Is EU data protection law hampering terrorism and serious crime investigations?

Irish high court

In February 2018 the Irish High Court will assess if Irish legislation governing the retention and access to telecommunications data is compatible with EU law. This will not be the first time a  case regarding EU data protection law and the retention and access to telecommunications emanated from Ireland. The Irish campaign group Digital Rights Ireland brought a case to the Irish courts that ended up in the EU’s Court of Justice of the European Union (CJEU) where the compatibility of the EU’s Directive 2006/24/EC with EU law protecting privacy rights and protection of personal data was examined. Introduced following the terrorist attacks in Madrid 2004 and London 2005, the 2006 Directive laid down an obligation on publicly available electronic communications services or public communications networks to retain certain data generated or processed by them that would assist in investigating and prosecuting terrorism and serious crime cases.

CJEU

In the case of Digital Rights (2014) the CJEU found the 2006 Directive would  for a number of reasons (reasons underpinned by the 1995 Data Protection Directive 95/46/EC and articles 7, right to privacy, and 8, protection of personal data in the EU’s Charter of Fundamental Rights and Freedoms – CFRF) the 2006 Directive was invalid.  Among those reasons it included that the retention of the data was indiscriminate, the grounds for limiting the rights were too broad and not sufficiently specific, there was a lack of judicial authorisation or scrutiny and there were insufficient safeguards protecting those rights.

In December 2016 the CJEU was again requested in the Tele2 case to examine the compatibility of EU law protecting personal data, this time with the statutes in Sweden and the UK that were then covering the retention and access to telecommunications data linked to investigations into terrorism and serious crime. In Tele2 the CJEU also examined article 52 CFRF and the EU’s 2002 e-Privacy Directive 2002/58/EC.  Both Sweden and the UK’s statutes were found to be incompatible with EU law and therefore invalid. In Tele2 the CJEU did recognise that fighting terrorism and serious crime was important enough to be an objective of general interest to limit citizens’ rights to protection of personal data but added:

‘…however fundamental it may be, it cannot itself justify that national legislation providing for the general interest and indiscriminate retention of all traffic and location data should be considered to be necessary for the purposes of that fight.’

The CJEU held that for the retention and access to telecommunications data to meet EU law requirements:

1. The limitation of the exercise of rights and freedoms must be provided for by law; and
2. The limitations must be subject to the principles of proportionality; and
3. The limitations must be necessary; and
4. The limitations must meet the general interest recognised by the EU.

It can be argued that in their judgement the CJEU’s guidance to both Member State legislators and state investigatory bodies, the CJEU itself has lacked being specific as to essential criteria necessary and must be present to ensure when the objectives of fighting crime and terrorism meet the limitations as to the grounds of general interest that justifies the lawful retention of telecommunications data. The same can be said regarding providing guidance on what grounds would justify necessity. Throughout the judgement in Tele2 the CJEU repeat that to be compatible with the principle of proportionality conditions laid down in national legislation must not exceed the limits to what is strictly necessary. On what is regarded as strictly necessary the CJEU state national legislation must be based on objective criteria defining the circumstances and conditions under which competent authorities can access the telecommunications data. The Court added, presumably as a guidance, that access can only be granted:

‘…in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime.’

Adding:

‘[In] particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities.’ ([2016] All ER (D) 107, paragraph 119)

To ensure these conditions are fully met the CJEU held that as a general rule an authorisation to access and disclosure of telecommunications data be reviewed by either a court or an independent administrative body with the court or body’s decision being made following a reason request by the authorities that the purposes are for the prevention, detection or prosecution of crime. This echoed the CJEU’s decision in Digital Rights.

