Hasan Dindjer Takes a Look at the Parliamentary Legal Advice on GCHQ Surveillance

On Wednesday a group of British legislators published legal advice suggesting that a great deal of the surveillance carried out by GCHQ is most likely unlawful. The advice was commissioned by the All Party Parliamentary Group on Drones, an informal grouping of MPs and peers, and was written by barristers Jemima Stratford QC and Tim Johnston. As Ben points out, it got a fair amount of attention in the UK, and its striking conclusions – not least about the potential criminal liability of GCHQ staff – are one reason for that. The advice addresses the legality of GCHQ’s allegedly passing information to NSA that might be used in the planning of drone strikes. But along the way to answering that question, the advice ends up being very wide-ranging, and it considers the lawfulness of various presumed GCHQ activities which are of interest outside the context of drones. The authors consider five possible scenarios based on assumed facts drawn from the Snowden disclosures. The scenarios are, briefly: (a) intercepting bulk electronic data sent between persons both located in the UK, (b) retaining that data and subjecting it to ‘pattern of life’ analysis, (c) sharing data with NSA, (d) sharing data with NSA so that it is available for targeting drone strikes, and (e) US forces operating from UK bases transferring data obtained unlawfully and/or for drone strike targeting. The five scenarios form a sequence, with the lawfulness of each step depending on the lawfulness of all previous steps.

Bulk Data Interception

Bulk data interception is governed by the Regulation of Investigatory Powers Act 2000 (‘RIPA’). As far as contents data is concerned, RIPA distinguishes internal from external communications (the latter being communications “sent or received outside the British Islands”). According to the advice the distinction is usually fairly clear, and scenario (a) is plainly one of internal communications. The authors consider the counter-argument that interceptions made on a transatlantic cable are external, but reject it as “an artificial construction, which does not reflect the language or intention of the statutory framework,” and one that would, for example, render a mobile telephone call between two persons in the UK “external” where the signal travels by satellite. RIPA only allows interception of internal contents data subject to control mechanisms, including the requirement that the warrant identify a named person or premises. Since bulk collection is not targeted in this way, the advice concludes that scenario (a) is unlawful under the statute. The authors consider bulk collection of external contents data to be lawful under RIPA, since here there is no requirement that persons or premises be named. Nevertheless, there remains the question whether such collection would be compatible with the European Convention on Human Rights (‘ECHR’). The ECHR is binding on the UK as a matter of international law, though UK courts are not permitted to disapply or strike down statutes that are incompatible with it. The advice makes the case that RIPA’s authorisation of bulk collection of external contents data is incompatible with the right to privacy under Article 8 of the ECHR, which provides, in relevant part:

8.1 Everyone has the right to respect for his private and family life, his home and correspondence.

8.2 There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law…

The phrase “in accordance with the law” has been given a fairly broad interpretation in the jurisprudence and requires certain minimum safeguards to avoid abuses of power (Liberty v United Kingdom Application No. 58243/00). The opinion argues that in this respect RIPA is “very probably unlawful.” It “provides too wide a discretion to the Secretary of State in respect of the categories and kinds of documents” that may be collected, for instance in allowing her to “order the interception of all material passing along a transatlantic cable.” So much for bulk collection of contents data. RIPA has a different regime for “communications data” (i.e. metadata). In this area, there are fewer constraints and no distinction is made between internal and external communications. In the view of the authors, RIPA also falls foul of Article 8 in being insufficiently clear and certain about “the circumstances in which the executive may or may not authorise interception of communications data”; this renders it not “in accordance with the law” for the purposes of the ECHR. The advice also considers a potential argument that RIPA’s limitations do not apply at all where the interception takes place on a transatlantic cable since there the interception would not be “effected by conduct” within the UK (a trigger for the Act’s limitations). The authors “seriously doubt whether a court would accept that argument, not least because there would still be conduct connected with the interception in the UK.” In any event they consider that action taken outside the statute would be contrary to the ECHR.

Data Retention and Use

RIPA contains various limits on how intercepted data may be dealt with---who may see it, how long it can be kept for, and so on. However, the advice points out that RIPA does not appear to limit the uses to which data can be put (apart from its admissibility in court) and therefore pattern of life analysis may be performed. Moreover, it places no express restriction on the retention of non-suspects’ data. The authors regard the arguments here as “relatively finely balanced,” but conclude that more stringent safeguards would be needed to make the statutory scheme compliant with Article 8.

