Tristan Goodman questions whether the UK data regime strikes an appropriate balance between efficiency and legitimacy
‘There is a balance to be found between our individual right to privacy and our collective right to security’.
Chairing the first public hearing of the Intelligence and Security Committee in 2014, Sir Malcolm Rifkind’s announcement summarises the central aims of the UK data retention regime now governed by the Investigatory Powers Act 2016 (IPA): first, to ensure that law enforcement bodies and national intelligence agencies can conduct effective investigatory powers and, second, to justify, formalise, and regulate data retention activities which may be used to interfere with an individual’s right to privacy. However, despite considerable efforts, the UK regime does not reflect an appropriate balance, by overestimating the legitimacy of its aims. While legal analysis forms part of this argument, data retention is an area where rapidly changing technologies arguably escape enduring legal responses. As such, it is necessary to provide a critical analysis of the wider debates which constitute the regime as a whole. Noting the factual and normative aspects of balancing exercises, both the impact and nature of data retention must be better understood if the UK regime is to reflect a more appropriate balance.
Tipping the balance beyond privacy and the individual
As Rifkind’s announcement indicates, the impact of data retention is commonly understood as interfering with an individual’s right to privacy. That understanding is continually reaffirmed in public and political debates, as well as providing the legal basis upon which data retention obligations are justified. However, these ideas reflect a common misunderstanding of the issues at the heart of the debate. In practice, data retention impacts a broad range of rights, including those related to privacy, which affects societies as well as individuals.
Let us consider the right to freedom of expression. Though intuition may suggest that privacy and freedom of expression are inherently conflicting rights, reality demonstrates that a degree of privacy is required for freedom of expression to function properly. Evidently, for the press to inform the public about state misconduct, there must be an assurance that journalistic sources will not be made known to the state; otherwise, there can be a ‘chilling effect’ or ‘collateral impact’ on the freedom of expression of a press that is no longer ‘free’. The implication is not that any use of data retention to identify journalistic sources is necessarily inappropriate, but rather that the impact on freedom of expression must be part of the balancing exercise. Notably, the UK Investigatory Powers Tribunal (IPT) recently adopted this approach, but it has failed to translate into the provisions of the IPA.
While the Code of Practice for data retention acknowledges that ‘there is a strong public interest in protecting a free press and freedom of expression in a democratic society’, privacy is essential for freedom of expression in a variety of democratic contexts. David Anderson QC succinctly summarises, ‘[j]ust as democracy is enabled by the privacy of the ballot box, so expression of dissenting views is enhanced by the ability to put them across anonymously’. Moreover, in an age where social networking services have evolved to enable political deliberation, the press no longer have ‘a monopoly on speaking truth to power’. Therefore, the rational behind ensuring press freedoms can, and should, be extended to other (online) actors. Without a reasonable expectation of privacy, many would not speak out against state misconduct, not only journalistic sources.
To some extent, the CJEU has acknowledged this point in relation to the UK data retention regime. In Tele2 Svergige AB/Tom Watson and Others, the CJEU, finding the now expired Data Retention and Investigatory Powers Act 2014 (DRIPA) incompatible with privacy protections under the Charter of Fundamental rights of the European Union (CFEU), suggested: ‘The fact that data is retained without the subscriber or registered user being informed is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance’. The implication is that individuals may avoid online activities which engage politically sensitive subjects, undermining critical deliberative processes. While Anderson suggests that the CJEU should have ‘sought to avoid assertions based on theory or on informal predictions of popular feeling’, there is growing empirical evidence of the ‘actual harms’ implicit in its suggestion. Again, the conclusion is not that all data retention practices are necessarily inappropriate; regulation of extreme or hateful speech can pursue legitimate aims which promote social cohesion and security. Nonetheless, the real and significant impact on freedom of expression – particularly, political expression – should be taken more seriously in the balancing exercise.
However, the debate should not be conducted simply on the level of ‘individual versus state’. Data retention impacts the societies in which individuals are situated. Again, the CJEU has indicated that the UK data retention regime may need rebalancing in this regard. In Watson, the CJEU concluded that data retention ‘raises questions relating to…freedom of expression’, which ‘constitutes one of the essential foundations of a pluralistic, democratic society’. While the CJEU’s subsequent reasoning revolves around the right to privacy (and the protection of personal data), its analysis of the UK data retention regime suggests that interferences with privacy have corresponding effects on freedom of expression. It is, therefore, implicit in the CJEU’s analysis that protecting privacy is beneficial for broader societal aims. That said, it would have been preferable for the CJEU to more explicitly recognise the importance of privacy to society, as the European Court of Human Rights has done in relation to data retention and other surveillance powers. Yet, having found that DRIPA ‘exceeds the limit of what is strictly necessary and cannot be considered to be justified, within a democratic society’, the CJEU has referred the case to the English Court of Appeal for a decision on whether UK law is consistent with EU requirements. There is, therefore, an important opportunity for the UK data retention regime to reflect a more appropriate balance in light of the CJEU’s rebalancing exercise.
