The Scrutiny of the Electronic Communications of Businesses: Striking the Balance Between the Power
to Intercept and the Right to Privacy?
Kirstie Best,
LLB Lecturer in Law, and
Rob McCusker,
BA MA Senior Lecturer in Law
School of Law, University College Northampton
© Copyright 2002 Kirstie Best and Rob McCusker
First Published in Web Journal of Current Legal Issues.
Summary
The Regulation of Investigatory Powers Act 2000 creates wide-ranging powers
of interception for public authorities and businesses. The nature, scope and
purpose of these powers are similar, despite the different nature of the bodies
exercising them. Public authorities are allowed a broad discretion to intercept
the communications of businesses (and others) in order to protect national
security and other important interests of the United Kingdom. Businesses have
been granted a discretion to intercept that is primarily exercisable in the
protection of their own business interests, but can also operate for the protection
of wider societal interests. The Act makes reference to human rights principles
but, it is argued, the inclusion of these principles within the interception
powers do not ensure that sufficient consideration is given to the right to
privacy.
Introduction
The use, or propensity for the use, of electronic communications for a wide
range of criminal activities has always made it extremely unlikely that governments
would be able or willing to leave such communications unobserved and unregulated.
The US National Security Council’s Director for Information Protection,
Jeffrey Hunker, has argued that although companies may once have dealt with
security breaches unilaterally, this approach is “...totally inappropriate
when we’re dealing with a world where what you’re experiencing
might be one facet of a much larger intelligence or terrorist or national
security threat.” (Beiser 1999) In his introduction to the National Infrastructure
Security Co-ordination Centre Jack Straw (the then Home Secretary) noted that
“[t]he growth of global networked IT systems offers unprecedented benefits
for business. But it also creates new vulnerabilities. The number and sophistication
of electronic attacks will continue to increase and Government has a responsibility
to ensure that protection, proportionate to the threat, is in place for systems
critical to national well-being and economic prosperity.” (<www.open.gov.uk/homeoffice>
January 2001). Furthermore, the US Attorney-General Janet Reno has stated
that the public and private sectors have to co-operate if cyber-crime is to
be tackled effectively. She argued that “...we all have a common goal
– to keep the nation’s computer network secure, safe and reliable.”
(<www.bbc.co.uk/news> April
2000) These concerns have, in the United Kingdom, found legislative force
through the Regulation of Investigatory Powers Act 2000. This allows public
authorities to monitor the electronic communications of individuals and organisations,
and allows employers (in the public and private sectors) to monitor usage
by employees. This article analyses the justification for, and scope of, these
powers and examines whether an appropriate balance has been struck between
genuine security concerns and the right to privacy.
The Justification for Interception by Government
Businesses, as well as governments, seemingly recognise the importance of
secure systems, mainly because consumer confidence is a pre-requisite for the
continued expansion of e-commerce. Businesses also recognise that such security
can only be attained through the use of encryption.(1)
Thus, the British Chambers of Commerce has observed that cryptography “...provides
the basis for data protection and privacy and is also the key mechanism for
identifying the parties to transactions, for authenticating data and for providing
the digital signatures that are widely seen as an essential basis for electronic
transactions.” (<www.britishchambers.org.uk/newsandpolicy.ict/ripbillsummary>
p.12) However, in their keenness to exploit the web commercially, companies
have mostly forgotten the vulnerability to fraud of themselves and their customers.
To have devised adequate protection within websites for businesses would have
led to lengthy delays during which other, less scrupulous, competitors might
have obtained a market advantage (Ging 2000). Businesses’ primary motivation
is therefore the creation of profit, and the delay caused by implementing protection
for consumers simply reduces that profit margin. As Taitt(2)
notes, “[t]he bottom line is there isn’t any incentive for these
companies to provide security.” (Ging 2000)
The company that suffers a security breach is in a somewhat invidious position.
