Will Tesco rescue News International, James Murdoch and Rebekah Brooks?

© Copyright Steve Daniels

Tesco Supermarkets Ltd v Nattrass [1972] AC 153 is a well-known case that describes and limits the application of what is known as the attribution or identification principle. This determines under what circumstances a company can be considered to have committed a criminal offence as a result of the acts or omissions of any of its directors or employees. In the words of Lord Reid (at paragraph 170):

A living person has a mind which can have knowledge or intention or be negligent and he has hands to carry out his intentions. A corporation has none of these: it must act through living persons, though not always one or the same person. Then the person who acts is not speaking or acting for the company. He is acting as the company and his mind which directs his acts is the mind of the company. There is no question of the company being vicariously liable. He is not acting as a servant, representative, agent or delegate. He is an embodiment of the company or, one could say, he hears and speaks through the persona of the company, within his appropriate sphere, and his mind is the mind of the company. If it is a guilty mind then that is the guilt of the company. It must be a question of law whether, once the facts have been ascertained, a person in doing particular things is to be regarded as the company or merely as the company’s servant or agent. In that case any liability of the company can only be a statutory or vicarious liability.

In practice this has meant that there has to be a close connection between the acts or omissions of any particular employees and the company itself; in many cases, successful prosecutions of companies have only followed where the criminal offence has been committed by a managing director/sole or majority shareholder in a small company (see my earlier post on corporate manslaughter).

When the News of the World royal correspondent Clive Goodman and inquiry agent Glenn Mulcaire were found guilty of offences under the Regulation of Investigatory Powers Act 2000 (RIPA) (and Criminal Law Act 1977), it appeared at the time that the interception of communications by them was, as far as the News of the World was concerned, the act of one rogue reporter and his agent. In the words of the last ever editor of News of the World, Colin Myler, to the Press Complaints Commission, the episode concerning Clive Goodman and Glenn Mulcaire was “an exceptional and unhappy event in the 163 year history of the News of the World, involving one journalist”. There was no suggestion that News International was considered for prosecution at the time Clive Goodman and Glenn Mulcaire were prosecuted.

In light of more recent events, there are indications that the scope of hacking by Glenn Mulcaire for News of the World was much more widespread than merely working for one rogue reporter. There are also suggestions of involvement by the editors at the time, Andy Coulson (arrested today) and Rebekah Brooks. If they can be considered to be the controlling mind of News International for the purposes of RIPA criminal offences, then there is a real prospect that News International could itself be prosecuted under RIPA.

This leads to another interesting conclusion. RIPA, like many Acts of Parliament, includes a provision that catches directors of companies that are prosecuted for a criminal offence. The RIPA version of this provision states, at section 79(1):

79 Criminal liability of directors etc.

(1) Where an offence under any provision of this Act other than a provision of Part III is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of—

(a) a director, manager, secretary or other similar officer of the body corporate, or

(b) any person who was purporting to act in any such capacity,

he (as well as the body corporate) shall be guilty of that offence and liable to be proceeded against and punished accordingly.

So if editors of newspapers are considered sufficiently close to a newspaper to be its controlling mind for the purposes of a relevant criminal offence, and directors of that newspaper neglected to ensure that practices and procedures in the company were lawful or condoned the illegal practices that enabled the newspaper to score many scoops, then those directors may also be criminally liable.  In this light, the statement by James Murdoch concerning the closure of the News of the World makes interesting reading.

It should be noted that given current company case law following Tesco Supermarkets v Nattrass, it is a big “if” to consider that the identification principle would result in News International being successfully prosecuted as a result of actions by its editor(s). Consequently, the prospect of James Murdoch or other directors facing prosecution is even more remote.


DoJ, Wikileaks and Twitter: Stones and Glasshouses

There seems to be a degree of outrage on many social media channels about the Department of Justice in the United States obtaining a court order to require the US-based social media platform Twitter, and possibly Facebook and Google as well, to reveal account information about certain users who are alleged to be involved with Wikileaks. There should be no doubt amongst UK social media commentators or users that the law in the UK is more generous to government authorities than anything in the US.

