Cybersecurity has become a major concern for governments, companies and citizens, as some of their most sensitive information is routinely stored and communicated online. Rogue attackers can steal confidential information or corrupt their databases, potentially leading to critical security incidents ranging from reputational damages and economic losses to national security risks.
The threat, however, works in two ways. While companies and governments are concerned about being targets of digital infiltration, they have used these technologies to obtain extensive information from common citizens for crime and terrorism prevention or commercial purposes. Collecting geolocationdata and screening social networks are now common practices, relatively easy to carry out due to the embedded features of modern devices.
For years, many surveillance practices were conducted in a legal void. Recently, however, several governments have been introducing laws to claim exclusive and privileged access to the digital information of citizens within and beyond their borders. Such sweeping surveillance powers can threaten the privacy of ordinary citizens, and thereby fundamental liberties.
Recent UK legislation on surveillance powers
Enhancing the government’s surveillance powers has been a constant item on Prime Minister Theresa May’s agenda. In 2012, when she was Home Secretary, May pushed the draft Communications Data Bill, which required technology companies to track, retain, and store communications records as well as to make them available to the police. The bill, however, was never passed because the parliamentary committee in charge of reviewing it concluded that the bill was “too sweeping.” Nick Clegg, then Deputy Prime Minister, even went as far to claim that the bill was neither proportionate nor technologically feasible.
In July 2014, a similar law was introduced as fast-track legislation: the Data Retention and Investigatory Powers Act (DRIPA). The Act gave expansive communication surveillance and interception powers to the government. Worried about the content of the DRIPA and the hasty manner in which it was adopted, privacy advocates and some members of the Parliament successfully challenged it.
So far, the DRIPA has been declared contrary to European Union Law three times: first, on 17 July 2015 by the High Court of Justice, then, on 21 December 2016 by the European Court of Justice, and more recently, on 30 January 2018 by the Court of Appeal. These rulings confirmed that some of the features of the DRIPA contravened principles of European law.
Due to its fast-track nature, the DRIPA contained a sunset clause that made it expire on 31 December 2016. As a replacement, in November 2016, the new Investigatory Powers Act (IPAct)was presented. Its original version, which took several elements from the DRIPA, effectively allowed the government to interfere, acquire and retain communications data, bulk personal datasets and other information with very limited privacy safeguards.
Delaying through consultation
In late 2017, the UK government launched a public consultation about amendments to the Investigatory Powers Act to satisfy the requirements of the judgement. While the proposed changes address some of the ECJ concerns, critics have argued the proposed changes are not enough to comply with the Court’s decision that the definition of “serious crimes” is too broad, and a robust system of independent oversight is still lacking.
This process was unusual as the government admittedly “does not normally consult on such regulations.” It also seemed to be contrary to the government’s principle of consulting “only on issues that are genuinely undecided,” which was not the case, as the Court had already ruled that some surveillance practices found in the IPAct were inconsistent with European law. The consultation was open between 30 November 2017 and 18 January 2018, and while there is not a set period, keeping it open for just six weeks and over the holiday period does not constitute best practice.
Resisting Legal Challenges
Soon after the new IPAct was introduced, Liberty, a British organisation concerned with human rights protection, requested a judicial review to the High Court.Liberty argued that some powers protected by the Act such as the interception of communication, acquisition of communication history and the creation of bulk personal datasets breached the public’s rights.
The government conceded that some parts of the IPAct including the lack of independent oversight and broad purposes for data retention are inconsistent with European law. However, it noted that these concerns are being addressed in the 2017 consultation and asked the Court to set a deadline for April 2019 to deliver the changes.
The fact that the government kept the IPAct intact after the ECJ’s ruling means, according to Liberty, that ministers have been unlawfully ordering the retention of sensitive communications datasince the Act was introduced. Hence, any delay in implementing the required amendments, would leave privacy rights vulnerable in the meantime.
The consequences of Brexit for privacy protections
If the government is successful in delaying addressing the shortcomings of IPAct, two and a half years would have passed between ECJ’s ruling and the actual implementation of the changes –if they happen at all. As the expected end of the UK’s membership to the European Union is planned for 29 March 2019, after that day the UK government could argue that a ruling from the European Court of Justice is no longer applicable, and it may keep the content of the IPAct unaltered, setting back efforts to protect privacy.
The safeguards provided by European laws may cease once the UK withdraws from the European Union. After Brexit, UK citizens will not be protected by the Charter of Fundamental Rights of the European Union because, as its name suggests, it only applies to citizens of the EU. On the other hand, The European Convention on Human Rightsis independent from the EU and it protects the rights of the people from the countries that belong to the Council of Europe, including the UK. However, Theresa May has openly called the Convention as a hindrance to the UK’s security and prosperity, and has proposed to leave it.
As increasing surveillance powers have long been a priority for Prime Minister May, her government might be unwilling to agree to robust protections of privacy. The way the government has appealed, resisted and postponed the application of the rulings against its sweeping surveillance powers, as well as the implementation of privacy protection measures, has led advocacy leaders to denounce an intentional governmental delaying strategy. The UK government seems to intend to run out the clock until Brexit finally occurs to address surveillance legislation unencumbered.
While the rhetoric to justify enhanced surveillance has focused on portraying terrorists as the principal enemies to fight against, we should not forget that the human rights regime was established more than 60 years ago with the main aim to keep in check the power of the state and to prevent abuses against ordinary citizens. With Brexit, British citizens have to be even more vigilant to ensure that their government does not expand its surveillance powers in the name of safety but at the expense of fundamental liberties.
In the hearings, which took place on 27 and 28 February 2018, Liberty’s counsel told the Court that the broad range of data that the government can access under the IPAct can be used to build an intimate and comprehensive picture of citizens’ lives, thus undermining privacy rights. They also argued that the Act has failed both to provide adequate protection for legally privileged communications and to enforce the application of European data retention standards. Liberty requested the government to provide a clear purpose for data collection, to carry out targeted instead of indiscriminatesurveillance and to inform citizenswhen their data has been accessed.