Dark times for data protection in Europe – has the UK lost the plot?

The US government is vast. Its spying capabilities are vast too, and their precise nature – as well as what happens to you if you whistleblow about it – are the topics of upcoming film A Good American.

But you can’t really talk about the NSA without talking eventually about GCHQ, the UK equivalent. The Snowden leaks in 2013 showed how closely the two countries had collaborated in developing mass surveillance programs aimed at their own populations; but just two days ago, further leaks showed that the ‘collect it all’ ethos which came to dominate the American agency originated in the English countryside.

Still from A Good American: NSA's Bad Aibling listening post (now BND)

So in this third post on the issues raised in A Good American, we’re looking at the NSA’s friends in Britain, and how the UK’s current approach contrasts with developments in Europe. Three years since the first documents showing the extent of mass surveillance were leaked by Edward Snowden, even the US government has rolled back some of its spying, though not nearly far enough for many civil liberty advocates. The EU, meanwhile, has been getting tougher on companies sharing EU citizens’ data with the US.

But in the UK, where privacy protections are already poor, the government is apparently determined to increase mass surveillance to unprecedented levels.

The upcoming Investigatory Powers Bill (often referred to as IP Bill) passed its third reading in the House of Commons earlier this summer. All that stands in its way now is the unelected House of Lords, which somewhat ironically often does a better job at halting bad legislation than the elected chamber does. So far however it has met very little resistance; the fact that the bill was considered while everyone was distracted by ‘Brexit’ might, a cynic would say, have been no mistake.

Dubbed the ‘Snooper’s Charter’, the bill has been rushed through parliament by a right-wing government. Its last incarnation, the Draft Communications Bill, was a favourite of then-Home Secretary Theresa May, but her party’s liberal coalition partners eventually blocked it in 2013. That bill would have forced internet and mobile phone companies to keep records of every person’s communications, including online activity, and was strongly criticised by privacy campaigners.

May didn’t give up though, and when the Conservatives scraped a majority in the 2015 election, she appeared on the BBC within hours to gleefully announce the return of this “key example” of unfettered Conservative policy.

Theresa May in 2013, as Home Secretary. Photo: Policy Exchange. License: CC BY 2.0

And what an example it is. Every website you visit, when you visited it, and on what device, is information that soon could be held by your ISP, for government agencies to access if ‘justified’. The internet company won’t have a choice, by the way. The cost of this data storage could be in the billions, and the government is proposing no cap on what it shells out. Bella Sankey, campaigner with Liberty, says it’s akin to “asking shopkeepers to take a photo of someone that comes into their shop, and keep it in a file.”

There’s also the sweeping new powers for the police to hack devices and networks; a truly worrying prospect for anyone familiar with the treatment of protestors and activists in the UK. Sankey explains the implications for this:

“So-called “thematic powers” interception allow for very broad targeting both in terms of interception and hacking. Whole organisations, groups or locations can be targeted by one warrant. And despite the intrusiveness of hacking capabilities, there are no safeguards such as a requirement for an audit trail, and so no way to ensure that evidence isn’t tampered with.”

The ‘collect it all’ approach which the NSA became famous for across the pond seems to have been enthusiastically adopted by the British authorities and, in this bill, applied to a myriad of different methods of surveillance. It’s not just the blanket interception of foreign and domestic communications data, but also the acquisition of ‘personal datasets’: basically any list you might conceivably be on, from flight registers to customer databases of private companies, to NHS records and tax documents. The problems with this are obvious; vast numbers of completely innocent people will be on these files, with personal details ranging from financial to medical and everything in between caught up in the net.

“The IP Bill is the most draconian and broad-ranging surveillance legislation of any democratic country.”

Sometimes the hype around surveillance can sound a little hysterical, but a range of experts have condemned the UK’s current trajectory – including Bill Binney, the former NSA analyst whose story of whistleblowing and persecution is documented in the upcoming film A Good American. Binney told tech journal Wired in January this year that bulk acquisition was so inefficient that it would “cost lives” if implemented; and added that the IP Bill would take the UK down a “totalitarian” path.

If this is a pet project of the Conservatives, it’s worth remembering also that previous Labour governments massively increased surveillance, and indeed the Labour Party voted this bill through in June this year. Their reasoning was that enough safeguards had been added in amendments to the bill. Prime Minister May has made much of the ‘double-lock’ authorisation – basically bringing in judicial oversight of the spying – but campaigners say it’s a facade.

“The safeguards proposed in the IP Bill are woefully insufficient”, said Harmit Kambo, director of campaigns at Privacy International. “We don’t have double-lock authorisation: we actually have a political authorisation process with rubber-stamping by people who are not serving judges.”

