FIRST SECTION
CASE OF
BIG BROTHER WATCH AND OTHERS
v. THE UNITED KINGDOM
(Applications nos. 58170/13, 62322/14and 24960/15)
JUDGMENT
See Also: Legal Summary
STRASBOURG
13 September 2018
This judgment will become final in the circumstances set out in Article 44 § 2 of the Convention. It may be subject to editorial revision.
TABLE OF CONTENTS
I. THE CIRCUMSTANCES OF THE CASE
B. The secret surveillance schemes
1. Government Communications Headquarters ("GCHQ")
2. The United States' National Security Agency ("NSA")
C. Domestic proceedings in the first and second of the joined cases
D. Domestic proceedings in the third of the joined cases
2. The IPT's first judgment of 5 December 2014
3. The IPT's second judgment of 6 February 2015
4. The IPT's third judgment of 22 June 2015 as amended by its 1 July 2015 letter
II. RELEVANT DOMESTIC LAW AND PRACTICE
A. The interception of communications
3. Specific safeguards under RIPA
4. The Interception of Communications Code of Practice
6. Belhadj and Others v. Security Service, Secret Intelligence Service, Government Communications Headquarters, the Secretary of State for the Home Department, and the Secretary of State for the Foreign and Commonwealth Office, IPT/13/132-9/H, [2015] UKIPTrib 13_132-H, [2014] UKIPTrib 13_132-9H and IPT/14/86/CH
1. British-US Communication Intelligence Agreement
2. Relevant statutory framework for the operation of the intelligence services
(d) Counter-Terrorism Act 2008
(e) The Data Protection Act 1998 ("DPA")
(f) The Official Secrets Act 1989 ("OSA")
(g) The Human Rights Act 1998 ("HRA")
3. The Interception of Communications Code of Practice
C. Acquisition of communications data
2. The Acquisition and Disclosure of Communications Data: Code of Practice
3. News Group and Others v. The Commissioner of Police of the Metropolis IPT/14/176/H, [2015] UKIPTrib 14_176-H, 17 December 2015
4. The Police and Criminal Evidence Act 1984
2. The Investigatory Powers Tribunal Rules 2000 ("the Rules")
3. IPT ruling on preliminary issues of law
F. Reviews of interception operations by the intelligence service
2. Privacy and security: a modern and transparent legal framework
4. A Democratic Licence to Operate: Report of the Independent Surveillance Review ("ISR")
5. Report of the Bulk Powers Review
7. Annual Report of the Interception of Communications Commissioner for 2016
(b) Acquisition of communications data under Chapter II of RIPA
G. The Investigatory Powers Act 2016
(a) Resolution no. 68/167 on The Right to Privacy in the Digital Age
(b) The Constitution of the International Telecommunication Union 1992
(c) The 2006 Annual Report of the International Law Commission
(d) The 2001 (Budapest) Convention on Cybercrime
1. Charter of Fundamental Rights of the European Union
Article 7 - Respect for private and family life
Article 8 - Protection of personal data
Article 11 - Freedom of expression and information
2. EU directives and regulations relating to protection and processing of personal data
3. Relevant case-law of the Court of Justice of the European Union ("CJEU")
(a) Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources and Others and Seitinger and Others (Cases C-�293/12 and C -� 594/12; ECLI:EU:C:2014:238)
(b) Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others (Cases C -� 203/15 and C -� 698/15; ECLI:EU:C:2016:970)
I. EXHAUSTION OF DOMESTIC REMEDIES
B. The submissions of the third party
2. Application of those principles to the case at hand
II. ALLEGED VIOLATION OF ARTICLE 8 OF THE CONVENTION
(b) The submissions of the third parties
(iv) The Helsinki Foundation for Human Rights ("HFHR")
(v) The International Commission of Jurists ("ICJ")
(vi) Open Society Justice Initiative ("OSJI")
(viii) The Law Society of England and Wales
(ii) Existing case-law on the bulk interception of communications
(iii) The test to be applied in the present case
B. The intelligence sharing regime
(b) The submissions of the third parties
(i) The Electronic Privacy Information Center ("EPIC")
(iv) Center for Democracy and Technology ("CDT") and Pen American Center ("PEN America")
(v) The International Commission of Jurists ("ICJ")
(vi) Open Society Justice Initiative ("OSJI")
(vii) The Law Society of England and Wales
(viii) Human Rights Watch ("HRW")
(i) The scope of the applicants' complaints
(ii) The nature of the interference
(iv) Application of the test to material falling into the second category
(v) Application of the test to material falling into the third category
(i) Existing case-law on the acquisition of communications data
(ii) The approach to be taken in the present case
(iii) Examination of the Chapter II regime
III. ALLEGED VIOLATION OF ARTICLE 10 OF THE CONVENTION
1. The applicants in the third of the joined cases
2. The applicants in the second of the joined cases
2. The submissions of the third parties
(a) The Helsinki Foundation for Human Rights
(c) The Media Lawyers' Association ("MLA")
(b) The application of the general principles to the present case
IV. ALLEGED VIOLATION OF ARTICLE 6 OF THE CONVENTION
VI. APPLICATION OF ARTICLE 41 OF THE CONVENTION
PARTLY CONCURRING, PARTLY DISSENTING OPINION OF JUDGE KOSKELO, JOINED BY JUDGE TURKOVIĆ
I. The RIPA section 8(4) regime
(i) The context of earlier case-law
(ii) The context of the present case
II. The intelligence-sharing regime
JOINT PARTLY DISSENTING AND PARTLY CONCURRING OPINION OF JUDGES PARDALOS AND EICKE
In the case of Big Brother Watch and Others v. the United Kingdom,
The European Court of Human Rights (First Section), sitting as a Chamber composed of:
Linos-Alexandre Sicilianos,
President,
Kristina Pardalos,
Aleš Pejchal,
Ksenija Turković,
Armen Harutyunyan,
Pauliine Koskelo,
Tim Eicke,
judges,
and Abel Campos,
Section Registrar,
Having deliberated in private on 7 November 2017 and 3 July 2018,
Delivers the following judgment, which was adopted on the last-�mentioned date:
1. The case originated in three applications (nos. 58170/13, 62322/14and 24960/15) against the United Kingdom of Great Britain and Northern Ireland lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms ("the Convention") by the companies, charities, organisations and individuals listed in the Appendix ("the applicants") on 4 September 2013, 11 September 2014 and 20 May 2015 respectively.
2. The applicants were represented by Mr D. Carey, of Deighton Pierce Glynn Solicitors; Ms R. Curling of Leigh Day and Co. Solicitors; and Ms E. Norton of Liberty. The Government of the United Kingdom ("the Government") were represented by their Agent, Ms R. Sagoo of the Foreign and Commonwealth Office.
3. The applicants complained about the scope and magnitude of the electronic surveillance programmes operated by the Government of the United Kingdom.
4. The applications were communicated to the Government on 7 January 2014, 5 January 2015 and 24 November 2015. In the first case, leave to intervene was granted to Human Rights Watch, Access Now, Bureau Brandeis, Center For Democracy & Technology, European Network of National Human Rights Institutions and the Equality and Human Rights Commission, the Helsinki Foundation For Human Rights, the International Commission of Jurists, Open Society Justice Initiative, The Law Society of England and Wales and Project Moore; in the second case, to the Center For Democracy & Technology, the Helsinki Foundation For Human Rights, the International Commission of Jurists, the National Union of Journalists and the Media Lawyers' Association; and in the third case, to Article 19, the Electronic Privacy Information Center and to the Equality and Human Rights Commission.
5. On 4 July 2017 the Chamber of the First Section decided to join the applications and hold an oral hearing. That hearing took place in public in the Human Rights Building, Strasbourg, on 7 November 2017.
There appeared before the Court:
(a)
for the Government
Ms
R. Sagoo
,
Agent
,
Mr
J. Eadie qc,
Mr
J. Milford
,
Counsel
,
Ms
N. Samuel
Mr
S. Bowden,
Mr
M. Anstee,
Mr
T. Rutherford,
Ms
L. Morgan,
Mr
B. Newman
,
Advisers.
(b) for the applicants
Ms
D. Rose qc,
Ms
H. Mountfield qc,
Mr
M. Ryder qc,
Counsel,
Mr
R. Mehta
,
Mr
C. McCarthy
,
Mr
D. Carey,
Mr
N. Williams
Advisers.
6. The Court heard addresses by Mr Eadie, Ms Rose and Ms Mountfield, as well as their replies to questions put by the President and by Judges Koskelo, Harutyunyan, Eicke, Turković and Pardalos.
I. THE CIRCUMSTANCES OF THE CASE
7 . The three applications were introduced following revelations by Edward Snowden relating to the electronic surveillance programmes operated by the intelligence services of the United States of America and the United Kingdom.
8. The applicants, who are listed in the Appendix, all believed that due to the nature of their activities, their electronic communications were likely to have either been intercepted by the United Kingdom intelligence services; obtained by the United Kingdom intelligence services after being intercepted by foreign governments; and/or obtained by the United Kingdom authorities from Communications Service Providers ("CSPs").
B. The secret surveillance schemes
9. Internet communications are primarily carried over international sub-marine fibre optic cables operated by CSPs. Each cable may carry several "bearers", and there are approximately 100,000 of these bearers joining up the global Internet. A single communication over the Internet is divided into "packets" (units of data) which may be transmitted separately across multiple bearers. These packets will travel via a combination of the quickest and cheapest paths, which may also depend on the location of the servers. Consequently, some or all of the parts of any particular communication sent from one person to another, whether within the United Kingdom or across borders, may be routed through one or more other countries if that is the optimum path for the CSPs involved.
1. Government Communications Headquarters ("GCHQ")
10. The Edward Snowden revelations indicated that GCHQ (being one of the United Kingdom intelligence services) was running an operation, codenamed "TEMPORA", which allowed it to tap into and store huge volumes of data drawn from bearers.
11 . According to the March 2015 Report of the Intelligence and Security Committee of Parliament ("the ISC report" - see paragraphs 151-159 below), GCHQ is operating two major processing systems for the bulk interception of communications. The United Kingdom authorities have neither confirmed nor denied the existence of an operation codenamed TEMPORA.
12. The first of the two processing systems referred to in the ISC report is targeted at a very small percentage of bearers. As communications flow across the targeted bearers, the system compares the traffic against a list of "simple selectors". These are specific identifiers (for example, an email address) relating to a known target. Any communications which match are collected; those that do not are automatically discarded. Analysts then carry out a "triage process" in relation to collected communications to determine which are of the highest intelligence value and should therefore be opened and read. In practice, only a very small proportion of the items collected under this process are opened and read by analysts. GCHQ does not have the capacity to read all communications.
13 . The second processing system is targeted at an even smaller number of bearers (a subset of those accessed by the process described in the paragraph above) which are deliberately targeted as those most likely to carry communications of intelligence interest. This second system has two stages: first, the initial application of a set of "processing rules" designed to discard material least likely to be of value; and secondly, the application of complex queries to the selected material in order to draw out those likely to be of the highest intelligence value. Those searches generate an index, and only items on that index may potentially be examined by analysts. All communications which are not on the list must be discarded.
14. The legal framework for bulk interception in force at the relevant time is set out in detail in the "Relevant Domestic law and practice" section below. In brief, section 8(4) of the Regulation of Investigatory Powers Act 2000 ("RIPA" - see paragraph 67 below) allows the Secretary of State to issue warrants for the "interception of external communications", and pursuant to section 16 of RIPA (see paragraphs 78-85 below) intercepted material cannot be selected to be read, looked at or listened to, "according to a factor which is referable to an individual who is known to be for the time being in the British Islands".
2. The United States' National Security Agency ("NSA")
15. The NSA has acknowledged the existence of two operations called PRISM and Upstream.
16. PRISM is a programme through which the United States' Government obtains intelligence material (such as communications) from Internet Service Providers ("ISPs"). Access under PRISM is specific and targeted (as opposed to a broad "data mining" capability). The United States' administration has stated that the programme is regulated under the Foreign Intelligence Service Act ("FISA"), and applications for access to material through PRISM have to be approved by the FISA Court, which is comprised of eleven senior judges.
17. Documents from the NSA leaked by Edward Snowden suggest that GCHQ has had access to PRISM since July 2010 and has used it to generate intelligence reports. GCHQ has acknowledged that it acquired information from the United States' which had been obtained via PRISM.
18. According to the leaked documents, the Upstream programme allows the collection of content and communications data from fibre-optic cables and infrastructure owned by United States' CSPs. This programme has broad access to global data, in particular that of non-US citizens, which can then be collected, stored and searched using keywords.
C. Domestic proceedings in the first and second of the joined cases
19. The applicants in the first of the joined cases (application no. 58170/13) sent a pre-action protocol letter to the Government on 3 July 2013 setting out their complaints and seeking declarations that sections 1 and 3 of the Intelligence Services Act (see paragraphs 100-103 below), section 1 of the Security Services Act (see paragraph 99 below) and section 8 of RIPA (see paragraph 67 below) were incompatible with the Convention. In their reply of 26 July 2013, the Government stated that the effect of section 65(2) of RIPA was to exclude the jurisdiction of the High Court in respect of human rights complaints against the intelligence services. These complaints could however be raised in the Investigatory Powers Tribunal ("IPT"), a court established under RIPA to hear allegations by citizens of wrongful interference with their communications as a result of conduct covered by that Act, which was endowed with exclusive jurisdiction to investigate any complaint that a person's communications have been intercepted and, where interception has occurred, to examine the authority for such interception (see paragraphs 123-143 below). No further action was taken by these applicants.
20. The applicants in the second of the joined cases (application no. 62322/14) did not bring any domestic proceedings as they did not believe that they had an effective remedy for their Convention complaints.
D. Domestic proceedings in the third of the joined cases
21. The ten human rights organisations which are the applicants in the third of the joined cases (application no. 24960/15) each lodged a complaint before the IPT between June and December 2013. They alleged that the intelligence services, the Home Secretary and the Foreign Secretary had acted in violation of Articles 8, 10, and 14 of the Convention by: (i) accessing or otherwise receiving intercepted communications and communications data from the US Government under the PRISM and Upstream programmes ("the PRISM issue"); and (ii) intercepting, inspecting and retaining their communications and their communications data under the TEMPORA programme ("the section 8(4) issue"). The applicants sought disclosure of all relevant material relied on by the intelligence services in the context of their interception activities and, in particular, all policies and guidance.
22. On 14 February 2014 the IPT ordered that the ten cases be joined. It subsequently appointed Counsel to the Tribunal (see paragraph 142 below), whose function is to assist the IPT in whatever way it directs, including by making representations on issues in relation to which not all parties can be represented (for example, for reasons of national security).
23. In their response to the applicants' claims, the Government adopted a "neither confirm nor deny" approach, that is to say, they declined to confirm or deny whether the applicants' communications had actually been intercepted. It was therefore agreed that the IPT would determine the legal issues on the basis of assumed facts to the effect that the NSA had obtained the applicants' communications and communications data via PRISM or Upstream and had passed them to GCHQ, where they had been retained, stored, analysed and shared; and that the applicants' communications and communications data had been intercepted by GCHQ under the TEMPORA programme and had been retained, stored, analysed and shared. The question was whether, on these assumed facts, the interception, retention, storage and sharing of data was compatible with Articles 8 and 10, taken alone and together with Article 14 of the Convention.
24 . The IPT, composed of two High Court Judges (including the President), a Circuit Judge and two senior barristers, held a five-day, public hearing from 14-18 July 2014. The Government requested an additional closed hearing in order to enable the IPT to consider GCHQ's unpublished - described during the public hearing as "below the waterline" - internal arrangements for processing data. The applicants objected, arguing that the holding of a closed hearing was not justified and that the failure to disclose the arrangements to them was unfair.
25. The request for a closed hearing was granted pursuant to Rule 9 of the IPT's Rules of Procedure (see paragraph 131 below) and on 10 September 2014 a closed hearing took place, at which neither the applicants nor their representatives were present. Instead, the IPT was "assisted by the full, perceptive and neutral participation ... of Counsel to the Tribunal", who performed the following roles: (i) identifying documents, parts of documents or gists that ought properly to be disclosed; (ii) making such submissions in favour of disclosure as were in the interests of the Claimants and open justice; and (iii) ensuring that all the relevant arguments (from the Claimants' perspective) on the facts and the law were put before the IPT.
26 . In the closed hearing, the IPT examined the internal arrangements regulating the conduct and practice of the intelligence services. It found that it was entitled to look "below the waterline" to consider the adequacy of the applicable safeguards and whether any further information could or should be disclosed to the public in order to comply with the requirements of Articles 8 and 10.
27. On 9 October 2014 the IPT notified the applicants that it was of the view that there was some closed material which could be disclosed. It explained that it had invited the Government to disclose the material and that the Government had agreed to do so. The material was accordingly provided to the applicants in a note ("the 9 October disclosure") and the parties were invited to make submissions to the IPT on the disclosed material.
28. The applicants sought information on the context and source of the disclosure but the IPT declined to provide further details. The applicants made written submissions on the disclosure.
29. The respondents subsequently amended and amplified the disclosed material.
30 . Following final disclosures made on 12 November 2014, the 9 October disclosure provided as follows:
"The US Government has publicly acknowledged that the Prism system and Upstream programme ... permit the acquisition of communications to, from, or about specific tasked selectors associated with non-US persons who are reasonably believed to be located outside the United States in order to acquire foreign intelligence information. To the extent that the Intelligence Services are permitted by the US Government to make requests for material obtained under the Prism system (and/or ... pursuant to the Upstream programme), those requests may only be made for unanalysed intercepted communications (and associated communications data) acquired in this way.
1. A request may only be made by the Intelligence Services to the government of a country or territory outside the United Kingdom for unanalysed intercepted communications (and associated communications data), otherwise than in accordance with an international mutual legal assistance agreement, if either:
- a relevant interception warrant under [RIPA] has already been issued by the Secretary of State, the assistance of the foreign government is necessary to obtain the communications at issue because they cannot be obtained under the relevant RIPA interception warrant and it is necessary and proportionate for the Intelligence Services to obtain those communications; or
- making the request for the communications at issue in the absence of a relevant RIPA interception warrant does not amount to a deliberate circumvention of RIPA or otherwise contravene the principle established in Padfield v. Minister of Agriculture, Fisheries and Food [1968] AC 997 [that a public body is required to exercise its discretionary powers to promote (and not to circumvent) the policy and the objects of the legislation which created those powers] (for example, because it is not technically feasible to obtain the communications via RIPA interception), and it is necessary and proportionate for the Intelligence Services to obtain those communications. In these circumstances, the question whether the request should be made would be considered and decided upon by the Secretary of State personally. Any such request would only be made in exceptional circumstances, and has not occurred as at the date of this statement.
...
2. Where the Intelligence Services receive intercepted communications content or communications data from the government of a country or territory outside the United Kingdom, irrespective of whether it is/they are solicited or unsolicited, whether the content is analysed or unanalysed, or whether or not the communications data are associated with the content of communications, the communications content and data are, pursuant to internal 'arrangements', subject to the same internal rules and safeguards as the same categories of content or data, when they are obtained directly by the Intelligence Services as a result of interception under RIPA.
3. Those of the Intelligence Services that receive unanalysed intercepted material and related communications data from interception under a s.8(4) warrant have internal 'arrangements' that require a record to be created, explaining why access to the unanalysed intercepted material is required, before an authorised person is able to access such material pursuant to s.16 of RIPA.
4. The internal 'arrangements' of those of the Intelligence Services that receive unanalysed intercepted material and related communications data from interception under a s.8(4) warrant specify (or require to be determined, on a system-by-system basis) maximum retention periods for different categories of such data which reflect the nature and intrusiveness of the particular data at issue. The periods so specified (or determined) are normally no longer than 2 years, and in certain cases are significantly shorter (intelligence reports that draw on such data are treated as a separate category, and are retained for longer). Data may only be retained for longer than the applicable maximum retention period where prior authorisation has been obtained from a senior official within the particular Intelligence Service at issue on the basis that continued retention of the particular data at issue has been assessed to be necessary and proportionate (if the continued retention of any such data is thereafter assessed no longer to meet the tests of necessity and proportionality, such data are deleted). As far as possible, all retention periods are implemented by a process of automated deletion which is triggered once the applicable maximum retention period has been reached for the data at issue. The maximum retention periods are overseen by, and agreed with the Commissioner. As regards related communications data in particular, Sir Anthony May made a recommendation to those of the Intelligence Services that receive unanalysed intercepted material and related communications data from interception under a s8(4) warrant, and the interim Commissioner (Sir Paul Kennedy) has recently expressed himself to be content with the implementation of that recommendation.
5. The Intelligence Services' internal 'arrangements' under [the Security Services Act 1989], [the Intelligence Services Act 1994] and ss.15-16 of RIPA are periodically reviewed to ensure that they remain up-to-date and effective. Further, the Intelligence Services are henceforth content to consider, during the course of such periodic reviews, whether more of those internal arrangements might safely and usefully be put into the public domain (for example, by way of inclusion in a relevant statutory Code of Practice)."
2. The IPT's first judgment of 5 December 2014
31. The IPT issued its first judgment on 5 December 2014. The judgment addressed the arrangements then in place for intercepting and sharing data, making extensive reference throughout to this Court's case-law.
32 . The IPT accepted that the PRISM issue engaged Article 8 of the Convention, albeit at a "lower level" than the regime under consideration in Weber and Saravia v. Germany (dec.), no. 54934/00, ECHR 2006-�XI. As a consequence, there would need to be compliance by the authorities involved in processing the data with the requirements of Article 8, particularly in relation to storage, sharing, retention and destruction. In the IPT's view, in order for the interference to be considered "in accordance with the law", there could not be unfettered discretion for executive action; rather, the nature of the rules had to be clear and the ambit of the rules had - in so far as possible - to be in the public domain (citing Bykov v. Russia [GC], no. 4378/02, §§ 76 and 78, 10 March 2009 and Malone v. the United Kingdom , 2 August 1984, Series A no. 82). However, it considered it plain that in the field of national security, much less was required to be put in the public domain and the degree of foreseeability required by Article 8 had to be reduced, otherwise the whole purpose of the steps taken to protect national security would be at risk (citing Leander v. Sweden , 26 March 1987, § 51, Series A no. 116).
33. The IPT continued:
"41. We consider that what is required is a sufficient signposting of the rules or arrangements insofar as they are not disclosed ... We are satisfied that in the field of intelligence sharing it is not to be expected that rules need to be contained in statute ( Weber ) or even in a code (as was required by virtue of the Court's conclusion in Liberty v. [the United Kingdom, no. 58243/00, 1 July 2008]). It is in our judgment sufficient that:
i) Appropriate rules or arrangements exist and are publicly known and confirmed to exist, with their content sufficiently signposted, such as to give an adequate indication of it (as per Malone ...).
ii) They are subject to proper oversight."
34 . The IPT noted that arrangements for information sharing were provided for in the statutory framework set out in the Security Services Act 1994 ("the SSA" - see paragraphs 98-99 below) and the Intelligence Services Act 1994 ("the ISA" - see paragraphs 100-103 below). It further referred to a witness statement of Charles Farr, the Director-General of the Office for Security and Counter Terrorism ("OSCT") at the Home Office, in which he explained that the statutory framework set out in those Acts was underpinned by detailed internal guidance, including arrangements for securing that the services only obtained the information necessary for the proper discharge of their functions. He further indicated that staff received mandatory training on the legal and policy framework in which they operated, including clear instructions on the need for strict adherence to the law and internal guidance. Finally, he stated that the full details of the arrangements were confidential since they could not be published safely without undermining the interests of national security.
35. The IPT therefore acknowledged that as the arrangements were not made known to the public, even in summary form, they were not accessible. However, the IPT considered it significant that the arrangements were subject to oversight and investigation by the Intelligence and Security Committee of Parliament and the independent Interception of Communications Commissioner. Furthermore, it itself was in a position to provide oversight, having access to all secret information, and being able to adjourn into closed hearing to assess whether the arrangements referred to by Mr Farr existed and were capable of giving the individual protection against arbitrary interference.
36. In so far as the claimants challenged the IPT's decision to look "below the waterline" when assessing the adequacy of the safeguards, the IPT considered itself entitled to look at the internal arrangements in order to be satisfied that there were adequate safeguards and that what was described as "above the waterline" was accurate and gave a sufficiently clear signposting as to what was "below the waterline" without disclosing the detail of it. In this regard, the IPT did not accept that the holding of a closed hearing, as had been carried out in the applicants' case, was unfair. It accorded with the statutory procedure, gave the fullest and most transparent opportunity for hearing full arguments inter partes on hypothetical and actual facts with as much as possible heard in public, and protected the public interest and national security.
37. Having considered the arrangements "below the waterline", the IPT was satisfied that the 9 October disclosure (as subsequently amended) provided a clear and accurate summary of that part of the evidence given in the closed hearing which could and should be disclosed and that the rest of the evidence given in closed hearing was too sensitive for disclosure without risk to national security or to the "neither confirm nor deny" principle. It was further satisfied that it was clear that the preconditions for requesting information from the United States Government were either the existence of a section 8(1) warrant, or the existence of a section 8(4) warrant within whose ambit the proposed target's communications fell, together, if the individual was known to be in the British Islands, with a section 16(3) modification (see paragraph 80 below). In other words, any request pursuant to PRISM or Upstream in respect of intercept or communications data would be subject to the RIPA regime, unless it fell within the wholly exceptional scenario outlined in 1(b) of the material disclosed after the first hearing. However, a 1(b) request had never occurred.
38. The IPT nevertheless identified the following "matter of concern":
"Although it is the case that any request for, or receipt of, intercept or communications data pursuant to Prism and/or Upstream is ordinarily subject to the same safeguards as in a case where intercept or communication data are obtained directly by the Respondents, if there were a 1(b) request, albeit that such request must go to the Secretary of State, and that any material so obtained must be dealt with pursuant to RIPA, there is the possibility that the s.16 protection might not apply. As already indicated, no 1(b) request has in fact ever occurred, and there has thus been no problem hitherto. We are however satisfied that there ought to be introduced a procedure whereby any such request, if it be made, when referred to the Secretary of State, must address the issue of s.16(3)."
39. However, subject to this caveat, the IPT reached the following conclusions:
"(i) Having considered the arrangements below the waterline, as described in this judgment, we are satisfied that there are adequate arrangements in place for the purpose of ensuring compliance with the statutory framework and with Articles 8 and 10 of the Convention, so far as the receipt of intercept from Prism and/or Upstream is concerned.
(ii) This is of course of itself not sufficient, because the arrangements must be sufficiently accessible to the public. We are satisfied that they are sufficiently signposted by virtue of the statutory framework to which we have referred and the Statements of the ISC and the Commissioner quoted above, and as now, after the two closed hearings that we have held, publicly disclosed by the Respondents and recorded in this judgment.
(iii) These arrangements are subject to oversight.
(iv) The scope of the discretion conferred on the Respondents to receive and handle intercepted material and communications data and (subject to the s.8(4) issues referred to below) the manner of its exercise, are accordingly (and consistent with Bykov - see paragraph 37 above) accessible with sufficient clarity to give the individual adequate protection against arbitrary interference."
40 . Finally, the IPT addressed an argument raised by Amnesty International only; namely, that the United Kingdom owed a positive obligation under Article 8 of the Convention to prevent or forestall the United States from intercepting communications including an obligation not to acquiesce in such interception by receiving its product. However, the IPT, citing M. and Others v. Italy and Bulgaria , no. 40020/03, § 127, 31 July 2012, noted that "the Convention organs have repeatedly stated that the Convention does not contain a right which requires a High Contracting Party to exercise diplomatic protection, or espouse an applicant's complaints under international law, or otherwise to intervene with the authorities of another state on his or her behalf". The IPT therefore rejected this submission.
41 . The IPT formulated four questions to be decided in order to determine whether the section 8(4) regime (which provided the legal framework for the bulk interception of external communications - see paragraph 67 below) was compatible with the Convention:
"(1) Is the difficulty of determining the difference between external and internal communications ... such as to cause the s.8(4) regime not to be in accordance with law contrary to Article 8(2)?
(2) Insofar as s.16 of RIPA is required as a safeguard in order to render the interference with Article 8 in accordance with law, is it a sufficient one?
(3) Is the regime, whether with or without s.16, sufficiently compliant with the Weber requirements, insofar as such is necessary in order to be in accordance with law?
(4) Is s. 16(2) indirectly discriminatory contrary to Article 14 of the Convention, and, if so, can it be justified?"
42. In relation to the first question, the applicants had contended that following the "sea-change in technology since 2000" substantially more communications were now external, and as a result the internal/external distinction in section 8(4) was no longer "fit for purpose". While the IPT accepted that the changes in technology had been substantial, and that it was impossible to differentiate at interception stage between external and internal communications, it found that the differences in view as to the precise definition of "external communications" did not per se render the section 8(4) regime incompatible with Article 8 § 2. In this regard, it considered that the difficulty in distinguishing between "internal" and "external" communications had existed since the enactment of RIPA and the changes in technology had not materially added to the quantity or proportion of communications which could or could not be differentiated as being external or internal at the time of interception. At worst, they had "accelerated the process of more things in the world on a true analysis being external than internal". In any case the distinction was only relevant at interception stage. The "heavy lifting" was done by section 16 of RIPA, which prevented intercepted material being selected to be read, looked at or listened to "according to a factor which is referable to an individual who is known to be for the time being in the British Islands" (see paragraphs 78-80 below). Furthermore, all communications intercepted under a section 8(4) warrant could only be considered for examination by reference to that section.
43. In respect of the second question, the IPT held that the section 16 safeguards, which applied only to intercept material and not to related communications data, were sufficient. Although it concluded that the Weber criteria also extended to communications data, it considered that there was adequate protection or safeguards by reference to section 15 (see paragraphs 72-77 below). In addition, insofar as section 16 offered greater protection for communications content than for communications data, the difference was justified and proportionate because communications data was necessary to identify individuals whose intercepted material was protected by section 16 (that is, individuals known to be in the British Islands).
44 . Turning to the third question, the IPT concluded that the section 8(4) regime was sufficiently compliant with the Weber criteria and was in any event "in accordance with the law". With regard to the first and second requirements, it considered that the reference to "national security" was sufficiently clear (citing Esbester v. the United Kingdom (dec.), no. 18601/91, 2 April 1993 and Kennedy v. the United Kingdom , no. 26839/05, 18 May 2010); the absence of targeting at the interception stage was acceptable and inevitable, as it had been in Webe r; on their face, the provisions of paragraph 5.2 of the Interception of Communications Code of Practice, together with paragraphs 2.4, 2.5, 5.3, 5.4, 5.5 and 5.6 were satisfactory; there was no call for search words to be included in an application for a warrant or in the warrant itself, as this would unnecessarily undermine and limit the operation of the warrant and might in any event be entirely unrealistic; and there was no requirement for the warrant to be judicially authorised.
45. In considering the third, fourth, fifth and sixth of the Weber criteria, the IPT had regard to the safeguards in sections 15 and 16 of RIPA, the Interception of Communications Code of Practice, and the "below the waterline arrangements". It did not consider it necessary that the precise details of all the safeguards should be published or contained in either statute or code of practice. Particularly in the field of national security, undisclosed administrative arrangements, which by definition could be changed by the Executive without reference to Parliament, could be taken into account, provided that what is disclosed indicated the scope of the discretion and the manner of its exercise. This was particularly so when, as was the case here, the Code of Practice itself referred to the arrangements, and there was a system of oversight (being the Commissioner, the IPT itself, and the ISC) which ensured that these arrangements were kept under review. The IPT was satisfied that, as a result of what it had heard at the closed hearing and the 9 October disclosure as amended, there was no large databank of communications data being built up and that there were adequate arrangements in respect of the duration of the retention of data and its destruction. As with the PRISM issue, the IPT considered that the section 8(4) arrangements were sufficiently signposted in statute, in the Code of Practice, in the Interception of Communications Commissioner's reports and, now, in its own judgment.
46. As regards the fourth and final question, the IPT did not make any finding as to whether there was in fact indirect discrimination on grounds of national origin as a result of the different regimes applicable to individuals located in the British Islands and those located outside, since it considered that any indirect discrimination was sufficiently justified on the grounds that it was harder to investigate terrorist and criminal threats from abroad. Given that the purpose of accessing external communications was primarily to obtain information relating to those abroad, the consequence of eliminating the distinction would be the need to obtain a certificate under section 16(3) of RIPA (which exceptionally allowed access to material concerning persons within the British Islands intercepted under a section 8(4) warrant - see paragraph 80 below) in almost every case, which would radically undermine the efficacy of the section 8(4) regime.
47 . Finally, in respect of Article 10, the applicants argued that its protection applied to investigatory NGOs as to journalists. Amnesty initially alleged before the IPT that there were likely to be no adequate arrangements for material protected by legal professional privilege, a complaint which was subsequently "hived off" to be dealt with in the Belhadj case (see paragraphs 92-94 below), to which Amnesty was joined as an additional claimant. No similar argument was made in respect of NGO confidence until 17 November 2014 (the first and second open hearings having taken place in July and October 2014). As the IPT considered that this argument could have been raised at any time, in its judgment it had been raised "far too late" to be incorporated into the ambit of the proceedings.
48. With regard to the remaining Article 10 complaints, the IPT noted that there was no separate argument over and above that arising in respect of Article 8. Although the IPT observed that there might be a special argument relating to the need for judicial pre-authorisation of a warrant (referring to Sanoma Uitgevers B.V. v. the Netherlands [GC], no. 38224/03, 14 September 2010), it emphasised that the applicants' case did not concern targeted surveillance of journalists or non-governmental organisations. In any case, in the context of untargeted monitoring via a section 8(4) warrant, it was "clearly impossible" to anticipate a judicial pre-authorisation prior to the warrant limited to what might turn out to impact upon Article 10. Although the IPT accepted that an issue might arise in the event that, in the course of examination of the contents, some question of journalistic confidence arose, it observed that there were additional safeguards in the Code of Practice in relation to treatment of such material.
49 . Following the publication of the judgment, the parties were invited to make submissions on whether, prior to the disclosures made to the IPT, the legal regime in place in respect of the PRISM issue complied with Articles 8 and 10 and on the proportionality and lawfulness of any alleged interception of their communications. The IPT did not see any need for further submissions on the proportionality of the section 8(4) regime as a whole.
3. The IPT's second judgment of 6 February 2015
50. In its second judgment of 6 February 2015, the IPT considered whether, prior to its December 2014 judgment, the PRISM or Upstream arrangements breached Article 8 and/or 10 of the Convention.
51. It agreed that it was only by reference to the 9 October disclosure as amended that it was satisfied the current regime was "in accordance with the law". The IPT was of the view that without the disclosures made, there would not have been adequate signposting, as was required under Articles 8 and 10. It therefore made a declaration that prior to the disclosures made:
"23. ... [T]he regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or ... Upstream, contravened Articles 8 or 10 ECHR, but now complies."
4. The IPT's third judgment of 22 June 2015 as amended by its 1 July 2015 letter
52. The third judgment of the IPT, published on 22 June 2015, determined whether the applicants' communications obtained under PRISM or Upstream had been solicited, received, stored or transmitted by the United Kingdom authorities in contravention of Articles 8 and/or 10 of the Convention; and whether the applicants' communications had been intercepted, viewed, stored or transmitted by the United Kingdom authorities so as to amount to unlawful conduct or in contravention of Articles 8 and/or 10.
53 . The IPT made no determination in favour of eight of the ten applicants. In line with its usual practice where it did not find in favour of the claimant, it did not confirm whether or not their communications had been intercepted. However, in relation to two applicants the IPT made determinations. The identity of one of the organisations was wrongly noted in the judgment and the error was corrected by the IPT's letter of 1 July 2015.
54 . In respect of Amnesty International, the IPT found that email communications had been lawfully and proportionately intercepted and accessed pursuant to section 8(4) of RIPA but that the time-limit for retention permitted under the internal policies of GCHQ had been overlooked and the material had therefore been retained for longer than permitted. However, the IPT was satisfied that the material had not been accessed after the expiry of the relevant retention time-limit and that the breach could be characterised as a technical one. It amounted nonetheless to a breach of Article 8 and GCHQ was ordered to destroy any of the communications which had been retained for longer than the relevant period and to deliver one hard copy of the documents within seven days to the Interception of Communications Commissioner to retain for five years in case they were needed for any further legal proceedings. GCHQ was also ordered to provide a closed report within fourteen days confirming the destruction of the documents. No award of compensation was made.
55 . In respect of the Legal Resources Centre, the IPT found that communications from an email address associated with the applicant had been intercepted and selected for examination under a section 8(4) warrant. Although it was satisfied the interception was lawful and proportionate and that selection for examination was proportionate, the IPT found that the internal procedure for selection was, in error, not followed. There had therefore been a breach of the Legal Resources Centre's Article 8 rights. However, the IPT was satisfied that no use was made of the material and that no record had been retained so the applicant had not suffered material detriment, damage or prejudice. Its determination therefore constituted just satisfaction and no compensation was awarded.
II. RELEVANT DOMESTIC LAW AND PRACTICE
A. The interception of communications
56 . Section 1(1) of RIPA renders unlawful the interception of any communication in the course of its transmission by means of a public postal service or a public telecommunication system unless it takes place in accordance with a warrant under section 5 ("intercept warrant").
57 . Section 5(2) allows the Secretary of State to authorise an intercept warrant if he believes: that it is necessary for the reasons set out in section 5(3), namely that it is in the interests of national security, for the purpose of preventing or detecting serious crime, or for safeguarding the economic well-being of the United Kingdom; and that the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct. In assessing necessity and proportionality, account should be taken of whether the information sought under the warrant could reasonably be obtained by other means.
58 . Section 81(2)(b) of RIPA defines "serious crime" as crime which satisfies one of the following criteria:
"(a) that the offence or one of the offences that is or would be constituted by the conduct is an offence for which a person who has attained the age of twenty-one and has no previous convictions could reasonably be expected to be sentenced to imprisonment for a term of three years or more;
(b) that the conduct involves the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose."
59 . Section 81(5) provides:
"For the purposes of this Act detecting crime shall be taken to include-�
(a) establishing by whom, for what purpose, by what means and generally in what circumstances any crime was committed; and
(b) the apprehension of the person by whom any crime was committed;
and any reference in this Act to preventing or detecting serious crime shall be construed accordingly ..."
60. Section 6 provides that in respect of the intelligence services, only the Director General of MI5, the Chief of MI6 and the Director of GCHQ may apply for an intercept warrant.
61. There are two types of intercept warrant to which sections 5 and 6 apply: a targeted warrant as provided for by section 8(1); and an untargeted warrant as provided for by section 8(4).
62 . By virtue of section 9 of RIPA, a warrant issued in the interests of national security or for safeguarding the economic well-being of the United Kingdom shall cease to have effect at the end of six months, and a warrant issued for the purpose of detecting serious crime shall cease to have effect after three months. At any time before the end of those periods, the Secretary of State may renew the warrant (for periods of six and three months respectively) if he believes that the warrant continues to be necessary on grounds falling within section 5(3). The Secretary of State shall cancel an interception warrant if he is satisfied that the warrant is no longer necessary on grounds falling within section 5(3).
63 . Pursuant to section 5(6), the conduct authorised by an interception warrant shall be taken to include the interception of communications not identified by the warrant if necessary to do what is expressly authorised or required by the warrant; and the obtaining of related communications data.
64. Section 21(4) defines "communications data" as
"(a) any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;
(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person-�
i. of any postal service or telecommunications service; or
ii. in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;
(c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service."
65. The March 2015 Acquisition and Disclosure of Communications Data Code of Practice refers to these three categories as "traffic data", "service use information", and "subscriber information". Section 21(6) of RIPA further defines "traffic data" as data which identifies the person, apparatus, location or address to or from which a communication is transmitted, and information about a computer file or program accessed or run in the course of sending or receiving a communication.
66. Section 20 defines "related communications data", in relation to a communication intercepted in the course of its transmission by means of a postal service or telecommunication system, as communications data "obtained by, or in connection with, the interception"; and which "relates to the communication or to the sender or recipient, or intended recipient, of the communication".
67 . "Bulk interception" of communications is carried out pursuant to a section 8(4) warrant. Section 8(4) and (5) of RIPA allows the Secretary of State to issue a warrant for "the interception of external communications in the course of their transmission by means of a telecommunication system".
68. At the time of issuing a section 8(4) warrant, the Secretary of State must also issue a certificate setting out a description of the intercepted material which he considers it necessary to examine, and stating that he considers the examination of that material to be necessary for the reasons set out in section 5(3) (that is, that it is necessary in the interests of national security, for the purpose of preventing or detecting serious crime, or for safeguarding the economic well-being of the United Kingdom).
69. Section 20 defines "external communication" as "a communication sent or received outside the British Islands".
70. In the course of the Liberty proceedings, Charles Farr, the Director General of the OSCT, indicated that two people in the United Kingdom who email each other are engaging in "internal communication" even if the email service was housed on a server in the United States of America; however, that communication may be intercepted as a "by-catch" of a warrant targeting external communications. On the other hand, a person in the United Kingdom who communicates with a search engine overseas is engaging in an external communication, as is a person in the United Kingdom who posts a public message (such as a tweet or Facebook status update), unless all the recipients of that message are in the British Islands.
71 . Giving evidence to the Intelligence and Security Committee of Parliament in October 2014, the Secretary of State for the Foreign and Commonwealth considered that:
"-� In terms of an email, if one or both of the sender or recipient is overseas then this would be an external communication.
-� In terms of browsing the Internet, if an individual reads the Washington Post's website, then they have 'communicated' with a web server located overseas, and that is therefore an external communication.
-� In terms of social media, if an individual posts something on Facebook, because the web server is based overseas, this would be treated as an external communication.
-� In terms of cloud storage (for example, files uploaded to Dropbox), these would be treated as external communications, because they have been sent to a web server overseas."
3. Specific safeguards under RIPA
72 . Pursuant to Section 15(1), it is the duty of the Secretary of State to ensure, in relation to all interception warrants, that such arrangements are in force as he considers necessary for securing that the requirements of subsections (2) and (3) are satisfied in relation to the intercepted material and any related communications data; and, in the case of warrants in relation to which there are section 8(4) certificates, that the requirements of section 16 are also satisfied.
73. Section 15(2) provides:
"The requirements of this subsection are satisfied in relation to the intercepted material and any related communications data if each of the following-�
(a) the number of persons to whom any of the material or data is disclosed or otherwise made available,
(b) the extent to which any of the material or data is disclosed or otherwise made available,
(c) the extent to which any of the material or data is copied, and
(d) the number of copies that are made,
is limited to the minimum that is necessary for the authorised purposes."
74 . Section 15(3) provides:
"The requirements of this subsection are satisfied in relation to the intercepted material and any related communications data if each copy made of any of the material or data (if not destroyed earlier) is destroyed as soon as there are no longer any grounds for retaining it as necessary for any of the authorised purposes."
75. Pursuant to section 15(4), something is necessary for the authorised purposes if, and only if, it continues to be, or is likely to become, necessary as mentioned in section 5(3) of the Act (that is, it is necessary in the interests of national security, for the purpose of preventing or detecting serious crime; for the purpose of safeguarding the economic well-being of the United Kingdom; or for the purpose of giving effect to the provisions of any international mutual assistance agreement); it is necessary for facilitating the carrying out of any of the interception functions of the Secretary of State; it is necessary for facilitating the carrying out of any functions of the Interception of Communications Commissioner or of the IPT; it is necessary to ensure that a person conducting a criminal prosecution has the information he needs to determine what is required of him by his duty to secure the fairness of the prosecution; or it is necessary for the performance of any duty imposed on any person under public records legislation.
76. Section 15(5) requires the arrangements in place to secure compliance with section 15(2) to include such arrangements as the Secretary of State considers necessary for securing that every copy of the material or data that is made is stored, for so long as it is retained, in a secure manner.
77 . Pursuant to section 15(6), the arrangements to which section 15(1) refers are not required to secure that the requirements of section 15(2) and (3) are satisfied in so far as they relate to any of the intercepted material or related communications data, or any copy of any such material or data, possession of which has been surrendered to any authorities of a country or territory outside the United Kingdom. However, such arrangements are required to secure, in the case of every such warrant, that possession of the intercepted material and data and of copies of the material or data is surrendered to authorities of a country or territory outside the United Kingdom only if the requirements of section 15(7) are satisfied. Section 15(7) provides:
"The requirements of this subsection are satisfied in the case of a warrant if it appears to the Secretary of State-�
(a) that requirements corresponding to those of subsections (2) and (3) will apply, to such extent (if any) as the Secretary of State thinks fit, in relation to any of the intercepted material or related communications data possession of which, or of any copy of which, is surrendered to the authorities in question; and
(b) that restrictions are in force which would prevent, to such extent (if any) as the Secretary of State thinks fit, the doing of anything in, for the purposes of or in connection with any proceedings outside the United Kingdom which would result in such a disclosure as, by virtue of section 17, could not be made in the United Kingdom."
78 . Section 16 sets out additional safeguards in relation to the interception of "external" communications under section 8(4) warrants. Section 16(1) requires that intercepted material may only be read, looked at or listened to by the persons to whom it becomes available by virtue of the warrant if and to the extent that it has been certified as material the examination of which is necessary as mentioned in section 5(3) of the Act; and falls within section 16(2). Section 20 defines "intercepted material" as the contents of any communications intercepted by an interception to which the warrant relates.
79 . Section 16(2) provides:
"Subject to subsections (3) and (4), intercepted material falls within this subsection so far only as it is selected to be read, looked at or listened to otherwise than according to a factor which-�
(a) is referable to an individual who is known to be for the time being in the British Islands; and
(b) has as its purpose, or one of its purposes, the identification of material contained in communications sent by him, or intended for him."
80 . Pursuant to section 16(3), intercepted material falls within section 16(2), notwithstanding that it is selected by reference to one of the factors mentioned in that subsection, if it is certified by the Secretary of State for the purposes of section 8(4) that the examination of material selected according to factors referable to the individual in question is necessary as mentioned in subsection 5(3) of the Act; and the material relates only to communications sent during a period specified in the certificate that is no longer than the permitted maximum.
81. The "permitted maximum" is defined in section 16(3A) as follows:
"(a) in the case of material the examination of which is certified for the purposes of section 8(4) as necessary in the interests of national security, six months; and
(b) in any other case, three months."
82. Pursuant to section 16(4), intercepted material also falls within section 16(2), even if it is selected by reference to one of the factors mentioned in that subsection, if the person to whom the warrant is addressed believes, on reasonable grounds, that the circumstances are such that the material would fall within that subsection; or the conditions set out in section 16(5) are satisfied in relation to the selection of the material.
83. Section 16(5) provides:
"Those conditions are satisfied in relation to the selection of intercepted material if -�
(a) it has appeared to the person to whom the warrant is addressed that there has been such a relevant change of circumstances as, but for subsection (4)(b), would prevent the intercepted material from falling within subsection (2);
(b) since it first so appeared, a written authorisation to read, look at or listen to the material has been given by a senior official; and
(c) the selection is made before the end of the permitted period."
84. Pursuant to section 16(5A), the "permitted period" means:
"(a) in the case of material the examination of which is certified for the purposes of section 8(4) as necessary in the interests of national security, the period ending with the end of the fifth working day after it first appeared as mentioned in subsection (5)(a) to the person to whom the warrant is addressed; and
(b) in any other case, the period ending with the end of the first working day after it first so appeared to that person."
85 . Section 16(6) explains that a "relevant change of circumstances" means that it appears that either the individual in question has entered the British Islands; or that a belief by the person to whom the warrant is addressed in the individual's presence outside the British Islands was in fact mistaken.
86. Giving evidence to the Intelligence and Security Committee of Parliament in October 2014, the Secretary of State for the Foreign and Commonwealth explained that:
"When an analyst selects communications that have been intercepted under the authority of an 8(4) warrant for examination, it does not matter what form of communication an individual uses, or whether his other communications are stored on a dedicated mail server or in cloud storage physically located in the UK, the US or anywhere else (and in practice the individual user of cloud services will not know where it is stored). If he or she is known to be in the British Islands it is not permissible to search for his or her communications by use of his or her name, e-mail address or any other personal identifier."
4. The Interception of Communications Code of Practice
87. Section 71 of RIPA provides for the adoption of codes of practice by the Secretary of State in relation to the exercise and performance of his powers and duties under the Act. Draft codes of practice must be laid before Parliament and are public documents. They can only enter into force in accordance with an order of the Secretary of State. The Secretary of State can only make such an order if a draft of the order has been laid before Parliament and approved by a resolution of each House.
88. Under section 72(1) of RIPA, a person exercising or performing any power or duty relating to interception of communications must have regard to the relevant provisions of a code of practice. The provisions of a code of practice may, in appropriate circumstances, be taken into account by courts and tribunals under section 72(4) RIPA.
89. The Interception of Communication Code of Practice ("the IC Code") was issued pursuant to section 71 of RIPA. The IC Code currently in force was issued in 2016.
90 . Insofar as relevant, the IC Code provides:
"3.2. There are a limited number of persons who can make an application for an interception warrant, or an application can be made on their behalf. These are:
- The Director-General of the Security Service.
- The Chief of the Secret Intelligence Service.
- The Director of the Government Communications Headquarters (GCHQ).
- The Director-General of the National Crime Agency (NCA handles interception on behalf of law enforcement bodies in England and Wales).
- The Chief Constable of the Police Service of Scotland.
- The Commissioner of the Police of the Metropolis (the Metropolitan Police Counter Terrorism Command handles interception on behalf of Counter Terrorism Units, Special Branches and some police force specialist units in England and Wales).
- The Chief Constable of the Police Service of Northern Ireland.
- The Commissioners of Her Majesty's Revenue & Customs (HMRC).
- The Chief of Defence Intelligence.
- A person who, for the purposes of any international mutual assistance agreement, is the competent authority of a country or territory outside the UK.
3.3. Any application made on behalf of one of the above must be made by a person holding office under the Crown.
3.4. All interception warrants are issued by the Secretary of State. Even where the urgency procedure is followed, the Secretary of State personally authorises the warrant, although it is signed by a senior official.
Necessity and proportionality
3.5. Obtaining a warrant under RIPA will only ensure that the interception authorised is a justifiable interference with an individual's rights under Article 8 (right to respect for private and family life) of the European Convention on Human Rights (ECHR) if it is necessary and proportionate for the interception to take place. RIPA recognises this by first requiring that the Secretary of State believes that the authorisation is necessary for one or more of the following statutory grounds:
- In the interests of national security;
- To prevent or detect serious crime;
- To safeguard the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
3.6. These purposes are set out in section 5(3) of RIPA. The Secretary of State must also believe that the interception is proportionate to what is sought to be achieved by that conduct. Any assessment of proportionality involves balancing the seriousness of the intrusion into the privacy or property of the subject of the operation (or any other person who may be affected) against the need for the activity in investigative, operational or capability terms. The warrant will not be proportionate if it is excessive in the overall circumstances of the case. Each action authorised should bring an expected benefit to the investigation or operation and should not be disproportionate or arbitrary. The fact that there is a potential threat to national security (for example) may not alone render the most intrusive actions proportionate. No interference should be considered proportionate if the information which is sought could reasonably be obtained by other less intrusive means.
3.7. The following elements of proportionality should therefore be considered:
- Balancing the size and scope of the proposed interference against what is sought to be achieved;
- Explaining how and why the methods to be adopted will cause the least possible intrusion on the subject and others;
- Considering whether the activity is an appropriate use of the legislation and a reasonable way, having considered all reasonable alternatives, of obtaining the necessary result;
- Evidencing, as far as reasonably practicable, what other methods have been considered and were either not implemented or have been employed but which are assessed as insufficient to fulfil operational objectives without the addition of the intercept material sought.
