URL: http://www.bailii.org/uk/other/journals/WebJCLI/2002/issue1/kb-rm1.html
Cite as: Best and McCusker, 'The Scrutiny of the Electronic Communications of Businesses'



 [2002] 1 Web JCLI 

The Scrutiny of the Electronic Communications of Businesses: Striking the Balance Between the Power to Intercept and the Right to Privacy?

Kirstie Best,

LLB Lecturer in Law, and

Rob McCusker,

BA MA Senior Lecturer in Law
School of Law, University College Northampton

 

© Copyright 2002 Kirstie Best and Rob McCusker
First Published in Web Journal of Current Legal Issues.



Summary


The Regulation of Investigatory Powers Act 2000 creates wide-ranging powers of interception for public authorities and businesses. The nature, scope and purpose of these powers are similar, despite the different nature of the bodies exercising them. Public authorities are allowed a broad discretion to intercept the communications of businesses (and others) in order to protect national security and other important interests of the United Kingdom. Businesses have been granted a discretion to intercept that is primarily exercisable in the protection of their own business interests, but can also operate for the protection of wider societal interests. The Act makes reference to human rights principles but, it is argued, the inclusion of these principles within the interception powers does not ensure that sufficient consideration is given to the right to privacy.


Contents

Introduction
The Justification for Interception by Government
The Right to Privacy
Regulation of Investigatory Powers Act 2000: General Power to Intercept
The Interception Powers of Public Authorities
Disclosure of Decryption Keys to Public Authorities
Practical Difficulties Resulting from the 2000 Act
The Justification for Interception by Employers
The Privacy Rights of Employees
The Horizontal Effect of the Human Rights Act 1998
The Interception Powers of Employers
Continuing Conflicting Interests
Conclusion

Bibliography



Introduction


The use, or propensity for the use, of electronic communications for a wide range of criminal activities has always made it extremely unlikely that governments would be able or willing to leave such communications unobserved and unregulated. The US National Security Council’s Director for Information Protection, Jeffrey Hunker, has argued that although companies may once have dealt with security breaches unilaterally, this approach is “...totally inappropriate when we’re dealing with a world where what you’re experiencing might be one facet of a much larger intelligence or terrorist or national security threat.” (Beiser 1999) In his introduction to the National Infrastructure Security Co-ordination Centre Jack Straw (the then Home Secretary) noted that “[t]he growth of global networked IT systems offers unprecedented benefits for business. But it also creates new vulnerabilities. The number and sophistication of electronic attacks will continue to increase and Government has a responsibility to ensure that protection, proportionate to the threat, is in place for systems critical to national well-being and economic prosperity.” (<www.open.gov.uk/homeoffice> January 2001). Furthermore, the US Attorney-General Janet Reno has stated that the public and private sectors have to co-operate if cyber-crime is to be tackled effectively. She argued that “...we all have a common goal – to keep the nation’s computer network secure, safe and reliable.” (<www.bbc.co.uk/news> April 2000) These concerns have, in the United Kingdom, found legislative force through the Regulation of Investigatory Powers Act 2000. This allows public authorities to monitor the electronic communications of individuals and organisations, and allows employers (in the public and private sectors) to monitor usage by employees.
This article analyses the justification for, and scope of, these powers and examines whether an appropriate balance has been struck between genuine security concerns and the right to privacy.



The Justification for Interception by Government


Businesses, as well as governments, seemingly recognise the importance of secure systems, mainly because consumer confidence is a pre-requisite for the continued expansion of e-commerce. Businesses also recognise that such security can only be attained through the use of encryption.(1) Thus, the British Chambers of Commerce has observed that cryptography “..provides the basis for data protection and privacy and is also the key mechanism for identifying the parties to transactions, for authenticating data and for providing the digital signatures that are widely seen as an essential basis for electronic transactions.” (<www.britishchambers.org.uk/newsandpolicy.ict/ripbillsummary> p.12) However, in their keenness to exploit the web commercially, companies have mostly forgotten the vulnerability to fraud of themselves and their customers. To have devised adequate protection within websites for businesses would have led to lengthy delays during which other, less scrupulous, competitors might have obtained a market advantage (Ging 2000). Businesses’ primary motivation is therefore the creation of profit, and the delay caused by implementing protection for consumers simply reduces that profit margin. As Taitt(2) notes, “[t]he bottom line is there isn’t any incentive for these companies to provide security.” (Ging 2000)

The company that suffers a security breach is in a somewhat invidious position. To reveal that the breach has occurred enables the effects of that breach to become mitigated because, for example, consumers and credit card providers can be notified and the requisite action taken. However, revealing that a security breach has indeed occurred undermines public confidence in the company in particular and in e-commerce in general. The likelihood of security breaches becoming known in the public domain or business community, therefore, will be slight. A study by the Computer Security Institute and the FBI, which surveyed 643 computer-security professionals in large corporations, revealed that 70 percent of them had detected unauthorised use of their computer systems in the previous year. Only 273 of the 643 respondents were prepared to quantify the amount of money lost. However, the losses revealed by those 273 alone amounted to $266 million for the year (www.library.northernlight.com May 2000). Businesses, Stewart maintains, “..have an interest in minimizing their security weaknesses, and that makes for an ambivalent relationship with the security panic. It may bring unwanted government intervention and customer concern, so businesses are inclined to play down the threat.” (Stewart 2000)

