Google Spain, freedom of expression and security: the Dutch fight back

The Dutch fighting back against the Spanish, battling to cast off the control exerted by Spanish decisions over Dutch ideologies and value judgments. I refer of course to the Eighty Years’ War (1568-1648), which in my view is a sadly neglected topic on Panopticon.

The reference could also be applied, without too much of a stretch, to data protection and privacy rights in 2015.

The relevant Spanish decision in this instance is of course Google Spain, which entrenched what has come to be called the ‘right to be forgotten’. The CJEU’s judgment on the facts of that case saw privacy rights trump most other interests. The judgment has come in for criticism from advocates of free expression.

The fight-back by free expression (and Google) has found the Netherlands to be its most fruitful battleground. In 2014, a convicted criminal’s legal battle to have certain links about his past ‘forgotten’ (in the Google Spain sense) failed.

This week, a similar challenge was also dismissed. This time, a KPMG partner sought the removal of links to stories about him allegedly having to live in a container on his own estate (because a disgruntled builder, unhappy over allegedly unpaid fees, changed the locks on the house!).

In a judgment concerned with preliminary relief, the Court of Amsterdam rejected his application, finding in Google’s favour. There is an excellent summary on the Dutch website Media Report here.

The Court found that the news stories to which the complaint about Google links related remained relevant in light of public debates on this story.

Importantly, the Court said of Google Spain that the right to be forgotten “is not meant to remove articles which may be unpleasant, but not unlawful, from the eyes of the public via the detour of a request for removal to the operator of a search machine.”

The Court gave very substantial weight to the importance of freedom of expression, something which Google Spain’s critics say was seriously underestimated in the latter judgment. If this judgment is anything to go by, there is plenty of scope for lawyers and parties to help Courts properly to balance privacy and free expression.

Privacy rights wrestle not only against freedom of expression, but also against national security and policing concerns.

In The Hague, privacy has recently grabbed the upper hand over security concerns. The District Court of The Hague has this week found that Dutch law on the retention of telecommunications data should be down due to its incompatibility with privacy and data protection rights. This is the latest in a line of cases challenging such data retention laws, the most notable of which was the ECJ’s judgment in Digital Rights Ireland, on which see my post here. For a report on this week’s Dutch judgment, see this article by Maarten van Tartwijk in The Wall Street Journal.

As that article suggests, the case illustrates the ongoing tension between security and privacy. In the UK, security initially held sway as regards the retention of telecoms data: see the DRIP Regulations 2014 (and Panopticon passim). That side of the argument has gathered some momentum of late, in light of (for example) the Paris massacres and revelations about ‘Jihadi John’.

Just this week, however, the adequacy of UK law on security agencies has been called into question: see the Intelligence and Security Committee’s report entitled “Privacy and Security: a modern and transparent legal framework”. There are also ongoing challenges in the Investigatory Powers Tribunal – for example this one concerning Abdul Hakim Belhaj.

So, vital ideological debates continue to rage. Perhaps we really should be writing more about 17th century history on this blog.

Robin Hopkins @hopkinsrobin

What does ‘surveillance’ mean?

A five-member panel of the Investigatory Powers Tribunal last week issued its decision in Re: a Complaint of Surveillance (case no: IPT/A1/2013). The decision was on a preliminary point arising from this sort of factual scenario: suppose you voluntarily participate in an interview with policing/investigatory authorities but, unbeknownst to you, the investigators use a device to record that interview? Would this act of recording constitute ‘surveillance’ for the purposes of the Regulation of Investigatory Powers Act 2000 (RIPA), such that it requires authorisation (assuming it to be ‘directed’) was required? Would it engage your rights under Article 8 ECHR?

There are arguments both ways. As the IPT observed, “the wording in Part II [of RIPA] presents some difficulties for the reasonable reader”. The official guidance publications answer the above questions differently: the Office of the Surveillance Commissioners answers ‘yes’, but the Home Office answers ‘no’.

The IPT has agreed with the Home Office’s interpretation.

By s. 48(2) RIPA, Parliament has chosen not to define ‘surveillance’ as such, but to deem that surveillance shall be construed so as to include certain activities. Those deeming examples extend or amplify the ordinary meaning of ‘surveillance’, the essence of which is that person who is subject to surveillance is intended to remain unaware of those means and does not engage with the person secretly gathering the intelligence. In the IPT’s view, “the notion of a ‘covert interview’ requiring RIPA authorisation is one that is difficult to grasp. An interview is by its very nature an overt intelligence gathering operation in which the interviewee actively participates, even if only to the extent of refusing to answer questions”. Such interviews cannot constitute ‘surveillance’ and Article 8 rights are not engaged here.

It follows that the recording of the interview is not observing or listening to “in the course of surveillance” within the meaning of s. 48(2)(b) of RIPA, and no authorisation is required. The making of the recording only involves the recording process itself. It does not involve a separate act of “observing or listening to” the person being interviewed.

