EHRM, 25-05-2021, nr. 58170/13, nr. 62322/14, nr. 24960/15, nr. 24969/15

The Edward Snowden revelations made in 2013 indicated that Government Communications Headquarters (‘GCHQ’, being one of the United Kingdom intelligence services) was running an operation, codenamed ‘TEMPORA’, which allowed it to tap into and store huge volumes of data drawn from bearers. The United Kingdom authorities neither confirmed nor denied the existence of an operation codenamed TEMPORA.

However, according to the March 2015 Report of the Intelligence and Security Committee of Parliament (‘the ISC report’ — see paragraphs 142–149 below), GCHQ was operating two major processing systems for the bulk interception of communications.

The first of the two processing systems referred to in the ISC report was targeted at a very small percentage of bearers. As communications flowed across the targeted bearers, the system compared the traffic against a list of ‘simple selectors’. These were specific identifiers (for example, an email address) relating to a known target. Any communications which matched the simple selectors were collected; those that did not were automatically discarded. Analysts then carried out a ‘triage process’ in relation to collected communications to determine which were of the highest intelligence value and should therefore be opened and read. In practice, only a very small proportion of the items collected under this process were opened and read by analysts. According to the ISC report, GCHQ did not have the capacity to read all communications.

The second processing system was targeted at an even smaller number of bearers (a subset of those accessed by the process described in the paragraph above) which were deliberately targeted as those most likely to carry communications of intelligence interest. This second system had two stages: first, the initial application of a set of ‘processing rules’ designed to discard material least likely to be of value; and secondly, the application of complex queries to the selected material in order to draw out those likely to be of the highest intelligence value. Those searches generated an index, and only items on that index could be examined by analysts. All communications which were not on the index had to be discarded.

The legal framework for bulk interception in force at the relevant time is set out in detail in the ‘relevant domestic law’ section below. In brief, section 8(4) of the Regulation of Investigatory Powers Act 2000 (‘RIPA’ — see paragraph 72 below) allowed the Secretary of State to issue warrants for the ‘interception of external communications’, and pursuant to section 16 of RIPA (see paragraphs 84–92 below) intercepted material could not be selected to be read, looked at or listened to, ‘according to a factor which is referable to an individual who is known to be for the time being in the British Islands’.

Chapter 12 of the Interception of Communications Code of Practice (‘the IC Code’ — see paragraph 116 below) set out the circumstances in which the United Kingdom intelligence services could request intelligence from foreign intelligence services, and the procedures which had to be followed for making such a request. Chapter 12 was added to the IC Code after the Investigatory Powers Tribunal (‘the IPT’) ordered the intelligence services to disclose their arrangements for intelligence sharing in the course of the proceedings brought by the applicants in the third of the joined cases (‘the Liberty proceedings’ — see paragraphs 28–60 below).

Chapter II of RIPA and the accompanying Acquisition of Communications Data Code of Practice governed the process by which certain public authorities could request communications data from CSPs (see paragraphs 117–121 below).

PRISM was a programme through which the United States' Government obtained intelligence material (such as communications) from Internet Service Providers (‘ISPs’). Access under PRISM was specific and targeted (as opposed to a broad ‘data mining’ capability). The United States' administration stated that the programme was regulated under the Foreign Intelligence Surveillance Act (‘FISA’), and applications for access to material through PRISM had to be approved by the Foreign Intelligence Surveillance Court (‘FISC’).

Documents from the NSA leaked by Edward Snowden suggested that GCHQ had access to PRISM since July 2010 and used it to generate intelligence reports. GCHQ acknowledged that it acquired information from the United States' which had been obtained via PRISM.

According to the leaked documents, the Upstream programme allowed the collection of content and communications data from fibre optic cables and infrastructure owned by United States' CSPs. This programme had broad access to global data, in particular that of non-US citizens, which could then be collected, stored and searched using keywords (for further details, see paragraphs 261–264 below).

The IPT accepted that the PRISM issue engaged Article 8 of the Convention, albeit at a ‘lower level’ than the regime under consideration in Weber and Saravia v. Germany (dec.), no. 54934/00, ECHR 2006-XI. As a consequence, the authorities involved in processing communications received from foreign intelligence services had to comply with the requirements of Article 8, particularly in relation to their storage, sharing, retention and destruction. In the IPT's view, following Bykov v. Russia [GC], no. 4378/02, §§ 76 and 78, 10 March 2009 and Malone v. the United Kingdom, 2 August 1984, Series A no. 82, in order for the interference to be considered ‘in accordance with the law’, there could not be unfettered discretion for executive action; rather, the nature of the rules had to be clear and the ambit of the rules had — in so far as possible — to be in the public domain. However, it considered it plain that in the field of national security, much less was required to be put in the public domain and the degree of foreseeability required by Article 8 had to be reduced, otherwise the whole purpose of the steps taken to protect national security would be at risk (citing Leander v. Sweden, 26 March 1987, § 51, Series A no. 116).

The IPT continued:

The IPT noted that arrangements for information sharing were provided for in the statutory framework set out in the Security Service Act 1989 (see paragraphs 105–106 below) and the Intelligence Services Act 1994 (see paragraphs 107–110 below). It further referred to a witness statement made in the above-mentioned Liberty proceedings by Charles Farr, the Director-General of the Office for Security and Counter Terrorism (‘OSCT’) at the Home Office, which explained that the statutory framework set out in those Acts was underpinned by detailed internal guidance, including arrangements for securing that the services only obtained the information necessary for the proper discharge of their functions. He further indicated that staff received mandatory training on the legal and policy framework in which they operated, including clear instructions on the need for strict adherence to the law and internal guidance. Finally, he stated that the full details of the arrangements were confidential since they could not be published safely without undermining the interests of national security.

The IPT acknowledged that as the arrangements were not made known to the public, even in summary form, they were not accessible. However, the IPT considered it significant that the arrangements were subject to oversight and investigation by the Intelligence and Security Committee of Parliament (‘the ISC’) and the independent Interception of Communications Commissioner (‘the IC Commissioner’). Furthermore, it itself was in a position to provide oversight, having access to all secret information, and being able to adjourn into closed hearing to assess whether the arrangements referred to by Mr Farr existed and were capable of giving the individual protection against arbitrary interference.

Having considered the ‘below the waterline’ arrangements, the IPT was satisfied that the 9 October disclosure (as subsequently amended — see paragraphs 33 and 36 above) provided a clear and accurate summary of that part of the evidence given in the closed hearing, and that the rest of the evidence given in closed hearing was too sensitive for disclosure without risk to national security or to the ‘neither confirm nor deny’ principle. It was further satisfied that the preconditions for requesting information from the Government of the United States of America were clear: there had to exist either a section 8(1) warrant, or a section 8(4) warrant within whose ambit the proposed target's communications fell, together, if the individual was known to be in the British Islands, with a section 16(3) modification (see paragraph 86 below). Any request pursuant to PRISM or Upstream in respect of intercept or communications data was therefore subject to the RIPA regime, unless it fell within the wholly exceptional scenario outlined in 1(b) of the material disclosed after the first hearing. However, a 1(b) request had never occurred.

The IPT nevertheless identified the following ‘matter of concern’:

However, subject to this caveat, the IPT reached the following conclusions:

Finally, the IPT addressed an argument raised by Amnesty International only; namely, that the United Kingdom owed a positive obligation under Article 8 of the Convention to prevent or forestall the United States from intercepting communications, including an obligation not to acquiesce in such interception by receiving its product. However, the IPT, citing M. and Others v. Italy and Bulgaria, no. 40020/03, § 127, 31 July 2012, noted that ‘the Convention organs have repeatedly stated that the Convention does not contain a right which requires a High Contracting Party to exercise diplomatic protection, or espouse an applicant's complaints under international law, or otherwise to intervene with the authorities of another State on his or her behalf’. The IPT therefore rejected this submission.

