Author: Daniella Lock (PhD student at UCL Faculty of Laws). The original post was published on Just Security on 30 November 2016.
What was formerly known as the Investigatory Powers Bill, referred to elsewhere as the “revised Snoopers’ Charter,” has received Royal Assent and, as of Nov. 29, is officially law in the UK. The Act (full text here) does introduce additional safeguards, as well as a new body of oversight and the involvement of judges in the authorization of surveillance warrants. However, the broad range of surveillance powers available to the British Government, which were exposed by the Snowden leaks, have not been scaled back but further entrenched within British law. This is despite consistent pleas to reduce the powers by parliamentarians, legal practitioners and legal NGOs, and amendments having been made to the Act by both Houses of Parliament.
The Not So New Powers
The government’s powers exposed by the Snowden leaks were the subject of widespread fear and shock, and they will be further consolidated by this new legislation. The surveillance powers that the Act will now explicitly enshrine in law include: targeted and bulk hacking powers; bulk interception of communications (provided for under the previous UK surveillance regime); access to bulk personal datasets (BPDs); and the acquisition of communications data, both targeted and bulk, which involves the retention of web history logs (known as “Internet Connection Records”). The Act also provides for the use of thematic warrants in relation to targeted surveillance powers. These warrants, equated with general warrants in a previous Just Security post by Scarlet Kim, have the potential to be very broad in scope and may be used against “a group of persons who share a common purpose or who carry on, or may carry on a particular activity.”
All of these far-reaching surveillance powers existed in one form or other prior to the Act. However, many of them were only avowed by the UK Government in the aftermath of the Snowden leaks. For example, engagement in the bulk acquisition of communications data by the security services was first admitted in November 2015, when the then-Home Secretary, Theresa May, informed Parliament that communications data was being obtained in bulk from Communication Service Providers under the authority of the Telecommunications Act 1984. The use of hacking powers was acknowledged by the UK government through the publication of the Draft Equipment Interference Code of Practicepublished in February 2015 (containing, admittedly, unclear distinctions between bulk and targeted powers). The use of thematic warrants and BPDs were publicly avowed for the first time in March 2015 in a report by the Intelligence and Security Committee (the Parliamentary committee appointed to oversee the work of the UK’s security services).
The Passage of the Act
Many were hoping to prevent or obstruct the UK Government in its consolidation of these extensive powers. Since the Act was first published in bill form, there has been rigorous engagement with its provisions by legal practitioners, legal NGOs as well as tech companies. When the Act was published in draft form in November 2015 last year, over 1,500 pages of written evidence were submitted to the Joint Committee responsible for scrutinizing the bill. Written evidence was then submitted throughout the year. Legal NGOs and legal practitioners made recommendations calling for many of the powers either to be removed or subjected to much greater restriction. For example, Liberty calledfor a removal of all bulk powers contained in the bill, and the barrister (and Reader at University College London) Dr. Tom Hickman called for the scope of thematic warrants to be greatly reduced.
Official scrutiny of the Act was primarily undertaken by the Joint Committee for the Investigatory Powers Act and the Intelligence and Security Committee (ISC), who both wrote reports in response to the draft bill. These reports also conveyed skepticism about certain powers contained in the bill. For example, the ISC expressed uncertainty over the need for bulk hacking powers, and the Joint Committee stated that it was not clear that the bulk powers of interception and hacking were compliant with the UK’s obligations under the European Convention on Human Rights.
Partly in response to concerns such as these, the government called for a review of bulk powers by the Independent Review of Terrorism Legislation. The publication of the review report was discussed in a previous blog post by Shaheed Fatima Q.C. The Independent Reviewer concluded in the report that there was a “proven operational case” with respect to three of the bulk powers which were “already in use.” These powers were bulk interception, bulk acquisition (of communications data) and BPDs. At the time of the review, the Independent Reviewer had been told by the UK’s Government Communications Headquarters (GCHQ) they had not so far engaged in bulk hacking. With regards to this power, it was found that there was a “distinct, but not yet proven, operational case” for it.
