Internet Blackout – it couldn't happen here, could it?

Egypt Internet Blackout (© Arbor Networks)

This excellent graphic from Arbor Networks shows how Internet traffic to and from Egypt fell off a cliff between 27 and 28 January 2011.  At about the same time mobile phone operators in Egypt reported that they were required to close down their networks in certain areas of the country.  Vodafone Egypt reported on 30 January 2011 (on its Group website, as its local website was unavailable outside of Egypt) that it had resumed voice call services.

The response in many parts of the world was understandably negative, particularly as the Internet blackout prevented contemporaneous reports coming out of Egypt on social media networks such as Twitter or Facebook.  The US Secretary of State, Hillary Clinton, was widely reported to be urging the Egypt Government to restore communications.

Could the UK Government do the same thing: order an Internet blackout and mobile phone network shutdown?

Internet Blackout

The Communications Act 2003 contains a broad power that could be used by a Secretary of State to close down the Internet, at least by ordering UK-based communications providers to close any international gateways.  Section 132 begins:

132 Powers to require suspension or restriction of a provider’s entitlement

(1)  If the Secretary of State has reasonable grounds for believing that it is necessary to do so—

(a)  to protect the public from any threat to public safety or public health, or

(b)  in the interests of national security,

he may, by a direction to OFCOM, require them to give a direction under subsection (3) to a person (“the relevant provider”) who provides an electronic communications network or electronic communications service or who makes associated facilities available.

(2)  OFCOM must comply with a requirement of the Secretary of State under subsection (1) by giving to the relevant provider such direction under subsection (3) as they consider necessary for the purpose of complying with the Secretary of State’s direction.

(3)  A direction under this section is—

(a)  a direction that the entitlement of the relevant provider to provide electronic communications networks or electronic communications services, or to make associated facilities available, is suspended (either generally or in relation to particular networks, services or facilities); or

(b)  a direction that that entitlement is restricted in the respects set out in the direction.

Whilst the word “reasonable” gives any affected communications provider the hope that a capricious direction of the Secretary of State could be reined in by an urgent judicial review, what amounts to a critical threat to public safety or, especially, national security is not a judgement a court is likely to wish to overturn.  In any event, Section 132 can itself be considered unnecessary in the light of Part 2 of the Civil Contingencies Act 2004.

This part of the 2004 Act replaced the Emergency Powers Act 1920.  It is highly recommended reading for any conspiracy theorist or anyone deeply cynical about the ability of politicians to act reasonably and sensibly in the event of any serious emergency affecting the UK.  In summary, the 2004 Act gives the Executive extraordinary powers to make emergency regulations.  Providing by regulation that internet service providers must deny access to international gateways or particular websites or servers could easily be achieved.

Mobile Phone Network Shutdown

The Secretary of State would not even need to consider making emergency regulations under the 2004 Act in order to shut down mobile phone networks.  A direction made under Section 132 of the Communications Act 2003 would suffice.  Each of the mobile phone operators has in their Wireless Telegraphy Act licences a provision in the same or substantially the same form as the following:

Ofcom may in the event of a national or local state of emergency being declared require the Radio Equipment to be modified or restricted in use, or temporarily or permanently closed down either immediately or on the expiry of such period as Ofcom may specify. Ofcom shall exercise this power by a written notice served on the Licensee or by a general notice applicable to holders of this class of Licence. (See Ofcom’s Template 2G Licence.)

So once Ofcom got the direction from the Secretary of State, it would have to do the dirty work and order the mobile phone operators to close down their networks.

Human Rights?

What about human rights, you might ask?  Article 10 of the European Convention on Human Rights is supposed to grant a right to freedom of expression, isn’t it? However, as even Wikipedia’s Article 10 page helpfully points out, this is not an unqualified right.  Where in accordance with the law (see above) and necessary in a democratic society, the right can be restricted.

So, before you get too outraged about the Internet blackout and mobile phone shutdown in Egypt, consider this: arguably the legal tools are all available for the UK Government to do exactly the same in the UK right now.

