Saturday, 21 February 2009
Of peer-reviews, checks and balances
However, Matron does not wish to talk about either of those plans today (in any case, letting her off the leash in relation to politicians' pronouncements on the Human Rights Act (HRA) is really not a good idea for anyone involved). Instead, she would like to share her impressions on the workings of the British constitutional system. For those of you not interested, feel free to go straight to the commercial...
Matron herself originates from a country with a strong written constitution, and the idea that that constitution - particularly the fundamental human rights contained in it - should be enforced by the courts against the politically motivated government of the day is second nature to her, part of her cultural make-up - one of those things that "go without saying". It is for this reason that Matron has always found it difficult to accept that the UK constitutional system largely seems to be based on a feeling of trust by the population in their elected officials that "they wouldn't do that". "That" being all the bad things an autocratic or totalitarian government might want to do - and has been shown to do in other countries - in the way of infringing its citizens' civil and human rights. Now, admittedly, this trust seems to be well founded in history and experience -after all Britain is one of the few European countries that has not gone through a period of political tyranny or dictatorship for at least a few centuries. But ask yourselves whether you really trust the average individual politician, and you see that the phenomenon of trust in them as a collective body at least merits thinking about. There is such widespread cynicism about individual politicians and their wheeler-dealing that nobody will even feign surprise at reports of inflated expense claims, lying to Parliament and the forging of official reports. The 1980's TV series "Yes Minister" was not only such a big success because of its writers and actors (although both were superb) but because people felt that it portrait fairly accurately the way in which the Whitehall and Westminster machineries work in practice. Even today, when a particularly juicy political scandal comes to light, it is difficult to not think back to a particular "Yes Minister" episode that targets just that sort of behaviour.
So, why is it, that if we don't trust individual politicians as far far as we can throw them, that we trust them as a collective to act in the country's best interest? The answer Matron usually get when raising this with her British chums is that there is indeed a feeling that a system of checks and balances exists that keeps the buggers honest. This system is said to include the judiciary, the media and the House of Lords. So lets look at each of those in turn.
Since the introduction of the HRA, the judiciary has admittedly been given much greater power to review laws made by Parliament and to make declarations of incompatibility where it feels that those laws do not come up to scratch, i.e. where they may violate the fundamental human rights of British (and other countries') citizens. Now it has been said before, but Matron will say it again, that - contrary to the views expressed by Daily Mail editor Paul Dacre - this isn't really a new way of doing things. Ever since the UK ratified the ECHR (and let us not forget that it was one of the first states to ratify the Convention in 1951) , its laws were supposed to be in line with Convention rights. The difference between then and now is merely that before the adoption of the HRA, the right to review of the compatibility of UK laws with Convention rights rested with the European Court of Human Rights in Strasbourg. What the HRA did, was to "bring rights home" as Labour put it at the time, which - most importantly - meant that citizens could now enforce Convention rights before the English courts. Let me repeat this again, more slowly: the HRA gave UK citizens no new rights. It merely brought jurisdiction over those rights to the UK courts.
Now Matron might be naive, but isn't that generally something that the Daily Mail should be happy about? English judges having a say before the European Court gets a look in? The problem, from the Mail's point of view is, of course, that British citizens can still appeal to the European Court once all domestic remedies have been exhausted. So, after all that, British rights may still be determined by foreigners.
But the point that worries most human rights campaigners - and where their views come into conflict with those of the Mail - is actually, that despite being given jurisdiction to review parliamentary laws, English courts do not have the right to declare those laws null and void if they find that they infringe human rights. In essence, this means that English judges can tell Parliament that it has done wrong when enacting a particular law, but they cannot force Parliament to repeal the law and adopt a new one. The fact that Parliament almost inevitably will repeal a law found incompatible by the Courts, is again nothing more than a constitutional convention - another expression of this country's charming naivety and trust in the system.