Is balancing always appropriate?
Arguing for a more appropriate balance does not mean that balancing, itself, is always appropriate. In the context of investigatory powers, the CJEU has confirmed that interferences with fundamental rights, such as privacy, must ‘respect the essence of those rights’, as stipulated by Article 52(1) of the CFEU. More precisely, fundamental rights, as legal norms, are not only categorised as principles that may be balanced against other competing principles but are also capable of generating rules that are applied in a binary manner determining the outcome of a case. While theoretical debate questions whether the essence of each right is relevant to, or directly the outcome of, the balancing exercise, legal practice now dictates that the essence of a fundamental right may not be restricted or balanced, no matter how pressing the competing public interest.
Determining what constitutes the inviolable essence of a fundamental right is ultimately a matter of normative inquiry and contextual interpretation. However, in the context of data retention, and insofar as the right to privacy is concerned, one can conclude that a ban on general and indiscriminate retention of the ‘content’ of communications, as well as biometric data, forms part of the inviolable essence of privacy. Significantly, the CJEU maintains an operative distinction between the ‘content’ of communications (‘what is said or written’) and ‘communications data’ (‘the who, when, where and how of a communication’). Invalidating the EU Data Retention Directive in Digital Rights Ireland and Seitlinger and Others, the CJEU held that although the retention of communications data constitutes a ‘particularly serious’ interference with the right to privacy, it was not ‘such as to adversely affect the essence of those rights given that…the directive does not permit the acquisition of knowledge of the content of electronic communications as such’. While later decisions have found that ‘general and indiscriminate retention’ of communications data is incompatible with EU law, the CJEU maintains that such obligations do not trigger the essential core of privacy. Accordingly, balancing exercises may still be appropriate where blanket retention obligations only apply to communications data. On that basis, the UK data retention regime has sought to reflect a more appropriate balance by responding to the CJEU’s demands for stricter legal safeguards when law enforcement agencies handle communications data.
Yet it is still not clear that balancing is appropriate. The practical distinction between content and communications data is questionable. The CJEU, itself, recognises that, ‘taken as a whole’, communications data is ‘liable to allow very precise conclusions to be drawn concerning the private lives of persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them’. Citing the Advocate-General’s Opinion in Watson, the CJEU notes how such data provides ‘information that is no less sensitive, having regard to the right to privacy, than the actual content of communications’. Therefore, a benevolent reading of the CJEU’s judgments suggests that the distinction between content and communications data is one of degree not kind. In this way, the more systematic and pervasive the retention and analysis of communications data, the closer it moves towards the inviolable essence of privacy and data protection. Ultimately, the logical conclusion is that the most systematic and pervasive forms of retention and analysis of communications data can be regarded as constituting an interference with the inviolable essence of privacy.
Applying this analysis to the UK regime, certain balancing exercises may be inappropriate. Notably, the IPA provides data retention notices which mandate telecommunications providers to retain site-level web-browsing histories (‘internet connections records’) for up to 12 months. The government acknowledges that such data are more intrusive than ordinary communications data. Operating in the context of ‘general and indiscriminate’ retention practices, this particular aspect of the regime (not specifically addressed by the CJEU) plausibly violates the essence of privacy. Equally, such practices may also interfere with the essence of freedom of expression. That telecommunications providers are mandated to log online reading habits is analogous, in the offline world, to keeping a list of the books, newspapers and magazine that individuals have read for the last year. Noting the aforementioned chilling effects on freedom of expression caused by such data retention practices, such intrusions may be per se unlawful (and inappropriate). Book titles, for example, are arguably part of the content of books or, at least, have some content-like attributes. If so, then, by analogy with CJEU case law – albeit discussing privacy not freedom of expression – interferences may impinge upon the ‘essence’ of a fundamental right, denying any balancing exercise. Observing how the CJEU’s analysis of ‘far-reaching’ and ‘particularly serious’ interferences has recently extended to include the fundamental right to freedom of expression, further grounds are provided to challenge the UK data retention regime and any balance it seeks to reflect.
There is a tendency to legitimise data retention practices by balancing the collective right to security against the individual right to privacy. In so doing, however, the UK regime does not reflect an appropriate balance between the efficiency and legitimacy of its aims. Of course, to speak of any ‘balance’ is to speak metaphorically; it is not possible to assign numerical values to the infringement of rights or levels of security. Absent a common metric, however, plausible reasons can still be given for the relative priority of rights and interests. This article has attempted to show the implausibility of those reasons – found in legislation, case law and wider debates – by highlighting common misunderstandings about the impact and nature of data retention. For the UK, as elsewhere, the balance must be tipped beyond privacy and the individual, to recognise the impact of data retention on other rights which affect society as a whole. Critically, an appropriate balance must also respect the inviolable essence of fundamental rights such as privacy and freedom of expression.
Tristan Goodman is a recent law graduate and future trainee solicitor at Slaughter and May