Getty Images

Government must rewrite illegal sections of Snoopers’ Charter, court told

A court has been asked to give ministers until July 2018 to rewrite powers to require phone and internet companies to retain data on the population. The government acknowledges parts of surveillance regime are unlawful

Government powers that require telecommunications companies to store the public’s phone and internet records should be suspended after being found inconsistent with European law, the high court heard on 27 February 2018.

The human rights group Liberty said ministers have been unlawfully ordering the retention of sensitive communications data on the population for 14 months, since the introduction of the Investigatory Powers Act.

Martin Chamberlain, barrister at Brick Court Chambers, told a hearing in the Royal Courts of Justice that the courts should give the government until 31 July 2018 to amend the Investigatory Powers Act – also known as the Snoopers’ Charter – to bring it into line with European Union (EU) and human rights law.

“The court is saying you have until July to put your house in order. If you have not put your house in order, then it is open to the parties, including Liberty, to seek further relief from the court,” he told Lord Justice Rabinder Singh and Justice David Holgate.

A ruling by the court of appeal in January 2018 found that near-identical powers in the government’s previous surveillance law – the Data Retention and Investigatory Powers Act (Dripa) – were unlawful because they gave public bodies access to the UK’s internet activity with no suspicion of serious crime and no independent oversight.

The government has conceded that there are similar problems with Part 4 of the Investigatory Powers Act (IPA), which – like Dripa – gives powers to the Secretary of State to require internet and phone companies to retain customer data for reasons that stretch beyond serious crime and national security.

The court heard that the government had delayed appointing judicial commissioners, required under IPA, to approve data retention notices.

The government has proposed a series of amendments to the IPA on 30 November 2017, and put them out to public consultation for 8 weeks in a move it said would address “shortcomings” of the Investigatory Powers Act, though it has yet to make any legislative changes.

“Normally when a government department consults, it does not consult on law, particularly not EU law,” said Chamberlain. “But that is what they have consulted on. They have gone out to the public and said, ‘What do you think is at issue under EU law?’.”

The government’s proposals limit the ability of senior police officers, and officials at the Department for Work and Pensions (DWP) and HM Revenue and Customs, to authorise their own access to communications data, requiring permission from a new authorising body, the Office of Communications Data Authorisation.

The government also plans to restrict police and other public bodies’ access to communications data for investigations into crimes that carry a prison sentence of at least six months, rather than the usual three-year threshold for serious crime.

General and indiscriminate retention

Jaffey told the court that in reality only a small number of retention notices were required to collect data on the population on a huge – and unlawful – scale.

“In the UK there are two fixed line operators, BT and Virgin, and four mobile operators. Once you have covered those with a retention notice, you have general and indiscriminate retention,” he said.

Liberty told the court that surveillance should be targeted, rather than be indiscriminate. The government argued it collects data for the purposes of fighting crime and for protecting national security, but the court heard that the data collected should have a clear link to the reason it is being collected.

The Investigatory Powers Act also failed EU law because it did not require telephone and internet companies to retain data on their customers in Europe to European data protection standards, the court heard.

Chilling effects of data retention

Liberty argued in written submissions that the government’s continued retention and access to communications data amounts to a significant intrusion into the rights to private life, protection of personal data, and freedom of expression under the EU Charter for fundamental rights, and the e-Privacy Directive.

Communications data can be used to build up a “deep and comprehensive” picture of a person’s private life, including what they read online, where they shop, whether they access pornography, what dating sites they use, or whether they visit sites for people with HIV, other medical conditions, or seek information on abortion.

Mobile telephone data records the user’s location, which can be used to generate a detailed picture of where the person was, his or her destination, and other intimate details such as whether they had visited a doctor, lawyer or had attended a religious service.

In 2017, there were more than 700,000 applications for communications data, granted to local authorities and government agencies under the Regulation of Investigatory Powers Act (Ripa), the court heard.

Surveillance subjects should be notified

Ben Jaffey, representing Liberty, told the court that following a landmark judgement by the European Court of Justice in 2016, in a case brought by member of Parliament Tom Watson, people had a right to be told that their data had been accessed.

For example, a government body could receive a tip-off that parents were giving fraudulent information to get their children into a particular school.

A government agency might open an investigation, find no wrong doing, and close the investigation. But the parents would not be told and would have no right of redress in the Investigatory Powers Tribunal.

Jaffey said it was not the case that if people were notified their data had been accessed, it would make communications data less useful.

“Information from communications data is used in every single criminal prosecution without any effect on its usefulness. Someone who is the subject of a criminal prosecution already knows because it is disclosed. The only people not notified are innocent,” he said.

Legal and professional privilege under threat

The court heard that the Investigatory Powers Act did not provide adequate protection for legally privileged communications data.

Communications data could reveal that a person has spoken with their lawyer, the fact that they had taken legal advice, and their physical location. They could also reveal the identities of potential witnesses approached by a lawyer.

A single item of communications data could reveal a record of a call by a senior civil servant to a journalist shortly before a major leak is published. Retention and access to communications data discourages whistleblowers and those who provide information to journalists or watchdog organisations, the non-governmental organisation argued.

European Court of Justice should decide points of law

Liberty has asked the court to refer a number of questions of EU law surrounding the case to the European Court of Justice for clarification, including whether retaining communications data under the Investigatory Powers Act is a general and indiscriminate privacy violation.

Lord Justice Rabinder Signh questioned whether this was a matter the court should be involved with, given that Parliament had yet to make a decision on the amendments to part 4 of the Investigatory Powers Act.

“Here we are dealing with a process in which there is bound to be to-ing and fro-ing when Parliament is presented with a draft resolution. It may be voted down. They may accept lobbying from Liberty,” he said.

Earlier in the hearing, the government was forced to apologise unreservedly for breaching court deadlines, and was ordered to pay Liberty’s costs.

Data retention notices

Parts 3 and 4 of the Investigatory Powers Act permit the Secretary of State to issue a “retention notice” requiring telephone or internet companies to retain “relevant communications data” for up to 12 months.

Notices can be issued:

  • In the interests of national security;
  • For the purpose of preventing or detecting crime or preventing disorder;
  • In the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security;
  • In the interests of public safety;
  • For protecting public health;
  • To assess or collect any tax, duty, levy ... or charge payable to a government department;
  • To assist investigations into alleged miscarriages of justice;
  • Where a person has died or is unable to identify themselves because of a physical or mental condition;
  • For exercising functions relation to (i) the regulation of financial services and markets or (ii) financial stability.

Read more on Managing IT and business issues

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

France and Germany rely on the UK for intelligence in the pan-EU "war against terror". This one of the areas when the Commission says it want co-operation to continue after Brexit. But central to the most valued part of the UK contribution involves using data collected in breach of EU law. I should have included this in my recent blog (https://www.computerweekly.com/blog/When-IT-Meets-Politics/Is-Brexit-an-existential-threat-to-the-new-including-digital-Establishment) on how Brexit became an existential threat to the British establishment.

It is, paradoxically, one of the areas where leaving the EU (and the jurisdiction of the European Court), may lead to better and more mutually beneficial relations and a healing of divisions - albeit not those between the paranoid and the subservient in areas (like civil liberties) where common sense (that rarest of commodities) is missing.     
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close