The IPT formulated four questions to be decided in order to determine whether the section 8(4) regime (which provided the legal framework for the bulk interception of external communications) was compatible with the Convention:

In relation to the first question, the applicants had contended that following the ‘sea-change in technology since 2000’, substantially more communications were now external, and as a result the internal/external distinction in section 8(4) was no longer ‘fit for purpose’. While the IPT accepted that the changes in technology had been substantial, and that it was impossible to differentiate at interception stage between external and internal communications, it found that the differences in view as to the precise definition of ‘external communications’ did not per se render the section 8(4) regime incompatible with Article 8 § 2. In this regard, it considered that the difficulty in distinguishing between ‘internal’ and ‘external’ communications had existed since the enactment of RIPA and the changes in technology had not materially added to the quantity or proportion of communications which could or could not be differentiated as being external or internal at the time of interception. At worst, they had ‘accelerated the process of more things in the world on a true analysis being external than internal’. In any case the distinction was only relevant at interception stage. The ‘heavy lifting’ was done by section 16 of RIPA, which prevented intercepted material being selected to be read, looked at or listened to ‘according to a factor which is referable to an individual who is known to be for the time being in the British Islands’ (see paragraphs 84–92 below). Furthermore, all communications intercepted under a section 8(4) warrant could only be considered for examination by reference to that section.

In respect of the second question, the IPT held that the section 16 safeguards, which applied only to intercept material and not to related communications data, were sufficient. Although it concluded that the Weber criteria also extended to communications data, it considered that there was adequate protection or safeguards by reference to section 15 of RIPA (see paragraphs 77–82 below). In addition, in so far as section 16 offered greater protection for communications content than for communications data, the difference was justified and proportionate because communications data were necessary to identify individuals whose intercepted material was protected by section 16 (that is, individuals known to be in the British Islands).

Turning to the third question, the IPT concluded that the section 8(4) regime was sufficiently compliant with the Weber criteria (being the criteria set out in Weber and Saravia, cited above, § 95; see also paragraphs 274 and 335 below) and was in any event ‘in accordance with the law’. With regard to the first and second requirements, it considered that the reference to ‘national security’ was sufficiently clear (citing Esbester v. the United Kingdom (dec.), no. 18601/91, 2 April 1993 and Kennedy v. the United Kingdom, no. 26839/05, 18 May 2010); the absence of targeting at the interception stage was acceptable and inevitable, as it had been in Weber; on their face, the provisions of paragraph 5.2 of the IC Code, together with paragraphs 2.4, 2.5, 5.3, 5.4, 5.5 and 5.6 (see paragraph 96 below), were satisfactory; there was no call for search words to be included in an application for a warrant or in the warrant itself, as this would unnecessarily undermine and limit the operation of the warrant and might in any event be entirely unrealistic; and there was no requirement for the warrant to be judicially authorised.

In considering the third, fourth, fifth and sixth of the Weber criteria, the IPT had regard to the safeguards in sections 15 and 16 of RIPA, the IC Code, and the ‘below the waterline’ arrangements. It did not consider it necessary that the precise details of all the safeguards should be published or contained in either statute or code of practice. Particularly in the field of national security, undisclosed administrative arrangements, which by definition could be changed by the executive without reference to Parliament, could be taken into account, provided that what was disclosed indicated the scope of the discretion and the manner of its exercise. This was particularly so when, as was the case here, the IC Code referred to the arrangements, and there was a system of oversight (being the IC Commissioner, the IPT itself, and the ISC) which ensured that these arrangements were kept under review. The IPT was satisfied that, as a result of what it had heard at the closed hearing, there was no large databank of communications data being built up and there were adequate arrangements in respect of the duration of the retention of data and their destruction. As with the PRISM issue, the IPT considered that the section 8(4) arrangements were sufficiently signposted in statute, in the IC Code, in the IC Commissioner's reports and, now, in its own judgment.

As regards the fourth and final question, the IPT did not make any finding as to whether there was in fact indirect discrimination on grounds of national origin as a result of the different regimes applicable to individuals located in the British Islands and those located outside, since it considered that any indirect discrimination was sufficiently justified on the grounds that it was harder to investigate terrorist and criminal threats from abroad. Given that the purpose of accessing external communications was primarily to obtain information relating to those abroad, the consequence of eliminating the distinction would be the need to obtain a certificate under section 16(3) of RIPA (which exceptionally allowed access to material concerning persons within the British Islands intercepted under a section 8(4) warrant — see paragraph 86 below) in almost every case, which would radically undermine the efficacy of the section 8(4) regime.

Finally, the applicants had argued that the protection afforded by Article 10 of the Convention applied to investigatory NGOs in the same way it applied to journalists. Amnesty International initially alleged before the IPT that there were likely to be no adequate arrangements for material protected by legal professional privilege, a complaint which was subsequently ‘hived off’ to be dealt with in the Belhadj case (see paragraphs 99–101 below), to which Amnesty International was joined as an additional claimant. No similar argument was made in respect of NGO confidence until 17 November 2014 (after the first and second open hearings). As the IPT considered that this argument could have been raised at any time, in its judgment it had been raised ‘far too late’ to be incorporated into the ambit of the proceedings.

With regard to the remaining Article 10 complaints, the IPT noted that there was no separate argument over and above that arising in respect of Article 8. Although the IPT had regard to Sanoma Uitgevers B.V. v. the Netherlands [GC], no. 38224/03, 14 September 2010, it emphasised that the applicants' case did not concern targeted surveillance of journalists or non-governmental organisations. In any case, in its view, in the context of untargeted monitoring via a section 8(4) warrant, it would be ‘clearly impossible’ to anticipate a judicial pre-authorisation prior to the warrant limited to what might turn out to impact upon Article 10. Although the IPT accepted that an issue might arise in the event that, in the course of examination of the contents, some question of journalistic confidence arose, there were additional safeguards in the IC Code in relation to treatment of such material.

Following the publication of the judgment, the parties were invited to make submissions on whether, prior to the disclosures made to the IPT, the legal regime in place in respect of the PRISM issue complied with Articles 8 and 10, and on the proportionality and lawfulness of any alleged interception of their communications. The IPT did not see any need for further submissions on the proportionality of the section 8(4) regime as a whole.

Section 1(1) of RIPA 2000 (which has now been replaced by the Investigatory Powers Act 2016) rendered unlawful the interception of any communication in the course of its transmission by means of a public postal service or a public telecommunication system unless it took place in accordance with a warrant under section 5 (‘intercept warrant’).

Section 5(2) allowed the Secretary of State to authorise an intercept warrant if he or she believed that it was necessary for the reasons set out in section 5(3), namely that it was in the interests of national security, for the purpose of preventing or detecting serious crime, or for safeguarding the economic well-being of the United Kingdom (so far as those interests are also relevant to the interests of national security — see paragraphs 3.5 and 6.11 of the IC Code at paragraph 96 below); and that the conduct authorised by the warrant was proportionate to what was sought to be achieved by that conduct. In assessing necessity and proportionality, account had to be taken of whether the information sought under the warrant could reasonably have been obtained by other means.

Section 81(2)(b) of RIPA defined ‘serious crime’ as crime which satisfied one of the following criteria:

Section 81(5) provided:

Section 6 provided that in respect of the intelligence services, only the Director General of MI5, the Chief of MI6 and the Director of GCHQ could have applied for an intercept warrant.

There were two types of intercept warrant to which sections 5 and 6 applied: a targeted warrant as provided for by section 8(1), and an untargeted warrant as provided for by section 8(4).

By virtue of section 9 of RIPA, a warrant issued in the interests of national security or for safeguarding the economic well-being of the United Kingdom ceased to have effect at the end of six months, and a warrant issued for the purpose of detecting serious crime ceased to have effect after three months. At any time before the end of those periods, the Secretary of State was able to renew the warrant (for periods of six and three months respectively) if he or she believed that the warrant continued to be necessary on grounds falling within section 5(3). The Secretary of State was required to cancel an interception warrant if he or she was satisfied that the warrant was no longer necessary on grounds falling within section 5(3).

Pursuant to section 5(6), the conduct authorised by an interception warrant had to be taken to include the interception of communications not identified by the warrant if necessary to do what was expressly authorised or required by the warrant; and the obtaining of related communications data.

Section 21(4) defined ‘communications data’ as

The March 2015 Acquisition and Disclosure of Communications Data Code of Practice referred to these three categories as ‘traffic data’, ‘service use information’, and ‘subscriber information’. Section 21(6) of RIPA further defined ‘traffic data’ as data which identified the person, apparatus, location or address to or from which a communication was transmitted, and information about a computer file or program accessed or run in the course of sending or receiving a communication.

According to section 20 of RIPA, ‘related communications data’, in relation to a communication intercepted in the course of its transmission by means of a postal service or telecommunication system, meant ‘so much of any communications data as was obtained by, or in connection with, the interception’; and related ‘to the communication or to the sender or recipient, or intended recipient, of the communication’.