DoJ, Wikileaks and Twitter: Stones and Glasshouses

There seems to be a degree of outrage on many social media channels about the Department of Justice in the United States obtaining a court order to require the US-based social media platform Twitter, and possibly Facebook and Google as well, to reveal account information about certain users who are alleged to be involved with Wikileaks. There should be no doubt amongst UK social media commentators or users that the law in the UK is more generous to government authorities than anything in the US.

US Law

The court order against Twitter was made under 18 USC §2703(d), which is an order made on application to a magistrate judge (and not a subpoena, as is being widely reported). These orders can only be granted where it is shown by the applicant government entity that there are reasonable grounds for believing that the information it will obtain from the respondent communications providers will be relevant and material to an ongoing criminal investigation. Whilst we are not experts in US law, we believe that orders under 18 USC §2703(d) enable the government entity making the application to obtain what we in the UK would call the communications data (see below) for a particular account from a respondent communications provider and details about the subscriber or customer for that account. The contents of any communication can only be demanded if they are over 180 days old, otherwise another criminal evidence procedure is required. As far as we are aware, in the US there is no federal statutory obligation on communications providers to retain communications data, but 18 USC §2703(f) does provide for data preservation orders.

UK Law

This post explains the relevant UK law, which shows that not only can similar communications data to the Twitter account information sought by the Department of Justice be obtained by government entities in the UK from UK communications providers, but that information can be demanded for much broader purposes than in connection with an ongoing criminal investigation. 

In the Regulation of Investigatory Powers Act 2000 (“RIPA”), “communications data” is defined as being (section 21(4) of RIPA):

(a)  any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;

(b)  any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

(i)  of any postal service or telecommunications service; or

(ii)  in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

(c)  any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

Whilst it is unclear to what extent communications data under RIPA includes web page or other internet usage data, the definition of traffic data was carefully drafted to exclude web page information (rider at s.21(6)).

Whilst communications providers had no standing obligation to retain data under RIPA, a designated person (as defined in sections 25(1) and (2)) may require any telecommunications operator of a telecommunications system that is “in possession of, or be capable of obtaining, any communications data” to obtain that data, if not already in the operator’s possession, and disclose it (section 22(4)).  However, the grounds under RIPA upon which communications data can be ordered to be obtained are the most extensive in any UK legislation.  They include, for example, matters such as “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 22(2)(f)).  The original purposes have also been extended by the Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006 (all these purposes together being the “RIPA Purposes”).

The scope of these RIPA Purposes was addressed in the Home Office Acquisition and Disclosure of Communications Code of Practice, which came into effect on 1 October 2007 (the “RIPA Code”). The RIPA Code seeks to emphasise that any action by a designated person or a person authorised by them is “necessary and proportionate” (see paragraphs 2.1, 3.5, 3.7, 3.31 and 3.48). However, it does not contain much in the way of guidance on how a designated person is to assess what is “necessary and proportionate”.

Any notice given by the designated person to a communications provider is only valid for a maximum of one month (section 23(4)), but it would appear that under RIPA the acquisition period for the relevant communications data which is the subject of the notice can be unlimited.  The RIPA Code states that any notice must give the start date and end date for the acquisition of data, but with limits on future end dates, so that where a notice relates to the acquisition of communications data that will or may be generated in the future, the future period is restricted to no more than one month from the notice date (paragraph 3.44).

In practice government entities in the UK do not have to consider seeking an order under section 22 of RIPA to preserve communications data, as the UK has for a number of years implemented a data retention regime.  Communications providers in the UK are required to retain communications data under the Data Retention (EC Directive) Regulations 2009 (the “Data Retention Regulations”), which implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 (the “Data Retention Directive”) on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Regulations do not set out the purposes for data retention, but it is stated in the Data Retention Directive that the intention is to “ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Art.1(1)) (the “Data Retention Directive Purposes”) (emphasis added).

