Right to Privacy in the Digital Age Graham Smith Data Protection and Privacy Commissioners’ Conference Bird & Bird LLP 16 October 2014

Legitimate aim, necessity and proportionality are important… Page 2 © Bird & Bird LLP 2014 but don’t forget quality of law Human Rights Interferences

Page 3 © Bird & Bird LLP 2014 Article 8 ECHR – privacy protection No interference by a public authority except such as is: ●in accordance with the law and ●is necessary in a democratic society ●in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others ●Proportionality

"In many countries … vague and broadly conceived legal provisions are being invoked to legitimize and sanction the use of seriously intrusive techniques. Without explicit laws authorizing such technologies and techniques, and defining the scope of their use, individuals are not able to foresee – or even know about – their application.“ Special Rapporteur, 17 April 2013 Page 4 © Bird & Bird LLP 2014 Human Rights Interferences

“… the law must be sufficiently accessible, clear and precise so that an individual may look to the law and ascertain who is authorized to conduct data surveillance and under what circumstances.” Page 5 © Bird & Bird LLP 2014 High Commissioner’s Report June 2014 Human Rights Interferences

Secrecy and quality of law are natural enemies Page 6 © Bird & Bird LLP 2014 Accessibility

Secret law is not law Page 7 © Bird & Bird LLP 2014

Page 8 © Bird & Bird LLP 2014 ECHR “In accordance with the law” Existence and quality of law ●Existence: some basis in domestic law (statute or common law) ●Quality of law – compatible with rule of law Accessibility and foreseeability of consequences -Publication, detail and precision Protection against arbitrary interference, having regard to the legitimate aim of the measure For surveillance, a law which confers a discretion must indicate with sufficient clarity the scope of that discretion and the manner of its exercise -Contrary to rule of law for executive discretion to be expressed in terms of an unfettered power Laws, regulations, manuals and instructions (if sufficiently publicised) Liberty v UK Independent supervision

Human Rights Act 1998 Page 9 © Bird & Bird LLP 2014 A real issue Pre-1985 No statutory framework 1984 Malone v UK Phone taps warranted by SoS Not "in accordance with the law" IOCA 1985 Public telecommunications 1997 Halford v UK Unwarranted tap of office phone Not "in accordance with the law" RIPA 2000 Public and private networks Warranted and other interception Uncertified and certified warrants Outside and within UK Civil and criminal remedies Codes of Practice 2014 TEMPORA, PRISM "in accordance with the law?" 2007 Copland v UK Office , internet and phone use Not "in accordance with the law" 2008 Liberty v UK External warrants - filtering Not "in accordance with the law" 2010 Kennedy v UK Internal warrants scheme "in accordance with the law"

Legal Challenges Landscape

Page 11 © Bird & Bird LLP 2014 PRISM – sharing in accordance with law? Privacy International (UK Investigatory Powers Tribunal); Big Brother Watch (Strasbourg) ●No legal regime with Sufficiently clear and detailed rules Sufficient safeguards ●Secret and unpublished rules (if any) ●Insufficient indication of scope of discretion ●Oversight regime ●US FISA too broad/insufficient safeguards ●NL: Citizens v Plasterk (metadata v content, Art 8 applicability to sharing?)

Page 12 © Bird & Bird LLP 2014 TEMPORA – in accordance with law? Privacy International (UK Investigatory Powers Tribunal); Big Brother Watch (Strasbourg), Bureau of Investigative Journalism (Strasbourg) RIPA external warrants provisions ●Insufficiently specific or clear authorisation ●Insufficient public safeguards ●Lack of judicial or independent authority authorisation ●Oversight regime ●Automated versus sentient? ●Richer metadata? ●Secret legal interpretations? ●Professional/journalistic privilege ●DE: Harting - G10

Page 13 © Bird & Bird LLP 2014 TEMPORA – in accordance with law? Privacy International (UK Investigatory Powers Tribunal); Big Brother Watch (Strasbourg), Bureau of Investigative Journalism (Strasbourg) RIPA external warrants provisions ●Insufficiently specific or clear authorisation ●Insufficient public safeguards ●Lack of judicial or independent authority authorisation ●Oversight regime ●Automated versus sentient? ●Richer metadata? ●Secret legal interpretations? ●Professional/journalistic privilege ●DE: Harting - G10 “[UK gov’t] … accept that the interception under a s.8(4) warrant may be regarded as giving rise to a technical interference [with ECHR Art 8 rights] even if that communication is not and/or cannot be read, looked at or listened to by any person." “ … the mere existence of legislation which allows a system for the secret monitoring of communications entails a threat of surveillance for all those to whom the legislation may be applied. This threat necessarily … amounts in itself to an interference with the exercise of the applicants’ rights under Article 8, irrespective of any measures actually taken against them” (Weber [78]).

But it’s not just Snowden

Page 15 © Bird & Bird LLP 2014 Mandatory comms data retention Member State responses to Digital Rights Ireland ●Many never implemented in the first place, or were invalidated by national constitutional courts e.g. Germany Post CJEU ●Slovakia: Constitutional Court temporary invalidity declaration on retention aspects ●Romania: Constitutional Court declared unconstitutional ●Sweden: 4 operators ceased retention; regulator initially decided not to pursue; changed following government committee; challenge by CSP ●UK: substantially enacted by Data Retention and Investigatory Powers Act Threatened legal challenge by two Members of Parliament Professional/journalistic privilege > change in law?

… and watch out for the essence of the right Page 16 © Bird & Bird LLP 2014

“… any limitation to the right to privacy must not render the essence of the right meaningless” Page 17 © Bird & Bird LLP 2014 High Commissioner’s Report June 2014

Page 18 © Bird & Bird LLP 2014 EU Charter of Rights v ECHR Article 52 CharterArticle 8 ECHR Limitations permissible ifInterference permissible if 1.Provided for by lawIn accordance with the law 2. Respect the essence of the right and freedom 3.NecessaryNecessary in a democratic society 4. And genuinely meet recognised general interest objectives in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, Or the need to protect rights and freedoms of others or for the protection of the rights and freedoms of others. 5.ProportionateProportionate (caselaw)

Page 19 © Bird & Bird LLP 2014 Digital Rights Ireland (CJEU) EU Data Retention Directive - mandatory retention of communications data by service providers Essence of right adversely affected? No. “does not permit acquisition of knowledge of the content of the electronic communications as such”

Graham Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address. twobirds.com Thank you