Section 71 of RIPA provided for the adoption of codes of practice by the Secretary of State in relation to the exercise and performance of his or her powers and duties under the Act. Draft codes of practice had to be laid before Parliament and were public documents. They could only enter into force in accordance with an order of the Secretary of State. The Secretary of State could only make such an order if a draft of the order had been laid before Parliament and approved by a resolution of each House.

Under section 72(1) of RIPA, a person exercising or performing any power or duty relating to interception of communications had to have regard to the relevant provisions of a code of practice. The provisions of a code of practice could, in appropriate circumstances, be taken into account by courts and tribunals under section 72(4) of RIPA.

The IC Code was issued pursuant to section 71 of RIPA. The IC Code in force at the relevant time was issued in 2016.

In so far as relevant, that IC Code provided:

In his witness statement prepared for the Liberty proceedings (see paragraph 40 above), Charles Farr indicated that, beyond the details set out in RIPA, the 2010 IC Code, and the draft IC 2016 Code (which had at that stage been published for consultation), the full details of the sections 15 and 16 safeguards were kept confidential. He had personally reviewed the arrangements and was satisfied that they could not safely be put in the public domain without undermining the effectiveness of the interception methods. However, the arrangements were made available to the IC Commissioner who was required by RIPA to keep them under review. Furthermore, each intercepting agency was required to keep a record of the arrangements in question and any breach had to be reported to the IC Commissioner.

In this review the National Security Council (‘NSC’) stated that its priorities over the next five years would be to:

The applicants in this case complained of breaches of Articles 6, 8 and 14 of the Convention arising from the alleged interception of their legally privileged communications. In so far as Amnesty International, in the course of the Liberty proceedings, complained about the adequacy of the arrangements for the protection of material subject to legal professional privilege (‘LPP’), those complaints were ‘hived off’ to be dealt with in this case, and Amnesty International was joined as a claimant (see paragraph 52 above).

In the course of the proceedings, the respondents conceded that by virtue of there not being in place a lawful system for dealing with LPP, from January 2010 the regime for the interception/obtaining, analysis, use, disclosure and destruction of legally privileged material had not been in accordance with the law for the purposes of Article 8 § 2 of the Convention and was accordingly unlawful. The Security Service and GCHQ confirmed that they would work in the forthcoming weeks to review their policies and procedures in light of the draft IC Code and otherwise.

The IPT subsequently held a closed hearing, with the assistance of Counsel to the Tribunal (see paragraph 132 below), to consider whether any documents or information relating to any legally privileged material had been intercepted or obtained by the respondents. In a determination of 29 March 2015, it found that the intelligence services had only held two documents belonging to any of the claimants which contained material subject to LPP, and they neither disclosed nor referred to legal advice. It therefore found that the claimant concerned had not suffered any detriment or damage, and that the determination provided adequate just satisfaction. It nevertheless required that GCHQ provide an undertaking that those parts of the documents containing legally privileged material would be destroyed or deleted; that a copy of the documents would be delivered to the IC Commissioner to be retained for five years; and that a closed report would be provided within fourteen days confirming the destruction and deletion of the documents.

Draft amendments to both the IC Code and the Acquisition and Disclosure of Communications Data Code of Practice were subsequently put out for consultation and the Codes which were adopted as a result in 2018 contained expanded sections concerning access to privileged information.

A British-US Communication Intelligence Agreement of 5 March 1946 governed the arrangements between the British and United States authorities in relation to the exchange of intelligence information relating to ‘foreign’ communications, defined by reference to countries other than the United States, the United Kingdom and the Commonwealth. Pursuant to the agreement, the parties undertook to exchange the products of a number of interception operations relating to foreign communications.

There are three intelligence services in the United Kingdom: the security service (‘MI5’), the secret intelligence service (‘MI6’) and GCHQ.

Following the Liberty proceedings, the information contained in the 9 October disclosure (see paragraphs 33 and 36 above) was incorporated into the IC Code:

The IPT was established under section 65(1) of RIPA to hear allegations by citizens of wrongful interference with their communications as a result of conduct covered by that Act. It had jurisdiction to investigate any complaint that a person's communications had been intercepted and, where interception had occurred, to examine the authority for such interception.

Appointments to the IPT were essentially judicial in nature but varied depending on whether the proposed candidate was a serving member of the senior judiciary of England and Wales, Scotland or Northern Ireland (referred to as a ‘judicial member’) or if they were a ‘non-judicial member’. A non-judicial member could be a former member of the judiciary who was no longer serving or a senior member of the legal profession of at least ten years' standing who was not a full-time judge. Where judicial members were selected from the judiciary in England and Wales, the Judicial Office, on behalf of the Lord Chief Justice, managed the selection process. The Judicial Office invited expressions of interest from serving High Court Judges in England and Wales and applicants were interviewed by a panel, which consisted of the President of the IPT, a non-judicial member of the IPT and a lay Commissioner from the Judicial Appointments Commission. The panel then reported to the Lord Chief Justice who wrote to the Home Secretary making formal recommendations for appointments. The Home Secretary then wrote to the Prime Minister asking him to seek permission for Letters Patent from Her Majesty the Queen for the recommended appointment(s). The Prime Minister recommended the chosen candidate(s) to Her Majesty the Queen who formalised the appointment through Letters Patent. Non judicial-members were recruited through open competition. The IPT placed advertisements for non-judicial members in a selection of national newspapers and recruitment sites asking for expressions of interest from suitably qualified individuals. The process differed from that of judicial members in that it did not involve the Lord Chief Justice, but was the same in all other respects. There are currently five judicial members (two members of the English Court of Appeal (one of whom is the President), one member of the English High Court and two members of the Outer House of the Court of Session in Scotland (one of whom is the Vice-President)) and five non-judicial members (of whom one is a retired High Court judge from Northern Ireland).

According to sections 67(2) and 67(3)(c), the IPT was to apply the principles applicable by a court on an application for judicial review. It did not, however, have power to make a Declaration of Incompatibility if it found primary legislation to be incompatible with the European Convention on Human Rights as it was not a ‘court’ for the purposes of section 4 of the Human Rights Act 1998.

Section 68(6) and (7) required those involved in the authorisation and execution of an interception warrant to disclose or provide to the IPT all documents and information it required.

Section 68(4) provided that where the IPT determined any complaint it had the power to award compensation and to make such other orders as it thought fit, including orders quashing or cancelling any warrant and orders requiring the destruction of any records obtained thereunder (section 67(7)). In the event that a claim before the IPT was successful, the IPT was generally required to make a report to the Prime Minister (section 68(5)).

Section 68(1) entitled the IPT to determine its own procedure, although section 69(1) provided that the Secretary of State could also make procedural rules.

The Rules were adopted by the Secretary of State to govern various aspects of the procedure before the IPT.

Rule 9 allowed the IPT to hold, at any stage of consideration, oral hearings at which the complainant could make representations, give evidence and call witnesses. Although Rule 9 provided that the IPT's proceedings, including any oral hearings, were to be conducted in private, in cases IPT/01/62 and IPT/01/77 the IPT itself decided that, subject to the general duty imposed by Rule 6 (1) to prevent the disclosure of sensitive information, it could exercise its discretion in favour of holding an open hearing. Following this commitment to hold hearings in open when possible, the IPT has also published its significant rulings on its website, provided that there is no risk of disclosure of any prejudicial information.

Rule 11 allowed the IPT to receive evidence in any form, even where it would not be admissible in a court of law.

Rule 6 required the IPT to carry out its functions in such a way as to ensure that information was not disclosed that was contrary to the public interest or prejudicial to national security, the prevention or detection of serious crime, the economic well-being of the United Kingdom or the continued discharge of the functions of any of the intelligence services.

The IPT could appoint Counsel to the Tribunal to make submissions on behalf of applicants in hearings at which they could not be represented. In the Liberty case, Counsel to the Tribunal described his role as follows:

This description was accepted and endorsed by the IPT.

In this judgment, which was handed down on 15 May 2019, the Supreme Court held that section 67(8) of RIPA did not preclude judicial review of a decision of the IPT.

The ISC was originally established by the ISA to examine the policy, administration and expenditure of MI5, MI6, and GCHQ. Since the introduction of the Justice and Security Act 2013, however, the ISC was expressly given the status of a Committee of Parliament; it was provided with greater powers; and its remit was increased to include oversight of operational activity and the wider intelligence and security activities of Government. Pursuant to sections 1–4 of the Justice and Security Act 2013, it consisted of nine members drawn from both Houses of Parliament, and, in the exercise of their functions, those members were routinely given access to highly classified material.