Governments are aware of this protective reaction and this, in part, is what drives their desire to be able to monitor e-mail and Internet traffic. For example, the US Congress introduced the Cyberspace Electronic Security Act 1999. This provides, inter alia, law enforcement agencies with the right to gain access to, and then decrypt, encrypted information into plaintext (i.e. readable text) for the purposes of pursuing an investigation. Acting Attorney-General Jon Jennings argued that “..the same encryption products that help facilitate confidential communications between law-abiding citizens also pose a significant and undeniable public safety risk when used to facilitate and mask illegal and criminal activity.” (<www.bbc.co.uk/news> 20 August 1999) Similarly, the White House noted that the Act “..would protect the growing use of encryption for the legitimate protection of privacy and confidentiality by businesses and individuals, while helping law enforcement agencies obtain evidence to investigate and prosecute criminals despite their use of encryption to hide criminal activity.” (www.cdt.org/crypto/CESA) In the United Kingdom, the desire to combat serious crime and terrorism underpinned the government’s introduction of the Regulation of Investigatory Powers Act 2000 (Press Notice, <www.homeoffice.gov.uk/ripa/pnrip.htm> February 2000). This Act establishes a comprehensive statutory framework for regulating surveillance by both public authorities and private bodies. In particular, it regulates the interception, acquisition and disclosure of communications and traffic data, and the investigation of electronic data protected by encryption. This repeals earlier, more limited, legislation such as the Interception of Communications Act 1985, and is an attempt to ensure that the law is now in line with technological developments.(3)



The Right to Privacy


While there appear to be reasonable justifications for the interception of communications by public authorities, such actions do constitute a prima facie interference with the right to respect for private and family life, home and correspondence (as protected by Article 8(1) of the European Convention on Human Rights). Even where interference occurs in the context of the workplace it may breach this right.(4) The rationale for this is that the opportunity to form relationships is an essential component of one’s private life, and for many people the workplace is the main forum for doing so. Further, it may be difficult to distinguish an individual’s personal and professional activities, and their personal residence from their professional premises. Therefore, a broad interpretation of ‘private life’ is to be favoured, although the European Court of Human Rights has suggested that a restriction to Article 8(1) might be more easily justified where the context is professional rather than wholly personal. Finally, the aim of Article 8(1) is to protect individuals against arbitrary interference by public authorities, and such interference is objectionable regardless of the context (Niemietz, paras.29-31).

Article 8(2) does allow privacy to be limited ‘in accordance with the law’, which means that interception must be regulated by clear, precise and accessible legal rules (Sunday Times v United Kingdom (1979) 2 EHRR 245). In the absence of such rules there is likely to be found a breach of Article 8(1). A breach is also likely if there is a failure to explicitly warn of the possibility of interception. A lack of warning can create a reasonable expectation of privacy that may be reinforced where an employee works in seclusion (i.e. in their own office) and where some private use of telecommunications systems is permitted.(5) The interference must also be proportionate, in response to a pressing social need, and for one of the legitimate aims established by the Convention such as national security or the prevention of crime (Silver v United Kingdom (1983) 5 EHRR 347). Since the Convention applies to natural and legal persons (Sunday Times v United Kingdom) both individuals and businesses can claim that interception of their business communications by a public authority amounts to a breach of Article 8(1).



Regulation of Investigatory Powers Act 2000: General Power to Intercept


Part I (Chapter I) of the 2000 Act makes it unlawful to intercept, without lawful authority, telecommunications in the course of transmission. Section 1 has the effect of restricting the interception of, inter alia, e-mail, Internet access, fax, telephone calls (including mobile telephones), answer-phone messages, pagers, and video conferencing links. Liability is different depending on the circumstances of the interception. Section 1(1) and (2) establishes that the intentional interception of communications (whether transmitted by public or private telecommunications systems) will be a criminal offence if it occurs without lawful authority.(6) Section 1(3) creates a statutory tort (actionable by the sender or recipient) of unlawful interception on a private telecommunications system where the person with lawful control of that private system consents to (or carries out) the interception, but there is no lawful authority within the meaning of the Act.

What amounts to lawful authority under section 1 will depend on whether the interception is of a public or a private telecommunications system and who is seeking to intercept. A public authority (such as the police) can intercept communications on a public or private system under sections 3, 4 (both without warrant) or 5 (with warrant). A private body (such as a non-public sector employer) can only intercept communications transmitted via its own private system under section 3 or 4 (both without warrant). While private bodies do not have the same legal powers to intercept as public authorities, the 2000 Act provides the former with overt legal authority to restrict privacy, whereas previously their power lay solely in the absence of legal rules preventing such interceptions. As a corollary, the subject of this interception (such as a private sector employee) is also better protected from unjustified interceptions than previously. Similar arguments also apply to the more comprehensive powers now available to public authorities. However, the 2000 Act is not a panacea and the powers granted to public authorities and private bodies may be criticised for failing to give sufficient weight to the human rights of those whose communications are intercepted.



