Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR

Following the Snowden revelations in 2013 concerning the complicity of the tech industry in widespread electronic government surveillance in the U.S., tech companies have individually and collectively become increasingly active as advocates of privacy and free speech rights, culminating in legal challenges to government electronic surveillance.

Since the dropping by the U.S. Department of Justice (DOJ) of its much publicised writ against Apple, which sought to compel Apple to hack the security key code system of the Apple iPhone 5, the battle between tech companies and the DOJ over privacy and encryption in the U.S. has taken another turn.  In April, Microsoft filed a suit in the District Court of Seattle against the DOJ challenging the ‘secrecy order’ provisions (a range of anti-tipping off and gagging powers) under the Electronic Communications Privacy Act (ECPA).

With the Investigatory Powers Bill (IPB), which contains similar secrecy requirements, currently being debated before the U.K. Parliament, the U.S. case provides fair warning of possible human rights challenges tech companies may bring against the U.K. government. This post will consider the implications of the Bill’s secrecy provisions in light of the rights of tech companies under the European Convention on Human Rights (ECHR).

The Microsoft – DOJ claim                                                 

In short, the ECPA allows a U.S. government agency to apply to the Court for a warrant requiring Microsoft, or any other internet company, to hand over their customers’ private data. In addition, an order can be made by the court preventing the company from publicising the fact that they have been required to disclose the data.

Microsoft’s challenge claims that the ‘secrecy orders’ under section 2705(b) ECPA infringe their customers’ Fourth Amendment rights because the government’s search and/or seizure of their data is conducted without their knowledge. It further argues that Microsoft’s own First Amendment rights are infringed because it is prevented from communicating to its customers, the fact that it has been required to hand over the data (and about the lack of privacy guarantees contained in the ECPA).

In its claim, Microsoft states that it has been served with almost 2,600 secrecy orders in the past 18 months, two thirds of which contained no time limitations. The broader free speech point is that barring the tech industry from initiating a discussion about their involvement in the government’s electronic surveillance activities silences public debate, and provides inadequate judicial oversight; something of a reprieve of Jeremy Bentham’s adage that, ‘publicity is the very soul of justice’.

The Investigatory Powers Bill 

The proposed U.K. legislation, which has been referred to as the ‘Snooper Charter’, would bring into force a similar, albeit more invasive system of secrecy provisions attaching to disclosure requirements.

Pursuant to the Bill, the U.K. government through its agencies (e.g. a police force, local authority, MI5, MI6), will have the power to issue warrants for various electronic surveillance activities including data interception and equipment interference. Along with these powers comes the authority to compel telecommunication providers to ‘provide assistance’ to the government, including through decryption.  Parts II-VI of the Bill provide that such assistance may come in the form of retaining and disclosing private data or interfering with equipment for the purposes of disclosing private data to the requesting agency. The duty to assist the government is mandatory; contractual and statutory data protection obligations owed by the company to their customers are rendered meaningless. In addition, the obligation to assist in the provision of data will not be subject to judicial oversight- while the government must seek a warrant to hack, it is not required to obtain approval to compel assistance from technology companies.

Not only are the surveillance powers broad and the potential duties placed on tech companies wide-ranging, the Bill also proposes the attachment of secrecy requirements whereby companies would be prevented from disclosing the existence of the government warrant and the fact that data has been accessed or handed over.

During the Bill’s consultation phase, a coalition of tech companies (Microsoft, Google, Facebook, Twitter and Yahoo) expressed a number of concerns about the far reaching implications for their users’ privacy. This, along with the U.S. experience, provides strong indicators as to how the legislation, if it comes into force, will be received in the U.K. It is possible that tech companies will use the ECHR to push back against the government’s overbroad surveillance powers, and to protect their rights and the rights of users.

The IPB and the ECHR

The European Court of Hunan Rights (ECtHR) has held that indiscriminate surveillance programmes violate the right to respect for private life and correspondence, which is enshrined in Article 8 of the ECHR (Zakharov and Szabó and Vissy). In these cases, the applicants were individuals rather than companies however, the ECtHR has long recognised that alleged violations of the rights of companies can be brought before it (National Provincial Building Society v. United Kingdom). The question then becomes – what rights of tech companies might be infringed by the IPB’s secrecy provisions?

