MI5 admitted that personal data had been unlawfully processed and retained between the period of 2016 and 2019 due to failures in retention, review and destruction practicies.
See pg.79 of the open judgment for a summary of the failings of MI5 in their handling of personal data in particular.
For further, more detailed, context regarding the case see the Privacy International press release.
In a judgment handed down on 18 May 2022 the High Court has considered what information be BBC can publish in a story pertaining to the actions of an alleged MI5 covet human intelligence source (“CHIS”).
The BBC alleged that X was a CHIS and had been psychologically and sexually abusive to two female partners.
The judgment can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2022/1189.html
The judgment is in two parts- one heard in public and the other in private. The private hearing was held to be necessary so that the Court could hear submissions about information that, if released to the public, would make the identity of the alleged CHIS known.
Mr Justice Chamberlian comments: “The court must be alert to the possibility of “jigsaw” identification. One piece of information may on its own seem innocuous, but when taken together with other information known to a particular malign actor, it may lead to the identification of an individual with greater or lesser confidence. The threat of jigsaw identification is a familiar feature of arguments against disclosure in closed material proceedings in the national security context. It is regularly deployed as a basis for refusing to disclose information known only from covert sources. But, although the court must be alive to the threat of jigsaw identification, it must also be astute not to allow the threat to justify a blanket prohibition on disclosure of any piece of the jigsaw.“
at p.24
The BBC’s article on the case can be found here: https://www.bbc.co.uk/news/uk-61528286
The intial BBC coverage of this matter here: https://www.bbc.co.uk/news/uk-61508520
And details of one of X’s former partners’ legal action to be taken against MI5 here: https://www.bbc.co.uk/news/uk-politics-61521569
The College of Policing has published guidance on the application of facial recognition software.
The guidance comes following the case of Bridges in which the Court of Appeal criticised the South Wales Police Forces use of live facial recognition software. TPP has covered the Bridges appeal in depth.
In a case which reinforces and is underpinned by the principle of open justice, the court has found that an interim hearing concerning the airing of a BBC programme about an MI5 agent who was allegedly “a dangerous extremist and misogynist” should be heard in public.
“The BBC wants to broadcast a programme about an individual, “X”. The programme is to include the allegations that X is a dangerous extremist and misogynist who physically and psychologically abused two former female partners; that X is also a covert human intelligence source (variously referred to as a “CHIS” or an “agent”) for the Security Service (“MI5”); that X told one of these women that he worked for MI5 in order to terrorise and control her; and that MI5 should have known about X’s behaviour and realised that it was inappropriate to use him as a CHIS.”
“The programme is to include the allegations that X is a dangerous extremist and misogynist who physically and psychologically abused two former female partners; that X is also a covert human intelligence source …; that X told one of these women that he worked for MI5 in order to terrorise and control her; and that MI5 should have known about X’s behaviour and realised that it was inappropriate to use him as a CHIS.”
See INFORRM for further details. The now made public judgment can be found on Bailli here.
In Hyderabad, Telengana, a case has been brought against the police concerning the use of facial recognition software, Aljazeera reports.
One of the tactics the article explores is utilising bulk message senders such as Mitto.
The BBC cites that the firms’ database has over 10bn images. The ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete any such data following alleged serious breaches of the UK’s data protection laws.
In a joint investigation with the Australian Information Commissioner (“AIC”) the ICO concluded that the data, some scraped from the internet, was being processed, in the case of UK persons, unlawfully in some instances.
Clearview AI Inc’s services were being used on a free trial basis by some law enforcement agencies. This has been confirmed to no longer be the case.
The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:
Information Comissioner Elizabeth Denham commented:
“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.
Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”
This is one of the largest fines issued under the GDPR to date. Clearview now has the opportunity to respond, both in the UK and Australia (the AIC has found breaches of Australian privacy laws).
It’s unsurprising that its database, said to have included images scraped from social media, has drawn the attention of regulators. Facial recognition services have been at the forefront of recent data analytics scrutiny and data protection enforceability.
The ICO press release can be found here and the AIC press release here.
The previous statement of the ICO on the conclusion of the joint investigation can be found here.
“I am satisfied that the
extent of range to which these devices can capture audio is well beyond the
range of video that they capture, and in my view cannot be said to be
reasonable for the purpose for which the devices are used by the Defendant,
since the legitimate aim for which they are said to be used, namely crime
prevention, could surely be achieved by something less. A great deal of the
purpose could be achieved without audio at all, as is the case with the bulk
of CCTV systems in use in public places in this country, or by a microphone that only picks up sound within a small diameter of the device.Melissa Clarke HHJ. at p.137
That finding means that I am satisfied that the processing of such audio
data by the Defendant as data controller is not lawful. The extent of the
range means that personal data may be captured from people who are not
even aware that the device is there, or that it records and processes audio
personal data, or that it can do so from such a distance away, in breach of
the first principle.”
