Striking an Appropriate Balance: the UK Data Retention Regime and the IPA 2016

August 17, 2017

‘There is a balance to be found between our individual right
to privacy and our collective right to security’.

Chairing the first public hearing of the Intelligence and
Security Committee in 2014, Sir Malcolm Rifkind’s announcement summarises the
central aims of the UK data retention regime now governed by the Investigatory
Powers Act 2016 (IPA): first, to ensure that law enforcement bodies and
national intelligence agencies can conduct effective investigatory powers and,
second, to justify, formalise, and regulate data retention activities which may
be used to interfere with an individual’s right to privacy. However, despite
considerable efforts, the UK regime does not reflect an appropriate balance, by
overestimating the legitimacy of its aims. While legal analysis forms part of
this argument, data retention is an area where rapidly changing technologies
arguably escape enduring legal responses. As such, it is necessary to provide a
critical analysis of the wider debates which constitute the regime as a whole.
Noting the factual and normative aspects of balancing exercises, both the
impact and nature of data retention must be better understood if the UK regime
is to reflect a more appropriate balance.

Tipping the balance beyond privacy and the individual

As Rifkind’s announcement indicates, the impact of data
retention is commonly understood as interfering with an individual’s right to
privacy. That understanding is continually reaffirmed in public and political
debates, as well as providing the legal basis upon which data retention
obligations are justified. However, these ideas reflect a common
misunderstanding of the issues at the heart of the debate. In practice, data
retention impacts a broad range of rights, including those related to privacy,
which affects societies as well as individuals.

               Let us
consider the right to freedom of expression. Though intuition may suggest that
privacy and freedom of expression are inherently conflicting rights, reality
demonstrates that a degree of privacy is required for freedom of expression to
function properly. Evidently, for the press to inform the public about state
misconduct, there must be an assurance that journalistic sources will not be
made known to the state; otherwise, there can be a ‘chilling effect’ or ‘collateral
impact’ on the freedom of expression of a press that is no longer ‘free’. The
implication is not that any use of data retention to identify journalistic
sources is necessarily inappropriate, but rather that the impact on freedom of
expression must be part of the balancing exercise. Notably, the UK
Investigatory Powers Tribunal (IPT) recently adopted this approach, but it has
failed to translate into the provisions of the IPA.

               While
the Code of Practice for data retention acknowledges that ‘there is a strong
public interest in protecting a free press and freedom of expression in a
democratic society’, privacy is essential for freedom of expression in a
variety of democratic contexts. David Anderson QC succinctly summarises, ‘[j]ust
as democracy is enabled by the privacy of the ballot box, so expression of
dissenting views is enhanced by the ability to put them across anonymously’.
Moreover, in an age where social networking services have evolved to enable
political deliberation, the press no longer have ‘a monopoly on speaking truth
to power’. Therefore, the rational behind ensuring press freedoms can, and
should, be extended to other (online) actors. Without a reasonable expectation of
privacy, many would not speak out against state misconduct, not only
journalistic sources.

               To some
extent, the CJEU has acknowledged this point in relation to the UK data
retention regime. In Tele2 Svergige AB/Tom Watson and Others, the CJEU, finding
the now expired Data Retention and Investigatory Powers Act 2014 (DRIPA)
incompatible with privacy protections under the Charter of Fundamental rights
of the European Union (CFEU), suggested: ‘The fact that data is retained
without the subscriber or registered user being informed is likely to cause the
persons concerned to feel that their private lives are the subject of constant
surveillance’. The implication is that individuals may avoid online activities
which engage politically sensitive subjects, undermining critical deliberative
processes. While Anderson suggests that the CJEU should have ‘sought to avoid
assertions based on theory or on informal predictions of popular feeling’,
there is growing empirical evidence of the ‘actual harms’ implicit in its
suggestion. Again, the conclusion is not that all data retention practices are
necessarily inappropriate; regulation of extreme or hateful speech can pursue
legitimate aims which promote social cohesion and security. Nonetheless, the
real and significant impact on freedom of expression – particularly, political
expression – should be taken more seriously in the balancing exercise.

               However,
the debate should not be conducted simply on the level of ‘individual versus
state’. Data retention impacts the societies in which individuals are situated.
Again, the CJEU has indicated that the UK data retention regime may need
rebalancing in this regard. In Watson, the CJEU concluded that data retention
‘raises questions relating to…freedom of expression’, which ‘constitutes one of
the essential foundations of a pluralistic, democratic society’. While the
CJEU’s subsequent reasoning revolves around the right to privacy (and the
protection of personal data), its analysis of the UK data retention regime
suggests that interferences with privacy have corresponding effects on freedom
of expression. It is, therefore, implicit in the CJEU’s analysis that
protecting privacy is beneficial for broader societal aims. That said, it would
have been preferable for the CJEU to more explicitly recognise the importance
of privacy to society, as the European Court of Human Rights has done in
relation to data retention and other surveillance powers. Yet, having found
that DRIPA ‘exceeds the limit of what is strictly necessary and cannot be
considered to be justified, within a democratic society’, the CJEU has referred
the case to the English Court of Appeal for a decision on whether UK law is
consistent with EU requirements. There is, therefore, an important opportunity
for the UK data retention regime to reflect a more appropriate balance in light
of the CJEU’s rebalancing exercise.

