RIPA: hacked voicemails and undercover officers

Posted on | by Robin Hopkins

The Regulation of Investigatory Powers Act 2000 (RIPA) has featured prominently in the news in recent weeks, both as regards undercover police officers/“covert human intelligence sources” and as regards the phone-hacking scandal.

Hacked voicemails

This morning, the Court of Appeal gave judgment in Edmonson, Weatherup, Brooks, Coulson & Kuttner v R [2013] EWCA Crim 1026. As is well known, the appellants face charges arising out of the News of the World phone-hacking controversy – specifically, conspiring unlawfully to intercept communications in the course of their transmission without lawful authority contrary to section 1(1) of the Criminal Law Act 1977.

The communications in question are voicemails. Under section 1(1)(b) of RIPA, it is an offence intentionally to intercept, without lawful authority, any communication in the course of its transmission by means of a public telecommunications system (my emphasis). The central provision is section 2(7) of RIPA:

“(7) For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.”

The appellants applied to have the charges dismissed on the grounds that the words “in the course of transmission” in section 1(1) of RIPA do not extend to voicemail messages once they have been listened to (by the intended recipient, that is, rather than by any alleged phone-hacker). They argued that the ordinary meaning of “transmission” is conveyance from one person or place to another and that section 2(7) is intended to extend the concept of “transmission” only so as to cover periods of transient storage that arising through modern phone and email usage, and when the intended recipient is not immediately available. Thus, once the message has been listened to, it can no longer be “in the course of transmission”.

The point had previously been decided against the appellant. The Court of Appeal (the Lord Chief Justice, Lloyd Jones LJ, Openshaw J) took a similar view. While it accepted that the application of section 2(7) may differ as between, for example, voicemails and emails, “there is nothing in the language of the statute to indicate that section 2(7) should be read in such a limited way” (as the appellants had contended) (paragraph 23). Further, the words “has been transmitted” in section 2(7) “make entirely clear that the course of transmission may continue notwithstanding that the voicemail message has already been received and read by the intended recipient” (paragraph 26).

The same conclusion was reached by focusing on the mischief which section 2(7) is intended to remedy, “namely unauthorized access to communications, whether oral or text, whilst they remain on the system by which they were transmitted. As the prosecution submits, unlawful access and intrusion is not somehow less objectionable because the message has been read or listened to by the intended recipient before the unauthorized access takes place” (paragraph 28, quoting an earlier judgment in this matter from Fulford LJ).

The Court accepted that section 2(7) went further than the prohibitions imposed by Directive 97/66/EC concerning the processing of personal data and the protection of privacy in the telecommunications sector (which RIPA sought to implement) and its successor, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (which postdates RIPA).  The Court found, however, that the Directives imposed minimum harmonisation; Parliament was entitled to go further and to set higher standards for the protection of privacy of electronic communications, provided that those additional obligations are compatible with EU law (paragraph 42).

Both the Data Protection Act 1998 and the Computer Misuse Act 1990 also raised their heads. The DPA, for example, contains a public interest defence which is not available under RIPA. It was argued that this risked creation parallel offences without parallel defences, violating the principle of legal certainty. This submission too was rejected (paragraphs 44-45).

The cases will now proceed to trial, apparently to commence in September.

Undercover officers

As regards the activities of undercover police officers, the major issue this week has concerned the alleged smearing of the family and friends of Stephen Lawrence: see for example The Guardian’s Q&A session with undercover-officer-turned-whistleblower Peter Francis.

The other major ongoing case regarding a former undercover officer concerns Mark Kennedy, who (together with others) infiltrated political and environmental activists over a period of years. Claims were commenced in the High Court, with part of the conduct complained of involving ensuing sexual relations between activists/their partners and undercover officers.

Earlier this year, J and others v Commissioner of Police for the Metropolis [2013] EWHC 32 (QB) saw part of the claims struck out. The Court held that the Investigatory Powers Tribunal had exclusive jurisdiction over the claims under the Human Rights Act 1998; it struck out these parts accordingly. It observed that conduct breaching Article 3 (inhuman and degrading treatment) – which included the claims relating to sexual activity – could not be authorised under RIPA, but conduct breaching Article 8 (privacy) could be authorised. Sexual activity with undercover officers did not necessarily engage Article 3.

Those parts of the claims which did not concern the Human Rights Act 1998 (actions at common law and for alleged breaches of statutory duties) were not exclusively within the Investigatory Powers Tribunal’s jurisdiction and were thus not struck out as an abuse of process, notwithstanding the police’s difficulties in presenting its case due to the ‘neither confirm nor deny’ approach to covert sources.

Unlike with the phone-hacking cases, it is not clear when this case will resume before the Court/Tribunal.