As for the controlling powers of the media, Matron will try to limit her rant to the bare minimum. The British media works well in some cases but not so well in others and because much of the media's power seems to be with the tabloids rather than the broadsheets, one could argue that the influence of media power on legislation could work for or against the protection of human rights (again, the Paul Dacre story is a point in case). Also, while the media did a good job in relation to cases like the Attorney General's report on the existence of weapons of mass destruction in Iraq, Matron continues to be stupefied by the almost complete absence of proper commentary on legislative proposals on data retention. There is some, but compared to what is going on in, say, Sweden, Austria and Germany, coverage has been laughable. So the best Matron can do in this case is a verdict of "must do better", which - given the increased centralisation of media in the hands of only a few players - is unlikely. Having said that, this development is not only a British problem but seems to apply to almost all developed Western nations.
Which brings us to the House of Lords. Now, if anything, to Matron this is them most perplexing control instrument of them all. As a lawyer trained in constitutional theory, the principles of democracy and the state and the separation of powers, she cannot but look at the Upper Chamber with a certain amount of incredulity and irritation. Unelected, appointed for life and not particularly accountable to anyone themselves, members of this elite circle do not seem to her the best way of ensuring successive governments' compliance with common values of freedom, equality and human decency. And indeed, the recent cash-for-amendments allegations seem to be proof that the system may have some inherent flaws. And yet, it is the House Lords that human rights campaigners increasingly look to as an ally, when it comes to curbing the government's worst excesses in the human rights arena (most recently largely seen in the context of anti-terrorism laws). And it seems to work, as the recent dismissal of plans to extent to 42 days the period for which police could hold a suspect without charge, seems to show.
So why does it work? The most entertaining explanation Matron has ever heard was given by Lord Lester of Herne Hill during a conference a few years ago. His Lordship mused that most members of the House of Lords seem to have been barristers at one time or other in their life. Barristers, he argued, are an eccentric bunch and trying to control them is a bit like trying to herd cats.
So lets get this straight: the well-being of the British people is ultimately protected by its eccentrics? Now this is an explanation that Matron - a bit of an eccentric herself according to those who know her in the flesh - would love to believe and trust in. But is it enough? After 15 years' residence in this great country, Matron is no loser to answering this question than she was when she first taught English constitution law to undergraduates in 1997 - which she did with an undeniable air of anxiety and moral panic. The best she can come up with even today, is that constitutional checks and balances seem to draw their validity from, and seem to work within, their own cultural and historical context. Until they don't, that is.
Thursday, 19 February 2009
The Facebook conundrum - do we need to be protected from ourselves?
Now, Matron is not exactly what one would call an early adopter. That much can probably be deduced from the fact that she starts a blog at a time when everybody else is socially networking their little socks off. It has to be said that, for a tech lawyer, Matron is really rather technophobic. She also decided - after a short spell of online addiction back in the mid-nineties, largely related to a certain e-mail list which shall remain nameless (but lets just say that it led to a communal holiday in a cottage in Scotland with a number of people who were - unusal) - that she prefers face-to-face relationships to the virtual variety.
So, like everybody else over the age of 35, she has been following the FaceBook phenomenon with some interest and trepidation. So far, she has firmly rejected her students' untoward online advances, has lectured them, moaned at them, threatened to physically restrain them and, on one occasion, blackmailed them into engaging all possible privacy settings by telling them that she would openly display any of their publicly accessible profiles to attendees of an academic conference. She is also a paid up member of the "FaceBook Moral Panic Support Group" loudly lamenting the fact that things are not what they used to be.
So, although it is highly unfashionable in cyberlaw circles to call for increased legal regulation - technological solutions are still all the rage - Matron sticks by her guns and the points she made previously. What we need is a consumer protection approach that ensures that the purposes for which providers may use their users' personal data are limited in some way. And before all the Americans throw the First Amendment book at her, Matron is not talking about the abandonment of personal responsibility, user autonomy and free speech. She is merely appealing to common sense. Users of "my-way-or-the-highway" adhesion contracts should be subject to some sort of statutory framework.
