Carol Harlow: Surveillance and the Superstate

For a society as devoted to secrets and privacy as the British are traditionally supposed to be, however, the law possesses surprisingly few protections for the communications of its citizens. True, phone hacking has become a criminal offence under the Regulation of Investigatory Powers Act 2000 and the creation and retention of citizens’ data is now regulated by the Data Protection Act 1998 but there is no right of privacy per se at common law and resort is consequently to a haphazard and fragmentary set of common law rights of action, which protect person, property and dignity in limited situations [See Lord Bingham, ‘Tort and Human Rights’ in P Cane and J Stapleton (eds), The Law of Obligations (Clarendon Press, 1998)].

Government (a.k.a the Crown) has by way of contrast traditionally been highly privileged, benefiting from the existence of a set of wide and loosely defined prerogative powers in the area of security and defence. There has never been a constitutional ‘right to know’ and access to official information was until recently narrowly restricted by draconian Official Secrets Acts, which made it an offence for any Crown servant or agent or anyone in receipt of information from a Crown servant or agent to disclose such information without authority. Although toned down by the Official Secrets Act 1989, which restricts the categories of protected information, the underlying ethos, that information in the possession of government is its private property, has not been dispelled by the first freedom of information legislation, which came into force only in 2005 and is riddled with so many exemptions as to merit the label of ‘sheep in wolf’s clothing’ bestowed on it by Rodney Austin [‘The Freedom of information Act 2000: a sheep in wolf’s clothing?’ in J Jowell and D Oliver (eds), The Changing Constitution (Oxford University Press, 5th edn, 2004)].

In the last two decades, the relationship between state and citizen in the area of information has been complicated by the rapid evolution of information technology, globalization of communications and the multi-level nature of regulation. Many counter-terrorism measures involving surveillance emanate, for example, from the United Nations, while the European Union is starting to play a significant role in access to information and data protection. On the one hand, ICT has facilitated the accumulation and retention in government data banks of vast quantities of information, relevant and irrelevant, about its citizens. Concern over the uses to which such information would be put fuelled opposition to proposals – ultimately defeated – from Tony Blair’s government for citizen identity cards. On the other hand, easy access to the internet and rapid communication via mobile telephones, Skype, social networking sites, twittering and tweeting have worked to the benefit of citizens and rendered government control harder. This point was poignantly illustrated during the ‘Arab Spring’.

Concern, evidenced in the campaign against identity cards, has been growing at national level, over the growing use of modern technology to extend surveillance by public authorities – the proliferation of CCT cameras for crime prevention, centralized and systematic police monitoring of cameras used for traffic control for other purposes, and CCT use by the private sector, where it is barely controlled. The courts have shown themselves relatively unwilling to restrict the use of modern surveillance techniques. In Wood v MPC [2009] EWCA Civ 414, for example, the Court of Appeal rejected a claim that the filming of participants in a trouble-free demonstration and subsequent retention of the photographs was unlawful and amounted to a violation by the police of ECHR Article 8, ruling instead that the practice was a justifiable and proportionate measure for the prevention of crime. After the London riots in 2011, the Metropolitan police pressurized broadcasters to hand over videos and pictures they had taken, threatening a court production order under PACE. The press protested vigorously at the threat to freedom of speech (The Guardian 30 August 2011) but the issue remains unresolved. Similar protests met government proposals – not yet fully particularised – to extend rights of access by public authorities to electronic communications between citizens, stimulating a vigorous political response from the junior partners in the coalition government, (BBC News, 10 April 2012).

Strasbourg, interception and data protection

The interception of communications has brought the United Kingdom up against the Strasbourg Court of Human Rights on several occasions. Indeed, of the long line of cases marks the interest of the Strasbourg Court in interception of communications, data protection and surveillance, several involve the United Kingdom [ECtHR, Factsheet on data protection 2012].  In Malone v United Kingdom (1984) 7 EHRR 14, the issue was telephone tapping by the police, which came to light during Malone’s trial for handling stolen goods. When Malone sought a declaration that the practice was unlawful [Malone v. Commissioner of Police of the Metropolis (No. 2) [1979] 2 All ER 620] Megarry J. ruled (i) that the common law recognised no right of privacy on which to found an action (ii) that no actionable tort had been committed and (iii) that a claim based on Article 8 of the ECHR, which specifically protects the privacy of correspondence, must fail because the ECHR was not (at that time) directly applicable in domestic law. In reaching these conclusions, the judge remarked, however, that he found it ‘impossible to see how English law could be said to satisfy the requirements of the Convention’ and that ‘the subject cried out for legislation’. This did not prevent the British Government from arguing in Strasbourg both that the practice of requiring ministerial authorisation for all telephone tapping was sufficient to satisfy the Convention requirement that interceptions must be ‘in accordance with the law’; and also that the practice of ‘metering’ or recording dialled numbers and the time and duration of calls, fell outside the Convention right. The Government lost on both heads and the Interception of Communications Act 1985 followed.