...
Duration of interception warrants
3.18. Interception warrants issued on serious crime grounds are valid for an initial period of three months. Interception warrants issued on national security/economic well-being of the UK grounds are valid for an initial period of six months. A warrant issued under the urgency procedure (on any grounds) is valid for five working days following the date of issue unless renewed by the Secretary of State.
3.19. Upon renewal, warrants issued on serious crime grounds are valid for a further period of three months. Warrants renewed on national security/economic well-being of the UK grounds are valid for a further period of six months. These dates run from the date on the renewal instrument.
3.20. Where modifications to an interception warrant are made, the warrant expiry date remains unchanged. However, where the modification takes place under the urgency provisions, the modification instrument expires after five working days following the date of issue, unless it is renewed in line with the routine procedure.
3.21. Where a change in circumstance leads the intercepting agency to consider it no longer necessary, proportionate or practicable for a warrant to be in force, the agency must make a recommendation to the Secretary of State that it should be cancelled with immediate effect.
...
4. SPECIAL RULES ON INTERCEPTION WITH A WARRANT
Collateral intrusion
4.1. Consideration should be given to any interference with the privacy of individuals who are not the subject of the intended interception, especially where communications relating to religious, medical, journalistic or legally privileged material may be involved, or where communications between a Member of Parliament and another person on constituency business may be involved or communications between a Member of Parliament and a whistle-blower. An application for an interception warrant should state whether the interception is likely to give rise to a degree of collateral infringement of privacy. A person applying for an interception warrant must also consider measures, including the use of automated systems, to reduce the extent of collateral intrusion. Where it is possible to do so, the application should specify those measures. These circumstances and measures will be taken into account by the Secretary of State when considering a warrant application made under section 8(1) of RIPA. Should an interception operation reach the point where individuals other than the subject of the authorisation are identified as investigative targets in their own right, consideration should be given to applying for separate warrants covering those individuals.
Confidential information
4.2. Particular consideration should also be given in cases where the subject of the interception might reasonably assume a high degree of privacy, or where confidential information is involved. This includes where the communications relate to legally privileged material; where confidential journalistic material may be involved; where interception might involve communications between a medical professional or Minister of Religion and an individual relating to the latter's health or spiritual welfare; or where communications between a Member of Parliament and another person on constituency business may be involved.
4.3. Confidential journalistic material includes material acquired or created for the purposes of journalism and held subject to an undertaking to hold it in confidence, as well as communications resulting in information being acquired for the purposes of journalism and held subject to such an undertaking. See also paragraphs 4.26 and 4.28 - 4.31 for additional safeguards that should be applied in respect of confidential journalistic material.
...
Communications involving confidential journalistic material, confidential personal information and communications between a Member of Parliament and another person on constituency business
4.26. Particular consideration must also be given to the interception of communications that involve confidential journalistic material, confidential personal information, or communications between a Member of Parliament and another person on constituency business. Confidential journalistic material is explained at paragraph 4.3. Confidential personal information is information held in confidence concerning an individual (whether living or dead) who can be identified from it, and the material in question relates to his or her physical or mental health or to spiritual counselling. Such information can include both oral and written communications. Such information as described above is held in confidence if it is held subject to an express or implied undertaking to hold it in confidence, or is subject to a restriction on disclosure or an obligation of confidentiality contained in existing legislation. For example, confidential personal information might include consultations between a health professional and a patient, or information from a patient's medical records.
...
4.28. Where the intention is to acquire confidential personal information, the reasons should be clearly documented and the specific necessity and proportionality of doing so should be carefully considered. If the acquisition of confidential personal information is likely but not intended, any possible mitigation steps should be considered and, if none is available, consideration should be given to whether special handling arrangements are required within the intercepting agency.
4.29. Material which has been identified as confidential information should be retained only where it is necessary and proportionate to do so for one or more of the authorised purposes set out in section 15(4). It must be securely destroyed when its retention is no longer needed for those purposes. If such information is retained, there must be adequate information management systems in place to ensure that continued retention remains necessary and proportionate for the authorised statutory purposes.
4.30. Where confidential information is retained or disseminated to an outside body, reasonable steps should be taken to mark the information as confidential. Where there is any doubt as to the lawfulness of the proposed handling or dissemination of confidential information, advice should be sought from a legal adviser within the relevant intercepting agency and before any further dissemination of the material takes place.
4.31. Any case where confidential information is retained should be notified to the Interception of Communications Commissioner as soon as reasonably practicable, as agreed with the Commissioner. Any material which has been retained should be made available to the Commissioner on request.
4.32. The safeguards set out in paragraphs 4.28 - 4.31 also apply to any section 8(4) material (see chapter 6) which is selected for examination and which constitutes confidential information.
...
6. INTERCEPTION WARRANTS (SECTION 8(4))
6.1. This section applies to the interception of external communications by means of a warrant complying with section 8(4) of RIPA.
6.2. In contrast to section 8(1), a section 8(4) warrant instrument need not name or describe the interception subject or a set of premises in relation to which the interception is to take place. Neither does section 8(4) impose an express limit on the number of external communications which may be intercepted. For example, if the requirements of sections 8(4) and (5) are met, then the interception of all communications transmitted on a particular route or cable, or carried by a particular CSP, could, in principle, be lawfully authorised. This reflects the fact that section 8(4) interception is an intelligence gathering capability, whereas section 8(1) interception is primarily an investigative tool that is used once a particular subject for interception has been identified.
6.3. Responsibility for the issuing of interception warrants under section 8(4) of RIPA rests with the Secretary of State. When the Secretary of State issues a warrant of this kind, it must be accompanied by a certificate. The certificate ensures that a selection process is applied to the intercepted material so that only material described in the certificate is made available for human examination. If the intercepted material cannot be selected to be read, looked at or listened to with due regard to proportionality and the terms of the certificate, then it cannot be read, looked at or listened to by anyone.
Section 8(4) interception in practice
6.4. A section 8(4) warrant authorises the interception of external communications. Where a section 8(4) warrant results in the acquisition of large volumes of communications, the intercepting agency will ordinarily apply a filtering process to automatically discard communications that are unlikely to be of intelligence value. Authorised persons within the intercepting agency may then apply search criteria to select communications that are likely to be of intelligence value in accordance with the terms of the Secretary of State's certificate. Before a particular communication may be accessed by an authorised person within the intercepting agency, the person must provide an explanation of why it is necessary for one of the reasons set out in the certificate accompanying the warrant issued by the Secretary of State, and why it is proportionate in the particular circumstances. This process is subject to internal audit and external oversight by the Interception of Communications Commissioner. Where the Secretary of State is satisfied that it is necessary, he or she may authorise the selection of communications of an individual who is known to be in the British Islands. In the absence of such an authorisation, an authorised person must not select such communications.
Definition of external communications
6.5. External communications are defined by RIPA to be those which are sent or received outside the British Islands. They include those which are both sent and received outside the British Islands, whether or not they pass through the British Islands in the course of their transmission. They do not include communications both sent and received in the British Islands, even if they pass outside the British Islands en route. For example, an email from a person in London to a person in Birmingham will be an internal, not external communication for the purposes of section 20 of RIPA, whether or not it is routed via IP addresses outside the British Islands, because the sender and intended recipient are within the British Islands.
Intercepting non-external communications under section 8(4) warrants
6.6. Section 5(6)(a) of RIPA makes clear that the conduct authorised by a section 8(4) warrant may, in principle, include the interception of communications which are not external communications to the extent this is necessary in order to intercept the external communications to which the warrant relates.
6.7. When conducting interception under a section 8(4) warrant, an intercepting agency must use its knowledge of the way in which international communications are routed, combined with regular surveys of relevant communications links, to identify those individual communications bearers that are most likely to contain external communications that will meet the descriptions of material certified by the Secretary of State under section 8(4). It must also conduct the interception in ways that limit the collection of non-external communications to the minimum level compatible with the objective of intercepting wanted external communications.
Application for a section 8(4) warrant
6.8. An application for a warrant is made to the Secretary of State. Interception warrants, when issued, are addressed to the person who submitted the application. The purpose of such a warrant will typically reflect one or more of the intelligence priorities set by the National Security Council (NSC).
6.9. Prior to submission, each application is subject to a review within the agency making the application. This involves scrutiny by more than one official, who will consider whether the application is for a purpose falling within section 5(3) of RIPA and whether the interception proposed is both necessary and proportionate.
6.10. Each application, a copy of which must be retained by the applicant, should contain the following information:
- Background to the operation in question:
Description of the communications to be intercepted, details of the CSP(s) and an assessment of the feasibility of the operation where this is relevant; and
Description of the conduct to be authorised, which must be restricted to the interception of external communications, or the conduct (including the interception of other communications not specifically identified by the warrant as foreseen under section 5(6)(a) of RIPA) it is necessary to undertake in order to carry out what is authorised or required by the warrant, and the obtaining of related communications data.
- The certificate that will regulate examination of intercepted material;
- An explanation of why the interception is considered to be necessary for one or more of the section 5(3) purposes;
- A consideration of why the conduct to be authorised by the warrant is proportionate to what is sought to be achieved by that conduct;
- Where an application is urgent, supporting justification;
- An assurance that intercepted material will be read, looked at or listened to only so far as it is certified and it meets the conditions of sections 16(2)-16(6) of RIPA; and
- An assurance that all material intercepted will be handled in accordance with the safeguards required by sections 15 and 16 of RIPA (see paragraphs 7.2 and 7.10 respectively).
Authorisation of a section 8(4) warrant
6.11. Before issuing a warrant under section 8(4), the Secretary of State must believe the warrant is necessary:
- In the interests of national security;
- For the purpose of preventing or detecting serious crime; or
- For the purpose of safeguarding the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
6.12. The power to issue an interception warrant for the purpose of safeguarding the economic well-being of the UK (as provided for by section 5(3)(c) of RIPA), may only be exercised where it appears to the Secretary of State that the circumstances are relevant to the interests of national security. The Secretary of State will not issue a warrant on section 5(3)(c) grounds if a direct link between the economic well-being of the UK and national security is not established. Any application for a warrant on section 5(3)(c) grounds should therefore identify the circumstances that are relevant to the interests of national security.
6.13. The Secretary of State must also consider that the conduct authorised by the warrant is proportionate to what it seeks to achieve (section 5(2)(b)). In considering necessity and proportionality, the Secretary of State must take into account whether the information sought could reasonably be obtained by other means (section 5(4)).
6.14. When the Secretary of State issues a warrant of this kind, it must be accompanied by a certificate in which the Secretary of State certifies that he or she considers examination of the intercepted material to be necessary for one or more of the section 5(3) purposes. The purpose of the statutory certificate is to ensure that a selection process is applied to intercepted material so that only material described in the certificate is made available for human examination. Any certificate must broadly reflect the "Priorities for Intelligence Collection" set by the NSC for the guidance of the intelligence agencies. For example, a certificate might provide for the examination of material providing intelligence on terrorism (as defined in the Terrorism Act 2000) or on controlled drugs (as defined by the Misuse of Drugs Act 1971). The Interception of Communications Commissioner must review any changes to the descriptions of material specified in a certificate.
6.15. The Secretary of State has a duty to ensure that arrangements are in force for securing that only that material which has been certified as necessary for examination for a section 5(3) purpose, and which meets the conditions set out in section 16(2) to section 16(6) is, in fact, read, looked at or listened to. The Interception of Communications Commissioner is under a duty to review the adequacy of those arrangements.
Urgent authorisation of a section 8(4) warrant
6.16. RIPA makes provision (section 7(l)(b)) for cases in which an interception warrant is required urgently, yet the Secretary of State is not available to sign the warrant. In these cases the Secretary of State will still personally authorise the interception but the warrant is signed by a senior official, following discussion of the case between officials and the Secretary of State. RIPA restricts the issue of warrants in this way to urgent cases where the Secretary of State has personally and expressly authorised the issue of the warrant (section 7(2)(a)), and requires the warrant to contain a statement to that effect (section 7(4)(a)).
6.17. A warrant issued under the urgency procedure lasts for five working days following the date of issue unless renewed by the Secretary of State, in which case it expires after three months in the case of serious crime or six months in the case of national security or economic well-being, in the same way as other section 8(4) warrants.
Format of a section 8(4) warrant
6.18. Each warrant is addressed to the person who submitted the application. A copy may then be served upon such providers of communications services as he or she believes will be able to assist in implementing the interception. CSPs will not normally receive a copy of the certificate. The warrant should include the following:
- A description of the communications to be intercepted;
- The warrant reference number; and
- Details of the persons who may subsequently modify the certificate applicable to the warrant in an urgent case (if authorised in accordance with section 10(7) of RIPA).
Modification of a section 8(4) warrant and/or certificate
6.19. Interception warrants and certificates may be modified under the provisions of section 10 of RIPA. A warrant may only be modified by the Secretary of State or, in an urgent case, by a senior official with the express authorisation of the Secretary of State. In these cases a statement of that fact must be endorsed on the modifying instrument, and the modification ceases to have effect after five working days following the date of issue unless it is endorsed by the Secretary of State.
6.20. A certificate must be modified by the Secretary of State, except in an urgent case where a certificate may be modified by a senior official provided that the official holds a position in which he or she is expressly authorised by provisions contained in the certificate to modify the certificate on the Secretary of State's behalf, or the Secretary of State has expressly authorised the modification and a statement of that fact is endorsed on the modifying instrument. In the latter case, the modification ceases to have effect after five working days following the date of issue unless it is endorsed by the Secretary of State.
6.21. Where the Secretary of State is satisfied that it is necessary, a certificate may be modified to authorise the selection of communications of an individual in the British Islands. An individual's location should be assessed using all available information. If it is not possible, to determine definitively where the individual is located using that information, an informed assessment should be made, in good faith, as to the individual's location. If an individual is strongly suspected to be in the UK, the arrangements set out in this paragraph will apply.
Renewal of a section 8(4) warrant
6.22. The Secretary of State may renew a warrant at any point before its expiry date. Applications for renewals are made to the Secretary of State and contain an update of the matters outlined in paragraph 6.10 above. In particular, the applicant must give an assessment of the value of interception to date and explain why it is considered that interception continues to be necessary for one or more of the purposes in section 5(3), and why it is considered that interception continues to be proportionate.
6.23. Where the Secretary of State is satisfied that the interception continues to meet the requirements of RIPA, the Secretary of State may renew the warrant. Where the warrant is issued on serious crime grounds, the renewed warrant is valid for a further three months. Where it is issued on national security/economic well-being grounds the renewed warrant is valid for six months. These dates run from the date of signature on the renewal instrument.
6.24. In those circumstances where the assistance of CSPs has been sought, a copy of the warrant renewal instrument will be forwarded to all those on whom a copy of the original warrant instrument has been served, providing they are still actively assisting. A renewal instrument will include the reference number of the warrant or warrants being renewed under this single instrument.
Warrant cancellation
6.25. The Secretary of State must cancel an interception warrant if, at any time before its expiry date, he or she is satisfied that the warrant is no longer necessary on grounds falling within section 5(3) of RIPA. Intercepting agencies will therefore need to keep their warrants under continuous review and must notify the Secretary of State if they assess that the interception is no longer necessary. In practice, the responsibility to cancel a warrant will be exercised by a senior official in the warrant issuing department on behalf of the Secretary of State.
6.26. The cancellation instrument will be addressed to the person to whom the warrant was issued (the intercepting agency). A copy of the cancellation instrument should be sent to those CSPs, if any, who have given effect to the warrant during the preceding twelve months.
Records
6.27. The oversight regime allows the Interception of Communications Commissioner to inspect the warrant application upon which the Secretary of State's decision is based, and the interception agency may be required to justify the content. Each intercepting agency should keep the following to be made available for scrutiny by the Commissioner as he or she may require:
- All applications made for warrants complying with section 8(4), and applications made for the renewal of such warrants;
- All warrants and certificates, and copies of renewal and modification instruments (if any);
- Where any application is refused, the grounds for refusal as given by the Secretary of State;
- The dates on which interception started and stopped.
6.28. Records should also be kept of the arrangements for securing that only material which has been certified for examination for a purpose under section 5(3) and which meets the conditions set out in section 16(2) - 16(6) of RIPA in accordance with section 15 of RIPA is, in fact, read, looked at or listened to. Records should be kept of the arrangements by which the requirements of section 15(2) (minimisation of copying and distribution of intercepted material) and section 15(3) (destruction of intercepted material) are to be met. For further details see the chapter on "Safeguards".
7. SAFEGUARDS
7.1. All material intercepted under the authority of a warrant complying with section 8(1) or section 8(4) of RIPA and any related communications data must be handled in accordance with safeguards which the Secretary of State has approved in conformity with the duty imposed on him or her by RIPA. These safeguards are made available to the Interception of Communications Commissioner, and they must meet the requirements of section 15 of RIPA which are set out below. In addition, the safeguards in section 16 of RIPA apply to warrants complying with section 8(4). Any breach of these safeguards must be reported to the Interception of Communications Commissioner. The intercepting agencies must keep their internal safeguards under periodic review to ensure that they remain up-to-date and effective. During the course of such periodic reviews, the agencies must consider whether more of their internal arrangements might safely and usefully be put into the public domain.
The section 15 safeguards
7.2. Section 15 of RIPA requires that disclosure, copying and retention of intercepted material is limited to the minimum necessary for the authorised purposes. Section 15(4) of RIPA provides that something is necessary for the authorised purposes if the intercepted material:
- Continues to be, or is likely to become, necessary for any of the purposes set out in section 5(3) - namely, in the interests of national security, for the purpose of preventing or detecting serious crime, or for the purpose, in circumstances appearing to the Secretary of State to be relevant to the interests of national security, of safeguarding the economic well-being of the UK;
- Is necessary for facilitating the carrying out of the functions of the Secretary of State under Chapter I of Part I of RIPA;
- Is necessary for facilitating the carrying out of any functions of the Interception of Communications Commissioner or the Tribunal;
- Is necessary to ensure that a person conducting a criminal prosecution has the information needed to determine what is required of him or her by his or her duty to secure the fairness of the prosecution; or
- Is necessary for the performance of any duty imposed by the Public Record Acts.
Dissemination of intercepted material
7.3. The number of persons to whom any of the intercepted material is disclosed, and the extent of disclosure, is limited to the minimum that is necessary for the authorised purposes set out in section 15(4) of RIPA. This obligation applies equally to disclosure to additional persons within an agency, and to disclosure outside the agency. It is enforced by prohibiting disclosure to persons who have not been appropriately vetted and also by the need-to-know principle: intercepted material must not be disclosed to any person unless that person's duties, which must relate to one of the authorised purposes, are such that he or she needs to know about the intercepted material to carry out those duties. In the same way, only so much of the intercepted material may be disclosed as the recipient needs. For example, if a summary of the intercepted material will suffice, no more than that should be disclosed.
7.4. The obligations apply not just to the original interceptor, but also to anyone to whom the intercepted material is subsequently disclosed. In some cases this will be achieved by requiring the latter to obtain the originator's permission before disclosing the intercepted material further. In others, explicit safeguards are applied to secondary recipients.
7.5. Where intercepted material is disclosed to the authorities of a country or territory outside the UK, the agency must take reasonable steps to ensure that the authorities in question have and will maintain the necessary procedures to safeguard the intercepted material, and to ensure that it is disclosed, copied, distributed and retained only to the minimum extent necessary. In particular, the intercepted material must not be further disclosed to the authorities of a third country or territory unless explicitly agreed with the issuing agency, and must be returned to the issuing agency or securely destroyed when no longer needed.
Copying
7.6. Intercepted material may only be copied to the extent necessary for the authorised purposes set out in section 15(4) of RIPA. Copies include not only direct copies of the whole of the intercepted material, but also extracts and summaries which identify themselves as the product of an interception, and any record referring to an interception which includes the identities of the persons to or by whom the intercepted material was sent. The restrictions are implemented by requiring special treatment of such copies, extracts and summaries that are made by recording their making, distribution and destruction.
Storage
7.7. Intercepted material and all copies, extracts and summaries of it, must be handled and stored securely, so as to minimise the risk of loss or theft. It must be held so as to be inaccessible to persons without the required level of vetting. This requirement to store intercept product securely applies to all those who are responsible for handling it, including CSPs. The details of what such a requirement will mean in practice for CSPs will be set out in the discussions they have with the Government before a Section 12 Notice is served (see paragraph 3.13).
Destruction
7.8. Intercepted material, and all copies, extracts and summaries which can be identified as the product of an interception, must be marked for deletion and securely destroyed as soon as possible once it is no longer needed for any of the authorised purposes. If such intercepted material is retained, it should be reviewed at appropriate intervals to confirm that the justification for its retention is still valid under section 15(3) of RIPA.
7.9. Where an intercepting agency undertakes interception under a section 8(4) warrant and receives unanalysed intercepted material and related communications data from interception under that warrant, the agency must specify (or must determine on a system by system basis) maximum retention periods for different categories of the data which reflect its nature and intrusiveness. The specified periods should normally be no longer than two years, and should be agreed with the Interception of Communications Commissioner. Data may only be retained for longer than the applicable maximum retention periods if prior authorisation is obtained from a senior official within the particular intercepting agency on the basis that continued retention of the data has been assessed to be necessary and proportionate. If continued retention of any such data is thereafter assessed to no longer meet the tests of necessity and proportionality, it must be deleted. So far as possible, all retention periods should be implemented by a process of automated deletion, which is triggered once the applicable maximum retention period has been reached for the data at issue.
Personnel security
7.10. All persons who may have access to intercepted material or need to see any reporting in relation to it must be appropriately vetted. On an annual basis, managers must identify any concerns that may lead to the vetting of individual members of staff being reconsidered. The vetting of each individual member of staff must also be periodically reviewed. Where it is necessary for an officer of one agency to disclose intercepted material to another, it is the former's responsibility to ensure that the recipient has the necessary clearance.
The section 16 safeguards
7.11. Section 16 provides for additional safeguards in relation to intercepted material gathered under section 8(4) warrants, requiring that the safeguards:
- Ensure that intercepted material is read, looked at or listened to by any person only to the extent that the intercepted material is certified; and
- Regulate the use of selection factors that refer to the communications of individuals known to be currently in the British Islands.
7.12. In addition, any individual selection of intercepted material must be proportionate in the particular circumstances (given section 6(1) of the Human Rights Act 1998).
7.13. The certificate ensures that a selection process is applied to material intercepted under section 8(4) warrants so that only material described in the certificate is made available for human examination (in the sense of being read, looked at or listened to). No official is permitted to gain access to the data other than as permitted by the certificate.
7.14. In general, automated systems must, where technically possible, be used to effect the selection in accordance with section 16(1) of RIPA. As an exception, a certificate may permit intercepted material to be accessed by a limited number of specifically authorised staff without having been processed or filtered by the automated systems. Such access may only be permitted to the extent necessary to determine whether the material falls within the main categories to be selected under the certificate, or to ensure that the methodology being used remains up to date and effective. Such checking must itself be necessary on the grounds specified in section 5(3) of RIPA. Once those functions have been fulfilled, any copies made of the material for those purposes must be destroyed in accordance with section 15(3) of RIPA. Such checking by officials should be kept to an absolute minimum; whenever possible, automated selection techniques should be used instead. Checking will be kept under review by the Interception of Communications Commissioner during his or her inspections.
7.15. Material gathered under a section 8(4) warrant should be read, looked at or listened to only by authorised persons who receive regular mandatory training regarding the provisions of RIPA and specifically the operation of section 16 and the requirements of necessity and proportionality. These requirements and procedures must be set out in internal guidance provided to all authorised persons and the attention of all authorised persons must be specifically directed to the statutory safeguards. All authorised persons must be appropriately vetted (see paragraph 7.10 for further information).
7.16. Prior to an authorised person being able to read, look at or listen to material, a record should be created setting out why access to the material is required consistent with, and pursuant to, section 16 and the applicable certificate, and why such access is proportionate. Save where the material or automated systems are being checked as described in paragraph 7.14, the record must indicate, by reference to specific factors, the material to which access is being sought and systems should, to the extent possible, prevent access to the material unless such a record has been created. The record should include any circumstances that are likely to give rise to a degree of collateral infringement of privacy, and any measures taken to reduce the extent of the collateral intrusion. All records must be retained for the purposes of subsequent examination or audit.
7.17. Access to the material as described in paragraph 7.15 must be limited to a defined period of time, although access may be renewed. If access is renewed, the record must be updated with the reason for the renewal. Systems must be in place to ensure that if a request for renewal is not made within that period, then no further access will be granted. When access to the material is no longer sought, the reason for this must also be explained in the record.
7.18. Periodic audits should be carried out to ensure that the requirements set out in section 16 of RIPA and Chapter 3 of this code are being met. These audits must include checks to ensure that the records requesting access to material to be read, looked at, or listened to have been correctly compiled, and specifically, that the material requested falls within matters certified by the Secretary of State. Any mistakes or procedural deficiencies should be notified to management, and remedial measures undertaken. Any serious deficiencies should be brought to the attention of senior management and any breaches of safeguards (as noted in paragraph 7.1) must be reported to the Interception of Communications Commissioner. All intelligence reports generated by the authorised persons must be subject to a quality control audit.
7.19. In order to meet the requirements of RIPA described in paragraph 6.3 above, where a selection factor refers to an individual known to be for the time being in the British Islands, and has as its purpose or one of its purposes, the identification of material contained in communications sent by or intended for him or her, a submission must be made to the Secretary of State, or to a senior official in an urgent case, giving an explanation of why an amendment to the section 8(4) certificate in relation to such an individual is necessary for a purpose falling within section 5(3) of RIPA and is proportionate in relation to any conduct authorised under section 8(4) of RIPA.
7.20. The Secretary of State must ensure that the safeguards are in force before any interception under section 8(4) warrants can begin. The Interception of Communications Commissioner is under a duty to review the adequacy of the safeguards.
...
10. OVERSIGHT
10.1. RIPA provides for an Interception of Communications Commissioner, whose remit is to provide independent oversight of the use of the powers contained within the warranted interception regime under Chapter I of Part I of RIPA.
10.2. The Commissioner carries out biannual inspections of each of the nine interception agencies. The primary objectives of the inspections are to ensure that the Commissioner has the information he or she requires to carry out his or her functions under section 57 of RIPA and produce his or her report under section 58 of RIPA. This may include inspection or consideration of:
- The systems in place for the interception of communications;
- The relevant records kept by the intercepting agency;
- The lawfulness of the interception carried out; and
- Any errors and the systems designed to prevent such errors.
10.3. Any person who exercises the powers in RIPA Part I Chapter I must report to the Commissioner any action that is believed to be contrary to the provisions of RIPA or any inadequate discharge of section 15 safeguards. He or she must also comply with any request made by the Commissioner to provide any such information as the Commissioner requires for the purpose of enabling him or her to discharge his or her functions."
91. In his witness statement prepared for the Liberty proceedings, Charles Farr indicated that, beyond the details set out in RIPA, the 2010 Code, and the draft 2016 Code (which had at that stage been published for consultation), the full details of the sections 15 and 16 safeguards were kept confidential. He had personally reviewed the arrangements and was satisfied that they could not safely be put in the public domain without undermining the effectiveness of the interception methods. However, the arrangements were made available to the Commissioner who is required by RIPA to keep them under review. Furthermore, each intercepting agency was required to keep a record of the arrangements in question and any breach must be reported to the Commissioner.
6. Belhadj and Others v. Security Service, Secret Intelligence Service, Government Communications Headquarters, the Secretary of State for the Home Department, and the Secretary of State for the Foreign and Commonwealth Office, [2015] UKIPTrib 13_132-H , IPT/13/132-9/H and IPT/14/86/CH
92 . The applicants in this case complained of breaches of Articles 6, 8 and 14 of the Convention arising from the alleged interception of their legally privileged communications. Insofar as Amnesty International, in the course of the Liberty proceedings, complained about the adequacy of the arrangements for the protection of material protected by legal professional privilege ("LPP"), those complaints were "hived off" to be dealt with in this case, and Amnesty International was joined as a claimant (see paragraph 47 above).
93 . In the course of the proceedings, the respondents conceded that by virtue of there not being in place a lawful system for dealing with LPP, from January 2010 the regime for the interception/obtaining, analysis, use, disclosure and destruction of legally privileged material had not been in accordance with the law for the purposes of Article 8 § 2 of the Convention and was accordingly unlawful. The Security Service and GCHQ confirmed that they would work in the forthcoming weeks to review their policies and procedures in light of the draft Interception Code of Practice and otherwise.
94 . The IPT subsequently held a closed hearing, with the assistance of Counsel to the Tribunal (see paragraph 142 below), to consider whether any documents or information relating to any legally privileged material had been intercepted or obtained by the respondents. In a determination of 29 March 2015 it found that only two documents containing material subject to legal professional privilege of any of the claimants had been held by the agencies, and they neither disclosed nor referred to legal advice. It therefore found that the claimant concerned had not suffered any detriment or damage, and that the determination provided adequate just satisfaction. It nevertheless required that GCHQ provide an undertaking that those parts of the documents containing legally privileged material would be destroyed or deleted; that a copy of the documents would be delivered to the Interception of Communications Commissioner to be retained for five years; and that a closed report would be provided within fourteen days confirming the destruction and deletion of the documents.
95. Draft amendments to both the Interception of Communications Code of Practice and the Acquisition of Communications Data Code of Practice were subsequently put out for consultation and the Codes which were adopted as a result contained expanded sections concerning access to privileged information.
1. British-US Communication Intelligence Agreement
96. A British-US Communication Intelligence Agreement of 5 March 1946 governs the arrangements between the British and United States authorities in relation to the exchange of intelligence information relating to "foreign" communications, defined by reference to countries other than the United States, the United Kingdom and the Commonwealth. Pursuant to the agreement, the parties undertook to exchange the products of a number of interception operations relating to foreign communications.
2. Relevant statutory framework for the operation of the intelligence services
97. There are three intelligence services in the United Kingdom: the security service ("MI5"), the secret intelligence service ("MI6") and GCHQ.
98 . Pursuant to section 2 of the Security Services Act 1989 ("SSA"), it is the duty of the Director-General of MI5, who is appointed by the Secretary of State, to ensure that there are arrangements for securing that no information is obtained by MI5 except so far as necessary for the proper discharge of its functions or disclosed by it except so far as necessary for that purpose or for the purpose of the prevention or detection of serious crime or for the purpose of any criminal proceedings.
99 . According to section 1 of the SSA, the functions of MI5 are the protection of national security and, in particular, its protection against threats from espionage, terrorism and sabotage, from the activities of agents of foreign powers and from actions intended to overthrow or undermine parliamentary democracy by political, industrial or violent means; to safeguard the economic well-being of the United Kingdom against threats posed by the actions or intentions of persons outside the British Islands; and to act in support of the activities of police forces, the National Crime Agency and other law enforcement agencies in the prevention and detection of serious crime.
100 . Section 2 of the Intelligence Services Act 1994 ("ISA") provides that the duties of the Chief of Service of MI6, who is appointed by the Secretary of State, include ensuring that there are arrangements for securing that no information is obtained by MI6 except so far as necessary for the proper discharge of its functions, and that no information is disclosed by it except so far as necessary for that purpose, in the interests of national security, for the purposes of the prevention or detection of serious crime or for the purpose of any criminal proceedings.
101. According to section 1 of the ISA, the functions of MI6 are to obtain and provide information relating to the actions or intentions of persons outside the British Islands; and to perform other tasks relating to the actions or intentions of such persons. Those functions may only be exercised in the interests of national security, with particular reference to the State's defence and foreign policies; in the interests of the economic well-being of the United Kingdom; or in support of the prevention or detection of serious crime.
102. Section 4 of the ISA provides that it is the duty of the Director of GCHQ, who is appointed by the Secretary of State, to ensure that there are arrangements for securing that it obtains no information except so far as necessary for the proper discharge of its functions and that no information is disclosed by it except so far as necessary.
103 . According to section 3 of the ISA, one of the functions of GCHQ is to monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material. This function is exercisable only in the interests of national security, with particular reference to the State's defence and foreign policies; in the interests of the economic well-being of the United Kingdom in relation to the actions or intentions of persons outside the British Islands; or in support of the prevention or detection of serious crime.
(d) Counter-Terrorism Act 2008
104 . Section 19 of the Counter-Terrorism Act 2008 allows the disclosure of information to any of the intelligence services for the purpose of the exercise of any of their functions. Information obtained by an intelligence service in connection with the exercise of its functions may be used by that service in connection with the exercise of any of its other functions.
105 . Information obtained by MI5 may be disclosed for the purpose of the proper discharge of its functions, for the purpose of the prevention or detection of serious crime, or for the purpose of any criminal proceedings. Information obtained by MI6 may be disclosed for the purpose of the proper discharge of its functions, in the interests of national security, for the purpose of the prevention or detection of serious crime, or for the purpose of any criminal proceedings. Information obtained by GCHQ may be disclosed by it for the purpose of the proper discharge of its functions or for the purpose of any criminal proceedings.
(e) The Data Protection Act 1998 ("DPA")
106 . The DPA is the legislation transposing into United Kingdom law Directive 95/46/EC on the protection of personal data. Each of the intelligence services is a "data controller" for the purposes of the DPA and, as such, they are required to comply - subject to exemption by Ministerial certificate - with the data protection principles in Part 1 of Schedule 1, including:
"(5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes ...
and
"(7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
(f) The Official Secrets Act 1989 ("OSA")
107 . A member of the intelligence services commits an offence under section 1(1) of the OSA if he discloses, without lawful authority, any information, document or other article relating to security or intelligence which is in his possession by virtue of his position as a member of those services.
(g) The Human Rights Act 1998 ("HRA")
108 . Pursuant to section 6 of the HRA, it is unlawful for a public authority to act in a way which is incompatible with a Convention right.
3. The Interception of Communications Code of Practice
109 . Following the Liberty proceedings, the information contained in the 9 October disclosure was incorporated into the IC Code of Practice:
"12. RULES FOR REQUESTING AND HANDLING UNANALYSED INTERCEPTED COMMUNICATIONS FROM A FOREIGN GOVERNMENT
Application of this chapter
12.1. This chapter applies to those intercepting agencies that undertake interception under a section 8(4) warrant.
Requests for assistance other than in accordance with an international mutual assistance agreement
12.2. A request may only be made by an intercepting agency to the government of a country or territory outside the UK for unanalysed intercepted communications (and associated communications data), otherwise than in accordance with an international mutual assistance agreement, if either:
- A relevant interception warrant under RIPA has already been issued by the Secretary of State, the assistance of the foreign government is necessary to obtain the particular communications because they cannot be obtained under the relevant RIPA interception warrant and it is necessary and proportionate for the intercepting agency to obtain those communications; or
- Making the request for the particular communications in the absence of a relevant RIPA interception warrant does not amount to a deliberate circumvention of RIPA or otherwise frustrate the objectives of RIPA (for example, because it is not technically feasible to obtain the communications via RIPA interception), and it is necessary and proportionate for the intercepting agency to obtain those communications.
12.3. A request falling within the second bullet of paragraph 12.2 may only be made in exceptional circumstances and must be considered and decided upon by the Secretary of State personally.
12.4. For these purposes, a "relevant RIPA interception warrant" means one of the following: (i) a section 8(1) warrant in relation to the subject at issue; (ii) a section 8(4) warrant and an accompanying certificate which includes one or more "descriptions of intercepted material" (within the meaning of section 8(4)(b) of RIPA) covering the subject's communications, together with an appropriate section 16(3) modification (for individuals known to be within the British Islands); or (iii) a section 8(4) warrant and an accompanying certificate which includes one or more "descriptions of intercepted material" covering the subject's communications (for other individuals).
Safeguards applicable to the handling of unanalysed intercepted communications from a foreign government
12.5. If a request falling within the second bullet of paragraph 12.2 is approved by the Secretary of State other than in relation to specific selectors, any communications obtained must not be examined by the intercepting agency according to any factors as are mentioned in section 16(2)(a) and (b) of RIPA unless the Secretary of State has personally considered and approved the examination of those communications by reference to such factors.
12.6. Where intercepted communications content or communications data are obtained by the intercepting agencies as set out in paragraph 12.2, or are otherwise received by them from the government of a country or territory outside the UK in circumstances where the material identifies itself as the product of an interception, (except in accordance with an international mutual assistance agreement), the communications content and communications data must be subject to the same internal rules and safeguards that apply to the same categories of content or data when they are obtained directly by the intercepting agencies as a result of interception under RIPA.
12.7. All requests in the absence of a relevant RIPA interception warrant to the government of a country or territory outside the UK for unanalysed intercepted communications (and associated communications data) will be notified to the Interception of Communications Commissioner."
C. Acquisition of communications data
110. Chapter II of Part 1 of RIPA sets out the framework under which public authorities may acquire communications data from CSPs.
111. Pursuant to section 22, authorisation for the acquisition of communications data from CSPs is granted by a "designated person", being a person holding such office, rank or position with relevant public authorities as are prescribed by an order made by the Secretary of State. The designated person may either grant authorisation for persons within the same "relevant public authority" as himself to "engage in conduct to which this Chapter applies" (authorisation under section 22(3)), or he may, by notice to the CSP, require it to either disclose data already in its possession, or to obtain and disclose data (notice under section 22(4)). For the purposes of section 22(3), "relevant public authorities" includes a police force, the National Crime Agency, Her Majesty's Revenue and Customs, any of the intelligence services, and any such public authority as may be specified by an order made by the Secretary of State.
112 . Section 22(2) further provides that the designated person may only grant an authorisation under section 22(3) or give a notice under section 22(4) if he believes it is necessary for one of the following grounds:
"(a) in the interests of national security;
(b) for the purpose of preventing or detecting crime or of preventing disorder;
(c) in the interests of the economic well-being of the United Kingdom;
(d) in the interests of public safety;
(e) for the purpose of protecting public health;
(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;
(g) for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health; or
(h) for any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes of this subsection by an order made by the Secretary of State."
113. He must also believe that obtaining the data is proportionate to what is sought to be achieved.
114. Section 23 requires that the authorisation or notice be granted in writing or, if not, in a manner which produces a record of it having been granted. It must also describe the conduct authorised, the communications data to be obtained or disclosed, set out the grounds on which it is believed necessary to grant the authorisation or give the notice, and specify the office, rank or position of the person giving the authorisation.
115. Authorisations under section 22(3) and notices under section 22(4) last for one month, but may be renewed at any time before the expiry of that period.
116. The person who has given a notice under section 22(4) may cancel it if he is satisfied that it is no longer necessary for one of the specified grounds, or it is no longer proportionate to what is sought to be achieved.
2. The Acquisition and Disclosure of Communications Data: Code of Practice
117 . The Acquisition and Disclosure of Communications Data: Code of Practice, issued under section 71 RIPA and last updated in 2015, provides, as relevant:
" 1 INTRODUCTION
1.1. This code of practice relates to the powers and duties conferred or imposed under Chapter II of Part I of the Regulation of Investigatory Powers Act 2000 ('RIPA'). It provides guidance on the procedures to be followed when acquisition of communications data takes place under those provisions. This version of the code replaces all previous versions of the code.
1.2. This code applies to relevant public authorities within the meaning of RIPA: those listed in section 25 or specified in orders made by the Secretary of State under section 25.
1.3. Relevant public authorities for the purposes of Chapter II of Part I of RIPA ('Chapter II') should not:
- use other statutory powers to obtain communications data from a postal or telecommunications operator unless that power provides explicitly for obtaining communications data, or is conferred by a warrant or order issued by the Secretary of State or a person holding judicial office; or
- require, or invite, any postal or telecommunications operator to disclose communications data by exercising any exemption to the principle of non-�disclosure of communications data under the Data Protection Act 1998 ('the DPA').
...
1.7. The exercise of powers and duties under Chapter II is kept under review by the Interception of Communications Commissioner ('the Commissioner') appointed under section 57 of RIPA and by his inspectors who work from the Interception of Communications Commissioner's Office (IOCCO).
...
2 GENERAL EXTENT OF POWERS
Scope of Powers, Necessity and Proportionality
2.1. The acquisition of communications data under RIPA will be a justifiable interference with an individual's human rights under Articles 8 and, in certain circumstances, 10 of the European Convention on Human Rights only if the conduct being authorised or required to take place is both necessary and proportionate and in accordance with law.
2.2. RIPA stipulates that conduct to be authorised or required must be necessary for one or more of the purposes set out in section 22(2) of RIPA:
- in the interests of national security;
- for the purpose of preventing or detecting crime or of preventing disorder;
- in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security;
- in the interests of public safety;
- for the purpose of protecting public health;
- for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;
- for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health;
- to assist investigations into alleged miscarriages of justice;
- for the purpose of assisting in identifying any person who has died otherwise than as a result of crime or who is unable to identify himself because of a physical or mental condition, other than one resulting from crime (such as a natural disaster or an accident);
- in relation a person who has died or is unable to identify himself, for the purpose of obtaining information about the next of kin or other connected persons of such a person or about the reason for their death or condition; and
- for the purpose of exercising functions relating to the regulation of financial services and markets or to financial stability.
2.3. The purposes for which some public authorities may seek to acquire communications data are restricted by order. The designated person may only consider necessity on grounds open to their public authority and only in relation to matters that are the statutory or administrative function of their respective public authority. The purposes noted above should only be used by a public authority in relation to the specific (and often specialist) offences or conduct that it has been given the statutory function to investigate.
2.4. There is a further restriction upon the acquisition of communications data for the following purposes:
- in the interests of public safety;
- for the purpose of protecting public health; and
- for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department.
Only communications data within the meaning of section 21(4)(c) of RIPA [being subscriber information] may be acquired for these purposes and only by those public authorities permitted by order to acquire communications data for one or more of those purposes.
2.5. When a public authority wishes to acquire communications data, the designated person must believe that the acquisition, in the form of an authorisation or notice, is necessary. He or she must also believe that conduct to be proportionate to what is sought to be achieved by obtaining the specified communications data - that the conduct is no more than is required in the circumstances. This involves balancing the extent of the interference with an individual's rights and freedoms against a specific benefit to the investigation or operation being undertaken by a relevant public authority in the public interest.
2.6. As well as consideration of the rights of the individual under investigation, consideration must also be given to any actual or potential infringement of the privacy and other rights of individuals who are not the subject of the investigation or operation. An application for the acquisition of communications data should draw attention to any circumstances which give rise to significant collateral intrusion.
2.7. Particular consideration must also be given, when pertinent, to the right to freedom of expression.
2.8. Taking all these considerations into account in a particular case, an interference with the rights of an individual may still not be justified because the adverse impact on the rights of another individual or group of individuals is too severe.
2.9. Any conduct where the interference is excessive in relation to the aims of the investigation or operation, or is in any way arbitrary, will not be proportionate.
2.10. Before public authorities can request communications data, authorisation must be given by the designated person in the relevant authority. A designated person is someone holding a prescribed office, rank or position within a relevant public authority that has been designated for the purpose of acquiring communications data by order.
2.11. The relevant public authorities for Chapter II are set out in section 25(1). They are:
- a police force (as defined in section 81(1) of RIPA);
- the National Crime Agency;
- HM Revenue and Customs;
- the Security Service;
- the Secret Intelligence Service; and
- the Government Communications Headquarters.
These and additional relevant public authorities are listed in the Regulation of Investigatory Powers (Communications Data) Order 201033 and any similar future orders made under section 25 of the Act.
Communications Data
2.12. The code covers any conduct relating to the exercise of powers and duties under Chapter II of Part I of RIPA to acquire or disclose communications data. Communications data is defined in section 21(4) of RIPA.
2.13. The term 'communications data' embraces the 'who', 'when', 'where', and 'how' of a communication but not the content, not what was said or written.
2.14. It includes the manner in which, and by what method, a person or machine communicates with another person or machine. It excludes what they say or what data they pass on within a communication including text, audio and video (with the exception of traffic data to establish another communication such as that created from the use of calling cards, redirection services, or in the commission of 'dial through' fraud and other crimes, where data is passed on to activate communications apparatus in order to obtain communications services fraudulently).
2.15. It can include the address on an envelope, the time and duration of a communication, the telephone number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made. It can also include data relating to unsuccessful call attempts i.e. when the person being dialled does not answer the call, but where the network has been able to connect it successfully. It does not include data relating to an unconnected call i.e. when a call is placed, but the network is unable to carry it to its intended recipient. It covers electronic communications (not just voice telephony) and also includes postal services.
2.16. Communications data is generated, held or obtained in the provision, delivery and maintenance of communications services, those being postal services or telecommunications services. DRIPA clarified the definition of telecommunications service in section 2 of RIPA to make explicit that provision of access to systems for the creation, management or storage of communications is included in the provision of a service.
2.17. 'Communications service providers' may therefore include those persons who provide services where customers, guests or members of the public are provided with access to communications services that are ancillary to the provision of another service, for example in hotels, restaurants, libraries and airport lounges.
2.18. In circumstances where it is impractical for the data to be acquired from, or disclosed by, the service provider, or where there are security implications in doing so, the data may be sought from the CSP which provides the communications service offered by such hotels, restaurants, libraries and airport lounges. Equally, circumstances may necessitate the acquisition of further communications data for example, where a hotel is in possession of data identifying specific telephone calls originating from a particular guest room.
2.19. Consultation with the public authority's Single Point of Contact (SPoC) will determine the most appropriate plan for acquiring data where the provision of a communication service engages a number of providers, though it is the designated person who ultimately decides which of the CSPs should be given a notice. With the proliferation of modern communications media, including mobile telephony, internet communications, and social networks, and given that one individual can use many different forms of communications, the knowledge and experience of the SPoC in providing advice and guidance to the designated person is significant in ensuring appropriateness of any action taken to acquire the data necessary for an investigation. If a CSP, having been given a notice, believes that in future another CSP is better placed to respond, they should approach the authority to inform them of their view after disclosing the relevant data that they hold.
2.20. Any conduct to determine the CSP that holds, or may hold, specific communications data is not conduct to which the provisions of Chapter II apply. This includes, for example, establishing from information available to the public or, where necessary, from a service provider which provider makes available a specific service, such as a particular telephone number or an internet protocol address.
2.21. Communications data is defined as:
- traffic data (as defined by sections 21(4)(a) and 21(6) of RIPA) - this is data that is or has been comprised in or attached to a communication for the purpose of its transmission (see section starting at paragraph 2.24 of this code for further detail);
- service use information (as defined by section 21(4)(b) of RIPA) - this is the data relating to the use made by a person of a communications service (see section starting at paragraph 2.28 of this code for further detail); and
- subscriber information (as defined by section 21(4)(c) of RIPA) - this relates to information held or obtained by a CSP about persons to whom the CSP provides or has provided a communications services. Those persons will include people who are subscribers to a communications service without necessarily using that service and persons who use a communications service without necessarily subscribing to it (see section starting at paragraph 2.30 of this code for further detail).
2.22. The data available on individuals, and the level of intrusion, differs between the categories of data. The public authorities which can acquire the data and, in some cases, the level of seniority of the designated person differ according to the categories of data in question.
...
Traffic Data
2.24. RIPA defines certain communications data as 'traffic data' in sections 21(4)(a) and 21(6) of RIPA. This is data that is or has been comprised in or attached to a communication for the purpose of transmitting the communication and which 'in relation to any communication':
- identifies, or appears to identify, any person, apparatus or location to or from which a communication is or may be transmitted;
- identifies or selects, or appears to identify or select, transmission apparatus;
- comprises signals that activate apparatus used, wholly or partially, for the transmission of any communication (such as data generated in the use of carrier pre-�select or redirect communication services or data generated in the commission of, what is known as, 'dial through' fraud); or
- identifies data as data comprised in, or attached to, a communication. This includes data which is found at the beginning of each packet in a packet switched network that indicates which communications data attaches to which communication.
2.25. Traffic data includes data identifying a computer file or a computer program to which access has been obtained, or which has been run, by means of the communication - but only to the extent that the file or program is identified by reference to the apparatus in which the file or program is stored. In relation to internet communications, this means traffic data stops at the apparatus within which files or programs are stored, so that traffic data may identify a server or domain name (web site) but not a web page. For example, the fact that a subject of interest has visited pages at http://www.gov.uk/ can be acquired as communications traffic data (if available from the CSP), whereas that a specific webpage that was visited is http://www.gov.uk/government/collections/ripa-�-�forms-�2 may not be acquired as communications data (as it would be content).
2.26. Examples of traffic data, within the definition in section 21(6), include:
- information tracing the origin or destination of a communication that is, or has been, in transmission (including incoming call records);
- information identifying the location of apparatus when a communication is, has been or may be made or received (such as the location of a mobile phone);
- information identifying the sender or recipient (including copy recipients) of a communication from data comprised in or attached to the communication;
- routing information identifying apparatus through which a communication is or has been transmitted (for example, dynamic IP address allocation, file transfer logs and e mail headers - to the extent that content of a communication, such as the subject line of an e mail, is not disclosed);
- web browsing information to the extent that only a host machine, server, domain name or IP address is disclosed;
- anything, such as addresses or markings, written on the outside of a postal item (such as a letter, packet or parcel) that is in transmission and which shows the item's postal routing;
- records of correspondence checks comprising details of traffic data from postal items in transmission to a specific address; and
- online tracking of communications (including postal items and parcels).
...
Service Use Information
2.28. Data relating to the use made by any person of a postal or telecommunications service, or any part of it, is widely known as 'service use information' and falls within section 21(4)(b) of RIPA.
2.29. Service use information is, or can be, routinely made available by a CSP to the person who uses or subscribes to the service to show the use of a service or services and to account for service charges over a given period of time. Examples of data within the definition at section 21(4)(b) include:
- itemised telephone call records (numbers called);
- itemised records of connections to internet services;
- itemised timing and duration of service usage (calls and/or connections);
- information about amounts of data downloaded and/or uploaded;
- information about the use made of services which the user is allocated or has subscribed to (or may have subscribed to) including conference calling, call messaging, call waiting and call barring telecommunications services;
- information about the use of forwarding/redirection services;
- information about selection of preferential numbers or discount calls; and
- records of postal items, such as records of registered post, recorded or special delivery postal items, records of parcel consignment, delivery and collection.
Subscriber Information
2.30. The third type of communications data, widely known as 'subscriber information', is set out in section 21(4)(c) of RIPA. This relates to information held or obtained by a CSP about persons to whom the CSP provides or has provided a communications service. Those persons will include people who are subscribers to a communications service without necessarily using that service and persons who use a communications service without necessarily subscribing to it.
2.31. Examples of data within the definition at section 21(4)(c) include:
- 'subscriber checks' (also known as 'reverse look ups') such as "who is the subscriber of phone number 01632 960 224?", "who is the account holder of e-�mail account [email protected]?" or "who is entitled to post to web space www.example.co.uk?";
- information about the subscriber to a PO Box number or a Postage Paid Impression used on bulk mailings;
- information about the provision to a subscriber or accountholder of forwarding/redirection services, including delivery and forwarding addresses;
- subscribers' or account holders' account information, including names and addresses for installation, and billing including payment method(s), details of payments;
- information about the connection, disconnection and reconnection of services to which the subscriber or account holder is allocated or has subscribed to (or may have subscribed to) including conference calling, call messaging, call waiting and call barring telecommunications services, and potentially static IP addresses;
- information about apparatus used by, or made available to, the subscriber or account holder, including the manufacturer, model, serial numbers and apparatus codes; and
- information provided by a subscriber or account holder to a CSP, such as demographic information or sign-�up data (to the extent that information, such as a password, giving access to the content of any stored communications is not disclosed save where the requirement for such information is necessary in the interests of national security).
...
2.35. Additional types of data may fall into the category of subscriber information, as communications services have developed and broadened, for example where a CSP chooses to collect information about the devices used by their customers. Prior to the acquisition of data which does not fall into the illustrative list of traditional subscriber information above, specific consideration should be given to whether it is particularly sensitive or intrusive, in order to ensure that such a request is still necessary and proportionate, and compliant with Chapter II.
