Regulating Surveillance in the UK

July 27, 2017 Daragh Murray

Originally published by the HUJI Cyber Security Research Center’s Cyber Law Program

The surveillance practices of intelligence agencies, and in particular large scale or bulk monitoring, have received increased human rights-based scrutiny in recent years. While intelligence agencies engage in surveillance in order to protect national security and the right to life, among other purposes, concerns have been raised regarding the impact of surveillance on rights such as the right to privacy and the right to freedom of expression, and the consequent impact of surveillance practices on the effective functioning of democracy itself.

A key objective underpinning human rights law is protection against arbitrary rights interference, and so it is essential that the activities of intelligence agencies have a clear legal basis. Importantly, this legal basis can also promote rights protection by establishing rules relating to the collection of data, access to that data, oversight, and so forth. The Investigatory Powers Act (IPA, 2016) establishes the legal basis for surveillance activities in the UK, and is particularly interesting from a human rights perspective. The IPA establishes wide-ranging surveillance powers while incorporating measures intended to protect rights and introducing an innovative ‘double lock’ oversight regime. This post will provide a brief overview of the powers established by the IPA, and will then highlight a few initial human rights considerations.

The Powers

Due to space limitations, our discussion here will be confined solely to those powers relating to communications interception and communications data (often referred to as “metadata”). The IPA allows for both targeted and bulk interception of communications. This allows intelligence agencies to access the content of communications, as well as any associated data. Authorization for these activities is subject to the “double lock” (discussed further below), and is evaluated in relation to necessity and proportionality considerations. Bulk interception powers are restricted to overseas-related communications. It should be noted, however, that targeted interception powers include thematic warrants that relate to groups of persons, groups of organizations, etc. These thematic powers occupy a space somewhere between traditionally understood targeted operations focused on a specific individual or premises, and bulk powers.

The IPA also allows for the collection of communications data. This includes data that is used to identify or assist in identifying:

  • Sender or recipient (whether or not a person)
  • Time or duration of communication
  • Type, method or pattern, or fact, of communication
  • The telecommunications system (or part) through which a communication is transmitted
  • Location of any such system

Significantly, however, communications data is also defined as including machine-to-machine communications – thereby bringing the ‘Internet of Things’ into play – and Internet Connection Records, thus incorporating browsing histories, and so on.

Communications data may be obtained in a number of ways. Bulk communications data powers are restricted to the intelligence agencies, and subject to the ‘double lock’. Although not defined as bulk, other communications data related powers are quite broad. For example, to facilitate communications data requests, Internet Service Providers (ISPs) may be required to retain data for a period of up to 12 months. This power is subject to the double lock, and necessity and proportionality considerations are included. However, the grounds on which retention orders may be issued are significantly broader than those required for other IPA powers (discussed further below), and this power is now on shaky ground following the decision of the European Court of Justice in Watson and Others. Access to communications data may also be authorized on a targeted basis. The range of agents that may request such powers is considerably broad, and the necessity basis is also very wide. Significantly, this power is not subject to a ‘double lock’; instead, requests may be approved by a senior ‘authorized officer’, and should include consultation with a ‘single point of contact’. The IPA also allows for the creation of an as yet unclear ‘filtering system’ that appears to allow for the effective amalgamation of multiple datasets through a unified search.

Human rights considerations

Necessity and proportionality requirements – key human rights law considerations – are built into the operation of the IPA. However, two issues may be briefly highlighted. First, human rights law typically restricts large scale surveillance measures to those that are “strictly necessary, as a general consideration, for the safeguarding of democratic institutions and, moreover, if it is strictly necessary, as a particular consideration, for the obtaining of vital intelligence in an individual operation.” This is a strict test, but one that arguably corresponds to most of the necessity grounds established under the IPA: i.e. national security, serious crime, and the economic well-being of the UK (as linked to national security). However, the non-bulk communications data necessity grounds are significantly broader, and include, for example, preventing or detecting crime (not restricted to “serious” crime), exercising functions related to the regulation of financial markets, and “assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 61, IPA). From a human rights law standpoint these grounds raise eyebrows, and may be subject to legal challenge. Second, in relation to proportionality, human rights law requires that the utility of the measure be proportionate to the human rights harm of the interference. This is markedly different from the proportionality test established by the IPA, which provides that the test is whether the conduct is proportionate to what is to be achieved by that conduct. This does not establish proportionality in relation to the human rights harm, but rather considers proportionality in relation to the objective. This operationally focused proportionality test appears to focus on least intrusive means. Again, this may be subject to scrutiny before human rights courts.

Finally, a quick note on oversight. A unique feature of the IPA is the “double lock,” whereby certain surveillance activities must first be authorized by the Secretary of State, and then reviewed by a Judicial Commissioner. The IPA establishes that a Judicial Commissioner must “apply the same principles as would be applied by a court on an application for judicial review” (see, e.g. s.89). However, the specific requirements imposed in this regard are currently subject to debate. The ‘double lock’ is an innovative measure, and one that has the potential to be exceptionally important. However, its effectiveness will depend on the standard of review applied by the Commissioners in practice, and in particular whether this review engages with the substantive issues underlying the request for authorization, or is restricted to reviewing the Secretary of State’s decision-making process.

Disclaimer: The views expressed herein are the author(s) alone.