While the conclusions of the review were welcomed by the UK government, they were not accepted across the board and opposition to the reach of surveillance powers in the bill remained. Liberty criticized the scope of the review, arguing that its lack of consideration of the necessity and proportionality of bulk powers meant that the most important question regarding their use had gone unanswered. It also criticized the short time-frame for the review, citing the lack of time that had been available for those carrying out the review to consult experts in the field. It also highlighted that no operational case with regards to internet connection records had been made, and it claimed that this power should be removed from the bill.
Despite determined efforts by many to oppose the powers in the bill, only fairly minor changes were made to them during its passage. For example, restrictions were added to class warrants for BPDs, the examination of material obtained under bulk warrant and additional safeguards were added with respect to accessing journalistic material and legally privileged material.
Changes the Act Makes to the UK Surveillance Regime as a Whole
For those less familiar with the provisions contained in the Act, it should be noted that at the same time as ensuring the same breadth of surveillance powers are available to the government, it also introduces a new authorization process for these powers and new safeguards and body of oversight.
With respect to the authorization process, there is now a mechanism by which judges, called Judicial Commissioners, will be involved in the decision-making process for the issuing of surveillance warrants—a mechanism described as the “Double-Lock.” Judicial Commissioners will be required to approve warrants initially issued by the Secretary of State before they can be fully authorized.
A new oversight body will be set up, which merges previously existing oversight bodies. The body will be made up of an Investigatory Powers Commissioner and a group of Judicial Commissioners. It will keep under review the exercise of statutory functions by public authorities provided for in the Act. Furthermore, as stated, Judicial Commissioners will also be involved in the authorization process for surveillance warrants.
Insofar as these additions to the UK surveillance regime serve to impose robust limitations on the UK government’s use of its surveillance powers, they are clearly welcome. However, the extent to which they will impose robust limitations has been a matter of debate. One issue of controversy is that the Act expressly states that the Judicial Commissioners are to apply judicial review principles when reviewing the Secretary of State’s decision. As was discussed in an earlier blog post by Shaheed Fatima Q.C, there may still be potential for Judicial Commissioners to undertake substantive and meaningful review of the Secretary of State’s decision despite this constraint. However, this remains to be seen.
Furthermore, there are a number of other factors that may serve to constrain the Judicial Commissioners, highlighted here by Lord David Pannick, which are not acknowledged in the Act. For example, there is no clause in the Act which provides that the Judicial Commissioner would have access to all of the same information on the basis of which the Secretary of State made their decision. There is also no provision in the Act to ensure that Judicial Commissioners will be able to access a special advocate to assist them in their decision-making. Concerns have also been raised about the fact that this same oversight body, responsible for providing oversight with regards to the UK surveillance regime, is also responsible for approving surveillance warrants.
Initial Concerns with UK Surveillance Powers Still Stand
While it is not clear how robust these restrictions will be, what is clear is that the Act does not reduce the powers available to the government. And ultimately, many of the concerns that were initially voiced about the Act still stand. For example, the problems discussed in the blog post by Scarlet Kim, in connection with the expansive hacking powers and use of thematic warrants, remain. The concerns regarding justifiability of access to Internet Connection Records, discussed in a blog post by Shaheed Fatima Q.C, are as relevant as they were last year.
Due to the extensive surveillance powers that the Act provides for, it is still not clear whether the new regime will be compliant with standards set by international law. This was expressly stated by the UN Special Rapporteur when he delivered his first report to the UN Human Rights Council in March this year. The Special Rapporteur argued that the provisions in the Act “prima facie fail the benchmarks” set in recent case law by the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU).
This view is at least plausible. As was highlighted in an earlier blog post by Carly Nyst, the ECtHR has, in the cases of Zakharov v Russia (Grand Chamber) and Szabó and Vissy v Hungary, recently emphasized the need for human rights law principles to be “enhanced” to take into account States’ increased appetite for “massive monitoring of communications.” In the case of Zakharov, it was also emphasized that interceptions must:
“clearly identify a specific person to be placed under surveillance or a single set of premises as the premises in respect of which authorization is ordered. Such information may be made by names, addresses, telephone numbers or other relevant information.”