The IPT expressly rejected the contention that, regardless of the purpose, nature or circumstances of the intelligence-gathering activities in question, every act of “observing or listening to persons”, their conversations or communications is automatically treated as surveillance.

Robin Hopkins (@hopkinsrobin)

Prism and Tempora: Privacy International commences legal action

Panopticon has reported in recent weeks that, following the Edward Snowden/Prism disclosures, Liberty has brought legal proceedings against the UK’s security bodies. This week, Privacy International has announced that it too is bringing a claim in the Investigatory Powers Tribunal – concerning both the Prism and Tempora programmes. It summarises its claim in these terms:

“Firstly, for the failure to have a publicly accessible legal framework in which communications data of those located in the UK is accessed after obtained and passed on by the US National Security Agency through the Prism programme.  Secondly, for the indiscriminate interception and storing of huge amounts of data via tapping undersea fibre optic cables through the Tempora programme.”

Legal complaints on Prism-related transfers have been made elsewhere on data protection grounds also. A group of students who are members of a group called Europe vs. Facebook have filed complaints to the data protection authorities in Ireland (against Facebook and Apple), Luxembourg (against Skype and Microsoft) and Germany (against Yahoo).

European authorities have expressed concerns on these issues in their own right. For example, the Vice President of the European Commission, Viviane Reding, has written to the British Foreign Secretary, William Hague, about the Tempora programme, and has directed similar concerns at the US (including in a piece in the New York Times). The European Parliament has also announced that a panel of its Committee on Civil Liberties, Justice and Home Affairs will be convened to investigate the Prism-related surveillance of EU citizens. It says the panel will report by the end of 2013.

In terms of push-back within the US, it has been reported that Texas has introduced a bill strengthening the requirements for warrants to be obtained before any emails (as opposed to merely unread ones) can be disclosed to state and local law enforcement agencies.

Further complaints, litigation and potential legal challenges will doubtless arise concerning Prism, Tempora and the like.

Robin Hopkins

RIPA: hacked voicemails and undercover officers

The Regulation of Investigatory Powers Act 2000 (RIPA) has featured prominently in the news in recent weeks, both as regards undercover police officers/“covert human intelligence sources” and as regards the phone-hacking scandal.

Hacked voicemails

This morning, the Court of Appeal gave judgment in Edmonson, Weatherup, Brooks, Coulson & Kuttner v R [2013] EWCA Crim 1026. As is well known, the appellants face charges arising out of the News of the World phone-hacking controversy – specifically, conspiring unlawfully to intercept communications in the course of their transmission without lawful authority contrary to section 1(1) of the Criminal Law Act 1977.

The communications in question are voicemails. Under section 1(1)(b) of RIPA, it is an offence intentionally to intercept, without lawful authority, any communication in the course of its transmission by means of a public telecommunications system (my emphasis). The central provision is section 2(7) of RIPA:

“(7) For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.”

The appellants applied to have the charges dismissed on the grounds that the words “in the course of transmission” in section 1(1) of RIPA do not extend to voicemail messages once they have been listened to (by the intended recipient, that is, rather than by any alleged phone-hacker). They argued that the ordinary meaning of “transmission” is conveyance from one person or place to another and that section 2(7) is intended to extend the concept of “transmission” only so as to cover periods of transient storage that arising through modern phone and email usage, and when the intended recipient is not immediately available. Thus, once the message has been listened to, it can no longer be “in the course of transmission”.

The point had previously been decided against the appellant. The Court of Appeal (the Lord Chief Justice, Lloyd Jones LJ, Openshaw J) took a similar view. While it accepted that the application of section 2(7) may differ as between, for example, voicemails and emails, “there is nothing in the language of the statute to indicate that section 2(7) should be read in such a limited way” (as the appellants had contended) (paragraph 23). Further, the words “has been transmitted” in section 2(7) “make entirely clear that the course of transmission may continue notwithstanding that the voicemail message has already been received and read by the intended recipient” (paragraph 26).

The same conclusion was reached by focusing on the mischief which section 2(7) is intended to remedy, “namely unauthorized access to communications, whether oral or text, whilst they remain on the system by which they were transmitted. As the prosecution submits, unlawful access and intrusion is not somehow less objectionable because the message has been read or listened to by the intended recipient before the unauthorized access takes place” (paragraph 28, quoting an earlier judgment in this matter from Fulford LJ).

The Court accepted that section 2(7) went further than the prohibitions imposed by Directive 97/66/EC concerning the processing of personal data and the protection of privacy in the telecommunications sector (which RIPA sought to implement) and its successor, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (which postdates RIPA).  The Court found, however, that the Directives imposed minimum harmonisation; Parliament was entitled to go further and to set higher standards for the protection of privacy of electronic communications, provided that those additional obligations are compatible with EU law (paragraph 42).