While prima facie the guidance provided by the CJEU in Tele2,  seems clear and laudable, this guidance only applies to certain investigations into serious crime or terrorism, and would arguably be more pertinent to serious crime investigations rather than terrorism investigations. Understanding why the CJEU limits its guidance that at times seems at variance with national courts, especially those in Member States with a common law legal system like Ireland and the UK could be explained in the rules concerning statutory interpretation. In common law jurisdictions the courts apply one of three rules, the literal rule, the golden rule and the mischief rule. In essence the courts apply the literal rule where statutes are to be interpreted using the ordinary meaning of the language of the statute unless a statute explicitly defines some of its terms otherwise. In other words, the law is to read, word for word and should not divert from its true meaning. The golden rule applies where the courts see an application of the literal rule leading to an absurdity, then the courts may then apply a secondary meaning. The mischief rule should only be applied where there is ambiguity in the statute where under the mischief rule the court’s role is to suppress the mischief the Act is aimed at and advance the remedy.

However, these traditional statutory interpretation rules are not seen as applicable when interpreting national law with EU directives and considering the CJEU’s decision making. This could be due to virtually all of continental European states’ jurisdciaitons not having a common law legal system, with their courts’ role being solely statutory interpretation, which is what is seen with the CJEU. In these circumstances two methodological rules have been identified in CJEU case law, the interpretative priority rule and the presumption of compliance rule.

Regarding the interpretative priority rule, national courts must favour the interpretation of the national legislation which is the most consistent with the result sought by the directive. The aim here is to achieve an outcome compatible with the provisions of the directive that is consistent within all of the Member States. The presumption of compliance rule is a presumption that the national court intended to transpose the directive fully into national law with a court assuming that the national legislature intended to comply entirely with the requirements of the directive. The presumption of compliance rule can result in problematic consequences in the event the national legislation or the ruling by the national court contains inadvertent inconsistencies with EU law. This occurs where a specific objective of an enactment in national law contradicts the directive’s requirements as subsequently interpreted by the CJEU and there is no indication the national legislature realised the presence of the inconsistency.

Compared to national courts in common law jurisdictions who have traditionally been granted a much wider leverage in their statutory interpretation rules, the EU rules could be perceived as fettering the national court judges’ traditional decision making and limiting in relation to guidance provided in judgements regarding how EU law is applied. This is relevant not just to national legislatures, but also to agencies that particular EU law applies to. It is submitted that this is because common law jurisdictions are used to having both the ratio of the case and obitur dictum in their case reports where, in most cases, common law courts’ obitur is generally more extensive than that seen in case reports on European judgements. Accepting that obitur is not the decision only persuasive argument, a wider and more expansive obitur is also useful in guiding agencies’ actions when applying the law in circumstances that do not quite match those in the facts of a case report. As seen in both the CJEU’s decisions in Digital Rights and Tele2 the guidance provided is more limiting than that seen in Member States’ national courts with a common law legal system when interpreting non-EU national law. This may be due to the difficult task that in trying to harmonise EU law among 28 Member States and the variance of legal procedures among those states, the CJEU is trying not to be too prescriptive in its decision making that could result in either providing too wide or narrow an interpretation of EU law.

The impact these cases have had on EU Member States’ national law can be seen in the following. In response to the Digital Rights decision, the UK introduced the Data Retention and Investigatory Powers Act 2015 that required communications operators to retain telecommunications data up to a period not exceeding 12 months. It also allowed for authorisation of interception warrants to UK intelligence and policing agencies to access the communications data when necessary in the interests of national security, to prevent or detect serious crime or to safeguard the UK’s economic well-being. This was the UK statute that the CJEU in Tele2 found to be incompatible with EU law. In March 2015 a national Dutch court in The Hague followed the CJEU’s decision in Digital Rights and found Holland’s surveillance and data retention law fell under the EU law and the CFRF. As the Dutch law failed to conform adequately to articles 7 and 8 of the CFRF, along with the court also finding insufficient safeguards, the Court suspended the Dutch law.Applying the Digital Rights decision similar legal issues were found in the respective domestic statutory provisions regarding surveillance of communications post-Digital Rights by the respective judiciaries in Sweden, Romania and Belgium where their respective courts have held their legislation to be in breach of EU law. This raises the question of how can state bodies investigating terrorism and serious crime legally access telecommunications data?