Some have taken such commentary by the Court to be a sign that the ECtHR may be willing to take issue with the Act. Indeed, in a memorandum on surveillance and oversight mechanisms in the UK published in May, the Council of Europe Commissioner for Human Rights cited “major human rights concerns” over the then Bill. Of particular interest in the memorandum was a reference made to suggestions by surveillance experts that “the sheer breadth of a bulk warrant may have difficulties” against the “clear standard” quoted above, as set out in Zakharov. The Commissioner also commented that:
“by their nature bulk warrants place large groups of people under the menace of surveillance without any suspicion on the part of the authorities that an individual has committed a criminal offence or is of national security interest.”
Provisions in the Act may also come into conflict with certain standards set by the CJEU. The UK will be required to adhere to these standards for at least the next few years, even if the UK manages to begin the process of leaving the Union early next year. The key issue will be the Act’s provisions on data retention. Recent decisions—such as in the joined cases of Digital Rights Ireland and Seitlinger as well in the case of Schrems —suggest that the CJEU is willing to take a more hardline approach with respect to data retention. Furthermore, in July 2016 the Advocate General of the Court of Justice published his opinion on the Tom Watson (and formerly David Davis) case, regarding the lawfulness of the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA). The Advocate General stated in his opinion that data retention should only be lawful for the purpose of investigating serious crime. This opinion is not binding, and a lot depends on what the CJEU rules in relation to DRIPA early next year. However, it may be that the provisions for data retention in the Act, which allow for data to be retained on the basis of a broad range of purposes—including for the purposes of “public health” and “assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department”—may be incompatible with EU standards.
Looking to the Future
Legal NGOs have made it clear that they intend to challenge the Act on its compliance with international law. Liberty’s response to the passing of the Act by Parliament couldn’t have been clearer. They stated: “[t]he fight does not end here. Our message to Government: see you in Court.”
There are already challenges relevant to the Act underway. For example, Privacy International and five internet and communications providers have lodged an appeal in the ECtHR challenging the UK Government’s hacking powers (under the previous regime). An application by Big Brother Watch regarding bulk interception and intelligence sharing (under the old regime) is also waiting to be heard in Strasbourg. Many legal challenges to be made directly against the Act once it becomes law are no doubt being currently drafted.
Some will be relieved that, for now, the “fight” is not completely over. However, it seems like a sad reflection of the current state of British law-making that an Act like this could be passed in its current form, with the best chance of opposing its most questionable provisions apparently lying in the ability of pro bono lawyers to challenge it in courts.
People will point to a variety of factors to explain how we got here. One factor which has undoubtedly played a role, which other countries who may face similar legislation can hopefully learn from, is timing. It has taken just over nine months for the Act to pass through Parliament. This is an undeniably brief period of time for an Act which, at the time of being introduced to Parliament, was almost 250 pages of complex legal provisions, accompanied by 19 “overarching documents“ many of which were over a 100 pages long. The then Bill was over 300 pages long on leaving the Lords’ report stage. Nine months is insufficient time to subject so many complex provisions to proper scrutiny. Many parliamentarians would barely have had time to get their head around the implications of the first few chapters of the bill, let alone all of its nine long and technical separate parts. The government was warned that it was “not in the nation’s interest” to pass the Act this year, when over a 100 cross-party lawmakers and campaigners signed a letter calling for a longer consultation period to “give the Bill the time it needs.”
The letter reminded the government that the new law “could lead the world” if it was done right. Indeed, this new legislation was a big opportunity to wipe the slate clean after the Snowden leaks, and to help rebuild trust in the UK government and its surveillance practices. However, the UK government has chosen to push through a law which may well be seen as only serving to enhance distrust: for it consolidates far-reaching surveillance powers which many think should never have been relied upon in the first place.