In the Data Retention Regulations “communications data” is defined as being “traffic data and location data and related data necessary to identify the subscriber or user”.  Traffic data means “data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication” (Regulation 2).  This definition is slightly different from that set out at section 21(4) of RIPA (see above); the clearest differences are that in RIPA location data is expressly included and defined (at sections 21(6) and (7)), and that the Regulations use a broader definition of traffic data.  In particular, the definition of traffic data in the Data Retention Regulations does not exclude from the definition of traffic data, data to the level of web page information.

Under the Data Retention Regulations public communications providers are required to retain the communications data set out in Regulation 4 and the Schedule.  This is generally data necessary: (a) to trace and identify the source of a communication; (b) to identify the destination of a communication; (c) to identify the date, time and duration of a communication; (d) to identify the type of communication; or (e) to identify users’ communication equipment (or what purports to be their equipment).  The retention period for all communications data retained under the Regulations is twelve (12) months (Regulation 5).  The Data Retention Regulations do not include an access regime for any retained communications data, but merely state that access may be obtained only in specific cases and as permitted or required by law (Regulation 7).

Other Relevant Legislation

Data Protection Act 1998

The Data Protection Act 1998 (“DPA”) fifth data protection principle (at paragraph 5 of Part I of Schedule 1) provides that personal data shall not be retained for longer than is necessary for the specified and lawful purpose(s) of the data controller.  Consequently, communications providers ought to state in any fair processing notice made available to their customers that communications data is being retained as required by the Regulations and may be disclosed to public authorities permitted to access the communications data under RIPA, even though most of this processing will be exempt from the subject information provisions (as defined at section 27(2) of the DPA) under an exemption in Part IV of the DPA (section 28 (National security) and section 29 (Crime and taxation) being the most obvious).

Communications providers will be relying, in most cases, on the lawful purpose set out in paragraph 5 of Schedule 2 of the DPA (processing necessary for the administration of justice, to carry out statutory functions or functions of the Crown, a Minister of the Crown or a government department or for “the exercise of any other functions of a public nature exercised in the public interest by any person”), or, where the communications data contains sensitive personal data, on the purposes set out at paragraph 7 of Schedule 3 of the DPA (as paragraph 5 of Schedule 2, except without the ‘functions of a public nature exercised in the public interest’ purpose).

Human Rights Act 1998

Article 8(2) of the European Convention on Human Rights (the “Convention”), incorporated into UK law by the Human Rights Act 1998 (“HRA”), provides that “there shall be no interference by a public authority with the exercise of this [Article 8 privacy] right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (the “Art 8(2) Purposes”).

The principle of retention of communications data for the Data Retention Directive Purposes, which are narrower than the Art 8(2) Purposes, is therefore lawful under the Convention and the HRA. What is open to question is the lawfulness of any of the Data Retention Regulations’ retention periods and the interference with data subjects’ rights to privacy where retention (and access) is carried out for RIPA Purposes that go beyond those set out at Article 8(2).

[We found the post “Thoughts on the DOJ wikileaks/twitter court order” by Christopher Soghoian on his slight paranoia blog interesting – and useful to confirm our understanding of 18 USC § 2703.]

The Daily Mail, Dorries and Data Protection

Community Trade Mark E7490592

Our last two posts addressed the position of Nadine Dorries MP under the Data Protection Act 1998 (the “DPA”) in respect of sensitive personal data concerning her partner’s wife posted on the MP’s website in her Personal Statement to the Press (here and here).

It appears that the Personal Statement to the Press may have been made in anticipation of a story being published in the Daily Mail the following day on the MP’s new relationship. In that story the same sensitive personal data was published, raising the question of whether the Daily Mail was itself potentially in breach of the DPA.

There is one material difference between the two cases. The Daily Mail, being a news organisation, can rely on the exemption at section 32 of the DPA. This applies where the processing of personal data, including the publication of it, is done for the special purposes of journalism, literature or art.  It is not a complete exemption from the provisions of the DPA, but it does permit a journalism organisation to breach a data protection principle where it “reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest” (section 32(1)(b)) and where it “reasonably believes that, in all circumstances, compliance [with the data protection principle] is incompatible [for the purposes of journalism]” (section 32(1)(c)).

Publication, it is clear, includes making the journalistic material available to the public or any section of the public by any media (from section 32(6)).