FaceTimeskypewhatsapp

Especially since the introduction of the e-Privacy Directive in 2002  we have seen the growth in forms of communication and the ways in which people carry out transactions from banking online, shopping online (including booking travel), send messages and speak to each other in various messaging services including Skype and FaceTime where people can converse while seeing each other. There are also encrypted messaging services that have been used by criminals and terrorists from Telegram to WhatsApp. Recently the likes of WhatsApp has been the preferred form of communication by criminals and terrorists as it is encrypted and apart from sending written messages, with this App individuals can send recorded voice messages to each other as well as pictorial images. Once cannot compare the technological wizardry that was the Nokia mobile phone to the i-Phones we have now that are in essence pocket sized computers. As such it is time the EU looked to introduce legislation that allows for internet and communications service providers to retain their telecommunications data for at least up to 12 months and allow state investigative bodies investigating acts of terrorism and serious crime access to that data. Since 2007 there have bee too many examples of how effective access to this data has been in the arrest and subsequent conviction of terrorists and those committing serious crime.

No doubt some reading this will have concerns over the state conducting widespread surveillance on its citizens and cite the US’ NSA and the Snowden revelations. In the protestations of the potential for state surveillance of telecommunication data an anomaly exists as many mobile phone and internet users do not appear to be so hesitant in passing on personal data, including sensitive data to private companies, including communications and internet service providers. In his book ‘Dawn of the New Everything: A Journey Through Virtual Reality’  the former Facebook president, Jaron Lanier says that based on the information individuals provide who they become friends with, what they buy and the news they consume is based on these providers’ algorithms adding that internet companies monitor their users’ habits and interests, which they feed into those companies’ algorithms. Yet, once the state agencies say it wants communications and internet service providers to retain their data in order to gain access to that data when the circumstances exist in relation to serious crime and terrorism, many individuals express a deep concern that the state is turning into a big brother state monitoring their every movement. This is not the case as many senior security service and police officers regularly state, the resources in both staffing levels and equipment are limited and as such both the security services and the police literally cannot monitor the electronic communications of every citizen, they can only target those who pose a threat to state security or who are involved in criminality.

The interests of national security and personal rights are not exclusive issues, but are inclusive and in today’s society we must all accept that state bodies investigating terrorism and organised crime must be able to have access to telecommunications data to deal effectively with terrorists and criminals. As such it is time the EU stopped paying lip service to this notion and fully recognised this by introducing legislation that allows this while effectively balancing citizens’ rights.

My terrorism book cover

You can read more detail on these issues in my forthcoming book ‘Terrorism: law & Policy‘ and I am currently writing an article on this issue and the Irish Dwyer appeal case that will be published after the appeal hearing.

New York Terrorist Attack: What measures can be taken to prevent vehicle attacks?

new-york-terror-truck attackSaipov

In the late afternoon on Tuesday 31st October 2017, Sayfullo Saipov, an Uzbek citizen who arrived in the US in2010 and became a legal US resident, drove a truck down a cycleway in lower Manhattan, New York, killing 8 people and injuring 11 more. After crashing the truck, Saipov emerged from the vehicle wielding a pellet gun and paintball gun. NYPD officers shot Saipov who received serious but non-fatal injuries and was arrested. The cosmopolitan make-up of New York was seen in the victims where five of those killed were Argentinian and another victim who died was Belgian. Within an hour of the attack New York authorities declared this was a terrorist incident. Saipov left a note in the truck claiming he committed the attack on behalf of the group Islamic state (IS), adding ‘ISIS lives forever’. At the time of writing IS have yet to claim responsibility for the attack, but as I have said in previous blogs, IS do claim responsibility for many attacks where they do not give direct orders or have any direct contact with the attacker.

