
The mass surveillance scandal fallout

November 2014

Over the last year the extent of NSA and GCHQ monitoring of communications has come under increasing scrutiny and informed privacy policy in Europe.

Government mass surveillance

In the USA, in a controversial ruling in January, a district judge questioned the legality of the US National Security Agency's (NSA's) metadata counterterrorism programme. While other judges have backed the programme in the past, Judge Leon said the government was basing its legal justification on a 34-year-old ruling which had been superseded by technological advances.

The US Privacy and Civil Liberties Oversight Board also advised that the NSA's mass surveillance programme should stop, holding by a three to two majority that there is no legal foundation for it under the Patriot Act. All members agreed data collected should be deleted sooner and that the daily collection of phone records was ineffective. President Obama said he would end the programme as it exists but that surveillance and mass data collection would continue.

The Deputy Director of the NSA said in March that the NSA may start releasing transparency reports detailing the extent of its surveillance activities. Speaking at a TED talk, he criticised Edward Snowden for putting lives at risk by releasing information about the NSA's surveillance methods, but also said that the NSA needed to do more to reassure people about its work. One of the suggestions it is apparently considering is publishing transparency reports similar to those published by internet companies.

In Europe, judges at the European Court of Human Rights (ECHR) ordered the UK government to provide submissions by the beginning of May about whether GCHQ's surveillance programme could be a violation of the right to privacy under Article 8 of the European Convention on Human Rights. The questions were put in response to a case brought by privacy groups which has been fast-tracked by the ECHR.

Following a European Parliamentary report on mass surveillance, the Article 29 Working Party (WP) adopted an Opinion on surveillance of electronic communications by way of response to the Snowden revelations. The WP was, unsurprisingly, of the view that terrorism and threats to national security did not justify covert, massive, indiscriminate and systematic surveillance of EU citizens which interferes with their fundamental rights and breaches European law. The WP advocated a transparent system which would allow citizens to understand what sort of information intelligence services access. It also argued for independent supervision of intelligence services, potentially partly by data protection authorities, and for the use of existing and future legislation to protect the rights of individuals in relation to the activities of the intelligence services.

In June, the UK government published a defence of its mass surveillance programme in response to the case brought by Privacy International and various civil rights groups. Charles Farr, the government's most senior security official, argued that searches on Google, Facebook, Twitter and YouTube, and emails to or from non-British citizens abroad, could be monitored by the security services on a mass basis without the need for a warrant because they are classed as "external communications". The argument about external communications extends to the concept of web searches constituting external communications with web-based platforms abroad. The government acknowledged the existence of the Prism programme but said it could "neither confirm nor deny" Tempora.

The publication of the defence led to renewed calls for the overhaul of RIPA and for the introduction of new safeguards against routine surveillance of web searches, emails and social media without the need to obtain a warrant.

In July, seven ISPs from around the world joined with pressure group Privacy International to take action against GCHQ in relation to its surveillance activities. The ISPs claimed that GCHQ carried out illegal network attacks. This was the third case Privacy International had filed as a result of the Snowden revelations. The claims included allegations that GCHQ contravened the UK Computer Misuse Act and Article 1 of the First Additional Protocol to the European Convention on Human Rights, and that surveillance breached Articles 8 and 10 of the Convention.

Despite increasing pressure on governments in connection with their surveillance activities, 2014 has not seen a clear resolution of the issues. It seems most unlikely that campaigners (or indeed the EC) will achieve the results they are after, as many governments continue to prioritise national security over privacy.

Safe Harbor

As a direct result of the Snowden revelations, the Safe Harbor Framework, which US companies can self-certify they comply with in order to enable the legal export of EU personal data to them, has been called into question.

In February 2014, the European Parliamentary Committee for Civil Liberties, Justice and Home Affairs adopted a report calling for a suspension of Safe Harbor pending a full review and making a series of recommendations to improve the scheme.

The following month, the European Data Protection Supervisor (EDPS) published an Opinion in response to the European Commission's Communication on rebuilding trust in EU-US data flows. The EDPS supported maintaining the Safe Harbor scheme but said revocation of the scheme should be considered if the USA failed to respond by making the improvements recommended by the EC.

The EDPS suggested the US surveillance activities may have been of greater significance than the EC allowed, infringing EU citizens' rights to privacy and data protection and potentially affecting EU legal instruments.

The EDPS was particularly concerned that the principles of necessity and proportionality were not observed by the US security services and are not enshrined in relevant US law.

The EDPS recommended that:

  • the EU adopt the new data protection Regulation to improve and consolidate existing law and adequately protect EU citizen personal data from other jurisdictions;
  • the Safe Harbor principles should be reviewed as recommended by the Commission but with tighter deadlines for compliance by the US;
  • access by the USA to EU personal data should take place only under existing legal instruments; and
  • the safeguards applying to EU-US law enforcement co-operation should be reinforced and care should be taken not to legitimise mass data transfers between the regions without appropriate safeguards and effective redress mechanisms for EU citizens in the event of breach.