A subject of any journalistic material retains their right to bring an action for compensation, including damages for distress (section 13(2)(b)), which means that any newspaper wishing to publish must weigh up the risk of being sued under the DPA and a court finding that newspaper could not have had a reasonable belief that the publication was in the public interest.  There are extremely few cases on this point, but perhaps the most notable is the Naomi Campbell case.  She brought a case against the Mirror as a result of pictures being published of her leaving a Narcotics Anonymous meeting.  The data protection aspect of the case was thoroughly described by the Master of the Rolls, Lord Phillips, when the case was appealed to the Court of Appeal (Naomi Campbell v Mirror Group Newspapers [2002] EWCA Civ 1373, subsequently appealed to the House of Lords [2004] UKHL 22).  At the Court of Appeal it was determined that the publication was in the public interest so that the section 32 exemption applied.  In the House of Lords the case was determined upon the basis of the balance of rights under the Human Rights Act 1998 rather than expressly dealing with the DPA, but this can be implied from section 32(1)(b) as being the balance between the right to freedom of expression and the right to privacy.

So in deciding whether the Daily Mail has breached the DPA, you have to consider, as a court would, whether there were grounds for a reasonable belief that publication of information on her partner’s wife was in the public interest.

Nadine Dorries Press Statement: enforcement and remedy

ICO Data protection cases received and closed (source ICO)

In our previous post we reviewed, in the context of yesterday’s personal statement to the press by Nadine Dorries MP, whether the publication of a person’s medical condition on a website could be unlawful under the Data Protection Act 1998 (the “DPA”). If our view that there has been a breach of the DPA is supported, what are the potential consequences for Nadine Dorries MP and what remedies are available to her partner’s wife (“W”) under the DPA?

Firstly, breach of a data protection principle is not of itself a criminal offence. Nothing Nadine Dorries has done appears to be within the scope of any of the criminal offences under the DPA. The disclosures she made in her blog are even within the scope of her notification properly made to the Information Commissioner’s Office (“notification” is the accurate term for the registration of a data controller’s processing purposes required under section 17 of the DPA). So any enforcement action taken by the Information Commissioner against the MP will not include prosecution at this stage.

Nadine Dorries could still be prosecuted if she fails to comply with an enforcement notice made by the Information Commissioner, but as the nature of any enforcement notice would be an order by the Information Commissioner not to breach the relevant data protection principle again, this is unlikely. However, the current practice of the Information Commissioner’s Office is to seek undertakings from breaching data controllers that they will remedy the breach and will behave lawfully in future. Whilst enforcement by enforcement notice is described in Part V of the DPA, this practice of undertakings is non-statutory. It appears that this use of undertakings makes criminal prosecution even more unlikely, as a breach of an undertaking would then lead to an enforcement notice, not directly to a prosecution.

However, the Information Commissioner does have the ability to impose monetary penalties of up to £500,000 for serious breaches of the DPA. All the elements that give the Information Commissioner the power under the DPA to impose a monetary penalty may be present in the Nadine Dorries case: there is a deliberate breach of the first data protection principle in circumstances that would cause W distress. The question is therefore whether the breach is “serious” or the distress “substantial” for the purposes of section 55A(1) of the DPA. As required by section 55C of the DPA, the Information Commissioner has published guidance on how it would determine whether a breach warrants action under section 55A (or 55B), but this does not give sufficient assistance to be able to conclude that Nadine Dorries would be given a notice of intent to impose a monetary penalty, were the Information Commissioner to investigate this case. However, the guidance does suggest that breaches that involve medical data and distress as a result of wrongful processing of medical data are more likely to be in the serious/substantial camp.