Möglicher Anschlag mit Lastwagen auf Weihnachtsmarkt

Once more we have witnessed an attack where a vehicle has been driven into people. We have seen a number of attacks of this nature in the last 18 months from Nice, July 2016, the Berlin Christmas Market, December 2016, three attacks in the UK in 2017, Stockholm, April 2017, Barcelona, August 2017 and now New York. In total these attacks have killed 136 people with many more injured.

This raises a number of questions, including if we should expect more of these type of attacks and, importantly, what can be done to prevent these attacks? To the first question it appears the answer is yes, we should expect more of these attacks to occur in the near future. It is an easy form of low-level attack to carry out that can have the maximum, impact in terms of casualties. In IS’ online magazine, Rumiyah, issue 3 contained an article detailing the best methods to use in preparing and carrying out a vehicle attack. Other issues have published articles on how to carry out the most effective knife attacks and in kidnapping western hostages. Even though IS has lost control of a lot of geographical territory, its propaganda media is still effective, especially in influencing individuals to follow IS’ narrative and carry out attacks in the group’s name. So, unfortunately it is highly likely that we will see more attacks of this nature.
In relation to whether anything can be done to prevent these types of attack we are approaching seasonal time of year in western states with events ranging from Thanksgiving celebrations in Canada and the US, Christmas Markets and other open air public events through to New Year’s Eve celebrations. It is of paramount importance that we all play our part in preventing attacks, not in leaving it solely to the security services and the policing agencies. Local governments and business should regularly review there contingency plans and where events are planned to ensure sufficient resilience has been built in to prevent terrorist attacks. This can range from ensuring sufficient and effective physical barriers as in place to having effective evacuation facilities.

UK-Security-expo-2017

In the UK this comes under the Protect strand of the CONTEST counter-terrorism policy. With colleagues, I will be advocating this at the UK Security Expo 2017 exhibition that is being held at London’s Olympia exhibition centre 29th and 30th November 2017.

radio sheffield logo

I discuss the New York attacks and issues above in more details in my interview with BBC Radio Sheffield. The interview is 1 hour 9 minutes 10 seconds in

The £4 Billion Refurbishment of the Palace of Westminster: An Opportunity to Incorporate Sate of the Art Security

westminster

The Palace of Westminster is to undergo a major refurbishment at a cost estimated to be between £4 billion – £7 billion that is due to start 2019-2020. It is not the first time that MP’s and Lords will have to move to temporary accommodation as following the 1834 fire that destroyed virtually all of the old Palace building MP’s were temporarily relocated to Buckingham Palace. Built during the 1840’s, the Palace does not have modern security provisions built into it. The major refurbishment is an excellent opportunity to ensure that this iconic old Parliament building will combine old world charm with contemporary security.

Sputnik logo

You can read my discussion on this issue with Chris Summers from Sputnik News on the link.

Islamist Terrorism Conviction: Madihah Taheer

Mirza-Madihah-Taheer

Madihah Taheer, a 21 year-old woman who was married to Islamist Ummar Mazra was convicted on the 26th October at Woolwich Crown Court for plotting acts of terrorism that would have occurred in Birmingham. Mazra had earlier pleaded guilty to the offence and Taheer were arrested in march 2017, shortly after the Westminster bridge terrorist attack (the two incidents are not linked). Although Taheer denied the offence saying she was manipulated by Mazra and did not believe Mazra would carry out the attack, evidence presented by the prosecution at her trial revealed the opposite and that she was deeply imbued with the Islamist narrative of the group Islamic State.