In Fairhurst a neighbour complained that use of several cameras, including a Ring doorbell, amounted to nusiance, harassment and breach of the Data Protection Act 2018.
The claims of harassment and data protection succeeded. It was, in particular, noted that the audio recording capabilities of the devices were much broader in than the video recording capability. As the above quote shows, the extent processing of the audio recording data was such that it was unlawful under data protection laws.
The audio recording capability of the Ring device extended 40-68ft (12-20m).
Amazon released a statement following the finding in the case: “We strongly encourage our customers to respect their neighbours’ privacy and comply with any applicable laws when using their Ring product.”
The case serves as a cautionary tale for those seeking to implement surveillance around their homes that impinge upon their neighbours.
INFORRM has an excellent case comment for interested readers. As does the Guardian.
The Investigatory Powers Tribunal has held that general warrants cannot be used by the intelligence services to bulk surveil in a manner unless the purpose for the warrant is so specific as to be objectively ascertainable.
In the High Court on January 8 judgement was entered for the claimants responding to the question:
“Does section 5 of [the 1994 Intelligence Services Act] permit the issue of a ‘thematic’ computer hacking warrant authorising acts in respect of an entire class of people or an entire class of such acts?”
The Court found it did not.
In citing 250 year of caselaw the Court considered common law principles had well established an aversion to general warrants. They are simply to broad in scope, being able to apply to whoever or whatever the warrant searcher wishes accordingly:
at p.30
It was up to the Secretary of State in this instance to decide the legality, proportionality and necessity of the application for a warrant and limit it in scope in so far as was absolutely necessary. Giving such discretion to an executing official in this case would be unlawful.
Further the Court stated plainly that the common law was strongly averse to statutory construction permitting such warrants to be lawful.
It went on to state:
at p.48
The Court then went on to provide further guidance as to what could or not be achieved by a warrant:
“ A warrant in respect of “any device used at the Acacia Avenue Internet Café during the period of six months from the date of issue of the warrant” would in our view be sufficiently specific, as would “anyone who appears on the FCDO Ruritanian diplomatic list during the period of six months from the date of the warrant”.”
at p.52
As for the impermissible broad brush approach:
at p.53
The case represents a significant step in providing greater clarity around the restrictions on surveillance tools and the interpretation of legislation in light of the common law concerning general warrants.
A step towards safeguarding privacy, certainly, in the curtailment of investigatory powers in the bulk interception of communications. It also acts as a reinforcement of the checks and balances role of the Secretary of State in approving such tools to be used.
The Privacy International press release following the judgement can be found here.
“It has now been
made clear beyond peradventure that members of the Security
Services owe a lifelong duty not to discuss their service experience
with the media….” Lord Kieth of Kinkel, The Spycatcher case at p.27, [1990] 1 AC 109
The above quote from the infamous Spycatcher case has long been entrenched under English Law.
However, it has been advanced that for Article 10 freedom of expression rights to be safeguarded there must be an implementation of a public interest defence to disclosing information that would otherwise be criminalised under the Offical Secrets Acts (“OSAs”).
Practically, cases such as that of Edward Snowden highlighted at an international level the need for such a defence to be clear, practical and consistently applied to ensure that they are effective at safeguarding the public interest and operating as a defence to disclosure in what can be the most sensitive of cases.
In the case of Shayler it was considered whether the provisions of the OSAs were compatible with Article 10 of the Convention. It was concluded that the provisions of the Act, whilst a prima facie limitation on Shayler’s right to freedom of expression, were a proportionate means of achieving a legitimate aim. The case highlighted the critical question- does our legislative framework sufficiently protect freedom of expression in this highly sensitive area? At that time it was consider it did, leaving the question of whether a public interest defence in disclosure was required to fall away.
As is, current OSA legislation does not yet provide a defence where public interest in the disclosure of information is advanced. Rather it has been left primarily unacknowledged by statute that this can cut both ways in article 10 cases where disclosures were made that would otherwise constitute criminal offences under the OSA’s.
It was in the Law Commission’s Report into antiquated spying laws published on 1 September 2020 that it was recommended a statutory public interest defence be introduced to the current framework. It was suggested that the means of the disclosure as well as the subject matter of the disclosure being in the public interest should be factors in the application of any defence.
However, the detail of the defence was not considered at length as it was considered that further consultation would be required for any recommendations to be made.
It is in the context that the campaign for such a defence has launched. Matrix’s Chamber’s press release reveals that person spearheading the campaign is “Janus Friis, a philanthropic technology entrepreneur”. Friis has instructed Mischon de Reya’s James Libson, Ben Brandon and Katy Colton and in turn Alex Bailin QC and Jessica Jones of Matrix Chambers. They are working with communications consultancy Powerscourt and have submitted a evidence to the Joint Committee on Human Rights.
The Telegraph has coverage of this development.
The Privacy Perspective 