Article 8 ECHR

Article 8(1) provides that “Everyone has the right to respect for his private and family life, his home and his correspondence.” Article 8(2) allows authorities to interfere with the basic right “in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

A challenge brought under Article 8 would be against the surveillance regime per se, as it is the privacy rights of the company’s customers, rather than that of the tech company, which are affected. The argument here would be based on the fact that the secrecy provisions prevent the release of information about interference with users’ privacy rights. The tech company could put forward the indefinite and indiscriminate nature of the secrecy provisions as grounds for finding them unlawful; for instance, measures that apply indiscriminately to persons arrested whether or not they are convicted of a criminal offence have been found by the ECtHR to be prima facie disproportionate (Brunet v. France).

In addition to compelling the State to abstain from arbitrary interference, inherent in Article 8 is a positive obligation to secure respect for privacy rights (X and Y v the Netherlands). It flows from this that a State has a positive duty to provide information about threats to an individual’s privacy rights. Therefore, repressing information about the accessing of private data would likely infringe the obligation.

Following the termination of surveillance measures, Article 8 requires the state to inform citizens about them as soon as it is feasible to do so without jeopardising the purpose of the surveillance operation (Weber and Saravia v Germany). The ECtHR has found subsequent notification of surveillance measures to be linked to the effectiveness of remedies before the courts and to the existence of effective safeguards against the abuse of monitoring powers. Unless otherwise justified, the IPB’s secrecy provisions are likely to offend this as its measures are indefinite; the secrecy requirements do not lapse with the termination of the warrant served on the tech company. Accordingly, even if a judicial commissioner reviewing the lawfulness of an active warrant later revoked it, the tech company would remain gagged from disclosing this information. As was seen in Weber, the question would turn on whether any customer could be informed about their data being handed over to the government without ‘jeopardising the purpose of the restriction’. Given that the warrants themselves are time-limited, it would fall on the government to explain why indefinite secrecy is necessary and proportionate in all cases.

Article 10 ECHR

Article 10 guarantees the right to freedom of expression, which includes the freedom to hold opinions and to receive and impart information and ideas without State interference.

The ECtHR has been clear in ruling that legislation prohibiting, in absolute and unconditional terms, the dissemination of national security information which eliminates public control over intelligence services’ activities, constitutes a breach of Article 10 as it goes beyond what is necessary in a democratic society (Vereniging Weekblad Bluf! v. the Netherlands). A challenge brought under Article 10 in the U.K. courts would be strengthened by the operation of section 12(4)(ii) Human Rights Act 1998 (HRA), which operates to tip the balance in favour of freedom of expression when publication of the material in question would be in the ‘public interest’.

The indiscriminate nature of the IPB’s secrecy provisions would provide compelling arguments against lawfulness. Firstly, the provisions attach automatically to any warrant, in contrast to legislation where a secrecy order is applied on a case-by-case basis. Secondly, the Bill does not require a balancing of the free speech rights of the provider to communicate with their customer or the customer’s due process rights, against competing national security considerations in the individual case; the measures apply indiscriminately and in all cases.

Finally, the secrecy requirements are absolute, prohibiting in section 49(4)) disclosure of the existence of the warrant or anything done by the company to comply, save for disclosures of a ‘general nature’, including specifically under section 50(7)(a)(ii) the number of warrants that the provider has been served with. There is an obvious debate to be had as to how narrowly or broadly disclosures of a ‘general nature’ might be defined; for instance, would the release of statistics on warrants targeting customers of a particular nationality be considered general? Whether or not general information, and the legislation more broadly, allows sufficient latitude for open discussion and scrutiny of the electronic surveillance regime will be at the heart of the lawfulness debate (B and P v. the United Kingdom).

Conclusion

Under English common law, data privacy and freedom of expression guarantees are limited. Therefore, proposals to repeal the HRA and further to revoke the ECHR altogether, place a range of human rights protections under threat. The E.U. Charter of Fundamental Rights may offer another avenue for securing privacy and data protection however, the future of these protections hang in the balance with the upcoming U.K. referendum on continued E.U. membership. Whatever the outcome, if the IPB does become law in its current form, the U.K. government should be prepared for its ‘Snooper Charter’ to undergo human rights scrutiny and legal challenges brought by individuals and tech companies alike.