The Interception Powers of Public Authorities


In relation to the interception powers granted only to public authorities, section 5 provides a significant power to intercept any telecommunications. The Secretary of State may issue a warrant authorising the interception of communications on any telecommunications system (public or private). Such a warrant can only be issued to persons specified in section 6, such as the Director-General of the Security Service or the chief constable of a police force. The list is therefore strictly limited to persons exercising a public function. Section 5(2) and (3) states that a warrant should not be issued unless the Secretary of State believes it to be necessary and proportionate on the grounds of national security, the prevention and detection of serious crime, for the safeguarding of the economic well-being of the United Kingdom, or in relation to an international mutual assistance agreement. The Secretary of State must consider whether the information could be reasonably obtained by means other than a warrant (section 5(4)), although this suggests that a warrant can still be issued even if the information could be reasonably obtained etc.

This is very similar to the Secretary of State’s original power to authorise interception under warrant (section 2 of the 1985 Act), and the 2000 Act does little to address criticisms levelled at the 1985 Act. While the 1985 Act was found to comply with the Convention (Christie v United Kingdom App.No.21482/93), it is still objectionable that the Secretary of State issues warrants since this is suggestive of a lack of independence and a conflict of loyalties. In Klass the European Court of Human Rights stated that powers of surveillance required independent, effective and continuous control, and that a judge is the best guarantor of an impartial and proper application of procedures. However, the Court acknowledged that while judicial control is desirable, ministerial control is sufficient particularly where national security is in issue (paras.55-6).

Although the inclusion of proportionality within section 5 is positive, the Secretary of State is left with a wide and subjective discretion as to whether or not the warrant is necessary. Further, the grounds on which the warrant may be issued are broad and lacking in precise meaning. This would seem to conflict with the well-established principle that, particularly with secret surveillance powers, the law should be clear and detailed so that the circumstances and conditions governing the use of such powers are adequately indicated. Only in this way can the rule of law be upheld, and arbitrary interference prevented (Kopp, paras.63-4, 71-2; Amann v. Switzerland App.No.27798/95, paras.54-7).

Part I (Chapter II) of the 2000 Act allows public authorities to acquire and disclose communications data obtained from public and private telecommunications systems. Section 21 establishes that this does not refer to the contents of a communication but to data relating to the identity of the person, the apparatus, or location from which the communication is sent or received. Thus, the telephone number, e-mail address and headers, and the location of mobile telephones can all be discovered (Cape 2001, p.21). Sections 22 and 23 establish that public authorities (as designated by the Secretary of State) can require a telecom operator (of a public or private system) to obtain and disclose data if this is necessary and proportionate, and for a ground such as national security (or for any other purpose specified by the Secretary of State). Authorisation for the exercise of this power comes from the public authority itself.

This type of information gathering was covered by section 1 of the Interception of Communications Act 1985, but this was not clear from its wording and its scope required clarification from the House of Lords.(7) A warrant was required, but only in relation to public telecommunications systems. Businesses are therefore now better protected than previously in that the terms of Chapter II are less ambiguous than the 1985 Act. Equally though, a business is now clearly legally obliged to disclose this information and will be liable for a failure to do so. As with section 5, this power can be criticised since the authorisation is on broad and imprecise grounds and the procedure lacks the appearance of impartiality since public authorities authorise their own exercise of the powers under Part I (Chapter II).



Disclosure of Decryption Keys to Public Authorities


Under Part III of the 2000 Act the disclosure of encrypted electronic data (or the key for decryption) can be ordered by a public authority where that data has come into their possession by lawful means, and there are reasonable grounds to believe that it would be necessary and proportionate for national security, for the purpose of preventing or detecting crime, or in the interests of the economic well-being of the United Kingdom (or that it is necessary for the effective exercise of a statutory power or duty). An order can only be made if it is not reasonably practicable to obtain the information in any other way (section 49). It is an offence to fail to comply with a disclosure notice (section 53). Section 55 imposes a duty on authorities who have come into possession of a key to ensure that the key is only used to obtain specified information, and that it is used reasonably and proportionately to the minimum extent necessary. A failure to adhere to these requirements can give rise to a civil claim. This power did not exist under the 1985 Act so, while businesses are now protected against some disclosure requests by the criteria laid down in Part III, they are also now under a clear statutory duty to disclose where the Part III criteria are met.

Nevertheless, the Act does make reference to important human rights norms such as proportionality, and the requirement of reasonableness underpins the Part III power. The explicit reference to Convention principles can be taken as demonstrating Parliament’s clear intention that these intrusive powers must be exercised in accordance with Convention jurisprudence (this is of course supported by the Human Rights Act 1998, discussed below). Further, a section 49 notice should normally be issued by a circuit judge, except where the encrypted data has been obtained through an authorised interception, lawful search of property, or some other warrant or authorisation (Schedule 2). This goes some way to addressing concerns about the independence of the authorising procedure.



Practical Difficulties Resulting from the 2000 Act


Encryption is deemed to be an inevitable facet of the successful expansion of e-commerce. The fact that criminals may utilise encryption in their own communications raises a concomitant need for law enforcement agencies to be able to intercept and decipher coded e-traffic. As Freeh (then FBI Director) noted as far back as 1997, “[u]nbreakable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity.” (Andrews 2000, p.4) The Chief Investigations Officer for HM Customs and Excise also noted that “..60 percent of our drug seizures are related to the interceptions of communications” and that the ability, therefore, to be able to intercept e-traffic quickly and clearly was essential (Andrews 2000, p.4). The British and American governments have therefore sought to justify their respective pieces of legislation by the fact that the very possibility of the utilisation of encryption by criminal groups requires that governments have a concomitant right to access the plaintext of those otherwise hidden communications.