Following the Edward Snowden revelations, the ISC conducted an investigation into GCHQ's access to the content of communications intercepted under the United States' PRISM programme, the legal framework governing access, and the arrangements GCHQ had with its overseas counterpart for sharing information. In the course of the investigation, the ISC took detailed evidence from GCHQ and discussed the programme with the NSA.

The ISC concluded that allegations that GCHQ had circumvented United Kingdom law by using the PRISM programme to access the content of private communications were unfounded as GCHQ had complied with its statutory duties contained in the ISA. It further found that in each case in which GCHQ had sought information from the United States, a warrant for interception, signed by a Government Minister, had already been in place.

Following its statement in July 2013, the ISC conducted a more in-depth inquiry into the full range of the intelligence services' capabilities. Its report, which contained an unprecedented amount of information about the intelligence services' intrusive capabilities, was published on 12 March 2015.

The ISC was satisfied that the United Kingdom's intelligence and security services did not seek to circumvent the law, including the requirements of the Human Rights Act 1998, which governed everything that they did. However, it considered that as the legal framework had developed piecemeal, it was unnecessarily complicated. The ISC therefore had serious concerns about the resulting lack of transparency, which was not in the public interest. Consequently, its key recommendation was that the existing legal framework be replaced by a new Act of Parliament which clearly set out the intrusive powers available to the intelligence services, the purposes for which they could use them, and the authorisation required before they could do so.

With regard to GCHQ's bulk interception capability, the inquiry showed that the intelligence services did not have the legal authority, the resources, the technical capability, or the desire to intercept every communication of British citizens, or of the Internet as a whole. GCHQ were not, therefore, reading the emails of everyone in the United Kingdom. On the contrary, GCHQ's bulk interception systems operated on a very small percentage of the bearers that made up the Internet and the ISC was satisfied that GCHQ applied levels of filtering and selection such that only a certain amount of the material on those bearers was collected. Further targeted searches ensured that only those items believed to be of the highest intelligence value were ever presented for analysts to examine, with the consequence that only a tiny fraction of those collected were ever seen by human eyes.

In respect of Internet communications, the ISC considered that the distinction between ‘internal’ and ‘external’ communications was confusing and lacked transparency. It therefore suggested that the Government publish an explanation of which Internet communications fell under which category. Nevertheless, the inquiry had established that bulk interception could not be used to target the communications of an individual in the United Kingdom without a specific authorisation, signed by a Secretary of State, naming that individual.

The ISC observed that the section 8(4) warrant was very brief. In so far as the accompanying certificate set out the categories of communications which might be examined, those categories were expressed in very general terms (for example, ‘material providing intelligence on terrorism (as defined by the Terrorism Act 2000 (as amended)), including, but not limited to, terrorist organisations, terrorists, active sympathisers, attack planning, fund-raising’). Given that the certificate was so generic, the ISC questioned whether it needed to be secret or whether, in the interests of transparency, it could be published.

Although the section 8(4) certificate set out the general categories of information which could be examined, the ISC found that in practice it was the selection of the bearers and the application of simple selectors and search criteria which determined what communications were examined. The ISC had therefore sought assurances that these were subject to scrutiny and review by Ministers and/or the Commissioners. However, the evidence before the ISC indicated that neither Ministers nor the Commissioners had any significant visibility of these issues. The ISC therefore recommended that the IC Commissioner should be given statutory responsibility to review the various selection criteria used in bulk interception to ensure that they followed directly from the certificate and valid national security requirements.

The ISC noted that communications data were central to most intelligence services' investigations: they could be analysed to find patterns that reflected particular online behaviours associated with activities such as attack planning, to establish links, to help focus on individuals who might pose a threat, to ensure that interception was properly targeted, and to illuminate networks and associations relatively quickly. They were particularly useful in the early stages of an investigation, when the intelligence services had to be able to determine whether those associating with a target were connected to the plot (and therefore required further investigation) or were innocent bystanders. According to the Secretary of State for the Home Department, they had ‘played a significant role in every Security Service counter-terrorism operation over the last decade’. Nevertheless, the ISC expressed concern about the definition of ‘communications data’. While it accepted that there was a category of communications data which was less intrusive than content, and therefore did not require the same degree of protection, it considered that there existed certain categories of communications data which had the potential to reveal more intrusive details about a person's private life and, therefore, required greater safeguards.

Finally, with regard to the IPT, the ISC expressly recognised the importance of a domestic right of appeal.

The Independent Reviewer of Terrorism Legislation is a person wholly independent of Government, appointed by the Home Secretary and by the Treasury for a renewable three-year term. He is tasked with reporting to the Home Secretary and to Parliament on the operation of counter-terrorism law in the United Kingdom. These reports are laid before Parliament to inform the public and political debate.

The purpose of the Anderson Report, which was both laid before Parliament and published on 11 June 2015, and which was named after David Anderson Q.C., the then Independent Reviewer of Terrorism Legislation, was to inform the public and political debate on the threats to the United Kingdom, the capabilities required to combat those threats, the safeguards in place to protect privacy, the challenges of changing technology, issues relating to transparency and oversight, and the case for new or amended legislation. In conducting the review the Independent Reviewer had unrestricted access, at the highest level of security clearance, to the responsible Government departments and public authorities. He also engaged with service providers, independent technical experts, non-governmental organisations, academics, lawyers, judges and regulators.

The Independent Reviewer had noted that the statutory framework governing investigatory powers had ‘developed in a piecemeal fashion’, with the consequence that there were ‘few [laws] more impenetrable than RIPA and its satellites’.

With regard to the importance of communications data, he observed that they enabled the intelligence services to build a picture of a subject of interest's activities and were extremely important in providing information about criminal and terrorist activity. They identified targets for further work and also helped to determine if someone was completely innocent. Of central importance was the ability to use communications data (subject to necessity and proportionality) for:

Moreover, analysis of communications data could be performed speedily, making them extremely useful in fast-moving operations, and use of communications data could either build a case for using a more intrusive measure, or deliver the information that would make other measures unnecessary.

The Independent Reviewer's proposals for reform can be summarised as follows:

The ISR was undertaken by the Royal United Services Institute, an independent think-tank, at the request of the then deputy Prime Minister, partly in response to the revelations by Edward Snowden. Its terms of reference were to look at the legality of United Kingdom surveillance programmes and the effectiveness of the regimes that governed them, and to suggest reforms which might be necessary to protect both individual privacy and the necessary capabilities of the police and security and intelligence services.

Having completed its review the ISR found no evidence that the British Government was knowingly acting illegally in intercepting private communications, or that the ability to collect data in bulk was being used by the Government to provide it with a perpetual window into the private lives of British citizens. On the other hand, it found evidence that the existing legal framework authorising the interception of communications was unclear, had not kept pace with developments in communications' technology, and did not serve either the Government or members of the public satisfactorily. It therefore concluded that a new, comprehensive and clearer legal framework was required.

In particular, it supported the view set out in both the ISC and Anderson Report that while the current surveillance powers were needed, both a new legislative framework and oversight regime were required. It further considered that the definitions of ‘content’ and ‘communications data’ should be reviewed as part of the drafting of the new legislation so that they could be delineated clearly in law.

With regard to communications data, the report noted that greater volumes were available on an individual relative to content, because every piece of content was surrounded by multiple pieces of communications data. Furthermore, aggregating data sets could create an extremely accurate picture of an individual's life since, given enough raw data, algorithms and powerful computers could generate a substantial picture of the individual and his or her patterns of behaviour without ever accessing content. In addition, the use of increasingly sophisticated encryption methods had made content increasingly difficult to access.

It further considered that the capability of the security and intelligence services to collect and analyse intercepted material in bulk should be maintained, but with the stronger safeguards recommended in the Anderson Report. In particular, it agreed that warrants for bulk interception should include much more detail and should be the subject of a judicial authorisation process, save for when there was an urgent requirement.

In addition, it agreed with both the ISC and the Anderson Report that there should be different types of warrant for the interception and acquisition of communications and related data. It was proposed that warrants for a purpose relating to the detection or prevention of serious and organised crime should always be authorised by a Judicial Commissioner, while warrants for purposes relating to national security should be authorised by the Secretary of State subject to judicial review by a Judicial Commissioner.

