Google Spain, freedom of expression and security: the Dutch fight back

The Dutch fighting back against the Spanish, battling to cast off the control exerted by Spanish decisions over Dutch ideologies and value judgments. I refer of course to the Eighty Years’ War (1568-1648), which in my view is a sadly neglected topic on Panopticon.

The reference could also be applied, without too much of a stretch, to data protection and privacy rights in 2015.

The relevant Spanish decision in this instance is of course Google Spain, which entrenched what has come to be called the ‘right to be forgotten’. The CJEU’s judgment on the facts of that case saw privacy rights trump most other interests. The judgment has come in for criticism from advocates of free expression.

The fight-back by free expression (and Google) has found the Netherlands to be its most fruitful battleground. In 2014, a convicted criminal’s legal battle to have certain links about his past ‘forgotten’ (in the Google Spain sense) failed.

This week, a similar challenge was also dismissed. This time, a KPMG partner sought the removal of links to stories about him allegedly having to live in a container on his own estate (because a disgruntled builder, unhappy over allegedly unpaid fees, changed the locks on the house!).

In a judgment concerned with preliminary relief, the Court of Amsterdam rejected his application, finding in Google’s favour. There is an excellent summary on the Dutch website Media Report here.

The Court found that the news stories to which the complaint about Google links related remained relevant in light of public debates on this story.

Importantly, the Court said of Google Spain that the right to be forgotten “is not meant to remove articles which may be unpleasant, but not unlawful, from the eyes of the public via the detour of a request for removal to the operator of a search machine.”

The Court gave very substantial weight to the importance of freedom of expression, something which Google Spain’s critics say was seriously underestimated in the latter judgment. If this judgment is anything to go by, there is plenty of scope for lawyers and parties to help Courts properly to balance privacy and free expression.

Privacy rights wrestle not only against freedom of expression, but also against national security and policing concerns.

In The Hague, privacy has recently grabbed the upper hand over security concerns. The District Court of The Hague has this week found that Dutch law on the retention of telecommunications data should be struck down due to its incompatibility with privacy and data protection rights. This is the latest in a line of cases challenging such data retention laws, the most notable of which was the ECJ’s judgment in Digital Rights Ireland, on which see my post here. For a report on this week’s Dutch judgment, see this article by Maarten van Tartwijk in The Wall Street Journal.

As that article suggests, the case illustrates the ongoing tension between security and privacy. In the UK, security initially held sway as regards the retention of telecoms data: see the DRIP Regulations 2014 (and Panopticon passim). That side of the argument has gathered some momentum of late, in light of (for example) the Paris massacres and revelations about ‘Jihadi John’.

Just this week, however, the adequacy of UK law on security agencies has been called into question: see the Intelligence and Security Committee’s report entitled “Privacy and Security: a modern and transparent legal framework”. There are also ongoing challenges in the Investigatory Powers Tribunal – for example this one concerning Abdul Hakim Belhaj.

So, vital ideological debates continue to rage. Perhaps we really should be writing more about 17th century history on this blog.

Robin Hopkins @hopkinsrobin

Surveillance powers to be kept alive via DRIP

The legal framework underpinning state surveillance of individuals’ private communications is in turmoil, and it is not all Edward Snowden’s fault. As I write this post, two hugely important developments are afoot.

Prism/Tempora

The first is the challenge by Privacy International and others to the Prism/Tempora surveillance programmes implemented by GCHQ and the security agencies. Today is day 2 of the 5-day hearing before the Investigatory Powers Tribunal. To a large extent, this turmoil was unleashed by Snowden.

DRIP – the background

The second strand of the turmoil is thanks to Digital Rights Ireland and others, whose challenge to the EU’s Data Retention Directive 2006/24 was upheld by the CJEU in April of this year. That Directive provided for traffic and location data (rather than content-related information) about individuals’ online activity to be retained by communications providers for a period of 6-24 months and made available to policing and security bodies. In the UK, that Directive was implemented via the Data Retention (EC Directive) Regulations 2009, which mandated retention of communications data for 12 months.

In Digital Rights Ireland, the CJEU held the Directive to be invalid on the grounds of incompatibility with the privacy rights enshrined under the EU’s Charter of Fundamental Rights. Strictly speaking, the CJEU’s judgment (on a preliminary ruling) then needed to be applied by the referring courts, but in reality the foundation of the UK’s law fell away with the Digital Rights Ireland judgment. The government has, however, decided that it needs to maintain the status quo in terms of the legal powers and obligations which were rooted in the invalid Directive.

