And no one goes to jail: Liberty & Ors v GCHQ

And no one goes to jail:

Liberty & Ors v GCHQ; Privacy International v FCO Investigatory Powers Tribunal. (IPT) Decision 5 December 2014

Elspeth Guild

In this article, Elspeth Guild (CEPS) presents the outcome of a key decision by the UK’s Investigatory Powers Tribunal on mass surveillance, more specifically the warrantless collection and storage of digital information by governmental authorities. Online surveillance and the follow-up to the PRISM scandal of 2013 are key components of the topic of societal security, central to the SOURCE project, and this contribution highlights the main challenges that this judicial decision encompasses.


This is a much awaited decision – the first judicial consideration of the NSA programmes on mass surveillance, PRISM, UPSTREAM (and TEMPORA) – by the Investigatory Powers Tribunal (IPT). This court in the United Kingdom investigates and determines complaints of unlawful use of covert techniques by public authorities infringing the right to privacy and claims against intelligence or law enforcement agency conduct which breaches a wider range of human rights. The IPT, as a number of the organisations involved in the case have pointed out frequently since the judgment, has never, in its over 15 years of existence, found against the UK intelligence agencies on a right to respect for privacy argument. As an intelligence community oversight body, this Tribunal has been quite gentle with the services. Yet, it is too easy to write off this Tribunal as yet another toothless UK body – this judgment deserves further attention even though it finishes with a complete vindication of the services.

The plaintiffs were Liberty (The National Council of Civil Liberties), Privacy International, American Civil Liberties Union, Amnesty International and Bytes for All. The defendants were GCHQ, the FCO and Government Communications Headquarters (and others). The central issue was whether the (assumed but never admitted) activities of MI5, MI6 and GCHQ (generally called the intelligence services) in the US NSA programmes of PRISM, UPSTREAM (and TEMPORA which lurks in the background) of mass or bulk surveillance of the internet and other internet based media as revealed by Edward Snowden in June 2013 are consistent with the UK’s obligations to respect private life and the right of freedom of expression as contained in the Human Rights Act and the European Convention on Human Rights (Articles 8 and 10).

The central question to which all the participants kept returning was the ‘warrantless’ nature of the surveillance programmes collecting, storing, manipulating and sharing information about massive amounts of emails and other internet communications as well as telecommunications for national security purposes. There are many additional issues which arise in the pleadings and judgment not least about the nature of the right to respect of privacy and expression, but at the core is the compatibility of bulk surveillance with privacy.

An issue which colonises many pages of the judgment (itself over 60 pages long) is the difference of rights between people in the UK and those outside it. The degree of privacy which those outside the UK are entitled to is generally accepted by the IPT as possibly only tangentially carrying rights of respect for privacy. The inside/outside divide is central to much of the argument. This is not least a result of the framework of the legislation under scrutiny, the Regulation of Investigatory Powers Act 2000 (RIPA), which contains extensive provisions on the issue of warrants for surveillance of all kinds (argued at great length in the judgment) but which does not directly cover stuff which falls into the hands of the UK intelligence services by way of agreements (arrangements in the judgment and the intelligence-speak of the decision) with other countries such as the USA. These are covered, it would seem, by codes of practice which apply to what the IPT calls the ‘below the waterline’ conduct and practices of the Intelligence Services (though in the end the IPT finds legal bases for these practices). Protecting these practices required a closed material procedure to be carried out by the IPT to determine whether they were compatible with the UK’s human rights obligations.

The human rights arguments revolve around three main issues:

·       What is the quality of the law (RIPA or other) which is the legal basis for the activities in one way or another?

·       Is this law adequately accessible and foreseeable that people know what is happening to their privacy?

·       Does the exception to the right to respect for privacy (or freedom of expression) on the basis of national security actually cover what is being done?

These issues unpack a large number of subsidiary ones not least the quality of UK oversight of the intelligence services and others.

