This article was originally published in The Lawyer.
Europe is setting the pace in balancing state power against individual rights in the internet age. UK lawmakers could learn some useful lessons.
The upcoming bill on investigatory powers will take its place in a long tradition of balancing state powers and citizens’ rights, and is an opportunity to improve transparency and legal certainty.
Today (2 November) marks the second great British legal birthday of 2015 – the 250th anniversary of Lord Camden’s judgment in Entick v Carrington in 1765. In the timeless tussle between state surveillance powers and citizens’ rights this case concerned government attempts to stifle popular opposition in pamphlets and coffee shops, the social media platforms of their day, by harrying authors through warrants to search and seize their papers, and ransack their homes.
Lord Camden, in ringing tones, held that “by the laws of England every invasion of private property, be it ever so minute, is a trespass. […] If [a man] admits the fact he is bound by law to show by way of justification that some positive law has empowered or excused him”. The Judge came down firmly on the side of the citizen, holding that government agents claiming entry had failed to show proper authority.
The case has been influential down the years but the principle never jumped from paper to telephone or data communications. This is because entry into homes to seize papers is based on the law of trespass, a property right, and the courts have never granted that protection to data. This, in turn, explains why there is no common law right to privacy under English law and why it has been left to the Human Rights Act 1998, the Data Protection Act 1998 and the EU Charter of Fundamental Rights 2010, all comparatively recent and from Europe, to do the heavy lifting.
Meanwhile, communications, surveillance and security agencies all emerged from behind the veil of the state into the open: in the 1980s the government telecoms monopoly was ended (1982), the first statute regulating surveillance was passed (1985, now RIPA 2000), GCHQ was avowed (1983), and MI5 was put on a statutory footing (1989).
In 2013 Edward Snowden revealed three large data collection programmes – PRISM and UPSTREAM in the USA and TEMPORA in the UK. Governments had initiated these programmes for what they foresaw would be – and what is now – happening. This is what has become known as the ‘third platform’ – the combination of big data (data volumes increasing by 10 times every five years); mobile (internet sensors will rise to 25 billion by 2020); social media; and the move to the cloud (with hyperscale datacentres as its engine).
“There is no right to privacy under English common law”
Snowden and the third platform provided the setting for three important cases pitting state surveillance powers against citizens’ rights. In Digital Rights Ireland in 2014 the Court of Justice of the European Union (CJEU) struck down the EU Data Retention Directive which required telcos to hold all customer metadata, contrary to the right of respect for private life and personal data in the EU Charter.
This July, for similar reasons, the UK High Court struck down Section 1 DRIPA 2014, which the Government had rushed through to fill the gap left by Digital Rights Ireland.
And last month the CJEU again invoked the EU Charter to strike down the US/EU Safe Harbour agreement on personal data transfers between the US and the EU.
All this has set the scene for the UK’s new investigatory powers bill to be published later this autumn. This promises to be an epic debate, with the Government contending that risks from terrorism, cybercrime, data breaches, the dark net and encryption make broad powers indispensable and civil liberties groups arguing for strict safeguards.
So what will all this mean for ‘civil society’ – businesses and consumers?
The starting point is a pragmatic approach to understanding data sovereignty risk management: these powers of the state have always been there, always will be. And it’s not just the US and UK that have these laws – most countries do. This means service providers, and hence their customers, are potentially subject to data collection and interception under the laws of the country where they are headquartered, the countries where their data centres are located, and any country claiming extra-territorial interception powers or imposing national data domiciliation requirements, like Russia, where, since September, personal data collected in Russia has to be stored on servers in Russia.
On this approach five changes to the UK investigatory powers legal framework would see significant improvements and increased trust.
First, the statute should recognise legal privilege, something which did not feature in the UK framework before this year. Second, there should be greater accountability of Government agencies through a higher level of judicial involvement in interception and communications data warrant authorisation and review. Third, allow providers to acknowledge more openly their interactions with state agencies. Fourth, better international co-operation between national agencies – the present system takes an average of 10 months to process a request for emails. Fifth, and perhaps most importantly, baking into the new law the principles and safeguards the CJEU says are so crucial.
The data – not just the medium – is the message now. In its privacy rights judgments over the past 18 months the CJEU has shown it grasps this better than anyone. In 250 years will British citizens look back on its words with the same appreciation with which we look back on Lord Camden’s in 1765?