However, the British Chambers of Commerce (BCC) has argued that the 2000 Act is “..likely to create a legal environment which will inhibit investment, impede the evolution of e-commerce, impose direct and indirect costs on business and the consumer, diminish overall trust in e-commerce, disrupt business-to-business relationships, place UK companies at a competitive disadvantage, and create a range of legal uncertainties which will place a growing number of businesses in a precarious position.” (<www.britishchambers.org.uk/newsandpolicy.ict/ripbillsummary> p.1) The BCC’s chief concern lies in the provisions concerning cryptography, which it maintains “...is now universally seen as a critical technology on which e-commerce will depend.” (at p.12) Cryptographic technology, however, is only as good as the security under which the keys that unlock the coded language are kept. While the 2000 Act provides (section 49(2)) that a notice requiring disclosure by the key holder of encrypted information may be given on reasonable grounds, it also provides that, where there appears to be more than one person in possession of the key, notice will not be given (section 49(5) and (6)). Further, in “special circumstances” those subsections will not apply (section 49(7)); what those circumstances are, or could be, is not disclosed. The BCC argues that this lack of clarification places businesses in a difficult strategic position. It notes that “[w]here a security risk can be quantified, a business decision can be made on whether the level of risk is tolerable or whether steps need to be taken to counter it. But when such a risk is of unknown extent, security decisions have to err on the side of caution by planning on the assumption that it is a much larger risk than it may turn out to be.” (at p.12)

The propensity for small fledgling e-businesses to rely on third party operators is deemed by the BCC to be a crucial issue in the future development of e-commerce. For the e-businesses and their consumers alike, the presence or perception of secure web-sites will be essential. As the BCC note, “..a hosting company will not only have to manage its own keys but also the keys of many of its clients. This is an enormous security challenge in its own right but the addition of a requirement that all such keys might have to be supplied to UK government authorities could easily turn a difficult job into an impossible one.” (at p.13) The BCC proceeds to argue that for e-commerce to grow there has to be a high degree of mutual trust between business, the consumer and government. It is trust, the BCC argues, which “...is predicated to a large extent on a demonstrated commitment to privacy and confidentiality.” (at p.21) Consequently, the BCC argues, the release of encrypted information to outside parties, whether in plaintext or coded with decryption keys, will “...immediately erode the trust relationship between the commercial organisation and intermediaries, agents, third parties, clients and customers.” (at p.21)

To conclude, in the context of interception by public authorities, the 2000 Act seems to be adequately drafted in terms of allowing public authorities sufficient powers of interception and disclosure. However, this is at the expense of both privacy and commercial interests, and while privacy may be a less important factor to consider when interception is of business communications, the adverse commercial repercussions of these powers require that they be more limited. Thus, businesses may feel aggrieved that public authorities can access sensitive information on grounds that lack precision and, mainly, on the authorisation of the Secretary of State or a public authority that may be seen as having a vested interest in the interception. A better balance could be achieved between the perceived need to intercept, the right to privacy and commercial interests if judicial authorisation was always required, and if this could only be granted following a detailed examination of the justification for the particular interception. This would give the process the appearance of impartiality (which it currently lacks), even if the grounds for a particular interception could not be explained in detail to the subject of the interception due to security and other investigatory considerations.



The Justification for Interception by Employers


The 2000 Act also provides employers with a legal right to intercept the communications of their employees. This has highlighted a degree of hypocrisy within the business community. During the passage of the 2000 Act, businesses, supported by the Confederation of British Industry, argued that to allow public authorities to examine their clients’ accounts, websites and e-mail would compromise the security of their operations and have a concomitant impact upon an already suspicious and cautious consumer base. Conversely, those same companies are adamant that they should be granted unlimited access to the telecommunications of their employees to safeguard, as they see it, the interests both of their businesses and consumers.

Such interference seemingly creates a conflict between the business interests of the employer and the privacy interests of employees. However, where the interception is of the employer’s own private telecommunications system and the employer undertakes it in order to ensure that the system is not being misused by employees, it may be argued that individual privacy is not in issue and should not be protected. After all, it is perfectly legitimate for an employer to expect employees to be working in the interests of the business rather than putting its telecommunications system to personal use. Such use may waste work time and resources, and could also be for damaging purposes (such as obtaining and circulating pornographic material, spreading computer viruses, or industrial espionage).

This view was implicit within the Interception of Communications Act 1985 since it left the regulation of private telecommunications systems to the discretion of the organisation controlling the system. It also finds support in the sole dissenting opinion from the European Commission of Human Rights in Halford. In dissent Mr H.G. Schermers argued (at p.541) that where an organisation interferes with communications transmitted via its own system (a system which it therefore controls and pays for), there is not an interference with private life.(8) Hence, the commercial interests of the employer, as protected by the interception, will automatically prevail over any interests of the employee.




The Privacy Rights of Employees


However, the European Court in Halford found that employees do have a legitimate expectation of privacy in the workplace, and this expectation can only be forfeited if the employer intercepts communications with the consent and knowledge of employees and does so within a legal framework of regulation. Applying the decision in Niemietz, a legitimate restriction to an employee’s privacy may be more easily justified, though, because of the professional, rather than wholly personal, context in which it occurs.