Hopefully, the more stories are published about the blatant way that some providers abuse their users' data, the more political will there will be to do something about it. For that reason, last night's TV coverage of the FaceBook c***up was chicken soup for the soul. But even better than that, the BBC today published an article about a study that "proves" that online networking harms your health.
Isn't it great when scientific research confirms what you want to believe anyway?
Wednesday, 18 February 2009
Data retention and the incredible duplicity of events
Matron isn't quite sure what to commend them on first. That they managed to gloss over the extension of the retention period for internet data from currently six months (under the Voluntary Industry Code) to 12 months, blatantly ignoring the point made by a number of respondents (including the SCL and Liberty) that they have yet to present a business case for any retention of communications data?
That they managed to find and quote the one sentence in a highly critical submission by Liberty that acknowledges that "communications data records can prove a valuable crime detection and prevention tool” (in its submission, Liberty then goes on to say, that the recently reported use of communications data by local authorities for the purpose of enforcing laws against flytipping and benefit fraud hardly fall within the definition of serious crime and terrorism)?
But the most worrying part of the response has to be the government's refusal to even engage with the argument that the retention of internet data for 12 months may very well be disproportionate under Article 8 of the European Convention on Human Rights.
As a general rule, Matron loves to be right as much as the next know-it-all, but in some cases she really doesn't. And the fact that the Home Office - less than a week after the ECJ made a similar point - also seems to suggest that the retention of communications data is somehow separate from access to the data so retained is one of those cases.
But first things first. Let us first look at the changes to the draft Regulations that the Home Office wishes to introduce as a result of the consultation:
Application of the Regulations
Because the UK government has agreed to reimburse CSPs for the costs they incur in implementing the Directive, it has long tried to keep those costs to a minimum by avoiding duplicate storage of data. In practice, this is difficult as many CSPs are using networks operated by other CSPs so that communications data are often held by both the upstream and the downstream provider. In the original draft Regulations the government therefore proposed that they should not apply to a CSP to the extent that the data concerned are already retained by another UK CSP. However, CSPs were very unhappy with this provision as they feared it would create both uncertainty and market distortion. They also argued that third parties interested in accessing retained data (for example, copyright owners) might bring actions for breach of statutory duty against those CSPs ostensibly not required to retain data under the Regulations.
The revised Regulations published by the Home Office last week provide that they will only apply to a CSP if the Secretary of State issues a notice to that CSP requiring it to retain data. No statutory duty to retain data will exist on the part of the CSP in the absence of such a notice. At the same time, under revised regulation 10(2), the Secretary of State must issue such a notice to a CSP unless the data to which the Regulations apply are retained in the UK in accordance with the Regulations by another CSP. In the words of President Truman: "the buck stops with the Home Secretary". Meaning that even if the Home Office gets it wrong, it is now likely that third parties who feel aggrieved that a particular CSP has not retained communications data will probably have to bring an action against the UK government under the Francovich principles rather than have a case against the individual CSP. Directives do not have direct effect and from a CSPs point of view, their statutory duty is what English law says it is. So, that's good news. Or is it?
Well, it depends on whether or not you generally agree with the right of third parties to access data retained for crime prevention and anti-terrorism purposes for their own commercial purposes in the first place. Quite a few respondents raised this issue in their submission. It seems that the CSPs are mainly concern that this may net them lots of Norwhich Pharmacal orders from the already prolific film and music industry. But those of us, who feel that the use of CSP data for the purpose of enforcing copyright has already gone far enough, the Home Office's response to this issue is worrying indeed. It merely states that the Home Office is working with the Ministry of Justice and the Interception of Communications Commissioner to provide guidance for the courts on how these cases should be handled, and that, separately, the government intends to provide more effective remedies for rights holders. So, unsurprisingly, the government is still refusng to consider other solutions to the problem of filesharing and illegal downloads.