The first striking aspect of the decision of the IPT is just how opaque it is. It is rare to come across such a profoundly unreadable judgment by any court. Normally, courts make some effort to ensure that their decisions are accessible at least to members of the legal community if not to lay people. The skeleton arguments submitted to the IPT were all models of clarity and order in terms of their arguments. As we know, often judges cut and paste from skeleton arguments to make use of counsel’s excellent work in the crafting of their judgments. That clearly was not the case here. This is as ponderous and as confusing a judgment as I have come across in a long time. It is very lengthy, it is divided into what appears to be a fairly arbitrary number of sections (PRISM starting at para 14, S 8(4) at para 61 then some final bits thrown in at the end). The decision includes various chunks of other judgments, not always of obvious use to the argument at issue, for instance the IPT’s own work (British Irish Rights Watch decision 9 December 2009) at great length from para 83 onwards but of no great authority, as the IPT itself confirms after five pages of quotes (“albeit not binding on us…” para 87). This is indeed a tedious judgment to read, I would not put it on a mandatory reading list for LLM students. At paras 153 et seq the IPT provides a ringing ‘summary’ of the decision which discards all the detailed intricacy of the arguments and for 3 pages explains in fairly simple language that all is well in UK intelligence oversight. If the approach to writing which the IPT adopted for these three pages had been used for the rest of the judgment the reader would have had a much easier time of it.

Leaving aside then the politics of writing strategies – perhaps the most fundamental aspect of the judgment is one never articulated at all. The activities of the intelligence service are required to find legal bases in the existing law, even if, as is the case for the receipt of information from the NSA, this takes place in the context of ‘below the waterline’ (ie secret to all of us and only revealed in closed material procedure) practices. These practices too must be covered by binding codes of conduct which have little buoys above the waterline which indicate to the discerning public that the adequately accessible and foreseeable test is fulfilled. What is going on here? It seems to me that the mere existence of the IPT in the form of a tribunal shines the spotlight on law and its capture of intelligence service activities. Every aspect of the intelligence services practices must be bundled into law (mainly RIPA but also some other odds and ends where RIPA is not applicable, see para 17).

As one reads through the rather turgid prose, an image is conjured up of a whole group of intelligence service employees being interrogated by their lawyers to figure out what legal basis they might claim applicable to the practices which are taking place. The court procedures require that legal bases are found – law takes a central grip on practice because otherwise the practice will be unlawful. This outcome would be catastrophic as the IPT notes at para 19 – if the surveillance activities of the intelligence services are not covered by law then not only are they unlawful, they will probably be criminal as a result of the Data Protection Act 1998 and Official Secrets Act 1989. Each intelligence service employee engaged in data collection is a ‘data controller’ for the purposes of the Data Protection Act. If his or her activities are not protected by statute then he or she will be disclosing information without lawful authority which is a criminal offence (S 1(1) Official Secrets Act 1989). So potentially, everyone goes to jail if the IPT does not find a legal basis for each and every data activity.

One of the key arguments made by the lawyers for the intelligence services is that all the activities must be lawful as they are all covered by a variety of oversight bodies. First, the Intelligence and Security Committee of Parliament (ISC) is considered. First established in 1994 to examine the policy, administration and expenditure of the Security Service, Secret Intelligence Service (SIS), and GCHQ, it was reformed in 2013. The ISC is now a Committee of Parliament with powers including oversight of operational activity and the wider intelligence and security activities. Besides overseeing the three agencies, the ISC also checks the intelligence-related work of the Cabinet Office including: the Joint Intelligence Committee (JIC); the Assessments Staff; and the National Security Secretariat. The Committee also provides oversight of Defence Intelligence in the Ministry of Defence and the Office for Security and Counter-Terrorism in the Home Office. Members of the ISC are appointed by Parliament and the Committee reports directly to Parliament. The Committee may also make reports to the Prime Minister on matters which are national security sensitive. Clearly this is a busy committee with lots to do.

There is also the Intercept of Communications Commissioner who is required to report to the Prime Minister annually on his functions which include a constant review of the intelligence services (para 24). But as the IPT is forced to conclude, its own role as a supervisory body is superior to those other two (para 46 which rather unhelpfully refers the reader to paras 70 – 76 for the arguments about its superiority but which paragraphs seem to deal with quite different issues). The IPT justifies its superior position on the basis that it has inter partes argument (except of course for the closed material proceedings); it has public hearings (except of course for the close material proceedings); it has access to all secret information; and it has the benefit of full argument (except in closed material proceedings). The delight of the IPT in justifying its superiority over other oversight bodies sits uncomfortably with the argument that intelligence services activities must be lawful because they are subject to a lot of oversight. One might be tempted to conclude that the IPT suspects that it may be the only oversight body which demands legality.