To reveal that the breach has occurred enables the effects of that breach to
become mitigated because, for example, consumers and credit card providers can
be notified and the requisite action taken. However, revealing that a security
breach has indeed occurred undermines public confidence in the company in particular
and in e-commerce in general. The likelihood of security breaches becoming known
in the public domain or business community, therefore, will be slight. A study
by the Computer Security Institute and the FBI, which surveyed 643 computer-security
professionals in large corporations, revealed that 70 percent of them had detected
unauthorised use of their computer systems in the previous year. Only 273 of
the 643 respondents were prepared to quantify the amount of money lost. However,
the losses revealed by those 273 alone amounted to $266 million for the year
(www.library.northernlight.com May 2000). Businesses, Stewart maintains, “...have an interest in minimizing
their security weaknesses, and that makes for an ambivalent relationship with
the security panic. It may bring unwanted government intervention and customer
concern, so businesses are inclined to play down the threat.” (Stewart
2000)
Governments are aware of this protective reaction and this, in part, is what
drives their desire to be able to monitor e-mail and Internet traffic. For example,
the US Congress introduced the Cyberspace Electronic Security Act 1999. This
provides, inter alia, law enforcement agencies with the right to gain
access to encrypted information and then decrypt it into plaintext (i.e. readable
text) for the purposes of pursuing an investigation. Acting Attorney-General
Jon Jennings argued that “...the same encryption products that help facilitate
confidential communications between law-abiding citizens also pose a significant
and undeniable public safety risk when used to facilitate and mask illegal and
criminal activity.” (<www.bbc.co.uk/news> 20
August 1999) Similarly, the White House noted that the Act “...would protect
the growing use of encryption for the legitimate protection of privacy and confidentiality
by businesses and individuals, while helping law enforcement agencies obtain
evidence to investigate and prosecute criminals despite their use of encryption
to hide criminal activity.” (www.cdt.org/crypto/CESA) In the United Kingdom,
the desire to combat serious crime and terrorism underpinned the government’s
introduction of the Regulation of Investigatory Powers Act 2000 (Press Notice,
<www.homeoffice.gov.uk/ripa/pnrip.htm>
February 2000). This Act establishes a comprehensive statutory framework for
regulating surveillance by both public authorities and private bodies. In particular,
it regulates the interception, acquisition and disclosure of communications
and traffic data, and the investigation of electronic data protected by encryption.
This repeals earlier, more limited, legislation such as the Interception of
Communications Act 1985, and is an attempt to ensure that the law is now in
line with technological developments.(3)
The Right to Privacy
While there appear to be reasonable justifications for the interception of
communications by public authorities, such actions do constitute a prima
facie interference with the right to respect for private and family life,
home and correspondence (as protected by Article 8(1) of the European Convention
on Human Rights). Even where interference occurs in the context of the workplace
it may breach this right.(4) The
rationale for this is that the opportunity to form relationships is an essential
component of one’s private life, and for many people the workplace is
the main forum for doing so. Further, it may be difficult to distinguish an
individual’s personal and professional activities, and their personal
residence from their professional premises. Therefore, a broad interpretation
of ‘private life’ is to be favoured, although the European Court
of Human Rights has suggested that a restriction to Article 8(1) might be more
easily justified where the context is professional rather than wholly personal.
Finally, the aim of Article 8(1) is to protect individuals against arbitrary
interference by public authorities, and such interference is objectionable regardless
of the context (Niemietz, paras.29-31).
Article 8(2) does allow privacy to be limited ‘in accordance with the
law’, which means that interception must be regulated by clear, precise
and accessible legal rules (Sunday Times v United Kingdom (1979) 2 EHRR 245).
In the absence of such rules there is likely to be found a breach of Article
8(1). A breach is also likely if there is a failure to explicitly warn of the
possibility of interception. A lack of warning can create a reasonable expectation
of privacy that may be reinforced where an employee works in seclusion (i.e.
in their own office) and where some private use of telecommunications systems
is permitted.(5) The interference
must also be proportionate, in response to a pressing social need, and for one
of the legitimate aims established by the Convention such as national security
or the prevention of crime (Silver v United Kingdom (1983) 5 EHRR 347).
Since the Convention applies to natural and legal persons (Sunday Times v
United Kingdom) both individuals and businesses can claim that interception
of their business communications by a public authority amounts to a breach of
Article 8(1).