Data to be retained
Many ISPs have pointed out that the majority of communications data to be retained relates to unsolicited marketing e-mails ("spam") that is filtered by CSPs and that in most cases is never delivered to the intended recipient. Excluding that data from the retention requirement (along the lines of the Directive's exclusion of data relating to unconnected telephone calls) could save the government millions of £££ but did common sense prevail? Did it heck!
Statistics
Coming back to the mystery of the missing business case, the government was caught with a small amount of egg on its face, when it had to admit that the orginal draft Regulations had omitted a requirement of the Directive that statistics relating to the time elapsed between the date on which the data were retained and the date on which a lawful request for data was made should be collected. That sort of data is obviously essential for establishing whether or not a retention period of 12 months is actually necessary and, hence, proportionate under Art. 8 ECHR (other views that have been mooted include the suggestion that the police only needs a retention period of 12 months because it is so unorganised that it will need at least six months to actually make the request and that long retention periods are really there to cover incompetence and inefficieny. Matron prudently reserves judgment on that).
Apparently, the omission was an "oversight" and the necessary requirement has now been inserted in draft regulation 9, but as they say, just because you're paranoid, doesn't mean they're not after you.
Human rights considerations
But returning to the above mentioned duplicity of events, most notably of all the Home Office has indeed managed to dismiss any suggestions that the retention provisions may actually be disproportionate under Art. 8 ECHR, reasoning that respondents who made those suggestions largely focused on the proportionality of access to the retained data rather than its retention. However, access, the Home Office argues, is governed by RIPA not the Regulations, so arguments relating to disproportionality should be made in a RIPA context. Wait a minute! Isn't that what the ECJ just said?
It is, of course, complete baloney, particularly when you look at the recent judment by the European Court of Human Rights in S. and Marper v United Kingdom, where the court decided that the blanket and indiscriminate retention of DNA records by the UK government, regardless of whether the data subject was convicted of an offence after collection, failed to strike a fair balance between the competing public and private interests. The court concluded that the UK government had overstepped any acceptable margin of appreciation in this regard and it could be argued that similar considerations should apply in relation to the retention of personal data of millions of innocent individuals.
But leaving that aside for the moment, Matron continues to be worried about strategy. If both the UK government and the ECJ are trying to separate the retention of data from access to that data, it may really be time to take note. As Matron suggested before, data retention opponents, particularly in the UK, should start to seriously plan for a fight on two fronts, namely they should think about lodging actions for judicial review of both the Regulations (once they are in force) and the access provisions under RIPA.
Friday, 13 February 2009
You turn if you want...
Indeed, the group included Peter Fleischer, Google's global privacy counsel; David Hoffman, Intel's director of security policy and global privacy officer; as well as two privacy lawyers working for US law firms. The group was originally set up to provide independent expert advice to the Commission in relation to any specific or emerging issues relating to the current legislative framework for data protection. However, the Commission refused to confirm that this finally signalled the long awaited review of the 1995 Data Protection Directive. On the contrary, it emphasised that it did not envisage submitting any legislative proposal to amend the Directive in the short to medium term.
This attitude at least seems to have changed in the wake of the group's dismantling. There is now talk that the group will be disbanded into a wider consultation which is due to be launched at a conference organised by the Commission in May of this year.
The majority of privacy experts agree the that the Commission has been dragging its feed on this one and that a fresh look at the Directive is long overdue, particularly in light of the fact that changes to the framework are now being discussed - inappropriately many think - as part of the Telecoms Reform Package. So, as U-turns go, this one would be quite welcome. However, Matron worries that in this case a review may actually be used to water down the existing protection. If the negotiations relating to the proposed changes to the E-Privacy Directive are anything to go by, this concern does not seem to be entirely far fetched.
Thursday, 12 February 2009
Is time running out for privacy notices?
As someone who for a very long time predictably, boringly and (in the opinion of her partner) embarrassingly read all small print before signing, Matron has found that over the last few years she too has become more complacent. While she will still search for the tick boxes that will (hopefully) prevent her from being inundated with adverts for Viagra and penis enlargements, she no longer reads the privacy statements with the same sort of youthful vigour.