While the Court in Halford was dealing with an interception by a public sector employer, its reasoning must be applied also to the private sector since the Convention places both negative and positive obligations upon signatory states. The negative obligation is that a state should not interfere with rights unless this is in accordance with the law and necessary in a democratic society. Thus, public authorities can only legitimately intercept the communications of individuals and businesses where there is clear legal authority to do so,(9) for the protection of a legitimate aim, and in a manner that is a proportionate response to a pressing social need. The state also has a positive obligation to protect rights from interference by others (Marckx v Belgium (1979) 2 EHRR 330). In X and Y v Netherlands ((1985) 8 EHRR 235, para.23) the Court stated this could require the implementation of measures protecting private life against the actions of other private individuals and organisations.(10)

In the context of the United Kingdom, the negative obligation meant that legislative reform of the interception of communications by public authorities was required, since the Halford situation was not covered by the 1985 Act (and did not meet the requirements of necessity etc). The positive obligation required that the legislative reforms had to go beyond simply dealing with the lacuna demonstrated by Halford. The law also had to protect communications from interference by other bodies not covered by the 1985 Act, such as private sector employers. A continuing failure to do so would have rendered the government vulnerable to challenge for a breach of its positive obligation to protect privacy.



The Horizontal Effect of the Human Rights Act 1998


The protection of human rights in the private, as well as the public, sector is also supported by the Human Rights Act 1998 through its incorporation of the Convention into domestic law. The 1998 Act has a direct effect on public authorities and an indirect effect on private bodies. Public authorities are directly (vertically) bound since section 6(1) of the 1998 Act states that it is unlawful for a public authority to act incompatibly with Convention rights.(11) The 1998 Act also has a horizontal effect whereby Convention rights are indirectly enforceable against private bodies. This is achieved through sections 3 and 6 of the Act. Section 3(1) requires that the domestic courts interpret existing and future legislation (so far as it is possible to do so) in a way compatible with Convention rights (incompatible legislation remains valid). Section 3 is not worded to limit its effect only to legislation concerning public authorities, so it can apply to wholly private disputes.

Private bodies can also be indirectly bound by the 1998 Act since section 6(3)(a) defines a ‘public authority’ as including courts and tribunals. Therefore, in an action against a private body (for example, an employee suing for unfair dismissal) a human rights claim can be attached. The main cause of action is not the rights issue since these cannot be directly enforced against the private body (since section 6 only requires public authorities to act compatibly). Nevertheless, the court or tribunal is obliged to consider the human rights issue and must resolve it, through the application and interpretation of common law, equity or legislation, in a manner compatible with the Convention.(12)

The positive obligation imposed on states by the European Convention on Human Rights also lends weight to the argument that section 6 should have horizontal effect. Firstly, because the courts are part of the state they are subject to the Convention obligations, and these feed through into domestic law via section 6 and are imposed on the courts as public authorities (Davies 2000, p.839; Lester and Pannick 2000, p.381; Hunt 1998, pp.435-6). Secondly, section 2 of the 1998 Act requires that the courts must take Convention jurisprudence into account when interpreting Convention rights. Thus, the positive obligation will also come to form a part of domestic jurisprudence through this route (Bamforth 1999, pp.166-8).

The end result is that just as an individual or business can now claim privacy rights against public authorities in both international and domestic law, a private body (such as a business) may also find itself vulnerable to privacy claims from other private bodies (such as employees). However, just as the public authority may be able to show a legal justification for its interference with rights, equally a business may also be able to justify its interference. In particular, as a ‘legal person’ a business could monitor the communications of its employees in order to protect its own right to peaceful enjoyment of possessions (Article 1, First Protocol) against threats to its trade secrets or reputation (Bingley 2000, p.5). The restriction to an employee’s privacy could then be justified as falling within Article 8(2) ‘for the protection of the rights and freedoms of others.’



The Interception Powers of Employers


Given that human rights norms extend to the workplace and govern relationships between employer and employee, it would be expected that the interception powers of employers would be explicitly granted subject to these norms. However, the powers created by the 2000 Act are notable for their lack of sufficient reference to these standards.

Sections 3 and 4 of the 2000 Act provide businesses with powers to intercept the telecommunications of their employees (and to an extent, those involving other businesses). Section 3(1) establishes that interception will be lawful where the interceptor has reasonable grounds for believing both the sender and the intended recipient have consented. This allows businesses to intercept communications between employees, including where their employee is communicating with another business (and enables public authorities to intercept communications between businesses). The difficulty here is what amounts to ‘reasonable grounds’ and ‘consent’. This could be shown by requiring explicit verbal or written consent from all those likely to be affected. This would be easy to obtain from employees, since it could be included as a clause within the contract of employment (although such consent may be given unwillingly or unwittingly). There are practical difficulties with obtaining consent from non-employees; a rider could be attached to e-mail messages, but this would only be read after the recipient had already opened and read the main message. Further, it would seem rather cumbersome to have to preface telephone calls with a consent clause (although this would be easy to attach to answer phones or voice mail). These difficulties may be overcome through the passage of time, whereby the expectation of all employees (and businesses) is that their telecommunications will be monitored and their consent is implicit from their continuing employment (or continuing to do business with a particular company). However, such routine and potentially blanket monitoring by businesses would be disproportionate given the difficulties of obtaining genuine consent and given the additional powers available under section 4 (discussed below). 
Where the interception is by a public authority, explicit consent should be obtained for every interception to ensure that the interference is indeed necessary and proportionate.

