Case Summary and Outcome

The U.K. Investigatory Powers Tribunal ruled that the obtaining by Security and Intelligence Agencies of Bulk Communications Data (BCD) from telecom operators was lawful under domestic law, namely Section 94 of the Telecommunications Act 1984, but that both the BCD and the Bulk Personal Datasets (BPD) regimes failed to comply with European Convention of Human Rights (ECHR) principles until their existence was made public.

The campaign group, Privacy International, claimed that the acquisition and use of bulk personal and communications data by MI5, MI6 and Government Communications Headquarters (GCHQ) infringed the right to private life under Article 8 ECHR. The Foreign Secretary, the Home Secretary and the three security services argued that the use of these powers was lawful and essential for the protection of national security.

The Court reasoned that the obtaining of BPD and BCD under rules and arrangements that were not publicly accessible fell foul of the ECHR Article 8 requirement that such measures must be “in accordance with law” because the rules were not sufficiently foreseeable or accessible and were not subject to adequate oversight.

---

Facts

The claimant is Privacy International, an NGO working in the field of defending human rights at both the national and international levels. The Respondents are the Secretary of State for Foreign and Commonwealth Affairs, Secretary of State for the Home Department and the three Security and Intelligence Agencies (SIA).

The proceedings were brought before the court in relation to the SIA’s retention and use of Bulk Personal Datasets (‘BPD’) whose existence was acknowledged in response to a parliamentary report. The proceedings were subsequently amended to include claims concerning the authorization of transfers of Bulk Communications Data (‘BCD’) to the intelligence agencies under the 1984 Telecommunications Act.

BCD includes the ‘who, when, where and how’ of all telephone and internet users and may also track the location of the computers from which internet is accessed or the mobile-phones through which calls are made. Nevertheless the content of these communications remains protected until an interception warrant is granted.

BPD is a dataset that contains personal data about individuals, most of whom are not intelligence targets or suspects, incorporated into an analytical system. This dataset can be readily accessed by the intelligence agencies to trace links between targets and to identify suspects. The categories of information cover travel, communications, finance, population, commercial interests and intelligence.  A parliamentary report of March 2015 acknowledged that the SIAs derive the authority to use BPDs from the general powers conferred on them under the Intelligence Services Act 1994 [ISA 1994] and the Security Service Act 1989 [SSA 1989].

Operative provisions

Section 45 of the 1984 Telecommunications Act:

45(1).  A person engaged in the running of a public telecommunications system who otherwise than in the course of his duty intentionally discloses to any person –(a) the contents of any message which has been intercepted in the course of its transmission by means of that system; or   (b) any information concerning the use made of telecommunication services provided for any other person by means of that system, shall be guilty of an offence.  

(2).  Subsection (1) above does not apply to –(a) any disclosure which is made for the prevention or detection of crime or for the purposes of any criminal proceedings;   (b) any disclosure of matter falling within paragraph (a) of that subsection which is made in obedience to a warrant issued by the Secretary of State under section 2 of the Interception of Communications Act 1985 … or   (c) any disclosure of matter falling within paragraph (b) of that subsection which is made in the interests of national security or in pursuance of the order of a court.

The Secretary of State could not secure compulsory disclosure of information specifying the telecommunications services provided to a subscriber unless there was a statutory power which imposed on telecommunications providers a duty to do so. The only available power was to be found in s. 94(1) and (2).  S. 94(3) which imposed a duty on the person to whom a direction had been given to comply with it:

(3).  A person to whom this section applies shall give effect to any direction given to him by the Secretary of State under this section, notwithstanding any other duty imposed on him under this Act. 

 

---

Decision Overview

The parties agreed a list of issues:

a) Issue 1: Section 94 TA under domestic law: Is it lawful as a matter of domestic law to use section 94 to obtain BCD?

b) Issue 2: Is the section 94 TA regime in accordance with the law? This issue is to be considered in three time periods: first, prior to the avowal of the use of section 94 to obtain BCD [4^th November 2015]; secondly, from avowal to the date of hearing; thirdly, as at the date of hearing.

c) Issue 3: Is the BPD regime in accordance with the law? This issue is to be considered in four time periods. first, prior to the avowal of the holding of BPDs [March 2015]; secondly, from avowal to the publication of the BPD handling arrangements [4^th November 2015]; thirdly, from publication to the date of the hearing; and finally, as at the date of hearing.

d) Issue 4: Are the section 94 regime and the BPD regime proportionate?

