Elementary, My Dear Watson: Data Retention in Britain and Israel
Published: June 10 th 2018 at IDI.
Although the ruling in the Watson case does not entail any practical changes in British law, it may offer some indication of the future of the IPA, which regulates British law on the subject of digital surveillance. The ruling should also be seen as a reminder of the partial regulation of digital surveillance in Israeli law and a call to reexamine the proportionality of the existing arrangements.
On 30 January 2018, the Court of Appeal in London published its ruling in Tom Watson MP v. Secretary of State for the Home Department (hereinafter: “Watson.”)[1] The ruling discusses an appeal by the state against the ruling of the High Court from July 2015,[2] which nullified some of the provisions of the British Data Retention and Investigatory Powers Act 2014 (hereinafter: DRIPA).[3] In Watson, the court granted declarative relief, announcing that the provisions of DRIPA are inconsistent with European law. Some British media outlets rushed to describe the ruling as a judicial declaration nullifying the British digital surveillance regime, although it would not seem to be accurate to view the ruling as a full-fledged revolution.
The issue of data retention relates to the scope of the obligation imposed on database owners, and communications services providers in particular, to retain communication data and content so that this information will later be available to investigative bodies acting in accordance with a court order or any other demand. The wider the powers granted by law to the investigative bodies to intercept communication on a real-time basis, the less the need for these bodies to rely on prior information in accordance with the data retention obligation of communications providers (since they are authorized to intercept these data on a real-time basis). Conversely, the more restrictions the law imposes on the ability of these bodies to intercept communication directly, the more dependent they are on the use of data supplied by the communications providers.
In British law, DRIPA served until recently as the source of authority of the secretary of state when ordering data preservation. The secretary was empowered to instruct communications providers to retain metadata (data that does not relate to the actual content of the communication), if he believed that such retention was necessary and proportionate in the context of a wide range of purposes, including national security, prevention of crime and rioting, public security, protection of public health, collection or estimation of taxes, saving life, and preventing damage to person and property during an emergency.
In the July 2015 ruling, the High Court restricted the substantive application of DRIPA and narrowed the purposes for which it will be permitted to access and use communications data stored under the terms of an order issued by virtue of the act. The High Court determined that, as of March 2016, the provisions of DRIPA would be nullified concerning access and use of communications retained fro goals other than the prevention or identification of serious crimes, or for the goals of pursuing related legal claims. It was also established that it is not possible to permit access and use of communications data unless this is subject to judicial review ensuring the presence of strict necessity therefore.[4] The state appealed against the decision of the High Court,[5] which argued that the questions before it related to European law, and accordingly referred two questions to the European Court,[6] where the questions were clarified in Tele2 Sverige AB.[7]
The European Court ruled in Tele2 Sverige AB that, under EU law, the national regulation of data retention, cannot be general and indiscriminate. Obliging data providers to retain data will be possible when there is strict necessity to do so, and within the framework of the state regulation of the retention of communications data. Such regulation must include appropriate restrictions and controls regarding the retained data categories, the communications means from which data are collected, the scope of the objects of information regarding which data are retained, and the period of retention.[8] Such legislation is required to define substantive and procedural conditions in which communications service providers will grant access to these data to the empowered authorities. The data concerned must be related to a person who committed a “serious crime,” as distinct from crimes on levels equivalent to felony. Judicial review (or review by an independent authority) is required of applications for these data.[9]
However, while the European Court of Justice grappled with the Tele2 Sverige AB case, the Investigatory Powers Act 2016 (hereinafter: “IPA”) came into force in Britain.[10] The IPA constituted a comprehensive reform of digital surveillance laws. Among other changes, it nullified the arrangements in DRIPA. This explains why the Appeals Court in Watson could only grant declarative relief regarding a law that is no longer in forced. Against the background of the ruling of the European Court of Justice in Tele2 Sverige AB, the Court of Appeal in Watson ruled that DRIPA is inconsistent with European law, insofar as its provisions permit, for the purposes of law enforcement, access to retained data not intended for the prevention of a serious crime, or insofar as it permits access to retained data without judicial review or review by another independent administrative authority.[11]
This declarative relief undoubtedly provides moral encouragement for the opponents of the IPA, which even during its process of enactment became known as “the UK Snooper’s Charter.” The IPA regulates diverse digital surveillance practices, including various techniques for bulk collection, as well as data retention. In June 2017, the High Court granted permission to the human rights organization Liberty to instigate legal proceedings attacking the IPA.[12]
In addition, the uncertainty regarding the arrangements for the transfer of information between the EU and the UK in the post-Brexit era may also tend to restrain the broad authorities of the IPA, whose computability with European law is doubtful. Indeed, before the granting of the ruling in Watson, the British government circulated a legislative memorandum for the proposed amendment of the IPA for public comment. Among other changes, the proposal sought to change the purposes for which the secretary may order the preservation of communications data and bring some of the powers to secure communications data under quasi-judicial review.
A comparison between the developments in the UK and the remainder of Europe and the Israeli law concerning data perseveration yields some fairly unflattering results from Israel’s perspective. The issue of data preservation is not regulated in detail. The Protection of Privacy Law and the regulations enacted by virtue thereof do not include general provisions concerning the period of retention of data in the database, the content of data that may be retained, the maximum period of holding of the data, or any other aspect of data retention. Israeli law does not include any prohibition against the preservation of sensitive information, nor any restrictions applying to the period of preservation of sensitive information by cellular communications companies.[13] Some observers argue that the enactment of the Communications Data Law[14] created a possible obligation of data retention.[15] However, the GSS Law empowers the prime minister to establish by way of secret rules provisions determining the manner in which the holder of the telecommunications license must preserve information, the period of preservation, and modalities for the transfer of the information to the GSS.[16] This obligation applies to the preservation of non-content data.