That has partly to do with the problem identified by the ICO - they are getting longer and more impenetrable. But also - and therein, as they say, lies the rub - she makes a plain old profit/loss analysis. As her esteemed friend and colleague Prof. Lilian Edwards points out in one of her articles, the majority of privacy statements, particularly those used by online providers, are effectively adhesion contracts - not subject to negotiation, take it or leave it. If you want the service, you have to agree with the terms, so reading them could often be seen as an utter waste of time. And because most consumers - again in Lilian's words - prefer "jam today" - goods and services, fun and frivolity - over "jam tomorrow" - safety and security of their personal information - it has become easy for online providers progressivley to expand the purposes for which they may use their customers' personal data - ostensibly with their consent.
Consequently, and without wanting to criticise the ICO's commendable move to initiate a discussion of this subject, Matron cannot help thinking that the ICO stopped a bit short of what may actually be required. Instead of simply joining the plain English campaign, may it not now be time to revisit the entire concept of fair processing notices, particularly where the purposes for which the data can be used by businesses become binding on their customers on the basis of their IMPLIED consent (as is possible in the UK)? Should we start thinking about these isssues in terms of consumer protection and should we be looking into the possiblity of legislating for "unfair privacy terms" along the lines of the Unfair Terms in Consumer Contracts Regulations 1999?
It seems that for the time being the ICO wants to stick with the "educational approach": getting companies to simplify their privacy statements so that consumers can understand them better and make better choices. But extensive permissions to use consumer data are still extensive permissions by any other name and the concept of choice - as in all adhesion contracts - may be illusionary.
Wednesday, 11 February 2009
The imagery of surveillance
Tuesday, 10 February 2009
When Irish eyes are smiling - NOT
Yes, it is true that adopting harmonised European provisions under the third pillar requires unanimity in the European which is difficult to achieve. Difficult but not impossible and the proposers of the original Framework Decision on the subject (including Ireland and the UK) had made some headway in that regard back in September 2005 when both the European Parliament started to kick off. Also - and this is probably more important in the short term - in the absence of harmonising EU law, every member state would have been able to adopt its own data retention laws. That would have been great news for human rights organisations in places like Austria, whose government has long opposed data retention on principle, and Germany, where the Constitutional Court may very well have put a stop to it. But in places like Ireland, Italy and, not least, the UK we may well have ended up with laws which require providers to retain more types of data for longer than the maximum of 24 months allowed under the directive. Furthermore, much of the Council decisions come about as a result of horse-trading behind closed doors. At least, the involvement of the European Parliament guarantees some sort of political transparency, even though - as in this case - this will not always protect us from undesirable outcomes. So right on, ECJ, you did well.
But what does it all mean for individuals' right to privacy? Well, the bad news is that ISPs and telecommunication providers will now initially have to retain communications data for between 6 and 24 months. The technology and the infrastructure for this will have to be set up, costed and funded. And we know how it goes - once that infrastructure is in place, both the state and the providers will most probably manage to find a use for it even of the Directive is eventually binned. A frightening thought!
However, the ECJ has not yet examined the question of the Directive's compatibility with fundamental human rights, in particular with the right to privacy under Article 8 of the European Convention of Human Rights (ECHR). Indeed, it has very clearly stated that the action brought by Ireland - and consequently its own decision - relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy by the Directive. That, in a way, is a good thing, because it leaves the door open for a future challenge by data retention opponents who hope to be able to prove that blanket data retention is wildly disproportionate to the objective the Directive is set to achieve. Judicial or constitutional reviews relating to the compatibility with the right to privacy of national laws implementing the Directive are already pending in a number of member states including Germany and Ireland. The relevant courts may now refer any of those cases to the ECJ for preliminary ruling. The German Constitutional Court - bound as it is by its own "Solange II" principles (that it will not review the compatibility of EC legislation with the German Constitution as long as ("solange") the European Communities, and in particular the judicature of the ECJ, secure the protection of fundamental rights) - are the most likely suspect for such a reference. The Court has repeatedly postponed its own decision in the pending case - likely because of the impending ECJ ruling.