The Court’s reasoning is as follows:

Issue 1: Communications data, as defined in Section 21(4) of the Regulation of Investigatory Powers Act 2000, includes all electronic data that pertains to the location and user of the data, other than the content of the data itself. While the Claimant recognized that there are statutory provisions under which obtaining communications data is lawful, the Respondents’ case is that such data may also be lawfully obtained under the directions of the Secretary of State under Section 94 of the 1984. The Court said that the clear words of s. 94(1)-(3), read with s. 45(2), empowered the Secretary of State to direct telecommunications providers to provide billing and subscriber records to the Security Service and GCHQ in the interests of national security or foreign relations and required the telecommunications providers to comply with the direction. Contrary to the arguments made by the Claimant,  the Court said that Section 45 applied to both voluntary disclosures and disclosures made in the fulfilment of the duty created under Section 94. Further, the Court considered it very unlikely that Parliament intended to restrict or limit these powers.

The Court went on to dismiss the Claimant’s argument that a power conferred in very general terms cannot be relied on to defeat the intention of clear and particular statutory provisions, as set out by Lord Bingham CJ in R v. Liverpool County Council ex parte Baby Products Association [2000] LGR 171. In that case, the Court said, the powers relied on by the Council were general and ancillary in character, whereas the powers conferred under Section 94 were not. They could be exercised only on two grounds: national security or foreign relations, and may only be exercised in relation to the director of Ofcom, the U.K. Communications Regulator,  or the telecommunications operator.

Issues 2 and 3: The Court noted that these issues had been framed by reference to the “in accordance with law” requirement under Article 8 which requires a) that the measures under review should have a basis in domestic law and b) that the laws in question should be compatible with the rule of law, in being generally accessible, foreseeable and contain adequate safeguards against arbitrary use [Weber & Saravia v. Germany [2008] 46 EHRR SE5]. After reviewing the relevant ECHR jurisprudence the Court summarized its conclusions as follows:

(i) There must not be an unfettered discretion for executive action.  There must be controls on the arbitrariness of that action.

(ii)  The nature of the rules fettering such discretion and laying down safeguards must be clear and the ambit of them must be in the public domain so far as possible; there must be an adequate indication or signposting, so that the existence of interference with privacy may in general terms be foreseeable.

(iii) Foreseeability is only expected to a degree that is reasonable in the circumstances, being in particular the circumstances of national security, and the foreseeability requirement cannot mean that an individual should be able to foresee when the authorities are likely to resort to secret measures, so that he can adapt his conduct accordingly.

(iv) It is not necessary for the detailed procedures and conditions to be incorporated in rules of substantive law.

(v)  It is permissible for the Tribunal to consider rules, requirements or arrangements which are ‘below the waterline’, i.e. not publicly accessible, provided that what is disclosed sufficiently indicates the scope of the discretion and the manner of its exercise.

(vi) The degree and effectiveness of the supervision or oversight of the executive by independent Commissioners is of great importance, and can be a decisive factor (as in Kennedy v. United Kingdom [2011] 52 EHRR 4).

The Court carried out a detailed review of the rules and arrangements in place ‘below the waterline’ and found that each regime had failed to comply with the relevant ECHR principles in their respective ‘prior to avowal’ periods. In respect of the period since November 2015 (BCD) and March 2015 (BPD) the Court firstly referred to an earlier decision and said that as long as adequate safeguards existed, the lack of prior judicial authorization or notice to a subject of interception does not render the system in breach of Article 8. It said that under the statutory framework (i) the SIAs could only exercise their powers to protect national security, safeguard the economic well-being of the U.K. from external threats, or to prevent or detect serious crime; (ii) the SIAs were under a duty not to obtain any information, by any means, except so far as is necessary for the proper discharge of its functions or to disclose to others except for prescribed purposes; and (iii) there were substantial statutory protections, in particular under the Official Secrets Act 1989, against the misuse by any person of information obtained by the SIAs. It went on to consider the acquisition of BCD, and access to such data, and held that the relevant arrangements ensured that the data was acquired only for proper purposes, where the acquisition of the data is necessary and proportionate.

Regarding BPD it said that the statutory duties imposed on the SIAs govern all information whether obtained with or without a warrant, so that information used to constitute BPDs can only be obtained for proper purposes.

The Court then considered whether the BPD regime was compliant with Article 8 between public avowal in March 2015 and November 4  2015 when the BPD Handling Arrangements were published. The Court noted various provisions that covered similar ground to the Handling Arrangements and that were in existence over this period, namely, the SIA Bulk Personal Data Policy, relevant provisions of GCHQ’s Compliance Guide and the MI5 and similar MI6 Bulk Personal Data Guidance. In these circumstances the Court found that there was sufficient satisfaction of the principle of foreseeability and the requirements of Article 8 after March 2015. Therefore the Court concluded that the BPD and BCD systems were in compliance with the law following public avowal in March 2015 and November 2015 respectively.

The Court invited further submissions on whether the arrangements in place for the transfer of data to other bodies such as foreign partners and UK Law Enforcement Agencies were sufficient.

Issue 4: With regard to proportionality, the Court granted both parties the opportunity to submit arguments on the Bulk Powers Review that was published in August 2016 and adjourned the case to be heard together with EU law issues.

---