So does Europe provide a pro-privacy counterpart to the increasingly extreme UK? Kambo thinks not. “France and Germany are both calling for measures which would downgrade encryption”, he explains, “so it’s not straightforward. The IP Bill is the most draconian and broad-ranging surveillance legislation of any democratic country. But it is part of a wider fabric of more authoritarian surveillance measures across the world.”

Pam Cowburn introducing a workshop. Photo: Open Rights Group. License: CC BY-SA 3.0

Pam Cowburn, Communications Director at Open Rights Group, says the spate of surveillance laws in European countries is “perhaps unsurprising given the high profile terrorist attacks that have taken place over the last two years. Since December 2014, France has passed four laws that extend surveillance. However, after the Court of Justice of the European Union struck down the [EU’s] Data Retention Directive in 2014, many European countries have also ended data retention practices.”

Many countries – but not the UK. A final ruling from the CJEU is expected in a matter of weeks on whether the UK’s current data retention law (DRIPA) is legal. This could affect the future of the IP Bill, as the legal arguments are similar – but will the UK listen?

Individual member states across the EU vary hugely in terms of privacy and surveillance. Germany, Romania and the Czech Republic have strong legal frameworks to protect data privacy – while at the other end of the scale the UK and Sweden have little or no constitutional protections, and states such as Poland and Hungary are actively removing such protections, as part of their shift towards right-wing authoritarianism.

The perception that things are better at a EU level comes partly from the role of the European Court of Human Rights; as Cowburn says, the EU’s internet surveillance directive was ruled invalid (this had obliged ISPs and telecom companies to retain customer metadata). In January this year the court again ruled in favour of privacy, objecting to Hungary’s unconstitutional mass surveillance programme. But the human rights court belongs to the Council of Europe, not to the EU; almost all European countries are signed up to the council – and therefore the human rights convention – whereas only 28 states are members of the EU.

European Court of Human Rights. Photo: Latvian Foreign Ministry. License: CC BY-NC-ND 2.0

Another significant ruling took place when the Court of Justice of the European Union (which does belong to the EU) overturned the US-EU data-sharing pact, Safe Harbour, in October last year. The pact regulated how companies could move customer’s data – including cloud computing and social media sites which use US-based servers. The case came in the wake of the Snowden leaks, with growing concern that EU citizens’ data could be snooped on by the NSA when moved to US-based storage. The new pact, Privacy Shield, looks likely to be challenged at the same court next year.

Countries moving towards greater surveillance of their population, like the UK and Hungary, can therefore be restrained by the European courts – though of course the ‘Brexit’ vote casts this into doubt, as the UK prepares to leave the EU. While the British Government, Cowburn tells us, might now be “tempted” to ignore the upcoming ruling on its previous data retention bill (DRIPA) at the European Court of Justice, doing so would put the UK in a bad position for exit negotiations.

What will Brexit mean for data protection?

Whether rulings like that will be enough to trip up the IP Bill’s enthusiasts remains to be seen, but as Pam Cowburn explains, the mass-surveillance model being developed in the UK is admired by authoritarian governments elsewhere. “The impact of the IP Bill will go beyond Europe – the Chinese government has already pointed to UK and US surveillance laws when passing their own much-criticised surveillance law at the end of 2015”.

All that now stands in the way of the IP Bill becoming law is a final reading in the House of Lords, which looks likely to take place before 2017. The bill’s sponsor and main proponent, Theresa May, is now Prime Minister. The other project close to her heart – along with deporting tens of thousands of desperate people – is the crusade to withdraw the UK from the European Convention on Human Rights. Only two other European states are not signatories to the human rights convention: Kazakhstan and Belarus. Both, incidentally, use mass surveillance against citizens to quash dissent.

Though these moves towards bulk surveillance have a lot of critics, it should be noted that they also have a fair degree of support in the general population. In the UK this support is just over 50 per cent, according to the last poll. Amid growing fear of terrorist attacks and (contested) reports that terrorist cells use encrypted communication to organise, calls for encryption-busting legislation are coming from France, Germany and the UK, and bulk surveillance is defended as the only way to catch the next potential bomber. Next week, we’ll look at these proposals and ask: is this just the sacrifice we have to make in order to avoid further catastrophe?

A Good American in cinemas

Moving Docs is bringing A Good American to cinemas across Europe. Screenings are ongoing in Spain; from 15 September in the UK, together with Take One Action and The Guardian Live; and from 12 November in Greece.

This post was written by Jen Stout for Film & Campaign on behalf of Scottish Documentary Institute, a Moving Docs partner.