Section 3(3) authorises interception by providers of telecommunications services if this is for purposes relating to the provision or operation of the service, or the enforcement of any enactment relating to the use of that service. Where the interception is by the provider of a public service, this power is unproblematic since it seems to be concerned with the general good running of the service. In relation to private telecommunications systems, the rationale is unclear, since it seems to replicate the powers to intercept under section 4(2) and the Lawful Business Practice Regulations (discussed below).

Section 4 lays down various powers to intercept, most of which will be applicable only to public telecommunications service providers (such as where the interception relates to someone outside of the United Kingdom). However, section 4(2) allows the Secretary of State to make regulations authorising ‘legitimate practices’ in relation to the interception of telecommunications by businesses (private and public sector). The communications must relate to business transactions, or take place in the course of business. Only services or apparatus specifically for use in relation to that business can be intercepted. Section 4(3) expressly limits this power to the person providing or using a telecommunications service for business purposes.

The resulting Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (Statutory Instrument No.2699) allow the monitoring and recording of communications without the consent of sender or recipient, provided that this is carried out by, or with the consent of, the system controller. They appear to also allow businesses (whether public or private) to monitor traffic data (certainly this is the view of the Data Protection Commissioner). The Regulations only authorise the interception of communications relating to the system controller’s business, where the system is provided for business use and where the business has taken reasonable efforts to inform potential users of the system that communications might be intercepted. This provides businesses with a significant power to intercept the telecommunications of their employees on several grounds: to establish the existence of facts relevant to business; to ascertain compliance with regulatory or self-regulatory procedures relevant to the business; to ascertain or demonstrate standards that ought to be achieved by those using the telecommunications systems; in the interests of national security or to prevent or detect crime; to investigate or detect the unauthorised use of any telecommunications system; and to ensure the effective operation of the system. Incoming communications can be monitored (not recorded) without consent to check on whether communications are relevant to business.

The Regulations fail to achieve a suitable balance between the business needs of employers and the privacy rights of employees, even given that such rights may be legitimately diluted in the context of the workplace. There is a lack of clarity in the grounds for interception, thus providing a broad discretion to employers and meaning that different businesses are likely to apply different standards to their employees. There is no mechanism provided for weighing the necessity, or the proportionality of the interception. The Regulations also fail to provide a clear rationale for monitoring; there is no indication as to whether it is intended only for serious abuses or whether trivial behaviour will also be covered.

This wide discretion may be fettered by the Draft Code of Practice issued by the Data Protection Commissioner under the Data Protection Act 1998 (www.britishlibrary.net/govt.html/). The relationship between the Regulations and the Draft Code is unclear, but the Commissioner has stated that they are not contradictory and that the latter adds detail to the legal framework provided by the former (Goodwin 2000, p.12). The Code states that monitoring should be for a specific business purpose (properly targeted at an identified risk) and that its impact on rights should be monitored. It should be lawful, open, clear and fair. An employee’s privacy and autonomy should not be unnecessarily intruded upon through the widespread use of monitoring or the revelation of personal details thus acquired. The intrusion should also be proportionate to the benefits of monitoring to the reasonable employer. The least intrusive methods should always be favoured. For example, traffic data rather than content should be monitored; the time spent on the Internet should be recorded rather than specific sites visited (Draft Code, pp.26-33).

The legal status of the Code is unclear, but it would be prudent for businesses to adhere to the principles it expounds since private and public bodies are bound by human rights norms. To apply the Regulations without reference to the Code would leave businesses vulnerable to legal challenge. The remedy for those affected could be either criminal or civil, as outlined in section 1 of the 2000 Act. Thus, an employee can obtain redress in this way, or possibly through arguing that monitoring is a breach of the implied term of trust and confidence between employer and employee. However, it is preferable for employers to adhere to the legal and non-legal standards required of them since many employees would probably be unwilling or unable to pursue legal action for a breach. Alternatively, it could be argued that until the status of the Code is clarified businesses have been given carte blanche to monitor and intercept staff e-mail, without necessarily having due regard for the letter of the law within the Regulations.

To conclude, in relation to the interception powers of employers, the 2000 Act and the resulting Regulations have failed to achieve a balance between the needs of employers and the rights of employees. The Draft Code goes some way to redressing this imbalance, but the uncertainties regarding its legal status undermine its ability to ameliorate the effects of the Regulations. It would be preferable for the Act and the Regulations to be amended so that the interception powers can only be exercised with explicit reference to human rights norms. Thus, the requirements of the Draft Code should be implemented, and in addition, interception should only occur where genuine consent has been sought (even if not ultimately given) and where there is a clearly made out justification for that interception which would stand up to independent scrutiny. Such measures are particularly important since it would not be reasonable or practicable for an employer to seek prior independent authorisation for business-related interceptions.


Continuing Conflicting Interests


The Privacy Foundation has noted, as a portent perhaps of the UK situation, that roughly one in three of the USA’s 40 million employee population who use e-mail or the Internet at work (and 100 million workers or 27 percent world-wide) are monitored (www.zdnet.co.uk July 2001). More worrying perhaps is that a survey carried out by KLegal (part of KPMG) has already discovered that 20 percent of employers were breaking the Regulations by monitoring their staff’s e-mail without informing them that such monitoring was taking place (McAuliffe 2001).

