The Investigatory Powers Tribunal (IPT) delivered its judgment yesterday in the case Privacy International v. Secretary of State for Foreign and Commonwealth Affairs et al. The skeleton arguments for the claimants and respondents can be accessed here.
In a nutshell, and as recalled by para. 3 of the judgment:
“The proceedings were brought on 5th June 2015 relating to the SIAs [Security and Intelligence Agencies]’ acquisition, use, retention, disclosure, storage and deletion of Bulk Personal Datasets (“BPDs”), whose existence was publicly acknowledged in March 2015 by the Respondents in evidence to, and then in a Report by, the Intelligence Security Committee of Parliament (“ISC”). The proceedings were amended in September 2015 to add claims in relation to the use of s.94 of the Telecommunications Act 1984 (“s.94” and “the 1984 Act”) by the Home and Foreign Secretaries to give directions to Public Electronic Communications Networks (“PECNs”) to transfer bulk communications data to GCHQ and MI5 (“BCD”).”
A few dates are worth mentioning:
- March 2015: “[T]he existence of BPD was only avowed in March 2015, when disclosure was made to the ISC.”
- 4 November 2015: the Section 94 Handling Arrangements came into force. The Handling Arrangements “apply to bulk communications data obtained under section 94 of the Telecommunications Act 1984. They are mandatory and required to be followed by staff in the Intelligence Services. Failure to comply may lead to disciplinary action, which can include dismissal and prosecution.” In addition, “As with BPD, specific, detailed measures are also set out which are designed to limit access to data to what is necessary and proportionate, to ensure that such access is properly audited, and to ensure that disciplinary measures are in place for misuse.” Importantly, “the S.94 directions, and BCD, which had previously been disclosed to the ISC, were not publicly avowed until November 2015, when they were disclosed in the context of the draft Investigatory Powers Bill then being presented to Parliament.”
The IPT is faced with 4 issues:
- “a) Issue 1: Section 94 TA under domestic law: Is it lawful as a matter of domestic law to use section 94 TA to obtain BCD? [Independently of the law of the EU and the ECHR]
- b) Issue 2: Is the section 94 TA regime in accordance with the law? This issue is to be considered in three time periods. First, prior to the avowal of the use of section 94 to obtain BCD [4th November 2015]. Secondly, from avowal to the date of hearing. Thirdly, as at the date of hearing.
- c) Issue 3: Is the BPD regime in accordance with the law? This issue is to be considered in four time periods. First, prior to the avowal of the holding of BPDs [March 2015]. Secondly, from avowal to the publication of the BPD handling arrangements. Thirdly, from publication to the date of the hearing. Finally, as at the date of hearing.
- d) Issue 4: Are the section 94 regime and the BPD regime proportionate?”
The IPT rules:
- “[I]t is lawful at domestic law to use s 94 to obtain BCD.” [The IPT refused to regard RIPA and DRIPA as together constituting a comprehensive framework that necessarily excludes alternatives or trapdoors. In fact, the IPT rejected the very term “trapdoor” as a way to describe the effects of s.94 of the Telecommunications Act 1984.]
- “Accordingly, our conclusion is, in respect of Issues 2 and 3, that, subject to the issue of transfer of data, and to resolution of Issue 4 below, the s.94 BCD [Bulk Communications Data] regime did not comply with Article 8 until November 4 2015 and thereafter complies, and that the BPD [Bulk Personal Data] regime did not comply with Article 8 until 12 March 2015 and thereafter complies. We so decide.”
- “Since the hearing, Mr. Anderson QC has published, as referred to in paragraph 21 above, his Bulk Powers Review. It is plainly highly relevant to this issue, and we propose to grant both parties the opportunity to make submissions upon it before reaching our conclusions in respect of this issue, which we consequently adjourn, to come on to be heard at the same time as the EU law issues.”
So the question on many lips is whether this new IPT decision means that the Investigatory Powers Bill (IPB) should be welcomed.