On 10 July 2014, the Home Secretary made a statement announcing that this gap in legal powers was to be plugged on a limited-term basis. A Data Retention and Investigatory Powers (DRIP) Bill would be put before Parliament, together with a draft set of regulations to be made under the envisaged Act. If passed, these would remain in place until the end of 2016, by which time longer-term solutions could be considered. Ms May said this would:

“…ensure, for now at least, that the police and other law enforcement agencies can investigate some of the criminality that is planned and takes place online. Without this legislation, we face the very prospect of losing access to this data overnight, with the consequence that police investigations will suddenly go dark and criminals will escape justice. We cannot allow this to happen.”

Today, amid the ministerial reshuffle and shortly before the summer recess, the Commons is debating DRIP on an emergency basis.

Understandably, there has been much consternation about the extremely limited time allotted for MPs to debate a Bill of such enormous significance for privacy rights (I entitled my post on the Digital Rights Ireland case “Interfering with the fundamental rights of practically the entire European population”, which is a near-verbatim quote from the judgment).

DRIP – the data retention elements

The Bill is short. A very useful summary can be found in the Standard Note from the House of Commons Library (authored by Philippa Ward).

Clause 1 provides power for the Secretary of State to issue a data retention notice on a telecommunications services provider, requiring them to retain certain data types (limited to those set out in the Schedule to the 2009 Regulations) for up to 12 months. There is a safeguard that the Secretary of State must consider whether it is “necessary and proportionate” to give the notice for one or more of the purposes set out in s22(2) of RIPA.

Clause 2 then provides the relevant definitions.

The Draft Regulations explain the process in more detail. Note in particular regulation 5 (the matters the Secretary of State must consider before giving a notice) and regulation 9 (which provides for oversight by the Information Commissioner of the requirements relating to integrity, security and destruction of retained data).

DRIP – the RIPA elements

DRIP is also being used to clarify (says the government) or extend (say some critics) RIPA 2000. In this respect, as commentators such as David Allen Green have pointed out, it is not clear why the emergency legislation route is necessary.

Again, to borrow the nutshells from the House of Commons Library’s Standard Note:

Clause 3 amends s5 of RIPA regarding the Secretary of State’s power to issue interception warrants on the grounds of economic well-being.

Clause 4 aims to clarify the extra-territorial reach of RIPA in relation to both interception and communications data by adding specific provisions. This confirms that requests for interception and communications data to overseas companies that are providing communications services within the UK are subject to the legislation.

Clause 5 clarifies the definition of “telecommunications service” in RIPA to ensure that internet-based services, such as webmail, are included in the definition.

Criticism

The Labour front bench is supporting the Coalition. A number of MPs, including David Davis and Tom Watson, have been vociferous in their opposition (see for example the proposed amendments tabled by Watson and others here). So too have numerous academics and commentators. I won’t try to link to all of them here (as there are too many). Nor can I link to a thorough argument in defence of DRIP (as I have not been able to find one). For present purposes, an excellent forensic analysis comes from Graham Smith at Cyberleagle.

I don’t seek to duplicate that analysis. It is, however, worth remembering this: the crux of the CJEU’s judgment was that the Directive authorised such vast privacy intrusions that stringent safeguards were required to render it proportionate. In broad terms, that proportionality problem can be fixed in two ways: reduce the extent of the privacy intrusions and/or introduce much better safeguards. DRIP does not seek to do the former. The issue is whether it offers sufficient safeguards for achieving an acceptable balance between security and privacy.

MPs will consider that today and Peers later this week. Who knows? – courts may even be asked for their views in due course.

Robin Hopkins @hopkinsrobin

REFUSING STUDENT VISAS DUE TO WMD CONCERNS: NEW NATIONAL SECURITY DECISION

Mahmud Quayum (on behalf of the Camden Community Law Centre) v IC and FCO (EA/2011/0167) is the second First-Tier Tribunal decision in recent weeks on section 24 of FOIA (national security). The other is Summers, on which see Anya’s post here. In both cases, the Tribunal has found the exemption to be engaged and the public interest to favour its maintenance.