Is balancing always appropriate?

Arguing for a more appropriate balance does not mean that
balancing, itself, is always appropriate. In the context of investigatory
powers, the CJEU has confirmed that interferences with fundamental rights, such
as privacy, must ‘respect the essence of those rights’, as stipulated by
Article 52(1) of the CFEU. More precisely, fundamental rights, as legal norms,
are not only categorised as principles that may be balanced against other
competing principles but are also capable of generating rules that are applied
in a binary manner determining the outcome of a case. While theoretical debate
questions whether the essence of each right is relevant to, or directly the
outcome of, the balancing exercise, legal practice now dictates that the
essence of a fundamental right may not be restricted or balanced, no matter how
pressing the competing public interest.

               Determining
what constitutes the inviolable essence of a fundamental right is ultimately a
matter of normative inquiry and contextual interpretation. However, in the
context of data retention, and insofar as the right to privacy is concerned,
one can conclude that a ban on general and indiscriminate retention of the
‘content’ of communications, as well as biometric data, forms part of the
inviolable essence of privacy. Significantly, the CJEU maintains an operative
distinction between the ‘content’ of communications (‘what is said or written’)
and ‘communications data’ (‘the who, when, where and how of a communication’).
Invalidating the EU Data Retention Directive in Digital Rights Ireland and
Seitlinger and Others
, the CJEU held that although the retention of
communications data constitutes a ‘particularly serious’ interference with the
right to privacy, it was not ‘such as to adversely affect the essence of those
rights given that…the directive does not permit the acquisition of knowledge of
the content of electronic communications as such’. While later decisions have
found that ‘general and indiscriminate retention’ of communications data is
incompatible with EU law, the CJEU maintains that such obligations do not
trigger the essential core of privacy. Accordingly, balancing exercises may
still be appropriate where blanket retention obligations only apply to
communications data. On that basis, the UK data retention regime has sought to
reflect a more appropriate balance by responding to the CJEU’s demands for
stricter legal safeguards when law enforcement agencies handle communications
data.

               Yet it
is still not clear that balancing is appropriate. The practical distinction
between content and communications data is questionable. The CJEU, itself,
recognises that, ‘taken as a whole’, communications data is ‘liable to allow
very precise conclusions to be drawn concerning the private lives of persons
whose data has been retained, such as everyday habits, permanent or temporary
places of residence, daily or other movements, the activities carried out, the
social relationships of those persons and the social environments frequented by
them’. Citing the Advocate-General’s Opinion in Watson, the CJEU notes how such
data provides ‘information that is no less sensitive, having regard to the
right to privacy, than the actual content of communications’. Therefore, a
benevolent reading of the CJEU’s judgments suggests that the distinction
between content and communications data is one of degree not kind.  In this way, the more systematic and
pervasive the retention and analysis of communications data, the closer it
moves towards the inviolable essence of privacy and data protection.
Ultimately, the logical conclusion is that the most systematic and pervasive
forms of retention and analysis of communications data can be regarded as
constituting an interference with the inviolable essence of privacy.

               Applying
this analysis to the UK regime, certain balancing exercises may be
inappropriate. Notably, the IPA provides data retention notices which mandate
telecommunications providers to retain site-level web-browsing histories
(‘internet connections records’) for up to 12 months. The government
acknowledges that such data are more intrusive than ordinary communications
data. Operating in the context of ‘general and indiscriminate’ retention
practices, this particular aspect of the regime (not specifically addressed by
the CJEU) plausibly violates the essence of privacy. Equally, such practices
may also interfere with the essence of freedom of expression. That
telecommunications providers are mandated to log online reading habits is
analogous, in the offline world, to keeping a list of the books, newspapers and
magazine that individuals have read for the last year. Noting the
aforementioned chilling effects on freedom of expression caused by such data
retention practices, such intrusions may be per se unlawful (and inappropriate).
Book titles, for example, are arguably part of the content of books or, at
least, have some content-like attributes. If so, then, by analogy with CJEU
case law – albeit discussing privacy not freedom of expression – interferences
may impinge upon the ‘essence’ of a fundamental right, denying any balancing
exercise. Observing how the CJEU’s analysis of ‘far-reaching’ and ‘particularly
serious’ interferences has recently extended to include the fundamental right
to freedom of expression, further grounds are provided to challenge the UK data
retention regime and any balance it seeks to reflect.

Conclusion

There is a tendency to legitimise data retention practices
by balancing the collective right to security against the individual right to
privacy. In so doing, however, the UK regime does not reflect an appropriate
balance between the efficiency and legitimacy of its aims. Of course, to speak
of any ‘balance’ is to speak metaphorically; it is not possible to assign
numerical values to the infringement of rights or levels of security. Absent a
common metric, however, plausible reasons can still be given for the relative
priority of rights and interests. This article has attempted to show the
implausibility of those reasons – found in legislation, case law and wider
debates – by highlighting common misunderstandings about the impact and nature
of data retention. For the UK, as elsewhere, the balance must be tipped beyond
privacy and the individual, to recognise the impact of data retention on other
rights which affect society as a whole. Critically, an appropriate balance must
also respect the inviolable essence of fundamental rights such as privacy and
freedom of expression.

Tristan Goodman is a recent law graduate and future trainee
solicitor at Slaughter and May