With regard to the IPT, the ISR recommended open public hearings, except where it was satisfied private or closed hearings were necessary in the interests of justice or other identifiable public interest. Furthermore, the IPT should have the ability to test secret evidence put before it, possibly through the appointment of Special Counsel. Finally, it agreed with the ISC and Anderson Report that a domestic right of appeal was important and should be considered in future legislation.

The bulk powers review was set up in May 2016 to evaluate the operational case for the four bulk powers contained in what was then the Investigatory Powers Bill (now the Investigatory Powers Act 2016: see paragraphs 183–190 below). Those powers related to bulk interception and the bulk acquisition of communications data, bulk equipment interference and the acquisition of bulk personal datasets.

The review was again carried out by the Independent Reviewer of Terrorism Legislation. To conduct the review he recruited three team members, all of whom had the necessary security clearance to access very highly classified material, including a person with the necessary technical background to understand the systems and techniques used by GCHQ, and the uses to which they could be put; an investigator with experience as a user of secret intelligence, including intelligence generated by GCHQ; and senior independent counsel with the skills and experience to challenge forensically the evidence and the case studies presented by the security and intelligence services.

In conducting their review, the team had significant and detailed contact with the intelligence services at all levels of seniority as well as the relevant oversight bodies (including the IPT and Counsel to the Tribunal), NGOs and independent technical experts.

Although the review was of the Investigatory Powers Bill, a number of its findings in respect of bulk interception were relevant to the case at hand. In particular, having examined a great deal of closed material, the review concluded that bulk interception was an essential capability: first, because terrorists, criminal and hostile foreign intelligence services had become increasingly sophisticated at evading detection by traditional means; and secondly, because the nature of the global Internet meant that the route a particular communication would travel had become hugely unpredictable. The review team looked at alternatives to bulk interception (including targeted interception, the use of human sources and commercial cyber-defence products) but concluded that no alternative or combination of alternatives would be sufficient to substitute for the bulk interception power as a method of obtaining the necessary intelligence.

Following a series of four terrorist attacks in the short period between March and June 2017, in the course of which some thirty-six innocent people were killed and almost 200 more were injured, the Home Secretary asked the recently retired Independent Reviewer of Terrorism Legislation, David Anderson Q.C., to assess the classified internal reviews of the police and intelligence services involved. In placing the attacks in context, the Report made the following observations:

The IC Commissioner observed that when conducting interception under a section 8(4) warrant, an intercepting agency had to use its knowledge of the way in which international communications were routed, combined with regular surveys of relevant communications links, to identify those individual communications bearers that were most likely to contain external communications that would meet the descriptions of material certified by the Secretary of State under section 8(4). It also had to conduct the interception in ways that limited the collection of non-external communications to the minimum level compatible with the objective of intercepting the wanted external communications.

He further observed that prior to analysts being able to read, look at or listen to material, they had to provide a justification, which included why access to the material was required, consistent with, and pursuant to section 16 and the applicable certificate, and why such access was proportionate. Inspections and audits showed that although the selection procedure was carefully and conscientiously undertaken, it relied on the professional judgment of analysts, their training and management oversight.

According to the report, 3007 interception warrants were issued in 2016 and five applications were refused by a Secretary of State. In the view of the IC Commissioner, these figures did not capture the critical quality assurance function initially carried out by the staff and lawyers within the intercepting agency or the warrant-granting department (the warrant-granting departments were a source of independent advice to the Secretary of State and performed pre-authorisation scrutiny of warrant applications and renewals to ensure that they were (and remained) necessary and proportionate). Based on his inspections, he was confident that the low number of rejections reflected the careful consideration given to the use of these powers.

A typical inspection of an interception agency included the following:

After each inspection, inspectors produced a report, including:

During 2016, the IC Commissioner's office inspected all nine interception agencies once and the four main warrant-granting departments twice. This, together with extra visits to GCHQ, made a total of twenty-two inspection visits. In addition, he and his inspectors arranged other ad hoc visits to agencies.

Inspection of the systems in place for applying for and authorising interception warrants usually involved a three-stage process. First, to achieve a representative sample of warrants, inspectors selected them across different crime types and national security threats. In addition, inspectors focussed on those of particular interest or sensitivity (such as those which gave rise to an unusual degree of collateral intrusion, those which had been extant for a considerable period, those which were approved orally, those which resulted in the interception of legal or otherwise confidential communications, and so-called ‘thematic’ warrants). Secondly, inspectors scrutinised the selected warrants and associated documentation in detail during reading days which preceded the inspections. At this stage, inspectors were able to examine the necessity and proportionality statements made by analysts when adding a selector to the collection system for examination. Each statement had to stand on its own and had to refer to the overall requirement of priorities for intelligence collection. Thirdly, they identified those warrants, operations or areas of the process which required further information or clarification and arranged to interview relevant operational, legal or technical staff. Where necessary, they examined further documentation or systems relating to those warrants.

Nine hundred and seventy warrants were examined during the twenty-two interception inspections (sixty-one percent of the number of warrants in force at the end of the year and thirty-two percent of the total of new warrants issued in 2016).

Retention periods were not prescribed by legislation, but the agencies had to consider section 15(3) of RIPA, which provided that the material or data had to be destroyed as soon as retaining them was no longer necessary for any of the authorised purposes in section 15(4). According to the report, every interception agency had a different view on what constituted an appropriate retention period for intercepted material and related communications data. The retention periods therefore differed within the interception agencies; for content, they ranged between thirty days and one year, and for related communications data, they ranged between six months and one year. In practice, however, the vast majority of content was reviewed and automatically deleted after a very short period of time unless specific action was taken to retain the content for longer because it was necessary to do so.

The IC Commissioner expressly noted the he ‘was impressed by the quality’ of the necessity and proportionality statements made by analysts when adding a selector to the collection system for examination.

Inspectors made a total of twenty-eight recommendations in their inspection reports, eighteen of which were made in relation to the application process. The majority of the recommendations in this category related to the necessity, proportionality and/or collateral intrusion justifications in the applications, or to the handling of legally privileged or otherwise confidential material relating to sensitive professions.

The total number of interception errors reported to the IC Commissioner during 2016 was 108. Key causes of interception errors were over-collection (generally technical software or hardware errors that caused over-collection of intercepted material and related communications data), unauthorised selection/examination, incorrect dissemination, the failure to cancel interception, and the interception of either an incorrect communications address or person.

Finally, with regard to intelligence sharing, the IC Commissioner noted that:

The Intelligence Services Commissioner, in his report on compliance with the ‘Consolidated Guidance to Intelligence Officers and Service Personnel on the Detention and Interviewing of Detainees Overseas, and on the Passing and Receipt of Intelligence Relating to Detainees’, observed that

Oversight of compliance with the Consolidated Guidance now falls under the remit of the new Investigatory Powers Commissioner. The Guidance is currently being reviewed since the Intelligence Services Commissioner, in his 2015 report, indicated that while he did ‘not think that the Consolidated Guidance was fundamentally defective or not fit for purpose’, he nevertheless expressed the view that it had been ‘in operation in its current form for some years and that there was room for improvement’.

The Convention, which entered into force in respect of the United Kingdom on 1 December 1987, sets out standards for data protection in the sphere of automatic processing of personal data in the public and private sectors. It provides, in so far as relevant:

Preamble

Article 1 — Object and purpose

…

Article 8 — Additional safeguards for the data subject

Article 9 — Exceptions and restrictions

Article 10 — Sanctions and remedies

The Explanatory Report to the above-mentioned Convention explains that:

Article 9 — Exceptions and restrictions

The Protocol, which has not been ratified by the United Kingdom, provides, in so far as relevant:

Article 1 — Supervisory authorities

Article 2 — Transborder flows of personal data to a recipient which is not subject to the jurisdiction of a Party to the Convention

Recommendation (No. R (95) 4 of the Committee of Ministers), which was adopted on 7 February 1995, reads, in so far as relevant, as follows:

The Venice Commission noted, at the outset, the value that bulk interception could have for security operations, since it enabled the security services to adopt a proactive approach, looking for hitherto unknown dangers rather than investigating known ones. However, it also noted that intercepting bulk data in transmission, or requirements that telecommunications companies store and then provide telecommunications content data or metadata to law-enforcement or security agencies, involved an interference with the privacy and other human rights of a large proportion of the population of the world. In this regard, the Venice Commission considered that the main interference with privacy occurred when stored personal data were accessed and/or processed by the agencies. For this reason, the computer analysis (usually with the help of selectors) was one of the important stages for balancing personal integrity concerns against other interests.

