[This is a Guest Post by P. Arun.]
On 13 September 2018, the European Court of Human Rights (ECtHR) in Big Brother Watch and Others v. United Kingdom (App nos. 58170/13, 62322/14 and 24960/15) held that bulk interception and mass surveillance by the United Kingdom government violated human rights law in Europe. It was primarily a consolidated challenge by numerous civil and human rights organisations (Big Brother Watch, Amnesty, Privacy International, ACLU etc.), in which three cases were clubbed together. This challenge was an outcome of the major revelations by Edward Snowden in 2013.
Conceptually, communications data is a subset of personal data, which may fall in between personal and sensitive, and sometimes even non-personal and non-sensitive (such as call data records, traffic data in social networking, browsing data etc.). It may be regarded as non-sensitive in nature, but if we triangulate it with other sorts of metadata, it can speak volumes, portraying a meticulous and intrusive profile of an individual which may comprise intimate elements of private life. It comprises both metadata and payload data, where the former involves granular pieces of information, whereas the latter is the actual content and information which is being communicated. These definitions are not exhaustive, and there are significant disagreements too, but there is no disagreement about the gravity of its importance: it ought to remain private and certainly be safeguarded. However, the prevailing bulk interception, under which internet traffic data transiting via fibre optic cables is intercepted, extracted, filtered, stored, analysed and even shared with other agencies across borders, undoubtedly has a chilling effect when it is more secretive and ubiquitous (Kim, “How Bulk Interception Works” 2016).
UK’s Surveillance Regime under RIPA
Before 9/11, the UK government had enacted the Regulation of Investigatory Powers Act 2000 (RIPA) to address technological change and to empower intelligence agencies and public bodies to carry out surveillance over electronic data, and particularly over communications data, for law enforcement and security purposes. However, within a decade these powers caused serious issues concerning privacy, as they were deficient in protecting against unlawful surveillance (Big Brother Watch, “The Grim RIPA” 2010). Moreover, there was also widespread concern about surveillance of journalists in order to identify their sources, which seriously impinges on freedom of the press (Bradshaw, 2016).
After exhausting the existing domestic remedies by raising complaints before the Investigatory Powers Tribunal (established by RIPA to address wrongful interference with communications), the human rights organisations along with journalists finally approached the ECtHR due to widespread suspicion and concern over the clandestine nature of surveillance. In this case, the ECtHR was particularly looking into three issues: a) the bulk interception of communications on the basis of RIPA 2000; b) the acquisition of communications data from service providers under RIPA; and c) the intelligence-sharing between the US and the UK. It held that the first two violate the right to privacy and freedom of expression protected under the European Convention on Human Rights (ECHR) and ruled that the last one did not violate either of them (see Table 1). Contrary to the majority judgement, Judge Pauliine Koskelo and Judge Ksenija Turković wrote dissents on the intelligence-sharing regime and held that it violated Article 8 due to a lack of adequate safeguards.
Table 1: Classification of the ECtHR ruling on violation of the ECHR in the Big Brother Watch case.
|Acquisition of Communications Data from Communication service providers (CSPs) [Chapter II RIPA]||Intelligence sharing|
Freedom of Expression
Prohibition of discrimination
Bulk Interception and Acquisition of Communications Data Violates Right to Privacy
The court found that bulk interception and acquisition of communications data carried out by the UK government under s.8(4) of RIPA violates the right to privacy protected under Article 8 of the ECHR. It found that the bulk interception was incompatible due to the nature of the limitations and safeguards. The applicants mainly alleged that the particular section lacked the “quality of law” as the rules were unclear, complex, vague and disproportionate. For instance, there are interception targets which were called “external” communications. However, there is no clarity over the distinction between “internal” and “external” communications: suppose a person in the UK is browsing a website, posting on social media or even using cloud storage; in all these cases the servers are located overseas. It is unclear whether these would be regarded as external communications or not.
It also held that the regime lacked sufficient safeguards and guarantees against potential abuse in these respects: the absence of an appropriate procedure for filtering, storing and analysing intercepted material; the indefinite duration of surveillance, as it could be renewed every six months; the retention of intercepted data for a disproportionate period without any appropriate procedure for erasure; and finally, that it was disproportionately collecting and retaining not merely metadata but also payload data (real content) on a massive scale.
The court did not outright hold that the existence of bulk interception contravenes Article 8 of the Convention, as it said:
[I]n view of the current threats facing many Contracting States (including the scourge of global terrorism and other serious crime, such as drug trafficking, human trafficking, the sexual exploitation of children and cybercrime), advancements in technology which have made it easier for terrorists and criminals to evade detection on the Internet, and the unpredictability of the routes via which electronic communications are transmitted, the Court considers that the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security is one which continues to fall within States’ margin of appreciation. (para 314)
However, the court argued that it violated the European Convention because it failed to satisfy two elements: the “quality of law” requirement and limiting the interference to what is “necessary in a democratic society” (para 388). During the examination of the power under s.8(4) of RIPA, it found shortcomings in two areas: “first, the lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst; and secondly, the absence of any real safeguards applicable to the selection of related communications data for examination” (para 387). Here the court found a violation of human rights because bulk interception lacked oversight mechanisms and robust safeguards to protect individuals’ right to privacy. In addition, the acquisition of communications data from CSPs (Chapter II RIPA) also lacked “prior review by a court or independent administrative body.” Therefore, it was held not to be “in accordance with the law” under Article 8 of the ECHR.