In response to the serious concerns raised by the EC, the USA agreed to review the Safe Harbor framework and reiterated its commitment to Safe Harbor and to co-operation with Europe. In July, the US Attorney General announced the intention of enacting legislation to address one of the EU's principal concerns: the lack of legal redress for EU citizens in the USA for breach of privacy rights. This was greeted with cautious approval by the EC pending actual enactment.

At the time of writing, there have been no concrete proposals by the USA in relation to the reform of Safe Harbor. The FTC is currently considering a complaint filed by the Center for Digital Democracy alleging that 30 companies are failing to comply with Safe Harbor and calling for an investigation. The companies in question are involved in data profiling, online targeted advertising and data brokering. The complaint accuses the companies of not being transparent with EU citizens about what data is being collected and how the data is going to be used. It will be interesting to see how the FTC responds to the complaint and whether it decides to investigate further, given the current EU focus on the Safe Harbor framework and its fitness for purpose.

The Data Retention Directive – R.I.P.

In January, the Attorney General (AG) gave his Opinion on two references on the Data Retention Directive (Directive), which was introduced in the aftermath of the Madrid and London bombings. The Directive required communications service providers to retain certain types of traffic, subscriber and location data for between six and 24 months and to make that data available for the purposes of investigation, detection and prosecution of serious crime.

The AG opined that the Directive was, as a whole, incompatible with Article 52(1) of the EU Charter of Fundamental Rights, as the limitations on the exercise of fundamental rights it contained were not accompanied by the principles needed to govern the guarantees regulating access to the data and their use. The AG also held that the retention period of up to two years was too long to be compatible with Articles 7 and 52(1) of the Directive. While the ultimate objective of the Directive was found to be legitimate, it breached the principle of proportionality by requiring such a lengthy retention period.

The Opinion showed a distinct change in policy since the Directive was introduced in 2006, quite possibly as a result of the mass surveillance scandal. While the Court of Justice of the European Union (CJEU) ruling that the Directive was invalid (which followed the Opinion) technically applies retrospectively, meaning the government never had the right to retain the data in the first place, there has been uncertainty following the judgment as to whether the Directive should continue to apply until such time as the EU agrees replacement legislation. In the UK, however, new legislation was rushed through to fill the gap.

In August, the government passed the Data Retention and Investigatory Powers Act 2014 (which rejoices in the acronym DRIP) to ensure that telecoms and internet service providers continue to collect and store communications data following the CJEU's finding that the Directive was invalid. The government took the view that it was necessary to act urgently, as communications providers had said they would begin deleting stored data following the CJEU ruling on the Directive.

The government argued that DRIP does nothing more than consolidate and clarify current rules and bring them into line with the findings of the CJEU, although it is expected that much of this will be done through secondary legislation.

Under DRIP, public telecommunications operators can be required to store communications data for up to a year if the Secretary of State thinks it is necessary to help detect and prevent terrorism and other serious crimes. DRIP applies to providers of a service "which consists in or includes facilitating the creation, management or storage of communications transmitted or that may be transmitted, by means of such a system." The Interception of Communications Commissioner will issue reports on how the new rules are being implemented every six months. In addition, a new independent reviewer will be appointed to consider anti-terrorism legislation and privacy safeguards.

DRIP allows the government to issue retention notices requiring public telecommunications operators to retain relevant communications data for up to 12 months if the Secretary of State considers the requirement is necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (h) of s22(2) RIPA. DRIP is also intended to provide a clear legal framework around interception of communications following complaints that RIPA fails to do so.

Retention notices need to set out details of what needs to be retained and for how long, as well as any other relevant requirements. There is scope for the Secretary of State to make further provisions for the retention of relevant communications data. Public telecommunications service providers retaining data under a retention notice must not disclose it other than in accordance with Chapter 2 of Part I RIPA, a court order, other judicial authorisation or warrant, or any applicable secondary legislation.

The definition of "Communications Data" is unchanged from that used in RIPA. "Relevant Communications Data" includes unsuccessful call attempts stored or logged in the UK. Grounds for issuing warrants and obtaining data are slightly amended from those under s5(3)(c) and s22(2)(c) of RIPA, mainly to add specific references to the interests of national security. Amendments are also made to the extra-territoriality provisions under Part I of RIPA.

In return for backing the new law, Labour and the Lib Dems secured a number of safeguards including:

  • the creation of a new Privacy and Civil Liberties Oversight Board to look at the impact of the law on privacy and civil liberties;
  • annual transparency reports on the use of the powers under DRIP;
  • the appointment of a senior former diplomat to lead discussions with the USA to establish a new data sharing agreement between the UK and the USA;
  • a restriction on the number of public bodies able to use communications data under RIPA;
  • a termination clause stating that the powers under DRIP expire at the end of 2016; and
  • a wider review of the powers needed during the next parliament.

Liberty, the civil rights campaign group, has said it will seek a judicial review of the Act. Whether or not it will be successful remains to be seen.

Debbie Heywood

Debbie looks at the impact of the Snowden revelations on the privacy landscape during 2014.