Big Brother Watch v UK – Data Protection for beginners

By: Gemma McLoughlin Burke

The Edward Snowden leaks, which began in 2013, exposed a wide range of State surveillance and storage of data by governments across the world, including the US and the UK. One particular issue that was exposed was the so-called “bulk interception” of data. In effect, governments were intercepting a wide range of communications – phone and internet – which they were storing and also filtering for the purposes of identifying information which was of “high evidential value”. The documents leaked by Snowden also revealed that there was cross-government sharing of information which had been intercepted and stored.

The UK proceedings

In the UK, this bulk interception is governed by the Regulation of Investigatory Powers Act 2000 (“RIPA”). In Big Brother Watch v the UK, the Applicants challenged the scope and widespread nature of the surveillance programmes being run by the UK Government as provided for in RIPA and further challenged the sharing of this information with other states. The Court considered the compatibility of this system and the provisions contained in RIPA with the Convention and made a number of interesting findings. The three main issues which were considered by the Court were (i) bulk interception of data, (ii) obtaining data from communications service providers and (iii) intelligence sharing with foreign states.

Bulk-interception and the right to privacy

The Court held that bulk interception of data could be justified by member states on the basis that they must be able to guard against potential threats to national security. However, if a state implements a bulk interception strategy it must ensure that the system contains “end to end” safeguards which militate against the potential risk of abuse. In this case, the safeguards purporting to protect the personal data of citizens were insufficient and the UK regime was therefore held to amount to a breach of privacy under Article 8 of the ECHR.

How does a State ensure compliance?

The Court stated that the following safeguards must be implemented in bulk interception strategies in order to ensure compliance with the Convention:

  • There should be a supervisory authority in the member state who is responsible for overseeing compliance with the Convention;
  • This authority should assess the necessity and proportionality of each step of the procedure of interception;
  • Authorisation for bulk interception should be sought from a body who is “independent of the executive”;
  • When seeking authorisation, the search terms which will be used to scan the intercepted data must be supplied;
  • Where search terms are linked to a specific individual, these must be “justified”, “recorded” and “subject to a process of prior internal authorisation”;
  • The procedure put in place should be subject to ex post facto review.

Assessing compliance

In summary, the Court stated that when conducting an assessment as to whether or not a State’s bulk interception policy is Convention compliant, it will conduct a “global assessment” of the legislation providing for the interception and consider:

  1. the grounds on which bulk interception may be authorised;
  2. the circumstances in which an individual’s communications may be intercepted;
  3. the procedure to be followed for granting authorisation;
  4. the procedures to be followed for selecting, examining and using intercept material;
  5. the precautions to be taken when communicating the material to other parties;
  6. the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;
  7. the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;
  8. the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.

The right to freedom of expression

In the present case, the Court was particularly concerned with the right to freedom of expression insofar as it relates to journalists and freedom of the press. In particular, the Court considered the potential for regimes of this nature to impinge upon journalistic privilege and the protection of journalistic sources. The Court held that “interference with the protection of journalistic sources cannot be compatible with Article 10 of the Convention unless it is justified by an overriding requirement in the public interest.” And even where so justified, appropriate procedures and safeguards must be put in place. In the present case, given the lack of appropriate safeguards, the Court held that there had been a breach of the right to freedom of expression under Article 10.

The Court indicated that such safeguards should include the requirement to seek authorisation from an independent body, with such a request for authorisation to include the specific search terms to be used against the individual journalist. The independent body should then consider whether the request is justified in the public interest.

Obtaining data from private communications service providers

This case also considered the interception of general data and journalistic data from communications service providers and whether accessing such data amounted to a breach of Articles 8 & 10 of the Convention. The Court held that access to such data should be limited to combatting “serious crime” and again, emphasised the need to implement appropriate safeguards when accessing and processing such data. On this ground the Court found that there had been a breach of the right to privacy under Article 8 and the right to freedom of expression under Article 10.

Intelligence sharing

Finally, the Court was asked to consider whether intelligence sharing between states amounted to a violation of Article 8. The Court was concerned with the requesting and receipt of data by the UK from another State. In this case the Court found that the UK “had in place adequate safeguards for the examination, use and storage of the content and communications data received from intelligence partners; for the onward transmission of this material; and for its erasure and destruction.” The Court was satisfied that the procedures which existed in relation to intelligence sharing with other States were sufficient to protect against potential abuse and therefore found that there was no breach of Article 8.

Conclusions

This judgment, although somewhat cautious and deferential to the autonomy of States in matters of State security, nonetheless makes clear that the protection of data is a paramount concern for the Court. The right to privacy is also a broad one and one which is continually adapting to the advancement of technology. Overall, this judgment should prompt states to review the manner in which they intercept and process data in order to be Convention compliant.