Quayum concerned the Academic Technology Approval Scheme. The Scheme, introduced in November 2007, aims to prevent the spread of knowledge and skills useful in the proliferation of weapons of mass destruction. All students from outside the EEA and Switzerland who wish to embark on certain designated post-graduate courses must apply to the FCO’s Counter Proliferation Department for an ATAS certificate before they apply for a student visa. The requester expressed concern that, in some cases, the applicant’s nationality could count decisively against them in a manner that breached equalities legislation. He requested details of refused applications, broken down by applicants’ nationalities and proposed study subjects. He argued that unsuccessful applicants lacked adequate rights of appeal, that much information about the scheme (as well as about countries who were a particular concern from a WMD perspective) was already public, and that non-disclosure would foster “an atmosphere of secrecy over openness”. As usual with s. 24 cases, those arguments went both to the engagement of the exemption and to the public interest.

The Tribunal found those arguments insufficient in both respects. The Equality Act 2010 contains an exemption for national security matters (s. 192). While there was no formal right of appeal, unsuccessful applicants could seek a review of refusals; this dispelled concerns about a “surreptitious mechanism”. The information in the public domain was materially different to that which had been requested. The Tribunal recognised that disclosure would assist in the transparency of an arguably controversial Scheme, but found this to be outweighed by the risk of disclosure undermining the effective operation of an important national security measure, including by discouraging universities (who risked being identified from the disputed information) from co-operating with the Scheme.

Regarding the approach to s. 24, the following extracts from the decision are worth noting:

“… national security is predominantly the responsibility of the government and its various departments. The Second Respondent has contended, correctly in the Tribunal’s view, that the Tribunal must at least initially afford due weight to what is regarded as the considered view of such departments, even though the exemption entails an element of public interest and the balancing test. In particular, and again the Tribunal endorses this approach, particular weight should be afforded to the views of the government or its appropriate department with regard to its or their assessment of what is required to safeguard national security in any given case and the prejudice likely to result from disclosure” (paragraph 43), and

“… the Tribunal is equally firmly of the view in accepting the contention advanced by the Second Respondent that the particular weight to be applied in favour of maintaining the exemption will be proportionate to the severity of the perceived threat. Thus, to take the point which is in issue here it can with some justification, in the Tribunal’s judgment, be argued that since the proliferation of WMD would constitute one of the severest threats to the security of the state, given its potential wide-ranging effect, so must the countervailing public interest in disclosure be a weighty one, such that disclosure becomes a viable option. The Tribunal stresses that nothing that has just been said in any way converts the present exemption into an absolute one” (paragraph 44).

Finally – as is often the case of late – the requester sought to rely on Article 10 ECHR. Interestingly, the Tribunal in this case observed that Article 10 would make no difference to the analysis, given the checks and balances built into the meaning of s. 24 and the public interest test.

CAMPAIGN AGAINST ARMS TRADE – SECTION 27

The First Tier Tribunal (Information Rights) has been considering international relations in Campaign Against Arms Trade v Information Commissioner and Ministry of Defence, EA/2011/0109.

The Campaign Against Arms Trade contacted The National Archive by email on 22 May 2009 to request access to files held under reference nos. DEFE68/133 and DEFE68/136. File 133 was entitled or described as relating to the “[MOD]: Central Staff: Registered Files and Branch Folders: sale of arms to Saudi Arabia”. The file was said to be made up predominantly of “telegrams, memos and general correspondence to deal with the negotiations which took place during 1971/72 regarding the Saudi Arabian Air Defence Program (SADAP)”. File 136 was stated as dealing with the follow-up to the Saudi decision not to renew a contract for the training and maintenance of aircraft operated by the Royal Saudi Air Force with the British firm, Airwork, but to give it to the Pakistani Air Force instead.

The National Archive released the files with redactions and invoked section 27(1) and section 27(2) of the Freedom of Information Act 2000 (FOIA). Section 27(1) provides that “Information is exempt information if its disclosure under this Act would, or would be likely to, prejudice – (a) relations between the United Kingdom and any other State, (b) relations between the United Kingdom and any international organisation or international court, (c) the interests of the United Kingdom abroad, or (d) the promotion or protection by the United Kingdom of its interests abroad.” The MoD relied on (a), (c) and (d) of section 27(1). They also relied on section 27(2), which provides that “Information is also exempt information if it is confidential information obtained from a State other than the United Kingdom or from an international organisation or international court”. Both of these are qualified exemptions.