This claim is somewhat belied by the discussion of oversight of PRISM, UPSTREAM (and TEMPORA) where even the IPT, in its one and only wobble on the legality of the intelligence services activities accepts that there may be a problem of safeguards (the s16 RIPA issue at para 53) where data arrives as a result of an intelligence services request to their US counterparts. However, as the Secretary of State must approve any request it must be lawful. All of this is the ‘below the waterline’ procedures which are subject to their own codes (and very tenuous connection to provisions of a variety of acts) and thus also in the opinion of the IPT are lawful (see also para 117 and 118).

None of this deals with the problem of law being adequately accessible and foreseeable for people in order to qualify as law at all (the Quinton and Gillan v UK point). The few responses which the IPT makes to this necessary qualification of law are based on the national security exception and some really rather arcane arguments that because there are a number of oversight bodies writing annual reports, everyone knows what is going on and so there is accessibility and foreseeability (para 89 et seq). 

In the consideration of the warrant/warrantless issue (the so-called s8(4) RIPA matter) there is detailed discussion of the separation of internal and external communications. This fits well with the national legislation but from the perspective of the European Convention of Human Rights it is perhaps not quite so central. Article 8 – the right to respect for privacy is not limited to citizens so these fine distinctions are not obviously relevant to the nature of privacy, though some of the claimants argued it is relevant for the degree of responsibility. If a national court were tempted to look to the famous unwritten British constitution, then the internal/external argument might have more traction. Instead the IPT finds that there is no problem with the so-called warrantless searches as they are not really warrantless at all. The wording of the RIPA provision on general warrants (the s8(4) external ones) is acknowledged as wide and might even be characterised as all-encompassing but according to IPT it is nonetheless a warrant provided for by law (para 100). Further, regarding the safeguards, the IPT finds no problem with the current arrangements (para 114).

At this point, however there is a moment when everyone seems to be holding their breath – at para 111 the IPT tries to take on board the Court of Justice of the European Union’s judgment in Digital Rights Ireland (Case C-293/12, 8 April 2014). Only one very small paragraph of the judgment is cited – the CJEU’s finding of an absence of any relationship between the data retention directive and a threat to public security. The IPT carefully tiptoes around the rest of the judgment which potentially could be seen as something of a challenge to a system where the claim of national security without more is sufficient to trump the foreseeability requirement (para 116).

In the end, one is unsatisfied that the right to respect for privacy has been upheld. The proportionality test which the IPT carries out, although called proportionality actually resembles a British ‘reasonableness test’ instead. To be a proper proportionality test the primacy of the right must be the starting point against which the strength of the argument for an exception is tested to see whether it can justify a limitation of the right. Proportionality is not the equivalent on a man-on-the-Clapham-omnibus reasonableness test where the judge puts him or herself in the place of a reasonable person and so decides. Proportionality is designed to protect rights not to assess what is reasonable.

For all the words used in the judgment, one is equally unconvinced that there is actually much foreseeability in either the law or practice. The degree of dragging about in different statutes to find legal bases for various bits of practice seems excessive. The fact that most of us had no idea what was going on until Mr Snowden told us is, according to the IPT, no excuse for our ignorance. If we had been reading all the oversight reports and following all the discussions we might have got a tiny inkling of what was going on and how it affects our emails. One really wonders why this is considered sufficient by the IPT. 

The case ends with a see-you-soon card. A number of issues never get fully ventilated as most of the parties will be meeting again soon in the case of Belhadj where instead of the privacy of our correspondence being at stake, there is someone who suffered terribly on account of loose data. According to the BBC, after the 11 September attacks and the US-led invasion of Afghanistan in 2001, Mr Belhadj fled Libya where he was a dissident against Gadhafi, only to be arrested in 2004 in Thailand by the CIA and then handed over to Gaddafi's government. The role of the UK intelligence services is central to Mr Belhadj’s fate. For the moment, though, no one is going to go to jail.

Go to top