Communications Privacy and the State
4. “For five years we bugged and burgled our
way across London at the State's behest…”
Page 4
© Bird & Bird LLP 2014
5. “It hasn't got one. The Security Service
cannot have the normal status of a Whitehall
department because its work very often
involves transgressing propriety or the law.”
MI5's legal status?
1955
8. A Code of Practice for State hacking
9. S.5 Intelligence Services Act: Minister’s warrant
“… any or all of the following:
a) obtain information from the equipment in pursuit of intelligence
requirements;
b) obtain information concerning the ownership, nature and use of
the equipment in pursuit of intelligence requirements;
c) locate and examine, remove, modify or substitute
equipment hardware or software which is capable of yielding
information of the type described in a) and b);
d) enable and facilitate surveillance activity by means of the
equipment.”
A Code of Practice for State hacking
10. Flashpoints
● Bulk communications data retention v targeted preservation
• Digital Rights Ireland, new Data Retention Directive?
• Retention by ISPs, webmail, social media platforms?
- UK: DRIPA, C-TSB
• Retention v generation
● Communications data acquisition
• Volume, purposes, bodies, authorisation, datatypes, richness, blurring
• Professional and journalistic privilege
● Bulk interception (TEMPORA - content and related comms data)
• Telephone, e-mail, IM, web communications
● Product sharing among agencies (PRISM)
• NSA, GCHQ and others
● Cross-border powers v MLAT
• Providers abroad and/or conduct abroad (Microsoft US litigation)
● Exploits
14. We are all human rights lawyers now
15. Article 8 ECHR – privacy protection
No interference by a public authority except such as is:
● in accordance with the law and
● necessary in a democratic society
● in the interests of
• national security,
• public safety
• or the economic well-being of the country,
• for the prevention of disorder or crime,
• for the protection of health or morals,
• or for the protection of the rights and freedoms of others
● Proportionality
16. Legitimate aim, necessity and
proportionality are important…
but quality of law comes first
Human Rights Interferences
17. ECHR “In accordance with the law”
Existence and quality of law
● Existence: some basis in domestic law (statute or common law)
● Quality of law – compatible with rule of law
• Accessibility and foreseeability of consequences
- Publication, detail and precision
• Protection against arbitrary interference, having regard
to the legitimate aim of the measure
• For surveillance, a law which confers a discretion must
indicate with sufficient clarity the scope of that
discretion and the manner of its exercise
- Contrary to rule of law for executive discretion to be
expressed in terms of an unfettered power
• Laws, regulations, manuals and instructions (if sufficiently
publicised) Liberty v UK
• Independent supervision
18. Secrecy and quality of law
are natural enemies
Accessibility
19. “In many countries … vague and
broadly conceived legal provisions are
being invoked to legitimize and sanction
the use of seriously intrusive techniques.
Without explicit laws authorizing such
technologies and techniques, and defining
the scope of their use, individuals are not
able to foresee – or even know about
– their application.”
UN Special Rapporteur, 17 April 2013
Human Rights Interferences
20. “… the law must be sufficiently
accessible, clear and precise so that
an individual may look to the law and
ascertain who is authorized to conduct
data surveillance and under what
circumstances.”
UN High Commissioner’s Report June 2014
Human Rights Interferences
22. Human Rights Act 1998
A real issue
● Pre-1985: No statutory framework
● 1984 Malone v UK: Phone taps warranted by SoS. Not "in accordance with the law"
● IOCA 1985: Public telecommunications
● 1997 Halford v UK: Unwarranted tap of office phone. Not "in accordance with the law"
● RIPA 2000
• Public and private networks
• Warranted and other interception
• Uncertified and certified warrants
• Outside and within UK
• Civil and criminal remedies
• Codes of Practice
● 2007 Copland v UK: Office e-mail, internet and phone use. Not "in accordance with the law"
● 2008 Liberty v UK: External warrants - filtering. Not "in accordance with the law"
● 2010 Kennedy v UK: Telephony internal warrants scheme. "in accordance with the law"
● 2014 Liberty v GCHQ (IPT)
• TEMPORA: "in accordance with the law"
• PRISM receipt (pre-judgment): Not "in accordance with the law"
23. What is the interference?
24. Retention by ISPs?
“the obligation imposed by Articles 3 and 6 of Directive
2006/24 on providers of publicly available electronic
communications services or of public communications networks
to retain, for a certain period, data relating to a person’s
private life and to his communications, such as those referred to
in Article 5 of the directive, constitutes in itself an
interference with the rights guaranteed by Article 7 of the
Charter.” (CJEU, Digital Rights Ireland)
25. Capture by state agencies?
“[UK gov’t] … accept that the interception under a s.8(4)
warrant may be regarded as giving rise to a technical
interference [with ECHR Art 8 rights] even if that
communication is not and/or cannot be read, looked at or
listened to by any person.” (UK gov’t submissions in IPT)
26. Access by state agencies?
“the access of the competent national authorities to the data
constitutes a further interference with that fundamental
right” (CJEU, Digital Rights Ireland)
27. Threat of surveillance?
“… the mere existence of legislation which allows a system
for the secret monitoring of communications entails a threat of
surveillance for all those to whom the legislation may be
applied. This threat necessarily … amounts in itself to an
interference with the exercise of the applicants’ rights under
Article 8, irrespective of any measures actually taken against
them” (ECtHR: Weber [78]).