Regulation of Investigatory Powers Act 2000: General Power to Intercept
Part I (Chapter 1) of the 2000 Act makes it unlawful to intercept, without
lawful authority, telecommunications in the course of transmission. Section
1 has the effect of restricting the interception of, inter alia, e-mail,
Internet access, fax, telephone calls (including mobile telephones), answer-phone
messages, pagers, and video conferencing links. Liability is different depending
on the circumstances of the interception. Section 1(1) and (2) establishes that
the intentional interception of communications (whether transmitted by public
or private telecommunications systems) will be a criminal offence if it occurs
without lawful authority.(6) Section
1(3) creates a statutory tort (actionable by the sender or recipient) of unlawful
interception on a private telecommunications system where the person with lawful
control of that private system consents to (or carries out) the interception,
but there is no lawful authority within the meaning of the Act.
What amounts to lawful authority under section 1 will depend on whether the
interception is of a public or a private telecommunications system and who is
seeking to intercept. A public authority (such as the police) can intercept
communications on a public or private system under sections 3, 4 (both without
warrant) or 5 (with warrant). A private body (such as a non-public sector employer)
can only intercept communications transmitted via its own private system under
section 3 or 4 (both without warrant). While private bodies do not have the
same legal powers to intercept as public authorities, the 2000 Act provides
the former with overt legal authority to restrict privacy, whereas previously
their power lay solely in the absence of legal rules preventing such interceptions.
As a corollary, the subject of this interception (such as a private sector employee)
is also better protected from unjustified interceptions than previously. Similar
arguments also apply to the more comprehensive powers now available to public
authorities. However, the 2000 Act is not a panacea and the powers granted to
public authorities and private bodies may be criticised for failing to give
sufficient weight to the human rights of those whose communications are intercepted.
The Interception Powers of Public Authorities
In relation to the interception powers granted only to public authorities,
section 5 provides a significant power to intercept any telecommunications.
The Secretary of State may issue a warrant authorising the interception of communications
on any telecommunications system (public or private). Such a warrant can only
be issued to persons specified in section 6, such as the Director-General of
the Security Service or the chief constable of a police force. The list is therefore
strictly limited to persons exercising a public function. Section 5(2) and (3)
states that a warrant should not be issued unless the Secretary of State believes
it to be necessary and proportionate on the grounds of national security, the
prevention and detection of serious crime, for the safeguarding of the economic
well-being of the United Kingdom, or in relation to an international mutual
assistance agreement. The Secretary of State must consider whether the information
could be reasonably obtained by means other than a warrant (section 5(4)), although
this suggests that a warrant can still be issued even if the information could
be reasonably obtained etc.
This is very similar to the Secretary of State’s original power to
authorise interception under warrant (section 2 of the 1985 Act), and the 2000
Act does little to address criticisms levelled at the 1985 Act. While the 1985
Act was found to comply with the Convention (Christie v United Kingdom App.No.21482/93),
it is still objectionable that the Secretary of State issues warrants since
this is suggestive of a lack of independence and a conflict of loyalties. In
Klass the European Court of Human Rights stated that powers of surveillance
required independent, effective and continuous control, and that a judge is
the best guarantor of an impartial and proper application of procedures. However,
the Court acknowledged that while judicial control is desirable, ministerial
control is sufficient particularly where national security is in issue (paras.55-6).
Although the inclusion of proportionality within section 5 is positive, the
Secretary of State is left with a wide and subjective discretion as to whether
or not the warrant is necessary. Further, the grounds on which the warrant may
be issued are broad and lacking in precise meaning. This would seem to conflict
with the well-established principle that, particularly with secret surveillance
powers, the law should be clear and detailed so that the circumstances and conditions
governing the use of such powers are adequately indicated. Only in this way
can the rule of law be upheld, and arbitrary interference prevented (Kopp,
paras.63-4, 71-2; Amann v. Switzerland App.No.27798/95, paras.54-7).