Robin Hopkins

Liberty takes action against the British Intelligence Services

Posted on | by Julian Milford

Anyone interested in issues of privacy and data protection cannot have avoided the recent allegations in The Guardian (and now, everywhere else) about blanket surveillance by GCHQ of emails and phone calls between UK residents, when they have been routed in and out of the UK through servers held abroad; and about the use by UK authorities of surveillance information on UK residents collected by the US, without going through the usual domestic legal checks on collection of such information. Liberty has now announced that it is taking legal action against the British Intelligence Services. It will argue that their actions have breached both the provisions of the Regulation of Investigatory Powers Act 2000, and the right to respect for private life, home and correspondence under Article 8 of the European Convention on Human Rights. Liberty’s press release of today (25 June 2013) can be seen at https://www.liberty-human-rights.org.uk/media/press/2013/liberty-issues-claim-against-british-intelligence-servic.php.

Bank Mellat: closed material procedures and FOIA

Posted on | by Julian Milford

Last week, the Supreme Court gave judgment in Bank Mellat v Her Majesty’s Treasury (no.1) [2013] UKSC 38. The Bank Mellat case involved financial restrictions imposed by HMT on the Bank under the Counter-Terrorism Act 2008 (“the 2008 Act”), on the basis that it enabled funding for Iran’s nuclear weapons programme. The High Court and Court of Appeal had both adopted a closed material procedure (“CMP”) – i.e. a procedure in which the court sits in private, and hears evidence and/or submissions without one party either being present or seeing the material – in order to consider sensitive material adduced by HMT which could not be disclosed to the Bank. They had specific statutory authority to do so under the 2008 Act. The Supreme Court did not have such authority. The  relevant questions were whether it was possible for the Supreme Court to adopt a CMP on appeal, in the absence of specific statutory provision; and if so, whether it was appropriate to do so in that particular case. The Supreme Court was faced with the difficulty of reconciling two strong but opposing interests. On the one hand, it was important that the Court should be able to see and consider any relevant material before the High Court and Court of Appeal. On the other, the Supreme Court itself in Al Rawi v Security Service [2012] 1 AC 531 had uncompromisingly set its face against any derogation from the open justice principle. The Supreme Court was divided; but the majority considered that the Court had implied authority to adopt a CMP under its powers conferred by the Constitutional Reform Act 2005, where the lower courts had themselves used a CMP. Nevertheless, the Court was uncomfortable about doing so, and expressed that discomfort in strong terms.

Bank Mellat (no.1) was not, of course, a freedom of information case. But it has important things to say for freedom of information cases. Freedom of information appeals are the classic example of cases which may require a CMP. Submissions must be made about, and evidence given on, the disputed information in the appeal. But that may involve disclosing the content of the information itself. If the party requesting the information was present, this would wholly undermine the purpose of the appeal. So the general points made about CMPs in Bank Mellat (no.1) are of obvious significance for FOIA appeals.

At [68]-[74] of the judgment in Bank Mellat (no.1), Lord Neuberger (giving the majority’s view) made the following general points about the use of closed material by or before appeal courts:

(1)    Where a judge gives an open and closed judgment, it is highly desirable that in the open judgment the judge (i) identifies every conclusion in the open judgment reached in whole or in part in the light of points made or evidence referred to in the closed judgment; and (ii) says that this is what they have done.

(2)    A judge who has relied on closed material in a closed judgment should say in the open judgment as much as can properly be said about the closed material relied on. Any party excluded from the closed hearing should know as much as possible about the court’s reasoning, and the evidence and the arguments it has received.

(3)    On an appeal against an open and closed judgment, an appellate court should only be asked to conduct a closed hearing if it is strictly necessary for fairly determining the appeal. That puts an important onus on legal representatives asking an appeal court to look at closed material. An advocate who wants a closed hearing should carefully consider whether the request should, or even can properly, be made, and advise their clients accordingly. (This would of course be relevant for appeals to the Upper Tribunal from FOIA decisions in the First-Tier Tribunal.)

(4)    If the appellate court decides that it should look at closed material, careful consideration should be given by the advocates and the court to whether it would nevertheless be possible to avoid a closed hearing, on the basis that the court can be addressed on confidential material in open court e.g. by elliptical references. This, again, is particularly relevant to the Upper Tribunal on FOIA appeals.

(5)    If the court decides that a CMP is necessary, the parties should try and agree a way of avoiding, or minimising the extent of, a closed hearing.

(6)    If there is a closed hearing, the lawyers representing the party relying on closed material should give the excluded party as much information as possible about closed documents relied on.

(7)    Appellate courts should be robust about acceding to applications to go into closed session or even to look at closed material.