But the ECJ also made another interesting point: namely, it emphasised that the Directive merely relates to activities of communication service providers (the retention of communications data) and not to the activities of public and law enforcement authorities (access to the retained data). While factually correct, this could suggest that when the ECJ eventually receives a reference from a national court, it may limit its own jurisdiction to a review of the question whether the mere retention of data infringes fundamental rights rather than taking a "big-picture-view" of the matter and taking into account the effect that law enforcement's access to that data will have on those rights. It could argue that the mere retention of data does not infringe individual rights provided that access to that data is limited and subject to sufficient safeguards. As the access provisions and safeguards are currently contained in national law (here in the UK, access is governed by Part I Chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA) and a host of secondary regulation), the ECJ could rule itself out completely as a competent court to review the matter from that point of view leaving it instead to national courts to decide.
On the one hand, this could mean that data retention will come to be seen as be a beautiful example for a judicial game of "pass-the-parcel" where data retention provisions are quietly implemented all across Europe while the courts are sorting out their own compentency between themselves. On the other hand, such an approach by the ECJ could open up an opportunity for opponents provided they grasp it quickly and strongly enough.
Data retention opponents should now also consider the judicial review of national access provisions by the national courts as well as, ultimately, by the European Court of Human Rights in Strasbourg. To a varying extent, all EU member states are also signatories to the ECHR which means that their national laws are subject to that Court's jurisdiction once all national judicial remedies have been exhausted. In a UK context this could mean, that even if the ECJ, in a future action referred to it, determines that
- data retention alone is not enough to infringe people's fundamental rights
- it is not competent to review the access provisions that may be so infringing,
Like many others, lawyers advising data retention opponents have so far been puzzeld by the fact that the demarcation line between the jurisdiction of the ECJ and the ECtHR has never been clearly defined. Ever since the ECJ, in the case of Internationale Handelsgesellschaft v. Einfuhr und Vorratsstelle Getreide, confirmed that it would protect fundamental rights as general principles of EU law, the scene was set for a clash between the two courts, albeit that to date this clash has never materialised. It was thought, that data retention could have been the case, where this might finally happen.
However, unless the European Council adopts harmonised provisions on access to retained data which would bring the matter squarely within the ECJ's jurisdiction (probably unlikely, given how difficult it was to achieve consensus even on the retention of the data), civil rights organisations across the EU should now probably review their strategies and start planning for a two-pronged attack:
- Continue the judicial review of national laws implementing the Data Retention Directive with a view to a reference to the ECJ. Cross your fingers and hope.
- At the same time commence separate actions for judicial review of the related national access provisions arguing that they violate Art. 8 ECHR and that it would be inappropriate to refer those cases to the ECJ for preliminary decision, as they do not concern EU laws. If the national courts decide that those provisions do indeed violate Art. 8 ECHR, then - depending on the constitutional procedures of the relevant country - the provisions will either be void immediately or be declared "incompatible with human rights" leaving the legislator to amend the law. If the national court finds that access to retained data does not breach Art. 8 ECHR, the path to Strasbourg is clear. And it light of the court's most recent decision in the area of privacy and state surveillance, Matron can't help feeling that the chances of success in that court would be much better than before the ECJ.
However, even if a challenge before the ECtHR was successful, the problem of data retention may remain. Would the ECtHR assume jurisdiction on the retention provisions given that they are subject to review by the ECJ? If not, would national legislators, the European Institutions and/or the ECJ revise their position on data retention, if the ECtHR decided that access to the retained data breaches individuals' human rights? Data retention is expensive. National governments will (hopefully) not want to bear those cost or impose them on businesses operating from their territory if they cannot then access the data retained. An ECtHR decision condemning the right to access could therefore be a roundabout way to make them change their mind. But it's tricky. So "as long as" we don't know how best to tackle this we should probably tackle it any which way we can.