Part I (Chapter II) of the 2000 Act allows public authorities to acquire
and disclose communications data obtained from public and private telecommunications
systems. Section 21 establishes that this does not refer to the contents of
a communication but to data relating to the identity of the person, the apparatus,
or location from which the communication is sent or received. Thus, the telephone
number, e-mail address and headers, and the location of mobile telephones can
all be discovered (Cape 2001, p.21). Sections 22 and 23 establish that public
authorities (as designated by the Secretary of State) can require a telecom
operator (of a public or private system) to obtain and disclose data if this
is necessary and proportionate, and for a ground such as national security (or
for any other purpose specified by Secretary of State). Authorisation for the
exercise of this power comes from the public authority itself.
This type of information gathering was covered by section 1 of the Interception
of Communications Act 1985, but this was not clear from its wording and its
scope required clarification from the House of Lords.(7)
A warrant was required, but only in relation to public telecommunications systems.
Businesses are therefore now better protected than previously in that the terms
of Chapter II are less ambiguous than the 1985 Act. Equally though, a business
is now clearly legally obliged to disclose this information and will be liable
for a failure to do so. As with section 5, this power can be criticised since
the authorisation is on broad and imprecise grounds and the procedure lacks
the appearance of impartiality since public authorities authorise their own
exercise of the powers under Part 1 (Chapter II).
Disclosure of Decryption Keys to Public Authorities
Under Part III of the 2000 Act the disclosure of encrypted electronic data
(or the key for decryption) can be ordered by a public authority where that
data has come into their possession by lawful means, and there are reasonable
grounds to believe that it would be necessary and proportionate for national
security, for the purpose of preventing or detecting crime, or in the interests
of the economic well-being of the United Kingdom (or that it is necessary for
the effective exercise of a statutory power or duty). An order can only be made
if it is not reasonably practicable to obtain the information in any other way
(section 49). It is an offence to fail to comply with a disclosure notice (section
53). Section 55 imposes a duty on authorities who have come into possession
of a key to ensure that the key is only used to obtain specified information,
and that it is used reasonably and proportionately to the minimum extent necessary.
A failure to adhere to these requirements can give rise to a civil claim. This
power did not exist under the 1985 Act so, while businesses are now protected
against some disclosure requests by the criteria laid down in Part III, they
are also now under a clear statutory duty to disclose where the Part III criteria
are met.
Nevertheless, the Act does make reference to important human rights norms
such as proportionality, and the requirement of reasonableness underpins the
Part III power. The explicit reference to Convention principles can be taken
as demonstrating Parliament’s clear intention that these intrusive powers
must be exercised in accordance with Convention jurisprudence (this is of course
supported by the Human Rights Act 1998, discussed below). Further, a section
49 notice should normally be issued by a circuit judge, except where the encrypted
data has been obtained through an authorised interception, lawful search of
property, or some other warrant or authorisation (Schedule 2). This goes some
way to addressing concerns about the independence of the authorising procedure.
Practical Difficulties Resulting from the 2000 Act
Encryption is deemed to be an inevitable facet of the successful expansion
of e-commerce. The fact that criminals may utilise encryption in their own communications
raises a concomitant need for law enforcement agencies to be able to intercept
and decipher coded e-traffic. As Freeh (then FBI Director) noted as far back
as 1997, “[u]nbreakable encryption will allow drug lords, spies, terrorists
and even violent gangs to communicate about their crimes and their conspiracies
with impunity.” (Andrews 2000, p.4) The Chief Investigations Officer for HM
Customs and Excise also noted that “...60 percent of our drug seizures
are related to the interceptions of communications” and that the ability,
therefore, to be able to intercept e-traffic quickly and clearly was essential
(Andrews 2000, p.4). The British and American governments have therefore sought
to justify their respective pieces of legislation by the fact that the very
possibility of the utilisation of encryption by criminal groups requires that
governments have a concomitant right to access the plaintext of those otherwise
hidden communications.
