In December, the CJEU stated that the British and Swedish investigatory powers laws were in contravention to the EU’s Charter of Fundamental Rights. This was in the case of the UK partly based on the litigation started by Tom Watson MP, initially with David Davies MP. This was reported in the Register, here, and the Guardian here. The Open Rights Group have asked for people to engage in the Home Office consultation; they propose to put a judicial warrant requirement on investigation requests for suspect internet data. This blog discusses my contribution. If you want to follow me, you’ll have to be quick the consultation closes tomorrow.
The judgement is that indiscriminate i.e. universal, comprehensive monitoring of internet & voice traffic is illegal. Investigations, including at the point of collection must have the purpose of fighting “serious crime”.
The Law established a two phase mechanism, a limited number of organisations can apply via the Home Secretary (or the Prime Minister, if spying on MPs) for a warrant via Judges. These warrants can be exceptionally broad, they’re certainly not based on individual probable cause, but they are signed of by a Judge as warranted and permitted under the Law. The second stage is that senior officers in a number of law enforcement agencies can request data of interest to them. These are not reviewed by anyone and certainly not by Judges; the Parliamentary draftsman (sic) had probably seen too many episodes of “The Wire”.
Even the Home Office feel this needs a better response than to tell the Court to go away (4,3), and have issued a consultation on their proposed statutory instrument with which they propose to change the law. The Open Rights Group are encouraging people to write replies, and the rest of this blog is the justification and the words I used in my reply.
Critically they propose that police or other the organisation requests to the retained data should require an independent agreement, but they do not address the breadth of the initial retention warrants or the failure to tell people that they are being investigated (Miranda rights). There is also no constraint on sending this data abroad to share with foreign governments, a position that will need to be made clear should we become an EU 3rd country. I also have a problem with “serious crime”. The UK definition would seem to include a large number of not so serious crimes and given that all local authorities can apply for information from the retained data sets.
The Guardian suggests that since we’re leaving the EU, we don’t need to abide by the CJEU rulings but as, should we leave, we will require a Data Protection Adequacy finding, it is clear from the EU’s treatment of the US Safe Harbour agreement that the EU considers inadequate legislative safeguards from state surveillance a threat to the right to privacy and so we will. As I and others argue if the IPA is too intrusive, we may lose our Adequacy finding; the US did in 2014.
The Register points at this copy of the judgement.
The words I used in the consultation reply are as follows,
The CJEU ruled that data retention could only be performed under independent authorisation and for the purpose of investigating serious crime. Both constraints should be written into law. Blanket, indiscriminate retention should be prohibited.
There needs to be an equivalent of the Miranda rights; anyone being investigated must be told.
Personal Data must be protected from export. There is currently no constraint on sending this data abroad to share with foreign governments. Many countries have the death penalty, these countries should be embargoed. This issue will be complicated should we actually leave the EU because it considers inadequate privacy protections from the state to be reasons to deny an “Adequacy” ruling for cross border data transfers. (It should be noted that as a 3rd country we will not be able to use the GDPR Article 23 restrictions).
I also have a problem with “serious crime”. The UK definition would seem to include a large number of not so serious crimes and given that all local authorities can issue requests for information, I think that a specific serious crime category should be created for the IPA. A serious crime should either be restricted to specific classes of crime such as terrorism and child abuse, or defined as a crime that warrants a prison sentence of over two years.
Image Credit: CC Dave Levy BY-SA