According to the report, the two most significant safeguards were the authorisation (of collection and access) and the oversight of the process. It was clear from the Court's case-law that the latter had to be performed by an independent, external body. While the Court had a preference for judicial authorisation, it had not found this to be a necessary requirement. Rather, the system had to be assessed as a whole, and where independent controls were absent at the authorisation stage, particularly strong safeguards had to exist at the oversight stage. In this regard, the Venice Commission considered the example of the system in the United States, where authorisation was given by the FISC. However, despite the existence of judicial authorisation, the lack of independent oversight of the conditions and limitations set by the court was problematic.

Similarly, the Commission observed that notification of the subject of surveillance was not an absolute requirement of Article 8 of the Convention, since a general complaints procedure to an independent oversight body could compensate for non-notification.

The report also considered internal controls to be a ‘primary safeguard’. Recruitment and training were key issues; in addition, it was important for the agencies to build in respect for privacy and other human rights when promulgating internal rules.

The report acknowledged that journalists were a group which required special protection, since searching their contacts could reveal their sources (and the risk of discovery could be a powerful disincentive to whistle-blowers). Nevertheless, it considered there to be no absolute prohibition on searching the contacts of journalists, provided that there were very strong reasons for doing so. According to the report, the journalistic profession was not one which was easily identified, since NGOs were also engaged in building public opinion and even bloggers could claim to be entitled to equivalent protections.

Finally, the report considered briefly the issue of intelligence sharing, and in particular the risk that States could thereby circumvent stronger domestic surveillance procedures and/or any legal limits which their agencies might be subject to as regards domestic intelligence operations. It considered that a suitable safeguard would be to provide that the bulk material transferred could only be searched if all the material requirements of a national search were fulfilled and this was duly authorised in the same way as a search of bulk material obtained by the signals intelligence agency using its own techniques.

In a judgment of 8 April 2014 the CJEU declared invalid the Data Retention Directive 2006/24/EC laying down the obligation on the providers of publicly available electronic communication services or of public communications networks to retain all traffic and location data for periods from six months to two years, in order to ensure that the data were available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law. The CJEU noted that, even though the directive did not permit the retention of the content of the communication, the traffic and location data covered by it might allow very precise conclusions to be drawn concerning the private lives of the persons whose data had been retained. Accordingly, the obligation to retain the data constituted in itself an interference with the right to respect for private life and communications guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union and the right to protection of personal data under Article 8 of the Charter.

The access of the competent national authorities to the data constituted a further interference with those fundamental rights, which the CJEU considered to be ‘particularly serious’. The fact that data were retained and subsequently used without the subscriber or registered user being informed was, according to the CJEU, likely to generate in the minds of the persons concerned the feeling that their private lives were the subject of constant surveillance. The interference satisfied an objective of general interest, namely to contribute to the fight against serious crime and terrorism and thus, ultimately, to public security. However, it failed to satisfy the requirement of proportionality.

Firstly, the directive covered, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime. It therefore entailed an interference with the fundamental rights of practically the entire European population, according to the CJEU. It applied even to persons for whom there was no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime.

Secondly, the directive did not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. By simply referring, in a general manner, to serious crime, as defined by each Member State in its national law, the directive failed to lay down any objective criterion by which to determine which offences might be considered to be sufficiently serious to justify such an extensive interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. Above all, the access by the competent national authorities to the data retained was not made dependent on a prior review carried out by a court or by an independent administrative body whose decision sought to limit access to the data and their use to what was strictly necessary for the purpose of attaining the objective pursued.

Thirdly, the directive required that all data be retained for a period of at least six months, without any distinction being made between the categories of data on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned. The CJEU concluded that the directive entailed a wide-ranging and particularly serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, without such an interference being precisely circumscribed by provisions to ensure that it was actually limited to what was strictly necessary. The CJEU also noted that the directive did not provide for sufficient safeguards, by means of technical and organisational measures, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of those data.

In Secretary of State for the Home Department v. Watson and Others, the applicants had sought judicial review of the legality of section 1 of the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’), pursuant to which the Secretary of State could require a public telecommunications operator to retain relevant communications data if he or she considered it necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (h) of section 22(2) of RIPA. The applicants claimed, inter alia, that section 1 was incompatible with Articles 7 and 8 of the Charter and Article 8 of the Convention.

On 17 July 2015, the High Court held that the Digital Rights judgment laid down ‘mandatory requirements of EU law’ applicable to the legislation of Member States on the retention of communications data and access to such data. Since the CJEU, in that judgment, held that Directive 2006/24 was incompatible with the principle of proportionality, national legislation containing the same provisions as that directive could, equally, not be compatible with that principle. In fact, it followed from the underlying logic of the Digital Rights judgment that legislation that established a general body of rules for the retention of communications data was in breach of the rights guaranteed in Articles 7 and 8 of the Charter, unless that legislation was complemented by a body of rules for access to the data, defined by national law, which provided sufficient safeguards to protect those rights. Accordingly, section 1 of DRIPA was not compatible with Articles 7 and 8 of the Charter as it did not lay down clear and precise rules providing for access to and use of retained data and access to those data was not made dependent on prior review by a court or an independent administrative body.

On appeal by the Secretary of State, the Court of Appeal sought a preliminary ruling from the CJEU.

Before the CJEU this case was joined with the request for a preliminary ruling from the Kammarrätten i Stockholm in Case C-203/15 Tele2 Sverige AB v Post- och telestyrelsen. Following an oral hearing in which some fifteen European Union Member States intervened, the CJEU gave judgment on 21 December 2016. The CJEU held that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, had to be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, was not restricted solely to fighting serious crime, where access was not subject to prior review by a court or an independent administrative authority, and where there was no requirement that the data concerned should be retained within the European Union.

The CJEU declared the Court of Appeal's question whether the protection afforded by Articles 7 and 8 of the Charter was wider than that guaranteed by Article 8 of the Convention inadmissible.

Following the handing down of the CJEU's judgment, the case was relisted before the Court of Appeal. On 31 January 2018 it granted declaratory relief in the following terms: that section 1 of DRIPA was inconsistent with European Union law to the extent that it permitted access to retained data where the object pursued by access was not restricted solely to fighting serious crime; or where access was not subject to prior review by a court or independent administrative authority.

This request for a preliminary ruling arose after Spanish police, in the course of investigating the theft of a wallet and mobile telephone, asked the investigating magistrate to grant them access to data identifying the users of telephone numbers activated with the stolen telephone during a period of twelve days prior to the theft. The investigating magistrate rejected the request on the ground, inter alia, that the acts giving rise to the criminal investigation did not constitute a ‘serious’ offence. The referring court subsequently sought guidance from the CJEU on fixing the threshold of seriousness of offences above which an interference with fundamental rights, such as competent national authorities' access to personal data retained by providers of electronic communications services, may be justified.

On 2 October 2018 the Grand Chamber of the CJEU ruled that Article 15(1) of Directive 2002/58/EC, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, had to be interpreted as meaning that the access of public authorities to data for the purpose of identifying the owners of SIM cards activated with a stolen mobile telephone, such as the surnames, forenames and, if need be, addresses of the owners, entailed an interference with their fundamental rights which was not sufficiently serious to entail that access being limited, in the area of prevention, investigation, detection and prosecution of criminal offences, to the objective of fighting serious crime. In particular, it indicated that:

It did not consider access to the data which were the subject of the request to be a particularly serious interference because it:

This request for a preliminary ruling arose from a complaint against Facebook Ireland Ltd which was made to the Irish Data Protection Commissioner by Mr. Schrems, an Austrian privacy advocate. Mr. Schrems challenged the transfer of his data by Facebook Ireland to the United States and the retention of his data on servers located in that country. The Data Protection Commissioner rejected the complaint since, in a decision of 26 July 2000, the European Commission had considered that the United States ensured an adequate level of protection of the personal data transferred (‘the Safe Harbour Decision’).

In its ruling of 6 October 2015, the CJEU held that the existence of a Commission decision finding that a third country ensured an adequate level of protection of the personal data transferred could not eliminate or even reduce the powers available to the national supervisory authorities under the Charter or the Data Protection Directive. Therefore, even if the Commission had adopted a decision, the national supervisory authorities had to be able to examine, with complete independence, whether the transfer of a person's data to a third country complied with the requirements laid down by the Directive.