Violation of Freedom of Expression and Freedom of Press under RIPA’s Surveillance Regime
In addition to the privacy violation, the court also found that such a surveillance regime violates the right to freedom of expression (Article 10). The applicants who challenged state surveillance were NGOs working in the public interest, and also journalists who work as public watchdogs, due to which they expect confidentiality over journalistic sources and their material. The court found that there was a “potential chilling effect” of bulk interception (s.8(4)) on the freedom of the press due to the absence of procedures, and therefore “limit[ed] the intelligence services’ ability to search and examine such [journalistic] material other than where it is justified by an overriding requirement in the public interest” (para 495). Additionally, it also looked into the effects of the “collateral intrusion” on journalists because of the nature of surveillance (Chapter II RIPA), where the government acquires a huge amount of communications data from CSPs. The court found that it lacked special provisions for accessing journalistic communications data, which is confidential in nature.
While highlighting the significance of freedom of expression, the court stressed the importance of freedom of press for journalists in a democracy as it said:
The protection of journalistic sources is one of the cornerstones of freedom of the press. Without such protection, sources may be deterred from assisting the press in informing the public about matters of public interest. As a result the vital public-watchdog role of the press may be undermined, and the ability of the press to provide accurate and reliable information may be adversely affected. (para 487)
Relevance for India’s Surveillance Regime
In this context, it is important to note that the existing mass surveillance techniques employed by the Indian government are not merely in violation of the limitation principles outlined by the Supreme Court of India in the Puttaswamy judgement but also lack substantial safeguards to prevent executive abuse. For instance, the Central Monitoring System (CMS), Network Traffic Analysis (NETRA) and National Intelligence Grid (NATGRID) were developed in the aftermath of 26/11 to empower the state with metadata surveillance; they are totally enshrouded in a web of secrecy and empower the executive itself to review the warrants (SFLC 2014). Recently the B.N. Srikrishna Report also highlighted the nature of oversight mechanisms in India as it said: “there is little meaningful oversight that is outside the executive, and there is a vacuum in checks and balances to prevent the untrammeled rise of a surveillance society.” Hence it recommended measures, i.e. to have both parliamentary and judicial oversight, and it reasoned that “checks and balances is the need for ex ante access control as well as ex post accountability” (Srikrishna Committee Report 2018: 124-128). Interestingly, the dissenting judges Koskelo and Turković in the Big Brother Watch judgement also articulated similar views as they said: “it is quite essential to have in place an adequate system of safeguards, including controls exercised by independent bodies, both ex ante and ex post.” They also stressed the risk of abuse if we rely on executive oversight of secret surveillance. Hence, they stressed the need for oversight and control by the independent judiciary (para 23-29).
In April 2015, IT Minister Ravi Shankar Prasad, while responding to questions related to CMS in parliament, stated that one of its salient features is “analysis of Call Data Records (CDR) to help in establishing linkage between anti-social/anti-national elements” (Rajya Sabha Debates 2015). This poses numerous questions with regard to legality, such as under which law such “elements” are defined and which law permits the government to conduct surveillance. This surveillance mechanism draws its legality from s.5(2) of the Telegraph Act 1885, which allows interception only for public emergency and public safety and nothing else. The words “anti-social” and “anti-national” are vague and loose terms, by comparison.
Last year, there had been silent musings by the government to monitor communications in social media and carry out “predictive and sentiment analysis” of users on different platforms. It drew serious flak from the people and was later withdrawn when the apex court responded to a petition on this surveillance tool and described it as establishing a ‘surveillance state’ (The Wire 2018). In addition to this, two major events occurred at the end of December 2018. On the one hand, MHA issued an ‘Order’ authorising 10 Central Agencies to intercept, monitor, and decrypt (Section 69 of IT Act) “any information generated, transmitted, received or stored in any computer” (The Hindu 2018). On the other hand, MeitY released controversial draft rules to amend the Intermediary Rules, 2011, which mentioned introducing the requirement of traceability and longer data retention. More recently, in the ongoing litigation challenging the surveillance regime (PUCL v Union of India), the government has set out some of the details pertaining to the architecture of the surveillance regime, which, in the manner outlined above, lacks the requisite elements of oversight and necessary safeguards.
Moreover, the series of arrests of numerous activists in different states (Kannabiran 2018) makes one ponder the nature of the right to privacy, freedom of expression and freedom of the press in India. Undoubtedly, the lawmakers and activists, along with the citizens of India, need to seriously engage with and keep an eye on the nature of state surveillance, especially when new sorts of personal data are constantly evolving.