One of the driving forces behind the corporate desire to intercept communications arguably lies with the recent influx of potent and costly e-mail-borne viruses such as the ‘Love Bug’ and ‘Anna Kournikova’. The security of e-mail is indeed becoming an increasingly serious issue given that it is both a preferred mode of global communication and a common and simple vehicle for the introduction and dissemination of viruses and trojans. It is the convenience and user-friendly nature of e-mails that lies at the heart of the problem. It appears that many corporations’ security warnings regarding, for example, the opening of attachments, go unheeded by employees and thus provide a vehicle by which viruses can infiltrate and disrupt corporations. The US National Infrastructure Protection Center [sic] revealed in December 2000 that it had traced several virus attacks likely to coincide with Christmas. Hackers apparently exploit the feelings of Christmas spirit amongst employees by circulating festive e-mail attachments which enthused employees treat in a less-guarded manner than might otherwise be the case (Lee, p.5). Ironically, the threat feared by businesses most, that of e-mail corrupted with viruses, is likely to arrive via personal rather than work-related e-mail, but the Regulations prohibit such e-mails being intercepted.(13) The overwhelming majority of security breaches are caused by a company’s own staff, either through deliberate intent or unwitting carelessness on their part. As Goodwin argues, “[d]isgruntled former employees, people who are careless with their passwords, and dishonest staff with a little IT knowledge, can be far more devastating to a business than an external attack.” (Goodwin 2000a, p.16)

However, organisations typically spend 80 percent of their security budget protecting themselves against external threats, and only 20 percent on implementing internal security despite the fact that 80 percent of security breaches come from within companies (IT Week 19 February 2001, p.36). Further, the Department of Trade and Industry in the UK has reported that only 14 percent of UK companies had an information security policy (IT Week 26 March 2001, p.51). Therefore, while businesses could argue that the Regulations do not allow for effective monitoring of personal communications, businesses themselves also need to rethink their policy regarding where the security threat comes from and how it may be ameliorated. However, it is highly unlikely that a company would be able to prevent all employees from using e-mail for non-business purposes (Rogers 2000, p.6). Such a policy would also raise difficult issues regarding the legitimate use of telecommunications by employees, and the extent of their right to privacy when they do so.



Conclusion


There are legitimate reasons that justify the interception of some communications by public authorities and businesses, although the latter may indeed feel that they do not presently have sufficiently broad powers of interception. However, on the whole the 2000 Act disproportionately favours the interceptors rather than the subjects of the interception. A more appropriate balance can be achieved between the security needs of interceptors (whether public authorities or businesses) and the privacy rights and commercial interests of the subject (whether a business or an employee). Thus, the authorisation of interception should generally be by an impartial third party, and authorisation only granted on clear and detailed grounds that have been objectively assessed. Interception should always be a proportionate response to a security concern. Finally, where interception is premised on consent, genuine consent should be sought from the subject of the interception. Where such consent is not given, or where it is not reasonable to obtain consent, then it is even more important that the interception is objectively justified. These amendments would not unduly hinder legitimate interceptions, but would give an appropriately greater weight to human rights principles and the right to privacy.

However, following the terrorist attacks in New York, the government's purported justification for increased interception will become more and more difficult to dislodge. Similarly, employers may argue that their right to monitor their employees will become an indispensable component of the government's security measures. At that juncture, the arguments advanced above regarding the balance to be achieved between human rights and security will need to be reassessed since, arguably, a greater propensity towards interception should be matched by greater safeguards for the subject of the interception.


Bibliography


Andrews, S (2000) ‘Who Holds the Key? A Comparative Study of US and European Encryption Policies’ 2 The Journal of Information, Law and Technology 4.
Bamforth, N (1999) ‘The Application of the Human Rights Act 1998 to Public Authorities and Private Bodies’ 58(1) Current Legal Problems 159.
Beiser, V (1999) ‘Only You Can Prevent Cybercrime’ <www.wired.com/news/politics> July 7.
Bingley, L (2000) ‘Watchers Must Watch Out’ IT Week October 9, p.5.
Cape, E (2001) ‘The Right to Privacy – RIP?’ Legal Action January, p.21.
Davies, G (2000) ‘The “horizontal effect” of the Human Rights Act’ NLJ June 2, p.839.
Fortune Magazine (2000) <www.library.northernlight.com> May 15.
Ging, P (2000) ‘Dark Side of the Web’ <www.bbc.co.uk/news> May 27.
Goodwin, B (2000) ‘E-Mail Monitor Laws will Lead to more confusion’ Computer Weekly October 12, p.12.
Goodwin, B (2000a) ‘Cybercrime – An Inside Job’ Computer Weekly August 31, p.16.
Hunt, M (1998) ‘The “Horizontal Effect” of the Human Rights Act’ Public Law 423.
Lee, C (2000) ‘Viruses and Hacking for Xmas’ IT Week December 11, p.5.
Lester, A and Pannick, D (2000) ‘The Impact of the Human Rights Act on Private Law: the Knight’s Move’ 116 Law Quarterly Review 380.
McAuliffe, W (2001) 'One in Five Employers Snoop on Staff E-Mail' <www.zdnet.co.uk> January 17.
Rogers, A (2000) ‘You Got Mail But Your Employer Does Too: Electronic Communication and Privacy in the 21st Century’ 5(1) Journal of Technology Law & Policy 6.
Stewart, S (2000) 'Anxiety Disorder' <www.thestandard.com> May 15.