However, the British Chambers of Commerce (BCC) has argued that the 2000
Act is “...likely to create a legal environment which will inhibit investment,
impede the evolution of e-commerce, impose direct and indirect costs on business
and the consumer, diminish overall trust in e-commerce, disrupt business-to-business
relationships, place UK companies at a competitive disadvantage, and create
a range of legal uncertainties which will place a growing number of businesses
in a precarious position.” (<www.britishchambers.org.uk/newsandpolicy.ict/ripbillsummary>
p.1) The BCC's chief concern lies in the provisions concerning cryptography,
which it maintains “...is now universally seen as a critical technology
on which e-commerce will depend.” (at p.12) Cryptographic technology,
however, is only as good as the security under which the keys that unlock the
coded language are kept. While the 2000 Act provides (section 49(2)) that a
notice requiring disclosure by the key holder of encrypted information may be
given on reasonable grounds, it also provides that, where there appears to be
more than one person in possession of the key, notice will not be given (section
49(5) and (6)). Further, in “special circumstances” those subsections
will not apply (section 49(7)); what those circumstances are, or could be, is
not disclosed. The BCC argues that this lack of clarification places businesses
in a difficult strategic position. It notes that “[w]here a security risk
can be quantified, a business decision can be made on whether the level of risk
is tolerable or whether steps need to be taken to counter it. But when such
a risk is of unknown extent, security decisions have to err on the side of caution
by planning on the assumption that it is a much larger risk than it may turn
out to be.” (at p.12)
The propensity for small fledgling e-businesses to rely on third party operators
is deemed by the BCC to be a crucial issue in the future development of e-commerce.
For the e-businesses and their consumers alike, the presence or perception of
secure web-sites will be essential. As the BCC notes, “...a hosting company
will not only have to manage its own keys but also the keys of many of its clients.
This is an enormous security challenge in its own right but the addition of
a requirement that all such keys might have to be supplied to UK government
authorities could easily turn a difficult job into an impossible one.” (at
p.13) The BCC proceeds to argue that for e-commerce to grow there has to be
a high degree of mutual trust between business, the consumer and government.
It is trust, the BCC argues, which “...is predicated to a large extent
on a demonstrated commitment to privacy and confidentiality.” (at p.21)
Consequently, the BCC argues, the release of encrypted information to outside
parties, whether in plaintext or coded with decryption keys, will “...immediately
erode the trust relationship between the commercial organisation and intermediaries,
agents, third parties, clients and customers.” (at p.21)
To conclude, in the context of interception by public authorities, the 2000
Act seems to be adequately drafted in terms of allowing public authorities sufficient
powers of interception and disclosure. However, this is at the expense of both
privacy and commercial interests, and while privacy may be a less important factor
to consider when interception is of business communications, the adverse commercial
repercussions of these powers require that they be more limited. Thus, businesses
may feel aggrieved that public authorities can access sensitive information
on grounds that lack precision and, mainly, on the authorisation of the Secretary
of State or a public authority that may be seen as having a vested interest
in the interception. A better balance could be achieved between the perceived
need to intercept, the right to privacy and commercial interests if judicial
authorisation was always required, and if this could only be granted following
a detailed examination of the justification for the particular interception.
This would give the process the appearance of impartiality (which it currently
lacks), even if the grounds for a particular interception could not be explained
in detail to the subject of the interception due to security and other investigatory
considerations.
The Justification for Interception by Employers
The 2000 Act also provides employers with a legal right to intercept the
communications of their employees. This has highlighted a degree of hypocrisy
within the business community. During the passage of the 2000 Act, businesses,
supported by the Confederation of British Industry, argued that to allow public
authorities to examine their clients’ accounts, websites and e-mail would
compromise the security of their operations and have a concomitant impact upon
an already suspicious and cautious consumer base. Conversely, those same companies
are adamant that they should be granted unlimited access to the telecommunications
of their employees to safeguard, as they see it, the interests both of their
businesses and consumers.
Such interference seemingly creates a conflict between the business interests
of the employer and the privacy interests of employees. However, where the interception
is of the employer’s own private telecommunications system and the employer
undertakes it in order to ensure that the system is not being misused by employees,
it may be argued that individual privacy is not in issue and should not be protected.
After all, it is perfectly legitimate for an employer to expect employees to
be working in the interests of the business rather than putting its telecommunications
system to personal use. Such use may waste work time and resources, and could
also be for damaging purposes (such as obtaining and circulating pornographic
material, spreading computer viruses, or industrial espionage).
