Draft Investigatory Powers Bill

Equality and Human Rights Commission Response to Committee call for evidence

21 December 2015

Contact details:

Sarfraz Khan 0161 829 8414

Stephen Lodge 020 7832 7851

Introduction

Three recent expert reports[1] made numerous recommendations to reform the present investigatory powers regime. Those reports examined a changed surveillance landscape after Edward Snowden revealed the scale of the UK intelligence and security agencies' electronic surveillance capabilities through the TEMPORA programme and through access to large volumes of electronic data under the PRISM and other surveillance programmes of their US counterparts.

Litigation brought against the UK intelligence and security agencies as a result of those revelations challenged the lawfulness of the present legal framework. Many of these cases are awaiting determination[2]. As a result of the revelations and subsequent cases, the UK Government has acknowledged the existence and use of certain surveillance powers.

The draft Bill seeks to replace and streamline the current legislative framework, most notably the Regulation of Investigatory Powers Act 2000 (RIPA). The EHRC has said since 2011[3] that RIPA is outdated and urgently in need of replacement.

The challenge is to ensure the intelligence, security and law enforcement agencies have the required capabilities necessary in a rapidly changing digital age to protect the public from terrorist threats and to prevent/detect crime, while ensuring those powers are subject to necessary constraints and safeguards to ensure they are only exercised in accordance with the law and only at the expense of qualified individual civil liberties (ie. those that can lawfully be restricted) in circumstances where demonstrably necessary and proportionate.

Overview

Our assessment of the human rights implications of the proposals in the draft Bill is provisional at this stage because we do not have sight of the full legal framework. This includes Codes of Practice and operational guidance which will contain practical explanation of how to exercise the powers in the draft Bill in compliance with human rights requirements. We recommend Codes of Practice in particular are published alongside the Bill to improve understanding and enable scrutiny of the full legal framework proposed. Furthermore, case law is still evolving concerning UK State surveillance powers and human rights: a number of cases remain outstanding, the outcome of which may have a significant bearing on the shape of the legislation.

The Home Office memorandum on the Investigatory Powers Bill and the European Convention on Human Rights (Home Office ECHR memorandum)[4] accompanying the draft Bill identifies the European Convention rights that are engaged in this context. It refers to Articles: 2 (right to life), 8 (respect for private and family life), 10 (freedom of expression), 14 (non­discrimination in the enjoyment of Convention rights) and Article 1 of Protocol 1 (the right to property) as well as relevant jurisprudence.

The purposes for which each of the powers contained in the draft Bill can be exercised accord with human rights requirements: protecting national security, the economic well­being of the country and preventing or detecting crime. These are legitimate aims for the purpose of interfering with qualified human rights such as the rights to privacy and free expression.

The draft Bill proposals aim to place investigatory capabilities and powers under an updated legal framework, which improves the prospect of those powers being ‘in accordance with law’ for the purposes of human rights law. This requires the powers to be precisely formulated in clear, accessible and foreseeable rules and circumscribed to prevent arbitrary use and abuse.

In addition to the legal guarantees which are set out in the legislation concerning the scope, grounds and duration for using these powers, the ‘double­lock’ prior warrant authorisation process that applies to most powers in the draft Bill aims to ensure that the powers are used in compliance with the law and human rights standards such as necessity and proportionality.

After the event oversight is to be streamlined in the form of a new Investigatory Powers Commissioner (IPC) responsible for inspection, audit and public reporting on the use of all the powers. That is in addition to an individual right to seek redress from the Investigatory Powers Tribunal (with a new domestic right of appeal against that tribunal’s judgments on points of law), which can order disclosure of serious errors to affected individuals where it is in the public interest. A new criminal offence is to be created concerning unauthorised access to data. The parliamentary oversight role of the security and intelligence services through the Intelligence and Security Committee is preserved, as is the data protection inspection and regulation regime through the Information Commissioner’s Office (ICO).

Our provisional analysis is that in many respects the draft Bill proposals considerably improve the legal framework governing investigatory powers in the UK and make important progress towards meeting relevant human rights requirements.

Proposals to further improve the draft Bill

Underpinning complex legislation with clearly articulated principles

In our 2011 research report[5] we recommended new legislation should contain a set of agreed principles that help to understand, apply and interpret the legislation, helping to ensure it is fit for purpose and stands the test of time. Those principles should include reference to compliance with human rights law and we recommend as a starting point those principles and key tests articulated in the respective reports of David Anderson QC and the Royal United Services Institute.

Judicial review under the ‘double­lock’ warrant process

A 'double-lock' mechanism applies to the exercise of most powers and requires initial approval of the warrant to be reviewed by a judicial commissioner.

We recommend that the standard of review by judicial commissioners should be clearly explained in a Code of Practice to make clear the requirement that judicial commissioners must apply the same principles as would be applied by a court on an application for judicial review should include intense scrutiny to whether the measure is necessary and proportionate.

Collection and acquisition of communications data

Communications data are defined as information about a communication other than the actual communication content. Such information includes information about the sender and the recipient (for example phone numbers and address) as well as information such as the fact, location and time of a communication. It also includes internet connection records.

Part 4 of the Bill provides a power for the Secretary of State to require the retention of communications data by a communications services provider for up to 12 months. This may include retention of internet connection records, which are records of internet services that have been accessed by a device. They may include a web address along with time and date of access and a service name (e.g. www.facebook.com) but not a full web address as this would be defined as content. It would show that a person has used, for example, Google but not what searches have been made on the site.