So if the Information Commissioner takes no action, what direct remedy does W have under the DPA? It is recognised by privacy advocates that the DPA provides limited remedies to individuals. The only remedy they have for past breaches, which requires court action, is a right to compensation for damage under section 13 of the DPA. In almost all cases, this must be actual damage (i.e. recovery of costs, losses or expenses suffered or incurred as a result of the DPA breach) rather than distress. Damages for distress alone are only possible in a limited set of circumstances, which do not apply to this Nadine Dorries case unless it can be argued that the issue of a personal press statement was for the “purposes of journalism” (section 3(1) of the DPA). There is no case law on what this phrase means.  In addition, there is no recital in the Data Protection Directive 95/46/EC that gives any assistance on what this provision was intended to cover.  Therefore in our opinion it would be a brave claimant that would try to obtain damages for distress under the DPA by claiming that the issue of a statement on a blog was caught by what the DPA calls this “special purpose”.

This leads to the uncomfortable conclusion that W may have no direct DPA remedy herself, and must rely on the Information Commissioner to take action to give her some redress for the distress she may have suffered as a result of details of her alcoholism being published in breach of the DPA.  However, the development of a right to privacy under cases such as Max Mosley v News of the World [2008] EWHC 1777 (QB) or Naomi Campbell v Mirror Group Newspapers [2004] UKHL 22 shows that a privacy remedy may be available as a result of judicial intervention where no statutory remedy under the DPA is provided.

Domestic purposes abuse?

Nadine Dorries MP (© http://www.TheyWorkForYou.com)

Today, Nadine Dorries MP issued on her blog a personal statement to the press. In the statement she describes how she has embarked upon a romantic relationship with an old family friend. However, the statement also includes personal statements from her new partner and her partner’s daughter. From these secondary statements the wife of the partner can be identified, and she is stated to be a long-term alcoholic and a domestic abuser.

You will note that we have not named the partner, his wife or his daughter. To do so would mean that we would be processing personal data, including sensitive personal data, about these individuals. For the reasons set out in this post, we consider that such processing, being done without the explicit consent of the wife of the partner, would be unlawful under the Data Protection Act 1998 (the “DPA”).

The first question that needs to be answered in connection with the press statement is whether the DPA applies at all. Whilst the DPA would apply to our use of the partner’s family personal data, there is a question as to whether the disclosure of this information on Nadine Dorries’ blog is within the scope of the DPA. This is because section 36 of the DPA exempts processing for domestic purposes by an individual. There is no UK case law to assist in determining where the boundary lies for this domestic purposes exemption, but there can be little doubt that if the courts were asked to consider these circumstances, they would be bound by the Court of Justice of the European Union decision in Case 101/01 Bodil Lindqvist.  We would expect a UK court to apply the Bodil Lindqvist decision to find that the publication by an MP of personal data of third parties on the internet was not covered by the section 36 exemption.  Section 36 is clearly the implementation in the UK of the second limb of Article 3(2) of the Data Protection Directive 95/46/EC. The Bodil Lindqvist case facts are very similar to this Nadine Dorries case; both cases involve the publication of personal data, including sensitive personal data, on the internet in circumstances where a non-commercial, private purpose was or could be claimed. The Court of Justice was particularly influenced by Recital (12) of the Directive to decide that internet publication could not be considered to be domestic processing within the exemption at Article 3(2):

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses;

The next question, having decided that the DPA applies, is whether there has been any breach of the DPA by disclosing the personal statements. To comply with the First Data Protection Principle under the DPA, a data controller (in essence, the owner of the data or the one who decides what to do with it) must process the data in accordance with one of the appropriate conditions set out in two schedules to the DPA: Schedule 2 for “ordinary” personal data or Schedule 3 for sensitive personal data. For the purposes of this post, “ordinary” personal data is data which identifies an individual and which is not sensitive personal data. Sensitive personal data is defined in section 2 of the DPA as:

In this Act “sensitive personal data” means personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Even taking the most favourable interpretation of this definition to the information disclosed about the partner’s wife, it is clear that information about her alcoholism (physical or mental health or condition) is sensitive personal data. There does not appear to be any legitimate purpose under Schedule 3 that would permit the disclosure of this information without the explicit consent of the partner’s wife. It therefore appears that the disclosure is unlawful.

Having decided that the publication of a third party’s medical condition, if it is without explicit consent, is unlawful, the question of the consequences arises. We will deal with this in our next post.