This view was implicit within the Interception of Communications Act 1985
since it left the regulation of private telecommunications systems to the discretion
of the organisation controlling the system. It also finds support in the sole
dissenting opinion from the European Commission of Human Rights in Halford.
In dissent Mr H.G. Schermers argued (at p.541) that where an organisation interferes
with communications transmitted via their own system (a system which it therefore
controls and pays for), there is not an interference with private life.(8)
Hence, the commercial interests of the employer, as protected by the interception,
will automatically prevail over any interests of the employee.
The Privacy Rights of Employees
However, the European Court in Halford found that employees do have
a legitimate expectation of privacy in the workplace, and this expectation can
only be forfeited if the employer intercepts communications with the consent
and knowledge of employees and does so within a legal framework of regulation.
Applying the decision in Niemietz, however, a legitimate restriction to an employee’s
privacy may be more easily justified because of the professional, rather
than wholly personal, context in which it occurs.
While the Court in Halford was dealing with an interception by a public
sector employer, its reasoning must be applied also to the private sector since
the Convention places both negative and positive obligations upon signatory
states. The negative obligation is that a state should not interfere with rights
unless this is in accordance with the law and necessary in a democratic society.
Thus, public authorities can only legitimately intercept the communications
of individuals and businesses where there is clear legal authority to do so,(9)
for the protection of a legitimate aim, and in a manner that is a proportionate
response to a pressing social need. The state also has a positive obligation
to protect rights from interference by others (Marckx v Belgium (1979) 2 EHRR 330).
In X and Y v Netherlands ((1985) 8 EHRR 235, para.23)
the Court stated this could require the implementation of measures protecting
private life against the actions of other private individuals and organisations.(10)
In the context of the United Kingdom, the negative obligation meant that
legislative reform of the interception of communications by public authorities
was required, since the Halford situation was not covered by the 1985
Act (and did not meet the requirements of necessity etc). The positive
obligation required that the legislative reforms had to go beyond simply dealing
with the lacuna demonstrated by Halford. The law also had to protect
communications from interference by other bodies not covered by the 1985 Act,
such as private sector employers. A continuing failure to do so would have rendered
the government vulnerable to challenge for a breach of its positive obligation
to protect privacy.
The Horizontal Effect of the Human Rights Act 1998
The protection of human rights in the private, as well as the public, sector
is also supported by the Human Rights Act 1998 through its incorporation of
the Convention into domestic law. The 1998 Act has a direct effect on public
authorities and an indirect effect on private bodies. Public authorities are
directly (vertically) bound since section 6(1) of the 1998 Act states that it
is unlawful for a public authority to act incompatibly with Convention rights.(11)
The 1998 Act also has a horizontal effect whereby Convention rights are indirectly
enforceable against private bodies. This is achieved through sections 3 and
6 of the Act. Section 3(1) requires that the domestic courts interpret existing
and future legislation (so far as it is possible to do so) in a way compatible
with Convention rights (incompatible legislation remains valid). Section 3 is
not worded to limit its effect only to legislation concerning public authorities,
so it can apply to wholly private disputes.
Private bodies can also be indirectly bound by the 1998 Act since section
6(3)(a) defines a ‘public authority’ as including courts and tribunals.
Therefore, in an action against a private body (for example, an employee suing
for unfair dismissal) a human rights claim can be attached. The main cause of
action is not the rights issue since these cannot be directly enforced against
the private body (since section 6 only requires public authorities to act compatibly).
Nevertheless, the court or tribunal is obliged to consider the human rights
issue and must resolve it, through the application and interpretation of common
law, equity or legislation, in a manner compatible with the Convention.(12)
The positive obligation imposed on states by the European Convention on Human
Rights also lends weight to the argument that section 6 should have horizontal
effect. Firstly, because the courts are part of the state they are subject to
the Convention obligations, and these feed through into domestic law via section
6 and are imposed on the courts as public authorities (Davies 2000, p.839; Lester
and Pannick 2000, p.381; Hunt 1998, pp.435-6). Secondly, section
2 of the 1998 Act requires that the courts must take Convention jurisprudence
into account when interpreting Convention rights. Thus, the positive obligation
will also come to form a part of domestic jurisprudence through this route (Bamforth
1999, pp.166-8).