As Alison explained in her previous post, the IPB is an attempt, among other things, to legalise the practice of transfer, storage and use of bulk personal datasets as well as bulk acquisition of communications data. Chapter 2 of Part 6 regulates the power to issue bulk acquisition warrants “in the interests of national security,” “for the purpose of preventing or detecting serious crime,” or “in the interests of the economic well-being of the United Kingdom” (“so far as those interests are also relevant to the interests of national security”). Importantly, while a bulk acquisition warrant is meant to target communications data, the telecommunications operator specified in the warrant can be required “to obtain any communications data specified in the warrant which is not in the possession of the operator but which the operator is capable of obtaining.” S. 147(8) further adds that “A bulk acquisition warrant may relate to data whether or not in existence at the time of the issuing of the warrant.” Notably, a judicial commissioner must review the Secretary of State’s conclusions on the decision to issue a bulk acquisition warrant.
Chapter 7 of the IPB regulates the power to retain a bulk personal dataset. The decision is taken by the Secretary of State after an application is made by or on behalf of the head of an intelligence service. Once again, the conclusions of the Secretary of State must be reviewed by a judicial commissioner.
To come back to the IPT, it applies the rulings in the judgments of the European Court of Human Rights in Weber & Saravia v Germany and Kennedy v United Kingdom to resolve issues 2 and 3 (mention is also made of R E v United Kingdom and Szabo & Vissy v Hungary). It insists at para. 61 that “it is not for this Tribunal to lay down new requirements.”
But the IPT (simply) reformulates the high-level test to be found in Weber: “As noted above, Issues 2 and 3 are framed by reference to the “in accordance with law” requirement in Article 8. That requirement is generally stated to comprise (a) that the measures under review should have a basis in domestic law, and (b) that the laws in question should be compatible with the rule of law, in being generally accessible, foreseeable and contain adequate safeguards against arbitrary use.” [It does so without assessing all the safeguards identified by the European Court of Human Rights (ECtHR) in Weber.]
The IPT states that:
- “In considering acquisition of BCD, and access to such data held, the essential requirement in this context is that the BCD is acquired only for proper purposes, where the acquisition of the data is necessary and proportionate. The Handling Arrangements are clear in this respect (see Appendix A at paragraphs 94 and 98).” 
- “[T]he Handling Arrangements are clear as to the conditions under which any BPD may be obtained or accessed, and the operation of those arrangements is subject to independent oversight.” But for BPD, as their existence had been avowed in March 2015 and oversight had been effective since March 2015, the BPD regime was in accordance with the law before the BCD regime.
- Why is the system of oversight effective? First, because the Interception of Communications Commissioner (ICC) and the Intelligence Services (IS) Commissioner managed to agree on who was doing what in their 2014 independent reviews of oversight effectiveness (followed by a series of reports in 2015, see Alison’s post here). The ICC reviewed s.94 powers, while the IS Commissioner reviewed the BPD regime. Second, it is noted that the commissioners, in particular the ICC, have been critical, or rather have not remained uncritical (!), in their reports [Is reliance on this assumption a sufficient safeguard?].
- One problem remains: ensuring appropriate safeguards are in place when data is transferred by the SIAs to other parties, i.e. foreign partners. And this is what the IPT states at para. 95: “The only area in which we need to give further consideration relates to the provisions for safeguards and limitations in the event of transfer by the SIAs to other bodies, such as their foreign partners and UK Law Enforcement Agencies. There are detailed provisions in the Handling Arrangements which would appear to allow for the placing of restrictions in relation to such transfer upon the subsequent use and retention of the data by those parties. It is unclear to us whether such restrictions are in fact placed, and in paragraph 48.2 of their Note of 29 July 2016 the Respondents submit that the Tribunal is not in a position to decide this issue.” Further submissions are thus needed!
Ultimately the IPT seems to welcome the IPB when it states at para. 86: “Further, just as the fact that there have been improvements [with the present IP Bill] does not necessarily mean that the previous system prior to the improvements was non-compliant (paragraph 62 above), similarly the fact that there could be further improvements does not mean of itself that the present system is non-compliant.”
What will the additional consideration of EU law bring? By the reference to EU law here, one should understand Digital Rights Ireland of 2015 and Tele2 Sverige AB, which has not been decided yet. Does EU law go beyond the law of the ECHR (for some earlier considerations on this point, see my previous post here)?
Finally, it is worth remembering that this is the second major breach by the SIAs upheld by the IPT (see Alison’s post here). Will the IP Bill put a definitive end to these “unprecedented judgements”?