The Information Commissioner found that the exemptions in sections 27(1)(a), (c) and (d) and also section 27(2) were engaged. Having considered the balance of the public interest, he ordered limited disclosure of the previously redacted material. The appellant did not challenge this decision with respect to section 27(2) and therefore the Tribunal’s decision is only concerned with section 27(1).

The Tribunal considered the decision of Gilby v Information Commissioner and Foreign & Commonwealth Office (EA/2007/0071, 0078 and 0079). The Tribunal commented that it was not bound by Gilby but that it was following the same general approach: “If corrupt activities on the part of UK officials are evident from the papers, as defined in paragraph 59 of the Gilby decision, there is a strong public interest in disclosure”. However, it had “real difficulty in applying a workable and justifiable approach to partial disclosure of documents through redaction”.

The Tribunal concluded that section 27(1) was engaged and that the Commissioner had properly applied the public interest considerations. It rejected the argument that, given the level and extent of disclosure in the wake of the Gilby decision and indeed in another context, disclosure of much although not all of the requested information would not necessarily lead to an unfavourable reaction on the part of Saudi Arabia.

Interestingly, the Tribunal commented on its approach where the parties have agreed to an appeal being determined on the papers without a hearing. Where the parties so consent, the Tribunal “is firmly of the view that it must therefore approach this appeal with a proper sense of proportion and also with a due sense and degree of proportionality. The costs which would be attendant on a more protracted exercise means that a minute dissection of what is a substantial body of information cannot properly be justified at least in the present case and the Tribunal so finds”. The parties should bear this comment in mind, when deciding whether or not to request an oral hearing of an appeal.

FROM NAKED PHOTOS TO NUCLEAR ENRICHMENT: ROUNDUP OF NEW TRIBUNAL DECISIONS

The past week saw a slew of new decisions from the First-Tier Tribunal. Here is Panopticon’s highlights package.

Sections 41 (information obtained in confidence) and 43 (commercial prejudice)

In DBIS v IC and Browning (EA/2011/0044), the requester (a Bloomberg journalist) had sought information from the Export Control Organisation in connection with licences issued for the exporting to Iran of “controlled goods” – explained by the Tribunal as “mainly military, dual use (potentially military), equipment designed for torture or repression or sources of radio-activity”. The relevant public authority, the Department for Business, Innovation & Skills, refused the request, relying on sections 41 and 43. The IC found for the requester on the narrow basis that, whilst disclosure would result in a breach of confidence, no commercial detriment would be suffered by the licence applicants as a result. Subsequent evidence from the Department persuaded the IC to change position and support the appeal, which was resisted by the applicant. In a decision which turned on the evidence, the Tribunal allowed the appeal, and found both sections 41(1) and 43(2) to be effective.

Section 42 (legal professional privilege)

Two recent decisions on this exemption. Both saw the Tribunal uphold the refusal, applying the established approach under which this exemption has a strong in-built public interest. Szucs v IC (EA/2011/0072) involved an FOIA request about an earlier FOIA request (the appellant requested the legal advice and associated documents provided to the Intellectual Property Office about how to deal with a previous FOIA request made by the appellant’s husband). Davis v IC and the Board of Trustees of the Tate Gallery (EA/2010/0185) is eye-catching primarily because it concerned the Tate’s legal advice concerning the inclusion in an exhibition of a photograph of the actress Brooke Shields, aged ten, naked, entitled “The Spirit of America” (the Tate had initially proposed to include this in an exhibition, but ultimately withdrew the photograph).

Section 40 (personal data)

Beckles v IC (EA/2011/0073 & 0074) concerned the identifiability of individuals from small sample sizes, in the context of information about dismissals, compromise agreements and out-of-court settlements. The appellant asked Cambridge University for information on (among other things) the number of employees who received post-dismissal settlements. The answer was a low number. He asked for further details concerning the settlement amounts, rounded to some appropriate non-exact figure. This, said the Tribunal (applying the Common Services Agency/Department of Health approach to identifiability from otherwise anonymous figures) was personal data, the disclosure of which would be unfair. Its reasoning is summed up in this extract:

“Information as to the settlement of a claim made by an identified individual relating to his or her employment is undoubtedly personal data. The question is whether the four individuals or any of them could be identified if the information requested were disclosed, even in approximated form…. Cambridge University is made up of a large number of much smaller academic or collegiate communities. It is likely that a number of colleagues or friends will be aware that a particular individual settled a claim with the University within the time-scale specified. They will be aware of the general nature of that person’s employment. This is a small group of claims in a relatively short period. In the form originally requested it is readily foreseeable that one or more of the four will be identified.”