However, only the CJEU could declare a decision of the Commission invalid. In this regard, it noted that the safe harbour scheme was applicable solely to the United States' undertakings which adhered to it, and United States' public authorities were not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevailed over the safe harbour scheme, so that United States' undertakings were bound to disregard, without limitation, the protective rules laid down by the scheme where they conflicted with such requirements. The safe harbour scheme therefore enabled interference by United States' public authorities with the fundamental rights of individuals, and the Commission had not, in the Safe Harbour Decision, referred either to the existence, in the United States, of rules intended to limit any such interference, or to the existence of effective legal protection against the interference.

As to whether the level of protection in the United States was essentially equivalent to the fundamental rights and freedoms guaranteed within the European Union, the CJEU found that legislation was not limited to what was strictly necessary where it authorised, on a generalised basis, storage of all the personal data of all the persons whose data were transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of their subsequent use. Therefore, under European Union law legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications had to be regarded as compromising the essence of the fundamental right to respect for private life. Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromised the essence of the fundamental right to effective judicial protection.

Finally, the Court found that the Safe Harbour Decision denied the national supervisory authorities their powers where a person called into question whether the decision was compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Commission had not had competence to restrict the national supervisory authorities' powers in that way and, consequently, the CJEU held the Safe Harbour Decision to be invalid

Following the judgment of the CJEU of 6 October 2015, the referring court annulled the rejection of Mr Schrems' complaint and referred that decision back to the Commissioner. In the course of the Commissioner's investigation, Facebook Ireland explained that a large part of personal data were transferred to Facebook Inc. pursuant to the standard data protection clauses set out in the annex to Commission Decision 2010/87/EU, as amended.

Mr Schrems reformulated his complaint, claiming, inter alia, that the United States' law required Facebook Inc. to make the personal data transferred to it available to certain United States' authorities, such as the NSA and the Federal Bureau of Investigation. Since those data were used in the context of various monitoring programmes in a manner incompatible with Articles 7, 8 and 47 of the Charter, Decision 2010/87/EU could not justify the transfer of those data to the United States. On this basis, he asked the Commissioner to prohibit or suspend the transfer of his personal data to Facebook Inc.

In a draft decision published on 24 May 2016, the Commissioner took the provisional view that the personal data of European Union citizens transferred to the United States were likely to be consulted and processed by the United States' authorities in a manner incompatible with Articles 7 and 8 of the Charter and that United States' law did not provide those citizens with legal remedies compatible with Article 47 of the Charter. The Commissioner found that the standard data protection clauses in the annex to Decision 2010/87/EU were not capable of remedying that defect, since they did not bind the United States' authorities.

Having considered the United States' intelligence activities under section 702 of FISA and Executive Order 12333, the High Court concluded that the United States carried out mass processing of personal data without ensuring a level of protection essentially equivalent to that guaranteed by Articles 7 and 8 of the Charter; and that European Union citizens did not have available to them the same remedies as citizens of the United States, with the consequence that United States' law did not afford European Union citizens a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter. It stayed the proceedings and referred a number of questions to the CJEU for a preliminary ruling. It asked, inter alia, whether European Union law applied to the transfer of data from a private company in the European Union to a private company in a third country; if so, how the level of protection in the third country should be assessed; and whether the level of protection afforded by the United States respected the essence of the rights guaranteed by Article 47 of the Charter.

In a judgment of 16 July 2020, the CJEU held that the General Data Protection Regulation (‘GDPR’) applied to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, those data were liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security. Moreover, the appropriate safeguards, enforceable rights and effective legal remedies required by the GDPR had to ensure that data subjects whose personal data were transferred to a third country pursuant to standard data protection clauses were afforded a level of protection essentially equivalent to that guaranteed within the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer had to take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country.

Furthermore, unless there was a valid Commission adequacy decision, the competent supervisory authority was required to suspend or prohibit a transfer of data to a third country if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, the standard data protection clauses adopted by the Commission were not or could not be complied with in that third country and the protection of the data transferred (as required by European Union law) could not be ensured by other means.

In order for the Commission to adopt an adequacy decision, it had to find, duly stating reasons, that the third country concerned ensured, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the European Union legal order. In the CJEU's view, the Safe Harbour decision was invalid. Section 702 of the Foreign Intelligence Security Act (‘FISA’) did not indicate any limitations on the power it conferred to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes. In those circumstances, it could not ensure a level of protection essentially equivalent to that guaranteed by the Charter. Furthermore, as regards the monitoring programmes based on Executive Order 12333, it was clear that that order also did not confer rights which were enforceable against the United States' authorities in the courts.

On 8 September 2017, the IPT gave judgment in the case of Privacy International, which concerned the acquisition by the intelligence services of bulk communications data under section 94 of the Telecommunications Act 1984 and bulk personal data. The IPT found that, following their avowal, the regimes were compliant with Article 8 of the Convention. However, it identified the following four requirements which appeared to flow from the CJEU judgment in Watson and Others and which seemed to go beyond the requirements of Article 8 of the Convention: a restriction on non-targeted access to bulk data; a need for prior authorisation (save in cases of validly established emergency) before data could be accessed; provision for subsequent notification of those affected; and the retention of all data within the European Union.

On 30 October 2017, the IPT made a request to the CJEU for a preliminary ruling clarifying the extent to which the Watson requirements could apply where the bulk acquisition and automated processing techniques were necessary to protect national security. In doing so, it expressed serious concern that if the Watson requirements were to apply to measures taken to safeguard national security, they would frustrate them and put the national security of Member States at risk. In particular, it noted the benefits of bulk acquisition in the context of national security; the risk that the need for prior authorisation could undermine the intelligence services' ability to tackle the threat to national security; the danger and impracticality of implementing a requirement to give notice in respect of the acquisition or use of a bulk database, especially where national security was at stake; and the impact an absolute bar on the transfer of data outside the European Union could have on Member States' treaty obligations.

A public hearing took place on 9 September 2019. The Privacy International case was heard together with cases C-511/18 and C-512/18, La Quadrature du Net and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others, which also concerned the application of Directive 2002/58 to activities related to national security and the combating of terrorism. Thirteen States intervened in support of the States concerned.

Two separate judgments were handed down on 6 October 2020. In Privacy International the CJEU found that national legislation enabling a State authority to require providers of electronic communications services to forward traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security fell within the scope of the Directive on privacy and electronic communications. The interpretation of that Directive had to take account of the right to privacy, guaranteed by Article 7 of the Charter, the right to protection of personal data, guaranteed by Article 8, and the right to freedom of expression, guaranteed by Article 11. Limitations on the exercise of those rights had to be provided for by law, respect the essence of the rights, and be proportionate, necessary, and genuinely meet the objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. Furthermore, limitations on the protection of personal data must apply only in so far as is strictly necessary; and in order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data are affected have sufficient guarantees that data will be protected effectively against the risk of abuse.

In the opinion of the CJEU, national legislation requiring providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission — which affected all persons using electronic communications services — exceeded the limits of what was strictly necessary and could not be considered to be justified as required by the Directive on privacy and electronic communications read in light of the Charter.

However, in La Quadrature du Net and Others the CJEU confirmed that while the Directive on privacy and electronic communications, read in light of the Charter, precluded legislative measures which provided for the general and indiscriminate retention of traffic and location data, where a Member State was facing a serious threat to national security that proved to be genuine and present or foreseeable, it did not preclude legislative measures requiring service providers to retain, generally and indiscriminately, traffic and location data for a period limited to what was strictly necessary, but which could be extended if the threat persisted. For the purposes of combating serious crime and preventing serious threats to public security, a Member State could also provide — if it was limited in time to what was strictly necessary — for the targeted retention of traffic and location data, on the basis of objective and non-discriminatory factors according to the categories of person concerned or using a geographical criterion, or of IP addresses assigned to the source of an Internet connection. It was also open to a Member State to carry out a general and indiscriminate retention of data relating to the civil identity of users of means of electronic communication, without the retention being subject to a specific time limit.

Furthermore, the Directive on privacy and electronic communications, read in light of the Charter, did not preclude national rules which required providers of electronic communications services to have recourse, first, to the automated analysis and real-time collection of traffic and location data, and secondly, to the real-time collection of technical data concerning the location of the terminal equipment used, where it was limited to situations in which a Member State was facing a serious threat to national security that was genuine and present or foreseeable, and where recourse to such analysis may be the subject of an effective review by a court or independent administrative body whose decision was binding; and where recourse to the real-time collection of traffic and location data was limited to persons in respect of whom there was a valid reason to suspect that they were involved in terrorist activities and was subject to a prior review carried out either by a court or by an independent administrative body whose decision was binding.