Further Guidance on Necessity and Proportionality
2.36. Training regarding necessity and proportionality should be made available to all those who participate in the acquisition and disclosure of communications data.
Necessity
2.37. In order to justify that an application is necessary, the application needs as a minimum to cover three main points:
- the event under investigation, such as a crime or vulnerable missing person;
- the person, such as a suspect, witness or missing person, and how they are linked to the event; and
- the communications data, such as a telephone number or IP address, and how this data is related to the person and the event.
2.38. Necessity should be a short explanation of the event, the person and the communications data and how these three link together. The application must establish the link between the three aspects to be able to demonstrate the acquisition of communications data is necessary for the statutory purpose specified.
Proportionality
2.39. Applications should include an outline of how obtaining the data will benefit the investigation or operation. If more than one item of data is being sought, the relevance of the additional data should be explained.
2.40. This should include explaining how the level of intrusion is justified when taking into consideration the benefit the data will give to the investigation. This justification should include confirmation that relevant less intrusive investigations have already been undertaken where possible. For example, the subscriber details of a phone number may be obtainable from a phone book or other publically available sources.
2.41. The relevance of any time periods requested must be explained, outlining how these periods are proportionate to the event under investigation.
2.42. An examination of the proportionality of the application should particularly include a consideration of the rights (particularly to privacy and, in relevant cases, freedom of expression) of the individual and a balancing of these rights against the benefit to the investigation.
2.43. Collateral intrusion is the obtaining of any information relating to individuals other than the subject(s) of the investigation. Consideration of collateral intrusion forms part of the proportionality considerations, and becomes increasingly relevant when applying for traffic data or service use data. Applications should include details of what collateral intrusion may occur and how the time periods requested impact on the collateral intrusion. When there are no meaningful collateral intrusion risks, such as when applying for subscriber details of the person under investigation, the absence of collateral intrusion should be noted.
2.44. An examination of the proportionality of the application should also involve a consideration of possible unintended consequences and, when, relevant this should be noted. Unintended consequences of an application are outcomes that are not intended by the application.
2.45. Unintended consequences are more likely in more complicated requests for traffic data or in applications for the data of those in professions with duties of confidentiality. For example, if a journalist is a victim of crime, applications for service use data related to that journalist's phone number as part of the criminal investigation may also return some phone numbers of that journalist's sources, with unintended impact on freedom of expression. Such an application may still be necessary and proportionate but the risk of unintended consequences should be considered. The special considerations that arise in such cases are discussed further in the section on "Communications data involving certain professions".
3 GENERAL RULES ON THE GRANTING OF AUTHORISATIONS AND GIVING OF NOTICES
3.1. Acquisition of communications data under RIPA involves four roles within a relevant public authority:
- the applicant;
- the designated person;
- the single point of contact; and
- the senior responsible officer
3.2. RIPA provides two alternative means for acquiring communications data, by way of:
- an authorisation under section 22(3); or
- a notice under section 22(4).
An authorisation granted to a member of a public authority permits that person to engage in conduct relating to the acquisition and disclosure of communications data under Part I Chapter II of RIPA. A notice given to a postal or telecommunications operator requires it to disclose the relevant communications data held by it to a public authority, or to obtain and disclose the data, when it is reasonably practicable for them to do so. Both authorisations and notices are explained in more detail within this chapter.
The applicant
3.3. The applicant is a person involved in conducting an investigation or operation for a relevant public authority who makes an application in writing or electronically for the acquisition of communications data. The applicant completes an application form, setting out for consideration by the designated person, the necessity and proportionality of a specific requirement for acquiring communications data.
3.4. An application may be made orally in exceptional circumstances, but a record of that application must be made in writing or electronically as soon as possible, and certainly within one working day (paragraphs 3.65 -� 3.71 provide more detail on urgent procedures).
3.5. An application - the original or a copy of which must be retained by the SPoC within the public authority - must:
- include the name (or designation) and the office, rank or position held by the person making the application;
- include a unique reference number;
- include the operation name (if applicable) to which the application relates;
- specify the purpose for which the data is required, by reference to a statutory purpose under 22(2) of RIPA;
- describe the communications data required, specifying, where relevant, any historic or future date(s) and, where appropriate, time period(s);
- describe whether the communications data relates to a victim, a witness, a complainant, a suspect, next of kin, vulnerable person or other person relevant to the investigation or operation;
- explain why the acquisition of that data is considered necessary and proportionate to what is sought to be achieved by acquiring it;
- consider and, where appropriate, describe any meaningful collateral intrusion - the extent to which the rights of any individual not under investigation may be infringed and why that intrusion is justified in the circumstances;
- consider and, where appropriate, describe any possible unintended consequences of the application; and
- identify and explain the time scale within which the data is required.
3.6. The application should record subsequently whether it was approved by a designated person, by whom and when that decision was made. If approved, the application form should, to the extent necessary, be cross-�referenced to any authorisation granted or notice given.
The designated person
3.7. The designated person is a person holding a prescribed office in a relevant public authority. It is the designated person's responsibility to consider the application and record their considerations at the time (or as soon as is reasonably practicable) in writing or electronically. If the designated person believes the acquisition of communications data is necessary and proportionate in the specific circumstances, an authorisation is granted or a notice is given.
3.8. Individuals who undertake the role of a designated person must have current working knowledge of human rights principles and legislation, specifically those of necessity and proportionality, and how they apply to the acquisition of communications data under Chapter II and this code.
3.9. When considering proportionality, the designated person should apply particular consideration to unintended consequences. The seniority, experience and training of the designated person provides them with a particular opportunity to consider possible unintended consequences.
3.10. Designated persons must ensure that they grant authorisations or give notices only for purposes and only in respect of types of communications data that a designated person of their office, rank or position in the relevant public authority may grant or give.
3.11. The designated person shall assess the necessity for any conduct to acquire or obtain communications data taking account of any advice provided by the single point of contact (SPoC).
3.12. Designated persons must be independent from operations and investigations when granting authorisations or giving notices related to those operations.
3.13. Except where it is necessary to act urgently, in circumstances where a public authority is not able to call upon the services of a designated person who is independent from the investigation or operation, the Senior Responsible Officer must inform the Interception of Communications Commissioner of the circumstances and reasons (noting the relevant designated persons who, in these circumstances, will not be independent). These may include:
- small specialist criminal investigation departments within public authorities which are not law enforcement or intelligence agencies; and
- public authorities which have on-going operations or investigations immediately impacting on national security issues and are therefore not able to a call upon a designated person who is independent from their operations and investigations.
3.14. In all circumstances where public authorities use designated persons who are not independent from an operation or investigation this must be notified to the Commissioner at the next inspection. The details of the public authorities and the reasons such measures are being undertaken may be published and included in the Commissioner's report.
3.15. Where a designated person is not independent from the investigation or operation their involvement and their justification for undertaking the role of the designated person must be explicit in their recorded considerations.
3.16. Particular care must be taken by designated persons when considering any application to obtain communications data to identify apparatus (such as a mobile telephone) at or within a location or locations and at or between times on a given date or dates where the identity of the apparatus is unknown. Unless the application is based on information that the apparatus was used or was likely to have been used in a particular location or locations at a particular time or times it will, in practice, be rare that any conduct to obtain communications data will be proportionate or the collateral intrusion justified.
...
The single point of contact
3.19. The single point of contact (SPoC) is an accredited individual trained to facilitate lawful acquisition of communications data and effective co-�operation between a public authority and CSPs. Despite the name, in practice many organisations will have multiple SPoCs, working together. To become accredited an individual must complete a course of training appropriate for the role of a SPoC and have been issued the relevant SPoC authentication identifier. SPoCs in public authorities should be security cleared in accordance with their own organisation's requirements. Details of all accredited individuals are available to CSPs for authentication purposes.
3.20. Communications data should be treated as information with a classification of OFFICIAL and a caveat of SENSITIVE, though it may be classified higher if appropriate. When handling, processing, and distributing such information, SPoCs must comply with local security policies and operating procedures. The SENSITIVE caveat is for OFFICIAL information that is subject to 'need to know' controls so that only authorised personnel can have access to the material. This does not preclude, for example, the disclosure of material or the use of this material as evidence in open court when required. Rather, the classification and caveat of OFFICIAL -� SENSITIVE makes clear that communications data must be treated with care, noting the impact on the rights to privacy and, where appropriate, freedom of expression of the subjects of interest and, depending on the data, possibly some of their communications contacts. Communications data acquired by public authorities must also by stored and handled in accordance with duties under the Data Protection Act.
3.21. An accredited SPoC promotes efficiency and good practice in ensuring only practical and lawful requirements for communications data are undertaken. This encourages the public authority to regulate itself. The SPoC provides objective judgement and advice to both the applicant and the designated person. In this way the SPoC provides a 'guardian and gatekeeper' function ensuring that public authorities act in an informed and lawful manner.
3.22. The SPoC should be in a position to:
- engage proactively with applicants to develop strategies to obtain communications data and use it effectively in support of operations or investigations;
- assess whether the acquisition of specific communications data from a CSP is reasonably practical or whether the specific data required is inextricably linked to other data;
- advise applicants on the most appropriate methodology for acquisition of data where the data sought engages a number of CSPs;
- advise applicants and designated persons on the interpretation of RIPA, particularly whether an authorisation or notice is appropriate;
- provide assurance to designated persons that authorisations and notices are lawful under RIPA and free from errors;
- consider and, where appropriate, provide advice to the designated person on possible unintended consequences of the application;
- provide assurance to CSPs that authorisations and notices are authentic and lawful;
- assess whether communications data disclosed by a CSP in response to a notice fulfils the requirement of the notice;
- assess whether communications data obtained by means of an authorisation fulfils the requirement of the authorisation; and
- assess any cost and resource implications to both the public authority and the CSP of data requirements.
3.23. The SPoC would normally be the person who takes receipt of any communications data acquired from a CSP (see paragraphs 3.33 and 3.49) and would normally be responsible for its dissemination to the applicant.
3.24. Public authorities unable to call upon the services of an accredited SPoC should not undertake the acquisition of communications data. Nonetheless, in the course of a joint investigation between authority A with no SPoC and authority B with RIPA communications data acquisition powers, authority B may, where necessary and proportionate, acquire communications data under RIPA to further the joint investigation.
3.25. In circumstances where a CSP is approached by a person who cannot be authenticated as an accredited individual and who seeks to obtain data under the provisions of RIPA, the CSP may refuse to comply with any apparent requirement for disclosure of data until confirmation of both the person's accreditation and their SPoC authentication identifier is obtained from the Home Office.
3.26. For each individual application, the roles of SPoC and designated persons will normally be carried out by two persons. In exceptional cases, such as those covered under the urgent oral procedure or, on rare occasions, for security reasons, both roles may be carried out by the same person. One person may, in separate applications, carry out the roles of either the SPoC or the designated person.
3.27. For each individual application, the roles of SPOC and Applicant will also normally be carried out by two persons. In exceptional cases, such as those covered under the urgent oral procedure or, on rare occasions, for security reasons, both roles may be carried out by the same person. One person may, in separate applications, carry out the roles of either the SPOC or the Applicant.
3.28. The same person must never be both the applicant and the designated person. Clearly, therefore, the same person should never be an applicant, a designated person and a SPoC.
3.29. Where a public authority seeks to obtain communications data using provisions providing explicitly for the obtaining of communications data (other than Chapter II of Part I of RIPA) or using statutory powers conferred by a warrant or order issued by the Secretary of State or a person holding judicial office, the SPoC should be engaged in the process of obtaining the data to ensure effective co-�operation between the public authority and the CSP.
3.30. Occasionally public authorities will wish to request data from CSPs that is neither communications data nor the content of communications. Given the training undertaken by a SPoC and the on-�going nature of a SPoC's engagement with CSPs, it is good practice to engage the SPoC to liaise with the CSP on such requests.
The senior responsible officer
3.31. Within every relevant public authority a senior responsible officer must be responsible for:
- the integrity of the process in place within the public authority to acquire communications data;
- compliance with Chapter II of Part I of RIPA and with this code;
- oversight of the reporting of errors to IOCCO and the identification of both the cause(s) of errors and the implementation of processes to minimise repetition of errors;
- engagement with the IOCCO inspectors when they conduct their inspections; and
- where necessary, oversight of the implementation of post-�inspection action plans approved by the Commissioner.
Authorisations
3.32. An authorisation provides for persons within a public authority to engage in specific conduct, relating to a postal service or telecommunications system, to obtain communications data.
3.33. Any designated person in a public authority may only authorise persons working in the same public authority to engage in specific conduct, such as requesting the data via secure auditable communications data acquisition systems. This will normally be the public authority's SPoC, though local authorities must now use the National Anti-�Fraud Network (see later in this chapter for more details).
3.34. The decision of a designated person whether to grant an authorisation shall be based upon information presented to them in an application.
3.35. An authorisation may be appropriate where:
- a CSP is not capable of obtaining or disclosing the communications data;
- there is an agreement in place between a public authority and a CSP relating to appropriate mechanisms for disclosure of communications data; or
- a designated person considers there is a requirement to identify a person to whom a service is provided but a CSP has yet to be conclusively determined as the holder of the communications data.
3.36. An authorisation is not served upon a CSP, although there may be circumstances where a CSP may require or may be given an assurance that conduct being, or to be, undertaken is lawful. That assurance may be given by disclosing details of the authorisation or the authorisation itself.
3.37. An authorisation - the original or a copy of which must be retained by the SPoC within the public authority - must:
- be granted in writing or, if not, in a manner that produces a record of it having been granted;
- describe the conduct which is authorised and describe the communications data to be acquired by that conduct specifying, where relevant, any historic or future date(s) and, where appropriate, time period(s);
- specify the purpose for which the conduct is authorised, by reference to a statutory purpose under section 22(2) of RIPA;
- specify the office, rank or position held by the designated person granting the authorisation. The designated person should also record their name (or designation) on any authorisation they grant; and
- record the date and, when appropriate to do so, the time when the authorisation was granted by the designated person.
...
3.40. At the time of giving a notice or granting an authorisation to obtain specific traffic data or service use data, a designated person may also authorise, to the extent necessary and proportionate at that time, the consequential acquisition of specific subscriber information relating to the traffic data or service use data to be obtained. This is relevant where there is a necessary and proportionate requirement to identify with whom a person has been in communication, for example:
- to identify with whom a victim was in contact, within a specified period, prior to their murder;
- to identify, where the target of an investigation or operation has been observed to make several calls from a public pay phone, the recipient of those calls;
- to identify a person making unlawful and unwarranted demands (as in the case of kidnap, extortion and blackmail demands and threats of violence); and
- where a victim or a witness has identified a specific communication or communications and corroboration of facts may reveal a potential offender or other witness.
3.41. At the time of giving a notice or granting an authorisation to obtain specific traffic data, a designated person may also authorise, to the extent necessary and proportionate at that time, the consequential acquisition of traffic data or service use information. This is relevant where there is a necessary and proportionate requirement to identify a person from the traffic data to be acquired, and the means to do so requires the CSP or another CSP to query their traffic data or service use information, for example:
- the CSP does not collect information about the customer within their customer information system but retains it in its original form as traffic data (such as a MAC or IMEI or an IP address); or
- where evidence or intelligence indicates there are several CSPs involved in routing a communication and there is a requirement to establish the recipient of the communication.
3.42. It is the duty of the senior responsible officer to ensure that the designated person, applicant or other person makes available to the SPoC such information as the senior responsible officer thinks necessary to ensure the integrity of any requirements for the acquisition of subscriber information to be obtained directly upon the acquisition or disclosure of any traffic data or service use data, and their compliance with Chapter II and with this code.
Notices
3.43. The giving of a notice is appropriate where a CSP is able to retrieve or obtain specific data, and to disclose that data, unless the grant of an authorisation is more appropriate. A notice may require a CSP to obtain any communications data, if that data is not already in its possession.
3.44. The decision of a designated person whether to give a notice shall be based on information presented to them in an application.
3.45. The 'giving of a notice' means the point at which a designated person determines that a notice should be given to a CSP. In practice, once the designated person has determined that a notice should be given, it will be served upon a CSP in writing or, in an urgent situation, communicated to the CSP orally.
3.46. The notice should contain enough information to allow the CSP to comply with the requirements of the notice.
3.47. A notice - the original or a copy of which must be retained by the SPoC within the public authority - must:
- be given in writing or, if not, in a manner that produces a record, within the public authority, of its having been given;
- include a unique reference number and also identify the public authority;
- specify the purpose for which the notice has been given, by reference to a statutory purpose under 22(2) of RIPA;
- describe the communications data to be obtained or disclosed under the notice specifying, where relevant, any historic or future date(s)and, where appropriate, time period(s);
- include an explanation that compliance with the notice is a requirement of RIPA;
- specify the office, rank or position held by the designated person giving the notice. The name (or designation) of the designated person giving the notice should also be recorded;
- specify the manner in which the data should be disclosed. The notice should contain sufficient information including the contact details of the SPoC to enable a CSP to confirm the notice is authentic and lawful;
- record the date and, when appropriate to do so, the time when the notice was given by the designated person; and
- where appropriate, provide an indication of any urgency or time within which the CSP is requested to comply with the requirements of the notice.
3.48. A notice must not place a CSP under a duty to do anything which it is not reasonably practicable for the CSP to do. SPoCs should be mindful of the need to draft notices to ensure the description of the required data corresponds with the ways in which the CSP processes, retains and retrieves its data for lawful disclosure. CSPs cannot necessarily or reasonably edit or adapt their systems to take account of every possible variation of what may be specified in notices.
3.49. In giving notice a designated person may only require a CSP to disclose the communications data to the designated person or to a specified person working within the same public authority. This will normally be the public authority's SPoC.
3.50. Ordinarily the CSP should disclose, in writing or electronically, the communications data to which a notice relates not later than the end of the period of ten working days from the date the notice is served upon the CSP.
Duration of authorisations and notices
3.51. An authorisation or notice becomes valid on the date upon which authorisation is granted or notice given. It is then valid for a maximum of one month. This means the conduct authorised should have been commenced or the notice served within that month.
3.52. All authorisations and notices should refer to the acquisition or disclosure of data relating to a specific date(s) or period(s). Any period should be clearly indicated in the authorisation or notice. The start date and end date should be given, and where a precise start and end time are relevant these must be specified. Where the data to be acquired or disclosed is specified as 'current', the relevant date should be taken to be the date on which the authorisation was granted or the notice given by the designated person. There can be circumstances when the relevant date or period cannot be specified other than 'the last transaction' or 'the most recent use of the service'.
3.53. Where an authorisation or a notice relates to the acquisition or obtaining of specific data that will or may be generated in the future, the future period is restricted to no more than one month from the date upon which the authorisation was granted or the notice given.
3.54. Designated persons should specify the shortest possible period of time for any authorisation or notice. To do otherwise would impact on the proportionality of the authorisation or notice and impose an unnecessary burden upon the relevant CSP(s).
Renewal of authorisations and notices
3.55. Any valid authorisation or notice may be renewed for a period of up to one month by the grant of a further authorisation or the giving of a further notice. A renewed authorisation or notice takes effect upon the expiry of the authorisation or notice it is renewing.
3.56. Renewal may be appropriate where there is a continuing requirement to acquire or obtain data that will or may be generated in the future. The reasoning for seeking renewal should be set out by an applicant in an addendum to the application upon which the authorisation or notice being renewed was granted or given.
3.57. Where a designated person is granting a further authorisation or giving a further notice to renew an earlier authorisation or notice, the designated person should:
- have considered the reasons why it is necessary and proportionate to continue with the acquisition of the data being generated; and
- record the date and, when appropriate to do so, the time when the authorisation or notice is renewed.
Cancellation of notices and withdrawal of authorisations
3.58. A designated person who has given notice to a CSP under section 22(4) of RIPA shall cancel the notice if, at any time after giving the notice, it is no longer necessary for the CSP to comply with the notice or the conduct required by the notice is no longer proportionate to what was sought to be achieved.
3.59. Reporting the cancellation of a notice to a CSP shall be undertaken by the designated person directly or, on that person's behalf, by the public authority's SPoC. Where human rights considerations are such that a notice should be cancelled with immediate effect the designated person or the SPoC will notify the CSP.
3.60. Cancellation of a notice reported to a CSP must:
- be undertaken in writing or, if not, in a manner that produces a record of the notice having been cancelled;
- identify, by reference to its unique reference number, the notice being cancelled; and
- record the date and, when appropriate to do so, the time when the notice was cancelled.
3.61. In cases where the SPoC has initiated the cancellation of a notice and reported the cancellation to the CSP, the designated person must confirm the decision in writing for the SPoC or, if not, in a manner that produces a record of the notice having been cancelled by the designated person. Where the designated person who gave the notice to the CSP is no longer available, this duty should fall on a person who has temporarily or permanently taken over the role of the designated person.
3.62. Similarly where a designated person considers an authorisation should cease to have effect, because the conduct authorised becomes unnecessary or no longer proportionate to what was sought to be achieved, the authorisation must be withdrawn. It may be the case that it is the SPoC or the applicant who is first aware that the authorisation is no longer necessary or proportionate. In such cases the SPoC (having been contacted by the applicant, where appropriate) may cease the authorised conduct, and then inform the designated person who granted the authorisation.
3.63. Withdrawal of an authorisation should:
- be undertaken in writing or, if not, in a manner that produces a record of it having been withdrawn;
- identify, by reference to its unique reference number, the authorisation being withdrawn;
- record the date and, when appropriate to do so, the time when the authorisation was cancelled; and
- record the name and the office, rank or position held by the designated person informed of the withdrawal of the authorisation.
3.64. When it is appropriate to do so, a CSP should be advised of the withdrawal of an authorisation, for example where details of an authorisation have been disclosed to a CSP.
Urgent oral giving of notice or grant of authorisation
3.65. In exceptionally urgent circumstances, an application for the giving of a notice or the grant of an authorisation may be made by an applicant, approved by a designated person and either notice given to a CSP or an authorisation granted orally. Circumstances in which an oral notice or authorisation may be appropriate include:
- an immediate threat of loss of human life, or for the protection of human life, such that a person's life might be endangered if the application procedure were undertaken in writing from the outset;
- an exceptionally urgent operational requirement where, within no more than 48 hours of the notice being given or the authorisation being granted orally, the acquisition of communications data will directly assist the prevention or detection of the commission of a serious crime and the making of arrests or the seizure of illicit material, and where that operational opportunity will be lost if the application procedure is undertaken in writing from the outset; or
- a credible and immediate threat to national security or a time-�critical and unique opportunity to secure, or prevent the loss of, information of vital importance to national security where that threat might be realised, or that opportunity lost, if the application procedure were undertaken in writing from the outset.
3.66. The use of urgent oral process must be justified for each application within an investigation or operation. The fact that any part of an investigation or operation is undertaken urgently must not be taken to mean that all requirements to obtain communications data in connection with that investigation or operation be undertaken using the urgent oral process. It must be clear in each case why it was not possible, in the circumstances, to use the standard, written process.
...
3.69. Written notice must be given to the CSP retrospectively within one working day of the oral notice being given. Failure to do so will constitute an error which may be reported to the Commissioner by the CSP and must be recorded by the public authority (see the section on errors in Chapter 6, Keeping of Records, for more details).
3.70. After the period of urgency, a separate written process must be completed demonstrating the consideration given to the circumstances and the decisions taken. The applicant or the SPoC shall collate details or copies of control room or other operational logs which provide contemporaneous records of the consideration given to the acquisition of data, decision(s) made by the designated person and the actions taken in respect of the decision(s).
3.71. In all cases where urgent oral notice is given or authorisation granted, an explanation of why the urgent process was undertaken must be recorded.
Communications data involving certain professions
3.72. Communications data is not subject to any form of professional privilege - the fact a communication took place does not disclose what was discussed, considered or advised.
3.73. However the degree of interference with an individual's rights and freedoms may be higher where the communications data being sought relates to a person who is a member of a profession that handles privileged or otherwise confidential information (including medical doctors, lawyers, journalists, Members of Parliament, or ministers of religion). It may also be possible to infer an issue of sensitivity from the fact someone has regular contact with, for example, a lawyer or journalist.
3.74. Such situations do not preclude an application being made. However applicants, giving special consideration to necessity and proportionality, must draw attention to any such circumstances that might lead to an unusual degree of intrusion or infringement of rights and freedoms, particularly regarding privacy and, where it might be engaged, freedom of expression. Particular care must be taken by designated persons when considering such applications, including additional consideration of whether there might be unintended consequences of such applications and whether the public interest is best served by the application.
3.75. Applicants must clearly note in all cases when an application is made for the communications data of those known to be in such professions, including medical doctors, lawyers, journalists, Members of Parliament, or ministers of religion. That such an application has been made must be recorded (see section 6 on keeping of records for more details), including recording the profession, and, at the next inspection, such applications should be flagged to the Interception of Communications Commissioner.
3.76. Issues surrounding the infringement of the right to freedom of expression may arise where a request is made for the communications data of a journalist. There is a strong public interest in protecting a free press and freedom of expression in a democratic society, including the willingness of sources to provide information to journalists anonymously. Where an application is intended to determine the source of journalistic information, there must therefore be an overriding requirement in the public interest, and the guidance at paragraphs 3.78-�3.24 should be followed.
3.77. Where the application is for communications data of a journalist, but is not intended to determine the source of journalistic information (for example, where the journalist is a victim of crime or is suspected of committing a crime unrelated to their occupation), there is nevertheless a risk of collateral intrusion into legitimate journalistic sources. In such a case, particular care must therefore be taken to ensure that the application considers whether the intrusion is justified, giving proper consideration to the public interest. The necessity and proportionality assessment also needs to consider whether alternative evidence exists, or whether there are alternative means for obtaining the information being sought. The application should draw attention to these matters.
Applications to determine the source of journalistic information
3.78. In the specific case of an application for communications data, which is made in order to identify a journalist's source, and until such time as there is specific legislation to provide judicial authorisation for such applications, those law enforcement agencies, including the police, National Crime Agency and Her Majesty's Revenue and Customs, in England and Wales with powers under the Police and Criminal Evidence Act 1984 (PACE) must use the procedures of PACE to apply to a court for a production order to obtain this data. Relevant law enforcement agencies in Northern Ireland must apply for a production order under the PACE (Northern Ireland Order) 1989. Law enforcement agencies in Scotland must use the appropriate legislation or common law powers to ensure judicial authorisation for communications data applications to determine journalistic sources.
3.79. Communications data that may be considered to determine journalistic sources includes data relating to:
- journalists' communications addresses;
- the communications addresses of those persons suspected to be a source; and
- communications addresses of persons suspected to be acting as intermediaries between the journalist and the suspected source.
3.80. Each authority must keep a central record of all occasions when such an application has been made, including a record of the considerations.
3.81. This includes that, where the police suspect wrong-�doing that includes communications with a journalist, the application must consider properly whether that conduct is criminal and of a sufficiently serious nature for rights to freedom of expression to be interfered with where communications data is to be acquired for the purpose of identifying a journalist's source.
3.82. As described in paragraph 3.29 above, the SPoC should be engaged in this process, to ensure appropriate engagement with the CSPs.
3.83. If and only if there is a believed to be an immediate threat of loss of human life, such that a person's life might be endangered by the delay inherent in the process of judicial authorisation, law enforcement agencies may continue to use the existing internal authorisation process under RIPA. Such applications must be flagged to the Interception of Communications Commissioner as soon as reasonably practicable, as agreed with the Commissioner. If additional communications data is later sought as part of the same investigation, but where a threat to life no longer exists, judicial authorisation must be sought.
3.84. The requirement for judicial oversight does not apply where applications are made for the communications data of those known to be journalists but where the application is not to determine the source of journalistic information. This includes, for example, where the journalist is a victim of crime or is suspected of committing a crime unrelated to their occupation.
Local authority authorisation procedure
3.85. Local authorities must fulfil two additional requirements when acquiring communications data that differ from other public authorities. Firstly, the request must be made through a SPoC at the National Anti-�Fraud Network ('NAFN'). Secondly, the request must receive prior judicial approval.
...
6 KEEPING OF RECORDS
Records to be kept by a relevant public authority
6.1. Applications, authorisations, copies of notices, and records of the withdrawal of authorisations and the cancellation of notices, must be retained by the relevant public authority in written or electronic form, and physically attached or cross-�referenced where they are associated with each other. The public authority should also keep a record of the date and, when appropriate to do so, the time when each notice or authorisation is given or granted, renewed or cancelled. Records kept by the public authority must be held centrally by the SPoC or in accordance with arrangements previously agreed with the Commissioner.
6.2. These records must be available for inspection by the Commissioner and retained to allow the Investigatory Powers Tribunal, established under Part IV of RIPA, to carry out its functions.
6.3. Where the records contain, or relate to, material obtained directly as a consequence of the execution of an interception warrant, those records must be treated in accordance with the safeguards which the Secretary of State has approved in accordance with section 15 of RIPA.
...
6.5. Each relevant public authority must also keep a record of the following information:
A. the number of applications submitted by an applicant to a SPoC requesting the acquisition of communications data (including orally);
B. the number of applications submitted by an applicant to a SPoC requesting the acquisition of communications data (including orally), which were referred back to the applicant for amendment or declined by the SPoC, including the reason for doing so;
C. the number of applications submitted to a designated person for a decision to obtain communications data (including orally), which were approved after due consideration;
D. the number of applications submitted to a designated person for a decision to obtain communications data (including orally), which were referred back to the applicant or rejected after due consideration, including the reason for doing so;
E. the number of notices requiring disclosure of communications data (not including urgent oral applications);
F. the number of authorisations for conduct to acquire communications data (not including urgent oral applications);
G. the number of times an urgent application is approved orally;
H. the number of times an urgent notice is given orally, or an urgent authorisation granted orally, requiring disclosure of communications data;
I. the priority grading of the application for communications data, as set out at paragraph 3.5 and footnote 52 of this code;
J . whether any part of the application relates to a person who is a member of a profession that handles privileged or otherwise confidential information (such as a medical doctor, lawyer, journalist, Member of Parliament, or minister of religion) (and if so, which profession); and
K . the number of items of communications data sought, for each notice given, or authorisation granted (including orally).
6.6. For each item of communications data included within a notice or authorisation, the relevant public authority must also keep a record of the following:
A. the Unique Reference Number (URN) allocated to the application, notice and/or authorisation;
B. the statutory purpose for which the item of communications data is being requested, as set out at section 22(2) of RIPA;
C. where the item of communications data is being requested for the purpose of preventing or detecting crime or of preventing disorder, as set out at section 22(2)(b) of RIPA, the crime type being investigated;
D. whether the item of communications data is traffic data, service use information, or subscriber information, as described at section 21 (4) of RIPA, and Chapter 2 of this code;
E. a description of the type of each item of communications data included in the notice or authorisation;
F. whether the item of communications data relates to a victim, a witness, a complainant, or a suspect, next of kin, vulnerable person or other person relevant to the investigation or operation;
G. the age of the item of communications data. Where the data includes more than one day, the recorded age of data should be the oldest date of the data sought;
H. where an item of data is service use information or traffic data retained by the CSP, an indication of the total number of days of data being sought by means of notice or authorisation; and
I. the CSP from whom the data is being acquired.
6.7. These records must be sent in written or electronic form to the Commissioner, as determined by him. Guidance on record keeping will be issued by IOCCO. Guidance may also be sought by relevant public authorities, CSPs or persons contracted by them to develop or maintain their information technology systems.
6.8. The Interception of Communications Commissioner will not seek to publish statistical information where it appears to him that doing so would be contrary to the public interest, or would be prejudicial to national security.
Records to be kept by a Communications Service Provider
6.9. To assist the Commissioner to carry out his statutory function in relation to Chapter II, CSPs should maintain a record of the disclosures it has made or been required to make. This record should be available to the Commissioner and his inspectors to enable comparative scrutiny of the records kept by public authorities. Guidance on the maintenance of records by CSPs may be issued by or sought from IOCCO.
6.10. The records to be kept by a CSP, in respect of each notice or authorisation, should include:
A . the name of the public authority;
B. the URN of the notice or authorisation;
C. the date the notice was served upon the CSP or the authorisation disclosed to the CSP;
D. a description of any communications data required where no disclosure took place or could have taken place;
E. the date when the communications data was made available to the public authority or, where secure systems are provided by the CSP, the date when the acquisition and disclosure of communications data was undertaken; and
F. sufficient records to establish the origin and exact communications data that has been disclosed in the event of later challenge in court.
Errors
6.11. Proper application of RIPA and thorough procedures for operating its provisions, including the careful preparation and checking of applications, notices and authorisations, should reduce the scope for making errors whether by public authorities or by CSPs.
6.12. An error can only occur after a designated person:
- has granted an authorisation and the acquisition of data has been initiated; or
- has given notice and the notice has been served on a CSP in writing, electronically or orally.
6.13. Any failure by a public authority to apply correctly the process of acquiring or obtaining communications data set out in this code will increase the likelihood of an error occurring.
6.14. Where any error occurs in the grant of an authorisation, the giving of a notice or as a consequence of any authorised conduct, or any conduct undertaken to comply with a notice, a record should be kept.
6.15. Where an error results in communications data being acquired or disclosed wrongly, a report must be made to the Commissioner ('a reportable error'). Such errors can have very significant consequences on an affected individual's rights with details of their private communications being disclosed to a public authority and, in extreme circumstances, being wrongly detained or wrongly accused of a crime as a result of that error.
6.16. In cases where an error has occurred but is identified by the public authority or the CSP without data being acquired or disclosed wrongly, a record will be maintained by the public authority of such occurrences ('recordable error'). These records must be available for inspection by the Commissioner.
6.17. This section of the code cannot provide an exhaustive list of possible causes of reportable or recordable errors. Examples could include:
Reportable errors
- an authorisation or notice made for a purpose, or for a type of data, which the relevant public authority cannot call upon, or seek, under RIPA;
- human error, such as incorrect transposition of information from an application to an authorisation or notice where communications data is acquired or disclosed;
- disclosure of the wrong data by a CSP when complying with a notice; and
- acquisition of the wrong data by a public authority when engaging in conduct specified in an authorisation.
Recordable errors
- a notice has been given which is impossible for a CSP to comply with and the public authority attempts to impose the requirement;
- failure to review information already held, for example unnecessarily seeking the acquisition or disclosure of data already acquired or obtained for the same investigation or operation;
- the requirement to acquire or obtain the data is known to be no longer valid;
- failure to serve written notice (or where appropriate an authorisation) upon a CSP within one working day of urgent oral notice being given or an urgent oral authorisation granted; and
- human error, such as incorrect transposition of information from an application to an authorisation or notice where communications data is not acquired or disclosed.
6.18. Reporting and recording of errors will draw attention to those aspects of the process of acquisition and disclosure of communications data that require further improvement to eliminate errors and the risk of undue interference with any individual's rights.
6.19. When a reportable error has been made, the public authority which made the error, or established that the error had been made, must establish the facts and report the error to the authority's senior responsible officer and then to the IOCCO within no more than five working days of the error being discovered. All errors should be reported as they arise. If the report relates to an error made by a CSP, the public authority should also inform the CSP and IOCCO of the report in written or electronic form. This will enable the CSP and IOCCO to investigate the cause or causes of the reported error.
6.20. The report sent to the IOCCO by a public authority in relation to a reportable error must include details of the error, identified by the public authority's unique reference number of the relevant authorisation or notice, explain how the error occurred, indicate whether any unintended collateral intrusion has taken place and provide an indication of what steps have been, or will be, taken to ensure that a similar error does not recur. When a public authority reports an error made by a CSP, the report must include details of the error and indicate whether the CSP has been informed or not (in which case the public authority must explain why the CSP has not been informed of the report).
6.21. Where a CSP discloses communications data in error, it must report each error to the IOCCO within no more than five working days of the error being discovered. It is appropriate for a person holding a suitably senior position within a CSP to do so, identifying the error by reference to the public authority's unique reference number and providing an indication of what steps have been, or will be, taken to ensure that a similar error does not recur. Errors by service providers could include responding to a notice by disclosing incorrect data or by disclosing the required data to the wrong public authority.
6.22. In circumstances where a reportable error is deemed to be of a serious nature, the Commissioner may investigate the circumstances that led to the error and assess the impact of the interference on the affected individual's rights. The Commissioner may inform the affected individual, who may make a complaint to the Investigatory Powers Tribunal (see section 9).
6.23. The records kept by a public authority accounting for recordable errors must include details of the error, explain how the error occurred and provide an indication of what steps have been, or will be, taken to ensure that a similar error does not reoccur. The authority's senior responsible officer must undertake a regular review of the recording of such errors.
6.24. Where material which has no connection or relevance to any investigation or operation undertaken by the public authority receiving it is disclosed in error by a CSP, that material and any copy of it (including copies contained in or as attachments in electronic mail) should be destroyed as soon as the report to the Commissioner has been made.
...
Excess Data
6.26. Where authorised conduct by a public authority results in the acquisition of excess data, or its disclosure by a CSP in order to comply with the requirement of a notice, all the data acquired or disclosed should be retained by the public authority.
6.27. Where a public authority is bound by the CPIA and its code of practice, there will be a requirement to record and retain data which is relevant to a criminal investigation, even if that data was disclosed or acquired beyond the scope of a valid notice or authorisation. If a criminal investigation results in proceedings being instituted all material that may be relevant must be retained at least until the accused is acquitted or convicted or the prosecutor decides not to proceed.
6.28. If, having reviewed the excess data, it is intended to make use of the excess data in the course of the investigation or operation, an applicant must set out the reason(s) for needing to use that material in an addendum to the application upon which the authorisation or notice was originally granted or given. The designated person will then consider the reason(s) and review all the data and consider whether it is necessary and proportionate for the excess data to be used in the investigation or operation. As with all communications data acquired, the requirements of the DPA and its data protection principles must also be adhered to in relation to any excess data (see next section).
7 DATA PROTECTION SAFEGUARDS
7.1. Communications data acquired or obtained under the provisions of RIPA, and all copies, extracts and summaries of it, must be handled and stored securely. In addition, the requirements of the DPA and its data protection principles must be adhered to.
7.2. Communications data that is obtained directly as a consequence of the execution of an interception warrant must be treated in accordance with the safeguards which the Secretary of State has approved in accordance with section 15 of RIPA.
Disclosure of communications data and subject access rights
7.3. This section of the code provides guidance on the relationship between disclosure of communications data under RIPA and the provisions for subject access requests under the DPA, and the balance between CSPs' obligations to comply with a notice to disclose data and individuals' right of access under section 7 of the DPA to personal data held about them.
7.4. There is no provision in RIPA preventing CSPs from informing individuals about whom they have been required by notice to disclose communications data in response to a Subject Access Request made under section 7 of the DPA. However a CSP may exercise certain exemptions to the right of subject access under Part IV of the DPA.
7.5. Section 28 of the DPA provides that data are always exempt from section 7 where such an exemption is required for the purposes of safeguarding national security.
7.6. Section 29 of the DPA provides that personal data processed for the purposes of the prevention and detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or other imposition of a similar nature are exempt from section 7 to the extent to which the application of the provisions for rights of data subjects would be likely to prejudice any of those matters.
7.7. The exemption to subject access rights possible under section 29 does not automatically apply to the disclosure of the existence of notices given under RIPA. In the event that a CSP receives a subject access request where the fact of a disclosure under RIPA might itself be disclosed, the CSP concerned must carefully consider whether in the particular case disclosure of the fact of the notice would be likely to prejudice the prevention or detection of crime.
7.8. Where a CSP is uncertain whether disclosure of the fact of a notice would be likely to prejudice an investigation or operation, it should approach the SPoC of the public authority which gave the notice - and do so in good time to respond to the subject access request. The SPoC can make enquiries within the public authority to determine whether disclosure of the fact of the notice would likely be prejudicial to the matters in section 29.
7.9. Where a CSP withholds a piece of information in reliance on the exemption in section 28 or 29 of the DPA, it is not obliged to inform an individual that any information has been withheld. It can simply leave out that piece of information and make no reference to it when responding to the individual who has made the subject access request.
7.10. CSPs should keep a record of the steps they have taken in determining whether disclosure of the fact of a notice would prejudice the apprehension or detection of offenders. This might be useful in the event of the data controller having to respond to enquiries made subsequently by the Information Commissioner, the courts and, in the event of prejudice, the police. Under section 42 of the DPA an individual may request that the Information Commissioner assesses whether a subject access request has been handled in compliance with the DPA.
Acquisition of communication data on behalf of overseas authorities
7.11. While the majority of public authorities which obtain communications data under RIPA have no need to disclose that data to any authority outside the United Kingdom, there can be occasions when it is necessary, appropriate and lawful to do so in matters of international co-�operation.
7.12. There are two methods by which communications data, whether obtained under RIPA or not, can be acquired and disclosed to overseas public authorities:
- judicial co-�operation; or
- non-�judicial co-�operation.
Neither method compels United Kingdom public authorities to disclose data to overseas authorities. Data can only be disclosed when a United Kingdom public authority is satisfied that it is in the public interest to do so and all relevant conditions imposed by domestic legislation have been fulfilled.
Judicial co-operation
7.13. A central authority in the United Kingdom may receive a request for mutual legal assistance (MLA) which includes a request for communications data from an overseas court exercising criminal jurisdiction, an overseas prosecuting authority, or any other overseas authority that appears to have a function of making requests for MLA. This MLA request must be made in connection with criminal proceedings or a criminal investigation being carried on outside the United Kingdom, and the request for communications data included must be capable of satisfying the requirements of Part I Chapter II of RIPA.
7.14. If such an MLA request is accepted by the central authority, it will be referred for consideration by the appropriate public authority in the UK. The application may then be considered and, if appropriate, executed by that public authority under section 22 of RIPA and in line with the guidance in this code of practice.
7.15. In order for a notice or authorisation to be granted, the United Kingdom public authority must be satisfied that the application meets the same criteria of necessity and proportionality as required for a domestic application.
Non-judicial co-operation
7.16. Public authorities in the United Kingdom can receive direct requests for assistance from their counterparts in other countries. These can include requests for the acquisition and disclosure of communications data for the purpose of preventing or detecting crime. On receipt of such a request, the United Kingdom public authority may consider seeking the acquisition or disclosure of the requested data under the provisions of Chapter II of Part I of RIPA.
7.17. The United Kingdom public authority must be satisfied that the request complies with United Kingdom obligations under human rights legislation. The necessity and proportionality of each case must be considered before the authority processes the authorisation or notice.
Disclosure of communications data to overseas authorities
7.18. Where a United Kingdom public authority is considering the acquisition of communications data on behalf of an overseas authority and transferring the data to that authority, it must consider whether the data will be adequately protected outside the United Kingdom and what safeguards may be needed to ensure that. Such safeguards might include attaching conditions to the processing, storage and destruction of the data.
7.19. If the proposed transfer of data is to an authority within the European Union, that authority will be bound by the European Data Protection Directive (95/46/EC) and its national data protection legislation. Any data disclosed will be protected there without need for additional safeguards.
7.20. If the proposed transfer is to an authority outside of the European Union and the European Economic Area (Iceland, Liechtenstein and Norway), then it must not be disclosed unless the overseas authority can ensure an adequate level of data protection. The European Commission has determined that certain countries, for example Switzerland, have laws providing an adequate level of protection where data can be transferred without need for further safeguards.
7.21. In all other circumstances, the United Kingdom public authority must decide in each case, before transferring any data overseas, whether the data will be adequately protected there. The Information Commissioner has published guidance on sending personal data outside the European Economic Area in compliance with the Eighth Data Protection Principle, and, if necessary, his office can provide guidance.
7.22. The DPA recognises that it will not always be possible to ensure adequate data protection in countries outside of the European Union and the European Economic Area, and there are exemptions to the principle, for example if the transfer of data is necessary for reasons of 'substantial public interest'. There may be circumstances when it is necessary, for example in the interests of national security, for communications data to be disclosed to a third party country, even though that country does not have adequate safeguards in place to protect the data. That is a decision that can only be taken by the public authority holding the data on a case by case basis.
8 OVERSIGHT
8.1. RIPA provides for an Interception of Communications Commissioner ('the Commissioner') whose remit is to provide independent oversight of the exercise and performance of the powers and duties contained under Chapter II of Part I of RIPA. The Commissioner is supported by his inspectors who work from the Interception of Communications Commissioner's Office (IOCCO).
8.2. This code does not cover the exercise of the Commissioner's functions. It is the duty of any person who uses the powers conferred by Chapter II, or on whom duties are conferred, to comply with any request made by the Commissioner to provide any information he requires for the purposes of enabling him to discharge his functions.
8.3. Should the Commissioner establish that an individual has been adversely affected by any wilful or reckless failure by any person within a relevant public authority exercising or complying with the powers and duties under RIPA in relation to the acquisition or disclosure of communications data, he shall, subject to safeguarding national security, inform the affected individual of the existence of the Tribunal and its role. The Commissioner should disclose sufficient information to the affected individual to enable them to engage the Tribunal effectively.
8.4. Reports made by the Commissioner concerning the inspection of public authorities and their exercise and performance of powers under Chapter II may be made available by the Commissioner to the Home Office to promulgate good practice and help identify training requirements within public authorities and CSPs.
8.5. Subject to the approval of the Commissioner, public authorities may publish their inspection reports, in full or in summary, to demonstrate both the oversight to which they are subject and their compliance with Chapter II of RIPA and this code. Approval should be sought on a case by case basis at least ten working days prior to intended publication, stating whether the report is to be published in full, and, if not, stating which parts are to be published or how it is to be summarised."
3. News Group and Others v. The Commissioner of Police of the Metropolis IPT/14/176/H, [2015] UKIPTrib 14_176-H, 17 December 2015
118 . These proceedings were brought before the IPT by three journalists and their employer. They challenged four authorisations issued under section 22 of RIPA with the purpose of enabling police to obtain communications data which might reveal sources of information obtained by the journalists. They argued, inter alia , that the section 22 regime (at the time supplemented by the 2007 Code of Practice) breached their rights under Article 10 of the Convention as it did not adequately safeguard the confidentiality of journalists' sources. The IPT agreed that the regime in place at the time did not contain effective safeguards to protect Article 10 rights in a case in which the authorisation had the purpose of obtaining disclosure of the identity of a journalist's source. It held:
"107. In the absence of a requirement for prior scrutiny by a court, particular regard must be paid to the adequacy of the other safeguards prescribed by the law. The designated person is not independent of the police force, although in practice, properly complying with the requirements of s 22, he will make an independent judgement, as he did in this case. In general the requirement for a decision on necessity and proportionality to be taken by a senior officer who is not involved in the investigation does provide a measure of protection as to process, but the role of the designated person cannot be equated to that of an independent and impartial judge or tribunal.
108. Subsequent oversight by the Commissioner, or, in the event of a complaint, by this Tribunal, cannot after the event prevent the disclosure of a journalist's source. This is in contrast to criminal investigations where a judge at a criminal trial may be able to exclude evidence which has been improperly or unfairly obtained by an authorisation made under s 22. Where an authorisation is made which discloses a journalist's source that disclosure cannot subsequently be reversed, nor the effect of such disclosure mitigated. Nor was there any requirement in the 2007 Code for any use of s 22 powers for the purpose of obtaining disclosure of a journalist's source to be notified to the Commissioner, so in such cases this use of the power might not be subject to any effective review. Furthermore none of the Complainants had any reason to suspect that their data had been accessed until the closing report on Operation Alice was published in September 2014. If the Respondent had not disclosed that information - and it is to his credit that he did - then the Complainants would never have been in a position to bring these proceedings.
109. So in a case involving the disclosure of a journalist's source the safeguards provided for under s 22 and the 2007 Code were limited to requiring a decision as to necessity and proportionality to be made by a senior police officer, who was not directly involved in the investigation and who had a general working knowledge of human rights law. The 2007 Code imposed no substantive or procedural requirement specific to cases affecting the freedom of the press. There was no requirement that an authorisation should only be granted where the need for disclosure was convincingly established, nor that there should be very careful scrutiny balancing the public interest in investigating crime against the protection of the confidentiality of journalistic sources. The effect of s 22 and the 2007 Code was that the designated person was to make his decision on authorisation on the basis of the same general tests of necessity and proportionality which would be applied to an application in any criminal investigation."
119. The IPT could not award any remedy in respect of the failure to provide adequate safeguards to protect Article 10 rights, as this did not in itself render the authorisations unlawful. However, it also found that one of the authorisations was unlawful, as it had been neither proportionate nor necessary. In considering the appropriate remedy, it acknowledged that it had the power to award compensation, but declined to do so since it did not consider it necessary to afford just satisfaction.
120 . In March 2015 the 2007 Code of Practice was replaced by a new code. Paragraph 3.78 of that new ACD Code provides that in the specific case of an application for communications data, which is made in order to identify a journalist's source, those law enforcement agencies with powers under the Police and Criminal Evidence Act 1984 (PACE) must use the procedures of PACE to apply to a court for a production order to obtain this data.
4. The Police and Criminal Evidence Act 1984
121. Schedule 1 of PACE governs the procedure for applying to court for a production order. It provides, as relevant:
"1. If on an application made by a constable a judge is satisfied that one or other of the sets of access conditions is fulfilled, he may make an order under paragraph 4 below.
...
4. An order under this paragraph is an order that the person who appears to the judge to be in possession of the material to which the application relates shall-�
(a) produce it to a constable for him to take away; or
(b) give a constable access to it,
not later than the end of the period of seven days from the date of the order or the end of such longer period as the order may specify.
...
7. An application for an order under paragraph 4 above that relates to material that consists of or includes journalistic material shall be made inter partes ."
122. Section 78 of PACE permits a court to refuse to allow evidence on which the prosecution proposes to rely to be given if it appears to the court that, having regard to all the circumstances, including the circumstances in which the evidence was obtained, the admission of the evidence would have such an adverse effect on the fairness of the proceedings that the court ought not to admit it.
123 . The IPT was established under section 65(1) of RIPA to hear allegations by citizens of wrongful interference with their communications as a result of conduct covered by that Act. Members must hold or have held high judicial office or be a qualified lawyer of at least ten years' standing.
124 . Section 65(2) provides that the IPT is the only appropriate forum in relation to proceedings against any of the intelligence services for acts allegedly incompatible with Convention rights, and complaints by persons who allege to have been subject to the investigatory powers of RIPA. It has jurisdiction to investigate any complaint that a person's communications have been intercepted and, where interception has occurred, to examine the authority for such interception.
125. According to sections 67(2) and 67(3)(c), the IPT is to apply the principles applicable by a court on an application for judicial review. It does not, however, have power to make a Declaration of Incompatibility if it finds primary legislation to be incompatible with the European Convention on Human Rights as it is not a "court" for the purposes of section 4 of the Human Rights Act 1998.
126. Under section 67(8), there is no appeal from a decision of the IPT "except to such extent as the Secretary of State may by order otherwise provide". No such order has been made by the Secretary of State. Furthermore, in R(Privacy International) v. Investigatory Powers Tribunal [2017] EWCA Civ 1868 the Court of Appeal recently confirmed that section 67(8) also had the effect of preventing a judicial review claim from being brought against a decision of the IPT. As a consequence, the IPT is a court of last resort for the purposes of the obligation to request a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union (see paragraph 236 below).
127 . Section 68(6) and (7) requires those involved in the authorisation and execution of an interception warrant to disclose or provide to the IPT all documents and information it may require.
128 . Section 68(4) provides that where the IPT determines any complaint it has the power to award compensation and to make such other orders as it thinks fit, including orders quashing or cancelling any warrant and orders requiring the destruction of any records obtained thereunder (section 67(7)). In the event that a claim before the IPT is successful, the IPT is generally required to make a report to the Prime Minister (section 68(5)).
