Just before Christmas, the UK Interception of Communications Commissioner’s Office (IOCCO) published online its submission for the Investigatory Powers Review. It is a 51 p. document full of interesting things.
The purpose of this post is to highlight the main points made by the IOCCO with a view to clarifying the debate as regards the “legality” of the recently adopted DRIPA (the Data Retention and Investigatory Powers Act 2014), [to be read together with the new drafts of the Acquisition and disclosure of communications data and the Retention of communications data Codes of Practice Codes of Practice (see our earlier post on these drafts)], not to mention the very recent attempts to amend the Counter-Terrorism and Security Bill… which seems to be dead in the water… for now…
Before asking the question whether the legal framework is of quality (e.g. does it include enough safeguards to protect the fundamental right to the respect of private life?), let’s try to see whether the legal framework is clear. A few points to mention here:
- To refresh memories, the role of the IOCCO is to keep under review and perform an audit of the interception of the content of communications and related communications data, as well as the acquisition of communications data, in the UK. The IOCCO does not supervise the processes while they are being conducted. Instead, if a person has a complaint about the interception of their communications, the Investigatory Powers Tribunal is the competent authority to hear such a complaint…. Although obviously it is unlikely that an individual will become aware of such practices… in particular within 1 year of the conduct’s occurrence and, even if they were, that he or she will not necessarily be able to meet the threshold of demonstrating “wilful or reckless failure by any person within a relevant public authority exercising or complying with the powers” in respect of such practices.
- Notably, “the Tribunal processes appear to deal with the actions of public authorities and therefore it is not clear if that would include investigating the circumstances when a CSP [communications service provider] is at fault concerning the interception of the wrong communications address and/ or the disclosure of the wrong communications data”. In 2013 the IOCCO “reported that 20 % of the interception errors and 12.5% of the communications data errors were caused by CSPs”.
- Importantly, if the IOCCO’s mandate is to keep under review the acquisition of communications data by public authorities, it does not audit retention and destruction practices by CSPs. And DRIPA will not improve the situation. “There does not appear to be a legal requirement for the Interception Commissioner or any other independent oversight body to review the implementation of Section 1 of the Data Retention and Investigatory Powers Act (DRIPA) which relates to the giving of notice by a Secretary of State requiring the retention of specific communications by a CSP. There is currently no means of redress (i.e. Tribunal) for a CSP should they consider a notice requiring the retention of communications data is or has become disproportionate and should be cancelled and, there has been a refusal to cancel it”.
- The IOCCO does not audit “the use of other laws to acquire communications data which allow the public authorities using them to engage directly with the CSPs without the use of a SPoC (single point of contact)” [ e.g. by way of section 9 PACE orders].
- In practice it is not clear anymore what content and communications data are. The IOCCO notes that “the definition of communications data has not changed since the Act [RIPA] came into existence, despite the fact that communications technologies, and thus the types of information generated and processed have changed dramatically”. [For those interested in that distinction, I have recently presented a joint paper on this issue at the CPDP conference and the paper is available on request]. The recommendation of the IOCCO is therefore that “Amendments to the Act need to be undertaken to define what is content and by doing so better determine that which the term communications data relates to when generated within the online environment”.
Just to add, the IOCCO is also sceptical about the introduction of a prior judicial approval process as this does not guarantee that a judge will look at each request individually and that down-stream scrutiny will effectively take place.
Interestingly the IOCCO is not the only Commissioner Office to voice important concerns. “Too many CCTV cameras are useless” recently stated the Surveillance Camera Commissioner. His annual report published on 16 December 2014 is also worth reading.
What if Commissioners could be heard by the right people? Would we be living in a better world?