US Law

The court order against Twitter was made under 18 USC §2703(d), which is an order made on application to a magistrate judge (and not a subpoena, as is being widely reported). These orders can only be granted where it is shown by the applicant government entity that there are reasonable grounds for believing that the information it will obtain from the respondent communications providers will be relevant and material to an ongoing criminal investigation. Whilst we are not experts in US law, we believe that orders under 18 USC §2703(d) enable the government entity making the application to obtain what we in the UK would call the communications data (see below) for a particular account from a respondent communications provider and details about the subscriber or customer for that account. The contents of any communication can only be demanded if they are over 180 days old, otherwise another criminal evidence procedure is required. As far as we are aware, in the US there is no federal statutory obligation on communications providers to retain communications data, but 18 USC §2703(f) does provide for data preservation orders.

UK Law

This post explains the relevant UK law, which shows that not only can similar communications data to the Twitter account information sought by the Department of Justice be obtained by government entities in the UK from UK communications providers, but that information can be demanded for much broader purposes than in connection with an ongoing criminal investigation. 

In the Regulation of Investigatory Powers Act 2000 (“RIPA”), “communications data” is defined as being (section 21(4) of RIPA):

(a)  any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;

(b)  any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

(i)  of any postal service or telecommunications service; or

(ii)  in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

(c)  any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

Whilst it is unclear to what extent communications data under RIPA includes web page or other internet usage data, the definition of traffic data was carefully drafted to exclude web page information (rider at s.21(6)).

Whilst communications providers had no standing obligation to retain data under RIPA, a designated person (as defined in sections 25(1) and (2)) may require any telecommunications operator of a telecommunications system that is “in possession of, or be capable of obtaining, any communications data” to obtain that data, if not already in the operator’s possession, and disclose it (section 22(4)).  However, the grounds under RIPA upon which communications data can be ordered to be obtained are the most extensive in any UK legislation.  They include, for example, matters such as “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 22(2)(f)).  The original purposes have also been extended by the Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006 (all these purposes together being the “RIPA Purposes”).

The scope of these RIPA Purposes was addressed in the Home Office Acquisition and Disclosure of Communications Code of Practice, which came into effect on 1 October 2007 (the “RIPA Code”). The RIPA Code seeks to emphasise that any action by a designated person or a person authorised by them is “necessary and proportionate” (see paragraphs 2.1, 3.5, 3.7, 3.31 and 3.48). However, it does not contain much in the way of guidance on how a designated person is to assess what is “necessary and proportionate”.

Any notice given by the delegated person to a communications provider is only valid for a maximum of one month (section 23(4)), but it would appear that under RIPA the acquisition period for the relevant communications data which is the subject of the notice can be unlimited. The RIPA Code states that any notice must give the start date and end date for the acquisition of data, but with limits on future end dates, so that where a notice relates to the acquisition of communications data that will or may be generated in the future, the future period is restricted to no more than one month from the notice date (paragraph 3.44).

In practice government entities in the UK do not have to consider seeking an order under section 22 of RIPA to preserve communications data, as the UK has for a number of years implemented a data retention regime.  Communications providers in the UK are required to retain communications data under the Data Retention (EC Directive) Regulations 2009 (the “Data Retention Regulations”), which implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 (the “Data Retention Directive”) on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Regulations do not set out the purposes for data retention, but it is stated in the Data Retention Directive that the intention is to “ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Art.1(1))(the “Data Retention Directive Purposes”)(emphasis added).

In the Data Retention Regulations “communications data” is defined as being “traffic data and location data and related data necessary to identify the subscriber or user”. Traffic data means “data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication” (Regulation 2). This definition is slightly different from that set out at section 21(4) of RIPA (see above); the clearest differences are that in RIPA location data is expressly included and defined (at sections 21(6) and (7)), and the broader definition of traffic data. In particular, the definition of traffic data in the Data Retention Regulations does not exclude data to the level of web page information.

Under the Data Retention Regulations public communications providers are required to retain the communications data set out in Regulation 4 and the Schedule. This is generally data necessary: (a) to trace and identify the source of a communication; (b) to identify the destination of a communication; (c) to identify the date, time and duration of a communication; (d) to identify the type of communication; or (e) to identify users’ communication equipment (or what purports to be their equipment). The retention period for all communications data retained is twelve (12) months (Regulation 5). The Data Retention Regulations do not include an access regime for any retained communications data, but merely state that access may be obtained only in specific cases and as permitted or required by law (Regulation 7).