Data Sharing

Section 15 of RIPA provides that the limits on retention and use that apply where GCHQ itself holds contents data do not automatically apply where that data is shared with foreign powers. The Secretary of State has discretion to insist on the limits being adhered to but need not. The position regarding sharing metadata appears a little unclear, since RIPA in fact makes no mention of transfers of this sort. Considering the wording of the statute as a whole, and in particular that section 15 on data transfers refers only to “warrants” (not “authorisations” or “notices” which apply to communications data), the authors argue that RIPA does not authorise the transfer of communications data to third powers at all. The opinion concludes, therefore, that if communications data is being shared, it is being shared outside of the RIPA framework. This could only conceivably be lawful as an exercise of the Crown’s prerogative common law powers. The authors sound a constitutional warning: “whilst it is well-established that the Crown has such powers . . . we seriously question the propriety of the government relying on non-statutory (and hence necessarily unwritten and uncertain) powers in this field.” In any event, they take the view that both the RIPA framework for data sharing (subject to the Secretary of State’s wide discretion) and any potential sharing outside of RIPA (i.e. absent any statutory limits) amount to breaches of Article 8, for similar reasons to those above: overly wide executive discretion and insufficient safeguards. Memoranda of Understanding with the US might, the authors suggest, “represent an achievable way forward in relation to these issues.”

Sharing Data that Might be Used for Drone Strikes

Some of the advice’s most eye-catching conclusions come in its penultimate section on transfer of data used (or suspected of being used) to carry out drone strikes. Two different though related lines of argument are deployed. The first is that US drone strikes in Pakistan, Yemen and elsewhere are unlawful because there is no justification for them in the jus ad bellum (the authors reject a broad notion of “anticipatory self-defence”); therefore facilitating strikes by passing over data in the knowledge that it might be used for targeting is unlawful, in international and UK law. This first argument has to do with public law illegality. The second argument is that drone strikes “are not carried out in the context of an ‘international armed conflict’”; therefore combatant immunity does not apply, so carrying out a strike would amount to murder in UK law, and a person who assists a strike by transferring information would be personally liable in criminal law as an accessory to murder. (The latter point was recently the subject of the Khan case in the Court of Appeal. The claim failed on justiciability grounds.) The advice goes on to argue that were US service personnel to be transferring information used for drone strike targeting from British bases, they would also be committing crimes which the UK authorities could in principle prosecute. In short, the advice questions the lawfulness of every step in the sequence of assumed facts it considers. It concludes that bulk data collection is either ultra vires the statute, or else the statute is contrary to the ECHR. Its authors also regard the rules on retention, use and transfer of bulk data to be contrary to the ECHR. Some of these conclusions are necessarily based on analysis of European Court of Human Rights decisions which, though helpful, are not always straightforwardly analogous to the facts under consideration. There is now a chance for the Court to rule on these points; an application addressing them has been filed by Big Brother Watch and others (Application No 58170/13). Ben wondered in his post why this opinion by two lawyers in private practice should have become big news. I don’t want to overstate the extent to which it has become big news---it received fairly sparse coverage outside of the Guardian and the legal blogosphere---but it’s true that a lot of people are viewing it as an important development. That is partly because it’s unusual for legal advice to be sought and published by parliamentarians in this way (though the Intelligence and Security Committee has a call for evidence closing soon). It’s also partly because the opinion’s main author, Jemima Stratford QC, is a leading public law barrister and her conclusions are clearly very striking. But there is also an important wider context. Even though the Snowden revelations have been widely reported in the UK, the response to them has been in certain respects muted compared with the response in the US. In particular, it’s noticeable how little attention has been paid to the legal questions surrounding GCHQ’s activities. Whereas FISA and the FISA court are regularly (and rightly) brought up in debates in the US, RIPA and the Investigatory Powers Tribunal remain rather obscure in the UK. They rarely receive serious treatment in the media and are probably unheard of to many. Given that background, it is not all that surprising that this story got people’s attention. Perhaps it will now invigorate an overdue public debate on the legal issues around GCHQ surveillance.