129. Section 68(1) entitles the IPT to determine its own procedure, although section 69(1) provides that the Secretary of State may also make procedural rules.
2. The Investigatory Powers Tribunal Rules 2000 ("the Rules")
130. The Rules were adopted by the Secretary of State to govern various aspects of the procedure before the IPT.
131 . Although the IPT is under no duty to hold oral hearings, pursuant to Rule 9 it may hold, at any stage of consideration, oral hearings at which the complainant may make representations, give evidence and call witnesses. It may also hold separate oral hearings which the person whose conduct is the subject of the complaint, the public authority against which the proceedings are brought, or any other person involved in the authorisation or execution of an interception warrant may be required to attend. Rule 9 provides that the IPT's proceedings, including any oral hearings, are to be conducted in private.
132. Rule 11 allows the IPT to receive evidence in any form, even where it would not be admissible in a court of law. It may require a witness to give evidence on oath, but no person can be compelled to give evidence at an oral hearing under Rule 9(3).
133. Rule 13 provides guidance on notification to the complainant of the IPT's findings:
"(1) In addition to any statement under section 68(4) of the Act, the Tribunal shall provide information to the complainant in accordance with this rule.
(2) Where they make a determination in favour of the complainant, the Tribunal shall provide him with a summary of that determination including any findings of fact.
...
(4) The duty to provide information under this rule is in all cases subject to the general duty imposed on the Tribunal by rule 6(1).
(5) No information may be provided under this rule whose disclosure would be restricted under rule 6(2) unless the person whose consent would be needed for disclosure under that rule has been given the opportunity to make representations to the Tribunal."
134. Rule 6 requires the IPT to carry out its functions in such a way as to ensure that information is not disclosed that is contrary to the public interest or prejudicial to national security, the prevention or detection of serious crime, the economic well-being of the United Kingdom or the continued discharge of the functions of any of the intelligence services. Pursuant to Rule 6, in principle, the IPT is not permitted to disclose: the fact that it has held an oral hearing under Rule 9(4); any information disclosed to it in the course of that hearing or the identity of any witness at that hearing; any information otherwise disclosed to it by any person involved in the authorisation or execution of interception warrants, or any information provided by a Commissioner; and the fact that any information has been disclosed or provided. However, the IPT may disclose such information with the consent of the person required to attend the hearing, the person who disclosed the information, the Commissioner, or the person whose consent was required for disclosure of the information, as the case may be. The IPT may also disclose such information as part of the information provided to the complainant under Rule 13(2), subject to the restrictions contained in Rule 13(4) and (5).
135 . In R(A) v. Director of Establishments of the Security Service [2009] EWCA Civ 24 Lord Justice Laws observed that the IPT was "a judicial body of like standing and authority to the High Court". More recently, in R(Privacy International) v. Investigatory Powers Tribunal (cited above) Lord Justice Sales noted that "[t]he quality of the membership of the IPT in terms of judicial expertise and independence is very high".
3. IPT ruling on preliminary issues of law
136 . On 23 January 2003, in a case involving a complaint by British-Irish Rights Watch, the IPT gave a ruling on preliminary issues of law, [2003] UKIPTrib 01_62, in which it considered whether a number of aspects of its procedure were within the powers conferred on the Secretary of State and Convention compliant. The IPT sat, for the first time, in public.
137 . Specifically on the applicability of Article 6 § 1 to the proceedings before it, the IPT found:
"85. The conclusion of the Tribunal is that Article 6 applies to a person's claims under section 65(2)(a) and to his complaints under section 65(2)(b) of RIPA, as each of them involves 'the determination of his civil rights' by the Tribunal within the meaning of Article 6(1)."
138 . The IPT considered that Rule 9 made it clear that oral hearings could be held at its discretion. If a hearing was held, it had to be held in accordance with Rule 9. The absence from the Rules of an absolute right to either an inter partes oral hearing, or, failing that, to a separate oral hearing in every case was within the rule-making power in section 69(1) of RIPA and was compatible with the Convention rights under Article 6, 8 and 10. The IPT explained that oral hearings involving evidence or a consideration of the substantive merits of a claim or complaint ran the risk of breaching the "neither confirm nor deny" policy or other aspects of national security and the public interest. It was therefore necessary to provide safeguards against that and the conferring of a discretion to decide when there should be oral hearings and what form they should take was a proportionate response to the need for safeguards.
139 . The IPT found the language in Rule 9(6), which stipulates that oral hearings must be held in private, to be clear and unqualified; it therefore had no discretion in the matter. It concluded that the width and blanket nature of the rule went beyond what was authorised by section 69 of RIPA and, as a consequence, it found Rule 9(6) to be ultra vires section 69 and not binding on it.
140. The IPT also considered the requirements in Rule 6 for the taking of evidence and disclosure. It concluded that these departures from the adversarial model were within the power conferred on the Secretary of State and compatible with Convention rights in Articles 8 and 10, taking account of the exceptions for the public interest and national security in Articles 8(2) and 10(2), and in particular the effective operation of the legitimate policy of "neither confirm nor deny" in relation to the use of investigatory powers. It noted that disclosure of information was not an absolute right where there were competing interests, such as national security considerations.
141 . Finally, as regards the absence of reasons following a negative decision, the IPT concluded that section 68(4) and Rule 13 were valid and binding and that the distinction between information given to the successful complainants and that given to unsuccessful complainants (where the "neither confirm nor deny" policy had to be preserved) was necessary and justifiable.
142 . The IPT may appoint Counsel to the Tribunal to make submissions on behalf of applicants in hearings at which they cannot be represented. In the Liberty case, Counsel to the Tribunal described his role as follows:
"Counsel to the Tribunal performs a different function [from special advocates in closed proceedings conducted before certain tribunals], akin to that of amicus curiae . His or her function is to assist the Tribunal in whatever way the Tribunal directs. Sometimes (e.g. in relation to issues on which all parties are represented), the Tribunal will not specify from what perspective submissions are to be made. In these circumstances, counsel will make submissions according to his or her own analysis of the relevant legal or factual issues, seeking to give particular emphasis to points not fully developed by the parties. At other times (in particular where one or more interests are not represented), the Tribunal may invite its counsel to make submissions from a particular perspective (normally the perspective of the party or parties whose interests are not otherwise represented)."
143 . This description was accepted and endorsed by the IPT.
144. Part IV of RIPA provided for the appointment by the Prime Minister of an Interception of Communications Commissioner and an Intelligence Services Commissioner charged with supervising the activities of the intelligence services.
145 . The Interception of Communications Commissioner was responsible for keeping under review the interception of communications and the acquisition and disclosure of communications data by intelligence agencies, police forces and other public authorities. He reported to the Prime Minister on a half-yearly basis with respect to the carrying out of his functions. This report was a public document (subject to the non-disclosure of confidential annexes) which was laid before Parliament. In undertaking his review of surveillance practices, the Commissioner and his inspectors had access to all relevant documents, including closed materials, and all those involved in interception activities had a duty to disclose to him any material he required. The obligation on intercepting agencies to keep records ensured that the Commissioner had effective access to details of surveillance activities undertaken.
146. The Intelligence Services Commissioner also provided independent external oversight of the use of the intrusive powers of the intelligence services and parts of the Ministry of Defence. He also submitted annual reports to the Prime Minister, which were laid before Parliament.
147 . However, these provisions, insofar as they relate to England, Scotland and Wales, were repealed by the Investigatory Powers Act 2016 (see paragraphs 195-201 below) and in September 2017 the Investigatory Powers Commissioner's Office ("IPCO") took over responsibility for the oversight of investigatory powers. The IPCO consists of around fifteen Judicial Commissioners, current and recently retired High Court, Court of Appeal and Supreme Court Judges; a Technical Advisory Panel made up of scientific experts; and almost fifty official staff, including inspectors, lawyers and communications experts. The more intrusive powers such as interception, equipment interference and the use of surveillance in sensitive environments will be subject to the prior approval of a Judicial Commissioner once the provisions of the 2016 Act have entered into force. Use of these and other surveillance powers, including the acquisition of communications data and the use of covert human intelligence sources, are also overseen by a programme of retrospective inspection and audit by Judicial Commissioners and IPCO's inspectors.
F. Reviews of interception operations by the intelligence service
148 . The Intelligence and Security Committee of Parliament ("the ISC") was originally established by the Intelligence Services Act 1994 to examine the policy, administration and expenditure of MI5, MI6, and GCHQ. Since the introduction of the Justice and Security Act 2013, however, the ISC was expressly given the status of a Committee of Parliament; was provided with greater powers; and its remit was increased to include inter alia oversight of operational activity and the wider intelligence and security activities of Government. Pursuant to sections 1-4 of the Justice and Security Act 2013, it consists of nine members drawn from both Houses of Parliament, and, in the exercise of their functions, those members are routinely given access to highly classified material in carrying out their duties.
149. Following the Edward Snowden revelations, the ISC conducted an investigation into GCHQ's access to the content of communications intercepted under the US PRISM programme, the legal framework governing access, and the arrangements GCHQ had with its overseas counterpart for sharing information. In the course of the investigation, the ISC took detailed evidence from GCHQ and discussed the programme with the NSA.
150 . The ISC concluded that allegations that GCHQ had circumvented United Kingdom law by using the NSA PRISM programme to access the content of private communications were unfounded as GCHQ had complied with its statutory duties contained in the ISA. It further found that in each case where GCHQ sought information from the United States, a warrant for interception, signed by a Government Minister, had already been in place. However, it found it necessary to further consider whether the current statutory framework governing access to private communications remained accurate.
2. Privacy and security: a modern and transparent legal framework
151 . Following its statement in July 2013, the ISC conducted a more in-depth inquiry into the full range of the intelligence services' capabilities. Its report, which contained an unprecedented amount of information about the intelligence services' intrusive capabilities, was published on 12 March 2015 (see paragraphs 11-13 above).
152 . The ISC was satisfied that the United Kingdom's intelligence and security services did not seek to circumvent the law, including the requirements of the Human Rights Act 1998, which governs everything that they do. However, it considered that as the legal framework had developed piecemeal, it was unnecessarily complicated. The ISC therefore had serious concerns about the resulting lack of transparency, which was not in the public interest. Consequently, its key recommendation was that the current legal framework be replaced by a new Act of Parliament which should clearly set out the intrusive powers available to the intelligence services, the purposes for which they may use them, and the authorisation required before they may do so.
153. With regard to GCHQ's bulk interception capability, the inquiry showed that the intelligence services did not have the legal authority, the resources, the technical capability, or the desire to intercept every communication of British citizens, or of the Internet as a whole: thus, GCHQ were not reading the emails of everyone in the United Kingdom. On the contrary, GCHQ's bulk interception systems operated on a very small percentage of the bearers that made up the Internet and the ISC was satisfied that GCHQ applied levels of filtering and selection such that only a certain amount of the material on those bearers was collected. Further targeted searches ensured that only those items believed to be of the highest intelligence value were ever presented for analysts to examine, and therefore only a tiny fraction of those collected were ever seen by human eyes.
154. In respect of Internet communications, the ISC considered that the current system of 'internal' and 'external' communications was confusing and lacked transparency and it therefore suggested that the Government publish an explanation of which Internet communications fall under which category, including a clear and comprehensive list of communications.
155. Nevertheless, the inquiry had established that bulk interception could not be used to target the communications of an individual in the United Kingdom without a specific authorisation naming that individual, signed by a Secretary of State.
156 . With regard to section 8(4) warrants, the ISC observed that the warrant itself was very brief. It further noted that insofar as the accompanying certificate set out the categories of communications which might be examined, those categories were expressed in very general terms (for example, "material providing intelligence on terrorism (as defined by the Terrorism Act 2000 (as amended)), including, but not limited to, terrorist organisations, terrorists, active sympathisers, attack planning, fund-raising"). Given that the certificate was so generic, the ISC questioned whether it needed to be secret or whether, in the interests of transparency, it could be published.
157 . Although the section 8(4) certificate set out the general categories of information which might be examined, the ISC observed that in practice, it was the selection of the bearers, the application of simple selectors and initial search criteria, and then complex searches which determined what communications were examined. The ISC had therefore sought assurances that these were subject to scrutiny and review by Ministers and/or the Commissioners. However, the evidence before the ISC indicated that neither Ministers nor the Commissioners had any significant visibility of these issues. The ISC therefore recommended that the Interception of Communications Commissioner should be given statutory responsibility to review the various selection criteria used in bulk interception to ensure that they followed directly from the Certificate and valid national security requirements.
158 . The ISC noted that communications data was central to most intelligence services' investigations: it could be analysed to find patterns that reflected particular online behaviours associated with activities such as attack planning, and to establish links, to help focus on individuals who might pose a threat, to ensure that interception was properly targeted, and to illuminate networks and associations relatively quickly. It was particularly useful in the early stages of an investigation, when the intelligence services had to be able to determine whether those associating with a target were connected to the plot (and therefore required further investigation) or were innocent bystanders. According to the Secretary of State for the Home Department, it had "played a significant role in every Security Service counter-terrorism operation over the last decade". Nevertheless, the ISC expressed concern about the definition of "communications data". While it accepted that there was a category of communications data which was less intrusive than content, and therefore did not require the same degree of protection, it considered that there now existed certain categories of communications data which had the potential to reveal more intrusive details about a person's private life and, therefore, required greater safeguards.
159 . Finally, with regard to the IPT, it expressly recognised the importance of a domestic right of appeal.
160 . The Independent Reviewer of Terrorism Legislation, a role that has existed since the late 1970s, is an independent person, appointed by the Home Secretary and by the Treasury for a renewable three-year term and tasked with reporting to the Home Secretary and to Parliament on the operation of counter-terrorism law in the United Kingdom. These reports are then laid before Parliament, to inform the public and political debate. The Independent Reviewer's role is to inform the public and political debate on anti-terrorism law in the United Kingdom. The uniqueness of the role lies in its complete independence from government, coupled with access based on a very high degree of clearance to secret and sensitive national security information and personnel.
161. The purpose of the Anderson Report, published in June 2015 and identified by reference to the then Independent Reviewer of Terrorism Legislation, was to inform the public and political debate on the threats to the United Kingdom, the capabilities required to combat those threats, the safeguards in place to protect privacy, the challenges of changing technology, issues relating to transparency and oversight, and the case for new or amended legislation. In conducting the review the Independent Reviewer had unrestricted access, at the highest level of security clearance, to the responsible Government departments and public authorities. He also engaged with service providers, independent technical experts, non-governmental organisations, academics, lawyers, judges and regulators.
162 . The Independent Reviewer noted that the statutory framework governing investigatory powers had developed in a piecemeal fashion, with the consequence that there were "few [laws] more impenetrable than RIPA and its satellites".
163 . With regard to the importance of communications data, he observed that it enabled the intelligence services to build a picture of a subject of interest's activities and was extremely important in providing information about criminal and terrorist activity. It identified targets for further work and also helped to determine if someone was completely innocent. Of central importance was the ability to use communications data (subject to necessity and proportionality) for:
(a) linking an individual to an account or action (for example, visiting a website, sending an email) through IP resolution;
(b) establishing a person's whereabouts, traditionally via cell site or GPRS data;
(c) establishing how suspects or victims are communicating (that is, via which applications or services);
(d) observing online criminality (for example, which websites are being visited for the purposes of terrorism, child sexual exploitation or purchases of firearms or illegal drugs); and
(e) exploiting data (for example, to identify where, when and with whom or what someone was communicating, how malware or a denial of service attack was delivered, and to corroborate other evidence).
164. Moreover, analysis of communications data could be performed speedily, making it extremely useful in fast-moving operations, and use of communications data could build a case for using a more intrusive measure, or deliver the information that would make other measures unnecessary.
165 . His proposals for reform can be summarised as follows:
(a) A comprehensive and comprehensible new law should be drafted, replacing "the multitude of current powers" and providing clear limits and safeguards on any intrusive power it may be necessary for public authorities to use;
(b) The definitions of "content" and "communications data" should be reviewed, clarified and brought up-to-date;
(c) The capability of the security and intelligence agencies to practice bulk collection of intercepted material and associated communications data should be retained, but only subject to strict additional safeguards including the authorisation of all warrants by a Judicial Commissioner at a new Independent Surveillance and Intelligence Commission ("ISIC");
(d) The purposes for which material or data was sought should be spelled out in the accompanying certificate by reference to specific operations or mission purposes (for example, "attack planning by ISIL in Iraq/Syria against the UK");
(e) There should be a new form of bulk warrant limited to the acquisition of communications data which could be a proportionate option in certain cases;
(f) Regarding the authorisation for the acquisition of communications data, designated persons should be required by statute to be independent from the operations and investigations in relation to which the authorisation is sought;
(g) Novel or contentious requests for communications data, or requests for the purpose of determining matters that are privileged or confidential, should be referred to the ISIC for determination by a Judicial Commissioner;
(h) The ISIC should take over intelligence oversight functions and should be public-facing, transparent and accessible to the media; and
(i) The IPT should have the capacity to make declarations of incompatibility and its rulings should be subject to appeals on points of law.
4. A Democratic Licence to Operate: Report of the Independent Surveillance Review ("ISR")
166 . The ISR was undertaken by the Royal United Services Institute, an independent think-tank, at the request of the then deputy Prime Minister, partly in response to the revelations by Edward Snowden. Its terms of reference were to look at the legality of United Kingdom surveillance programmes and the effectiveness of the regimes that govern them, and to suggest reforms which might be necessary to protect both individual privacy and the necessary capabilities of the police and security and intelligence services.
167 . Despite the revelations by Edward Snowden, having completed its review the ISR found no evidence that the British Government was knowingly acting illegally in intercepting private communications, or that the ability to collect data in bulk was being used by the Government to provide it with a perpetual window into the private lives of British citizens. On the other hand, it found evidence that the present legal framework authorising the interception of communications was unclear, had not kept pace with developments in communications' technology, and did not serve either the Government or members of the public satisfactorily. It therefore concluded that a new, comprehensive and clearer legal framework was required.
168. In particular, it supported the view set out in both the ISC and Anderson reports that while the current surveillance powers were needed, both a new legislative framework and oversight regime were required. It further considered that the definitions of "content" and "communications data" should be reviewed as part of the drafting of the new legislation so that they could be clearly delineated in law.
169 . With regard to communications data, the report noted that greater volumes were available on an individual relative to content, since every piece of content was surrounded by multiple pieces of communications data. Furthermore, aggregating data sets could create an extremely accurate picture of an individual's life since, given enough raw data, algorithms and powerful computers could generate a substantial picture of the individual and his or her patterns of behaviour without ever accessing content. In addition, the use of increasingly sophisticated encryption methods had made content increasingly difficult to access.
170. It further considered that the capability of the security and intelligence services to collect and analyse intercepted material in bulk should be maintained, but with the stronger safeguards recommended in the Anderson Report. In particular, it agreed that warrants for bulk interception should include much more detail than is currently the case and should be the subject of a judicial authorisation process, save for when there is an urgent requirement.
171. In addition, it agreed with both the ISC and the Anderson report that there should be different types of warrant for the interception and acquisition of communications and related data. It was proposed that warrants for a purpose relating to the detection or prevention of serious and authorised crime should always be authorised by a Judicial Commissioner, while warrants for purposes relating to national security should be authorised by the Secretary of State subject to judicial review by a Judicial Commissioner.
172 . With regard to the IPT, the ISR recommended open public hearings, except where it was satisfied private or closed hearings were necessary in the interests of justice or other identifiable public interest. Furthermore, it should have the ability to test secret evidence put before it, possibly through the appointment of Special Counsel. Finally, it agreed with the ISC and Anderson reports that a domestic right of appeal was important and should be considered in future legislation.
5. Report of the Bulk Powers Review
173 . The bulk powers review was set up in May 2016 to evaluate the operational case for the four bulk powers contained in what was then the Investigatory Powers Bill (now the Investigatory Powers Act 2016: see paragraphs 195-201 below). Those powers related to bulk interception and the bulk acquisition of communications data, bulk equipment interference and the acquisition of bulk personal datasets.
174. The review was again carried out by the Independent Reviewer of Terrorism Legislation. To conduct the review he recruited three team members, all of whom had the necessary security clearance to access very highly classified material, including a person with the necessary technical background to understand the systems and techniques used by GCHQ, and the uses to which they could be put; an investigator with experience as a user of secret intelligence, including intelligence generated by GCHQ; and senior independent counsel with the skills and experience to challenge forensically the evidence and the case studies presented by the security and intelligence services.
175. In conducting their review, the team had significant and detailed contact with the intelligence services at all levels of seniority as well as the relevant oversight bodies (including the IPT and Counsel to the Tribunal in the relevant cases), NGOs and independent technical experts.
176 . Although the review was of the Investigatory Powers Bill, a number of its findings in respect of bulk interception are relevant to the case at hand. In particular, having examined a great deal of closed material, the review concluded that it was an essential capability: first, because terrorists, criminal and hostile foreign intelligence services had become increasingly sophisticated at evading detection by traditional means; and secondly, because the nature of the global Internet meant that the route a particular communication would travel had become hugely unpredictable. The review team looked at alternatives to bulk interception (including targeted interception, the use of human sources and commercial cyber-defence products) but concluded that no alternative or combination of alternatives would be sufficient to substitute for the bulk interception power as a method of obtaining the necessary intelligence.
177. Following a series of four terrorist attacks in the short period between March and June 2017, in the course of which some 36 innocent people were killed and almost 200 more were injured, the Home Secretary asked the recently retired Independent Reviewer of Terrorism Legislation, David Anderson Q.C. to assess the classified internal reviews of the police and intelligence services involved. In placing the attacks in context, the Report made the following observations:
"1.2 The attacks under review were the most deadly terrorist attacks on British soil since the 7/7 London tube and bus bombings of July 2005. All four were shocking for their savagery and callousness. The impact of the first three attacks was increased by the fact that they came at the end of a long period in which Islamist terrorism had taken multiple lives in neighbouring countries such as France, Belgium and Germany but had not enjoyed equivalent success in Britain.
1.3 The plots were part of an increasingly familiar pattern of Islamist and (to a lesser extent) anti-Muslim terrorist attacks in western countries, including in particular northern Europe. The following points provide context, and an indication that lessons learned from these incidents are likely to be transferrable.
1.4 First, the threat level in the UK from so-called "international terrorism" (in practice, Islamist terrorism whether generated at home or abroad) has been assessed by the Joint Terrorism Analysis Centre (JTAC) as SEVERE since August 2014, indicating that Islamist terrorist attacks in the UK are "highly likely". Commentators with access to the relevant intelligence have always been clear that this assessment is realistic. They have pointed also to the smaller but still deadly threat from extreme right wing (XRW) terrorism, exemplified by the murder of Jo Cox MP in June 2016 and by the proscription of the neo-Nazi group National Action in December 2016.
1.5 Secondly, the growing scale of the threat from Islamist terrorism is striking. The Director General of MI5, Andrew Parker, spoke in October 2017 of "a dramatic upshift in the threat this year" to "the highest tempo I've seen in my 34 year career". Though deaths from Islamist terrorism occur overwhelmingly in Africa, the Middle East and South Asia, the threat has grown recently across the western world, and has been described as "especially diffuse and diverse in the UK". It remains to be seen how this trend will be affected, for good or ill, by the physical collapse of the so-called Islamic State in Syria and Iraq.
1.6 Thirdly, the profiles of the attackers ... display many familiar features. Comparing the five perpetrators of the Westminster, Manchester and London Bridge attacks with those responsible for the 269 Islamist-related terrorist offences in the UK between 1998-2015, as analysed by Hannah Stuart ("the total"):
(a) All were male , like 93% of the total.
(b) Three were British (Masood, Abedi, Butt), like 72% of the total.
(c) One was a convert to Islam (Masood), like 16% of the total.
(d) Three resided in London (43% of the total) and one in North West England (10% of the total).
(e) Three (Masood, and to a more limited extent Abedi and Butt) were known to the police , like 38% of the total.
(f) The same three were known to MI5 , like 48% of the total.
(g) At least one (Butt) had direct links to a proscribed terrorist organisation , as had 44% of the total. His links, in common with 56% of the total who had links with such organisations, were with Al-Muhajiroun (ALM).
In view of their possible pending trials I say nothing of Hashem Abedi, currently detained in Libya in connection with the Manchester attack, or of the Finsbury Park attacker Darren Osborne who (like Khalid Masood at Westminster) is not alleged to have had accomplices.
1.7 Fourthly, though the targets of the first three attacks did not extend to the whole of the current range, they had strong similarities to the targets of other recent western attacks: political centres (e.g. Oslo 2011, Ottawa 2014, Brussels 2016); concert-goers, revellers and crowds (e.g. Orlando 2016, Paris 2016, Barcelona 2017); and police officers (e.g. Melbourne 2014, Berlin 2015, Charleroi 2016). There are precedents also for attacks on observant Muslims which have crossed the boundary from hate crime to terrorism, including the killing of Mohammed Saleem in the West Midlands in 2013.
1.8 Fifthly, the modus operandi (MO) of terrorist attacks has diversified and simplified over the years, as Daesh has employed its formidable propaganda effort to inspire rather than to direct acts of terrorism in the west. The attacks under review were typical in style for their time and place:
(a) Unlike the large, directed Islamist plots characteristic of the last decade, all four attacks were committed by lone actors or small groups , with little evidence of detailed planning or precise targeting.
(b) Strong gun controls in the UK mean that bladed weapons are more commonly used than firearms in gang-related and terrorist crime.
(c) Since a truck killed 86 innocent people in Nice (July 2016), vehicles -� which featured in three of the four attacks under review - have been increasingly used as weapons.
(d) The combination of a vehicle and bladed weapons, seen at Westminster and London Bridge, had previously been used to kill the soldier Lee Rigby (Woolwich, 2013).
(e) Explosives , used in Manchester, were the most popular weapon for Islamist terrorists targeting Europe between 2014 and 2017. The explosive TATP has proved to be capable of manufacture (aided by on-line purchases and assembly instructions) more easily than was once assumed."
7. Annual Report of the Interception of Communications Commissioner for 2016
178 . The Commissioner observed that when conducting interception under a section 8(4) warrant, an intercepting agency had to use its knowledge of the way in which international communications were routed, combined with regular surveys of relevant communications links, to identify those individual communications bearers that were most likely to contain external communications that would meet the descriptions of material certified by the Secretary of State under section 8(4). It also had to conduct the interception in ways that limited the collection of non-external communications to the minimum level compatible with the objective of intercepting the wanted external communications.
179 . He further observed that prior to analysts being able to read, look at or listen to material, they had to provide a justification, which included why access to the material was required, consistent with, and pursuant to section 16 and the applicable certificate, and why such access was proportionate. Inspections and audits showed that although the selection procedure was carefully and conscientiously undertaken, it relied on the professional judgment of analysts, their training and management oversight.
180 . According to the report, 3007 interception warrants were issued in 2016 and five applications were refused by a Secretary of State. In the view of the Commissioner, these figures did not capture the critical quality assurance function initially carried out by the staff and lawyers within the intercepting agency or the warrant-granting department (the warrant-granting departments were a source of independent advice to the Secretary of State and performed pre-authorisation scrutiny of warrant applications and renewals to ensure that they were (and remained) necessary and proportionate). Based on his inspections, he was confident that the low number of rejections reflected the careful consideration given to the use of these powers.
181. A typical inspection of an interception agency included the following:
- a review of the action points or recommendations from the previous inspection and their implementation;
- an evaluation of the systems in place for the interception of communications to ensure they were sufficient for the purposes of Chapter 1 of Part 1 of RIPA and that all relevant records had been kept;
- the examination of selected interception applications to assess whether they were necessary in the first instance and then whether the requests met the necessity and proportionality requirements;
- interviews with case officers, analysts and/or linguists from selected investigations or operations to assess whether the interception and the justifications for acquiring all of the material were proportionate;
- the examination of any urgent oral approvals to check that the process was justified and used appropriately;
- a review of those cases where communications subject to legal privilege or otherwise confidential information had been intercepted and retained, and any cases where a lawyer was the subject of an investigation;
- a review of the adequacy of the safeguards and arrangements under sections 15 and 16 of RIPA;
- an investigation of the procedures in place for the retention, storage and destruction of intercepted material and related communications data; and
- a review of the errors reported, including checking that the measures put in place to prevent recurrence were sufficient.
182. After each inspection, inspectors produced a report, including:
- an assessment of how far the recommendations from the previous inspection had been achieved;
- a summary of the number and type of interception documents selected for inspection, including a detailed list of those warrants;
- detailed comments on all warrants selected for further examination and discussion during the inspection;
- an assessment of the errors reported to the Commissioner's office during the inspection period;
- an account of the examination of the retention, storage and destruction procedures;
- an account of other policy or operational issues which the agency or warrant-granting departments raised during the inspection;
- an assessment of how any material subject to legal professional privilege (or otherwise confidential material) has been handled;
- a number of recommendations aimed at improving compliance and performance.
183 . During 2016, the Commissioner's office inspected all nine interception agencies once and the four main warrant-granting departments twice. This, together with extra visits to GCHQ, made a total of twenty-two inspection visits. In addition, he and his inspectors arranged other ad hoc visits to agencies.
184. Inspection of the systems in place for applying for and authorising interception warrants usually involved a three-stage process. First, to achieve a representative sample of warrants, inspectors selected them across different crime types and national security threats. In addition, inspectors focussed on those of particular interest or sensitivity (such as those which gave rise to an unusual degree of collateral intrusion, those which have been extant for a considerable period, those which were approved orally, those which resulted in the interception of legal or otherwise confidential communications, and so-called 'thematic' warrants). Secondly, inspectors scrutinised the selected warrants and associated documentation in detail during reading days which preceded the inspections. Thirdly, they identified those warrants, operations or areas of the process which required further information or clarification and arranged to interview relevant operational, legal or technical staff. Where necessary, they examined further documentation or systems relating to those warrants.
185 . 970 warrants were examined during the twenty-two interception inspections (sixty-one percent of the number of warrants in force at the end of the year and thirty-two percent of the total of new warrants issued in 2016).
186 . According to the report, every interception agency had a different view on what constituted an appropriate retention period for intercepted material and related communications data. There was no period prescribed by the legislation, but the agencies had to consider section 15(3) of RIPA, which provided that the material or data had to be destroyed as soon as retaining it was no longer necessary for any of the authorised purposes in section 15(4). The vast majority of content was reviewed and automatically deleted after a very short period of time unless specific action was taken to retain the content for longer because it was necessary to do so. The retention periods differed within the interception agencies and ranged between thirty days and one year. The retention periods for related communications data also differed within the interception agencies, but ranged between six months and one year.
187. Inspectors made a total of twenty-eight recommendations in their inspection reports, eighteen of which were made in relation to the application process. The majority of the recommendations in this category related to the necessity, proportionality and/or collateral intrusion justifications in the applications; or the handling of legally privileged or otherwise confidential material relating to sensitive professions.
188. The total number of interception errors reported to the Commissioner during 2016 was 108. Key causes of interception errors were over-collection (generally technical software or hardware errors that caused over-collection of intercepted material and related communications data), unauthorised selection/examination, incorrect dissemination, the failure to cancel interception, and the interception of either an incorrect communications address or person.
(b) Acquisition of communications data under Chapter II of RIPA
189. According to the report, police forces and law enforcement agencies were responsible for acquiring ninety-three percent of the total number of items of data in 2016, six percent was acquired by intelligence services and the remaining one percent was acquired by other public authorities, including local authorities. Fifty percent of the data acquired was subscriber information, forty-eight percent was traffic data and two percent service use information. Most of the acquired items of data (eighty-one percent) related to telephony, such as landlines or mobile phones. Internet identifiers, for example email or IP addresses, accounted for fifteen percent of the acquired data and two percent of requests were related to postal identifiers.
190. With regard to the purpose of the request, eighty-three percent of the items of data were acquired for the purpose of preventing or detecting crime or preventing disorder; eleven percent were acquired for the purpose of preventing death or injury or damage to a person's mental health, or of mitigating any injury or damage to a person's physical or mental health; and six percent were acquired in the interests of national security.
191 . Furthermore, approximately seventy percent of data requests were for data less than three months old, twenty-five percent aged between three months and one year, and six percent for data over twelve months old. Eighty-one percent of the requests required data for a communications address for periods of three months or less (for example, three months of incoming and outgoing call data for a communications address). Twenty-five percent of all requests were for data relating to a period of less than one day.
192 . Twenty-seven percent of submitted applications were returned to the applicant by the Single Point of Contact ("SPoC") for development and a further five percent were declined by the SPoC. Reasons for refusing data applications included: lack of clarity; failure to link the crime to the communications address; and insufficient justification for collateral intrusion. Four percent of submitted applications were returned to applicants by designated persons for further development and one percent was rejected. The main reason for designated persons returning or rejecting applications was that they were not satisfied with the necessity or proportionality justifications given (fifty-two percent). A significant number of applications were returned because designated persons were not satisfied with the overall quality or clarity of the application (twenty-one percent). Other reasons for rejection included the designated persons declaring that they were not independent of the investigation and requesting that the application be forwarded to an independent designated person for consideration (six percent).
193 . In 2016 forty-seven public authorities advised that they had made a total of 948 applications that related to persons who were members of sensitive professions. A significant proportion of these 948 applications were categorised incorrectly (that is, the applicant had recorded a sensitive profession when there was not one). This was usually because the applicant erred on the side of caution, recording a sensitive profession if there was a possibility of one, rather than because they knew that there was one, a fact which provided the Commissioner with "a greater level of assurance that [designated persons] are taking sensitive professions into account when necessary". Furthermore, according to the Commissioner, most applications relating to members of sensitive professions were submitted because the individual had been a victim of crime or was the suspect in a criminal investigation. In these cases, the profession of the individual was usually not relevant to the investigation, but public authorities showed proper consideration of the sensitive profession by bringing it to the attention of the authorising officer.
194 . Having considered the "reportable errors", the Commissioner noted that the number of serious errors remained very low (0.004%).
G. The Investigatory Powers Act 2016
195 . The Investigatory Powers Act 2016 received Royal Assent on 29 November 2016.
196 . On 30 December 2016 Part 4 of the 2016 Act, which included a power to issue "retention notices" to telecommunications operators requiring the retention of data, came into force (although not in its entirety). Following a legal challenge by Liberty, the Government conceded that Part 4 of the IPA was, in its current form, inconsistent with the requirements of EU law. Part 4 was not amended and on 27 April 2018 the High Court found Part 4 to be incompatible with fundamental rights in EU law since, in the area of criminal justice, access to retained data was not limited to the purpose of combating "serious crime"; and access to retained data was not subject to prior review by a court or an independent administrative body. The court concluded that the legislation had to be amended by 1 November 2018.
197 . On 13 February 2017 the provisions of the IPA relating to the appointment of the Investigatory Powers Commissioner and other Judicial Commissioners came into force. On 3 March 2017, the Government appointed the first Investigatory Powers Commissioner (a judge currently sitting on the Court of Appeal and former justice of the International Criminal Court) for a three-year term and he took up appointment with immediate effect. The newly created Investigatory Powers Commissioners Office ("ICPO") commenced operations on 8 September 2017 and is ultimately due to consist of around 70 staff (including approximately fifteen judicial commissioners made up of current and recently retired judges of the High Court, Court of Appeal and Supreme Court, and a technical advisory panel of scientific experts).
198. The remainder of the 2016 Act is not yet in force.
199. In terms of safeguards, when it enters into force in full the Act will require that bulk interception and bulk equipment interference warrants may only be issued where the main purpose of the interception is to acquire intelligence relating to individuals outside the United Kingdom, even where the conduct occurs within the United Kingdom. Similarly, interference with the privacy of persons in the United Kingdom will be permitted only to the extent that it is necessary for that purpose. It will also introduce a "double-lock" for the most intrusive surveillance powers, meaning that a warrant issued by the Secretary of State will also require the approval of one of the appointed Judicial Commissioners. There will also be new protections for journalistic and legally privileged material, including a requirement for judicial authorisation for the acquisition of communications data identifying journalists' sources; tough sanctions for the misuse of powers, including the creation of new criminal offences; and a right of appeal from the IPT.
200. In addition, the new Act will consolidate and update the powers available to the State to obtain communications and communications data. It will provide an updated framework for the use (by the security and intelligence services, law enforcement and other public authorities) of investigatory powers to obtain communications and communications data. These powers cover the interception of communications, the retention and acquisition of communications data, and equipment interference for obtaining communications and other data. The Act also makes provision relating to the security and intelligence services' retention and examination of bulk personal datasets.
201 . On 23 February 2017 the Home Office launched a public consultation on the five draft codes of practice it intends to issue under the 2016 Act (on the Interception of Communications, Equipment Interference, Bulk Communications Data Acquisition, Retention and Use of Bulk Personal Datasets by the Security and Intelligence Agencies and National Security Notices), which will set out the processes and safeguards governing the use of investigatory powers by public authorities. They will give detail on how the relevant powers should be used, including examples of best practice. They are intended to provide additional clarity and to ensure the highest standards of professionalism and compliance with the relevant legislation. Following the closure of the consultation on 6 April 2017, the draft codes were further amended and Regulations bringing them into force will be laid and debated before Parliament. They will only come into force when they have been debated in both Houses of Parliament and approved by a resolution in both Houses.
(a) Resolution no. 68/167 on The Right to Privacy in the Digital Age
202. Resolution no. 68/167, adopted by the General Assembly on 18 December 2013, reads as follows:
"The General Assembly,
...
4. Calls upon all States:
...
( c ) To review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law;
( d ) To establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and the collection of personal data ..."
(b) The Constitution of the International Telecommunication Union 1992
203. Articles 33 and 37 of the Constitution provide as follows:
The Right of the Public to Use the International Telecommunication Service
"Member States recognize the right of the public to correspond by means of the international service of public correspondence. The services, the charges and the safeguards shall be the same for all users in each category of correspondence without any priority or preference .
..."
Secrecy of Telecommunications
"1. Member States agree to take all possible measures, compatible with the system of telecommunication used, with a view to ensuring the secrecy of international correspondence.
2. Nevertheless, they reserve the right to communicate such correspondence to the competent authorities in order to ensure the application of their national laws or the execution of international conventions to which they are parties."
(c) The 2006 Annual Report of the International Law Commission
204. In its 2006 Annual Report the ILC proposed to include the topic "Protection of personal data in the transborder flow of information" in its long-term programme of work. The Secretariat's supporting report (Annex D) identifies a number of core principles of public international law:
Core principles
"23. A number of core principles are discernible from developments in this field in almost forty-years. Such principles include the following:
Lawful and fair data collection and processing: This principle presupposes that the collection of personal data would be restricted to a necessary minimum. In particular such data should not be obtained unlawfully or through unfair means;
Accuracy: The information quality principle is a qualitative requirement and entails a responsibility that the data be accurate, and necessarily complete and up to date for the purpose intended.
Purpose specification and limitation: This principle establishes the requirement that the purpose for which the data are collected should be specified to the data subject. Data should not be disclosed, made available or otherwise used for purposes other than those specified. It has to be done with the consent or knowledge of the data-subject or under the operation of the law. Any subsequent use is limited to such purpose, or any other that is not incompatible with such purpose. Differences lie in the approaches taken by States. Some jurisdictions perceive the obligation for consent to be ex ante.
Proportionality: Proportionality requires that the necessary measure taken should be proportionate to the legitimate claims being pursued.
Transparency: Denotes a general policy of openness regarding developments, practices and policies with respect to protection of personal data.
Individual participation and in particular the right to access: This principle may be the most important for purposes of data protection. The individual should have access to such data; as well as to the possibility of determining whether or not the keeper of the file has data concerning him; to obtain such information or to have it communicated to him in a form, in a manner and at a cost that is reasonable. This accords with the right of an individual to know about the existence of any data file, its contents, to challenge the data and to have it corrected, amended or erased.
Non-discrimination: This principle connotes that data likely to give rise to unlawful and arbitrary discrimination should not be compiled. This includes information collated on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership of an association or trade union.
Responsibility: This principle embraces data security; data should be protected by reasonable and appropriate measures to prevent their loss, destruction, unauthorized access, use, modification or disclosure and the keeper of the file should be accountable for it.
Independent supervision and legal sanction: Supervision and sanction require that there should be a mechanism for ensuring due process and accountability. There should be an authority accountable in law for giving effect to the requirements of data protection.
Data equivalency in the case of transborder flow of personal data: This is a principle of compatibility; it is intended to avoid the creation of unjustified obstacles and restrictions to the free flow of data, as long as the circulation is consistent with the standard or deemed adequate for that purpose.
The principle of derogability: This entails power to make exceptions and impose limitations if they are necessary to protect national security, public order, public health or morality or to protect the rights of others."
Derogability
"24. While privacy concerns are of critical importance, such concerns have to be balanced with other value-interests. The privacy values to avoid embarrassment, to construct intimacy and to protect against misuse associated with the need to protect the individual have to be weighed against other counter-values against individual control over personal information; such as the need not to disrupt the flow of international trade and commerce and the flow of information; the importance of securing the truth, as well as the need to be live in secure environment. There are allowable restrictions and exceptions, for example, with respect to national security, public order (ordre public), public health or morality or in order to protect the rights and freedoms of others, as well as the need for effective law enforcement and judicial cooperation in combating crimes at the international level, including the threats posed by international terrorism and organized crime.
25. The processing of personal data must be interpreted in accordance with human rights principles. Accordingly, any of the objectives in the public interest would justify interference with private life if it is (a) in accordance with the law, (b) is necessary in a democratic society for the pursuit of legitimate aims, and (c) is not disproportionate to the objective pursued. The phrase "in accordance with the law" goes beyond to the formalism of having in existence a legal basis in domestic law, it requires that the legal basis be "accessible" and foreseeable". Foreseeability necessitates sufficiency of precision in formulation of the rule to enable any individual to regulate his conduct. "
205. The Convention, which entered into force in respect of the United Kingdom on 1 December 1987, sets out standards for data protection in the sphere of automatic processing of personal data in the public and private sectors. It provides, insofar as relevant:
Preamble
"The member States of the Council of Europe, signatory hereto,
Considering that the aim of the Council of Europe is to achieve greater unity between its members, based in particular on respect for the rule of law, as well as human rights and fundamental freedoms;
Considering that it is desirable to extend the safeguards for everyone's rights and fundamental freedoms, and in particular the right to the respect for privacy, taking account of the increasing flow across frontiers of personal data undergoing automatic processing;
Reaffirming at the same time their commitment to freedom of information regardless of frontiers;
Recognising that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples,
Have agreed as follows:"
Article 1 - Object and purpose
"The purpose of this Convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").
..."
Article 8 - Additional safeguards for the data subject
"Any person shall be enabled:
a. to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;
b. to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;
c. to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles set out in Articles 5 and 6 of this convention;
d. to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with."
Article 9 - Exceptions and restrictions
"1. No exception to the provisions of Articles 5, 6 and 8 of this Convention shall be allowed except within the limits defined in this article.
2. Derogation from the provisions of Articles 5, 6 and 8 of this Convention shall be allowed when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:
a. protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;
b. protecting the data subject or the rights and freedoms of others.
..."
Article 10 - Sanctions and remedies
"Each Party undertakes to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles for data protection set out in this chapter."
206. The Explanatory Report explains that:
Article 9 - Exceptions and restrictions
"55. Exceptions to the basic principles for data protection are limited to those which are necessary for the protection of fundamental values in a democratic society. The text of the second paragraph of this article has been modelled after that of the second paragraphs of Articles 6, 8, 10 and 11 of the European Human Rights Convention. It is clear from the decisions of the Commission and the Court of Human Rights relating to the concept of "necessary measures" that the criteria for this concept cannot be laid down for all countries and all times, but should be considered in the light of the given situation in each country.
56. Littera a in paragraph 2 lists the major interests of the State which may require exceptions. These exceptions are very specific in order to avoid that, with regard to the general application of the convention, States would have an unduly wide leeway.
States retain, under Article 16, the possibility to refuse application of the convention in individual cases for important reasons, which include those enumerated in Article 9.
The notion of "State security" should be understood in the traditional sense of protecting national sovereignty against internal or external threats, including the protection of the international relations of the State."
207. The Protocol, which has not been ratified by the United Kingdom, provides, insofar as relevant:
Article 1 - Supervisory authorities
"1. Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the measures in its domestic law giving effect to the principles stated in Chapters II and III of the Convention and in this Protocol.
2. a. To this end, the said authorities shall have, in particular, powers of investigation and intervention, as well as the power to engage in legal proceedings or bring to the attention of the competent judicial authorities violations of provisions of domestic law giving effect to the principles mentioned in paragraph 1 of Article 1 of this Protocol.
b. Each supervisory authority shall hear claims lodged by any person concerning the protection of his/her rights and fundamental freedoms with regard to the processing of personal data within its competence.
3. The supervisory authorities shall exercise their functions in complete independence.
4. Decisions of the supervisory authorities, which give rise to complaints, may be appealed against through the courts.
..."
Article 2 - Transborder flows of personal data to a recipient which is not subject to the jurisdiction of a Party to the Convention
"1. Each Party shall provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer.
2. By way of derogation from paragraph 1 of Article 2 of this Protocol, each Party may allow for the transfer of personal data:
a. if domestic law provides for it because of:
-� specific interests of the data subject, or
-� legitimate prevailing interests, especially important public interests, or
b. if safeguards, which can in particular result from contractual clauses, are provided by the controller responsible for the transfer and are found adequate by the competent authorities according to domestic law."
208. This Recommendation (No. R (95) 4 of the Committee of Ministers), which was adopted on 7 February 1995, reads, insofar as relevant, as follows:
"2.4. Interference by public authorities with the content of a communication, including the use of listening or tapping devices or other means of surveillance or interception of communications, must be carried out only when this is provided for by law and constitutes a necessary measure in a democratic society in the interests of:
a. protecting state security, public safety, the monetary interests of the state or the suppression of criminal offences;
b. protecting the data subject or the rights and freedoms of others.
2.5. In the case of interference by public authorities with the content of a communication, domestic law should regulate:
a. the exercise of the data subject's rights of access and rectification;
b. in what circumstances the responsible public authorities are entitled to refuse to provide information to the person concerned, or delay providing it;
c. storage or destruction of such data.
If a network operator or service provider is instructed by a public authority to effect an interference, the data so collected should be communicated only to the body designated in the authorisation for that interference."
(d) The 2001 (Budapest) Convention on Cybercrime
209. The Convention provides, insofar as relevant:
Preamble
"The member States of the Council of Europe and the other States signatory hereto,
...
Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation;
Conscious of the profound changes brought about by the digitalisation, convergence and continuing globalisation of computer networks;
Concerned by the risk that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks;
Recognising the need for co-operation between States and private industry in combating cybercrime and the need to protect legitimate interests in the use and development of information technologies;
Believing that an effective fight against cybercrime requires increased, rapid and well-functioning international co-operation in criminal matters;
Convinced that the present Convention is necessary to deter action directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as the misuse of such systems, networks and data by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating their detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international co-operation;
Mindful of the need to ensure a proper balance between the interests of law enforcement and respect for fundamental human rights as enshrined in the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights and other applicable international human rights treaties, which reaffirm the right of everyone to hold opinions without interference, as well as the right to freedom of expression, including the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, and the rights concerning the respect for privacy;
Mindful also of the right to the protection of personal data, as conferred, for example, by the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;
...
Title 1 - Offences against the confidentiality, integrity and availability of computer data and systems."
Article 2 - Illegal access
"Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system."
Article 3 - Illegal interception
"Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system."
Article 4 - Data interference
"1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.
2. A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.
..."
Article 15 - Conditions and safeguards
"1. Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality."
210. The Explanatory Report explains that:
"38. A specificity of the offences included is the express requirement that the conduct involved is done "without right". It reflects the insight that the conduct described is not always punishable per se, but may be legal or justified not only in cases where classical legal defences are applicable, like consent, self-defence or necessity, but where other principles or interests lead to the exclusion of criminal liability. The expression "without right" derives its meaning from the context in which it is used. Thus, without restricting how Parties may implement the concept in their domestic law, it may refer to conduct undertaken without authority (whether legislative, executive, administrative, judicial, contractual or consensual) or conduct that is otherwise not covered by established legal defences, excuses, justifications or relevant principles under domestic law. The Convention, therefore, leaves unaffected conduct undertaken pursuant to lawful government authority (for example, where the Party's government acts to maintain public order, protect national security or investigate criminal offences). Furthermore, legitimate and common activities inherent in the design of networks, or legitimate and common operating or commercial practices should not be criminalised. Specific examples of such exceptions from criminalisation are provided in relation to specific offences in the corresponding text of the Explanatory Memorandum below. It is left to the Parties to determine how such exemptions are implemented within their domestic legal systems (under criminal law or otherwise).
...
"58. For criminal liability to attach, the illegal interception must be committed "intentionally", and "without right". The act is justified, for example, if the intercepting person has the right to do so, if he acts on the instructions or by authorisation of the participants of the transmission (including authorised testing or protection activities agreed to by the participants), or if surveillance is lawfully authorised in the interests of national security or the detection of offences by investigating authorities."
211 . The Venice Commission noted, at the outset, the value that bulk interception could have for security operations, since it enabled the security services to adopt a proactive approach, looking for hitherto unknown dangers rather than investigating known ones. However, it also noted that intercepting bulk data in transmission, or requirements that telecommunications companies store and then provide telecommunications content data or metadata to law-enforcement or security agencies involved an interference with the privacy and other human rights of a large proportion of the population of the world. In this regard, the Venice Commission considered that the main interference with privacy occurred when stored personal data was accessed and/or processed by the agencies. For this reason, the computer analysis (usually with the help of selectors) was one of the important stages for balancing personal integrity concerns against other interests.
212 . According to the report, the two most significant safeguards were the authorisation process (of collection and access) and the oversight process. It was clear from the Court's case-law that the latter must be performed by an independent, external body. While the Court had a preference for judicial authorisation, it had not found this to be a necessary requirement. Rather, the system had to be assessed as a whole, and where independent controls were absent at the authorisation stage, particularly strong safeguards had to exist at the oversight stage. In this regard, the Venice Commission considered the example of the system in the United States, where authorisation was given by the Foreign Intelligence Surveillance Court. However, it noted that despite the existence of judicial authorisation, the lack of independent oversight of the court's conditions was problematic.
213 . Similarly, the Commission observed that notification of the subject of surveillance was not an absolute requirement of Article 8 of the Convention. In this regard, a general complaints procedure to an independent oversight body could compensate for non-notification.
214 . The report also considered internal controls to be a "primary safeguard". In this regard, recruitment and training were key issues; in addition, it was important for the agencies to build in respect for privacy and other human rights when promulgating internal rules.
215 . The report also considered the position of journalists. It accepted that they were a group which required special protection, since searching their contacts could reveal their sources (and the risk of discovery could be a powerful disincentive to whistle-blowers). Nevertheless, it considered there to be no absolute prohibition on searching the contacts of journalists, provided that there were very strong reasons for doing so. It acknowledged, however, that the journalistic profession was not one which was easily identified, since NGOs were also engaged in building public opinion and even bloggers could claim to be entitled to equivalent protections.
216 . Finally, the report briefly considered the issue of intelligence sharing, and in particular the risk that States could thereby circumvent stronger domestic surveillance procedures and/or any legal limits which their agencies might be subject to as regards domestic intelligence operations. It considered that a suitable safeguard would be to provide that the bulk material transferred could only be searched if all the material requirements of a national search were fulfilled and this was duly authorised in the same way as a search of bulk material obtained by the signals intelligence agency using its own techniques.
1. Charter of Fundamental Rights of the European Union
217. Articles 7, 8 and 11 of the Charter provide as follows:
Article 7 - Respect for private and family life
" Everyone has the right to respect for his or her private and family life, home and communications."