Other Relevant Legislation

Data Protection Act 1998

The Data Protection Act 1998 (“DPA”) fifth data protection principle (at paragraph 5 of Part I of Schedule 1) provides that personal data shall not be retained for longer than is necessary for the specified and lawful purpose(s) of the data controller. Consequently, communications providers ought to state in any fair processing notice made available to their customers that communications data is being retained as required by the Regulations and may be disclosed to public authorities permitted to access the communications data under RIPA, even though most of this processing will be exempt from the subject information provisions (as defined at section 27(2) of the DPA) under an exemption in Part IV of the DPA (section 28 (National security) and section 29 (Crime and taxation) being the most obvious).

Communications providers will be relying, in most cases, on the lawful purpose set out in paragraph 5 of Schedule 2 of the DPA (processing necessary for the administration of justice, to carry out statutory functions or functions of the Crown, a Minister of the Crown or a government department or for “the exercise of any other functions of a public nature exercised in the public interest by any person”), or, where the communications data contains sensitive personal data, on the purposes set out at paragraph 7 of Schedule 3 of the DPA (as paragraph 5 of Schedule 2, except without the ‘functions of a public nature exercised in the public interest’ purpose).

Human Rights Act 1998

Article 8(2) of the European Convention of Human Rights (the “Convention”), incorporated into UK law by the Human Rights Act 1998 (“HRA”), provides that “there shall be no interference by a public authority with the exercise of this [Article 8 privacy] right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (the “Art 8(2) Purposes”).

The principle of retention of communications data for the Data Retention Directive Purposes, which are narrower than the Art 8(2) Purposes, is therefore lawful under the Convention and the HRA. What is open to question is the lawfulness of any of the Data Retention Regulations’ retention periods and the interference with data subjects’ rights to privacy where retention (and access) is carried out for RIPA Purposes that go beyond those set out at Article 8(2).

[We found the post “Thoughts on the DOJ wikileaks/twitter court order” by Christopher Soghoian on his slight paranoia blog interesting – and useful to confirm our understanding of 18 USC § 2703.]

Comparative law: chalk and cheese


On the same day as the Telecommunications Regulatory Authority (TRA) of the United Arab Emirates (UAE) announced a ban on BlackBerry Messenger, E-Mail and Web-browsing services from 11 October 2010, the Emirates News Agency (ENA) published a comparative law paper on aspects of US, UK and UAE telecommunications law (see previous post Blast! BlackBerry blanked for links). No author is cited on the ENA study, but it seems to imply that the banning of BlackBerry services by the TRA UAE was a regulatory measure that could have been taken appropriately and proportionately by Ofcom under UK telecommunications law.

In this post I set out why I consider this to be a fundamentally mistaken analysis.

Section 132 Communications Act 2003

The UK analysis begins with a discussion of section 132 of the Communications Act 2003, which permits the Secretary of State, upon reasonable grounds where considered necessary to protect against threats to public safety, public health or in the interests of national security, to order that certain networks or services are suspended or restricted.  Immediately it can be seen that the grounds upon which the Secretary of State can act are more narrow than in the UAE, where the TRA UAE can act on the grounds of public interest.  As the provision states that the Secretary of State must only act on reasonable grounds, by implication these must also be published.

Further weight is given to this implied obligation of the Secretary of State (and Ofcom) to publish their reasons for acting from the fact that this section has its roots in European Union law.  The Explanatory Notes that were published with the Communications Bill in the House of Lords state that the clause which was enacted as section 132 was the UK expression of the derogation permitted at Article 3(1) of the Authorisation Directive 2002/21/EC.  This only permits member states of the EU to suspend or restrict networks or services as set out at Article 52(1) TFEU (formerly Article 46(1) TEC), being the public safety, public health and national security grounds.  However, Recital (4) of the Authorisation Directive makes clear that it provides for a regulatory regime which allows operators to “benefit from objective, transparent, non-discriminatory and proportionate rights, conditions and procedures”.