The Chamber expressly recognised that States enjoyed a wide margin of appreciation in deciding what type of interception regime was necessary to protect national security, but considered that the discretion afforded to States in operating an interception regime would necessarily be narrower. In this regard, it observed that the Court had identified six ‘minimum safeguards’ which should be set out in law to avoid abuses of power: the nature of offences which may give rise to an interception order, a definition of the categories of people liable to have their communications intercepted, a limit on the duration of interception, the procedure to be followed for examining, using and storing the data obtained, the precautions to be taken when communicating the data to other parties, and the circumstances in which intercepted data may or must be erased or destroyed. These safeguards, which were first set out in Huvig v. France, 24 April 1990, § 34, Series A no. 176 B and Kruslin v. France, 24 April 1990, § 35, Series A no. 176-A, had been applied routinely by the Court in its case-law on the interception of communications and in two cases specifically concerning the bulk interception of communications (see Weber and Saravia v. Germany (dec.), no. 54934/00, ECHR 2006-XI and Liberty and Others v. the United Kingdom, no. 58243/00, 1 July 2008).

In the Chamber's view, the decision to operate a bulk interception regime fell within the margin of appreciation afforded to Contracting States. It assessed the operation of the United Kingdom's bulk interception regime by reference to the six minimum safeguards set out in the preceding paragraph. As the first two safeguards did not readily apply to bulk interception, the Chamber reframed these safeguards, considering first, whether the grounds upon which a warrant could be issued were sufficiently clear; secondly, whether domestic law gave citizens an adequate indication of the circumstances in which their communications might be intercepted; and thirdly, whether domestic law gave citizens an adequate indication of the circumstances in which their communications might be selected for examination. In addition, in light of recent case-law (including Roman Zakharov v. Russia [GC], no. 47143/06, ECHR 2015) the Chamber also had regard to the arrangements for supervising the implementation of secret surveillance measures, the existence of notification mechanisms and any remedies provided for by national law.

It identified the following two areas of concern in the section 8(4) regime: first, the lack of oversight of the selection of bearers for interception, the selectors used for filtering intercepted communications, and the process by which analysts selected intercepted communications for examination; and secondly, the absence of any real safeguards applicable to the searching and selection for examination of related communications data. In view of the independent oversight provided by the Interception of Communications Commissioner (‘the IC Commissioner’) and the IPT, and the extensive independent investigations which followed the Edward Snowden revelations, the Chamber was satisfied that the United Kingdom was not abusing its bulk interception powers. Nevertheless, in view of the above-mentioned shortcomings, it held, by a majority, that the bulk interception regime did not meet the ‘quality of law’ requirement and was incapable of keeping the ‘interference’ to what was ‘necessary in a democratic society’.

The Chamber found that as the surveillance measures under the section 8(4) regime were not aimed at monitoring journalists or uncovering journalistic sources, the interception of such communications could not, by itself, be characterised as a particularly serious interference with freedom of expression. However, it considered that the interference would be greater if those communications were selected for examination. If that were the case the interference could only be ‘justified by an overriding requirement in the public interest’ if it was accompanied by sufficient safeguards. In particular, the circumstances in which such communications could be selected intentionally for examination would have to be set out sufficiently clearly in domestic law, and there would have to be adequate measures in place to ensure the protection of confidentiality where such communications had been selected, either intentionally or otherwise, for examination. In the absence of any publicly available arrangements limiting the intelligence services' ability to search and examine confidential journalistic material other than where it was justified by an overriding requirement in the public interest, the Chamber found that there had also been a violation of Article 10 of the Convention.

In the Liberty proceedings the IPT identified three categories of material which could be received from foreign intelligence partners: unsolicited intercept material; solicited intercept material; and non-intercept material. As the Government informed the Chamber that it was ‘implausible and rare’ for intercept material to be obtained ‘unsolicited’, the Chamber did not examine material falling into this category (see paragraph 417 of the Chamber judgment). The Chamber also declined to examine the receipt of non-intercept material, since the applicants had not specified the kind of material foreign intelligence services might obtain by methods other than interception and, as such, it was not satisfied that they had demonstrated that its acquisition would interfere with their Article 8 rights (see paragraph 449 of the Chamber judgment). The applicants have not contested either of these findings.

Furthermore, as the Liberty proceedings were brought by the applicants in the third of the joined cases, the IPT only considered the receipt of intelligence from the NSA. In their submissions before the Chamber and the Grand Chamber, the parties also focused on the receipt of material from the NSA.

The Grand Chamber will therefore limit its examination to the complaint about the receipt of solicited intercept material from the NSA.

The Government argued that the applicants in the first and third of the joined cases could not claim to be victims of the alleged violation because neither of the two conditions in Roman Zakharov (cited above, §171) were met (namely, the applicants could not possibly have been affected by the legislation permitting secret surveillance measures, and remedies were available at the national level). In particular, they argued that the applicants had put forward no basis on which they were at realistic risk either of having their communications intercepted under PRISM or Upstream, or of having their communications requested by the United Kingdom intelligence services. In addition, they submitted that the applicants had available to them an effective domestic remedy to discover whether they were the subject of unlawful intelligence sharing.

At the date of the Chamber's examination of the case the Government of the United Kingdom was in the process of replacing the existing legal framework for conducting secret surveillance with the new IPA. The provisions in the new legislation governing the retention of communications data by CSPs were subject to a domestic legal challenge by Liberty. In the course of those proceedings, the Government conceded that the relevant provision was inconsistent with the requirements of EU law. Consequently, the High Court found Part 4 to be incompatible with fundamental rights in EU law since, in the area of criminal justice, access to retained data was not limited to the purpose of combating ‘serious crime’; nor was it subject to prior review by a court or an independent administrative body (see paragraph 190 above).

In view of both the primacy of EU law over United Kingdom law, and the Government's concession in the domestic proceedings that the provisions of IPA governing the retention of communications data by CSPs was incompatible with EU law, the Chamber considered it ‘clear’ that domestic law required that any regime permitting the authorities to access data retained by CSPs should limit access to the purpose of combating ‘serious crime’, and that access should be subject to prior review by a court or independent administrative body. As the predecessor regime suffered from the same ‘flaws’ as its successor, the Chamber found that it could not be in accordance with the law within the meaning of Article 8 of the Convention (see paragraphs 465–468 of the Chamber judgment).

The parties made no further submissions before the Grand Chamber in respect of this complaint.

The Government did not contest the Chamber's findings before the Grand Chamber. Furthermore, the latter finds no ground on which to disagree with the Chamber's conclusions.

Accordingly, the Court considers that in the present case there was a violation of Article 8 of the Convention on account of the fact that the operation of the regime under Chapter II of RIPA was not ‘in accordance with the law’.

The Chamber acknowledged that the Chapter II regime afforded enhanced protection where data were sought for the purpose of identifying a journalist's source. In particular, paragraph 3.77 of the Acquisition of Communications Data Code of Practice provided that where an application was intended to determine the source of journalistic information, there had to be an overriding requirement in the public interest, and such applications had to use the procedures of the Police and Criminal Evidence Act 1984 (‘PACE’) to apply to a court for a production order to obtain these data. Pursuant to Schedule 1 to PACE, an application for a production order was made to a judge and, where the application related to material that consisted of or included journalistic material, the application had to be made inter partes. Internal authorisation could only be used if there was believed to be an immediate threat of loss of human life, and that person's life could be endangered by the delay inherent in the process of judicial authorisation (see paragraph 498 of the Chamber judgment).

Nevertheless, these provisions only applied where the purpose of the application was to determine a source; they did not apply in every case where there was a request for the communications data of a journalist, or where such collateral intrusion was likely. Furthermore, in cases concerning access to a journalist's communications data there were no special provisions restricting access to the purpose of combating ‘serious crime’. Consequently, the Chamber considered that the regime was not ‘in accordance with the law’ for the purpose of the Article 10 complaint (see paragraphs 496–499 of the Chamber judgment).

The parties made no further submissions before the Grand Chamber in respect of this complaint.

The Government did not contest the Chamber's findings before the Grand Chamber. Furthermore, the latter finds no ground on which to disagree with the Chamber's conclusions.

Accordingly, the Court considers that in the present case there has also been a violation of Article 10 of the Convention on account of the fact that the operation of the regime under Chapter II of RIPA was not ‘in accordance with the law’.