Approximately 45 public bodies will have the power to access communications data for a variety of purposes. For most, the authorisation process comprises securing approval to access communications data from a designated person or single point of contact within the organisation but separate from the investigation or operation. That is a much lower level of authorisation than the 'double-lock' process.

In our view the proposal could be substantially improved by placing the power to grant authorisations for access to communications data in all cases in the hands of an independent administrative body. We recognise the relatively high number of such authorisations may make it impracticable for the same level of scrutiny by judicial commissioners as is envisaged for certain other powers. We suggest instead that consideration be given to having a separate system of independent administrative authorisation, perhaps by officers at the IPC, who could refer novel and contentious matters to the judicial commissioners.

Bulk powers concerning interception, acquisition of communication data and equipment interference

These powers appear to permit wide ranging bulk interception, acquisition and equipment interference including of communications and equipment in the UK in pursuit of relatively generalised operational purposes, and their selection for examination in many instances by reference to individuals known to be in the UK.

We consider further attention should be given to safeguards that clearly limit the basis on which bulk material can be examined and that will ensure safe retention and destruction of material. Such safeguards might include more narrowly defined purposes.

We have previously submitted to the ISC inquiry that bulk surveillance powers aimed at communications abroad are likely to disproportionately affect members of some ethnic minority communities in the UK and may therefore, subject to justification, be indirectly discriminatory. This remains a concern in relation to the draft Bill. We recommend the potentially discriminatory impact of these powers should be considered as part of the scrutiny of the draft Bill.

The power to retain information

Information only has to be destroyed, for example, when there are “no longer any relevant grounds for retaining it” (clause 40(5)), meaning “retention is not necessary or not likely to become necessary” (clause 40(6)).

This means it can be retained even where there is no current utility if it is considered it may be of future utility

In Digital Rights Ireland, in the context of retention of communications data, the Court of Justice of the European Union (CJEU) criticised the failure in Directive 2006/24/EC (the Data Retention Directive) to make any distinction in retention periods between categories of data on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned.

In the context of retention of DNA profiles of individuals who have not been convicted of an offence, the court has held a blanket or indiscriminate approach to retention of such information to be unlawful in breach of Article 8 ECHR.[6]

We would anticipate that a Code of Practice will set out appropriate safeguards for data retention, such as an express requirement to review, an automatic destruction period subject to exceptional circumstances, and different periods for different types of information. If so, it would be very helpful if a draft Code of Practice containing such safeguards were published alongside the Bill to aid scrutiny of these provisions. In light of developing case law we anticipate that such measures are likely to be required to ensure that the regime for retention of information is human rights compliant.

National Security Notices

Under clause 188, the Secretary of State may give any UK telecommunications operator a notice (“a national security notice”) requiring them to take such steps as the Secretary of State considers necessary in the interests of national security provided that the Secretary of State considers that the specified conduct is proportionate to what is sought to be achieved. The notice cannot include steps for purposes which require a warrant or authorisation.

In order to provide additional safeguards over the exercise of this power, and promote public confidence in its use, we consider this power should be subject to judicial approval and automatic referral to the IPC for review of how and why the power is being used.

Consistent safeguards for confidential information held by certain professions

There are additional safeguards in the Bill for MPs, and in some parts for journalists, but not for lawyers and other professionals who hold confidential material such as doctors.

The Home Office ECHR memorandum states that a Code of Practice will set out that particular consideration must be given where the subject of the interception may reasonably assume a high degree of privacy or where confidential information is involved. This will include confidential journalistic material and legally privileged material.

The memorandum states that where an application for a warrant is likely to lead to privileged material being intercepted, it will need to set out an assessment of the likelihood of that interception and the steps that will be taken to mitigate the risk. Where it is intended that privileged material be intercepted, the warrant will only be granted where the Secretary of State is satisfied that there are exceptional and compelling circumstances that make it necessary. Additional safeguards regarding the handling, retention and disclosure of the privileged material will apply. These additional safeguards are welcomed.

Where the intention is to acquire journalistic material, the memorandum states the application for the warrant should set out the reasons why and why it is considered necessary and proportionate to do so.

In the context of journalistic information, not only is compliance with the right to privacy protected by Article 8 ECHR required but also with the right to freedom of expression protected by Article 10 ECHR. Accordingly any interference must be justified as necessary and proportionate as balanced against rights of freedom of expression as well as interference in privacy.

The European Court of Human Rights in recent case law has referred to international law regarding protection of journalists, including Recommendation No. R(2000) 7 on the right of journalists not to disclose their sources of information adopted by the Committee of Ministers of the Council of Europe on 8 March 2000.[7]

The Recommendation[8] includes provisions that domestic law and practice in member States should provide for explicit and clear protection of the right of journalists not to disclose information identifying a source in accordance with Article 10 ECHR and that States should pay particular regard to the importance of the right of non-disclosure and the pre-eminence given to it in the case-law of the European Court of Human Rights[9]. Disclosure should only be ordered if there is an overriding requirement in the public interest and if circumstances are of a sufficiently vital and serious nature.

It will therefore be important that the Code of Practice clearly explains in particular that both the issuing authority and the judicial commissioner on review will need to consider the tests of necessity and proportionality against the interference with freedom of expression and the importance given to that right in case law.

Safeguards for information leaving the UK

Disclosure overseas may be made subject to certain restrictions but, for example, clause 41(2) only requires that safeguards are in place "to such extent (if any) as the appropriate issuing authority considers appropriate". Part 3 concerning communications data does not appear to have any specific safeguards in this regard.