The general tenor of the judgments is to deprecate any use of CMPs. As Lord Neuberger put it: “any judge, indeed anybody concerned about the dispensation of justice, must regard the prospect of a closed material procedure, whenever it is mooted and however understandable the reasons it is proposed, with distaste and concern.”

Julian Milford

Knowing I’m On the Street Where You Live? Well, Google Does.

Posted on | by Christopher Knight

Following on from yesterday’s French enforcement announcement, the ICO announced on 21 June 2013 that the collection of personal data by Google’s Street View cars – including email addresses, URLs and passwords relating to thousands of individuals – was required to be deleted within 35 days. This payload data was, according to Google, accidentally collected by the cars when they travelled around the UK. Google has undertaken to comply and delete the data, so an appeal against the Enforcement Notice is not expected.

The terms of the Enforcement Notice can be seen here.
The ICO’s press release can be seen here.

Christopher Knight

Google and Data Protection Across Europe

Posted on | by Christopher Knight

On 20 June 2013 the Commission nationale de l’informatique et des libertés (the CNIL) – the French data protection agency – issued a statement in relation to its investigation into Google’s privacy policy. It formed part of co-ordinated action by data protection agencies in France, Germany, Italy, the Netherlands, Spain and the United Kingdom. The CNIL announced that Google was in breach of the French data protection legislation, mirroring findings in other European jurisdictions. The full text of the statement reads:

“From February to October 2012, the Article 29 Working Party (“WP29”) investigated into Google’s privacy policy with the aim of checking whether it met the requirements of the European data protection legislation. On the basis of its findings, published on 16 October 2012, the WP29 asked Google to implement its recommendations within four months.

After this period has expired, Google has not implemented any significant compliance measures.

Following new exchanges between Google and a taskforce led by the CNIL, the Data Protection Authorities from France, Germany, Italy, the Netherlands, Spain and the United Kingdom have respectively launched enforcement actions against Google.

The investigation led by the CNIL has confirmed Google’s breaches of the French Data Protection Act of 6 January 1978, as amended (hereinafter “French Data Protection Act”) which, in practice, prevents individuals from knowing how their personal data may be used and from controlling such use.

In this context, the CNIL’s Chair has decided to give formal notice to Google Inc., within three months, to:
◾Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
◾Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
◾Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
◾Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
◾Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page;
◾Inform users and then obtain their consent in particular before storing cookies in their terminal.

This formal notice does not aim to substitute for Google to define the concrete measures to be implemented, but rather to make it reach compliance with the legal principles, without hindering either its business model or its innovation ability.

If Google Inc. does not comply with this formal notice at the end of the given time limit, CNIL’s Select Committee (formation restreinte), in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company.

The Data Protection Authorities from Germany, Italy, the Netherlands, Spain and the United Kingdom carry on their investigations under their respective national procedures and as part of an international administrative cooperation.

Therefore,
◾The Spanish DPA has issued to Google his decision today to open a sanction procedure for the infringement of key principles of the Spanish Data Protection Law.
◾The UK Information Commissioner’s Office is considering whether Google’s updated privacy policy is compliant with the UK Data Protection Act 1998. ICO will shortly be writing to Google to confirm their preliminary findings.
◾The Data Protection Commissioner of Hamburg has opened a formal procedure against the company. It starts with a formal hearing as required by public administrative law, which may lead to the release of an administrative order requiring Google to implement measures in order to comply with German national data protection legislation.
◾As part of the investigation, the Dutch DPA will first issue a confidential report of preliminary findings, and ask Google to provide its view on the report. The Dutch DPA will use this view in its definite report of findings, after which it may decide to impose a sanction.
◾The Italian Data Protection Authority is awaiting additional clarification from Google Inc. after opening a formal inquiry proceeding at the end of May and will shortly assess the relevant findings to establish possible enforcement measures, including possible sanctions, under the Italian data protection law.”

Panopticon likes to deliver news from across la Manche too, and following on from Google’s involvement in the American Prism revelations, it would appear to have been a difficult couple of weeks for the leading internet search engine. Precise steps are awaited from the ICO at home.

 

Christopher Knight

How can this level of state surveillance be legal?

Posted on | by Timothy Pitt-Payne KC

Anya Proops addresses the above question, prompted by the recent revelations about the US Prism programme, in an article in today’s Guardian.  She discusses the main legal constraints on surveillance in the UK  – Article 8, the Data Protection Act, and the Regulation of Investigatory Powers Act.  And she even manages a name check for Panopticon – both the Benthamite version, and this blog.  The article is at page 32 of today’s print edition, and it’s online here.  It’s already attracted a lot of attention, both by way of comments on the online version, and on Twitter.