29. PRISM – receipt in accordance with law?
Privacy International (UK Investigatory Powers
Tribunal); Big Brother Watch (Strasbourg)
● Allegations: No legal regime with
• Sufficiently clear and detailed rules
• Sufficient safeguards
● Secret and unpublished rules (if any)
● Insufficient indication of scope of discretion
● Oversight regime
● IPT held:
• Mid-hearing disclosures provided sufficient rules for future
• Pre-judgment no adequate signposting of internal policies
- Pre-judgment regime for solicitation, receipt of
PRISM/UPSTREAM data re individuals located in UK
breached Art 8/10
30. TEMPORA – in accordance with law?
Privacy International (UK Investigatory Powers Tribunal); Big Brother
Watch (Strasbourg), Bureau of Investigative Journalism (Strasbourg)
RIPA external warrants provisions
● Allegations: Insufficiently specific or clear authorisation
● Insufficient public safeguards
● Lack of judicial or independent authority authorisation
● Oversight regime
● Automated versus sentient?
● Richer metadata?
● Secret legal interpretations?
● Professional/journalistic privilege
● IPT held 'in accordance with the law', including related comms
data
● DE: Harting - G10
32. Data Protection Seminar 26 June 2014
Data Retention Directive
– Digital Rights Ireland
Proportionality
● Strict necessity [52], [56]
● Clear and precise rules governing scope and application [54]
● Minimum safeguards against risk of abuse, unlawful access and
use [54]
33. Proportionality issues
Generality
● Applies to all means of electronic communication (use
widespread and of growing importance in people’s everyday
lives) [56]
● All subscribers and registered users [56]
● Interference with fundamental rights of practically the entire
European population [56]
● All persons, all means of electronic communication without any
differentiation, limitation or exception [57]
34. Proportionality issues
Suspicionless
● Applies even to persons for whom no evidence capable of
suggesting a link, even indirect or remote, with serious crime
[58]
● No relationship required between data retained and a threat to
public security: not restricted to:
• data pertaining to:
- particular time period
- particular geographical zone
- circle of particular persons likely to be involved in serious
crime [59]
• persons whose data for other reasons could contribute to
prevention, detection or prosecution of serious offences [59]
35. Proportionality issues
Specific rights
● Applies to persons whose communications are subject to
professional secrecy [58]
36. Proportionality issues
Access and use
● No objective criterion to determine limits of access to data and
subsequent use for prevention, detection or prosecution of
sufficiently serious offences [60]
● Leaves serious crime definition to national law [60]
● No substantive and procedural conditions relating to access and
subsequent use
• Left to member States to define procedures and conditions
in accordance with necessity and proportionality [61]
• In particular no objective criteria re restriction of number of
persons authorised to access and subsequently use to that
strictly necessary [62]
37. Proportionality issues
Independent supervision
● Above all, access not dependent on prior review by court or
independent administrative body following a reasoned request
• No obligation on MS to establish such limits [62]
● Stricter standard than ECtHR?
38. Proportionality issues
Retention period
● No distinction between categories of data on basis of:
• possible usefulness
• persons concerned [63]
● No objective criteria limited to strict necessity on which to base
determination of retention period [64]
39. Mandatory communications data retention
Member State responses to Digital Rights Ireland
● Many never implemented or invalidated by national constitutional
courts e.g. Germany
Post CJEU
● Pfleger - EU Charter applies because exception from PECR Art 15
• Slovakia: Constitutional Court temporary invalidity declaration on
retention aspects
• Romania: Constitutional Court declared unconstitutional
• Sweden: 4 operators ceased retention; regulator initially decided
not to pursue; changed following government committee;
challenge by CSP
• UK: substantially re-enacted by Data Retention and Investigatory
Powers Act
- Pending legal challenge by two Members of Parliament
- PECR Art 15/EU Charter – disapplication of national legislation
• Journalistic privilege (acquisition)
- UK law to be changed to judicial authorisation
41. Graham Smith
graham.smith@twobirds.com
@cyberleagle
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses.
Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the
Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and
of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.
twobirds.com
Thank you