In any case, when it comes to Israel, there are more questions than answers. The scope of data retention undertaken by the communications companies remains unclear. Do the GSS rules order indiscriminate data preservation, or solely for the purpose of specific intelligence goals? Are data preserved for security purposes in accordance with the GSS rules also used by other authorities for non-security-related purposes (such as in the framework of an order by virtue of the Communications Data Law)? Does the police rely on voluntary data preservation on the part of holders of telecommunications licenses?
It is apparent that the existing Israeli law is inconsistent with the European standard as applied by the British court in Watson. The Communications Data Law allows the police to ask the court to grant an order for receipt of communications data, among other reasons for the goals of the discovery, investigation or prevention of misdemeanors, a category that includes a wide range of offenses, some of which are not necessarily of sufficient severity to justify the violation of privacy inherent in the law.[17] Moreover, in urgent cases the Communications Data Law permits the receipt of communications data without judicial review(though not for the purpose of discovering or preventing misdemeanor-type offenses).[18] In Association for Civil Rights in Israel v. Israel Police,[19] which attacked the Communications Data Law, the application of the arrangement to misdemeanor-type offenses was found to the proportionate, in light of the judicial criticism of the granting of a communications data order for these purposes.[20] The arrangement permitting the receipt of communications data without a court order in urgent cases was also found to be proportionate, subject to the interpretation requiring the exercising of strict administrative discretion.[21]
Lastly, it is also important to note the privacy reform in the European Union. In May 2018, the General Data Protection Regulation (GDPR)[22] will come into effect. The data protection principles embodied in the GDPR include the principle of storage limitation,[23] which proposes that personal information will be retained in a manner permitting the identification of the object of the information for a period not exceeding that required for the goals for which it is processed. Europe has recognized Israel as having a proper level of protection of private information.[24] However, in light of the new threshold set by the GDPR, as well as European case law over recent years,[25] it is impossible to know whether, in the absence of the regulation of digital surveillance laws, including regarding the issue of the retention of and access to communications data, this decision (which has significant economic ramifications) will remain intact.
[1] Tom Watson MP v. Secretary of State for the Home Department, EWCA [2018] Civ 70.
[2] Davis and Others v. Secretary of State for the Home Department, EWHC [2015] 2092 (Admin.). For further discussion, see: Lornea M. Woods, “High Court Strikes down Data Retention Laws in Ruling on DRIPA,” 1 Eur. Data Prot. L. Rev. 336 (2015).
[3] Data Retention and Investigatory Powers Act 20, 14 c.27 (Eng).
[4] Ibid., in para. 122 of Justice Bean’s ruling.
[5] Secretary of State for the Home Department v. David Davis MP and Others, EWCA [2015] Civ.; for further discussion, see: Lornea M. Woods. “Court of Appeal Refers to CJEU on DRIPA,” 4 Eur. Data Prot. L. Rev. 307 (2015).
[6] Ibid., para. 118 of Justice Jones’ ruling.
[7] 7. CJEU, Joined Cases C-203/15 and C-698/15 (Tele2 Sverige AB and Secretary of State for the Home Department v Post- och telestyrelsen and Others), 21 Dec. 2016.
[8] Ibid., paras. 108-109.
[9] Ibid., para. 120.
[10] Investigatory Powers Act 2016, c.25 (Eng.).
[11] Watson, para. 27.
[12] Watson., para. 6(2).
[13] See CA 1994/06 (TA Dist.) Amir Liran v. Pelephone Communications et al., para. 9.
[14] Criminal Code Law (Enforcement Authorities – Communications Data), 5768-2007, SB 2122 5768 (21 Dec. 2007), p. 72 (hereinafter: “Communications Data Law.”)
[15] See the position of the Attorney General on 7 June 2009 in the framework of Liran.
[16] Art. 11 of the General Security Service Law, 5762-2002, SB 5762 (21 Feb. 2002), p. 179.
[17] Art. 3(A)(2) of the Communications Data Law.
[18] Art. 4 of the Communications Data Law.
[19] HCJ 3809/08 Association for Civil Rights in Israel v. Israel Police (published in Nevo, 28 May 2012).
[20] Ibid., paras. 18-19 of President Beinish’s ruling.
[21] Ibid., paras. 26-27 of President Beinish’s ruling.
[22] Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU) (hereinafter: “GDPR.”)
[23] GDPR, Art. 5(1)(e).
[24] 24. Article 29 Data Protection Working Party, Opinion 2009/6 on the level of protection of personal data in Israel (1 Dec. 2009).
[25] In addition to Tele2 Sverige AB, it is also worth mentioning: CJEU, Joined cases C-293/12 and C-594/12 (Digital Rights Ireland v Minister for Communications, Marine and Natural Resources, Seitlinger and Others), (18 Apr. 2014) [2014], as well as the court decision in CJEU, C-362/14 (Maximillian Schrems v Data Protection Commissioner), 6 Oct. 2015, which discusses the impact of mass surveillance on data transfer to private American companies. The decision may indicate the current mood in Europe concerning the level of privacy required for the transfer of information about European objects of information to third party countries.