This legislation is now taken up in the Regulation of Investigatory Powers Act 2000. RIPA’s objectives are wide: it provides for ‘the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed’ for purposes of national security or investigation of serious crime by the security services and police. A warrant signed by the Home Secretary is required. RIPA also regulates ‘metering’; it requires records to be kept and made accessible on ministerial request of dialled numbers etc. A monitor in the shape of an Interception of Communications Commissioner is provided. More controversially, RIPA permits a wide range of government agencies, including the Charity Commissioners, Financial Services Authority and local authorities to indulge in similar activities, albeit in limited circumstances. Largely on these grounds, it has been widely criticised as a ‘snoopers’ charter’.

Marginal restrictions on the powers of local authorities are contained in the Protection of Freedoms Bill, currently before Parliament. Unsurprisingly, however, the Home Secretary (Theresa May) did not seize the opportunity afforded by the Bill seriously to curtail the snooping activities of public authorities. Instead, proposals to include in the next Queen’s Speech extensions to RIPA’s ambit have been announced to cover more modern forms of communication, including internet-based email, twittering and tweeting, Blackberries, Skype, mobile phone texting, social networking sites like Facebook and even online games. Proposed new legislation would, it is believed, force internet companies to install hardware enabling GCHQ on behalf of government to examine websites accessed and text messages or email sent. The proposals will in short allow police and intelligence officers to monitor a person’s contacts including websites, although the content of communications will not be accessed. Once again, the records will be available to local councils and other agencies, though in limited circumstances.

In S and Marper v. the United Kingdom [2008] ECHR 1581,  the Court ruled on the taking and retention of DNA samples from persons suspected of criminal offences but subsequently acquitted. There is an implicit reproof to the House of Lords, which had ruled to the contrary in R(LS and Marper) v Chief Constable of Yorkshire [2004] UKHL 39, in the ruling that

the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences… fails to strike a fair balance between the competing public and private interests and that… the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society.

Necessary changes to bring the law into line with the Strasbourg judgment are also contained in the Protection of Freedoms Bill.

Enter the European Union

But data processing, retention and protection are no longer a purely domestic matter. They are the subject of a major new initiative under the direction of EU Commissioner, Viviane Reding. This is both a necessary and welcome development in view of the vast data banks that have been built up in the EU from material contributed by member states and often widely accessible to member state authorities and officials. Until the Lisbon Treaty came into force, winding up the ‘Third Pillar’ and bringing justice and home affairs into the ambit of the Community, this was a dark and windowless area of EU law and policy. In the Community pillar, some of the sketchy and piecemeal regulation, such as the Telecommunications Data Protection Directive (Council Directive 97/66 of 15 December 1997) or Data Retention Directive (Directive 2006/24/EC of 15 March 2006), had shown a capacity to bite. In Case C-518/07 Commission v Germany [2010] ECR I-1885, for example, the Commission successfully brought Germany before the Court of Justice because its domestic data supervisory authority was insufficiently independent. But Directive 95/46 on data protection, the generally applicable legislation, contains exceptions in Article 13, which authorises Member States to restrict the scope of the rights and obligations provided in the Directive when ‘such a restriction constitutes a necessary measure to safeguard national security, defence and public security’. Similar exceptions apply to the prevention, investigation, detection and prosecution of criminal offences. The consequence was policy-making marked by a serious democratic deficit and information shortfall, culminating in the highly suspect Prüm Convention, which provided for the establishment of DNA profile databases and allows access to partner countries’ fingerprint databases, which the other contracting parties will be able to check on request not only for the purpose of preventing terrorist attacks and serious criminal activity but also in case of political demonstrations and ‘other mass events’. Similarly controversial was the agreement with the United States on the transfer of passenger name record data (PRN), successfully attacked in the Court of Justice Case C-301/06 Ireland v Council and European Parliament (10 February 2009), but now the subject of a new agreement foisted on a not-entirely willing Parliament (see

Coupled with the EU Charter of Fundamental Freedoms, the Lisbon Treaty (TFEU Article 16) provides a new basis for, and mandates, EU lawmaking, from which the European Parliament can no longer be excluded. A proposal from the Commission for a legislative text would provide a Europe-wide framework for data protection. This would have a major impact on private generators of electronic data, which would in future have to prove either consent of the data subject to retention or that retention was necessary. A second proposal  for a directive covers processing of personal data by law enforcement authorities for purposes of crime prevention, investigation, etc. and ‘the free movement of such data’.  The Commission is also reviewing the Data Retention Directive, which requires companies to store communication traffic data for a period of between six months and two years. In fact, some member states and notably Sweden have already implemented this measure.

The European Data Supervisor has, however, expressed ‘serious disappointment’ with the provisions in the law enforcement area [Opinion of the European Data Protection Supervisor on the data protection reform package]. While welcoming the fact that the directive would cover domestic processing, he regrets that the level of data protection in this area would not be increased:

The main weakness of the package as a whole is that it does not remedy the lack of comprehensiveness of the EU data protection rules. It leaves many EU data protection instruments unaffected such as the data protection rules for the EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters. [para. 443, emphasis mine]

The UK Information Commissioner has expressed similar views. He sees the Commission proposals as less ambitious than the current UK Data Protection Act and hopes that ‘the provisions will be strengthened as negotiations progress’. Clearly, we cannot rely on the European Union to halt the march towards a surveillance state.

Carol Harlow is Emeritus Professor of Law at the London School of Economics