Data Retention is still a permanent fixture, at least for the time being.

Matthew White, Ph.D candidate, Sheffield Hallam University.

Introduction

On January 30, 2018, the human rights organization Liberty announced on Twitter that the Court of Appeal found the UK government to be acting illegally. The government was gathering internet and phone records from the entire country and allowing public bodies to access them without any suspicion of serious crime or independent approval.

This referred to the Court of Appeal’s (CoA) decision in the case of Tom Watson and Others v Secretary of State for the Home Department concerning access to communication data under the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). This decision is widely considered a judgment that the so-called “Snoopers’ Charter” or mass surveillance is illegal. This piece analyzes the CoA’s decision regarding general data retention, access to communications data based on prior review by a court or an independent body, and notifications.

Background

This case dates back to 2014 when the Court of Justice of the European Union (CJEU) invalidated the Data Retention Directive (DRD) in its decision in Digital Rights Ireland. The court found it incompatible with the right to privacy and data protection under the Charter of Fundamental Rights (CFR). This led to the implementation of DRIPA 2014 and subsequent challenges in the High Court (HC) and CoA regarding its compatibility with Digital Rights Ireland. Ultimately, the case led to a preliminary reference to the CJEU for clarification (alongside a reference in Tele2 from a Swedish court). In the joined cases of Tele2 and Watson, the CJEU ruled that EU member states are prohibited under Articles 7, 8, 11, and 52(1) of the Charter of Fundamental Rights from enacting laws that allow for the broad and indiscriminate retention of all traffic and location data of all subscribers and registered users for all electronic communication methods. The CJEU also ruled that access to this retained data should only be granted for the purpose of fighting serious crime and only with prior review by a court or an independent body.

Court of Appeal’s judgment

In the leading judgment, Lord Lloyd-Jones summarized the background of the case and quickly distinguished the UK’s reference from the Swedish reference. He underscored that the CJEU’s answers in paragraph 134(2) and (3) specifically addressed the UK’s reference due to differences in legislation between the two countries. His Lordship also noted several developments since Tele2 and Watson: DRIPA 2014 had been replaced by the Investigatory Powers Act 2016 (IPA 2016), which was also facing legal challenges. Privacy International was seeking clarification on the extent to which the CJEU ruling applied to national security, and the UK government aimed to amend IPA 2016 to comply with the CJEU’s ruling regarding serious crime and prior review for access.

The main issue before the CoA was again DRIPA 2014’s compatibility with the CJEU’s rulings on data retention. All parties, including the CoA, agreed that the CJEU’s decisions restricted access to retained communication data for fighting serious crime and mandated prior review by a court or independent body. The CoA chose not to issue any declaratory relief concerning the CJEU’s rulings in the context of national security, as this was already under consideration by the Investigatory Powers Tribunal (IPT). However, the CoA granted declaratory relief regarding DRIPA 2014, stating it was incompatible with European Union (EU) law concerning serious crime and access to communications data.

Regarding data retained within the EU, the CoA chose not to make a definitive statement, hoping that the CJEU would provide clarity on the matter in the IPT’s reference. Watson and others urged the CoA to declare that DRIPA 2014 failed to provide for retroactive notifications. The CoA declined for three reasons: this was not an issue in previous national proceedings, it was not part of the CJEU’s core reasoning in Tele2 and Watson, and the CJEU would consider this issue based on the IPT’s reference.

Lord Lloyd-Jones initially considered granting declaratory relief on the basis that DRIPA 2014 lacked limitations to comply with the CJEU’s ruling concerning the relationship between retained data and threats to public security, but ultimately chose not to. He provided three reasons for this decision: First, there was no argument that DRIPA 2014 was illegal because it lacked a requirement for an identifiable public whose data would likely reveal connections to serious crime. The CJEU’s ruling on general data retention was in response to the specific characteristics of Swedish legislation. In Davis and Others v Secretary of State for the Home Department and Others, the High Court believed that the CJEU (in Digital Rights Ireland) did not intend to rule general data retention as unlawful but rather that adequate safeguards for access needed to be in place. Second, the CJEU’s reasoning on general data retention reflected the all-encompassing nature (all services, data, and users) of Swedish data retention law, so the analysis and conclusions did not automatically apply to DRIPA 2014. Third, this issue was still pending for a February hearing.

As a result, the CoA unanimously held that DRIPA 2014 was incompatible with EU law for not restricting data retention to fighting serious crime and for lacking a prior review process by an independent administrative body for data access.

Was the Swedish Court’s question on blanket indiscriminate data retention not applicable in the UK context?

