Are proposals to introduce oversight of state powers to obtain, analyse and retain mass sets of personal details sufficient to alleviate concerns where those sets include data about individuals unconnected to investigations?
Much has been written about the UK government’s proposed new Investigatory Powers Bill (IPB) since it was published for consultation by the Home Office, and formally presented to Parliament, early last month. Further to Sophie’s recent post, the IPB was introduced to overhaul aspects of the legal framework that provides oversight regarding the use of investigatory powers by UK agencies active in protecting interests of national security or detecting serious crime, while also extending in parts the reach of their powers. The latter is intended to close the so-called ‘capability gaps’ that exist as a result of today’s computer and communications environment, in particular in areas related to the interception and acquisition of communications data by these agencies, as well as obligations regarding the retention of such data by communications service providers (CSPs). The Bill, once adopted, will repeal and replace the Data Retention and Investigatory Powers Act 2014 (DRIPA), which must happen before 31 December 2016 – for more details, see here.
As Sophie mentions, the IPB contentiously proposes legislative provision for the 12-month retention of ‘internet connection records’ by CSPs, which would enable the security agencies to identify the communications service (app- or internet-based) to which a device was connected at a particular time. It is not clear to what extent this could also include other aspects of weblog data: the ‘content’ of a communication is specifically excluded, yet, according to the IPB, “anything in the context of web browsing which identifies the telecommunications service concerned is not content”.
Leaving that issue aside, in this post I return to another topic: the extent to which the potential for privacy infringements resulting from state investigatory powers should be alleviated by strengthened oversight and a legal commitment to proportionality in their use (relative to the legitimate purposes and benefits for which they are used). The powers in question are those pertaining to bulk communications data and, in particular, bulk personal datasets (BPDs), which the IPB has brought back into the spotlight.
I mentioned BPDs in a post earlier this year about the outcomes of two comprehensive reviews of the operation, regulation and current risks of the use and oversight of investigatory powers in the UK: one by David Anderson QC (the government’s independent reviewer of terrorism legislation), resulting in the Anderson Report, A Question of Trust; and one by the Intelligence and Security Committee of Parliament (ISC), resulting in its final inquiry report. Both recommended, inter alia, that the powers of the security agencies to engage in bulk activities should be made more transparent (including the purposes for which they may be used and the authorisations required) and subject to additional safeguards, in order to help reassure the public that their privacy is being respected.
The existence of bulk data investigatory capabilities to uncover national security ‘threats’ – and the suggestion that they could be used to carry out indiscriminate and pervasive personal data surveillance on the masses without legitimacy – has been a contentious issue since Snowden’s revelations of GCHQ activities in 2013. The regulatory framework constraining the use of such powers is also one of the most divisive issues at the heart of the IPB.
Part 6 of the IPB, for example, sets out new authorisation rules for activities performed in bulk. Under chapter 1 of Part 6, agencies retain their ability to intercept communications in bulk, but in future a warrant must first be applied for by (or on behalf of) the head of an intelligence service, issued by the Secretary of State and approved by a Judicial Commissioner applying judicial review principles (the so-called ‘double-lock’ oversight process). Additional authorisation safeguards, based on an assessment of necessity and proportionality, apply to the examination of material intercepted under those warrants. The other bulk powers covered by the IPB are the bulk acquisition of communications data (chapter 2 of Part 6) and bulk equipment interference (chapter 3 of Part 6); in brief, the safeguards that would apply to bulk interception under the Bill would apply to both of these powers too.
With this background in mind, Part 7 of the IPB concerns BPD warrants and other proposed safeguards and protections against the risks of infringing individuals’ privacy concerning the use of BPDs. (To note, the Bill will not create a new power of acquiring BPDs as current powers under the Security Service Act 1989 and the Intelligence Services Act 1994 already allow security and intelligence agencies to obtain and access BPDs to fulfil their statutory functions. In that context, the Privacy Impact Assessment accompanying the IPB states that, “As the Bill does not provide for new powers, it is considered that there is no greater risk to privacy as a result of policy.”)
It is worth pausing here to look back at what the ISC report said about BPDs, since it was the first formal acknowledgement of their existence. The report (pages 55-56) defines BPDs as “large databases containing personal information about a wide range of people”, acquired “through overt and covert channels”, and used to identify ‘subjects of interest’ in the course of investigations, to establish links between individuals and groups, or to verify information obtained from other sources. As I mentioned in my previous post, further detail is sparse, although the report recommends that oversight of BPDs be placed on a clear statutory footing; the proposals in Part 7 of the IPB can be seen as a response to that recommendation. What can we glean from the IPB?
First, it can be gathered from Clause 150 that a BPD is a set of information that includes personal data relating to a number of individuals, where the nature of the set makes it likely that the majority of those individuals are not (and are unlikely to become) of interest to the intelligence service in the exercise of its functions, and which, if retained by the service after initial examination of its contents, would be held in an electronic analytic system. (Of note, ‘personal data’ takes the same definition as in the Data Protection Act 1998, save that it is extended to data relating to the deceased, because the bulk personal datasets that an intelligence agency “may obtain or acquire might include data relating to deceased persons”, for example if a dataset is not constantly updated.) Examples given by the Home Office in an accompanying fact sheet include lists of people who hold a passport or a firearms licence, a telephone directory and the electoral roll.