Once ordered, Ofcom is required to give operators directions to implement the Secretary of State’s order. It should be noted that section 132 (and its sister section, section 133) come under the heading of “Powers to deal with emergencies”. Headings in statutes in UK legislation can be used as extrinsic aids to interpretation. Given that other provisions in the Communications Act 2003 and elsewhere provide the regulatory means to obtain communications data or traffic data (which phrases have specific meaning under UK telecommunications law) routinely, a UK court would be likely to find that section 132 only applied to urgent threats requiring imminent action. It is unlikely that a perceived threat that has been in existence since the introduction of BlackBerries, at least since June 2007 for BlackBerry 8800 or December 2009 for BlackBerry Bold for Etisalat, would be considered to be an emergency.

Enforcement Powers of Ofcom

As the UK has an authorisation regime, all communications providers must comply with general conditions made by Ofcom under section 45 of the Communications Act 2003.  These are analogous to standard licence conditions for licensed operators.  The ENA paper describes Ofcom’s suspension powers following breaches of these general conditions, as well as conditions dealing with premium rate services or provisions concerning the supply of requested information to the regulator.  This is largely irrelevant when considering the TRA’s actions, other than to note that Ofcom can under certain circumstances order the suspension of services.  However, under UK administrative law, any Ofcom order to suspend services made without reasoning that showed their regulatory action to be objective, transparent, non-discriminatory and proportionate would immediately be vulnerable to an appeal to the Competition Appeal Tribunal (under section 192 of the Communications Act 2003).  Merely stating that a direction was made upon the grounds of public safety, public health or national security would not be sufficient.  No regulatory intervention could be made under UK law on public interest grounds alone.

Interception

The ENA paper faithfully sets out the interception of communications regime under UK telecommunications law. It notes that interception by a public telecommunications operator in accordance with the terms of a properly authorised warrant is lawful, and notes that public telecommunications operators are required to maintain interception capabilities. Where necessary, encryption keys and decryption technologies must also be disclosed in order to enable the relevant persons to decrypt interception information obtained by them under a warrant.

Right to Privacy

The starting point for UK telecommunications law on access to communications or traffic data is the right to privacy, which is set out in the Human Rights Act 1998.  This incorporates the European Convention of Human Rights into UK law.  Article 8 of the Convention states:

Article 8 – Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

It is extremely difficult to imagine the circumstances that would need to exist in the UK so that a provision similar to the TRA’s Article 11.1 of the Policy on Radiocommunications dated 23 July 2008, which prohibits the use of any encryption techniques unless authorised by TRA, would be considered “necessary in a democratic society”.

Divergent Approaches

The laws of the UK start with the presumption that encryption is lawful and permitted.  A regulatory mechanism exists to enable the relevant authorities to obtain access to encrypted communications, and the encryption keys and decryption technologies, where necessary and on an exception basis, in order to monitor or intercept certain communications in the interests of public safety, public health and national security subject to justiciable warrants (see Part IV of the Regulation of Investigatory Powers Act 2000).

The UK system has recently (18 May 2010) been the subject of a ruling of the European Court of Human Rights (in the case of Kennedy v United Kingdom (Application 26839/05)), where it was determined to be consistent with Article 8(2) of the Convention. The case also illustrates how a citizen can challenge an interception warrant.

The TRA UAE Policy on Radiocommunications describes a fundamentally different approach. In the UAE the default presumption appears to be that encryption is not lawful or permitted. It is only permitted by the TRA or competent authorities where the encryption is determined not to be a threat to public interest, safety or national security.

Conclusion

In summary, the UK approach is that communications are a private matter, with the default position being that all encryption or signalling methods are lawful unless the subject of a specific direction in order to protect against threats to public safety or public health or in the interests of national security.

In contrast, the UAE approach is that communications are not a private matter, with the default position that any form of encryption is not lawful, unless permitted by the TRA UAE. Permission will not be granted if TRA UAE consider that refusing permission would be in the public interest, safety or national security interest. This is not to suggest that this default position and regulatory approach is wrong; it just tackles the question of lawful encryption in a fundamentally different way from the UK.

What is wrong is to imply that the UAE and UK telecommunications regimes are in any way equivalent or comparable, given these diametrically opposed starting points, merely because both systems provide regulators with similar emergency and enforcement powers.  The approaches to privacy, and the systems that implement them, are as different as chalk and cheese.