This piece has highlighted how, throughout the judgment, the CoA consistently argued that the prohibition of general data retention did not automatically apply to DRIPA 2014. They believed that the CJEU’s answer specifically addressed a reference from a Swedish court concerning Swedish legislation. This reasoning presumed that DRIPA 2014 could not allow for general data retention, a presumption that requires further examination. It is important to note that the CJEU explicitly stated that its ruling applied to national legislation, meaning it applied to all EU member states implementing data retention laws, not just Sweden, as the CoA suggested.

When the CJEU decided that blanket indiscriminate retention of all services, all users, and all data (“catch-all”) was not permissible under EU law, it would have rendered a power found within Clause 1 of the draft Communications Data Bill (dCDB) unlawful. This was because Clause 1 contained the same catch-all power as the Swedish law under question.

It is crucial to consider Section 1(2)(a) and (b) of DRIPA 2014 and Section 87(a) and (b) of IPA 2016 together. Both sets of powers allowed (and continue to allow) for retention notices to be issued to a (public) telecommunications operator, or any type of operator, to retain all data or any specific type of data. One could argue that Tele2 and Watson may not pose a problem for such powers because of the discretion regarding which operators are obligated to retain data and what data they must retain. Further, due to the CJEU’s emphasis on geographic data retention in Tele2 and Watson, which itself is problematic for human rights, one could argue that the obligation to retain data would not be based on the operator but rather on location, potentially requiring various operators within a given area to retain data. These are arguments one could assume the Home Secretary might invoke if necessary.

However, it is also important to note that it remains theoretically possible for all operators in the UK to be required to retain all data of users and subscribers. This is because retention notices apply to any type of operator to retain all or any type of data. This could be considered a general obligation because it could impact all telecommunications operators. Instead of a direct catch-all power like Clause 1 of the dCDB or Swedish law, the powers in DRIPA 2014 and IPA 2016 would be a power capable of catching all. When considering DRIPA 2014, the HC in Davis and Others arrived at the same conclusion. They noted that, due to the lack of limitations on retention notices, the validity of DRIPA should be tested under the assumption that retention notices issued under it could be as broad as legally permissible. This could mean a directive to each communications service provider (CSP) to retain all communications data for 12 months, essentially creating a general retention regime.

One could challenge this reasoning by arguing that the specific contents of a retention notice are irrelevant, as the power itself is being tested. This is precisely the European Court of Human Rights’ (ECtHR) stance on secret surveillance. In Roman Zakharov v Russia, the ECtHR’s Grand Chamber (GC) clarified its position on when an individual could claim to be a victim of a violation under Article 8 (right to privacy) of the European Convention on Human Rights (ECHR). The GC maintained that an applicant could claim to be a victim simply because secret surveillance measures exist. For instance, if legislation directly impacts all users of communication services by establishing a system where anyone’s communications can be intercepted, an individual can claim to be a victim. The GC continued that, even when surveillance cannot be verified, the mere threat of it can infringe upon the Article 8 rights of all current and potential users. In summary, the GC clarified its consistent stance that the legal power itself, not its actual use, is subject to challenge (unless argued by the applicants).

For the reasons highlighted above, one can argue that the CoA is playing with semantics regarding the powers found in Swedish legislation compared to DRIPA 2014. In practice, they allow for the same outcome: all operators, data, and users can be subject to data retention. Therefore, the CoA’s reliance on the argument that the CJEU’s position on general data retention only applied to Swedish law is weak.

Furthermore, the CoA relied on the HC’s interpretation of Digital Rights Ireland in Davis and Others which suggested that the CJEU ruled that general data retention would only be lawful if sufficient safeguards were in place. This is contradictory, considering that the CoA disagreed with this position in Secretary of State for the Home Department v Davis MP and Others. It’s also important to note that the CoA seems to be relying on the HC’s stance before the Tele2 and Watson ruling. In essence, in 2015, the HC did not believe that the CJEU considered general data retention unlawful in itself. However, in 2016, the CJEU explicitly stated that general data retention is unlawful. Therefore, the CoA’s reliance on an outdated HC position is questionable at best.

The CoA’s final justification for its stance is equally unconvincing. They declined to rule on the basis that Part 4 of IPA 2016 was already under legal challenge and therefore the court did not want to consider evidence from both sides prematurely. This is despite the fact that the government’s justification for data retention is publicly available, and the counter-arguments are easy to find. The CoA’s position allowed them to avoid the actual issue: whether general data retention is compatible with human rights. General data retention has never been compatible with human rights, at least since the 2008 ECtHR Grand Chamber ruling in S and Marper which found that general data retention, even for a specific group like suspects and convicts, violated Article 8. Tele2 and Watson, despite its flaws, is simply the next logical step in the discussion regarding communications data.