Second, Part 7 sets out the safeguards that must be followed if a BPD is obtained, retained or examined. Two types of warrant are described: ‘class warrants’, covering a particular type of BPD (such as travel data) described in the warrant; and ‘specific warrants’, covering a specific dataset described in the warrant that does not fall within a class (e.g. “where a new or novel dataset is obtained, or where the dataset may raise issues of sensitivity”). Both types of warrant must be authorised personally by the Secretary of State, who must be satisfied that the warrant is necessary (for the operational purpose, such as national security, specified in it) and proportionate, and that satisfactory handling and storage arrangements are in place. That decision is also subject to approval by a Judicial Commissioner, although for specific warrants required in urgent circumstances a post-issue review by a Judicial Commissioner would suffice. A warrant would come into effect when issued or, on renewal, on the day after the day on which it would otherwise have ceased to have effect. In either case the IPB specifies a maximum duration of six months, except for urgent warrants, which are limited to five working days after the day of issue. Where a warrant is not renewed (or a class warrant is cancelled), the intelligence service must apply to the Secretary of State, who may direct that the relevant material be destroyed or, with the approval of a Judicial Commissioner, that it continue to be retained and/or examined (in whole or in part) where this is deemed necessary and proportionate. A similar procedure applies where a specific warrant ceases to have effect (clause 157).
Finally, it is proposed that a publicly available statutory code of practice will replace the existing Handling Arrangements. The agencies must have regard to the code on how they access, store and destroy information contained in BPDs, on disclosure of that information to those outside the relevant service (“where this is necessary for the proper discharge of the relevant service’s statutory function”), and on audit arrangements. Compliance with the code would be overseen by the Investigatory Powers Commissioner, and any private misuse of a bulk dataset would be criminalised.
In summary, therefore, the government clearly believes that introducing a more comprehensive and comprehensible statutory scheme for the use of previously secret BPDs will increase public confidence that the state is protecting their privacy as far as possible in the pursuit of legitimate security objectives. However, for a tool that the agencies themselves admit is increasingly important to their investigations, the proposals may not go far enough. In particular:
- The level of judicial scrutiny required may not reassure those who fear that judicial oversight of warrants will simply become a ‘rubber stamp’ exercise.
- The appropriate retention period for BPDs remains a disputed issue since the CJEU’s decision in Digital Rights Ireland and the recent referral by the English Court of Appeal of questions concerning DRIPA to the CJEU.
- What happens if information in BPDs is incorrect?
- What obligations will overseas agencies have if BPDs are disclosed to them?
Perhaps most pressingly, the prospect of disproportionality (operational justifications being used to infringe the privacy of individuals not under suspicion) remains a spectre that will not easily disappear from the public mind. Such concerns seem particularly valid where bulk powers involve the covert creation, data matching and linkage of unknown, but potentially highly sensitive, personal datasets containing millions of records, which could include telephone and internet record datasets derived from bulk communications data acquired from CSPs. (For example, under Part 4 of the IPB (clause 71(8)(b)(i)), it is proposed that CSPs could be required to generate communications data specifically for retention.) Indeed, BPDs could encompass public or private data of all kinds (retail loyalty cards? credit reports? medical records? biometric details?) obtained in the exercise of other agency powers. This suggests an expansion of the reach of state-surveillance ‘tentacles’ to a previously unthinkable, pervasive level, and future technological developments will of course exacerbate the effect.
In short, while the IPB and its accompanying documents usefully clarify some of the many unknowns about BPDs, their value and their oversight, these answers inevitably raise further questions about (a) why, how and where BPDs are held, (b) who may access them, (c) to whom and under what conditions BPDs (and the products of their analysis) may be disclosed, (d) the processing of personal data in BPDs for purposes other than those for which it was obtained or retained, (e) the linking of BPDs (compare, e.g., the concerns raised in Scotland this year about the creation of a ‘Super ID’ database), and (f) the processes for determining how long BPDs (and the material derived from analysing them) should be held, and for the destruction of such data.
Given recent terrorist events, this is inevitably a highly emotive issue, yet resistance in some quarters to many provisions of the IPB will remain strong. The eventual Investigatory Powers Act may therefore take some time to agree, and it could differ significantly from the draft Bill. In the meantime, the Joint Committee on the Draft Investigatory Powers Bill has launched a call for evidence on the contents of the Bill, including BPDs, which closes next week. Next stop: the UK government plans to introduce a revised Bill in Parliament at the beginning of 2016.
Post-script: An Investigatory Powers Tribunal challenge brought by Privacy International to the security services’ use of BPDs under a variety of legal powers, and to bulk communications data (BCD) acquired by GCHQ and MI5 under directions issued under s.94 of the Telecommunications Act 1984, was heard in the latter half of 2016.
The judgment was made available in October 2016. The Tribunal described the case facts as follows: “The communications data thus collected will include the “who, when, where and how” of both telephone and internet use and this may include the location of mobile and fixed line phones from which calls are made or received, and the location of computers used to access the internet. BCD does not include the content of any such communications, which may only be obtained under an interception warrant. Such data, acquired by overt or covert means, includes considerable volumes of data about biographical details, commercial and financial activities, communications and travel, as well as communications data obtained under s.94 arrangements or by interception under a warrant”. Regarding BPDs, of note, the Tribunal’s ruling disclosed, from an unpublished 2010 MI5 policy statement, that the BPDs held included material on the nation’s personal financial activities.
The final decision is here, helpfully summarised here (by Sophie) and here (by the Guardian, in extract): “The tribunal said the regime governing the collection of … BCD – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public. It added that the retention of … BPD – which might include medical and tax records, individual biographical details, commercial and financial activities, communications and travel data – also failed to comply with article 8 for the decade it was in operation until it was publicly acknowledged in March 2015. The BPD regime failed to comply with the ECHR principles which we have above set out throughout the period prior to its avowal in March 2015. The BCD regime failed to comply with such principles in the period prior to its avowal in November 2015, and the institution of a more adequate system of supervision as at the same date”.