British Chambers of Commerce (2000) The Economic Impact of the Regulation of Investigatory Powers Bill, www.britishchambers.org.uk/newsand policy.ict/ripbillsummary June 12.
Draft Code of Practice on the Use of Personal Data in Employer/Employee Relationships, <www.britishlibrary.net/govt.html>.


Footnotes

(1) Encryption, also referred to as cryptography, is the "..use of mathematical or other methods to hide the content of messages or files". This definition is taken from A Report of the President's Working Group on Unlawful Conduct on the Internet (2000) The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet, www.cybercrime.gov/unlawful.
(2) Technical Director of Buchanan International, Internet security experts.
(3) A number of cases revealed technological loopholes within the 1985 Act. For example, in R v Effick [1994] 99 CrAppR 312 the House of Lords held that cordless telephones were not part of the public telecommunications system, so interception of such telephones could occur without obtaining a warrant. This and other loopholes are detailed in the Justice report (1998) Under Surveillance: Covert Policing and Human Rights Standards, (London). The 2000 Act also regulates forms of surveillance by public authorities (such as visual observation through human sources) which previously had no legal basis and lacked compliance with the requirements of the European Convention on Human Rights. A comprehensive critique of the 2000 Act can be found in Akdeniz, Y, Taylor, N and Walker, C ‘Regulation of Investigatory Powers Act (1): BigBrother.gov.uk: State surveillance in the age of information and rights’ [2001] CrimLR 73.
(4) Niemietz v Germany (1992) 16 EHRR 97; Miailhe v France (1993) 16 EHRR 332; Huvig v France (1990) 12 EHRR 528. A number of other cases have also confirmed that the scope of Article 8(1) includes business premises and communications, such as Klass v FRG (1978) 2 EHRR 214, Malone v United Kingdom (1984) 7 EHRR 14, and Kopp v Switzerland (1998) 27 EHRR 91.
(5) Halford v UK (1997) 24 EHRR 523, paras. 44-51. There was also a finding of breach in Halford because the 1985 Act only regulated the interception of communications transmitted by a public telecommunications system, whereas Halford’s phone was part of her employer’s private telecommunications system. The restriction to her privacy was therefore not ‘in accordance with the law’.
(6) Section 2(1) defines ‘telecommunications system’ to mean any system for ‘the transmission of communications by any means involving the use of electro-magnetic energy’. A private telecommunications system is defined (in section 2(1)) as one which is not available to the public in the United Kingdom but is attached to a public telecommunications system. Therefore, a wholly internal system, without any means of connecting with the public system, is not covered by the Act; Milgate, H (2000) ‘Interception of Communications’ NLJ December 15, p.1862. Section 2(2) states that interception, for the purposes of Chapter 1, occurs where the contents of a communication are intercepted. Logging the number or destination of communications does not amount to interception, (section 2(5)), but it is regulated under Chapter II of the Act.
(7) Morgans v DPP [2000] WLR 386, per Lord Hope of Craighead at paras.48-54. Prior to the 2000 Act, the statutory basis for such practices was contentious. Arguably, it was not covered by the 1985 Act but was dealt with instead under the Telecommunications Act 1984 and the Data Protection Act 1984; Under Surveillance, p.17.
(8) Niemietz and Huvig were distinguished since here public authorities were searching premises owned by private bodies. Therefore, an employer may be protected from interference by public authorities, but an employee cannot be protected where the employer wishes to interfere.
(9) As shown in Malone where the European Court of Human Rights found that regulating the interception of communications by means only of administrative guidelines was a breach of Articles 8 and 13.
(10) The negative and positive obligations imposed by the European Convention on Human Rights are discussed in detail in Harris, D J, O’Boyle, M and Warbrick, C (1995) Law of the European Convention on Human Rights (Butterworths), pp.19-22.
(11) The analysis that follows is based on the arguments set out in Bamforth, N (1999) ‘The Application of the Human Rights Act 1998 to Public Authorities and Private Bodies’ 58(1) CLJ 159 and (2001) ‘The True “Horizontal Effect” of the Human Rights Act 1998’ 117 LQR 34, Hunt, M (1998) ‘The “Horizontal Effect” of the Human Rights Act’ PL 423, and Lester, A and Pannick, D (2000) ‘The Impact of the Human Rights Act on Private Law: the Knight’s Move’ 116 LQR 380. As has been discussed in the Law Quarterly Review (2000), there are widely differing views as to the possible horizontal effect of the Act. Sir Richard Buxton (2000) ‘The Human Rights Act and Private Law’ 116 LQR 48, argues against a horizontal effect principally on the basis that the nature of Convention rights is not to impose obligations on private parties. Conversely, Sir William Wade (2000) ‘Horizons of Horizontality’ 116 LQR 217, argues in favour of a full horizontal effect whereby the courts are obliged to enforce rights (even against private parties) since they constitute legal norms which are integral to the justice system. We have applied a simplified version of what seems to be, broadly, the consensus view; that the 1998 Act will have an indirect horizontal effect.
(12) Hunt, pp.338-41; Hunt, Lester and Pannick, and Wade (amongst others) see section 6 as being the main basis for horizontal effect (although Lester describes this as a ‘diagonal’ effect whereby human rights principles are incrementally woven into private law). Bamforth (2001), pp.38-40, argues that section 6 does not impose a duty on the courts since there is no sanction for breach of that ‘duty’.
(13) Given the manner in which the Regulations define a “communication” that can be intercepted, section 2(b)(i) and (ii).