The end result is that just as an individual or business can now claim privacy
rights against public authorities in both international and domestic law, a
private body (such as a business) may also find itself vulnerable to privacy
claims from other private bodies (such as employees). However, just as the public
authority may be able to show a legal justification for its interference with
rights, equally a business may also be able to justify its interference. In
particular, as a ‘legal person’ a business could monitor the communications
of its employees in order to protect its own right to peaceful enjoyment of
possessions (Article 1, First Protocol) against threats to its trade secrets
or reputation (Bingley 2000, p.5). The restriction to an employee’s privacy
could then be justified as falling within Article 8(2) ‘for the protection
of the rights and freedoms of others.’
The Interception Powers of Employers
Given that human rights norms extend to the workplace and govern relationships
between employer and employee, it would be expected that the interception powers
of employers would be explicitly granted subject to these norms. However, the
powers created by the 2000 Act are notable for their lack of sufficient reference
to these standards.
Sections 3 and 4 of the 2000 Act provide businesses with powers to intercept
the telecommunications of their employees (and to an extent, those involving
other businesses). Section 3(1) establishes that interception will be lawful
where the interceptor has reasonable grounds for believing both the sender and
the intended recipient have consented. This allows businesses to intercept communications
between employees, including where their employee is communicating with another
business (and enables public authorities to intercept communications between
businesses). The difficulty here is what amounts to ‘reasonable grounds’
and ‘consent’. This could be shown by requiring explicit verbal
or written consent from all those likely to be affected. This would be easy
to obtain from employees, since it could be included as a clause within the
contract of employment (although such consent may be given unwillingly or unwittingly).
There are practical difficulties with obtaining consent from non-employees;
a rider could be attached to e-mail messages, but this would only be read after
the recipient had already opened and read the main message. Further, it would
seem rather cumbersome to have to preface telephone calls with a consent clause
(although this would be easy to attach to answer phones or voice mail). These
difficulties may be overcome through the passage of time, whereby the expectation
of all employees (and businesses) is that their telecommunications will be monitored
and their consent is implicit from their continuing employment (or continuing
to do business with a particular company). However, such routine and potentially
blanket monitoring by businesses would be disproportionate given the difficulties
of obtaining genuine consent and given the additional powers available under
section 4 (discussed below). Where the interception is by a public authority,
explicit consent should be obtained for every interception to ensure that the
interference is indeed necessary and proportionate.
Section 3(3) authorises interception by providers of telecommunications services
if this is for purposes relating to the provision or operation of the service,
or the enforcement of any enactment relating to the use of that service. Where
the interception is by the provider of a public service, this power is unproblematic
since it seems to be concerned with the general good running of the service.
In relation to private telecommunications systems, the rationale is unclear,
since it seems to replicate the powers to intercept under section 4(2) and the
Lawful Business Practice Regulations (discussed below).
Section 4 lays down various powers to intercept, most of which will be applicable
only to public telecommunications service providers (such as where the interception
relates to someone outside of the United Kingdom). However, section 4(2) allows
the Secretary of State to make regulations authorising ‘legitimate practices’
in relation to the interception of telecommunications by businesses (private
and public sector). The communications must relate to business transactions,
or take place in the course of business. Only services or apparatus specifically
for use in relation to that business can be intercepted. Section 4(3) expressly
limits this power to the person providing or using a telecommunications service
for business purposes.
The resulting Telecommunications (Lawful Business Practice) (Interception
of Communications) Regulations 2000 (Statutory Instrument No.2699) allow the
monitoring and recording of communications without the consent of sender or
recipient, provided that this is carried out by, or with the consent of, the
system controller. They appear to also allow businesses (whether public or private)
to monitor traffic data (certainly this is the view of the Data Protection Commissioner).