West Mids CTU logoMI5 logo

Following an MI5 operation tracking Mizra, he was arrested by the West Midlands Counter-Terrorism Unit  along with his sister for the offence. From Whats App conversations between Mizra and Taheer evidence revealed how there was little doubt that she was influenced by the violence in Islamic Sate’s narrative. For the UK 2017 has been a year where there have been five terrorist attacks, four influenced by Islamism, one allegedly by the extreme far right, but operations like this show how the UK’s security services and police are working on preventing further attacks from happening and the work they put into keeping the UK safe. We can all support them by reporting an suspicious activity to the Anti-Terrorism Hotline 0800 789 321

 

Parsons Green Terrorism Incident, London

parsons green bombparsons green bomb 1

At 8.20 am (BST) on Friday 15th September 2017 an IED exploded on a London Underground train at Parsons Green station on the District Line injuring 29 people. Fortunately no one was killed or seriously injured. That may due in part to reports coming out that the IED was crudely made. This indicates it was constructed by a person with little or no experience or knowledge of explosives. Even though a timer was attached, again it was a basic, crude device. This has led to speculation as to whether Parsons Green was not the perceived target as Parsons Green has not been perceived as a location subject to a high risk of terrorist attacks as there are more likely high risk locations further down the District Line such as St. James Park, Westminster, Embankment or Temple.

The Metropolitan Police has confirmed the bomb attack is a terrorist incident. At the time of writing there is speculation as to who is responsible. This has not been helped by the US President, Donald Trump’s tweet earlier today saying, ‘Another attack in London by a loser terrorist. These are sick and demented people who were in the sights of Scotland Yard. Must be proactive.’ [My emphasis] There is no doubt that this incident has been committed by a person influenced by any form of extremist cause, not just an Islamist one.

I would be surprised if it was someone acting under the political cause of the extreme far right as it is not their style of attack, they tend to attack individuals (and it looks like they too are using vehicles as seen in Charlottesville, US and outside Finsbury Park mosque in London – allegedly). Also this type of attack could alienate any potential far right followers as the majority of victims would have been white UK citizens. Again, I think it is highly unlikely it is someone linked to dissident Irish republicanism such as the new IRA as dissident Irish republicans have never attempted this type of attack and during the Irish Troubles the Provisional IRA’s England Department gave coded warnings when targeting civilian targets. From what information that is released to date, I think this has been carried out by someone inspired by the Islamist narrative, potentially by Islamic State. It may seem strange the bomber did not stay with the device, looking to kill themselves in the explosion, but as we have seen in recent attacks in Europe like Barcelona last month, the terrorist escaped the scene. Recently the UK and other western states have suffered attacks by people inspired by the Islamist narrative who have not received any formal training at camps in the likes of Syria or Iraq, hence why we have seen low level attacks easy to carry out by using vehicles driven into crowds and knife attacks.

rumiyah cover

One source of information Islamic State is using to inspire individuals and recruit them to their cause is the online magazine Rumiyah (Islamic for Rome).The first issue was published in September 2016 and apart from containing propaganda outlining their military actions in countries where they are losing territory, Rumiyah encourages Muslims to carry out their military jihad in western countries like the UK. To aid them, Rumiyah contains articles advising on the best and most effective ways to carry out attacks like those we have recently witnessed.

It is important that if the Parsons Green station attack is another Islamic State inspired attack that all Muslims are not treated with disdain or seen as potential terrorists or terrorist sympathisers, as nothing is further from the truth and this would play into Islamic State’s hands in their propaganda war. I know of many Imams who have barred radicals from their mosques and members if the Muslim community who have passed on information to the police of suspected terrorist activity. It is worth noting that Islamic State do not just kill the kuffar who are Christians, they have killed more Muslims than any other group, Muslims Islamic State see as the murtaddin (Muslims who reject Islam). Those that Islamic State as murtaddin are not Muslims who have rejected Islam, they are Muslims who have rejected Islamic State as the evil group they are. Islamic State have carried out pogroms on many Muslims, killing literally thousands such as Shia Muslims and Kurdish Muslims who they see as apostates.

What can we do to help with these attacks? If you are suspicious of anything or have a feeling something is not right report it to the police or security or phone the anti-terrorist hotline 0800 555 111. The police will handle all information with sensitivity and it is better to be safe than sorry.