BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £5, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
England and Wales Court of Appeal (Civil Division) Decisions |
||
You are here: BAILII >> Databases >> England and Wales Court of Appeal (Civil Division) Decisions >> Secretary of State for the Home Department v Watson MP & Ors [2018] EWCA Civ 70 (30 January 2018) URL: http://www.bailii.org/ew/cases/EWCA/Civ/2018/70.html Cite as: [2018] 2 WLR 1735, [2018] 2 CMLR 32, [2018] 4 All ER 105, [2018] EWCA Civ 70, [2018] HRLR 8, [2018] QB 912, [2018] WLR(D) 87 |
[New search] [Printable PDF version] [Buy ICLR report: [2018] 2 WLR 1735] [View ICLR summary: [2018] WLR(D) 87] [Buy ICLR report: [2018] QB 912] [Help]
ON APPEAL FROM THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION, DIVISIONAL COURT
LORD JUSTICE BEAN AND MR JUSTICE COLLINS
Cases No. CO/3655/2014; CO/3667/2014; CO/3794/2014
Strand, London, WC2A 2LL |
||
B e f o r e :
LORD JUSTICE PATTEN
and
LORD LLOYD JONES
____________________
SECRETARY OF STATE FOR THE HOME DEPARTMENT |
Appellant |
|
- and - |
||
(1) TOM WATSON MP (2) PETER BRICE (3) GEOFFREY LEWIS |
Respondents |
|
- and - |
||
(1) OPEN RIGHTS GROUP (2) PRIVACY INTERNATIONAL (3) THE LAW SOCIETY OF ENGLAND AND WALES |
Interveners |
____________________
Ben Jaffey QC and Iain Steele (instructed by Liberty) for the First Respondent
Richard Drabble QC, Ramby De Mello and Azeem Suterwalla (instructed by Bhatia Best Solicitors) for the Second and Third Respondents
Jessica Simor QC and Ravi Mehta (instructed by Deighton Pierce Glynn) for the First and Second Interveners
Hearing date: 8 December 2017
____________________
Crown Copyright ©
Lord Lloyd-Jones:
"1. Does the judgment of the Court of Justice in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger, ECLI:EU:C:2014:238 ("Digital Rights Ireland") (including, in particular, paras 60-62 thereof) lay down mandatory requirements of EU law applicable to a Member State's domestic regime governing access to data retained in accordance with national legislation, in order to comply with Article 7 and 8 of the EU Charter ("the EU Charter")?
2. Does the judgment of the Court of Justice in Digital Rights Ireland expand the scope of Articles 7 and/or 8 of the EU Charter beyond that of Article 8 of the European Convention on Human Rights ("ECHR") as established in the jurisprudence of the European Court of Human Rights ("ECtHR")?"
In our judgment of 20 November 2015 we stated (at [118]) that we considered that the answers to these questions of EU law were not clear and were necessary in order for us to give judgment in these proceedings.
"1. Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.
2. Article 15(1) of Directive 2002/58, as amended by Directive 2009/136 read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights must be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review of a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.
3. The second question referred by the Court of Appeal (England & Wales) (Civil Division) is inadmissible."
(1) Sections 1 and 2 of the Data Retention and Investigatory Powers Act 2014 ("DRIPA") were repealed on 30 December 2016.
(2) The legislation which has replaced the data retention arrangements under DRIPA, i.e. Part 4 of the Investigatory Powers Act 2016, is itself the subject of a judicial review claim brought by Liberty. This includes a challenge to the 2016 Act on grounds of non-compliance with the CJEU's judgment in the present case. Permission to apply for judicial review has been granted and a substantive hearing of the claim is due to be heard in the Administrative Court on 27 and 28 February 2018.
(3) In proceedings brought by Privacy International against the Secretary of State for Foreign and Commonwealth Affairs and others the Investigatory Powers Tribunal ("the IPT") on 8 September 2017 made a further reference to the CJEU seeking, inter alia, to clarify the extent to which, if at all, the requirements set out in the CJEU's judgment in the present case apply in a national security context. (Judgment of Investigatory Powers Tribunal UKIPTrib IPT_15_110_CH). The questions referred are as follows:-
"In circumstances where:
a. the SIAs' capabilities to use BCD supplied to them are essential to the protection of the national security of the United Kingdom, including in the fields of counter-terrorism, counter-espionage and counter-nuclear proliferation;
b. a fundamental feature of the SIAs' use of the BCD is to discover previously unknown threats to national security by means of non-targeted bulk techniques which are reliant upon the aggregation of the BCD in one place. Its principal utility lies in swift target identification and development, as well as providing a basis for action in the face of imminent threat;
c. the provider of an electronic communications network is not thereafter required to retain the BCD (beyond the period of their ordinary business requirements), which is retained by the State (the SIAs) alone;
d. the national court has found (subject to certain reserved issues) that the safeguards surrounding the use of BCD by the SIAs are consistent with the requirements of the ECHR; and
e. the national court has found that the imposition of the requirements specified in §§1l9-125 of the judgment of the Grand Chamber in joined cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Watson and Others (ECLI:EU:C:2016:970) ('the Watson Requirements'), if applicable, would frustrate the measures taken to safeguard national security by the SIAs, and thereby put the national security of the United Kingdom at risk;
1. Having regard to Article 4 TEU and Article 1(3) of Directive 2002/58/EC on privacy and electronic communications (the "e-Privacy Directive"), does a requirement in a direction by a Secretary of State to a provider of an electronic communications network that it must provide bulk communications data to the Security and Intelligence Agencies ('SIAs') of a Member State fall within the scope of Union law and of the e-Privacy Directive?