Article 8 - Protection of personal data
"1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which have been collected concerning him or her, and the right to have them rectified.
3. Compliance with these rules shall be subject to control by an independent authority. "
Article 11 - Freedom of expression and information
"1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.
2. The freedom and pluralism of the media shall be respected."
2. EU directives and regulations relating to protection and processing of personal data
218. The Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), adopted on 24 October 1995, regulated for many years the protection and processing of personal data within the European Union. As the activities of Member States regarding public safety, defence and State security fall outside the scope of Community law, the Directive did not apply to these activities (Article 3(2)).
219. The General Data Protection Regulation, adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018. The regulation, which is directly applicable in Member States [1] , contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data's owner. The data owner has the right to revoke this permission at any time.
220. A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data is being retained, and if it is being shared with any third-parties or outside of the EU. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
221. The Privacy and Electronic Communications Directive (Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector), adopted on 12 July 2002, states, in recitals 2 and 11:
"(2) This Directive seeks to respect the fundamental rights and observes the principles recognised in particular by the Charter of fundamental rights of the European Union. In particular, this Directive seeks to ensure full respect for the rights set out in Articles 7 and 8 of that Charter.
(11) Like Directive 95/46/EC, this Directive does not address issues of protection of fundamental rights and freedoms related to activities which are not governed by Community law. Therefore it does not alter the existing balance between the individual's right to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the protection of public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the enforcement of criminal law. Consequently, this Directive does not affect the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the rulings of the European Court of Human Rights. Such measures must be appropriate, strictly proportionate to the intended purpose and necessary within a democratic society and should be subject to adequate safeguards in accordance with the European Convention for the Protection of Human Rights and Fundamental Freedoms."
222. The Directive further provides, insofar as relevant:
Article 1 - Scope and aim
"1. This Directive harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.
2. The provisions of this Directive particularise and complement Directive 95/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.
3. This Directive shall not apply to activities which fall outside the scope of the Treaty establishing the European Community, such as those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law."
Article 15 - Application of certain provisions of Directive 95/46/EC
"1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia , adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union."
223. On 15 March 2006 the Data Retention Directive (Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC) was adopted. It provided, insofar as relevant:
Article 1 - Subject matter and scope
"1. This Directive aims to harmonise Member States' provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.
2. This Directive shall apply to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content of electronic communications, including information consulted using an electronic communications network."
Article 3 - Obligation to retain data
"1. By way of derogation from Articles 5, 6 and 9 of Directive 2002/58/EC, Member States shall adopt measures to ensure that the data specified in Article 5 of this Directive are retained in accordance with the provisions thereof, to the extent that those data are generated or processed by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communications services concerned."
3. Relevant case-law of the Court of Justice of the European Union ("CJEU")
(a) Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources and Others and Seitinger and Others (Cases C-�293/12 and C -� 594/12; ECLI:EU:C:2014:238)
224 . In a judgment of 8 April 2014 the Court of Justice of the European Union ("the CJEU") declared invalid the Data Retention Directive 2006/24/EC laying down the obligation on the providers of publicly available electronic communication services or of public communications networks to retain all traffic and location data for periods from six months to two years, in order to ensure that the data was available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law. The CJEU noted that, even though the directive did not permit the retention of the content of the communication, the traffic and location data covered by it might allow very precise conclusions to be drawn concerning the private lives of the persons whose data had been retained. Accordingly, the obligation to retain the data constituted in itself an interference with the right to respect for private life and communications guaranteed by Article 7 of the Charter of Fundamental Rights of the EU and the right to protection of personal data under Article 8 of the Charter.
225. The access of the competent national authorities to the data constituted a further interference with those fundamental rights, which the CJEU considered to be "particularly serious". The fact that data was retained and subsequently used without the subscriber or registered user being informed was, according to the CJEU, likely to generate in the minds of the persons concerned the feeling that their private lives were the subject of constant surveillance. The interference satisfied an objective of general interest, namely to contribute to the fight against serious crime and terrorism and thus, ultimately, to public security. However, it failed to satisfy the requirement of proportionality.
226. Firstly, the directive covered, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime. It therefore entailed an interference with the fundamental rights of practically the entire European population. It applied even to persons for whom there was no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime.
227. Secondly, the directive did not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. By simply referring, in a general manner, to serious crime, as defined by each Member State in its national law, the directive failed to lay down any objective criterion by which to determine which offences might be considered to be sufficiently serious to justify such an extensive interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. Above all, the access by the competent national authorities to the data retained was not made dependent on a prior review carried out by a court or by an independent administrative body whose decision sought to limit access to the data and their use to what was strictly necessary for the purpose of attaining the objective pursued.
228. Thirdly, the directive required that all data be retained for a period of at least six months, without any distinction being made between the categories of data on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned. The CJEU concluded that the directive entailed a wide-ranging and particularly serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, without such an interference being precisely circumscribed by provisions to ensure that it was actually limited to what was strictly necessary. The CJEU also noted that the directive did not provide for sufficient safeguards, by means of technical and organisational measures, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of those data.
(b) Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others (Cases C -� 203/15 and C -� 698/15; ECLI:EU:C:2016:970)
229. In Secretary of State for the Home Department v. Watson and Others , the applicants had sought judicial review of the legality of section 1 of the Data Retention and Investigatory Powers Act 2014 ("DRIPA"), pursuant to which the Secretary of State could require a public telecommunications operator to retain relevant communications data if he considered it necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (h) of section 22(2) of RIPA. The applicants claimed, inter alia , that section 1 was incompatible with Articles 7 and 8 of the Charter and Article 8 of the Convention.
230. By judgment of 17 July 2015, the High Court held that the Digital Rights judgment laid down "mandatory requirements of EU law" applicable to the legislation of Member States on the retention of communications data and access to such data. Since the CJEU, in that judgment, held that Directive 2006/24was incompatible with the principle of proportionality, national legislation containing the same provisions as that directive could, equally, not be compatible with that principle. In fact, it followed from the underlying logic of the Digital Rights judgment that legislation that established a general body of rules for the retention of communications data was in breach of the rights guaranteed in Articles 7 and 8 of the Charter, unless that legislation was complemented by a body of rules for access to the data, defined by national law, which provides sufficient safeguards to protect those rights. Accordingly, section 1 of DRIPA was not compatible with Articles 7 and 8 of the Charter as it did not lay down clear and precise rules providing for access to and use of retained data and access to that data was not made dependent on prior review by a court or an independent administrative body.
231. On appeal by the Secretary of State, the Court of Appeal sought a preliminary ruling from the CJEU.
232. Before the CJEU this case was joined with the request for a preliminary ruling from the Kammarrätten i Stockholm in Case C-�203/15 Tele2 Sverige AB v Post- och telestyrelsen . Following an oral hearing in which some fifteen EU Member States intervened, the CJEU gave judgment on 21 December 2016. The CJEU held that Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, had to be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, was not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.
233. The CJEU declared the Court of Appeal's question whether the protection afforded by Articles 7 and 8 of the Charter was wider than that guaranteed by Article 8 of the Convention inadmissible.
234 . Following the handing down of the CJEU's judgment, the case was relisted before the Court of Appeal. On 31 January 2018 it granted declaratory relief in the following terms: that section 1 of DRIPA was inconsistent with EU law to the extent that it permitted access to retained data where the object pursued by access was not restricted solely to fighting serious crime; or where access was not subject to prior review by a court or independent administrative authority.
(c) Privacy International v. Secretary of State for Foreign and Commonwealth Affairs, Secretary of State for the Home Department, Government Communications Headquarters, Security Service and Secret Intelligence Service (IPT/15/110/CH, [2017] UKIPTrib IPT_15_110_CH ; EU OJ C 22, 22.1.2018, p. 29-�30)
235. On 8 September 2017 the IPT gave judgment in the case of Privacy International , which concerned the acquisition by the agencies of Bulk Communications Data under section 94 of the Telecommunications Act 1984 (a different regime from those which form the subject of the present complaints) and Bulk Personal Data. The IPT found that, following their avowal, the regimes were compliant with Article 8 of the Convention. However, it identified the following four requirements which appeared to flow from the CJEU judgment in Watson and Others and which seemed to go beyond the requirements of Article 8 of the Convention: a restriction on non-targeted access to bulk data; a need for prior authorisation (save in cases of validly established emergency) before data could be accessed; provision for subsequent notification of those affected; and the retention of all data within the European Union.
236 . On 30 October 2017 the IPT made a request to the CJEU for a preliminary ruling clarifying the extent to which the Watson requirements could apply where the bulk acquisition and automated processing techniques were necessary to protect national security. In doing so, it expressed serious concern that if the Watson requirements were to apply to measures taken to safeguard national security, they would frustrate them and put the national security of Member States at risk. In particular, it noted the benefits of bulk acquisition in the context of national security (referring to the Bulk Powers Review - see paragraphs 173-176 above); the risk that the need for prior authorisation could undermine the agencies' ability to tackle the threat to national security; the danger and impracticality of implementing a requirement to give notice in respect of the acquisition or use of a bulk database, especially where national security was at stake; and the impact an absolute bar on the transfer of data outside the European Union could have on Member States' treaty obligations.
I. EXHAUSTION OF DOMESTIC REMEDIES
237. The Government submitted that the applicants in the first and second of the joined cases had not exhausted domestic remedies within the meaning of Article 35 § 1 of the Convention, which provides as follows:
"1. The Court may only deal with the matter after all domestic remedies have been exhausted, according to the generally recognised rules of international law, and within a period of six months from the date on which the final decision was taken."
238. The Government argued that the applicants in the first and second of the joined cases had not exhausted domestic remedies as they had failed to raise their complaints before the IPT. The IPT was a bespoke domestic tribunal set up for the very purpose of investigating, considering and ruling on the issues now raised before this Court. In Kennedy v. the United Kingdom , no. 26839/05, 18 May 2010 the Court held that the IPT was Article 6 compliant and, as could be seen from the Liberty proceedings, it was capable of providing redress. Furthermore, it was advantageous for the Court to have the benefit of a detailed assessment of the operation of the relevant domestic legal regime by a bespoke domestic tribunal with an understanding of that system. That was especially so where, as in the case at hand, domestic law was not only complex, but also involved an assessment of issues of necessity and proportionality which would be particularly difficult to undertake without a proper determination at national level of facts material to the balance between the rights of the individual and the interests of the community as a whole.
239. As for the effectiveness of the IPT as a domestic remedy, the Government noted that it was "one of the most far-reaching systems of judicial oversight over intelligence matters in the world", with broad jurisdiction and remedial powers. It produced open judgments to the extent that it could do so consistently with the public interest. It could investigate and consider in closed session any sensitive material that was relevant to the complaints and produce decisions having regard to that material. On account of its ability to assess and evaluate the adequacy of the internal safeguards, it was in a "special position" to make a proper assessment of proportionality. In the present case, the applicants' complaints under Articles 8 and 10 of the Convention focussed on the alleged lack of publicly available safeguards and proportionality, and the IPT had the jurisdiction and requisite powers to deal with all of those complaints. It could make clear the extent to which the relevant domestic regime was compatible with the Convention and, if it was not compatible, it could identify the respects in which it was deficient. If there was a lack of foreseeability, it could identify with precision the respects in which the applicable safeguards were not - but should be - public, which, in turn, meant that those aspects of the regime could be remedied by the Government with further disclosure and/or amendments to the Code of Practice. Finally, where proportionality was in issue, it could, through its ability to consider relevant intelligence material in closed proceedings, provide an effective remedy by ordering the quashing of section 8(4) warrants and ordering the destruction of data.
240. Finally, in relation to the IPT's more general declaratory jurisdiction, the Government argued that there was no deficit in Convention terms. On the contrary, it could and did rule on the general lawfulness of regimes about which complaints were made and if it concluded that a regime was contrary to the Convention, it would so state. Furthermore, the Government's reaction to such findings had been consistent. As could be seen from the response to the Liberty and Belhadj determinations (see paragraphs 92-94 above), it had ensured that any defects were rectified and dealt with. Therefore, even though it has no jurisdiction to make a Declaration of Incompatibility under section 4 of the Human Rights Act 1998, on the facts a finding of incompatibility would be an effective trigger for the necessary changes to ensure Convention compatibility. In light of both this fact, and the Court's increasing emphasis on subsidiarity, the Government contended that the position had moved on since Kennedy , in which the Court did not accept that the IPT had provided the applicant with an effective remedy for his general complaint about the Convention compliance of section 8(1) of RIPA.
241 . The applicants in the first and second of the joined cases submitted that they had done all that was required of them in terms of domestic remedies. While they accepted that they did not file complaints with the IPT before lodging their applications with this Court, they had not done so in reliance on the Court's findings in Kennedy ; namely, that a claim before the IPT was not necessary in order for a general challenge to be brought against the United Kingdom's domestic framework. Although they accepted that it was always open to the Court to reconsider whether a domestic avenue of complaint provided an effective remedy, it had held that an applicant could only be required to make use of a remedy that had developed since the application was lodged if they could still make use of the remedy and it would not be unjust to declare the application admissible ( Campbell and Fell v. the United Kingdom , 28 June 1984, §§ 62-63, Series A no. 80).
242 . In any event, the applicants argued that there had been no change of circumstances such as would make the IPT an effective remedy. In particular, they relied upon the arguments made by the applicants in the third of the joined cases in support of their Article 6 complaint, and further noted that the IPT could not make a Declaration of Incompatibility. The latter in any case did not constitute an effective remedy, since it did not result in the invalidation of the impugned legislation).
B. The submissions of the third party
243. In its third party intervention, the European Network of National Human Rights Institutions ("ENNHRI") submitted that the international legal framework, including the International Covenant on Civil and Political Rights ("ICCPR") and the American Convention on Human Rights ("ACHR"), and case-law supported the contention that domestic remedies did not have to be followed if they were not capable of providing an effective remedy.
244 . It is a fundamental feature of the machinery of protection established by the Convention that it is subsidiary to the national systems safeguarding human rights. This Court is concerned with the supervision of the implementation by Contracting States of their obligations under the Convention. It should not take on the role of Contracting States, whose responsibility it is to ensure that the fundamental rights and freedoms enshrined therein are respected and protected on a domestic level ( Vučković and Others v. Serbia (preliminary objection) [GC], nos. 17153/11and 29 others, § 69, 25 March 2014). However, the application of the rule must make due allowance for the fact that it is being applied in the context of machinery for the protection of human rights that the Contracting Parties have agreed to set up and it must therefore be applied with some degree of flexibility and without excessive formalism (see Vučković and Others , cited above, § 76; see also Akdivar and Others v. Turkey , 16 September 1996, § 69, Reports of Judgments and Decisions 1996-�IV and Gough v. the United Kingdom , no. 49327/11, § 140, 28 October 2014).
245 . States are dispensed from answering before an international body for their acts before they have had an opportunity to put matters right through their own legal system, and those who wish to invoke the supervisory jurisdiction of the Court as concerns complaints against a State are thus obliged to use first the remedies provided by the national legal system (see, among many authorities, Vučković and Others , cited above, § 70 and Akdivar and Others , cited above, § 65). The Court is not a court of first instance; it does not have the capacity, nor is it appropriate to its function as an international court, to adjudicate on cases which require the finding of basic facts, which should, as a matter of principle and effective practice, be the domain of domestic jurisdiction (see Demopoulos and Others v. Turkey (dec.) [GC], nos. 46113/99, 3843/02, 13751/02, 13466/03, 10200/04, 14163/04, 19993/04and 21819/04, § 69, ECHR 2010). Similarly, in cases requiring the balancing of conflicting interests under Articles 8 and 10 of the Convention it is particularly important that the domestic courts are first given the opportunity to strike the "complex and delicate" balance between the competing interests at stake. Those courts are in principle better placed than this Court to make such an assessment and, as a consequence, their conclusions will be central to its own consideration of the issue ( MGN Limited v. the United Kingdom , no. 39401/04, §§ 140-155, 18 January 2011; Palomo Sánchez and Others v. Spain [GC], nos. 28955/06, 28957/06, 28959/06and 28964/06, § 57, 12 September 2011; Axel Springer AG v. Germany [GC], no. 39954/08, §§ 85-88, 7 February 2012; Courtney v. Ireland (dec), no. 69558/10, 18 December 2012; and Charron and Merle-�Montet v. France (dec), no. 22612/15 , § 30, 16 January 2018 ).
246. The obligation to exhaust domestic remedies therefore requires an applicant to make normal use of remedies which are available and sufficient in respect of his or her Convention grievances. The existence of the remedies in question must be sufficiently certain not only in theory but in practice, failing which they will lack the requisite accessibility and effectiveness (see Vučković and Others , cited above, § 71 and Akdivar and Others , cited above, § 66).
247. There is, however, no obligation to have recourse to remedies which are inadequate or ineffective. To be effective, a remedy must be capable of remedying directly the impugned state of affairs and must offer reasonable prospects of success (see Vučković and Others , cited above, § 73 and Sejdovic v. Italy [GC], no. 56581/00, § 46, ECHR 2006-�II). The existence of mere doubts as to the prospects of success of a particular remedy which is not obviously futile is not a valid reason for failing to exhaust that avenue of redress (see Vučković and Others , cited above, § 74 and Scoppola v. Italy (no. 2) [GC], no. 10249/03, § 70, 17 September 2009).
248. As regards the burden of proof, it is incumbent on the Government claiming non-exhaustion to satisfy the Court that the remedy was an effective one, available in theory and in practice at the relevant time. Once this burden has been satisfied, it falls to the applicant to establish that the remedy advanced by the Government was in fact exhausted, or was for some reason inadequate and ineffective in the particular circumstances of the case, or that there existed special circumstances absolving him or her from this requirement (see Vučković and Others , cited above, § 77; McFarlane v. Ireland [GC], no. 31333/06, § 107, 10 September 2010; Demopoulos and Others , cited above, § 69; and Akdivar and Others , cited above, § 68).
249 . Where an applicant is challenging the general legal framework for secret surveillance measures, the Court has identified the availability of an effective domestic remedy as a relevant factor in determining whether that applicant was a "victim" of the alleged violation, since, in the absence of such a remedy, widespread suspicion and concern among the general public that secret surveillance powers were being abused might be justified ( Roman Zakharov v. Russia [GC], no. 47143/06, § 171, ECHR 2015).
2. Application of those principles to the case at hand
250 . The IPT is a specialist tribunal with sole jurisdiction to hear allegations of wrongful interference with communications as a result of conduct covered by RIPA (see paragraph 124 above). The Court of Appeal has recently observed that the IPT is "a judicial body of like standing and authority to the High Court" and that "[t]he quality of the membership of the IPT in terms of judicial expertise and independence is very high" (see paragraph 135 above). Its members must hold or have held high judicial office or be a qualified lawyer of at least ten years' standing (see paragraph 123 above), and in the present case it was composed of two High Court Judges (including the President), a Circuit Judge and two senior barristers (see paragraph 24 above). It has jurisdiction to investigate any complaint that a person's communications have been intercepted (see paragraph 124 above). In conducting such an investigation, the IPT will generally proceed on the assumption that the facts asserted by the applicant are true and then, acting upon that assumption, decide whether they would constitute lawful or unlawful conduct. In doing so, the IPT considers both the generic compliance of the relevant interception regime (on the basis of assuming there to have been an interception as alleged) as well as, at a subsequent stage, the specific question whether the individual applicant's rights have, in fact, been breached. Those involved in the authorisation and execution of an intercept warrant are required to disclose to the IPT all the documents it may require, including "below the waterline" documents which could not be made public for reasons of national security (see paragraph 127 above), irrespective of whether those documents support or undermine their defence. The IPT has discretion to hold oral hearings, in public, where possible (see paragraphs 131, 138 and 139 above) and, in closed proceedings it may appoint Counsel to the Tribunal to make submissions on behalf of claimants who cannot be represented (see paragraph 142 above). When it determines a complaint the IPT has the power to award compensation and make any other order it sees fit, including quashing or cancelling any warrant and requiring the destruction of any records (see paragraph 128 above). In considering the complaint brought by the applicants in the third of the joined cases ("the Liberty proceedings") , the IPT used all of these powers for the benefit of the applicants.
251. The Court considered the role of the IPT in secret surveillance cases in Kennedy (cited above), decided in 2010. In that case the applicant complained that his communications had been intercepted pursuant to a targeted warrant authorised under section 8(1) of RIPA (the specific complaint), and that the targeted interception regime under section 8(1) was not compliant with Article 8 of the Convention (the general compliance complaint). The Court held that the proceedings before the IPT had been Article 6 compliant, since any procedural restrictions were proportionate to the need to keep secret sensitive and confidential information and did not impair the very essence of the applicant's right to a fair trial. With regard to the IPT's effectiveness as a remedy, it acknowledged that Article 35 § 1 had "a special significance in the context of secret surveillance given the extensive powers of the IPT to investigate complaints before it and to access confidential information". It considered these extensive powers to be relevant to the applicant's specific complaint as it had required a factual investigation into whether his communications had been intercepted. However, it was not persuaded of their relevance to the general compliance complaint, since it was a legal challenge and, having already decided the specific complaint, it was unlikely that the IPT could further elucidate the general operation of the surveillance regime and applicable safeguards, such as would assist the Court in its consideration of the compliance of the regime with the Convention. While it accepted that the IPT could consider a complaint about the general compliance of a surveillance regime with the Convention and, if necessary, make a finding of incompatibility, the Government had not addressed in their submissions how such a finding would benefit the applicant, given that it did not appear to give rise to a binding obligation on the State to remedy the incompatibility.
252. Although in Kennedy the Court distinguished between a specific and general complaint, it is clear from its more recent case-law that while the two complaints are indeed distinct, they are nevertheless connected. In Roman Zakharov the Court identified the availability of an effective domestic remedy to a person who suspects that he or she was subjected to secret surveillance (in other words, an effective domestic remedy for a specific complaint) as a relevant factor in determining whether that person was a "victim" in respect of a complaint challenging the general legal framework for secret surveillance, since, in the absence of such a remedy, widespread suspicion and concern among the general public that secret surveillance powers were being abused might be justified ( Roman Zakharov , cited above, § 171). In view of the significance the Court has attached to the existence of such a domestic remedy, it would be problematic if applicants were not required to use it before making either a specific or general complaint to this Court. The Court should not have to consider a challenge to a legislative regime in abstracto when the applicants had a domestic forum in which they could have challenged at the very least the possible application of those measures to them.
253. In any event, the IPT's ruling in Mr Kennedy's case came very early in the Tribunal's history. In fact, Mr Kennedy's application, together with an application lodged by British and Irish Rights Watch, was the first time that the IPT sat in public. It was in the context of those applications that it gave its defining ruling on preliminary issues of law and established its current practice (see paragraphs 136-141 above). For the reasons set out below, the Court considers that in view both of the manner in which the IPT has exercised its powers in the fifteen years that have elapsed since that ruling, and the very real impact its judgments have had on domestic law and practice, the concerns expressed by the Court in Kennedy about its effectiveness as a remedy for complaints about the general compliance of a secret surveillance regime are no longer valid.
254 . First, in Kennedy the IPT had fully examined Mr Kennedy's specific complaint about the interception of his communications. The Court was solely concerned with whether an examination of the general complaint could have provided additional clarification. Unlike the present case, therefore, the Court was not being called upon to consider the general complaint entirely in abstracto .
255. Secondly, an examination of the IPT's extensive post- Kennedy case-law demonstrates the important role that it can and does play in analysing and elucidating the general operation of secret surveillance regimes. For example, in B v. the Security Services , Case No IPT/03/01/CH, [2004] UKIPTrib 03_01, 31 March 2004 the IPT considered, as a preliminary issue of law, whether the Secretary of State's "neither confirm nor deny" policy was compatible with Article 8 of the Convention. Similarly, in A Complaint of Surveillance , Case No IPT/A1/2013, [2013] UKIPTrib A1_2013, 24 July 2013 the IPT provided elucidation on the meaning of the term "surveillance" in Part II of RIPA. Moreover, given the "secret" nature of most surveillance regimes, the scope of their operation will not always be evident from the "above the waterline" material. For example, in the Liberty proceedings the IPT played a crucial role first in identifying those aspects of the surveillance regimes which could and should be further elucidated, and then recommending the disclosure of certain "below the waterline" arrangements in order to achieve this goal. It could therefore be said that the IPT, as the only tribunal with jurisdiction to obtain and review "below the waterline" material, is not only the sole body capable of elucidating the general operation of a surveillance regime; it is also the sole body capable of determining whether that regime requires further elucidation.
256 . This "elucidatory" role is of invaluable assistance to the Court when it is considering the compliance of a secret surveillance regime with the Convention. The Court has repeatedly stated that it is not its role to determine questions of fact or to interpret domestic law. That is especially so where domestic law is complex and, for reasons of national security, the State is not at liberty to disclose relevant information to it. Given the confidential nature of the relevant documentation, were applicants to lodge complaints about secret surveillance with this Court without first raising them before the IPT, this Court would either have to become the primary fact-finder in such cases, or it would have to assess necessity and proportionality in a factual vacuum. This difficulty is particularly apparent in respect of those complaints not considered by the IPT in the Liberty proceedings; in particular, the Chapter II complaint and the complaint about the receipt of non-intercept material from foreign intelligence services. The Court has before it very limited information about the scope and operation of these regimes and it could therefore only consider these complaints if it were either to accept the applicants' allegations as fact, or to attempt to conduct its own fact-finding exercise. In such cases, therefore, it is particularly important that the domestic courts, which have access to the confidential documentation, first strike the "complex and delicate balance" between the competing interests at stake (see paragraph 245 above).
257. Consequently, on the basis of the information submitted to it, the Court considers that the IPT can - and regularly does - elucidate the general operation of surveillance regimes, including in cases where such elucidation is considered necessary to ensure the regime's Convention compliance.
258 . Furthermore, from the information submitted in the present case it would appear that where the IPT has found a surveillance regime to be incompatible with the Convention, the Government have ensured that any defects are rectified and dealt with. In the Liberty proceedings, once the IPT had identified which of the "below the waterline" arrangements could and should be made public in order for the intelligence sharing regime to be Convention compliant, the Government agreed to the proposed disclosure ("the 9 October disclosure") and the disclosed material was subsequently added to the amended Code of Practice (see paragraphs 26-30 above). In addition, having found that there had been a breach of Article 8 of the Convention by virtue of the fact that email communications of Amnesty International, which had been intercepted and accessed "lawfully and proportionately", had nevertheless been retained for longer than was permitted under GCHQ's internal policies, the IPT ordered GCHQ to destroy the communications within seven days, and to provide a closed report within fourteen days confirming their destruction (see paragraph 54 above).
259. Similarly, in the Belhadj case the Government conceded that from January 2010 the regime for the interception, obtaining, analysis, use, disclosure and destruction of legally privileged material had not been in accordance with the law for the purposes of Article 8 § 2 of the Convention and was accordingly unlawful. As a consequence, the Security Service and GCHQ confirmed that they would work in the forthcoming weeks to review their policies and procedures (see paragraph 93 above).
260 . In addition, in News Group and Others v. The Commissioner of Police of the Metropolis the IPT found that the regime under Chapter II of RIPA (for the acquisition of communications data) did not contain effective safeguards to protect Article 10 rights. Although the IPT could not award any remedy in respect of the failure to provide adequate safeguards, as this did not in itself render the authorisations for the acquisition of communications data unlawful, in March 2015 the 2007 ACD Code of Practice was replaced by a new code with enhanced safeguards in respect of applications for communications data designed to identify a journalist's source (see paragraphs 118-120 above). The applicants in that case subsequently lodged a complaint under Article 10 of the Convention with this Court; however, in a recent decision the Court declared the complaint inadmissible as it found that the applicants had not suffered a "significant disadvantage" within the meaning of Article 35 § 3 (b) of the Convention (see Anthony France and Others v. the United Kingdom (dec.), nos. 25357/16, 25514/16, 25552/16and 25597/16, 26 September 2016). In particular, the Court observed that "the applicants have benefitted from a thorough and comprehensive judgment from the IPT, which clearly sets out all the aspects of the interference with their rights". Furthermore, although "the IPT could not find that there had been a violation of their rights, it nonetheless made a clear statement that their rights had been infringed" and a change in the law subsequently occurred (see Anthony France and Others , cited above, §§ 43-46).
261. Finally, to cite an earlier example, in Paton and Others v. Poole Borough Council , [2009] UKIPTrib 09_01, Case Nos IPT/09/01/C, IPT/09/02/C, IPT/09/03/C, IPT/09/04/C and IPT/09/05/C, 29 July 2010, the IPT found that surveillance carried out by a local authority was both unlawful and in breach of Article 8 of the Convention as it was not for the permitted purpose and was neither necessary nor proportionate. While the IPT made no findings regarding the Convention compliance of the regime as a whole, the case was highly publicised and fed into a general public debate about the surveillance powers of local councils. Very shortly after the judgment was handed down, the Government announced that there was to be a review of RIPA which would cover its use by local authorities. Two years later RIPA was amended to restrict the power of local authorities to conduct surveillance.
262 . Therefore, while the evidence submitted by the Government may not yet demonstrate the existence of a "binding obligation" requiring it to remedy any incompatibility identified by the IPT, in light of the IPT's "special significance" in secret surveillance cases which arises from its "extensive powers ... to investigate complaints before it and to access confidential information" (see Kennedy , cited above, § 110) the Court would nevertheless accept that the practice of giving effect to its findings on the incompatibility of domestic law with the Convention is sufficiently certain for it to be satisfied as to the effectiveness of the remedy.
263 . The effectiveness of the IPT is further underlined by the fact that it can, as a matter of EU law, make an order for reference to the CJEU where an issue arises that is relevant to the dispute before it (see Privacy International v. Secretary of State for Foreign and Commonwealth Affairs, Secretary of State for the Home Department, Government Communications Headquarters, Security Service and Secret Intelligence Service , at paragraph 236 above). The Court has held that the protection of fundamental rights by Community law can be considered to be "equivalent" to that of the Convention system (see Bosphorus Hava Yolları Turizm ve Ticaret Anonim Şirketi v. Ireland [GC], no. 45036/98, § 165 ECHR 2005-�VI) and it would therefore be surprising if applicants were permitted to bypass a court or tribunal which could have such a significant role in the enforcement of Community law and its fundamental rights guarantees.
264. Insofar as the applicants rely on the fact that the IPT cannot issue a Declaration of Incompatibility (see paragraph 242 above), it is sufficient to note that the Court has not yet accepted that the practice of giving effect to the national courts' Declarations of Incompatibility by amendment of legislation is "so certain as to indicate that section 4 of the Human Rights Act is to be interpreted as imposing a binding obligation" (see Burden v. the United Kingdom [GC], no. 13378/05, § 43, ECHR 2008). Consequently, the relevant question is not whether the IPT can issue a Declaration of Incompatibility, but whether the practice of giving effect to its findings is sufficiently certain.
265 . In light of the foregoing considerations, the Court finds that as a general rule the IPT has shown itself to be a remedy, available in theory and practice, which is capable of offering redress to applicants complaining of both specific incidences of surveillance and the general Convention compliance of surveillance regimes. As a result, the complaints made by the applicants in the first and second of the joined cases must be declared inadmissible for non-exhaustion unless they can show that there existed special circumstances absolving them from the requirement to exhaust this remedy.
266 . In this regard, they contend that precisely such circumstances existed; namely, that at the time they lodged their applications with this Court they were entitled to rely on Kennedy as authority for the proposition that the IPT was not an effective remedy for a complaint about the general Convention compliance of a surveillance regime.
267. Although, at first glance, there would appear to be significant differences between the present case and that of Kennedy (for example, as the applicant in Kennedy had brought a specific complaint to the IPT the Court was not required to consider the more general complaint entirely in the abstract, and in Kennedy the applicant's challenge to the RIPA provisions was a challenge to primary legislation as opposed to the whole legal framework governing the relevant surveillance regime), the Government, for their part, have not sought to distinguish Kennedy from the case at hand. Moreover, the case-law of the IPT which the Government have relied on as evidence of its effectiveness as a remedy post-dates the introduction before this Court - on 4 September 2013 and 11 September 2014 - of the complaints made by the applicants in the first and second of the joined cases. For example, the main judgment in the Liberty proceedings was delivered on 5 December 2014, the Belhadj proceedings concluded on 26 February 2015 and News Group and Others was decided on 17 December 2015). While the Court has identified some earlier cases which illustrate the effectiveness of the IPT (for example, B , A Complaint of Surveillance and Paton and Others ), none of these cases concerned a general complaint about the Convention compliance of a surveillance regime. In comparison, the Liberty proceedings, Belhadj and News Group and Others all demonstrate the important and unique role of the IPT in both elucidating the operation of such regimes, and remedying any breaches of the Convention.
268 . Consequently, while the Court acknowledges that since Kennedy was decided in 2010 the IPT has shown itself to be an effective remedy which applicants complaining about the actions of the intelligence services and/or the general operation of surveillance regimes should first exhaust in order to satisfy the requirements of Article 35 § 1 of the Convention, it would nevertheless accept that at the time the applicants in the first and second of the joined cases introduced their applications, they could not be faulted for relying on Kennedy as authority for the proposition that the IPT was not an effective remedy for a complaint about the general Convention compliance of a surveillance regime. It therefore finds that there existed special circumstances absolving these applicants from the requirement that they first bring their complaints to the IPT and, as a consequence, it considers that their complaints cannot be declared inadmissible pursuant to Article 35 § 1 of the Convention.
II. ALLEGED VIOLATION OF ARTICLE 8 OF THE CONVENTION
269. Cumulatively, the applicants in the three joined cases complain about the Article 8 compatibility of three discrete regimes: the regime for the bulk interception of communications under section 8(4) of RIPA; the intelligence sharing regime; and the regime for the acquisition of communications data under Chapter II of RIPA. The Court will consider each of these regimes separately.
270. The applicants in all of the joined cases complain that the regime under section 8(4) of RIPA for the bulk interception of communications is incompatible with their right to respect for their rights under Article 8 of the Convention, which reads as follows:
"1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."
271. The Government contested that argument. They did not, however, raise any objection under Article 1 of the Convention; nor did they suggest that the interception of communications under the section 8(4) regime was taking place outside the United Kingdom's territorial jurisdiction. The Court will therefore proceed on the assumption that the matters complained of fall within the jurisdictional competence of the United Kingdom.
272. The Court notes that this complaint is not manifestly ill-founded within the meaning of Article 35 § 3 (a) of the Convention. It further notes that it is not inadmissible on any other grounds. It must therefore be declared admissible.
273. The applicants accepted that the bulk interception regime had a basis in domestic law. However, they argued that it lacked the quality of law because it was so complex as to be inaccessible to the public and to the Government, reliance was placed on arrangements which were substantially "below the waterline" rather than on clear and binding legal guidelines, and it lacked sufficient guarantees against abuse.
274. In particular, the applicants submitted that the section 8(4) regime did not comply with the six requirements identified by this Court in Weber and Saravia v. Germany (dec.), no. 54934/00, ECHR 2006-�XI. Firstly, they contended that the purposes for which interception could be permitted (such as "the interests of national security" and "the economic well-being of the United Kingdom) were too vague to provide a clear limit on the intelligence services' activities.
275. Secondly, they argued that in practice any person was liable to have his or her communications intercepted under section 8(4). Although the regime was targeted at "external" communications, there was no clear definition of "internal" and "external" communications, and in any event modern technological developments had rendered the distinction between the two meaningless. While the Secretary of State was required to provide descriptions of the material he considered it necessary to examine, the ISC had reported that section 8(4) warrants were framed in generic terms.
276. Thirdly, with regard to the limits on the duration of surveillance, the applicants submitted that, in practice, a section 8(4) warrant could continue indefinitely, being renewed every six months by the Secretary of State pursuant to section 9(1)(b) of RIPA.
277. Fourthly, according to the applicants the procedure for filtering, storing and analysing intercepted material lacked adequate safeguards and gave rise to an unacceptable risk of an arbitrary and disproportionate interference with Article 8 of the Convention. First of all, there was no requirement that the selectors used to filter intercepted communications be identified in the Secretary of State's certificate accompanying the section 8(4) warrant, and these selectors were not otherwise subject to oversight. Secondly, the section 16 safeguards only applied where a person was "known to be for the time being in the British Islands". Thirdly, the protections in section 16 of RIPA only applied to the "content" of intercepted communications, and not the filtering, storage and analysis of "related communications data", despite the fact that communications data was capable of providing the Government with a detailed profile of the most intimate aspects of a person's private life.
278. Fifthly, in relation to the communication of intercepted material, the applicants contended that the requirement that the Secretary of State ensure that its disclosure was limited to "the minimum that is necessary for the authorised purposes" was an ineffective safeguard. The authorised purposes enumerated in section 15(4) of RIPA were extremely wide, and included situations where the information was or was "likely to become" necessary for any of the purposes specified in section 5(3) of RIPA.
279. Sixth and finally, the applicants submitted that there were no effective or binding safeguards against the disproportionate retention of intercepted data. Indeed, according to the applicants it was clear from the third IPT judgment in the Liberty proceedings that Amnesty International's communications had been stored without the appropriate (automated) deletion procedures being followed, and neither the intelligence services nor the oversight and audit mechanisms had detected this.
280 . In addition to arguing that the Webe r requirements were not satisfied, the applicants in any event contended that they were no longer sufficient to ensure that a communications surveillance regime was compatible with Article 8 of the Convention. Weber had been decided in 2006, and subsequent technological developments meant that Governments could now create detailed and intrusive profiles of intimate aspects of private lives by analysing patterns of communications on a bulk basis. The applicants therefore identified a number of additional requirements which they believed were now necessary to ensure the Convention compliance of a legal framework for surveillance: the requirement for objective evidence of reasonable suspicion in relation to the persons for whom data was being sought; prior independent judicial authorisation of interception warrants; and the subsequent notification of the surveillance subject.
281. Finally, the applicants submitted that the section 8(4) regime was disproportionate. In their view the intelligence services were systematically collecting both content and communications data on a massive scale and retaining it for future searching and use. Such a blanket approach fell foul of the principles established in S. and Marper v. the United Kingdom [GC], nos. 30562/04and 30566/04, ECHR 2008 and M.K. v. France , no. 19522/09, 18 April 2013.
282 . At the outset, the Government submitted that the information and intelligence obtained under the section 8(4) regime was critical to the protection of the United Kingdom from national security threats; in particular, but not exclusively, from the threat of terrorism. This was especially so given the current level of sophistication of terrorists and criminals in communicating over the Internet in ways that avoided detection, whether through the use of encryption, the adoption of bespoke communications systems, or simply because of the volume of Internet traffic in which they could now hide their communications. Imposing additional fetters on the interception of communications would damage the State's ability to safeguard national security and combat serious crime at exactly the point when advances in communication technology had increased the threat from terrorists and criminals using the Internet.
283 . The seriousness of the terrorist threat was underscored by a number of recent attacks across the United Kingdom and Europe, including the attack on Westminster Bridge on 22 March 2017, the Manchester Arena bombing of 22 May 2017, the attack on London Bridge on 3 June 2017, the attacks in Barcelona and Cambrils on 17 August 2017, and the attack on the London Underground on 15 September 2017. The Government therefore submitted that under the Convention scheme, it was properly for States to judge what was necessary to protect the general community from such threats. While those systems were subject to the Court's scrutiny, it had consistently - and rightly - afforded States a broad margin of appreciation in this field so as not to undermine the effectiveness of systems for obtaining life-saving intelligence that could not be gathered any other way.
284. Although the Government denied that the section 8(4) regime permitted mass surveillance or generalised access to communications, it accepted that it permitted, pursuant to the lawful authority of warrants, the bulk interception of bearers for wanted external communications. In the Government's opinion, the distinction between "internal" and "external" communications was sufficiently clear, and in any event it operated primarily as a safeguard at the macro level; that is, in determining which bearers should be targeted for interception. The Government further contended that bulk interception was critical for the discovery of threats and hitherto unknown targets which might be responsible for threats. Even when the identity of targets was known, they were likely to use a variety of different means of communication, and change those means frequently. Electronic communications did not traverse the Internet by routes that could necessarily be predicted; rather, they took the most efficient route, determined by factors such as cost and the volume of traffic passing over particular parts of the Internet at different times of the day. In addition, communications sent over the Internet were broken down into small pieces (or "packets"), which were transmitted separately, often through different routes. In the opinion of the Government, it was therefore necessary to intercept all communications travelling over more than one bearer to maximise the chance of identifying and obtaining the communications being sent to known targets.
285. With regard to whether the interference complained of was "in accordance with the law", the Government relied on the fact that it had its basis in primary legislation, namely section 8(4) of RIPA, supplemented by the Interception of Communications Code of Practice ("the IC Code"). It had been further clarified by the reports of the Interception of Communications Commissioner, which were also public documents.
286. In relation to the Weber requirements the Government argued that the first foreseeability requirement, being the "offences" which might give rise to an interception order, was satisfied by section 5 of RIPA, which defined the purposes for which the Secretary of State could issue an interception warrant. In Kennedy , despite the applicant's criticism of the terms "national security" and "serious crime", the Court had found the description of the offences which might give rise to an interception order to be sufficiently clear ( Kennedy , cited above, § 159).
287. Relying on Weber , the Government submitted that the second foreseeability requirement (the categories of people liable to have their communications intercepted) applied at both the interception stage and the selection stage. As regards the interception stage, a section 8(4) warrant was targeted at "external" communications, although in principle it might authorise the interception of "internal" communications insofar as that was necessary in order to intercept the external communications to which the warrant related. With regard to the selection stage, section 16(1) of RIPA provided that no intercepted material could be read, looked at or listened to by any person unless it fell within the Secretary of State's certificate, and it was proportionate in the circumstances to do so. Furthermore, section 16(2) placed sufficiently precise limits on the extent to which intercepted material could be selected to be read, looked at or listened to according to a factor which was referable to an individual known to be for the time being in the British Islands and which had as (one of) its purpose(s) the identification of material contained in communications sent by or intended for him.
288. The Government further argued that paragraphs 6.22-6.24 of the IC Code made sufficient provision for the duration and renewal of a section 8(4) warrant, thereby complying with the third requirement identified in Weber . Pursuant to section 9(2) of RIPA, a section 8(4) warrant could only be renewed if the Secretary of State believed that it continued to be necessary, and if the Secretary of State believed that the warrant was no longer necessary, section 9(3) of RIPA required that it be cancelled.
289. According to the Government, insofar as intercepted material could not be read, looked at or listened to by a person pursuant to section 16 of RIPA, it could not be used at all. Prior to its destruction, paragraph 7.7 of the IC Code required that it be stored securely. For material that could be read, looked at and listened to pursuant to section 16, the Government submitted that the regime satisfied the fourth of the Weber requirements. In particular, material had to be selected for examination through the application of search terms by equipment operating automatically for that purpose. If an analyst then wished to select material for examination, paragraphs 7.14-7.16 of the IC Code required that he or she create a record setting out why access was required and proportionate, consistent with the applicable certificate, and stating any circumstances likely to give rise to a degree of collateral infringement of privacy, and any measures taken to reduce the extent of that infringement. That record had to be retained for the purpose of subsequent audit. Paragraphs 7.11-7.20 further required that material should only be read, looked at or listened to by authorised persons receiving regular training in the operation of section 16 of RIPA and the requirements of necessity and proportionality. Finally, material could only be used by the intelligence services in accordance with their statutory functions, and only insofar as was proportionate under section 6(1) of the Human Rights Act 1998.
290. The Government further submitted that the section 8(4) regime satisfied the fifth Weber requirement. Section 15(2) set out the precautions to be taken when communicating intercepted material to other people. These precautions served to ensure that only so much intercepted material as was "necessary" for the authorised purpose could be disclosed. Paragraphs 7.4 and 7.5 of the IC Code further provided that where intercepted material was to be disclosed to a foreign State, the intelligence services had to take reasonable steps to ensure that the authorities of that State had and would maintain the necessary procedures to safeguard the intercepted material, and to ensure that it was disclosed, copied, distributed and retained only to the minimum extent necessary. It could only be further disclosed to the authorities of a third country if explicitly agreed. Finally, any disclosure would have to satisfy the constraints imposed by sections 1-2 of the Security Services Act 1989, sections 1-4 of the Intelligence Services Act 1994 as read with section 19(3)-(5) of the Counter Terrorism Act 2008 and section 6(1) of the Human Rights Act 1998.
291. With regard to the final Weber requirement, the Government contended that section 15(3) of RIPA and paragraphs 7.8-7.9 of the IC Code made sufficient provision for the circumstances in which intercepted material had to be erased or destroyed (including the obligation to review retention at appropriate intervals, and the specification of maximum retention periods which should normally be no longer than two years).
292 . Although the Government acknowledged that the safeguards in section 16 of RIPA did not apply to "related communications data", they argued that the covert acquisition of related communications data was less intrusive than the covert acquisition of content and, as such, the Court had never applied the Weber requirements to powers to acquire communications data. It was therefore their contention that instead of the list of six specific foreseeability requirements, the test in respect of communications data should be the more general one of whether the law indicated the scope of any discretion and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference.
293. According to the Government, the section 8(4) regime satisfied this test as regards the obtaining and use of related communications data. First of all, "related communications data" as defined in sections 20 and 21 of RIPA was not synonymous with "metadata" but was instead a limited subset of metadata. Secondly, the section 8(4) regime was sufficiently clear as to the circumstances in which the intelligence services could obtain related communications data (namely, by the interception of bearers pursuant to a section 8(4) warrant). Once obtained, access to related communications data had to be necessary and proportionate under section 6(1) of the Human Rights Act 1998 and subject to the constraints in sections 1-2 of the Security Services Act and sections 1-4 of the Intelligence Services Act. Storage, handling, use and disclosure of related communications data, including access by a foreign intelligence partner, would be constrained by section 15 of RIPA and paragraphs 7.1-7.10 of the IC Code. Finally, the Government argued that there was good reason for exempting related communications data from the safeguards in section 16; in order for section 16 to work, the intelligence services needed to be able to assess whether a potential target was "for the time being in the British Islands".
294. Finally, the Government addressed the applicants' proposals for "updating" the Weber requirements. They submitted that any requirement of "reasonable suspicion" would largely preclude the operation of bulk interception regimes, despite the fact that the Court had permitted such monitoring in Weber . Furthermore, in Kennedy (cited above, § 167) the Court clearly held that judicial authorisation could be either ex ante or post facto . In that case the Court had found that the oversight provided by the Commissioner, the ISC and the IPT had compensated for any lack of prior judicial authorisation. Finally, any requirement to notify a suspect of the use of bulk data tools against him could fundamentally undermine the work of the intelligence services and potentially threaten the lives of covert human intelligence sources close to the suspect. It would also be wholly impractical in the section 8(4) context, since many of the targets would be overseas and their personal details might be unknown or imperfectly known.
(b) The submissions of the third parties
295. Article 19 submitted that mass interception powers were by their very nature inherently incapable of being exercised in a proportionate manner and, as such, were inherently incompatible with the requirements of the Convention. Article 19 therefore urged the Court to conclude that only targeted surveillance based on reasonable suspicion and authorised by a judge constituted a legitimate restriction on the right to privacy.
296. Access Now submitted that the mass surveillance at issue in the present case failed to comply with the International Covenant on Civil and Political Rights ("ICCPR") and the International Principles on the Application of Human Rights to Communications Surveillance since the United Kingdom had not demonstrated that such surveillance was strictly necessary or proportionate. They further contended that surveillance programmes should not be considered independently but should instead be viewed in relation to the entirety of a nation's surveillance activities as machine learning, through which mathematical algorithms could draw inferences from collections of data, had increased the invasiveness of big data sets and data mining.
297. The ENNHRI also drew the Court's attention to international instruments such as the ICCPR, the American Convention on Human Rights, and the EU Charter of Fundamental Rights. It observed that in 2015 the Human Rights Committee reviewed the State Party report of the United Kingdom of Great Britain and Northern Ireland. It expressed concern that RIPA provided for untargeted warrants for the interception of external communications without affording the same safeguards as applied to internal communications, and it made a number of detailed recommendations, including the creation of sufficiently precise and foreseeable legal provisions, and judicial involvement in the authorisation of such measures.
(iv) The Helsinki Foundation for Human Rights ("HFHR")
298. The HFHR described their experience challenging the surveillance of communications by public authorities in Poland, which culminated in the Constitutional Tribunal finding certain aspects of the relevant legislation to be unconstitutional. The legislation was subsequently amended.
(v) The International Commission of Jurists ("ICJ")
299. The ICJ submitted that in light of the scale and scope of the interference with privacy entailed in mass surveillance, the distinction between the acquisition of metadata and content had become out-dated. Furthermore, the fact that, in a mass surveillance operation, elements of the interference with rights might take place outside a State's territorial jurisdiction didn't preclude that State's responsibility, since its control over the information was sufficient to establish jurisdiction.
(vi) Open Society Justice Initiative ("OSJI")
300. OSJI submitted that both the amount of data available for interception today and governments' appetite for data far exceeded what was possible in the past. Consequently, bulk interception was a particularly serious interference with privacy which could, through its "chilling effect", potentially interfere with other rights such as freedom of expression and freedom of association. To be lawful, bulk interception should therefore satisfy several preconditions: the governing law had to be sufficiently precise; the scope of the information gathered had to be limited by time and geography; and information should only be gathered based on "reasonable suspicion".
301 . EDRi and others argued that the present case offered the Court a crucial opportunity to revise its framework for the protection of metadata. Governments had built their surveillance programmes based on the distinction drawn between content and metadata in Malone v. the United Kingdom , 2 August 1984, Series A no. 82, but at the time that case was decided neither the Internet nor mobile phones existed. Today, metadata could paint a detailed and intimate picture of a person: it allowed for mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with. Moreover, the level of detail that could be gleaned was magnified when analysed on a large scale. Indeed, Stewart Baker, general counsel of the NSA, had indicated that metadata could disclose everything about someone's life, and that if you had enough metadata, you wouldn't need content. As a result, different degrees of protection should not be afforded to personal data based on the arbitrary and irrelevant distinction between content and metadata, but rather on the inferences that could be drawn from the data.
(viii) The Law Society of England and Wales
302. The Law Society expressed deep concern about the implications of the section 8(4) regime for the principle of legal professional privilege. In particular, the regime permitted the interception of legally privileged and confidential communications between lawyers and clients, even when both were in the United Kingdom. It also permitted the routine collection of metadata attaching to such communications. Furthermore, once intercepted these legally privileged communications could be used, provided that the primary purpose and object of the warrant was the collection of external communications. This arrangement - and the absence of adequate constraints on the use of such material - was apt to have a potentially severe chilling effect on the frankness and openness of lawyer-client communications.
303 . Although the Court has developed extensive jurisprudence on secret measures of surveillance, its case-law concerns many different forms of surveillance, including, but not limited to, the interception of communications. It also concerns many different forms of "interference" with applicants' right to respect for their private lives; for example, while some cases concern the interception of the content of communications, others concern the interception or obtaining of communications data, or the tracking of individuals via GPS. As the Court has at times differentiated between the different types of surveillance and the different forms of interference, there is no one set of general principles which apply in all cases concerning secret measures of surveillance. The following principles can, however, be extrapolated from the Court's case-law.
304. Any interference with an individual's Article 8 rights can only be justified under Article 8 § 2 if it is in accordance with the law, pursues one or more of the legitimate aims to which that paragraph refers and is necessary in a democratic society in order to achieve any such aim (see Roman Zakharov , cited above, § 227, and Kennedy , cited above, § 130).
305. According to the Court's well established case-law, the wording "in accordance with the law" requires the impugned measure to have some basis in domestic law (as opposed to a practice which does not have a specific legal basis -� see Heglas v. the Czech Republic , no. 5935/02, § 74, 1 March 2007). It must also be compatible with the rule of law, which is expressly mentioned in the Preamble to the Convention and inherent in the object and purpose of Article 8. The law must therefore be accessible to the person concerned and foreseeable as to its effects (see Roman Zakharov , cited above, § 228; see also, among many other authorities, Rotaru v. Romania [GC], no. 28341/95, § 52, ECHR 2000-�V; S. and Marper , cited above, § 95, and Kennedy , cited above, § 151).
306. The Court has held on several occasions that the reference to "foreseeability" in the context of secret surveillance cannot be the same as in many other fields. Foreseeability in the special context of secret measures of surveillance, such as the interception of communications, cannot mean that an individual should be able to foresee when the authorities are likely to resort to such measures so that he can adapt his conduct accordingly. However, especially where a power vested in the executive is exercised in secret, the risks of arbitrariness are evident. It is therefore essential to have clear, detailed rules on secret surveillance measures, especially as the technology available for use is continually becoming more sophisticated. The domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures (see Roman Zakharov , cited above, § 229; see also Malone , cited above, § 67, Leander , cited above, § 51; Huvig v. France , 24 April 1990, § 29, Series A no. 176-�B; Valenzuela Contreras v. Spain , 30 July 1998, § 46, Reports of Judgments and Decisions 1998-�V; Rotaru , cited above, § 55; Weber and Saravia , cited above, § 93; Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria , no. 62540/00, § 75, 28 June 2007). Moreover, the law must indicate the scope of any discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference (see Roman Zakharov , cited above, § 230; see also, among other authorities, Malone , cited above, § 68; Leander , cited above, § 51; Huvig , cited above, § 29; and Weber and Saravia , cited above, § 94).
307 . In its case-law on the interception of communications in criminal investigations, the Court has developed the following minimum requirements that should be set out in law in order to avoid abuses of power: the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their communications intercepted; a limit on the duration of interception; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which intercepted data may or must be erased or destroyed (see Huvig , cited above, § 34; Valenzuela Contreras , cited above, § 46; Weber and Saravia , cited above, § 95; and Association for European Integration and Human Rights and Ekimdzhiev , cited above, § 76). In Roman Zakharov (cited above, § 231) the Court confirmed that the same six minimum requirements also applied in cases where the interception was for reasons of national security; however, in determining whether the impugned legislation was in breach of Article 8, it also had regard to the arrangements for supervising the implementation of secret surveillance measures, any notification mechanisms and the remedies provided for by national law ( Roman Zakharov , cited above, § 238).
308. As to the question whether an interference was "necessary in a democratic society" in pursuit of a legitimate aim, the Court has acknowledged that, when balancing the interest of the respondent State in protecting its national security through secret surveillance measures against the seriousness of the interference with an applicant's right to respect for his or her private life, the national authorities enjoy a certain margin of appreciation in choosing the means for achieving the legitimate aim of protecting national security. However, this margin is subject to European supervision embracing both legislation and decisions applying it. In view of the risk that a system of secret surveillance set up to protect national security may undermine or even destroy democracy under the cloak of defending it, the Court must be satisfied that there are adequate and effective guarantees against abuse. The assessment depends on all the circumstances of the case, such as the nature, scope and duration of the possible measures, the grounds required for ordering them, the authorities competent to authorise, carry out and supervise them, and the kind of remedy provided by the national law. The Court has to determine whether the procedures for supervising the ordering and implementation of the restrictive measures are such as to keep the "interference" to what is "necessary in a democratic society" (see Roman Zakharov , cited above, § 232; see also Klass and Others v. Germany , 6 September 1978, §§ 49, 50 and 59, Series A no. 28, Weber and Saravia , cited above, § 106 and Kennedy , cited above, §§ 153 and 154).
309. Review and supervision of secret surveillance measures may come into play at three stages: when the surveillance is first ordered, while it is being carried out, or after it has been terminated. As regards the first two stages, the very nature and logic of secret surveillance dictate that not only the surveillance itself but also the accompanying review should be effected without the individual's knowledge. Consequently, since the individual will necessarily be prevented from seeking an effective remedy of his or her own accord or from taking a direct part in any review proceedings, it is essential that the procedures established should themselves provide adequate and equivalent guarantees safeguarding his or her rights. In a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge, judicial control offering the best guarantees of independence, impartiality and a proper procedure (see Roman Zakharov , cited above, § 233; see also Klass and Others , cited above, §§ 55 and 56).
310. As regards the third stage, after the surveillance has been terminated, the question of subsequent notification of surveillance measures is inextricably linked to the effectiveness of remedies before the courts and hence to the existence of effective safeguards against the abuse of monitoring powers. There is in principle little scope for recourse to the courts by the individual concerned unless the latter is advised of the measures taken without his or her knowledge and thus able to challenge their legality retrospectively (see Roman Zakharov , cited above, § 234; see also Klass and Others , cited above, § 57, and Weber and Saravia , cited above, § 135) or, in the alternative, unless any person who suspects that he or she has been subject to surveillance can apply to courts, whose jurisdiction does not depend on notification to the surveillance subject of the measures taken (see Roman Zakharov , cited above, § 234; see also Kennedy , cited above, § 167).
(ii) Existing case-law on the bulk interception of communications
311. The Court has considered the Convention compatibility of regimes which expressly permit the bulk interception of communications on two occasions: first in Weber and Saravia (cited above), and then in Liberty and Others v. the United Kingdom , no. 58243/00, 1 July 2008.
312. In Weber and Saravia the applicants complained about the process of strategic monitoring under the amended G10 Act, which authorised the monitoring of international wireless telecommunications. Signals emitted from foreign countries were monitored by interception sites situated on German soil with the aid of certain catchwords which were listed in the monitoring order. Only communications containing these catchwords were recorded and used. Having particular regard to the six "minimum requirements" set out in paragraph 307 above, the Court considered that there existed adequate and effective guarantees against abuses of the State's strategic monitoring powers. It therefore declared the applicants' Article 8 complaints to be manifestly ill-founded.
313 . In Liberty and Others the Court was considering the regime under section 3(2) of the Interception of Communications Act 1985, which was in effect the predecessor of the regime under section 8(4) of RIPA. Section 3(2) allowed the executive to intercept communications passing between the United Kingdom and an external receiver. At the time of issuing a section 3(2) warrant, the Secretary of State was required to issue a certificate containing a description of the intercepted material which he considered should be examined. The 1985 Act provided that material could be contained in a certificate, and thus listened to or read, if the Secretary of State considered that this was required in the interests of national security, the prevention of serious crime or the protection of the United Kingdom's economy. However, external communications emanating from a particular address in the United Kingdom could only be included in a certificate for examination if the Secretary of State considered it necessary for the prevention or detection of acts of terrorism. The Court held that the domestic law at the relevant time (which predated the adoption of the Interception of Communications Code of Practice - see, in particular, paragraph 109 above) did not indicate with sufficient clarity, so as to provide adequate protection against abuse of power, the scope or manner of exercise of the very wide discretion conferred on the State to intercept and examine external communications. In particular, it did not set out in a form accessible to the public any indication of the procedure to be followed for selecting for examination, sharing, storing and destroying intercepted material.
(iii) The test to be applied in the present case
314 . The Court has expressly recognised that the national authorities enjoy a wide margin of appreciation in choosing how best to achieve the legitimate aim of protecting national security (see Weber and Saravia , cited above, § 106). Furthermore, in Weber and Saravia and Liberty and Others the Court accepted that bulk interception regimes did not per se fall outside this margin. Although both of these cases are now more than ten years old, given the reasoning of the Court in those judgments and in view of the current threats facing many Contracting States (including the scourge of global terrorism and other serious crime, such as drug trafficking, human trafficking, the sexual exploitation of children and cybercrime), advancements in technology which have made it easier for terrorists and criminals to evade detection on the Internet, and the unpredictability of the routes via which electronic communications are transmitted, the Court considers that the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security is one which continues to fall within States' margin of appreciation.
315. Nevertheless, as indicated previously, it is evident from the Court's case-law over several decades that all interception regimes (both bulk and targeted) have the potential to be abused, especially where the true breadth of the authorities' discretion to intercept cannot be discerned from the relevant legislation (see, for example, Roman Zakharov , cited above, and Szabó and Vissy v. Hungary , no. 37138/14, 12 January 2016). Therefore, while States enjoy a wide margin of appreciation in deciding what type of interception regime is necessary to protect national security, the discretion afforded to them in operating an interception regime must necessarily be narrower. In this regard, the Court has identified six minimum requirements that both bulk interception and other interception regimes must satisfy in order to be sufficiently foreseeable to minimise the risk of abuses of power (see paragraph 307 above).
316. The applicants argue that in the present case the Court should "update" those requirements by including requirements for objective evidence of reasonable suspicion in relation to the persons for whom data is being sought, prior independent judicial authorisation of interception warrants, and the subsequent notification of the surveillance subject (see paragraph 280 above). In their view, such changes would reflect the fact that due to recent technological developments the interception of communications now has greater potential than ever before to paint an intimate and detailed portrait of a person's private life and behaviour. However, while the Court does not doubt the impact of modern technology on the intrusiveness of interception, and has indeed emphasised this point in its case-law, it would be wrong automatically to assume that bulk interception constitutes a greater intrusion into the private life of an individual than targeted interception, which by its very nature is more likely to result in the acquisition and examination of a large volume of his or her communications. In any event, although the Court would agree that the additional requirements proposed by the applicants might constitute important safeguards in some cases, for the reasons set out below it does not consider it appropriate to add them to the list of minimum requirements in the case at hand.
317. First of all, requiring objective evidence of reasonable suspicion in relation to the persons for whom data is being sought and the subsequent notification of the surveillance subject would be inconsistent with the Court's acknowledgment that the operation of a bulk interception regime in principle falls within a State's margin of appreciation. Bulk interception is by definition untargeted, and to require "reasonable suspicion" would render the operation of such a scheme impossible. Similarly, the requirement of "subsequent notification" assumes the existence of clearly defined surveillance targets, which is simply not the case in a bulk interception regime.
318 . Judicial authorisation, by contrast, is not inherently incompatible with the effective functioning of bulk interception. Nevertheless, as the Venice Commission acknowledged in their report on the Democratic Oversight of Signals Intelligence Agencies (see paragraph 212 above), while the Court has recognised that judicial authorisation is an "important safeguard against arbitrariness" (see Roman Zakharov , cited above, § 249), to date it has not considered it to be a "necessary requirement" or the exclusion of judicial control to be outside "the limits of what may be deemed necessary in a democratic society" (see, for example, Roman Zakharov , cited above, § 258; see also Klass and Others , cited above, §§ 51 and 56; Weber and Saravia , cited above, § 115; Kennedy , cited above, § 167; and Szabó and Vissy, cited above, § 77 ). There would appear to be good reason for this. The Court has found it "desirable to entrust supervisory jurisdiction to a judge" because, as a result of the secret nature of the surveillance, the individual will usually be unable to seek a remedy of his or her own accord (see Roman Zakharov , cited above, § 233). However, that is not the case in every contracting State. In the United Kingdom, for example, any person who thinks that he or she has been subject to secret surveillance can lodge a complaint with the IPT (see paragraph 250 above). Consequently, in Kennedy the Court accepted that regardless of the absence of prior judicial authorisation, the existence of independent oversight by the IPT and the Interception of Communications Commissioner provided adequate safeguards against abuse (see Kennedy , cited above, §§ 167-169). In this regard, the Venice Commission also noted that independent oversight may be able to compensate for an absence of judicial authorisation (see paragraph 212 above).
319. Secondly, the Court has acknowledged that "the possibility of improper action by a dishonest, negligent or over-zealous official can never be completely ruled out whatever the system" (see Klass and Others , cited above, § 59), and one need only look at its most recent jurisprudence to find examples of cases where prior judicial authorisation provided limited or no protection against abuse. For example, in Roman Zakharov , any interception of communications had to be authorised by a court and the judge had to give reasons for the decision to authorise interceptions. However, as judicial scrutiny was limited in scope and the police had the technical means to circumvent the authorisation procedure and to intercept any communications without obtaining prior judicial authorisation, the Court found that Russian law was incapable of keeping the "interference" to what was "necessary in a democratic society". Similarly, in Association for European Integration and Human Rights and Ekimdzhiev the relevant law required judicial authorisation before interception could take place. Nevertheless, the Court found that numerous abuses had taken place (according to a recent report, more than 10,000 warrants were issued over a period of some twenty-�four months). More recently, in Mustafa Sezgin Tanrıkulu v. Turkey , no. 27473/06, § 64, 18 July 2017 the Court found a violation of Article 8 where an assize court had granted the National Intelligence Agency permission to intercept all domestic and international communications for a month and a half with a view to identifying terrorist suspects.
320. Therefore, while the Court considers judicial authorisation to be an important safeguard, and perhaps even "best practice", by itself it can neither be necessary nor sufficient to ensure compliance with Article 8 of the Convention (see Klass and Others , cited above, § 56). Rather, regard must be had to the actual operation of the system of interception, including the checks and balances on the exercise of power, and the existence or absence of any evidence of actual abuse (see Association for European Integration and Human Rights and Ekimdzhiev , cited above, § 92). Accordingly, the Court will examine the justification for any interference in the present case by reference to the six minimum requirements, adapting them where necessary to reflect the operation of a bulk interception regime. It will also have regard to the additional relevant factors which it identified in Roman Zakharov , but did not classify as "minimum requirements"; namely, the arrangements for supervising the implementation of secret surveillance measures, any notification mechanisms and the remedies provided for by national law (see paragraph 307 above).
(α) The existence of an interference
321. The Government do not dispute that there has been an interference with the applicants' Article 8 rights.
(β) Justification for the interference
322. As already noted, an interference can only be justified under Article 8 § 2 if it is in accordance with the law, pursues one or more legitimate aims and is necessary in a democratic society in order to achieve any such aim (see paragraph 303 above). In cases where the legislation permitting secret surveillance is contested before the Court, the lawfulness of the interference is closely related to the question whether the "necessity" test has been complied with and it is therefore appropriate for the Court to address jointly the "in accordance with the law" and "necessity" requirements (see Roman Zakharov , cited above, § 236 and Kennedy , cited above, § 155). The "quality of law" in this sense implies that the domestic law must not only be accessible and foreseeable in its application, but it must also ensure that secret surveillance measures are applied only when "necessary in a democratic society", in particular by providing for adequate and effective safeguards and guarantees against abuse.
323. The parties do not dispute that the section 8(4) regime had a basis in domestic law; nor do they dispute that the regime pursued the legitimate aims of the protection of national security, the prevention of crime and the protection of the economic well-being of the country. The applicants do, however, contest the quality of domestic law and, in particular, its accessibility and foreseeability.
324. The Court will therefore assess in turn the accessibility of the domestic law, followed by its foreseeability and necessity, having regard to the six minimum requirements established in its case law, before turning its attention to the arrangements for supervising the implementation of secret surveillance measures, any notification mechanisms and the remedies provided for by national law (see paragraph 307 above).
- Accessibility
325. The applicants challenge the accessibility of domestic law on the grounds that it is too complex to be accessible to the public, and it relies on "below the waterline" arrangements. It is true that most of the reports into the United Kingdom's secret surveillance regimes have criticised the piecemeal development - and subsequent lack of clarity - of the legal framework (see paragraphs 152, 162 and 167 above). However, as with other cases in which domestic law has been considered in abstracto and amendments have been made to the legislation while the application was pending (see, for example, Association for European Integration and Human Rights and Ekimdzhiev ), in the present case the Court must review the Convention compliance of the law in force at the date of its examination of the applicants' complaints. It therefore can, and should, take into account the IC Code which was amended in 2016 to clarify the legal framework and reflect the further disclosures which were made following the Snowden revelations and which are examined in detail in the ISC report, the Anderson report and the ISR report (see paragraphs 90, 148-150, 160-165 and 166-172 above). As the IC Code is a public document, subject to the approval of both Houses of Parliament, and has to be taken into account both by those exercising interception duties and by courts and tribunals, the Court has expressly accepted that its provisions could be taken into consideration in assessing the foreseeability of the RIPA regime (see Kennedy , cited above, § 157).
326. Insofar as the applicants complain about the existence of "below the waterline" arrangements, the Court has acknowledged that States do not have to make public all the details of the operation of a secret surveillance regime, provided that sufficient information is available in the public domain (see Roman Zakharov , cited above, §§ 243-244 and 247; see also, among many examples, Szabó and Vissy, cited above, § 64, and Kennedy , cited above, § 159). In the context of secret surveillance, it is inevitable that "below the waterline" arrangements will exist, and the real question for the Court is whether it can be satisfied, based on the "above the waterline" material, that the law is sufficiently foreseeable to minimise the risk of abuses of power. This is a question that goes to the foreseeability and necessity of the relevant law, rather than its accessibility.
327. Therefore, while the Court concurs with several of the aforementioned domestic reports that RIPA and the accompanying surveillance framework are extremely complex, in the present case it will concentrate on the requirements of "foreseeability" and "necessity".
- The scope of application of secret surveillance measures
328 . The first two minimum requirements have traditionally been referred to as the nature of the offences which might give rise to an interception order and a definition of the categories of people liable to have their telephones tapped. In Roman Zakharov the Court made clear that pursuant to these two requirements "the national law must define the scope of application of secret surveillance measures by giving citizens an adequate indication as to the circumstances in which public authorities are empowered to resort to such measures" (see Roman Zakharov , cited above, §§ 243).
329 . In a targeted interception regime, the nature of the communications to be intercepted should be tightly defined, but once interception takes place it is likely that all - or nearly all - of the intercepted communications are analysed. The opposite will normally be true of a bulk interception regime, where the discretion to intercept is broader, but stricter controls will be applied at the selection for examination stage. In fact, in the present case, it is clear from Chapter 6 of the IC Code (see paragraph 90 above), the ISC report (see paragraphs 151-159 above), the first IPT judgment in the Liberty proceedings (see paragraphs 41-49 above) and the Government's observations that there are four distinct stages to the section 8(4) regime:
1. The interception of a small percentage of Internet bearers, selected as being those most likely to carry external communications of intelligence value.
2. The filtering and automatic discarding (in near real-time) of a significant percentage of intercepted communications, being the traffic least likely to be of intelligence value.
3. The application of simple and complex search criteria (by computer) to the remaining communications, with those that match the relevant selectors being retained and those that do not being discarded.
4. The examination of some (if not all) of the retained material by an analyst).
330. Thus, in addressing the first two minimum requirements, the Court will examine first, whether the grounds upon which a warrant can be issued are sufficiently clear; secondly, whether domestic law gives citizens an adequate indication of the circumstances in which their communications might be intercepted; and thirdly, whether domestic law gives citizens an adequate indication of the circumstances in which their communications might be selected for examination (see paragraph 328 above).
331. According to RIPA and the IC Code, the Secretary of State can only issue a warrant if he is satisfied that it is necessary in the interests of national security, for the purpose of preventing or detecting serious crime, or for the purpose of safeguarding the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security; and that the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct. Pursuant to domestic law, when assessing necessity and proportionality, account should be taken of whether the information sought under the warrant could reasonably be obtained by other means (section 5(3) of RIPA and Chapter 6 of the IC Code - see paragraphs 57 and 90 above). It is clear that insofar as RIPA and the IC Code use the terms "necessity" and "proportionality" they are intended to ensure compliance with the requirements of Articles 8 and 10 of the Convention and should therefore be understood in the Convention sense (see paragraph 3.5 of the IC Code, at paragraph 90 above).
332. The Court has held that the condition of foreseeability does not require States to set out exhaustively by name the specific offences which may give rise to interception, provided that there is sufficient detail about the nature of the offences in question (see Roman Zakharov , cited above, §§ 243-244; see also, among many examples, Szabó and Vissy, cited above, § 64, and Kennedy , cited above, § 159). Moreover, the Court has expressly recognised the need to avoid excessive rigidity in the wording of certain statures and to keep pace with changing circumstances (see Szabó and Vissy, cited above, § 64 and Kokkinakis v. Greece , 25 May 1993, § 40, Series A no. 260-�A).
333. In Kennedy the Court had to consider whether the section 5(3) grounds (which apply to both section 8(1) and section 8(4) warrants) provided sufficient detail about the nature of the offences that might give rise to an interception order. It found that the term "national security" was frequently employed in both national and international legislation and constituted one of the legitimate aims to which Article 8 § 2 referred. It further noted that threats to national security tended to vary in character and might be unanticipated or difficult to define in advance. Finally, the Interception of Communications Commissioner had clarified that in practice "national security" allowed surveillance of activities which threatened the safety or well-being of the State and activities which were intended to undermine or overthrow Parliamentary democracy by political, industrial or violent means. It therefore found the term to be sufficiently clear (see Kennedy , cited above, § 159).
334. Furthermore, the Court observes that "serious crime" is clearly defined in section 81 of RIPA (see paragraphs 58-59 above; see also Kennedy , cited above, § 159) and the IC Code has clarified that the purpose of safeguarding the economic well-being of the United Kingdom is restricted to those interests which are also relevant to the interests of national security (see paragraph 90 above).
335. The Court therefore considers that section 5(3) is sufficiently clear, giving citizens an adequate indication of the circumstances in which and the conditions on which a section 8(4) warrant might be issued.
336. As for the persons liable to have their communications intercepted, it is clear that this category is wide. Section 8(4) only permits the Secretary of State to issue a warrant for the interception of external communications, which in principle excludes communications where both of the parties are in the British Islands. Although there has been some confusion about the application of the terms "external communications" and "internal communications" to modern forms of communications, the Secretary of State for the Foreign and Commonwealth, in giving evidence to the Intelligence and Security Committee of Parliament in October 2014, provided clarification about the status of emails, web-browsing, social media and cloud storage (see paragraph 71 above). However, even where it is clear that a communication is "internal", as it is between two people in the British Islands, in practice, some or all of its parts might be routed through one or more other countries, and would therefore be at risk of being intercepted under the section 8(4) regime. This is expressly permitted by section 5(6) of RIPA, which allows the interception of communications not identified in the warrant (see paragraph 63 above).
337. That being said, it is clear that the targeted bearers are not chosen at random. They are selected because they are believed to be the most likely to carry external communications of intelligence interest (paragraph 6.7 of the IC Code, at paragraph 90 above and the Annual Report of the Interception of Communications Commissioner for 2016, at paragraph 178 above). Therefore, while anyone could potentially have their communications intercepted under the section 8(4) regime, it is clear that the intelligence services are neither intercepting everyone's communications, nor exercising an unfettered discretion to intercept whatever communications they wish. In practice, one of the grounds set out in section 5(3) of RIPA must be satisfied, bulk interception must be proportionate to the aim sought to be achieved, and - at least at the macro level of selecting the bearers for interception - only external communications can be targeted.
338. As the ISC observed, it would be desirable for the criteria for selecting the bearers to be subject to greater oversight by the Commissioner (see paragraph 157 above). However, the Court has already noted that by its very nature a bulk interception regime will allow the authorities a broad discretion to intercept communications and, as such, it does not consider this fact alone to be fatal to the Article 8 compliance of the section 8(4) regime. While the discretion to intercept should not be unfettered - since the interception and filtering of a communication, even if it is subsequently discarded in near real-time, is sufficient to constitute an interference with a persons' rights under Article 8 of the Convention -�, more rigorous safeguards will be required at the third and fourth stages identified in paragraph 329 above, as any interference in such cases will be significantly greater.
339 . With regard to the selection of communications for examination, once communications are intercepted and filtered, those not discarded in near real-time are further searched; in the first instance by the automatic application, by computer, of simple selectors (such as email addresses or telephone numbers) and initial search criteria, and subsequently by the use of complex searches (see paragraph 6.4 of the IC Code at paragraph 90; see also the ISC report at paragraphs 151-159 above and the Government's observations in the present case). In Liberty and Others , the Court compared the predecessor of the section 8(4) regime unfavourably with the German system under consideration in Weber and Saravia , noting that the G10 Act authorised the Federal Intelligence Service to carry out monitoring of communications only with the aid of search terms which served, and were suitable for, the investigation of the dangers described in the monitoring order and which search terms had to be listed in the monitoring order ( Liberty and Others , cited above, § 68 and Weber and Saravia , cited above, § 32).
340 . This does not mean that selectors and search criteria need to be made public; nor does it mean that they necessarily need to be listed in the warrant ordering interception. In fact, in the Liberty proceedings the IPT found that the inclusion of the selectors in the warrant or accompanying certificate would "unnecessarily undermine and limit the operation of the warrant and be in any event entirely unrealistic" (see paragraph 44 above). The Court has no reason to call this conclusion into question. Nevertheless, the search criteria and selectors used to filter intercepted communications should be subject to independent oversight; a safeguard which appears to be absent in the section 8(4) regime. Indeed, the ISC report criticised the absence of any meaningful oversight of both the selectors and search criteria (see paragraph 157 above).
341 . As a result of the application of selectors and automated searches, an index is generated. Material not on the index is discarded. Only material on the index may be examined by an analyst, and only if it satisfies the two criteria in section 16 of RIPA, namely certification by the Secretary of State as to necessity (section 16(1); see paragraphs 78-85 above) and presence for the time being in the British Islands (section 16(2)).
342. As regards the certification by the Secretary of State, the ISC observed that the categories set out in the certificates were set out in very general terms (for example, "material providing intelligence on terrorism (as defined by the Terrorism Act 2000 (as amended)) including, but not limited to, terrorist organisations, terrorists, active sympathisers, attack planning, fund-raising") (see paragraph 156 above). Similarly, the Independent Reviewer of Terrorism Legislation recommended that the purposes for which material or data was sought should be spelled out by reference to specific operations or mission purposes (for example, "attack planning by ISIL in Iraq/Syria against the UK") (see paragraph 162 above). In order for this safeguard to be effective, the Court agrees that it would be highly desirable for the certificate to be expressed in more specific terms than it currently appears to be.
343. On the other hand, the exclusion of communications of individuals known currently to be in the British Islands is, in the opinion of the Court, an important safeguard, since persons of interest to the intelligence services who are known to be in the British Islands could be subject to a targeted warrant under section 8(1) of RIPA. The intelligence services should not be permitted to obtain via a bulk warrant what they could obtain via a targeted warrant.
344. According to paragraph 7.18 of the IC Code, periodic audits should be carried out to ensure that the requirements set out in section 16 of RIPA are being met and any breaches of safeguards should be notified to the Interception of Communications Commissioner (see paragraph 90 above). In his 2016 annual report, echoing comments also made in his 2014 and 2015 reports, the Commissioner observed that the process by which analysts selected material for examination, which did not require pre-authorisation by a more senior operational manager, relied mainly on the professional judgment of analysts, their training and subsequent management oversight (see paragraph 179 above).
345 . On balance, the Court agrees that it would be preferable for the selection of material by analysts to be subject at the very least to pre-authorisation by a senior operational manager. However, given that analysts are carefully trained and vetted, records are kept and those records are subject to independent oversight and audit (see paragraph 7.15 and 7.18 of the IC Code, at paragraph 90 above), the absence of pre-authorisation would not, in and of itself, amount to a failure to provide adequate safeguards against abuse.
346. Nevertheless, the Court must have regard to the operation of the section 8(4) regime as a whole, and in particular the fact that the list from which analysts are selecting material is itself generated by the application of selectors and selection criteria which were not subject to any independent oversight. In practice, therefore, the only independent oversight of the process of filtering and selecting intercept data for examination is the post factum audit by the Interception of Communications Commissioner and, should an application be made to it, the IPT. In Kennedy the Court held that the RIPA procedure for examining intercept material was sufficiently clear. That finding, however, was expressly based on the fact that unlike the regime examined in Liberty and Others , which concerned the indiscriminate capturing of data, that case was concerned with an interception warrant for one set of premises only; a fact which in and of itself limited the scope of the authorities' discretion to intercept and listen to private communications (see Kennedy , cited above, § 162). In a bulk interception regime, where the discretion to intercept is not significantly curtailed by the terms of the warrant, the safeguards applicable at the filtering and selecting for examination stage must necessarily be more robust.
347 . Therefore, while there is no evidence to suggest that the intelligence services are abusing their powers - on the contrary, the Interception of Communications Commissioner observed that the selection procedure was carefully and conscientiously undertaken by analysts (see paragraph 179 above) -�, the Court is not persuaded that the safeguards governing the selection of bearers for interception and the selection of intercepted material for examination are sufficiently robust to provide adequate guarantees against abuse. Of greatest concern, however, is the absence of robust independent oversight of the selectors and search criteria used to filter intercepted communications.
- The exemption of related communications data from the safeguards applicable to the searching and examining of content
348. The Article 8(4) regime permits the bulk interception of both content and related communications data (the latter being the "who, when and where" of a communication). However, section 16 applies only to "intercepted material" which, according to the interpretation provision in section 20 of RIPA, is defined as the content of intercepted communications (see paragraph 78 above). The related communications data of all intercepted communications - even internal communications incidentally intercepted as a "by-catch" of a section 8(4) warrant - can therefore be searched and selected for examination without restriction.
349. The Government contend that access to communications data is necessary to give effect to one of the section 16 safeguards, namely to determine whether a person is or is not in the British Islands. They further contend that as communications data is less intrusive than data relating to content (at least when compared on a like-for-like basis), its interception, storage and use should not be subject to the same six minimum requirements (see paragraph 307 above). Instead, the Court should simply ask whether the law was sufficiently clear to give the individual adequate protection against arbitrary interference.
350 . The Court has distinguished between different methods of investigation which result in different levels of intrusion into an individual's private life. According to the Court, the interception of communications represents one of the gravest intrusions, as it is capable of disclosing more information on a person's conduct, opinions or feelings (see Uzun v. Germany , no. 35623/05, § 52, ECHR 2010 (extracts))). Consequently, in Uzun the Court found that the interception of communications represented a greater intrusion into an individual's private life than the tracking of his vehicle via GPS (see Uzun , cited above, § 52). In Ben Faiza v. France , no. 31446/12, 8 February 2018, it further distinguished between the tracking of a vehicle, which nevertheless made it possible to geolocate a person in real time, and the lower level of intrusion occasioned by the transmission to a judicial authority of existing data held by a public or private body (see Ben Faiza , cited above, § 74).
351. However, thus far the Court has only declined to apply the minimum requirements test in secret surveillance cases which did not involve the interception of communications, and in which the degree of intrusion was not considered to be comparable to that caused by interception (see for example, R.E. v. the United Kingdom , no. 62498/11, 27 October 2015 and Uzun , cited above).
352. In any event, it is not necessary for the Court to decide whether the six minimum requirements apply to the interception of communications data since, save for the section 16 safeguards, the section 8(4) regime treats intercepted content and related communications data in the same way. It will therefore focus its attention on whether the justification provided by the Government for exempting related communications data from this safeguard is proportionate to the legitimate aim pursued; that is, ensuring the effectiveness of that safeguard in respect of content.
353. It is not in doubt that communications data is a valuable resource for the intelligence services. It can be analysed quickly to find patterns that reflect particular online behaviours associated with activities such as a terrorist attack and to illuminate the networks and associations of persons involved in such attacks, making it invaluable in fast-moving operations; and, unlike much data relating to content, it is not generally encrypted (see paragraphs 158, 163, 169, 176 and 301 above).
354. Furthermore, the Court accepts that the effectiveness of the section 16(2) safeguard depends on the intelligence services having a means of determining whether a person is in the British Islands, and access to related communications data would provide them with that means.
355 . Nevertheless, it is a matter of some concern that the intelligence services can search and examine "related communications data" apparently without restriction. While such data is not to be confused with the much broader category of "communications data", it still represents a significant quantity of data. The Government confirmed at the hearing that "related communications data" obtained under the section 8(4) regime will only ever be traffic data. However, according to paragraphs 2.24-2.27 of the ACD Code (see paragraph 117 above), traffic data includes information identifying the location of equipment when a communication is, has been or may be made or received (such as the location of a mobile phone); information identifying the sender or recipient (including copy recipients) of a communication from data comprised in or attached to the communication; routing information identifying equipment through which a communication is or has been transmitted (for example, dynamic IP address allocation, file transfer logs and e-mail headers (other than the subject line of an e-mail, which is classified as content)); web browsing information to the extent that only a host machine, server, domain name or IP address is disclosed (in other words, website addresses and Uniform Resource Locators ("URLs") up to the first slash are communications data, but after the first slash content); records of correspondence checks comprising details of traffic data from postal items in transmission to a specific address, and online tracking of communications (including postal items and parcels) (see paragraph 117 above).
356. In addition, the Court is not persuaded that the acquisition of related communications data is necessarily less intrusive than the acquisition of content. For example, the content of an electronic communication might be encrypted and, even if it were decrypted, might not reveal anything of note about the sender or recipient. The related communications data, on the other hand, could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with (see paragraph 301 above).
357 . Consequently, while the Court does not doubt that related communications data is an essential tool for the intelligence services in the fight against terrorism and serious crime, it does not consider that the authorities have struck a fair balance between the competing public and private interests by exempting it in its entirety from the safeguards applicable to the searching and examining of content. While the Court does not suggest that related communications data should only be accessible for the purposes of determining whether or not an individual is in the British Islands, since to do so would be to require the application of stricter standards to related communications data than apply to content, there should nevertheless be sufficient safeguards in place to ensure that the exemption of related communications data from the requirements of section 16 of RIPA is limited to the extent necessary to determine whether an individual is, for the time being, in the British Islands.
- Duration of the secret surveillance measure
358. Pursuant to section 9 of RIPA (see paragraph 62 above), a section 8(4) warrant ceases to have effect at the end of the "relevant period" unless it is renewed. For warrants issued by the Secretary of State for reasons of national or economic security, the "relevant period" is six months, and for warrants issued by the Secretary of State for the purposes of preventing serious crime, the "relevant period" is three months. These warrants are renewable for periods of six and three months respectively. Warrants may be renewed at any point before their expiry date by application to the Secretary of State. The application must contain the same information as the original application; it must also contain an assessment of the value of the interception to date and explain why the continuation of interception is necessary, within the meaning of section 5(3), and proportionate (see paragraph 6.22-6.24 of the IC Code at paragraph 90 above). Paragraph 6.7 of the IC Code requires regular surveys of relevant communications links (see paragraph 90 above). Consequently, any application for renewal of a warrant would have to show that interception of those links continued to be of value, and continued to be necessary and proportionate (in the Convention sense).
359. Furthermore, the Secretary of State must cancel a warrant if satisfied that it is no longer necessary on section 5(3) grounds (see section 9 of RIPA at paragraph 62 above).
360. In Kennedy (cited above, § 161) the Court considered the same provisions on the duration and renewal of interception warrants (in that case, in the context of the section 8(1) regime) and found that the rules were sufficiently clear as to provide adequate safeguards against abuse. In particular, it noted that the duty on the Secretary of State to cancel warrants which were no longer necessary meant, in practice, that the intelligence services had to keep their warrants under continuous review. In light of the foregoing considerations, the Court sees no grounds upon which to reach a different conclusion in the present case. In particular, it sees no evidence to substantiate the applicants' claim that once issued, section 8(4) warrants could continue indefinitely regardless of whether they continued to be necessary and proportionate.
- Procedure to be followed for storing, accessing, examining and using the intercepted data
361 . As already noted, analysts may only examine material which appears on the automatically generated index. Prior to analysts being able to read, look at or listen to material on the index, they must make a record of why access to the material is necessary for one of the statutory purposes set out in section 5(3) of RIPA, and proportionate, having regard to whether the information could reasonably be obtained by less intrusive means (see section 16 of RIPA, at paragraph 79 above, and paragraph 7.15 of the IC Code, at paragraph 90 above). Pursuant to section 16(2), they cannot select material for examination using criteria that refer to the communications of individuals known currently to be in the British Islands (see paragraph 79 above). Paragraph 7.16 of the IC Code also requires the analyst to indicate any circumstances likely to give rise to a degree of collateral infringement of privacy, together with the measures taken to reduce the extent of that intrusion (see paragraph 90 above). Subsequent access by the analyst is limited to a defined period of time; although that period of time may be renewed, the record must be updated giving reasons for renewal (see paragraph 7.17 of the IC Code, at paragraph 90 above).
362. Paragraph 7.15 of the IC Code further requires that analysts examining intercepted material must be specially authorised to do so; must receive regular mandatory training regarding on the provisions of RIPA and specifically the operation of section 16 and the requirements of necessity and proportionality; and must be vetted (see paragraph 90 above). Furthermore, regular audits are carried out which must include checks to ensure that the records requesting access to material have been compiled correctly, and that the material requested falls within the matters certified by the Secretary of State (see paragraph 7.18 of RIPA, at paragraph 90 above).
363 . With regard to the storage of intercepted material, paragraph 7.7 of the IC Code requires that prior to its destruction, it must be stored securely and must not be accessible to persons without the required level of security clearance (see paragraph 90 above).
364. In light of the foregoing, and subject to its conclusions at paragraph 347 and 357 above, the Court would accept that the provisions relating to the storing, accessing, examining and using intercepted data are sufficiently clear.
- Procedure to be followed for communicating the intercepted data to other parties
365 . While material is being stored, section 15(2) of RIPA and paragraphs 7.2 of the IC Code require that the following are limited to the minimum necessary for the "authorised purposes": the number of persons to whom the material or data is disclosed or made available; the extent to which the material or data is disclosed or made available; the extent to which the material or data is copied; and the number of copies that are made (see paragraphs 72-77 and 90 above). Pursuant to section 15(4) and paragraph 7.2 of the IC Code, something is necessary for the authorised purposes if, and only if, it continues to be, or is likely to become, necessary for the purposes mentioned in section 5(3) of RIPA; for facilitating the carrying out of any of the interception functions of the Secretary of State; for facilitating the carrying out of any functions of the Interception of Communications Commissioner or of the IPT; to ensure that a person conducting a criminal prosecution has the information he needs to determine what is required of him by his duty to secure the fairness of the prosecution; or for the performance of any duty imposed on any person under public records legislation (see paragraphs 72-77 and 90 above).
366. Paragraph 7.3 of the IC Code prohibits disclosure to persons who have not been appropriately vetted and also by the need-to-know principle: intercepted material must not be disclosed to any person unless that person's duties, which must relate to one of the authorised purposes, are such that he or she needs to know about the intercepted material to carry out those duties (see paragraph 90 above). In the same way, only so much of the intercepted material may be disclosed as the recipient needs. Paragraph 7.3 applies equally to disclosure to additional persons within an agency, and to disclosure outside the agency. Pursuant to paragraph 7.4, it also applies not just to the original interceptor, but also to anyone to whom the intercepted material is subsequently disclosed (see paragraph 90 above).
367. According to paragraph 7.5 of the IC Code, where intercepted material is disclosed to the authorities of a country or territory outside the United Kingdom, the agency must take reasonable steps to ensure that the authorities in question have and will maintain the necessary procedures to safeguard the intercepted material, and to ensure that it is disclosed, copied, distributed and retained only to the minimum extent necessary. The intercepted material must not be further disclosed to the authorities of a third country or territory unless explicitly agreed with the issuing agency, and must be returned to the issuing agency or securely destroyed when no longer needed (see paragraph 90 above).
368. The Court considered very similar provisions in Kennedy ; although paragraph 7.5 is new, paragraphs 7.3, 7.4 and 7.6 in the 2016 IC Code are identical to paragraphs 6.4, 6.5 and 6.6 of the previous version. It was satisfied that the provisions on processing and communication of intercept material provided adequate safeguards for the protection of data obtained (see Kennedy , cited above, § 163). In the present case, however, the applicants have expressed concern about an aspect of the procedure which was not addressed in Kennedy ; namely, the requirement that disclosure and copying be "limited to the minimum necessary for the 'authorised purposes'", when something might be considered "necessary" for an "authorised purpose" if it was "likely to become necessary". As "likely to become necessary" is not further defined in RIPA or the IC Code, or indeed anywhere else, it could in practice give the authorities a broad power to disclose and copy intercept material. Nevertheless, it is clear that even if disclosure or copying is "likely to become necessary" for an "authorised purpose", the material can still only be disclosed to a person with the appropriate level of security clearance, who has a "need to know". Furthermore, only so much of the intercept material as the individual needs to know is to be disclosed; where a summary of the material would suffice, then only a summary should be disclosed.
369. Therefore, while it would be desirable for the term "likely to become necessary" to be more clearly defined in either RIPA or the IC Code, the Court considers that, taken as a whole, section 15 of RIPA and Chapter 7 of the IC Code provide adequate safeguards for the protection of data obtained.
- The circumstances in which intercept material must be erased or destroyed
370. Section 15(3) of RIPA and paragraph 7.8 of the IC Code require that every copy of intercepted material or data (together with any extracts and summaries) be destroyed securely as soon as retention is no longer necessary for any of the section 5(3) purposes (see paragraphs 74 and 90 above). In practice, this means that intercepted material which is filtered out in near real-time is destroyed. Similarly, following the application of selectors and search criteria, material which is not added to the analyst's index is also destroyed (see paragraphs 72-77 and 90 above).
371. Paragraph 7.9 provides that where an intelligence service receives unanalysed intercepted material and related communications data from interception under a section 8(4) warrant, it must specify maximum retention periods for different categories of the data which reflect its nature and intrusiveness. These specified periods should normally be no longer than two years, and should be agreed with the Interception of Communications Commissioner. So far as possible, all retention periods should be implemented by a process of automated deletion, which is triggered once the applicable maximum retention period has been reached for the data at issue (see paragraphs 72-77 above). Pursuant to paragraph 7.8, if intercepted material is retained, it should be reviewed at appropriate intervals to confirm that the justification for its retention is still valid under section 15(3) of RIPA (see paragraph 90 above).
372. According to the 2016 annual report of the Interception of Communications Commissioner, every interception agency had a different view on what constituted an appropriate retention period for intercepted material and related communications data. The retention periods for content ranged between thirty days and one year and the retention periods for related communications data ranged between six months and one year (see paragraph 186 above). Therefore, while the specific retention periods are not in the public domain, it is clear that they cannot exceed two years and, in practice, they do not exceed one year (with much content and related communications data being retained for significantly shorter periods).
373. Furthermore, where an application is lodged with the IPT, it can examine whether the time-limits for retention have been complied with and, if they have not, it may find that there has been a breach of Article 8 of the Convention and order the destruction of the relevant material. Where the retention has resulted in damage, detriment or prejudice, compensation may also be awarded. In the Liberty proceedings, brought by the applicants in the third of the joined cases, the IPT found that there had been a breach of Article 8 of the Convention by virtue of the fact that email communications of Amnesty International, which had been intercepted and accessed "lawfully and proportionately", had nevertheless been retained for longer than was permitted under GCHQ's internal policies. GCHQ was ordered to destroy the communications within seven days, and to provide a closed report within fourteen days confirming their destruction. A hard copy of the communications was to be delivered to the Commissioner (see paragraph 54 above).
374. Therefore, in the Court's view the provisions on the erasure and destruction of intercept material are also sufficiently clear.
- Supervision, notification and remedies
375. Supervision of the regime is carried out at a number of levels. First of all, according to the Interception of Communications Commissioner, a "critical quality assurance function [is] initially carried out by the staff and lawyers within the intercepting agency or the warrant-granting department" (see paragraph 180 above). The warrant-granting departments provide independent advice to the Secretary of State and perform important pre-authorisation scrutiny of warrant applications and renewals to ensure that they were (and remained) necessary and proportionate (see paragraph 180 above).
376. Secondly, section 8(4) warrants must be authorised by the Secretary of State. As already noted, while the Court has recognised judicial authorisation to be an "important safeguard against arbitrariness" (see Roman Zakharov , cited above, § 249), to date it has not considered it to be a "necessary requirement" (see, for example, Roman Zakharov , cited above, § 258; see also Klass and Others , cited above, § 51; Weber and Saravia , cited above, § 115; Kennedy , cited above, § 31; and Szabó and Vissy, cited above, § 77 ). Although desirable in principle, by itself it is neither necessary nor sufficient to ensure compliance with Article 8 of the Convention (see paragraphs 318 -320 above).
377. It is true that the Court has generally required a non-judicial authority to be sufficiently independent of the executive (see Roman Zakharov , cited above, § 258). However, it must principally have regard to the actual operation of a system of interception as a whole, including the checks and balances on the exercise of power, and the existence (or absence) of any evidence of actual abuse (see paragraph 320 above), such as the authorising of secret surveillance measures haphazardly, irregularly or without due and proper consideration (see Roman Zakharov , cited above, § 267).
378. In the present case there is no evidence to suggest that the Secretary of State was authorising warrants without due and proper consideration. The authorisation procedure was subject to independent oversight by the Interception of Communications Commissioner (recently replaced by the Investigatory Powers Commissioner following the coming into force of the Investigatory Powers Act 2016 - see paragraph 147 above), who was independent of the executive and the legislature, held or had held high judicial office, and was tasked with overseeing the general functioning of the surveillance regime and the authorisation of interception warrants in specific cases. The Commissioner reported annually to the Prime Minister and his report was a public document (subject to the non-disclosure of confidential annexes) which was laid before Parliament. In undertaking his review of surveillance practices, he was granted access to all relevant documents, including closed materials, and all those involved in interception activities had a duty to disclose to him any material he required. The obligation on the intelligence services to keep records ensured that he had effective access to details of surveillance activities undertaken (see paragraph 145 above). In 2016, 970 warrants were examined during twenty-�two interception inspections, representing 61% of the number of warrants in force at the end of the year and 32% of the total of new warrants issued in 2016 (see paragraph 185 above). As a consequence, in Kennedy the Court accepted that despite the fact that the section 8(1) warrant was authorised by the Secretary of State, sufficient independence was provided by the Interception of Communications Commissioner (see Kennedy , cited above, § 166).
379. Furthermore, the IPT has extensive jurisdiction to examine any complaint of unlawful interception: unlike in many other countries, its jurisdiction does not depend on notification of the interception to its subject (see paragraph 124 above), which means that any person who believes that he or she has been subject to secret surveillance may make an application to it (see paragraph 318 above). Its members must hold or have held high judicial office or be a qualified lawyer of at least ten years' standing (see paragraph 123 above). Those involved in the authorisation and execution of an intercept warrant are required to disclose to it all the documents it may require, including "below the waterline" documents which could not be made public for reasons of national security (see paragraph 127 above); it has discretion to hold oral hearings, in public, where possible (see paragraphs 131, 138 and 139 above); in closed proceedings it may appoint Counsel to the Tribunal also to make submissions on behalf of claimants who cannot be represented (see paragraph 142 above); and when it determines a complaint it has the power to award compensation and make any other order it sees fit, including quashing or cancelling any warrant and requiring the destruction of any records (see paragraph 128 above). The publication of the IPT's legal rulings further enhances the level of scrutiny afforded to secret surveillance activities in the United Kingdom (see Kennedy , cited above, § 167).
380. In any case, the Court notes that under the new Investigatory Powers Act 2016 warrants will have to be approved by judicial commissioners following their authorisation by the Secretary of State. Although this new procedure has not yet been implemented, the Investigatory Powers Commissioner and the deputy Investigatory Powers Commissioner have been appointed (see paragraph 197 above).
381. Therefore, while the Court considers judicial authorisation to be highly desirable and, in its absence, will generally require a non-judicial authority to be independent of the executive, in the present case, in view of the pre-authorisation scrutiny of warrant applications, the extensive post-authorisation scrutiny provided by the (independent) Commissioner's office and the IPT, and the imminent changes to the impugned regime, it would accept that the authorisation of section 8(4) warrants by the Secretary of State does not, in and of itself, give rise to a breach of Article 8 of the Convention.
382. Finally, the Court recalls that in light of the Edward Snowden revelations, there were three thorough independent reviews of the existing interception regimes, and none of the reviewing bodies found any evidence that deliberate abuse of interception powers was taking place (see paragraphs 148-172 above).
383. In light of the above considerations, the Court is of the opinion that the supervision and oversight of the bulk interceptions capable of providing adequate and effective guarantees against abuse.
- Proportionality
384. With regard to the proportionality of the bulk interception regime, the Court notes that the Independent Reviewer of Terrorism Legislation, examined a great deal of closed material and concluded that bulk interception was an essential capability: first, because terrorists, criminals and hostile foreign intelligence services had become increasingly sophisticated at evading detection by traditional means; and secondly, because the nature of the global Internet meant that the route a particular communication would travel had become hugely unpredictable. Although he and his team (including a person with the necessary technical background to understand the systems and techniques used by GCHQ, and the uses to which they could be put, an investigator with experience as a user of secret intelligence, including intelligence generated by GCHQ, and senior independent counsel with the skills and experience to challenge forensically the evidence and the case studies presented by the security and intelligence services) looked at alternatives to bulk interception (including targeted interception, the use of human sources and commercial cyber-defence products), they concluded that no alternative or combination of alternatives would be sufficient to substitute for the bulk interception power (see paragraph 176 above).
385. Similarly, while acknowledging the risks that bulk interception can pose for individual rights, the Venice Commission nevertheless recognised its intrinsic value for security operations, since it enabled the security services to adopt a proactive approach, looking for hitherto unknown dangers rather than investigating known ones (see paragraph 211 above).
386. The Court sees no reason to disagree with the thorough examinations carried out by these bodies and the conclusions subsequently reached. It is clear that bulk interception is a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime.
(γ) Conclusions
387 . In light of the foregoing considerations, the Court considers that the decision to operate a bulk interception regime was one which fell within the wide margin of appreciation afforded to the Contracting State. Furthermore, in view of the independent oversight provided by the Interception of Communications Commissioner and the IPT, and the extensive independent investigations which followed the Edward Snowden revelations, it is satisfied that the intelligence services of the United Kingdom take their Convention obligations seriously and are not abusing their powers under section 8(4) of RIPA. Nevertheless, an examination of those powers has identified two principal areas of concern; first, the lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst; and secondly, the absence of any real safeguards applicable to the selection of related communications data for examination.
388. In view of these shortcomings and to the extent just outlined, the Court finds that the section 8(4) regime does not meet the "quality of law" requirement and is incapable of keeping the "interference" to what is "necessary in a democratic society". There has accordingly been a violation of Article 8 of the Convention.
B. The intelligence sharing regime
389. The applicants in the third of the joined cases complain that the respondent State's receipt of material intercepted by the NSA under PRISM and Upstream was in breach of their rights under Article 8 of the Convention. The applicants in the first of the joined cases complain more generally about the receipt of information from foreign intelligence services.
390. The Government argued that the applicants could not claim to be victims of the alleged violation within the meaning of Article 34 of the Convention since they could not possibly have been affected by the intelligence sharing regime. They did not contend, and had put forward no evidential basis for contending, that their communications had in fact been intercepted under PRISM/Upstream and subsequently shared with the United Kingdom intelligence services. Rather, they asserted only that their communications "might have been" subject to foreign interception conveyed to United Kingdom authorities, or that they "believed" that to be the case. As such, their complaint was an abstract one about the regime itself, and the Court should not entertain an abstract challenge when the applicants had available to them an effective remedy in the form of the IPT.
391. The applicants, on the other hand, submitted that on account of their global public interest activities and the very broad range of persons and organisations with which they were in contact, they were at genuine risk of having their communications obtained by a foreign intelligence service and requested by the United Kingdom authorities. They further submitted that there was no adequate remedy available under domestic law for the alleged breach of their Convention rights.
392 . The Court has accepted that an applicant could claim to be the victim of a violation occasioned by the mere existence of secret surveillance measures, or legislation permitting secret surveillance measures, if the following conditions were satisfied: first, the Court would examine whether the applicant could possibly be affected by the legislation permitting secret surveillance measures; and secondly, it would take into account the availability of remedies at the national level and adjust the degree of scrutiny depending on the effectiveness of such remedies. Where the domestic system did not afford an effective remedy, there would be a greater need for scrutiny by the Court and the individual would not need to demonstrate the existence of any risk that secret surveillance measures were applied to him. By contrast, if the national system provides for effective remedies, the individual may claim to be a victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures only if he is able to show that, due to his personal situation, he is potentially at risk of being subjected to such measures ( Roman Zakharov , cited above, § 171).
393. In the present case the Court has accepted that the IPT offers an effective remedy to anyone who wishes to complain about an interference with his or her communications by the United Kingdom authorities (see paragraphs 250-266 above).It has jurisdiction to investigate any complaint that a person's communications have been intercepted and, where interception has occurred, to examine the authority for such interception (see paragraph 124 above). This jurisdiction clearly extends to complaints about the receipt of intelligence from foreign intelligence services. Indeed, in the Liberty proceedings the IPT considered the applicants' complaints about both the section 8(4) regime and the intelligence sharing regime with equal diligence (see paragraphs 32-40 above). Consequently, the applicants can only claim to be "victims" on account of the mere existence of the intelligence sharing regime if they are able to show that, due to their personal situation, they were potentially at risk of having their communications obtained by the United Kingdom authorities through a request to a foreign intelligence service (see Roman Zakharov , cited above, § 171).
394. According to Chapter 12 of the IC Code, absent exceptional circumstances intelligence can only be requested from third countries where there is already a section 8(1) or section 8(4) warrant in place. This means that there must either be an Article 8(1) warrant in relation to the subject at issue, or a section 8(4) warrant and accompanying certificate which covers the subject's communications (see paragraph 90 above). However, section 8(4) warrants are relatively broad in scope, and the Court has already considered the general terms in which both warrants and accompanying certificates are drafted (see paragraphs 156 and 341 above). Moreover, it is clear from the Liberty proceedings that at least two of the applicants in the third of the joined cases had their communications lawfully intercepted and selected for examination by the United Kingdom intelligence services under the section 8(4) regime (see paragraphs 54 and 55 above). While there is no reason to believe that these applicants were themselves of interest to the intelligence services, their communications could have been obtained lawfully under the section 8(4) regime if, as they claim, they were in contact with persons who were. Similarly, their communications could lawfully be requested from a third country under the intelligence sharing regime if they were in contact with an individual who was the subject of a request.
395. The Court would therefore accept, on the basis of the information submitted to it, that the applicants were potentially at risk of having their communications requested from a foreign intelligence service. In addition, it would accept that they were also potentially at risk of having their communications obtained by a foreign intelligence service. Although the United States of America is not the only country from which the authorities of the respondent State might request intelligence, the submissions before this Court - and before the IPT - focused on the receipt of information from the NSA. While PRISM is a targeted scheme which allows intelligence material to be obtained from Internet Service Providers ("ISPs"), Upstream appears to be a bulk interception scheme similar to the section 8(4) regime. In other words, it permits broad access to global data, in particular that of non-US citizens, which can then be collected, stored and searched using keywords.
396. In light of the foregoing considerations, the Court would accept that the applicants were potentially at risk of having their communications obtained by the intelligence services of the respondent State under the intelligence sharing regime. As such, it finds that they can claim to be victims, within the meaning of Article 34 of the Convention, of the violation alleged to flow from the intelligence sharing regime.
397. The Court notes that this complaint is not manifestly ill-founded within the meaning of Article 35 § 3 (a) of the Convention. It further notes that it is not inadmissible on any other grounds. It must therefore be declared admissible.
398. The applicants submitted that even following the 9 October disclosure, there remained no basis in law for the intelligence sharing carried out by the intelligence services, and there was certainly no regime which satisfied the Court's "quality of law" requirements.
399. With regard to the test to be applied, the applicants contended that an interference with the rights protected by Article 8 of the Convention was no less serious when a third State shared the intelligence with the respondent State than when the respondent State conducted the surveillance itself. In R.E. the Court held that in determining whether the six minimum requirements applied the decisive factor would be the level of interference with an individual's right to respect for his or private life, and not the technical definition of that interference ( R.E. , cited above, § 130). Since the degree of interference caused by the receipt of intelligence from third countries was similar to that caused by direct interception on the part of the respondent State, how that interference was technologically achieved should be irrelevant.
400. In the opinion of the applicants, the publication of the revised IC Code in 2016 was insufficient the remedy the flaws in the regime identified by the IPT as it simply applied the inadequate RIPA regime to the obtaining of data intercepted by a foreign Government.
401. The Government submitted that the intelligence sharing regime now had a basis in domestic law (namely, the Security Services Act 1989 ("the SSA") and the Intelligence Services Act 1994 ("the ISA"), as read with the Counter Terrorism Act 2008 ("the CTA"); the Human Rights Act 1998 ("the HRA"); the Data Protection Act 1998 ("the DPA"); the Official Secrets Act 1989 ("the OSA"); and Chapter 12 of the IC Code) and that law was clearly accessible.
402. They further argued that it was foreseeable as the law indicated the scope of any discretion and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference. They did not accept that the six criteria set down in Weber and Saravia (see paragraph 307 above) applied to an intelligence sharing regime in the same way as they applied to an interception regime. In this regard, the Court had expressly recognised that the strict standards developed in intercept cases did not necessarily apply in other surveillance cases (for example, Uzun , cited above). While some of the material obtained from foreign governments might be the product of intercept, that would not necessarily be the case and the intelligence services might not even know whether communications provided to them by a foreign Government were the product of intercept.
403. Even if the six minimum requirements did apply, the Government argued that they were satisfied. First, the regime was sufficiently clear as regards the circumstances in which the intelligence services could in principle obtain information from other States; they could only obtain information so far as it was necessary for the proper discharge of their functions, being the interests of national security, the economic well-being of the United Kingdom, and the prevention and detection of serious crime.
404. Moreover, the circumstances in which the intelligence agencies could obtain information under the intelligence sharing regime were defined and circumscribed by the IC Code. In this regard, the effect of Chapter 12 of the Code was to confirm that, other than in exceptional circumstances, the intelligence services could only request "raw intercept" from a foreign government if it concerned targets who were already the subject of an interception warrant under Part I of RIPA, that material could not be obtained by the intelligence services themselves, and it was necessary and proportionate to obtain it. In the absence of a warrant, a request could only be made if it did not amount to a deliberate circumvention, or otherwise frustrate the objectives, of RIPA. Furthermore, any request made in the absence of a warrant would be decided on by the Secretary of State personally, and if the request was for "untargeted" material, communications obtained could not be examined according to any of the factors mentioned in section 16(2) of RIPA.
405. The Government further contended that the intelligence sharing regime was sufficiently clear as regards the subsequent handling, use and possible onward disclosure of material. Not only were the intelligence services bound by the general constraints of proportionality in the HRA and the fifth and seventh data protection principles, but Chapter 12 of the IC Code also provided that intercepted communications data or content received from another State, regardless of whether it was solicited or unsolicited, analysed or unanalysed, was subject to exactly the same rules and safeguards as material obtained directly by the intelligence services by interception under RIPA. In other words, the safeguards set out in section 15 of RIPA also applied to intercept material obtained under the intelligence sharing regime.
406. Finally, the Government pointed out that the intelligence sharing regime was subject to the same oversight mechanisms as the section 8(4) regime, and none of these oversight bodies had revealed any deliberate abuse by the intelligence services of their powers. Furthermore, no evidence was found to suggest that the intelligence services had - or had attempted - to use the intelligence sharing regime to circumvent RIPA.
(b) The submissions of the third parties
(i) The Electronic Privacy Information Center ("EPIC")
407. EPIC submitted that the evolving technologies of the NSA and other intelligence agencies had created an almost unlimited ability to access, store and use personal information and private communications globally. However, no US law or regulation prohibited the NSA from conducting warrantless surveillance on foreign citizens abroad. Furthermore, in recent years the US had failed to adopt any meaningful reforms which would have provided adequate privacy and data protection safeguards for non-US persons.
408. Access Now contended that while Mutual Legal Assistance Treaties ("MLATs") offered a transparent and formal process for one State party to request intelligence for another, the operation of secret signals intelligence programmes (for example, the Five Eyes intelligence sharing network of which the United Kingdom, the US, Australia, Canada and New Zealand were members) were not transparent and were prohibited by international human rights standards. Such secret programmes were not necessary, since the relevant intelligence could be obtained under MLATs.
409. The members of the Bureau Brandeis coalition were plaintiffs in a case against the Netherlands. The Dutch authorities had accepted that data was exchanged with foreign intelligence partners (including the US) and that it could not be excluded that they had received information acquired by foreign services using methods that might infringe human rights. The coalition brought proceedings in which they argued that the NSA's mass data collection programs violated human rights guaranteed by the Convention. However, the Hague District Court said that under Dutch law, Dutch intelligence services were allowed to collaborate with the NSA, and the NSA was in turn bound by US law which, in general, did not conflict with the Convention's privacy requirements. The court further held that because the raw data was shared in bulk, less stringent safeguards were necessary than would apply when the data was examined and used, as there was a difference between receiving data and using it for individual cases. An appeal against this decision was dismissed in March 2017.
410. In their third party intervention before this Court, the coalition argued that the sharing of intelligence should only be permitted if it was accompanied by sufficient safeguards and the foreign authority had a sound legal basis for capturing the material. Otherwise, there could be a circumvention of the protection provided by Article 8 of the Convention. In other words, States should not be allowed to obtain material from foreign authorities that they could not lawfully capture themselves.
(iv) Center for Democracy and Technology ("CDT") and Pen American Center ("PEN America")
411. CDT and PEN America submitted that the interception regimes operated by the NSA would satisfy neither the "in accordance with the law" nor the "proportionality" requirements of Article 8 of the Convention, and these deficiencies tainted the lawfulness of the United Kingdom's intelligence sharing regime.
(v) The International Commission of Jurists ("ICJ")
412. The ICJ referred the Court to Articles 15 and 16 of the Articles of State Responsibility of the International Law Commission ("the ILC Articles"). They contended that, pursuant to Article 15, a Contracting State could be responsible for mass surveillance conducted by a non-Contracting State if they were acting in organised and structured forms of co-operation; and that, pursuant to Article 16, a Contracting State could be responsible for mass surveillance conducted by a non-Contracting State if it contributed to the surveillance programme and had actual or constructive knowledge of the breaches of international human rights obligations inherent in the system. The ICJ further submitted that Contracting States participating in or contributing to a mass surveillance programme were obliged to establish a system of safeguards for the protection of Article 8 rights, and were also under a duty to protect persons within their jurisdiction from violations of Article 8 rights caused by mass surveillance programmes.
(vi) Open Society Justice Initiative ("OSJI")
413. OSJI argued that States should not receive or request data from a third party in a manner that circumvents individuals' Article 8 rights. To ensure that this does not happen, they must put in place safeguards at the point when the material is first gathered, including prior scrutiny of the human rights record and interception laws and practices in the foreign State, and independent, preferably judicial, a posteriori oversight of any sharing arrangements to ensure that the safeguards are in place and enforced.
(vii) The Law Society of England and Wales
414. The Law Society previously submitted that the RIPA regime and associated Codes provided no robust or transparent safeguards for legally privileged material. Since the same safeguards applied to privileged material obtained by foreign States and disclosed to the intelligence services of the United Kingdom, the same deficiencies also tainted that regime.
(viii) Human Rights Watch ("HRW")
415. Although the present applications focused on the receipt of foreign intelligence from the United States, HRW believed that the network of States with which communications intelligence was shared was vastly larger. For example the "Five Eyes Alliance" comprised the United Kingdom, the United States, Australia, Canada and New Zealand, and there were also thought to be other, more restricted intelligence sharing coalitions (for example, the "Nine Eyes", adding Denmark, France, the Netherlands and Norway; the "Fourteen Eyes", adding Germany, Belgium, Italy, Spain and Sweden; and the "Forty-One Eyes", adding in others in the allied coalition in Afghanistan).
(i) The scope of the applicants' complaints
416 . This is the first time that the Court has been asked to consider the Convention compliance of an intelligence sharing regime. While the operation of such a scheme might raise a number of different issues under the Convention, in the present case the applicants' complaints focus on the Article 8 compliance of the regime by which the United Kingdom authorities request and receive intelligence from foreign Governments. The applicants do not complain about the transfer of intelligence from the United Kingdom intelligence services to foreign counterparts; nor do they invoke any other Convention Articles.
417 . In the Liberty proceedings (in which the IPT was only concerned with the receipt of information from the United States) the applicants submitted that information acquired from the NSA fell into three categories: material which the NSA had provided to the United Kingdom intelligence services unsolicited, and which on its face derived from intercept; communications which the United Kingdom intelligence services had either asked the NSA to intercept, or to make available to them as intercept; and material obtained by the NSA other than by the interception of communications. Although the complaint before the Court is somewhat wider than the one which was before the IPT, the applicants in the first of the joined cases having complained about the receipt of information from any foreign Government, the categories identified by the IPT are nevertheless apposite. As the Government, at the hearing, informed the Court that it was "implausible and rare" for intercept material to be obtained "unsolicited", the Court will restrict its examination to material falling into the second and third categories.
418. Material falling within the second category can be divided into two sub-categories: communications which the respondent State has asked a foreign intelligence service to intercept; and communications already intercepted by a foreign intelligence service, which are conveyed to the authorities of the respondent State upon their request. The Court will first deal with these two sub-categories together, before proceeding to consider the third category separately.
(ii) The nature of the interference
419. The Court has already found that the applicants can claim to be victims of the alleged violation of Article 8 of the Convention occasioned by the existence of an intelligence sharing regime. However, it is important to clarify at the outset the nature of the interference under consideration.
420. Although the impugned regime concerns intercepted communications, the interference under consideration in this case does not lie in the interception itself, which did not, in any event, occur within the United Kingdom's jurisdiction, and was not attributable to that State under international law. As the communications are being intercepted by foreign intelligence agencies, their interception could only engage the responsibility of the respondent State if it was exercising authority or control over those agencies (see, for example, Jaloud v. the Netherlands [GC], no. 47708/08, §§ 139 and 151 ECHR 2014 and Al-Skeini and Others v. the United Kingdom [GC], no. 55721/07, §§ 130-139, ECHR 2011). Even when the United Kingdom authorities request the interception of communications (rather than simply the conveyance of the product of intercept), the interception would appear to take place under the full control of the foreign intelligence agencies. Some of the third parties have invoked the ILC Articles, but these would only be relevant if the foreign intelligence agencies were placed at the disposal of the respondent State and were acting in exercise of elements of the governmental authority of the respondent State (Article 6); if the respondent State aided or assisted the foreign intelligence agencies in intercepting the communications where that amounted to an internationally wrongful act for the State responsible for the agencies, the United Kingdom was aware of the circumstances of the internationally wrongful act, and the act would have been internationally wrongful if committed by the United Kingdom (Article 16); or if the respondent State exercised direction or control over the foreign Government (Article 17). There is no suggestion that this is the case.
421. Consequently, the interference lies in the receipt of the intercepted material and its subsequent storage, examination and use by the intelligence services of the respondent State.
422. As with any regime which provides for the acquisition of surveillance material, the regime for the obtaining of such material from foreign Governments must be "in accordance with the law"; in other words, it must have some basis in domestic law, it must be accessible to the person concerned and it must be foreseeable as to its effects (see Roman Zakharov , cited above, § 228). Furthermore, it must be proportionate to the legitimate aim pursued, and there must exist adequate and effective safeguards against abuse. In particular, the procedures for supervising the ordering and implementation of the measures in question must be such as to keep the "interference" to what is "necessary in a democratic society" (see Roman Zakharov , cited above, § 232).
423. The parties dispute whether the six minimum requirements commonly applied in cases concerning the interception of communications (namely, the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their communications intercepted; a limit on the duration of interception; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which intercepted data may or must be erased or destroyed - see paragraph 307 above) should apply in the present case. It is true that the interference in this case is not occasioned by the interception of communications by the respondent State. However, as the material obtained is nevertheless the product of intercept, those requirements which relate to its storage, examination, use, onward dissemination, erasure and destruction must be present. Indeed, as the Venice Commission noted, as States could use intelligence sharing to circumvent stronger domestic surveillance procedures and/or any legal limits which their agencies might be subject to as regards domestic intelligence operations, a suitable safeguard would be to provide that the bulk material transferred could only be searched if all the material requirements of a national search were fulfilled and this was duly authorised in the same way as a search of bulk material obtained by the signals intelligence agency using its own techniques (see paragraph 216 above).
424. Furthermore, while the first and second of the six requirements may not be of direct relevance where the respondent State is not carrying out the interception itself, the Court is nevertheless mindful of the fact that if Contracting States were to enjoy an unfettered discretion to request either the interception of communications or the conveyance of intercepted communications from non-Contracting States, they could easily circumvent their obligations under the Convention. Consequently, the circumstances in which intercept material can be requested from foreign intelligence services must also be set out in domestic law in order to avoid abuses of power. While the circumstances in which such a request can be made may not be identical to the circumstances in which the State may carry out interception itself (since, if a State's own intelligence services could lawfully intercept communications themselves, they would only request this material from foreign intelligence services if it is not technically feasible for them to do so), they must nevertheless be circumscribed sufficiently to prevent - insofar as possible - States from using this power to circumvent either domestic law or their Convention obligations.
(iv) Application of the test to material falling into the second category
(α) Accessibility
425. The statutory framework which permits the United Kingdom intelligence services to request intercepted material from foreign intelligence agencies is not contained in RIPA. The British-US Communication Intelligence Agreement of 5 March 1946 specifically permits the exchange of material between the United States and the United Kingdom. More generally, the SSA (see paragraphs 98-99 above) and the ISA (see paragraphs 100-103 above) set out the function of the intelligence services and require that there be arrangements for ensuring that no information is obtained by them except so far as necessary for the proper discharge of their functions; and that no information is disclosed by them except so far as necessary for that purpose or for the purpose of any criminal proceedings.
426. Details of the internal arrangements referred to in the SSA and ISA were disclosed during the Liberty proceedings (the 9 October disclosure - see paragraphs 26-30 above) and those details have now been incorporated into the most recent IC Code (see paragraph 109 above).
427. Consequently, the Court considers that there is now a basis in law for the requesting of intelligence from foreign intelligence agencies, and that that law is sufficiently accessible. Furthermore, the regime clearly pursues several legitimate aims, including the interests of national security, public safety and the economic well-being of the country, the prevention of disorder or crime, and the protection of the rights and freedoms of others. It therefore falls to the Court to assess the foreseeability and necessity of the regime. As already indicated, it will do so by examining whether the law meets the following requirements by indicating: the circumstances in which intercept material can be requested; the procedure to be followed for examining, using and storing the material obtained; the precautions to be taken when communicating the material obtained to other parties; and the circumstances in which the material obtained must be erased or destroyed (see the third to sixth safeguards referred to in paragraph 307 above).
(β) The circumstances in which intercept material can be requested
428. Chapter 12 of the IC Code (see paragraph 109 above) states that, save in exceptional circumstances, the intelligence services may only make a request to a foreign government for unanalysed intercepted communications and/or associated communications data if an interception warrant under RIPA has already been issued by the Secretary of State, the assistance of the foreign government is necessary to obtain the particular communications because they cannot be obtained under the existing warrant, and it is necessary and proportionate for the intercepting agency to obtain those communications. A RIPA interception warrant means either a section 8(1) warrant in relation to the subject at issue; a section 8(4) warrant and an accompanying certificate which includes one or more "descriptions of intercepted material" covering the subject's communications; or, where the subject is known to be within the British Islands, a section 8(4) warrant and an accompanying certificate which includes one or more "descriptions of intercepted material" covering his or her communications, together with an appropriate section 16(3) modification.
429. Where exceptional circumstances exist, a request for communications may be made in the absence of a relevant RIPA interception warrant only if it does not amount to a deliberate circumvention of RIPA or otherwise frustrate its objectives (for example, because it is not technically feasible to obtain the communications via RIPA interception), and it is necessary and proportionate for the intercepting agency to obtain those communications. In such a case the request must be considered and decided on by the Secretary of State personally, and, pursuant to the revised IC Code, notified to the Interception of Communications Commissioner (see paragraph 109 above). According to information disclosed during the Liberty proceedings, and confirmed in the Government's submissions in the present case, no request for intercept material has ever been made in the absence of an existing RIPA warrant.
430. In light of the above considerations, the Court considers that the circumstances in which the respondent State may request interception or the conveyance of intercepted material are sufficiently circumscribed in domestic law to prevent the State from using this power to circumvent either domestic law or its Convention obligations.
(γ) Procedure to be followed for storing, accessing, examining and using the material obtained
431. By virtue of section 19(2) of the Counter-Terrorism Act 2008 ("CTA" - see paragraph 103), information obtained by any of the intelligence services in connection with the exercise of any of their functions may be used in connection with the exercise of any of their other functions. However, the intelligence services are data controllers for the purposes of the Data Protection Act 1998 and are required to comply with the data protection principles in Part 1 of Schedule 1 to the DPA. While compliance with these principles is subject to exemption by ministerial certificate, they cannot be exempted from the obligation to comply with the fifth and seventh data protection principles, which provide that personal data processed for any purpose shall not be kept for longer than is necessary for that purpose; and appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. A member of the intelligence services commits an offence under section 1(1) of the OSA (see paragraph 107 above) if he discloses, without lawful authority, any information relating to security or intelligence which is, or has been, in his possession by virtue of his position.
432. More specifically, Chapter 12 of the IC Code makes it clear that where intercepted communications content or communications data are obtained by the intelligence services from a foreign government in circumstances where the material identifies itself as the product of an interception, the communications content and communications data must be subject to the same internal rules and safeguards that apply to the same categories of content or data when they are obtained directly by the intelligence services as a result of interception under RIPA (see paragraph 109 above). This means that the safeguards in section 15 and 16 of RIPA, as supplemented by Chapter 7 of the IC Code, apply equally to intercepted communications and communications data obtained from foreign governments.
433. The Court has already given careful consideration to the safeguards in section 15 and 16 of RIPA, as supplemented by Chapter 7 of the IC Code, in its assessment of the section 8(4) regime (see paragraphs 361-363 above). In brief, material obtained from foreign intelligence agencies must be stored securely and must not be accessible to persons without the required level of security clearance. Access by the analyst is limited to a defined period of time, and if renewed, the record must be updated giving reasons for renewal. Before being able to examine material obtained from foreign intelligence agencies, specially authorised and vetted analysts must make a record of why access to the material is necessary for one of the statutory purposes set out in section 5(3) of RIPA, and proportionate. They cannot select material for examination using criteria that refer to the communications of individuals known currently to be in the British Islands (unless there is a warrant with a section 16(3) modification, or if, in the absence of a warrant, the Secretary of State has personally considered and approved the examination of those communications by reference to such factors).
434. Although the IPT had, in the Liberty proceedings, expressed concern that the section 16(2)(a) and (b) safeguards (which prevent intercepted material being selected for examination by reference to an individual known to be in the British Islands) did not appear to apply to material obtained from foreign governments in the absence of a warrant, the IC Code has since been amended to address this concern. Paragraph 12.5 now expressly provides that if a request made in the absence of a warrant is approved by the Secretary of State other than in relation to specific selectors, any communications obtained must not be examined by the intelligence services according to any factors as are mentioned in section 16(2)(a) and (b) of RIPA unless the Secretary of State has personally considered and approved the examination of those communications by reference to such factors (see paragraph 110 above).
435. In light of the foregoing, the Court would accept that the provisions relating to the storing, accessing, examining and using such material are sufficiently clear.
(δ) Procedure to be followed for communicating the material obtained to other parties
436. As with material intercepted directly pursuant to a RIPA warrant (see paragraphs 365-367 above), disclosure of material obtained from foreign intelligence agencies must be limited to the minimum necessary for the "authorised purposes" mentioned in section 5(3) of RIPA. In addition, disclosure to persons who have not been appropriately vetted is prohibited and material may only be disclosed to a person whose duties, which must relate to one of the authorised purposes, are such that he or she needs to know about the material to carry out those duties. In the same way, only so much of the intercepted material may be disclosed as the recipient needs.
437. Section 19(3), (4) and (5) of the CTA further provide that information obtained by MI5 and MI6 for the purposes of any of their functions may be disclosed by them for the purpose of the proper discharge of their functions; in the interests of national security; for the purpose of the prevention or detection of serious crime; or for the purpose of any criminal proceedings. Information obtained by GCHQ may be disclosed by it for the purpose of the proper discharge of its functions or for the purpose of any criminal proceedings (see paragraphs 104-105 above).
438. Moreover, a member of the intelligence services commits an offence under section 1(1) of the OSA if without lawful authority he discloses any information, document or other article relating to security or intelligence which is, or has been, in his possession by virtue of his position as a member of any of those services (see paragraph 107 above).
439. In light of the foregoing, the Court would also accept that the provisions relating to the procedure to be followed for communicating the material obtained to other parties are sufficiently clear.
(ε) The circumstances in which the material obtained must be erased or destroyed
440. Section 15(3) of RIPA and paragraph 7.8 of the IC Code require that every copy (together with any extracts and summaries) be destroyed securely as soon as retention is no longer necessary for any of the section 5(3) purposes (see paragraphs 74 and 90 above).
(ζ) Supervision and remedies
441. In nearly every case either a section 8(1) or 8(4) warrant will be in place, meaning that the Secretary of State (and, following the coming into force of IPA 2016, a judicial commissioner) will have authorised the interception. In exceptional circumstances, when a warrant is not in place, the Secretary of State must personally consider and decide upon the request, and the Interception of Communications Commissioner (now the Investigatory Powers Commissioner) must be notified. Therefore, in every case where a request has been made the Secretary of State will have deemed the interception to be necessary and proportionate (in the Convention sense).
442. Further oversight of the intelligence sharing regime is provided by the ISC, a cross-party Committee of Members of Parliament which exercises wide powers. Following an extensive review, on 13 July 2013 the ISC published a report in which it concluded that allegations "that GCHQ circumvented UK law by using the NSA's PRISM programme to access the content of private communications" were unfounded as GCHQ had complied with its statutory duties contained in the ISA (see paragraphs 148-�150 above).
443. Additional oversight was afforded by the Interception of Communications Commissioner, who was independent from both Government and the intelligence services. He was under a duty by section 58(4) of RIPA to make an annual report to the Prime Minister regarding the carrying out of his functions, which had to be laid before Parliament. As already noted, the Interception of Communications Commissioner has now been replaced by the Investigatory Powers Commissioner. On 17 October 2017, in a reply to a question posed by, inter alia , Privacy International, the new Commissioner confirmed that, like his predecessor, he had the power to oversee the Government's intelligence sharing agreements, and that he intended to use those powers actively to ensure effective oversight.
444. A final level of oversight is provided by the IPT, and its effectiveness was demonstrated in the Liberty proceedings by the fact that it was able to ensure disclosure of certain arrangements which have now been incorporated into the IC Code (see paragraph 109 above).
(η) Proportionality
445. The Court has always been acutely conscious of the difficulties faced by States in protecting their populations from terrorist violence, which constitutes, in itself, a grave threat to human rights (see, for example, Lawless v. Ireland (no. 3) , 1 July 1961, §§ 28-�30, Series A no. 3; Ireland v. the United Kingdom , 18 January 1978, Series A no. 25; and Öcalan v. Turkey [GC], no. 46221/99 , § 179, ECHR 2005-�IV) and in recent years it has expressly acknowledged - in response to complaints invoking a wide range of Convention Articles - the very real threat that Contracting States currently face on account of international terrorism (see, for example, Chahal v. the United Kingdom , 15 November 1996, § 79, Reports of Judgments and Decisions 1996-�V; A. and Others v. the United Kingdom [GC], no. 3455/05, § 181, ECHR 2009; A. v. the Netherlands , no. 4900/06, § 143, 20 July 2010; Trabelsi v. Belgium , no. 140/10, § 117, ECHR 2014 (extracts); and Othman (Abu Qatada) v. United Kingdom , no. 8139/09, § 183, ECHR 2012).
446. Faced with such a threat, the Court has considered it legitimate for Contracting States to take a firm stand against those who contribute to terrorist acts (see Othman , cited above, § 183). Due to the nature of global terrorism, and in particular the complexity of global terror networks, the Court accepts that taking such a stand - and thus preventing the perpetration of violent acts endangering the lives of innocent people - requires a flow of information between the security services of many countries in all parts of the world. As, in the present case, this "information flow" was embedded into a legislative context providing considerable safeguards against abuse, the Court would accept that the resulting interference was kept to that which was "necessary in a democratic society".
(θ) Conclusions
447. In light of the foregoing considerations, the Court considers that the domestic law, together with the clarifications brought by the amendment of the IC Code, indicate with sufficient clarity the procedure for requesting either interception or the conveyance of intercept material from foreign intelligence agencies. In this regard, it observes that the high threshold recommended by the Venice Commission - namely, that the material transferred should only be able to be searched if all the material requirements of a national search were fulfilled and this was duly authorised in the same way as a search of bulk material obtained by the signals intelligence agency using its own techniques - is met by the respondent State's regime. The Court further observes that there is no evidence of any significant shortcomings in the application and operation of the regime. On the contrary, following an investigation the ISC found no evidence whatsoever of abuse.
448. There has accordingly been no violation of Article 8 of the Convention.
(v) Application of the test to material falling into the third category
449 . The third category of material identified at paragraph 417 above is material obtained by foreign intelligence agencies other than by the interception of communications. However, as the applicants have not specified the kind of material foreign intelligence agencies might obtain by methods other than interception they have not demonstrated that its acquisition would interfere with their Article 8 rights. As such, the Court considers that there is no basis upon which it could find a violation of Article 8 of the Convention.
450. The applicants in the second of the joined cases complained that the regime for the acquisition of communications data under Chapter II of RIPA was incompatible with their rights under Article 8 of the Convention.
451. In both their application to the Court and their initial observations, the applicants in the second of the joined cases incorrectly referred to the Chapter II regime as a regime for the interception of communications data. The Court observes, however, that it is not an interception regime, but rather permits certain public authorities to acquire communications data from Communications Service Providers ("CSPs"). In view of the "fundamental legal misunderstanding" upon which the complaint was originally founded, the Government submitted that the applicants have put forward no factual basis whatsoever for concluding that their communications were acquired in this way, and that they did not contend that they had been affected, either directly or indirectly, by the regime. The Government further argued that neither of the two conditions identified by the Court in Roman Zakharov (cited above, § 171) were satisfied in respect of the Chapter II regime: the applicants did not belong to a group "targeted" by the contested legislation, and they had available to them an effective domestic remedy. Consequently, they could not claim to be victims of the alleged violation within the meaning of Article 34 of the Convention.
452. The applicants, on the other hand, submitted that they were entitled to bring the present complaint since they could possibly have been affected by the impugned legislation and no effective remedy was available at the domestic level.
453. In assessing victim status the Court is predominantly concerned with whether an effective remedy existed which permitted a person who suspected that he or she was subject to secret surveillance to challenge that surveillance (see Roman Zakharov , cited above, § 171). In the present case, although the Court accepted that there existed special circumstances absolving the applicants from the requirement that they first bring their complaints to the IPT (see paragraph 268 above), it nevertheless found that the IPT was an effective remedy, available in theory and practice, which was capable of offering redress to applicants complaining of both specific incidences of surveillance and the general Convention compliance of surveillance regimes (see paragraphs 250-266 above). Consequently, the applicants can only claim to be "victims" on account of the mere existence of the Chapter II regime if they are able to show that, due to their personal situation, they were potentially at risk of having their communications data obtained by the United Kingdom authorities through a request to a CSP (see Roman Zakharov , cited above, § 171).
454 . In this regard, the Court notes that the Chapter II regime is not a regime for the bulk acquisition of communications data; rather, as stated previously, it permits public authorities to request specific communications data. Nevertheless, a large number of public authorities are entitled to make such requests, and the grounds on which a request might be made are relatively wide. Given that the applicants in the second of the joined cases are investigative journalists who have reported on issues such as CIA torture, counterterrorism, drone warfare, and the Iraq war logs, the Court would accept that they were potentially at risk of having their communications obtained by the United Kingdom authorities either directly, through a request to a CSP for their communications data, or indirectly, through a request to a CSP for the communications data of a person or organisation they had been in contact with.
455. The Court would therefore accept that they were "victims" within the meaning of Article 34 of the Convention. As this complaint is not inadmissible on any other grounds, it must be declared admissible.
456. The applicants submitted that Chapter II of RIPA permitted the obtaining of communications data in a wide range of ill-defined circumstances, without proper safeguards. In particular, they submitted that the legal framework and attendant safeguards were informed by a fundamental but erroneous premise; namely, that the obtaining of communications data was necessarily less intrusive than the interception of content. In particular, the applicants complained that in most cases authorisation for the acquisition of communications data was provided by a designated person, who was not sufficiently independent of the executive or even of the agency requesting the disclosure.
457. Furthermore, they complained that Chapter II provided few limitations as to the basis on which communications data could be acquired, since section 22 of RIPA allowed a designated person to authorise the acquisition of communications data on a broad range of grounds, provided that he or she believed it "necessary". Finally, they argued that there were very few safeguards in respect of the handling and exploitation of communications data.
458. The Government pointed out that as the Chapter II regime was a targeted regime, there was nothing "unintentional" about its operation. On the contrary, the acquisition of communications data under it would always be intentional. It was therefore to be distinguished from regimes for the bulk interception or bulk acquisition of data.
459. The Government further argued that the amended Acquisition and Disclosure of Communications Data Code of Practice ("the ACD Code") provided adequate safeguards in respect of the retention of communications data acquired under the Chapter II regime, and that the Interception of Communications Commissioner provided an important degree of oversight of the operation of the regime.
(i) Existing case-law on the acquisition of communications data
460 . To date, the Court has only twice been called on to consider the Convention compliance of a regime for the acquisition by a public authority of communications data from a CSP: in Malone and, more recently, in Ben Faiza (both cited above). In Malone , the authorities had obtained the numbers dialled on a particular telephone and the time and duration of the calls from the Post Office, which, as the supplier of the telephone service, had acquired this data legitimately by a process known as "metering". While the Court accepted that the use of the data could give rise to an issue under Article 8 of the Convention, it considered that "by its nature" it had to be distinguished from the interception of communications, which was "undesirable and illegitimate in a democratic society unless justified" (see Malone , cited above, § 84). However, it was not necessary for the Court to consider this issue in any further detail, since, in the absence of any legal framework governing the acquisition of records from the Post Office, the Court found that the interference had no basis in domestic law (see Malone , cited above, § 87).
461. While Malone is now thirty-four years old, the Ben Faiza judgment was delivered in February 2018. In that case the Court was considering an order issued to a mobile telephone operator to provide lists of incoming and outgoing calls on four mobile telephones, together with the list of cell towers "pinged" by those telephones. Pursuant to the domestic law in question (Article 77-1-1 of the Criminal Procedure Code), prosecutors or investigators could, on the authorisation of the former, require establishments, organisations, persons, institutions and administrations to provide them with documents in their possession which were required for the purposes of the investigation. The Court accepted that the measure was "in accordance with the law", and that the law provided adequate safeguards against arbitrariness. In respect of those safeguards, the Court observed that a request under Article 77-1-1 was subject to the prior authorisation of the public prosecutor's office; this obligation could not be derogated from under penalty of nullity of the act; and the legality of such a measure could be reviewed in subsequent criminal proceedings against the person concerned and, if found to be unlawful, the criminal courts could exclude the evidence so obtained ( Ben Faiza , cited above, §§ 72-73) .
462. In adopting this approach, the Court distinguished between methods of investigation which made it possible to identify the past geographical position of a person and those which made it possible to geolocate him or her in real time, indicating that the latter was more likely to violate the right to respect for private life. Consequently, in the view of the Court, the transmission to a judicial authority of existing data held by a public or private body was to be distinguished from the establishment of a surveillance system, such as the ongoing monitoring of a telephone line or the placing of a tracking device on a vehicle ( Ben Faiza , cited above, § 74; see also paragraph 350 above) .
463 . The Court of Justice of the European Union has also addressed this issue. In Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources and Others and Settinger and Others (Cases C-293/12 and C-594/12), the CJEU considered the validity of the Data Retention Directive, and in Secretary of State for the Home Department v. Watson and Others (C-698/15), the validity of domestic legislation containing the same provisions as that directive (see paragraphs 224 - 234 above). While its focus was on the retention of data by CSPs, it also considered the question of access to retained data by the national authorities. In doing so, it indicated that access should be limited to what was strictly necessary for the objective pursued and, where that objective was fighting crime, it should be restricted to fighting serious crime. It further suggested that access should be subject to prior review by a court or independent administrative authority, and that there should be a requirement that the data concerned be retained within the European Union. In light of the CJEU's findings, Liberty sought to challenge Part 4 of the IPA, which included a power to issue "retention notices" to telecommunications operators requiring the retention of data. In response, the Government conceded that Part 4 was incompatible with fundamental rights in EU law since access to retained data was not limited to the purpose of combating "serious crime"; and access to retained data was not subject to prior review by a court or an independent administrative body. The High Court held that the legislation had to be amended by 1 November 2018 (see paragraph 196 above).
(ii) The approach to be taken in the present case
464 . The appropriate test in the present case will therefore be whether the Chapter II regime was in accordance with the law; whether it pursued a legitimate aim; and whether it was necessary in a democratic society, having particular regard to the question of whether it provided adequate safeguards against arbitrariness.
(iii) Examination of the Chapter II regime
465 . No interference can be considered to be "in accordance with law" unless the decision occasioning it complies with the relevant domestic law. It is in the first place for the national authorities, notably the courts, to interpret and apply the domestic law: the national authorities are, in the nature of things, particularly qualified to settle issues arising in this connection. The Court cannot question the national courts' interpretation, except in the event of flagrant non-observance or arbitrariness in the application of the domestic legislation in question (see Mustafa Sezgin Tanrıkulu , cited above, § 53; see also, mutatis mutandis , Weber and Saravia , cited above, § 90).
466. The Court observes that the Chapter II regime has a clear basis in both section 22 of RIPA and the ACD Code. However, as a Member State of the European Union, the Community legal order is integrated into that of the United Kingdom and, where there is a conflict between domestic and law and EU law, the latter has primacy. Consequently, the Government have conceded that Part 4 of the IPA is incompatible with EU law because access to retained data was not limited to the purpose of combating "serious crime"; and access to retained data was not subject to prior review by a court or an independent administrative body. Following this concession, the High Court ordered that the relevant provisions of the IPA should be amended by 1 November 2018 (see paragraph 196 above).
467. It is therefore clear that domestic law, as interpreted by the domestic authorities in light of the recent judgments of the CJEU, requires that any regime permitting the authorities to access data retained by CSPs limits access to the purpose of combating "serious crime", and that access be subject to prior review by a court or independent administrative body. As the Chapter II regime permits access to retained data for the purpose of combating crime (rather than "serious crime") and, save for where access is sought for the purpose of determining a journalist's source, it is not subject to prior review by a court or independent administrative body, it cannot be in accordance with the law within the meaning of Article 8 of the Convention.
468 . Accordingly, the Court finds that there has been a violation of Article 8 of the Convention.
III. ALLEGED VIOLATION OF ARTICLE 10 OF THE CONVENTION
469. The applicants in the third of the joined cases complained under Article 10 of the Convention about the section 8(4) regime and the intelligence sharing regime, arguing, in particular, that the protection afforded by Article 10 was of critical importance to them as NGOs involved in matters of public interest, who were exercising a role of public watchdog of similar importance to that of the press; and the applicants in the second of the joined cases, being a journalist and newsgathering organisation, complained under Article 10 of the Convention about both the section 8(4) regime and the Chapter II regime.
470. Article 10 of the Convention provides as follows:
"1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This Article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.
2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary."
1. The applicants in the third of the joined cases
471 . The Court has already found that as a general rule the IPT has shown itself to be a remedy, available in theory and practice, which is capable of offering redress to applicants complaining about both specific incidences of surveillance and the general Convention compliance of a surveillance regime (see paragraphs 250-266 above). The Court has, however, accepted that there existed special circumstances absolving the applicants in the first and second of the joined cases from the requirement that they exhaust this remedy (see paragraph 268 above), but as the applicants in the third of the joined cases challenged the Convention compliance of both the section 8(4) regime and the intelligence sharing regime before the IPT, they cannot benefit from the "absolution" afforded to the other applicants. Therefore, as they did not complain before the IPT that the intelligence sharing regime was incompatible with Article 10 of the Convention, this complaint must be declared inadmissible for failure to domestic remedies within the meaning of Article 35 § 1 of the Convention.
472. Furthermore, although these applicants did complain before the IPT that the section 8(4) regime was not compatible with Article 10, in doing so they primarily relied on the same arguments invoked in respect of their Article 8 complaint. Insofar as they sought to argue that Article 10 could apply to their investigatory activities as NGOs, this argument was only raised on 17 November 2014 (the first and second open hearings having taken place in July and October 2014). As the IPT considered that this argument could have been raised at any time, in its judgment it had been raised far too late to be incorporated into the ambit of the Liberty proceedings (see paragraph 47 above).
473. Therefore, with regard to the Article 8(4) complaint, the Court finds that insofar as the applicants in the third of the joined cases seek to rely on the special protection afforded by Article 10 of the Convention to journalists, they have not exhausted domestic remedies within the meaning of Article 35 § 1 of the Convention. Their complaints under this head must also be declared inadmissible.
474 . Finally, the Court considers that the more general Article 10 complaint - which the applicants raised before the IPT in good time - gives rise to no separate argument over and above that arising out of Article 8 of the Convention. It is not, therefore, necessary to examine this complaint.
2. The applicants in the second of the joined cases
475. As the Court has acknowledged that the applicants in the second of the joined cases were, exceptionally, absolved from the requirement that they first bring their complaints to the IPT, they cannot be said to have failed to exhaust domestic remedies within the meaning of Article 35 § 1 of the Convention. As their complaints are not inadmissible on any other ground, they must, therefore, be declared admissible.
476 . Moreover, the applicants in the second of the joined cases are a journalist and a newsgathering organisation, who complain about the interference with confidential journalistic material occasioned by the operation of both the section 8(4) regime and the Chapter II regime. As such, their complaints raise separate issues to those raised under Article 8 of the Convention, which will be examined below.
477. The applicants argued that as freedom of the press constituted one of the essential foundations of a democratic society, and the protection of journalistic sources was one of the cornerstones of freedom of the press, Article 10 of the Convention imposed additional and more exacting requirements where an interference gave rise to a significant risk of revealing journalistic sources or confidential journalistic material. In this regard, they submitted that surveillance measures which ran a significant risk of identifying journalistic source material had to be justified by an "overriding public interest" ( Sanoma Uitgevers B.V. , cited above, §§ 51 and 90, 14 September 2010 and Goodwin v. the United Kingdom , 27 March 1996, § 39 Reports of Judgments and Decisions 1996-�II); and authorisation could only be granted by a judge or other independent adjudicative body.
478. The applicants submitted that as journalists involved in matters of public interest, who were exercising a role of public watchdog, the protection afforded by Article 10 was of critical importance to them.
479. In respect of the section 8(4) regime, the applicants argued that the interception of material gathered through bulk surveillance was not attended by adequate safeguards. First of all, the definition of "confidential journalistic material" in the IC Code of Practice was too narrow, as it was limited to material acquired for the purpose of journalism and held subject to an undertaking to hold it in confidence. This definition was inconsistent with the Court's broader definition (for example, in Telegraaf Media Nederland Landelijke Media B.V. and Others v. the Netherlands , no. 39315/06, § 86, 22 November 2012). Secondly, the regime did not comply with the strict requirements of Article 10 where surveillance measures might reveal journalistic source material (in the applicants' submissions, the existence of an "overriding public interest" and judicial - or at least independent - authorisation).
480. With regard to the Chapter II regime, the applicants complained that the ACD Code failed to recognise that communications data could be privileged, and that the obtaining of communications data which constituted confidential journalistic material was as intrusive as obtaining content, since a single piece of communications data could reveal the identity of a journalist's source, and when aggregated and subjected to modern data-�mining technology, it could reveal an enormous range of (journalistically privileged) information. The applicants further complained that in most cases authorisation for the acquisition of communications data was provided by a designated person, who was not sufficiently independent of the executive, or even of the agency requesting the disclosure. While an additional safeguard now existed requiring that applications made in order to identify a journalist's source be authorised by a judge, they did not apply where the identification of the source was incidental rather than intended.
481. In the Government's submissions, prior authorisation was the only respect in which the applicants contended that the position regarding the "in accordance with the law" test might differ under Article 10 from that under Article 8, and in respect of which they asserted that their identity as journalists might be material to the analysis. However, there was no authority in the Court's case-law for the proposition that prior judicial (or independent) authorisation was required for a strategic monitoring regime by virtue of the fact that some journalistic material might be intercepted in the course of that regime's operation. On the contrary, the Court had drawn a sharp and important distinction between the strategic monitoring of communications and/or communications data, which might inadvertently "sweep up" some journalistic material, and measures that targeted journalistic material, particularly for the purposes of identifying sources, where prior authorisation would be required.
482. With regard to Chapter II of RIPA, the Government pointed out that pursuant to the amended Acquisition and Disclosure of Communications Data Code of Practice ("the ACD Code"), where the identification of a journalist's source was intended, judicial authorisation was required. As there was nothing "unintentional" about the operation of the Chapter II regime, the acquisition of communications data under it would always be intentional and further safeguards were not required for the unintentional acquisition of material disclosing a journalist's source.
483. The Government further argued that the ACD Code provided for the protection of confidential material, including journalistic material. Such material should only be retained where necessary and proportionate for one of the authorised purposes in section 15(4) of RIPA; it must be destroyed securely when its retention was no longer needed for those purposes; and, if retained, there had to be adequate information management systems in place to ensure that retention remained necessary and proportionate. Where it was retained or disseminated to an outside body, reasonable steps had to be taken to mark it as confidential, and where any doubt existed, legal advice had to be sought about its dissemination. Finally, any case where confidential material was retained had to be notified to the Commissioner as soon as reasonably practical and the material had to be made available to the Commissioner on request.
2. The submissions of the third parties
(a) The Helsinki Foundation for Human Rights
484. The Helsinki Foundation submitted that the protection of journalistic sources was undermined not only by the surveillance of the content of journalists' communications, but also by the surveillance of related metadata which could, by itself, allow for the identification of sources and informants. It was especially problematic that confidential information could be acquired without the journalists' knowledge or control, thereby depriving them of their right to invoke confidentiality, and the ability of their sources to rely on guarantees of confidentiality.
485. The NUJ and the IFJ submitted that the confidentiality of sources was indispensable for press freedom. They also expressed concern about the possible sharing of data retained by the United Kingdom with other countries. If confidential journalistic material were to be shared with a country which could not be trusted to handle it securely, it could end up in the hands of people who would harm the journalist or his or her source. In the interveners' view, the safeguards in the updated IC and ACD Codes of Practice were not adequate, especially where the journalist or the identification of his or her source was not the target of the surveillance measure.
(c) The Media Lawyers' Association ("MLA")
486. The MLA expressed deep concern that domestic law was moving away from the strong presumption that journalistic sources would be afforded special legal protection, since surveillance regimes allowed the authorities to intercept journalists' communications without the need for prior judicial authorisation. Since the protection of journalists' sources was one of the core components of Article 10, more robust protection was required.
487 . The Court reiterates that freedom of expression constitutes one of the essential foundations of a democratic society and that the safeguards to be afforded to the press are of particular importance. The protection of journalistic sources is one of the cornerstones of freedom of the press. Without such protection, sources may be deterred from assisting the press in informing the public about matters of public interest. As a result the vital public-watchdog role of the press may be undermined, and the ability of the press to provide accurate and reliable information may be adversely affected (see, inter alia , Sanoma Uitgevers B.V. , cited above, § 50; Weber and Saravia , cited above, § 143; Goodwin , cited above, § 39; and Roemen and Schmit v. Luxembourg , no. 51772/99, § 46, ECHR 2003-IV).
488. The Court has always subjected the safeguards for respect of freedom of expression in cases under Article 10 of the Convention to special scrutiny. Having regard to the importance of the protection of journalistic sources for press freedom in a democratic society, an interference cannot be compatible with Article 10 of the Convention unless it is justified by an overriding requirement in the public interest ( Sanoma Uitgevers B.V. , cited above, § 51; Goodwin , cited above, § 39; Roemen and Schmit , cited above, § 46; and Voskuil v. the Netherlands , no. 64752/01, § 65, 22 November 2007).
489 . The Court has recognised that there is "a fundamental difference" between the authorities ordering a journalist to reveal the identity of his or her sources, and the authorities carrying out searches at a journalist's home and workplace with a view to uncovering his or her sources (compare Goodwin , cited above, with Roemen and Schmit , cited above, § 57). The Court considered that the latter, even if unproductive, constituted a more drastic measure than an order to divulge the source's identity, since investigators who raid a journalist's workplace have access to all the documentation held by the journalist ( Roemen and Schmit , cited above, § 57). However, the Court has also drawn a distinction between searches carried out on journalists' homes and workplaces "with a view to uncovering their sources", and searches carried out for other reasons, such as the obtaining of evidence of an offence committed by a person other than in his or her capacity as a journalist ( Roemen and Schmit , cited above, § 52). Similarly, in Weber and Saravia , the only case in which the Court has considered, in abstracto , the Article 10 compliance of a secret surveillance regime on account of the potential for interference with confidential journalistic material, it considered it decisive that the surveillance measures were not aimed at monitoring journalists or uncovering journalistic sources. As such, it found that the interference with freedom of expression could not be characterised as particularly serious ( Weber and Saravia , cited above, § 151).
(b) The application of the general principles to the present case
490 . With regard to the question of victim status, the Court recalls that in Weber and Saravia it expressly recognised that the impugned surveillance regime had interfered with the first applicant's freedom of expression as a journalist ( Weber and Saravia , cited above, §§ 143-145). In the present case, the applicants in the second of the joined cases are journalists and can similarly claim to be "victims" of an interference with their Article 10 rights by virtue of the operation of the section 8(4) regime.
491. For the reasons set out in respect of the Article 8 complaint, the Court considers that - save for its concerns about the oversight of the selection process and the safeguards applicable to the selection of related communications data (see paragraph 387 above) - the section 8(4) regime was in accordance with the law (see paragraphs 387-388 above). Furthermore, it pursued the legitimate aims of protecting interests of national security, territorial integrity and public safety, and preventing disorder and crime.
492. With regard to "necessity", the Court reiterates that, having regard to the importance of the protection of journalistic sources for the freedom of the press in a democratic society, an interference could not be compatible with Article 10 of the Convention unless it was justified by an overriding requirement in the public interest ( Weber and Saravia , cited above, § 149). In this regard, it notes that the surveillance measures under the section 8(4) regime - like those under the G10 Act which were considered in Weber and Saravia -� are not aimed at monitoring journalists or uncovering journalistic sources. Generally the authorities would only know when examining the intercepted communications if a journalist's communications had been intercepted. Consequently, it confirms that the interception of such communications could not, by itself, be characterised as a particularly serious interference with freedom of expression ( Weber and Saravia , cited above, § 151). However, the interference will be greater should these communications be selected for examination and, in the Court's view, will only be "justified by an overriding requirement in the public interest" if accompanied by sufficient safeguards relating both to the circumstances in which they may be selected intentionally for examination, and to the protection of confidentiality where they have been selected, either intentionally or otherwise, for examination.
493. In this regard, paragraphs 4.1 - 4.8 of the IC Code require special consideration to be given to the interception of communications that involve confidential journalistic material and confidential personal information (see paragraph 90 above). However, these provisions appear to relate solely to the decision to issue an interception warrant. Therefore, while they might provide adequate safeguards in respect of a targeted warrant under section 8(1) of RIPA, they do not appear to have any meaning in relation to a bulk interception regime. Furthermore, the Court has already criticised the lack of transparency and oversight of the criteria for searching and selecting communications for examination (see paragraphs 339, 340, 345 and 387 above). In the Article 10 context, it is of particular concern that there are no requirements - at least, no "above the waterline" requirements - either circumscribing the intelligence services' power to search for confidential journalistic or other material (for example, by using a journalist's email address as a selector), or requiring analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved. Consequently, it would appear that analysts could search and examine without restriction both the content and the related communications data of these intercepted communications.
494. Safeguards do exist in respect of the storing of confidential material once identified. For example, paragraph 4.29 of the IC Code (see paragraph 90 above) provides that such material should only be retained where it is necessary and proportionate for one of the authorised purposes in section 15(4) of RIPA, and it must be destroyed securely when it is no longer needed for one of these purposes. Furthermore, according to paragraph 4.30, if it is retained or disseminated to an outside body, reasonable steps should be taken to mark the information as confidential; and paragraph 4.31 requires that the Interception of Communications Commissioner be notified of the retention of such material as soon as reasonably practicable, and such material should be made available to him on request.
495. Nevertheless, in view of the potential chilling effect that any perceived interference with the confidentiality of their communications and, in particular, their sources might have on the freedom of the press and, in the absence of any "above the waterline" arrangements limiting the intelligence services' ability to search and examine such material other than where "it is justified by an overriding requirement in the public interest", the Court finds that there has also been a violation of Article 10 of the Convention.
496. The applicants in the second of the joined cases also complained under Article 10 of the Convention about the regime for the acquisition of communications data from CSPs.
497. In considering the applicants' Article 8 complaint, the Court concluded that the Chapter II regime was not in accordance with the law as it permitted access to retained data for the purpose of combating crime (rather than "serious crime") and, save for where access was sought for the purpose of determining a journalist's source, it was not subject to prior review by a court or independent administrative body (see paragraph 467 above).
498. The Court acknowledges that the Chapter II regime affords enhanced protection where data is sought for the purpose of identifying a journalist's source, In particular, paragraph 3.77 of the ACD Code provides that where an application is intended to determine the source of journalistic information, there must be an overriding requirement in the public interest, and such applications must use the procedures of the Police and Criminal Evidence Act 1984 ("PACE") to apply to a court for a production order to obtain this data (see paragraph 117 above). Pursuant to Schedule 1 to PACE, an application for a production order is made to a judge and, where the application relates to material that consists of or includes journalistic material, the application should be made inter partes (see paragraph 121 above). The internal authorisation process may only be used if there is believed to be an immediate threat of loss of human life, and that person's life might be endangered by the delay inherent in the process of judicial authorisation (paragraphs 3.76 and 3.78-3.84 of the ACD Code - see paragraph 117 above).
499. Nevertheless, these provisions only apply where the purpose of the application is to determine a source; they do not, therefore, apply in every case where there is a request for the communications data of a journalist, or where such collateral intrusion is likely. Furthermore, in cases concerning access to a journalist's communications data there are no special provisions restricting access to the purpose of combating "serious crime". Consequently, the Court considers that the regime cannot be "in accordance with the law" for the purpose of the Article 10 complaint.
500 . In respect of the complaints under Article 10 of the Convention, the Court therefore finds a violation in respect of the section 8(4) regime and the Chapter II regime.
IV. ALLEGED VIOLATION OF ARTICLE 6 OF THE CONVENTION
501 . The applicants in the third of the joined cases further complained under Article 6 of the Convention that the limitations inherent in the IPT proceedings were disproportionate and impaired the very essence of their right to a fair trial.
502. Article 6 provides, as relevant:
"1. In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. Judgment shall be pronounced publicly but the press and public may be excluded from all or part of the trial in the interests of morals, public order or national security in a democratic society, where the interests of juveniles or the protection of the private life of the parties so require, or to the extent strictly necessary in the opinion of the court in special circumstances where publicity would prejudice the interests of justice."
503. In particular, the applicants contended that there was a lack of independence and impartiality on the part of the IPT, evidenced by the fact that in November 2007 there had been a secret meeting between it and the Security Services which, they alleged, resulted in the adoption of a protocol pursuant to which MI5 agreed not to search or disclose any bulk data holdings relating to complainants; that they were not effectively represented in the closed proceedings; that the IPT failed to require the defendants to disclose key internal guidance; and that, following the hearing, the IPT had made its determination in favour of the wrong party.
504. The Government submitted that Article 6 of the Convention did not apply to surveillance proceedings, since the Commission and the Court had consistently held that decisions authorising surveillance did not involve the determination of "civil rights and obligations" within the meaning of Article 6 § 1. They further contended that even if Article 6 did apply, when the proceedings were taken as a whole the applicants could not be said to have been denied the right to a fair trial. In particular, they observed that the applicants did not have to overcome any evidential burden to apply to the IPT; there was scrutiny of all the relevant material, open and closed, by the IPT, which had full powers to obtain any material it considered necessary; material was only withheld where the IPT was satisfied that there were appropriate public interest and national security reasons for doing so; and finally, the IPT appointed Counsel to the Tribunal who in practice performed a similar function to that of a Special Advocate in closed material proceedings. With regard to the meeting in 2007 between MI5 and the IPT, they advised the Court that at the meeting MI5 had indicated that, for the purposes of IPT proceedings, it would not routinely conduct searches of "reference data-bases", being databases containing information about the population generally (such as the Voter's Roll or telephone directories), for any mention of a complainant's name; instead, such searches would only be carried out if the data was "relevant or had been relied on in the course of an investigation".
505. In their third party intervention, the ENNHRI submitted that the principle of equality of arms - being a core aspect of Article 6 of the Convention - was incompatible with the exclusion of one party from a hearing in which the other participates, other than in exceptional circumstances where adequate procedural safeguards provide protection from unfairness and no disadvantage ensues.
506. To date, neither the Commission nor the Court has found that Article 6 § 1 of the Convention applies to proceedings relating to a decision to place a person under surveillance. For example, in Klass v. Germany the Commission found that Article 6 § 1 was not applicable either under its civil or under its criminal limb (see Klass and Others , cited above, §§ 57-�61) and, more recently, in Association for European Integration and Human Rights and Ekimdzhiev (cited above, § 106) the Court "did not perceive anything in the circumstances of the case that could alter that conclusion".
507. However, the IPT has itself gone further than this Court. In its joint Ruling on Preliminary Issues of Law in the British-Irish Rights Watch Case , it accepted that Article 6 applied to "a person's claims under section 65(2)(a) and to his complaints under section 65(2)(b) of RIPA, as each of them involves "the determination of his civil rights' by the Tribunal within the meaning of Article 6(1)" (see paragraph 137 above). Consequently, when the matter came before the Court in Kennedy it did not consider it necessary to reach a conclusion on the matter, since it held that, even assuming that Article 6 § 1 applied to the proceedings in question, there had been no violation of that Article ( Kennedy , cited above, §§ 177-�179 and §§ 184-191).
508. In the present case, it is similarly unnecessary for the Court to reach any firm conclusion on the question of the applicability of Article 6 of the Convention since, for the reasons set out below, it considers that the applicants' complaint is manifestly ill-founded.
509. With regard to the applicants' general complaints concerning the procedure before the IPT, including the limitations on disclosure and the holding of public hearings in the interests of national security, the Court recalls that similar complaints were made in Kennedy and the Court, having considered the relevant procedural rules, concluded that in order to ensure the efficacy of the secret surveillance regime, and bearing in mind the importance of such measures to the fight against terrorism and serious crime, the restrictions on the applicant's procedural rights were both necessary and proportionate and did not impair the very essence of his Article 6 rights ( Kennedy , cited above, §§ 177-179 and §§ 184-191).
510. The Court sees no reason to come to a different conclusion in the present case. It has already found, in paragraphs 250-265 above, that in view of the IPT's extensive power to consider complaints concerning the wrongful interference with communications pursuant to RIPA, it was an effective remedy, available in theory and practice, which was capable of offering redress to persons complaining of both specific incidences of surveillance and the general Convention compliance of a surveillance regime. Furthermore, these extensive powers were employed in the applicants' case to ensure the fairness of the proceedings; in particular, there was scrutiny of all the relevant material, open and closed, by the IPT; material was only withheld from the applicants where the IPT was satisfied that there were appropriate public interest and national security reasons for doing so; and finally, the IPT appointed Counsel to the Tribunal to make submissions on behalf of the applicants in the closed proceedings.
511. Insofar as the applicants complain about the meeting between the IPT and the intelligence services in 2007, the Court considers that, in view of the IPT's specialist role, the fact that its members met with the services to discuss procedural matters does not, of itself, call into question its independence and impartiality. Furthermore, the applicants have not adequately explained how the 2007 meeting impacted on the fairness of their IPT proceedings in 2014 and 2015. Although the applicants appear to suggest that the resulting protocol might have affected the IPT's ability to access information held about them, the Government's explanation of the protocol (namely, that it concerned an agreement not to conduct searches of databases containing information about the population generally, such as the Voter's Roll or telephone directories, unless the data was "relevant or had been relied on in the course of an investigation") confirms that it could have had no impact on the fairness of the IPT proceedings in the present case.
512. Finally, it would appear that the error regarding the identity of the applicants whose rights were violated was an administrative mistake (see paragraph 53 above) and, as such, does not indicate any lack of rigour in the judicial process.
513 . Accordingly, the Court considers that the complaint under Article 6 § 1 of the Convention must be rejected as manifestly ill-founded pursuant to Article 35 § 3 (a) of the Convention.
514 . The applicants in the third of the joined cases further complained under Article 14 of the Convention, read together with Articles 8 and 10, that the section 8(4) regime was indirectly discriminatory on grounds of nationality because persons outside the United Kingdom were disproportionately likely to have their private communications intercepted; and section 16 of RIPA provides additional safeguards only to persons known to be in the British Islands.
515. Article 14 provides as follows:
"The enjoyment of the rights and freedoms set forth in [the] Convention shall be secured without discrimination on any ground such as sex, race, colour, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth or other status."
516. However, the applicants have not substantiated their claim that persons outside the United Kingdom are disproportionately likely to have their private communications intercepted under the section 8(4) regime. First of all, although the regime targets "external communications", this is defined as "a communication sent or received outside the British Islands". This does not, therefore, exclude the interception of communications where one of the parties is in the British Islands. Secondly, and in any event, it has already been acknowledged that "internal communications" (where both the sender and receiver are in the British Islands) are frequently - and lawfully - intercepted as a by-catch of a section 8 (4) warrant.
517. Insofar as section 16 prevents intercepted material from being selected for examination according to a factor "referable to an individual who is known to be for the time being in the British Islands", any resulting difference in treatment would not be based directly on nationality or national origin, but rather on geographical location. In Magee v . the United Kingdom , no. 28135/95, § 50, ECHR 2000-�VI the Court held that as such a difference in treatment could not be explained in terms of personal characteristics, it was not a relevant difference in treatment for the purposes of Article 14 of the Convention and did not amount to discriminatory treatment within the meaning of Article 14 of the Convention (see Magee , cited above, § 50).
518. In any event, the Court is of the view that any difference in treatment based on geographic location was justified. The Government have considerable powers and resources to investigate persons within the British Islands and do not have to resort to interception of their communications under a section 8(4) warrant. They do not, however, have the same powers to investigate persons outside of the British Islands.
519. Accordingly, the Court considers that the complaint under Article 14 of the Convention, read together with Articles 8 and 10, must be rejected as manifestly ill-founded pursuant to Article 35 § 3(a) of the Convention.
VI. APPLICATION OF ARTICLE 41 OF THE CONVENTION
520. Article 41 of the Convention provides:
"If the Court finds that there has been a violation of the Convention or the Protocols thereto, and if the internal law of the High Contracting Party concerned allows only partial reparation to be made, the Court shall, if necessary, afford just satisfaction to the injured party."
521. The applicants did not submit any claim in respect of pecuniary or non-pecuniary damage. Accordingly, the Court considers that there is no call to award them any sum on that account.
522. The applicants in the first and second of the joined cases made a claim for costs and expenses incurred before the Court. The applicants in the first of the joined cases claimed GBP 208,958.55 in respect of their costs and expenses; and the applicants in the second of the joined cases claimed GBP 45,127.89. The applicants in the third of the joined cases made no claim in respect of costs and expenses.
523. The Government did not comment on the sums claimed.
524. According to the Court's case-law, an applicant is entitled to the reimbursement of costs and expenses only in so far as it has been shown that these have been actually and necessarily incurred and are reasonable as to quantum. In the present case, regard being had to the documents in its possession and the above criteria, the Court considers it reasonable to award the applicants in the first of the joined cases the sum of EUR 150,000 for the proceedings before the Court; and the applicants in the second of the joined cases the sum of EUR 35,000 for the proceedings before the Court.
525. The Court considers it appropriate that the default interest rate should be based on the marginal lending rate of the European Central Bank, to which should be added three percentage points.
1. Declares , unanimously, the complaints made by the applicants in the third of the joined cases concerning Article 6, Article 10, insofar as the applicants rely on their status as NGOs, and Article 14 inadmissible;
2. Declares , unanimously, the remainder of the complaints made by the applicants in the third of the joined cases admissible;
3. Declares , by a majority, the complaints made by the applicants in the first and second of the joined cases admissible;
4. Holds , by five votes to two, that there has been a violation of Article 8 of the Convention in respect of the section 8(4) regime;
5. Holds , by six votes to one, that there has been a violation of Article 8 of the Convention in respect of the Chapter II regime,
6. Holds , by five votes to two, that there has been no violation of Article 8 of the Convention in respect of the intelligence sharing regime;
7. Holds , by six votes to one, that, insofar as it was raised by the applicants in the second of the joined cases, there has been a violation of Article 10 of the Convention in respect of the section 8(4) regime and the Chapter II regime;
8. Holds, unanimously, that there is no need to examine the remaining complaints made by the applicants in the third of the joined cases under Article 10 of the Convention;
9. Holds , by six votes to one,
(a) that the respondent State is to pay the applicants, within three months from the date on which the judgment becomes final in accordance with Article 44 § 2 of the Convention, the following amounts, to be converted into the currency of the respondent State at the rate applicable at the date of settlement:
(i) to the applicants in the first of the joined cases: EUR 150,000 (one hundred and fifty thousand euros), plus any tax that may be chargeable to the applicants, in respect of costs and expenses;
(ii) to the applicants in the second of the joined cases: EUR 35,000 (thirty-five thousand euros), plus any tax that may be chargeable to the applicants, in respect of costs and expenses;
(b) that from the expiry of the above-mentioned three months until settlement simple interest shall be payable on the above amounts at a rate equal to the marginal lending rate of the European Central Bank during the default period plus three percentage points; and
10. Dismisses , unanimously, the remainder of the applicants' claim for just satisfaction.
Done in English, and notified in writing on 13 September 2018, pursuant to Rule 77 §§ 2 and 3 of the Rules of Court.
Abel Campos
Linos-Alexandre Sicilianos
Registrar
President
In accordance with Article 45 § 2 of the Convention and Rule 74 § 2 of the Rules of Court, the following separate opinions are annexed to this judgment:
(a) partly concurring, partly dissenting opinion of Judge Koskelo, joined by Judge Turković; and
(b) joint partly dissenting and partly concurring opinion of Judges Pardalos and Eicke.
L.-A.S.
A.C.
List of Applicants
App. No. |
Applicants |
Big Brother Watch | |
English PEN | |
Open Rights Group | |
Dr Constanze Kurz | |
Bureau of Investigative Journalism | |
Alice Ross | |
Amnesty International Limited | |
Bytes For All | |
The National Council for Civil Liberties ("Liberty") | |
Privacy International | |
The American Civil Liberties Union | |
The Canadian Civil Liberties Association | |
The Egyptian Initiative For Personal Rights | |
The Hungarian Civil Liberties Union | |
The Irish Council For Civil Liberties Limited | |
The Legal Resources Centre |
PARTLY CONCURRING, PARTLY DISSENTING OPINION OF JUDGE KOSKELO, JOINED BY JUDGE TURKOVIĆ
1. I have voted, and agree, with the majority as regards points 1 to 3 of the operative provisions of the judgment, which concern the admissibility of the complaints. I have also joined the majority in finding a violation of Article 8 in respect of both the section 8(4) regime and the Chapter II regime. As regards the section 8(4) regime, however, I am not able in all respects to subscribe to the reasons given by the majority. As far as the intelligence sharing regime is concerned, unlike the majority, I have voted for finding a violation of Article 8.
I. The RIPA section 8(4) regime
2. The present case concerns legislation providing for secret surveillance, by means of bulk interception, of electronic communications which qualify as "external" (for an understanding of the concept of "external" communications see paragraphs 69-71 of the judgment). It is important to note that this type of secret surveillance of communications is not limited to certain already known or identified targets but is aimed at the discovery of threats and hitherto unknown or unidentified targets which might be responsible for threats (see paragraph 284 of the judgment). The relevant threats are broadly framed and comprise threats to national security or to the economic well-being of the country as well as threats arising from serious crime (see §§ 57-59).
3. It is obvious that such an activity - an untargeted surveillance of external communications with a view to discovering and exploring a wide range of threats - by its very nature takes on a potentially vast scope, and involves enormous risks of abuse. The safeguards against those risks, and the standards which under the Convention should apply in this regard, therefore raise questions of the highest importance. I am not convinced, in the light of present-day circumstances, that reliance on the Court's existing case-law provides an adequate approach to the kind of surveillance regimes like the one we are dealing with here. A more thorough reconsideration would be called for. I acknowledge that this would be a task for the Court's Grand Chamber. I will only raise some concerns which, in my view, require attention in this regard.
(i) The context of earlier case-law
4. Apart from the recent Chamber judgment in Centrum för Rättvisa v. Sweden (no. 35252/08, 19 June 2018), which is not yet final, the Court's case-law has not dealt with the present kind of surveillance but with regimes which, as a matter of either law or fact, have been narrower in scope. Furthermore, in the light of current developments, I consider that reliance on the line of existing case-law is no longer an adequate basis for assessing the standards which under the Convention should govern this particular domain.
5. The Court's case-law on secret surveillance of communications essentially dates back to Klass and Others v. Germany (cited in the judgment) which was decided by the Plenary Court four decades ago, and the admissibility decision in Weber and Saravia v. Germany (also cited in the judgment), which concerned an amended version of the same German legislation and was decided twelve years ago, in response to a complaint lodged in the year 2000.
6. As the Court noted in Klass and Others , the German legislation then at issue (the G 10) laid down a series of limitative conditions which had to be satisfied before a surveillance measure could be imposed. Thus, the permissible restrictive measures were confined to cases in which there were factual indications for suspecting a person of planning, committing or having committed certain serious criminal acts ; measures could only be ordered if the establishment of the facts by another method was without any prospect of success or considerably more difficult; even then, the surveillance could cover only the specific suspect or his presumed "contact-persons". Thus, the Court observed, " so-called exploratory or general surveillance [was] not permitted by the contested legislation " (see Klass and Others , § 51).
7. In this regard, the RIPA section 8(4) regime which is at issue in the present case is different from that in Klass and Others in that the section 8(4) regime does encompass what the Court then referred to as "exploratory" surveillance and which in fact constitutes an essential and critical feature of this particular regime. Consequently, the scope and purpose of the surveillance regime now at issue is wider than that addressed in Klass and Others .
8. In Weber and Saravia , the complaint concerned a revised version, adopted in 1994, of the German G 10, whereby the scope of permissible surveillance was extended to cover the monitoring of international wireless telecommunications (see Weber and Saravia , § 88) in order to allow a "strategic surveillance" of such communications by means of catchwords. According to the Government's submissions in that case, at the relevant time merely some ten per cent of all telecommunications were conducted by wireless means, and thus potentially subject to monitoring. In practice, monitoring was restricted to a limited number of foreign countries. The telephone connections of the State's own (i.e. German) nationals living abroad could not be monitored directly. The identity of persons telecommunicating could only be uncovered in rare cases in which a catchword had been used (ibid., § 110).
9. The surveillance regime at issue in Weber and Saravia covered international wireless communications traffic, i.e. traffic transmitted via microwave or satellite, the latter operating through a survey of the downlink to Germany. Line-bound international communications were not subject to monitoring except where the risk of a war of aggression was concerned.
10. It is noteworthy that at the time of the surveillance regime which gave rise to the complaint in Weber and Saravia , strategic monitoring was mainly carried out on telephone, telex and fax communications. In those days, surveillance did not extend to email communications (see the judgment of the Federal Constitutional Court of 14 July 1999, 1BvR 2226/94, 1 BvR 2420/95, 1 BvR 2437/95, Rn 230, according to which, at the time of the hearing of the case in 1999, an expansion of strategic monitoring to email communications was only being planned for the future). One significant feature of communications by email, apart from the fact that nowadays they are so common, is that the identity of both the sender and recipient is usually directly available. Furthermore, many currently used means of communication or access to information through the Internet were only at embryonic stages at the time of the domestic complaint in Weber and Saravia .
(ii) The context of the present case
11. My point with the remarks above is to draw attention to the factual environment against the background of which those earlier cases were adjudicated, and the dramatic changes that have occurred since. The applicants have indeed referred to the technological "sea change" which has taken place.
12. What is important to note in this regard is that the technological "sea change" has had a twofold impact. On the one hand, technological developments have advanced the means by which surveillance of communications can be carried out. On the other hand, new technologies have revolutionised the ways in which people communicate, access, use and share information. That change is deeper than just a matter of volume. The digital age has in some respects transformed people's lifestyles.
13. As a result of these changes, the potential exposure nowadays of a vast range of communications and other online activities to secret surveillance is far greater than before. In the wake of such developments, the potential risks of abuse arising from such surveillance have increased as well. Thus, the factual context in which "exploratory" or "strategic" secret surveillance operates is dramatically different from the circumstances that still prevailed a couple of decades ago, when the Weber and Saravia application was lodged, let alone four decades ago, when Klass and Others was decided. In the light of such changes, it is problematic and troubling to approach the question of the necessary safeguards against abuse simply by applying standards that were considered sufficient under significantly or even essentially different factual circumstances.
14. Furthermore, the "sea change" in terms of technologies and digitalised lifestyles is not the only development to be taken into consideration. The threats on account of which surveillance of communications is considered necessary have also changed. In this regard, too, the picture is twofold. One the one hand, for instance, there have been real and well-known aggravations in the risks of international terrorism. On the other, there is also increasing evidence of how various threats can be invoked, rightly or wrongly, in order to justify measures that entail restrictions on individual rights and freedoms. The notion of terrorism, for instance, may sometimes be used quite loosely and opportunistically in a desire to legitimise interferences with such rights and freedoms. Especially where secret surveillance is conducted in order to discover and explore broadly formulated threats such as those to national security or the nation's economic well-being, the need for real safeguards through independent control and review is obvious.
15. There is yet another "sea change" calling for heightened attention in the assessment of the necessary standards in the context of secret surveillance of communications. It is the degradation of respect for democratic standards and the rule of law of which there is increasing evidence in a number of States. While I am not suggesting that the present respondent State is a case in point in this regard, the Convention standards must nevertheless be considered in the light of the fact that such developments testify to the actual or potential fragility of safeguards, institutional arrangements and the underlying assumptions that in ideal circumstances might appear adequate in order to minimise the risks of abuse. In fact, the same threats that are invoked to justify secret surveillance may also serve to reinforce tendencies toward a weakening of the checks and balances which underpin adherence to the rule of law and democratic governance.
16. In line with the majority, I agree that the Contracting States must enjoy a wide margin of appreciation in determining whether the protection of national security requires the kind of surveillance of communications which is at issue in the present case (paragraph 314 of the present judgment). However, given the high risks of abuse, which at worst may undermine not only individual rights and freedoms but democracy and the rule of law more generally, the margin must be narrow when it comes to the necessary safeguards against abuse.
17. Under the impugned legislation, one of the striking features is that all of the supervisory powers entrusted to authorities with independence from the executive are of an ex post nature. Another striking feature is that not only are the general protective aims of the legislation very broadly framed, but also the specific authorisations (warrants and certificates) issued by the Secretary of State appear to be formulated in very broad and general terms (see paragraphs 156 and 342). Furthermore, the concrete search and selection criteria which are applied to filter intercepted communications for reading of their content are determined by the analysts conducting the surveillance (see paragraphs 157, 340 and 345-46 of the present judgment). As indicated by the domestic findings, the latter are not even subject to any meaningful subsequent oversight by independent bodies (see paragraphs 157 and 340).
18. Ever since Klass and Others , the Court has indeed held that in view of the risk that a system of secret surveillance for the protection of national security may undermine or even destroy democracy under the cloak of defending it, the Court must be satisfied that there exist adequate and effective guarantees against abuse (see Klass and Others , §§ 49-50). This assessment depends on all the circumstances of the case, such as the nature, scope and duration of the possible measures, the grounds required for ordering them, the authorities competent to authorise, carry out and supervise them, and the kind of remedy provided by the national law (ibid., § 50).
19. As discussed above, in the light of the changes in both the nature and scope of surveillance and in the prevailing factual realities, the circumstances have indeed evolved in such a way and to such an extent that I find it difficult to accept that the adequacy of safeguards should nevertheless be assessed simply by relying on the case-law that has arisen under different legal and factual framework conditions.
20. In particular, given the present overall context, I question the approach according to which prior independent control by a judicial authority should not be a necessary requirement in the system of safeguards.
21. Already in Klass and Others , when considering the initial stage of control, the Court stated that, in a field where abuse was potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it was in principle desirable to entrust supervisory control to a judge (see Klass and Others , § 56). Under the G 10 legislation, judicial control was replaced by an initial control effected by an official qualified for judicial office and by the control provided by the Parliamentary Board and the G 10 Commission. In that case the Court concluded that, having regard to the nature of the supervisory and other safeguards provided for by the G 10, the exclusion of judicial control did not exceed the limits of what might be deemed necessary in a democratic society. The Court noted that the Parliamentary Board and the G 10 Commission were independent of the authorities carrying out the surveillance and vested with sufficient powers and competence to exercise an effective and continuous control. Furthermore, the democratic character was reflected in the balanced membership of the Parliamentary Board, on which the opposition was represented and was thus able to participate in the control of the measures ordered by the competent Minister, who was accountable to the Bundestag. The Court found that the two supervisory bodies could, in the circumstances of the case, be regarded as enjoying sufficient independence to give an objective ruling (ibid.).
22. As indicated above, in my view the legal and factual circumstances of that case, which go back four decades, cannot be considered comparable to the situation now under consideration. It is somewhat striking that in Weber , despite the important changes in the legislative and factual framework, the Court succinctly stated that it saw no reason to reconsider the conclusion in Klass and Others (see Weber and Saravia , § 117). In any event, in the light of the circumstances prevailing at the present time, such reconsideration seems to me to be indispensable.
23. Where, as in the present case, the interception (as a matter of technical necessity) encompasses vast volumes of communications traffic in an indiscriminate manner, without being linked to any kind of prior elements of suspicion related to the threats by reason of which the surveillance is conducted, everything in terms of the protection of individuals and their rights depends on whether and how the subsequent stages of the treatment of the intercepted communications provide effective and reliable safeguards for those rights, and against any abuse of the surveillance. Under such circumstances, given the potential intrusiveness of the surveillance and the abundant risks of abuse, I consider that it cannot be appropriate that all the ex ante safeguards remain in the hands of the executive. I think the applicants are right to argue that there is a need for an "updating" of the standards as regards prior independent judicial authorisation. It seems to me to be important that the authorities of the executive branch should be required to explain and justify before an independent judicial authority the grounds on which a particular surveillance should be authorised, and to account for the search criteria on the basis of which the intercepted communications will be filtered and selected for a review of their content.
24. In this respect, I am not convinced by the arguments advanced by the majority in support of the position that prior judicial control is unnecessary (paragraphs 318-20). The majority acknowledge that judicial authorisation is not inherently incompatible with the effective functioning of bulk interception (paragraph 318). Indeed, the recent case of Centrum för Rättvisa v. Sweden (cited above) offers an illustration, as it deals with Swedish legislation under which prior judicial authorisation is required.
25. The main argument against imposing such a requirement appears to be that it would not entail a sufficient safeguard, and that even in the absence of prior judicial authorisation the existence of independent oversight by the IPT and the Interception of Communications Commissioner provide adequate safeguards against abuse. In my view, it is obvious that prior judicial authorisation cannot in itself be sufficient and that further, robust safeguards such as those in place in the UK are indeed required. However, the fact that a given safeguard would not be sufficient is not enough to support a conclusion that it should not be considered necessary. In my opinion, it is quite essential to have in place an adequate system of safeguards, including controls exercised by independent bodies, both ex ante and ex post .
26. While the safeguards ex post that are provided for in the UK legislation and practice appear to set a good model in this domain, this does not in my view suffice to remedy the fact that the authorisation and implementation of the surveillance are wholly in the hands of the executive authorities, without any independent control ex ante. In this respect, the system of safeguards is even weaker than that considered by the Court in both Klass and Others and Weber and Saravia, in that under the German G 10 regime, although the surveillance was not subject to prior authorisation by a court, it had to be authorised by the G 10 Commission (see Weber and Saravia , cited above, § 115), which was not an executive branch body (ibid., § 25). Moreover, according to the judgment of the Federal Constitutional Court of 14 July 1999 (cited above, Rn 87), a list of search concepts was part of each restriction order, whereas in the present case it has transpired that the search and selection criteria are determined by the analysts operating the surveillance and are not subject to any prior supervision, nor any meaningful subsequent oversight (see paragraphs 157, 340 and 345-46 of the present judgment).
27. In sum, what we have before us now is a regime of secret surveillance, the reach of which under the prevailing factual circumstances is unprecedented, and under which a very wide operational latitude is left to the services operating the surveillance, without any independent ex ante control or constraint, and under which the search and selection criteria are not even ex post subject to any robust independent control. I find such a situation highly problematic. An independent ex ante control is all the more important because of the secret nature of the surveillance, which in practice reduces the possibility that individuals will have recourse to the safeguards available ex post .
28. I also consider that the remarks made by the majority in paragraph 319 of the judgment are not capable of supporting a conclusion according to which prior independent judicial authorisation should not be required. Rather, the argument that even judicial scrutiny may fail its function serves to underline the crucial importance which attaches to the requirement that such control must have effective guarantees of independence, in order to meet the proper standards of the necessary safeguards.
29. In short, while I agree with the conclusions set out in paragraph 387 of the judgment, I do not consider those shortcomings to be the only ones that justify a finding of a violation of Article 8 in the present case. In particular, taking into account the present legal and factual context, I do not believe that the necessary safeguards in the circumstances of surveillance based on the bulk interception of communications can be sufficient without including an independent ex ante judicial control. The position according to which prior judicial control of authorisations for secret surveillance of communications was a desirable but not a necessary safeguard stems from Klass and Others which, firstly, concerned a more limited surveillance regime than the one now at issue and did not permit "exploratory surveillance" at all, and which, secondly, was decided four decades ago against the backdrop of factual circumstances that in many relevant respects were different from those prevailing today. That position was later, in Weber and Saravia , carried over to a surveillance regime which did have more similarities with the RIPA section 8(4) regime but nevertheless operated in conditions very different from those prevailing in the modern digitalised societies. For the reasons outlined above, that position should, in my view, no longer be maintained by the Court.
II. The intelligence-sharing regime
30. It is easy to agree with the principle that any arrangement under which intelligence from intercepted communications is obtained via foreign intelligence services, whether on the basis of requests to carry out such interception or to convey its results, should not be allowed to entail a circumvention of the safeguards which must be in place for any surveillance by domestic authorities (see paragraphs 216, 423 and 447). Indeed, any other approach would be implausible.
31. On this basis I consider, in sum, that the shortcomings referred to above in the context of the section 8(4) regime also attach to the intelligence-sharing regime (see paragraphs 109 and 428-29). I therefore conclude that the safeguards have not been adequate and that there has been a violation of Article 8 in respect of this regime also.
JOINT PARTLY DISSENTING AND PARTLY CONCURRING OPINION OF JUDGES PARDALOS AND EICKE
1. For the reasons set out in more detail below, we are unfortunately, not able to agree with the majority in relation to two aspects of the judgment in this case; namely
(a) that the applicants in the first and second of the joined cases had shown "special circumstances absolving them from the requirement to exhaust" domestic remedies by first bringing proceedings before the IPT (§§ 266-268 and operative part § 3; "admissibility"); and
(b) that there has been a breach of Article 8 of the Convention in respect of the section 8(4) regime (§ 388 and operative part § 4; "the section 8(4) regime").
2. In relation to the latter issue our position is reinforced by the contrast between the conclusions reached by the majority in this case and that reached in the judgment in Centrum För Rättvisa v. Sweden , no. 35252/08(not yet final); a judgment adopted by the Third Section of this Court on 19 June 2018, a mere two weeks before the final deliberations in this case. In that case, the Court concluded, unanimously, that, despite having identified "some areas where there is scope for improvement" (§ 180) and "making an overall assessment and having regard to the margin of appreciation enjoyed by the national authorities in protecting national security" (§ 181), the Swedish system of signals intelligence provided adequate and sufficient guarantees against arbitrariness and the risk of abuse; as a consequence, it was held that the relevant legislation met the "quality of law" requirement, that the "interference" established could be considered as being "necessary in a democratic society" and that the structure and operation of the system were proportionate to the aim sought to be achieved.
3. That said, we agree both with:
(a) the underlying general principles identified by the Court both in this case and in Centrum För Rättvisa to be applied in relation to these aspects of the case; as well as
(b) the conclusion of the majority in this case that, for the reasons given in the judgment, there has been no breach of Article 8 of the Convention in relation to the intelligence sharing regime (§§ 447-448 and operative part § 6) and that there is no need to examine the remaining complaints made by the applicants in the third of the joined cases under Article 10 of the Convention.
4. In relation to the findings that there has been a breach of the Convention in relation to the Chapter II regime (§§ 468 and 500, operative part §§ 5 and 7) as well as the conclusions under Article 41 of the Convention (operative part § 9), one of us (Judge Pardalos) considered that her conclusion on the admissibility of the first and second of the joined cases invariably determined the related substantive issues against the applicants in those cases. By contrast, Judge Eicke considered that, the Court having decided that the first and second cases were, contrary to his view, admissible he was required, as a member of that Court, to go on and decide those cases on the merits by reference to the evidence and pleadings before the Court.
5. As indicated above, we agree with the majority that, for the reasons they give, the IPT is and has been an effective remedy "since Kennedy was decided in 2010" (§ 268); i.e. a remedy which is "available in theory and practice" and "capable of offering redress to applicants complaining of both specific incidences of surveillance and the general Convention compliance of surveillance regimes" (§ 265). Consequently, applicants before this Court will be expected to have exhausted this domestic remedy before the Court has jurisdiction to entertain their application under Article 35 § 1 of the Convention.
6. In addition to the purely legal point that, under Article 35 § 1, the Court "may only deal with the matter after all domestic remedies have been exhausted", we would underline what the majority says in § 256 about the invaluable assistance derived by the Court, in examining a complaint before it, from the "elucidatory" role played by the domestic courts (in this case the IPT) both generally as well as in the specific context of considering the compliance of a secret surveillance regime with the Convention.
7. For the reasons set out below, however, we disagree with the conclusion reached by the majority (§ 268) that there existed, in this case, "special circumstances" absolving the applicants in the first and second of the joined cases from satisfying this requirement.
8. Firstly, as the majority implicitly accepts (§ 267), the case of Kennedy is clearly distinguishable on its facts from the present case. After all, the applicant in that case had already brought a specific complaint about the section 8(1) regime before the IPT before applying to this Court. Consequently, unlike the applicants in the first and second of these joined cases, Mr Kennedy was not inviting the Court to consider his general complaint entirely in abstracto . Furthermore, in its judgment in that case, the Court considered it "important" that his challenge was (consequently) exclusively a challenge to primary legislation. By contrast, in the present cases the scope of each of the regimes complained of (bulk interception, intelligence sharing and the acquisition of communications data) is significantly broader than that of the section 8(1) regime, and the applicants' complaints concern not only primary legislation, but the overall legal framework governing those regimes (including the alleged absence of any relevant arrangements or other safeguards). Consideration of the broader legal framework necessarily requires an examination of both RIPA and the relevant Codes of Practice, together with any "below the waterline" arrangements and/or safeguards. In view of the much broader scope of both their complaints and the impugned regimes, none of which had been the subject of any examination by the IPT, it should have been evident to the applicants in the first and second of the joined cases - who were, at all times, represented by experienced counsel - that, unlike Kennedy , this was a case in which the general operation of these regimes required further elucidation, and in which the IPT, on account if its "extensive powers ... to investigate complaints before it and to access confidential information" would have been capable of providing a remedy.
9. There is, therefore, also no basis for any suggestion that our approach seeks, in any way, to overturn or "disapply" the Court's unanimous ruling in Kennedy . The simple fact is that, in our view, the two are clearly and obviously distinguishable.
10. Secondly, the first applicant, was clearly informed by the Government, in their response to the letter before action of 26 July 2013 (§ 19), that their complaints could be raised in the IPT, a court established specifically to hear allegations by citizens of wrongful interference with their communications as a result of conduct covered by that Act and a court endowed with exclusive jurisdiction to investigate any complaint that a person's communications have been intercepted and, where interception has occurred, to examine the authority for such interception. This letter was, of course, sent at around the same time as the ten human rights organisations which are the applicants in the third of the joined cases, no doubt recognising the need to have exhausted existing effective domestic remedies before applying to this Court, lodged their complaints before the IPT (June to December 2013; § 21). It was also four years after the UK Supreme Court, in its judgment in R (on the application of A) v B [2009] UKSC 12, had confirmed the exclusive jurisdiction of the IPT and its ability, as demonstrated by its decisions in Kennedy (IPT/01/62 & 77, [2003] UKIPTrib 01_62_77) and The British-Irish Rights Watch and others v Security Service, GCHQ and the SIS (IPT/01/77, [2004] UKIPTrib 01_77 ), to adjust the procedures before it as necessary so as to ensure that disputes before it can be determined justly.
11. Thirdly and in any event, even if, contrary to our view, the applicants in the first and second of the joined cases would have been entitled to rely on Kennedy at the time they lodged their applications with the Court they nevertheless accepted before this Court (§ 241), by reference to the judgment in Campbell and Fell v. the United Kingdom , 28 June 1984, §§ 62-63, Series A no. 80, that in light of any finding by the Court to the effect that the IPT is an effective remedy, they would now be required to go back and exhaust unless it would be unjust to require them to do so. As these applicants' complaints concern the general operation of the impugned regimes, rather than specific complaints about an interference with their rights under the Convention, they would still be entitled to raise them before the IPT now.
12. Many of the complaints advanced in the first and second of the joined applications (including, in particular, all of those relating to the Chapter II regime, the sharing of non-intercept material with foreign governments and the lack of protection for confidential journalistic material and journalistic sources under the section 8(4) regime) were not addressed in the Liberty proceedings and have not yet been determined by the IPT. Consequently, there is no reason to doubt that if the applicants were now to raise those complaints before the IPT, they would have "a reasonable prospect of success". In fact, in respect of the Chapter II complaint it may be thought that they would have a more than reasonable prospect of success. After all, as the majority records in § 463 of the judgment, the Government, in response to a challenge brought by Liberty, recently conceded that Part 4 of the IPA (which included a power to issue "retention notices" to telecommunications operators requiring the retention of data) was incompatible with fundamental rights in EU law: R (The National Council for Civil Liberties (Liberty)) v Secretary of State for the Home Department & Anor [2018] EWHC 975 (Admin). As Chapter II of RIPA, like Part 4 of the IPA, permits access to data for the purpose of combating crime (as opposed to "serious crime"), this concession lead the majority to find a violation of Article 8 of the Convention in relation to the Chapter II regime (§ 467) which would suggest that the applicants had a strong basis for challenging, at the domestic level, the compliance of the Chapter II regime with EU law and, indeed, the Convention.
13. The same could not necessarily be said about those complaints raised by the first and/or second of the joined cases which were determined by the IPT in the Liberty proceedings; however, those issues were, of course, also raised by the applicants in the third of the joined cases and would therefore (and in fact have been) considered and determined by the Court on its merits.
14. As a result, and in clear contrast with the ultimate conclusion in Campbell and Fell , there is here therefore no evidence to suggest that "it would be unjust now to find these complaints inadmissible for failure to exhaust domestic remedies" ( ibid. at § 63). Consequently, in our view, both the requirements of Article 35 § 5 of the Convention as well as the application of the principle of subsidiarity, in fact, required such a finding.
15. The point made in the judgment about the fundamental importance of the "elucidatory" role of the domestic courts is further underlined by the complaint made in relation to the Chapter II regime. After all, as the judgment records in § 451, in both their application to the Court and their initial observations, the applicants in the second of the joined cases had incorrectly referred to the Chapter II regime as a regime for the interception of communications data; rather than a regime which permits certain public authorities to acquire communications data from Communications Service Providers ("CSPs"). This "fundamental legal misunderstanding" led the Government to submit inter alia that the applicants had put forward no factual basis whatsoever for concluding that their communications were acquired in this way, and that they did not contend that they had been affected, either directly or indirectly, by the regime.
16. As noted above, the Court's conclusion on the Chapter II regime was, of course, ultimately based on the concession by the Government in R (The National Council for Civil Liberties (Liberty)) v Secretary of State for the Home Department & Anor [2018] EWHC 975 (Admin) which enabled the majority to find that the equivalent language in the Chapter II regime was "not in accordance with the law" within the meaning of Article 8 of the Convention (§ 467). However, had that not been the case, this Court would have been confronted with the task of considering in detail whether the regime's attendant safeguards were sufficient to satisfy the requirements of the Convention; and that (1) on the basis of a case initially advanced on the basis of a "fundamental legal misunderstanding" about the nature of the regime, (2) without any assistance or findings by the IPT in relation to what the attendant safeguards, both above and below the waterline, in fact were and/or (3) any reasoned conclusion by the IPT as to whether or not they satisfied the requirements of Article 8 (or could be made to satisfy the requirements of Article 8 by means of further disclosure akin to that ordered on 9 October 2014 in the proceedings brought by the applicants in the third of the joined applications). This would plainly have been a wholly undesirable state of affairs.
17. As indicated above, there is much in the judgment of the majority we agree with.
18. Firstly, we agree with the majority (as well as with the unanimous judgment in Centrum För Rättvisa ) in relation to the relevant general principles as set out in the judgment. In particular we agree with the affirmation by the majority (as well as the judgment in Centrum För Rättvisa and the report by the Venice Commission) that while the Court has considered prior judicial authorisation to be an important safeguard, and perhaps even "best practice", it has also repeatedly confirmed that, by itself, such prior judicial authorisation is neither necessary nor sufficient to ensure compliance with Article 8 of the Convention (§ 320).
19. Secondly, we also agree with the majority in identifying as potential shortcomings (or, to use the language in Centrum För Rättvisa "areas where there is scope for improvement") in the operation of the section 8(4) regime "the lack of oversight of the entire selection process, including the selection of bearers for interception, the selectors and search criteria for filtering intercepted communications, and the selection of material for examination by an analyst; and secondly, the absence of any real safeguards applicable to the selection of related communications data for examination" (§ 387).
20. Finally, we agree with the majority as to the correct approach to be applied when considering whether the system under review satisfied the requirement of being "necessary in a democratic society" under Article 8 § 2 of the Convention, namely that:
"... regard must be had to the actual operation of the system of interception, including the checks and balances on the exercise of power, and the existence or absence of any evidence of actual abuse (see Association for European Integration and Human Rights and Ekimdzhiev, cited above, § 92) (§ 320)
... it must principally have regard to the actual operation of a system of interception as a whole, including the checks and balances on the exercise of power, and the existence (or absence) of any evidence of actual abuse (...), such as the authorising of secret surveillance measures haphazardly, irregularly or without due and proper consideration (see Roman Zakharov, cited above, § 267) (§ 377)."
21. Where we disagree is (again) in the application of that approach to the system under review.
22. Before setting out in little more detail the basis for our disagreement we note in passing that this Court's underlying approach appears to be in clear contrast to the approach taken by the CJEU in Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources and Others and Settinger and Others (Cases C-293/12 and C-594/12) and Secretary of State for the Home Department v. Watson and Others (C-698/15). In the former case, the CJEU was considering the validity of the Data Retention Directive, and in the latter, the validity of domestic legislation containing the same provisions as that directive. While its focus was on the retention of data by CSPs, it also considered the question of access to retained data by the national authorities. In doing so, it indicated that access should be limited to what was strictly necessary for the objective pursued and, where that objective was fighting crime, it should be restricted to fighting serious crime. It further suggested that access should be subject to prior review by a court or independent administrative authority, and that there should be a requirement that the data concerned be retained within the European Union. Therefore, while there is some similarity in the language used by the two courts, the CJEU appears to have adopted a more prescriptive approach as regards the safeguards it considers necessary. This may be due to the fact that in both cases it was considering the rights guaranteed by reference to Articles 7 (Respect for private and family life) and 8 (Protection of personal data) of the Charter of Fundamental Rights. However, while in Watson the CJEU declined to state whether the protection provided by Articles 7 and 8 of the Charter was wider than that afforded by Article 8 of the Convention, we can but note that, on the one hand, Article 52 § 3 of the Charter of Fundamental Rights, while recognising the ability of EU law providing more extensive protection, is clearly expressed by reference to "rights" guaranteed by the Convention (rather than "Articles") corresponding to "rights" contained in the Charter and that, on the other hand, this Court has, at least since the 1978 judgment of the Plenary Court in Klass and Others v. Germany , Series A no. 28, consistently protected the right to the protection of personal data under Article 8 of the Convention. In any event, in Ben Faiza v. France , no. 31446/12, 8 February 2018, which was decided one year after Watson , and four years after Digital Rights Ireland , this Court did not follow the CJEU's approach, preferring instead to follow its well-established approach and to review the impugned regime as a whole in order to evaluate the adequacy of the available safeguards.
23. In any event, applying this Court's well-established approach, it is in our view, clear from the (in the context of secret surveillance cases unusually) extensive and detailed (publicly available) evidence in relation to the operation of the section 8(4) regime (summarised over some 35 pages in the judgment) that, despite the identified areas where there is scope for improvement, these are not, in themselves, sufficiently significant to justify the conclusion that "the section 8(4) regime does not meet the 'quality of law' requirement and is incapable of keeping the 'interference' to what is 'necessary in a democratic society'" (§ 388). On the contrary, adopting the approach of this Court in Centrum För Rättvisa , § 181, it is clear in our view that, making an overall assessment and having regard to the margin of appreciation enjoyed by the national authorities in protecting national security, the section 8(4) regime does provide adequate and sufficient guarantees against arbitrariness and the risk of abuse. As a result, we concluded that the relevant legislation meets the "quality of law" requirement and the "interference" established can be considered as being "necessary in a democratic society" and that there was, therefore, no violation of Article 8 of the Convention.
24. In this context, the contrast to the judgment in Centrum För Rättvisa is instructive. After all, in that case the Court applied the same general principles to the Swedish bulk interception regime and concluded, unanimously, that there was no breach of Article 8 of the Convention. Conscious of the difficulty - at times - in making detailed meaningful comparisons between different interception regimes, it is nevertheless noteworthy that the regime under consideration in that case, while equipped with judicial prior authorisation:
(a) was completely shrouded in secrecy with the Court having little meaningful information at all either about the actual generic operation of the system (including the actual operation of the Foreign Intelligence Court ("FIC") itself) or the impact of the system on and/or operation of safeguards in relation to any individual;
(b) provided that, in principle, the FIC should hold public hearings but found that there has never been a public hearing, all decisions are confidential and no information is disclosed to the public about the number of hearings, the number of permits granted or rejected, the reasoning of the court's decisions or the amount or type of search terms being used. While the FIC is assisted by the "privacy protection representative" whose role it is to protect the "interests of the general public" he or she does not appear on behalf of or represent the interests of any affected individual. Furthermore, the privacy protection representative cannot appeal against a decision by the FIC or "report any perceived irregularities to the supervisory bodies";
(c) was concerned with interception by the National Defence Radio Establishment ("FRA") on behalf of, and which, therefore, required communication of the intercept material to, a much wider group "clients" ("the Government, the Government Offices, the Armed Forces and, as from January 2013, the Security Police and the National Operative Department of the Police Authority");
(d) provided for authorisation of interception for a greater number (eight) of "purposes" ("1) external military threats to the country, 2) conditions for Swedish participation in international peacekeeping or humanitarian missions or threats to the safety of Swedish interests in the performance of such operations, 3) strategic circumstances concerning international terrorism or other serious cross-border crimes that may threaten essential national interests, 4) the development and proliferation of weapons of mass destruction, military equipment and other similar specified products, 5) serious external threats to society's infrastructure, 6) foreign conflicts with consequences for international security, 7) foreign intelligence operations against Swedish interests, and 8) the actions or intentions of a foreign power that are of substantial importance for Swedish foreign, security or defence policy");
(e) had similar difficulties to those identified in relation to the UK regime to separate out non-external communications between a sender and receiver within the respective State at the point of collection;
(f) allows for the communication of intercept product not only to other states but also to "international organisations" (not further defined) where that is "not prevented by secrecy and if necessary for the FRA to perform its activities within international defence and security cooperation" and "it is beneficial for the Swedish government or Sweden's comprehensive defence strategy" and without any provision requiring the third country/international organisation recipient to protect the data with the same or similar safeguards as those applicable internally; and
(g) provided for an obligation to notify the subject of an intercept after the event; an obligation which, however, "had never been used by the FRA, due to secrecy.
25. Considering the accepted difficulty in making a meaningful comparison between two or more distinct interception regime together with the different conclusions reached by this Court at about the same time, in our view, further underlines the importance of the Court adopting an approach of asking whether, taking "an overall assessment and having regard to the margin of appreciation enjoyed by the national authorities in protecting national security" the system adopted provides adequate and sufficient guarantees against arbitrariness and the risk of abuse, even if there may be individual aspects of any system which might be capable of being altered or improved. Such an approach properly reflects the role of the Convention, which is to set down "minimum standards" that can be applied across all Member States. Provided that - following an overall assessment - the Court finds that a system for bulk interception provides adequate and sufficient guarantees against arbitrariness and abuse, in view of the very different regimes in operation in different States, it will not be appropriate for it to be too prescriptive about the way in which those regimes should operate (although it may, as it did both in Centrum För Rättvisa and in this case, identify those aspects of the regime which could be improved upon). Applying this approach to the Court's supervisory jurisdiction in the present case (as it was in Centrum För Rättvisa ), the Court should have given due weight to the fact that the domestic courts and authorities have subjected both the UK system as a whole as well as the individual complaints at issue to detailed and extensive scrutiny by express reference to the Convention standards and this Court's case law and should have found that there was, here, no breach of Article 8 of the Convention.
26. Since the adoption of this judgment on 3 July 2018, the IPT has handed down yet another judgment in relation to another, unrelated, aspect of the UK's surveillance regime: Privacy International v Secretary of State for Foreign and Commonwealth Affairs (Rev 1) [2018] UKIPTrib IPT_15_110_CH (23 July 2018). For obvious reasons this judgment was not available for consideration by the Court when it reached its conclusions on the question of exhaustion of domestic remedies (and we have heard no submissions on it). That said, it seems to us that this careful and detailed judgment provides yet further support (if any was necessary) that, in principle, the IPT is an effective remedy for the purposes of Article 35 § 1 of the Convention which applicants will be required to have exhausted before this Court has jurisdiction to entertain their application.
[1] As the United Kingdom is leaving the European Union in 2019, it granted royal assent to the Data Protection Act 2018 on 23 May 2018, which contains equivalent regulations and protections.