Both the Data Protection Act 1998 and the Computer Misuse Act 1990 also raised their heads. The DPA, for example, contains a public interest defence which is not available under RIPA. It was argued that this risked creation parallel offences without parallel defences, violating the principle of legal certainty. This submission too was rejected (paragraphs 44-45).

The cases will now proceed to trial, apparently to commence in September.

Undercover officers

As regards the activities of undercover police officers, the major issue this week has concerned the alleged smearing of the family and friends of Stephen Lawrence: see for example The Guardian’s Q&A session with undercover-officer-turned-whistleblower Peter Francis.

The other major ongoing case regarding a former undercover officer concerns Mark Kennedy, who (together with others) infiltrated political and environmental activists over a period of years. Claims were commenced in the High Court, with part of the conduct complained of involving ensuing sexual relations between activists/their partners and undercover officers.

Earlier this year, J and others v Commissioner of Police for the Metropolis [2013] EWHC 32 (QB) saw part of the claims struck out. The Court held that the Investigatory Powers Tribunal had exclusive jurisdiction over the claims under the Human Rights Act 1998; it struck out these parts accordingly. It observed that conduct breaching Article 3 (inhuman and degrading treatment) – which included the claims relating to sexual activity – could not be authorised under RIPA, but conduct breaching Article 8 (privacy) could be authorised. Sexual activity with undercover officers did not necessarily engage Article 3.

Those parts of the claims which did not concern the Human Rights Act 1998 (actions at common law and for alleged breaches of statutory duties) were not exclusively within the Investigatory Powers Tribunal’s jurisdiction and were thus not struck out as an abuse of process, notwithstanding the police’s difficulties in presenting its case due to the ‘neither confirm nor deny’ approach to covert sources.

Unlike with the phone-hacking cases, it is not clear when this case will resume before the Court/Tribunal.

Robin Hopkins

SUPREME COURT JUDGMENT ON THE INVESTIGATORY POWERS TRIBUNAL

This week the Supreme Court handed down an important judgment on the jurisdictional scope of the Investigatory Powers Tribunal (IPT): R (on the application of A) v B [2009] UKSC 12. The case involved a former spy, ‘A’, who wished to publish a manuscript relating to the successes, failures and recruiting techniques of MI5. MI5 had refused to authorise the publication of certain elements of the manuscript under the Official Secrets Act 1989. A subsequently brought a claim for judicial review in the administrative court challenging MI5’s decision. The claim was advanced in particular on the basis that MI5’s refusal breached A‘s right to freedom of expression under Article 10 of the European Convention of Human Rights. The claim was resisted on the basis that, under s. 65 of the Regulation of Investigatory Powers Act (RIPA), it was the Investigatory Powers Tribunal (IPT) which had exclusive jurisdiction to hear any challenge made against MI5’s decision, irrespective of whether or not that challenge was made under the Human Rights Act 1998 (HRA). A’s claim for judicial review was allowed at first instance. In summary, Collins J held that the High Court exercised jurisdiction in respect of the claim in parallel with the IPT ([2008] 4 All ER 511). Collins J’s judgment was subsequently overturned by a majority of the Court of Appeal ([2009] 3 WLR 717). The Supreme Court has now unanimously upheld the Court of Appeal’s majority judgment. In essence, the Supreme Court held that:

 

  • the wording of s. 65 RIPA should be construed broadly so as to ensure that, where decisions of this nature were in issue, they should be heard by the IPT, even if they embraced challenges brought under the HRA;

 

  • the fact that s. 65 operated to oust the jurisdiction which the ordinary courts would otherwise have to hear a human rights challenge was not objectionable on constitutional grounds (i.e. it did not constitute an unlawful ouster). In particular, the ouster of jurisdiction embodied in s. 65 was lawful because: (a) it had been provided for in clear terms under the relevant legislation; and (b) it did not operate to prevent judicial scrutiny of the particular decision but instead merely ensured that that scrutiny was conducted by the IPT;

 

  • the mere fact that the IPT procedures were more secretive than those which would apply in the ordinary courts did not mean that there would be any breach of A’s right to a fair trial under Article 6 ECHR. The use of such procedures could be justified in view of the fact that determination of A’s claim would entail consideration of information which raised issues of national security. (It was noted in the judgment that an application to the ECtHR is currently pending on the question of whether certain of the IPT rules breach various articles of the Convention, including articles 6, 8 and 10).

 

The judgment is likely to be seen as controversial in certain quarters, not least because the secretive nature of the IPT process is regarded by many as being inherently unjust. 11KBW’s Jason Coppel appeared on behalf of B before the Supreme Court.  See further my post on the recent application of the IPT process to a surveillance procedure applied by a local authority.