2. If the answer to Question (1) is 'yes', do any of the Watson Requirements, or any other requirements in addition to those imposed by the ECHR, apply to such a direction by a Secretary of State? And, if so, how and to what extent do those requirements apply, taking into account the essential necessity of the SIAs to use bulk acquisition and automated processing techniques to protect national security and the extent to which such capabilities, if otherwise compliant with the ECHR, may be critically impeded by the imposition of such requirements?"
(4) On 30 November 2017 the Secretary of State published a consultation document and proposed amendments to the Investigatory Powers Act 2016 which are intended to address the judgment of the CJEU in the present proceedings. The consultation and proposed amendments deal, inter alia, with the restriction, in the context of fighting crime, to "serious crime", the need for prior review by a court or an independent administrative authority for access to retained data, ex-post facto notification and the issue of retention of retained communications data within the EU.
(1) access to and use of retained communications data should be restricted to the objective of fighting serious crime; and
(2) access to retained data should be dependent on a prior review by a court or an independent administrative body.
I consider that this is correct.
"We have carefully considered the evidence before us, both from the Claimant and the Respondents, and we are persuaded that if the Watson requirements do apply to measures taken to safeguard national security, in particular the [Bulk Communications Data] regime, they would frustrate them and put the national security of the United Kingdom, and, it may be, other Member States, at risk. It is to be hoped that, whether by reconsideration, or clarification, of paragraph 119 of the Judgment, or otherwise, the Grand Chamber will take the opportunity to consider whether any further statement than that the safeguarding provisions of the ECHR should apply is required."
Retention in the EU
"In particular, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period …"
"However, the Claimant submits that it is not an absolute bar, because of the interpolation of paragraph 123 between paragraphs 122 and 125. That paragraph provides for there to be a review by an independent authority of compliance with the level of protection guaranteed by EU law, and Mr. De la Mare submitted that, by virtue of the reference to Article 8(3) of the Charter, this was to be seen as an independent authority supervising the transfer of data out of the European Union, thus making the bar not absolute."
I also note that it was common-ground among the parties before the IPT that there was uncertainty as to the scope of this obligation.
Notification Requirement
"Likewise, the competent national authorities to whom access to the retained data has been granted must notify the persons affected, under the applicable national procedures, as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities. That notification is, in fact, necessary to enable the persons affected to exercise, inter alia, their right to a legal remedy, expressly provided for in Article 15(2) of Directive 2002/58, read together with Article 22 of Directive 95/46, where their rights have been infringed …"
A declaration reflecting paragraph 1 of the dispositif
"As regards the setting of limits on such a measure with respect to the public and the situations which may potentially be affected, the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security. Such limits may be set by using a geographical criterion where the competent national authorities consider, on the basis of objective evidence, that there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences."
In paragraph 112 the CJEU then states its answer to the question referred by the Swedish court in identical terms to paragraph 1 of the dispositif.
(1) First, I am satisfied that this specific point has not been in issue in the present proceedings. In particular, it has not previously been argued in these proceedings that DRIPA was unlawful because it did not require there to be an identified public whose data was likely to reveal a direct or indirect link with serious criminal offences. There has been no evidence or argument on this point specific to DRIPA. The issue has been raised for the first time only following the decision of the CJEU in relation to the Swedish legislation. On the contrary, it has been the position of the Respondents that EU law permits a general retention regime provided it is accompanied by appropriate safeguards for access. During the course of argument before the Divisional Court, counsel for the First Respondent accepted that the CJEU in Digital Rights Ireland "cannot have meant that [communications service providers] can only lawfully be required to retain the communications data of "suspects or persons whose data would contribute to the prevention, detection or prosecution of serious criminal offences" as such a restriction would be wholly impracticable (Divisional Court Judgment at paragraph 70). Before this court the Respondents expressly adopted the conclusion of the Divisional Court that "the solution to the conundrum" is that "a general retention regime for communications data infringes ... the EU Charter unless it is accompanied by an access regime (laid down at national level) which provides adequate safeguards for those rights." (Divisional Court Judgment, at paragraph 89; First Respondent's Skeleton Argument, at paragraph 59; Second and Third Respondents' Skeleton Argument at paragraph 8).
(2) Secondly, the reasoning of the CJEU at paragraphs 106 – 112 is closely linked to the language and effect of the Swedish statute and, in particular, its requirement of blanket retention of all communications data by all communications service providers. I accept that the analysis and conclusions of the CJEU in this regard are not necessarily susceptible of automatic application to the different scheme of DRIPA.
(3) Thirdly, the effect of this section of the judgment of the CJEU is a live issue in the pending proceedings in which Liberty challenges Part 4, Investigatory Powers Act 2016, which is due to be heard in February 2018. I consider that it is appropriate for this issue to be addressed in those proceedings where the court will have the benefit of detailed evidence, and full pleadings and submissions.
Terms of Declaration
Section 1 of the Data Retention and Investigatory Powers Act 2014 was inconsistent with EU law to the extent that, for the purposes of the prevention, investigation, detection and prosecution of criminal offences, it permitted access to retained data:-
(a) where the object pursued by that access was not restricted solely to fighting serious crime; or
(b) where access was not subject to prior review by a court or an independent administrative authority.
Sir Geoffrey Vos, Chancellor of the High Court:
Lord Justice Patten: