Thursday 28 January 2010

Tackling serious crime - does it matter if the Human Rights Convention has stuffed the State?

In my last blog I questioned whether the state was capable of giving police sufficient powers to protect us from people like “Fred in the shed”, whose “human rights”, as granted to him by the European Convention on Human Rights, can appear to give him the edge over those he might wish to harm when he goes on-line. I explained that I would use this blog to have a quick look at some of the Convention rights and freedoms and see if I could draw any conclusions as to how they might be applied to material accessed on the internet.

Article 6 provides that “It is unlawful for a public authority to act in a way which is incompatible with a Convention right.” This suggests that the police have to tread very carefully when doing anything that could be construed as observing, or interfering with, Fred. He remains innocent until there is any evidence to establish otherwise. The police therefore have to follow recognised standards of behaviour, and remain publicly accountable for their actions.

Article 2(1) provides that “Everyone’s right to life shall be protected by law.” This suggests that the police ought to be able to do things to prevent Fred from committing crimes that threaten other people’s lives, but not necessarily to use those same powers to detect his involvement in absolutely all other types of crimes.

Article 5(1) provides that “Everyone has the right to liberty and security of person.” This suggests that the police have to treat Fred with the same degree of civility and respect as everyone else enjoys.

Article 8(1) provides that “Everyone has the right to respect for his private and family life, his home and his correspondence.” And, in 8(2), “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” This is the really hard one, as it’s not clear what Fred’s “correspondence” really means in an internet world. Is this just the content of his emails, or does it extend to, say, detailed records of his surfing habits on the internet too? Back in 1993, Parliament only appeared to allow service providers to keep some of Fred’s web browsing history for 4 days. In its Retention of Communications Data (Code of Practice) Order 2003 (SI 2003 No 3175), only certain types of web activity logs were specified as being able to be retained. They were: “Proxy server logs (date/time, IP address used, URL’s visited, services)” and the restrictions were quite clear: “The data types here will be restricted solely to Communications Data and exclude content of communication. This will mean that storage under this code can only take place to the level of www.homeoffice.gov.uk/……” and for just 4 days.

Obviously, this places something of a restriction on what the state would like to do, so the Data Retention (EC Directive) Regulations 2009 (SI 2009 No 859) came into force on 6 April 2009, which appear to allow the state to require certain providers to retain more types of web activity logs, and for longer. What the state had to do was to write to the relevant providers to tell them what it wanted them to do. But it’s not clear whether these Regulations will actually provide the police with what they are after. The wording of the SI refers to “Data necessary to trace and identify the source, the destination, the date, time and duration, [and] the type of a ‘communication’”, together with “Data necessary to identify users’ communication equipment (or what purports to be their equipment).” So what if Fred is just surfing the internet, and not actually making a “communication”? Is the state able to force internet service providers to retain such logs? Dunno. Perhaps an opportunity has been missed. But although the state can’t insist, it might be possible for a company (such as an internet service provider) to explain to Fred that it had decided to retain all internet records for its own marketing and customer care purposes for a set period, and then allow him to go to another internet service provider if this condition were unacceptable.

(And, if the service provider had found a way of retaining this information, the state might well consider allowing the police to use their RIPA powers to acquire it, when deemed proportionate and necessary.)

Article 10(1) provides that “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.” And, in 10(2), “The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such … restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence…” This appears to mean that there should be few restrictions on just what Fred is allowed to access on the internet. Of course any links to unlawful sites must be blocked, but the state needs to exercise very great care when trying to prohibit access to – or censor – other types of material on the internet, such as those the state might find distasteful. But although the state can’t insist, it might be possible for a company (such as an internet service provider) to explain to Fred that it had decided to block access to particular types of material, and allow him to go to another internet service provider if this condition were unacceptable.

Article 17 provides that “Nothing in this Convention may be interpreted as implying for any State, group or person any right to engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms set forth herein or at their limitation to a greater extent than is provided for in the Convention”. So, Fred appears to be protected from interference with (or forcing internet providers to record) his internet browsing habits, for example, as the Convention does not appear to give the state the specific right to exercise such powers in the first place. But as I have suggested in my comments on Article 8, although the state can’t insist, it might be possible for a company (such as an internet service provider) to explain to Fred that it had decided to retain all internet records for its own marketing and customer care purposes for a set period, and allow him to go to another internet service provider if this condition were unacceptable. (And thus it may be made available to the police, when proportionate and necessary.)

Finally, Article 1 of Part II of something known as the First Protocol to the Convention is relevant, as it refers to the protection of property: “Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except in the public interest and subject to the conditions provided for by law and by the general principles of international law”. This is of particular help to service providers, as it forms the basis on which they can argue that costs incurred in retaining communications records, beyond the period they need for their own business purposes, should be met by the state. The Data Protection Act requires personal information to be deleted as soon as the data controller no longer has a legitimate use for it – so this is the sugar that sweetens the medicine that has to be swallowed when providers are required to do things which ordinarily they would not.

I appear to be concluding that the state can’t properly protect the public from Fred in the shed, because the European Convention on Human Rights gets in the way. But companies, such as internet service providers, might be able to circumvent some of those restrictions if they really wanted to. Data protection legislation can allow personal information to be used for a wide range of purposes, provided the data controller's privacy policy fairly sets out just how the information that will be provided or generated by people will be used.

Can data protection legislation really provide the band aid to patch over these gaps in human rights legislation? That’s a huge question, and one that needs to be considered in another blog.