Prior Review by a Court or Independent Administrative Body

The finding that DRIPA 2014 was inconsistent with EU law because it did not require prior review by a court or independent administrative body for access to communications data is a positive development. What follows is therefore not a criticism of the CoA’s finding itself, but rather a criticism of the idea that this safeguard alone solves the inherent problems with data retention. Part 4 of IPA 2016 allows for retention notices to be approved by Judicial Commissioners (JC) under Section 89. This mechanism has already been criticized. The criticisms are that JCs will only act based on the Secretary of State’s conclusions; that there is no requirement for the Secretary of State to fully disclose their evidence for requesting data retention (leaving room for the JC to be misled); that the JCs can only make an assessment based on judicial review principles, not on a human rights review; and that they are not truly independent from the Investigatory Powers Commission (IPC).

Another problem is that the JC can authorize data retention that could apply to everyone. As the Grand Chamber noted in Roman Zakharov, the implementation of secret surveillance is not subject to public or individual scrutiny. Therefore, it would be contrary to the rule of law to allow the executive branch or judges to have unlimited power in this area.

The power to retain data in DRIPA 2014 and IPA 2016 is practically unlimited, even if applied to a single operator or authorized by a judge. In essence, authorizing a judge to approve data retention or access is only sufficient if there are limitations on what can be collected or accessed. If the power is unlimited, it doesn’t matter if the authorization process involves a judge. Therefore, despite the CoA’s finding, DRIPA 2014 could still be considered a violation of fundamental rights.

Lack of notification was already incompatible with the European Convention on Human Rights

By refusing to grant declaratory relief concerning notification, one could argue that the CoA failed to fulfill its obligations under Section 6 of the Human Rights Act 1998 (HRA 1998) to act consistently with the ECHR. The ECtHR in Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria found that Bulgarian law violated Articles 8 and 13 (right to an effective remedy) by not having a notification system. The ECtHR stated that individuals should be informed as soon as notification is possible without jeopardizing the purpose of the surveillance. Boehm and de Hert argue that this recognition of an active notification duty after surveillance ends is a significant development in safeguarding against abuse in surveillance cases.

The ECtHR reaffirmed this position in Roman Zakharov but mentioned that the UK has an alternative to notification: the IPT’s jurisdiction. However, Boehm and de Hert question whether UK law can handle the challenges posed by new surveillance technologies. They argue that in light of powers like data retention and “fishing expeditions” which target many people without specific suspicion, a notification requirement seems to be an effective way to prevent abuse. Boehm and de Hert also highlight that the Belgian Constitutional Court now recognizes notification as a requirement under Article 8.

Therefore, regardless of whether the CJEU mandates notification, justification for it can be found in established case law from the ECtHR. Boehm and de Hert’s approach would align with the ECHR’s position as a living instrument, meaning it should be interpreted based on current conditions. Mass surveillance, without notification, would deprive individuals of the opportunity to seek legal redress for violations of their right to privacy. This would make any remedies available under UK law more theoretical than practical.

While IPA 2016 includes a notification process under Section 231, it is inadequate because it explicitly states that an ECHR violation alone is not sufficient to warrant notification. This could apply to any ECHR right, not just privacy, data protection, or freedom of expression, but also the right to life, freedom from torture, etc. This makes Section 231, at best, a violation of Articles 8 and 13. Although this point was not argued before the CoA, the court missed an opportunity to use existing case law to find DRIPA 2014 in breach of human rights, with or without considering EU law and the principles outlined in Tele2 and Watson.

Conclusions

The CoA, through legal maneuvering, avoided the central issue in the data retention debate: the compatibility of general data retention with fundamental rights. The CoA achieved this by not acknowledging that DRIPA 2014 and IPA 2016 permit general data retention. Instead, the court focused on the semantics of differentiating between a direct catch-all power and a power capable of catching all, which, in effect, amount to the same thing.

The CoA found DRIPA 2014 unlawful only because it didn’t require prior review by a court/independent administrative body for accessing communications data and did not restrict this access to serious crime. However, this ignores the fundamental issue: the data being retained in the first place. Ensuring greater independence in authorizing surveillance is important, but it’s also crucial to consider what these authorizations allow, whether it’s retention or access to communication data. Focusing solely on the authorization process ignores the underlying problem of general data retention.

While the issue of data retention under IPA 2016 is currently under judicial review in the HC, the CoA had the opportunity to properly apply Tele2 and Watson to DRIPA 2014. Instead of tackling this issue head-on, the CoA acted as if it didn’t exist.

Barnard & Peers: chapter II:7

Art credit: Lightning Broadband

Licensed under CC BY-NC-SA 4.0