Sections 24 (national security) and 27 (international relations)

Burt v IC and MOD (EA/2011/0004) concerned information gathered by staff of the UK Atomic Weapons Establishment on an inspection visit to a United States atomic energy facility, as a learning exercise regarding the proposed development of an enriched uranium facility at Aldermaston. The US had expressed its desire to maintain proper confidence in what it regarded as a sensitive area. The MOD refused the request, relying on sections 27 and 24. By the time of the appeal, only a small amount of information had not been disclosed. This was primarily of a technical nature, containing observations about the operation of plant, machinery, procedures and processes at the US facility.

The Tribunal upheld the MOD and Commissioner’s case as regards the outstanding material. As regards section 27, the Tribunal applied the principles from Campaign against the Arms Trade v IC and MOD (EA/2006/00040). It observed, however, that confidential information obtained from another country would not always be protected by section 27: it was “perhaps axiomatic that the foreign State will take the United Kingdom as it finds it including but not limited to the effect of its own domestic disclosure laws. It follows that there may well be cases where information otherwise imparted in confidence from a foreign State to a United Kingdom authority would need to be considered on its own merits as to whether some form of disclosure should be made or ordered whether under FOIA or under similar analogous legislation or principles such as the UK data protection principles.”

As regards section 24, the Tribunal applied Kalman v IC and Department of Transport (EA/2009/0111) (recourse to the exemption should be “reasonably necessary” for the purpose of safeguarding national security), and Secretary of State for the Home Department v Rehman [2003] 1 AC 153 (the threat to national security need not be immediate or direct).

Burt is also an example of a “mosaic effect” case: taken in isolation, the disputed information may appear anodyne, but the concern is with how it might be pieced together with other publicly available information.

Section 14(1) FOIA (vexatious requests)

Dransfield v IC (EA/2011/0079) is an example of the Tribunal overturning the Commissioner’s decision that section 14(1) had been engaged (for another recent example, see my post here). As with many such cases, the history and context were pivotal. Given that it is the request, rather than the requester, which must be adjudged to be vexatious, how should the context be factored in? The Tribunal gave this useful guidance:

“There is, however, an important distinction to be drawn between taking into account the history and context of a request, as in the cases referred to above, and taking into account the history and context of other requests made by a requester or other dealings between the requester and the public authority. The former is an entirely proper and valid consideration. The latter risks crossing the line from treating the request as vexatious, to treating the requester as vexatious. That line, in our view, was crossed in the present case.”

Robin Hopkins

Reforming the Information Tribunal

A letter was circulated yesterday (4th August) to “stakeholders” of the Information Tribunal, giving information about the implications for the Information Tribunal of the new unified tribunal structure.

The new structure involves a system of First Tier tribunals and Upper Tribunals. The Information Tribunal will be one of a number of tribunals that transfer into the General Regulatory Chamber (GRC), one of the First Tier tribunals.

According to the letter, from January 2010 information rights cases will generally be heard in the GRC, with an appeal to the Administrative Appeals Chambers of the Upper Tribunal on a point of law. However, in some circumstances cases will be heard in the first instance in the Upper Tribunal. This will be where the appeal is complex, unusual, or particularly important. In addition, national security appeals (under section 28 of the Data Protection Act 1998 or section 60 of the Freedom of Information Act 2000) will go straight to the Upper Tribunal.

The procedural rules for those tribunals moving into the GRC in September 2009 have now been finalised and laid before Parliament. This includes the Charity Tribunal, the Estate Agents Appeals Panel and the Consumer Credit Appeals Tribunal. For those jurisdictions moving to the GRC in January 2010 – including the Information Tribunal – any further specific procedural rules will be added by amendment once Parliament has approved the transfer. Approval is expected later this year.