formal warrants for interception of telecommunications, can on their own authority request access to communications data.
However to extend "national security" to all police forces, including the British Transport Police, stretches the limits of their role and assumes a very broad-ranging definition of "national security". This same tendency applies to emergency services whom one would have thought would come under (d) and (e) all of whom apparently qualify under (b) crime and disorder. Moreover, the most voluminous list (Part III) including local and district councils plus NHS bodies and agencies all qualify under (b) rather than more obvious categories such as public safety and public health. Overall there has been a clear attempt to ensure that the categories of access are set out on the broadest - some would say extreme - boundaries.
Only those authorised on the grounds of (a) can legitimately request access to data limited to, or related to, national security.
The government proposals seek to allow access under the headings of "national security" and of crime to many agencies which do not naturally fall under these definitions.
"Sunset clause" invoked
Due to the delays and controversy on bringing in these Orders the "sunset clause" which dates from 14 December 2001 and lasts for two years has had to be renewed by the Home Secretary for another two years (Extension of Initial Period Order). This begs the obvious question: In December 2001 the ATCS Act was rushed through parliament on the grounds that the new powers were urgently needed to combat "terrorism" - does this mean that the security, intelligence and police agencies are still waiting for access to communication data to combat "terrorism" or does it mean they already had access?
Does delay of nearly two years not tell us that data retention is not to cope with terrorism but with crime and social control?
Legitimating existing practices
Perhaps the reason that the Home Secretary is prepared to ride rough-shod over all the objections by much of the industry and civil society and the law is that he is keen to put in place a measure which will legitimate, and make lawful, the long-standing practice of those "longer-established" communications providers who have been retaining data at the request of the law enforcement agencies well prior to 11 September 2001. This is confirmed in a submission by the National Criminal Intelligence Service to the Home Office on 21 August 2000:
"From a commercial perspective, the longer-established CSPs wish to ensure that an obligation to retain communications data for an appropriate period is placed equally on every CSP. Otherwise, some of the newer companies may be tempted to delete valuable data and exploit a competitive edge through reduced overheads. Examples of this are already appearing with certain CSPs proposing to delete data after very short periods. This will rapidly undermine the voluntary agreements achieved so far which now appear to have an increasing fragility." (Source: Recommendation 3.3.3. in the NCIS submission on Communications Data Retention Law to Home Office, 21 August 2000 - NCIS submission - full text)
While the law enforcement agencies may have been accessing communications data lawfully the same cannot be said of the communications providers who have been retaining data for periods longer than is necessary for billing purposes (ie: a few weeks) under "voluntary agreements" for years.
The same NCIS submission cited above says:
"Most Police Forces and HM Customs and Excise retain such data obtained electronically on their own individual databases, in particular subscriber identities and itemised billing"
An on-going practice of the law enforcement agencies (police, customs etc) plus MI5 to themselves retain communications data gathered on their own databases for periods well in excess of the proposed 12 months limit is not covered by any legislation. The submission from the NCIS cited above says that in the 12 months prior to August 2000 the Metropolitan Police Service alone had required access to 63,590 subscriber details and 4,256 billing accounts. This data is said to have been gathered lawfully for intelligence or investigation purposes and is only indicative of the amount of data gathered nationally - in this period there were around 2,500 interception warrants in force for all the law enforcement agencies in England and Wales. The NCIS submission said that: "LEAs need the statutory authority to maintain their own communications data intelligence database" to hold data for up to seven years. Again it can be seen that the law enforcement agencies have been exceeding their lawful powers and are waiting for this practice to be legitimised.
Where are the controls over databases held by the police, security and intelligence agencies?
Summary of conclusions
1. The government has simply ignored the consultation process whose results were not to its liking.
2. The government is asking service providers to retain communications data for the purpose of "national security" under ATCS Act 2001 and at the same time is authorising access to this data by hundreds of agencies which have nothing whatsoever to do with national security.
3. The government proposals seek to allow access under the headings of "national security" and of crime to many agencies which do not naturally fall under these definitions.
4. A number of big communications providers have been retaining data, and giving law enforcement agencies access to it, under quite unlawful "voluntary agreements" for years.
5. Where are the controls over databases held by the police, security and intelligence agencies?
1. Consultation paper on: Data retention (ATCS 2002) (pdf)
2. Consultation paper on: Access to communications data (RIPA 2000) (pdf, 1.2 MB)
3. Consultation paper on: Access to communications data (RIPA 2000) (Word, 291k)
4. Summary of responses to consultation paper on data retention: Responses reject data retention (pdf)
5. Summary of responses to consultation paper on access to communications: Responses on access to communications (pdf)
6. Retention of Communications Data (Code of Practice) Order 2003, dated 11 September 2003: Statutory Order (pdf)
7. Explanatory Memorandum - data retention: Memorandum (pdf)
8. Code of Practice on data retention issued in August 2001 which has to be revised: Draft Code of Practice (pdf)
9. Access to Communications Order 2003: Statutory Order (pdf)
10. Explanatory Memorandum - access to communications: Memorandum (pdf)
11. UK: Data retention and access consultation farce:
Government to allow access for crime purposes to records which can only be held for “national security”