The Regulations only authorise the interception of communications relating to
the system controller’s business, where the system is provided for business
use and where the business has taken reasonable efforts to inform potential
users of the system that communications might be intercepted. This provides
businesses with a significant power to intercept the telecommunications of their
employees on several grounds: to establish the existence of facts relevant to
business; to ascertain compliance with regulatory or self-regulatory procedures
relevant to the business; to ascertain or demonstrate standards that ought to
be achieved by those using the telecommunications systems; in the interests
of national security or to prevent or detect crime; to investigate or detect
the unauthorised use of any telecommunications system; and to ensure the effective
operation of the system. Incoming communications can be monitored (not recorded)
without consent to check on whether communications are relevant to business.
The Regulations fail to achieve a suitable balance between the business needs
of employers and the privacy rights of employees, even given that such rights
may be legitimately diluted in the context of the workplace. There is a lack
of clarity in the grounds for interception, thus providing a broad discretion
to employers and meaning that different businesses are likely to apply different
standards to their employees. There is no mechanism provided for weighing the
necessity, or the proportionality of the interception. The Regulations also
fail to provide a clear rationale for monitoring; there is no indication as
to whether it is intended only for serious abuses or whether trivial behaviour
will also be covered.
This wide discretion may be fettered by the Draft Code of Practice issued
by the Data Protection Commissioner under the Data Protection Act 1998 (www.britishlibrary.net/govt.html/).
The relationship between the Regulations and the Draft Code is unclear, but
the Commissioner has stated that they are not contradictory and that the latter
adds detail to the legal framework provided by the former (Goodwin 2000, p.12).
The Code states that monitoring should be for a specific business purpose (properly
targeted at an identified risk) and that its impact on rights should be monitored.
It should be lawful, open, clear and fair. An employee’s privacy and autonomy
should not be unnecessarily intruded upon through the widespread use of monitoring
or the revelation of personal details thus acquired. The intrusion should also
be proportionate to the benefits of monitoring to the reasonable employer. The
least intrusive methods should always be favoured. For example, traffic data
rather than content should be monitored; the time spent on the Internet should
be recorded rather than specific sites visited (Draft Code, pp.26-33).
The legal status of the Code is unclear, but it would be prudent for businesses
to adhere to the principles it expounds since private and public bodies are
bound by human rights norms. To apply the Regulations without reference to the
Code would leave businesses vulnerable to legal challenge. The remedy for those
affected could be either criminal or civil, as outlined in section 1 of the
2000 Act. Thus, an employee can obtain redress in this way, or possibly through
arguing that monitoring is a breach of the implied term of trust and confidence
between employer and employee. However, it is preferable for employers to adhere
to the legal and non-legal standards required of them since many employees would
probably be unwilling or unable to pursue legal action for a breach. Alternatively,
it could be argued that until the status of the Code is clarified businesses
have been given carte blanche to monitor and intercept staff e-mail,
without necessarily having due regard for the letter of the law within the Regulations.
To conclude, in relation to the interception powers of employers, the 2000
Act and the resulting Regulations have failed to achieve a balance between the
needs of employers and the rights of employees. The Draft Code goes some way
to redressing this imbalance, but the uncertainties regarding its legal status
undermine its ability to ameliorate the effects of the Regulations. It would
be preferable for the Act and the Regulations to be amended so that the interception
powers can only be exercised with explicit reference to human rights norms.
Thus, the requirements of the Draft Code should be implemented, and in addition,
interception should only occur where genuine consent has been sought (even if
not ultimately given) and where there is a clearly made out justification for
that interception which would stand up to independent scrutiny. Such measures
are particularly important since it would not be reasonable or practicable for
an employer to seek prior independent authorisation for business-related interceptions.
Continuing Conflicting Interests
The Privacy Foundation has noted, as a portent perhaps of the UK situation,
that roughly one in three of the USA’s 40 million employee population
who use e-mail or the Internet at work (and 100 million workers or 27 percent
world-wide) are monitored (www.zdnet.co.uk July 2001). More worrying perhaps
is that a survey carried out by KLegal (part of KPMG) has already discovered
that 20 percent of employers were breaking the Regulations by monitoring their
staff’s e-mail without informing them that such monitoring was taking
place (McAuliffe 2001).
One of the driving forces behind the corporate desire to intercept communications
arguably lies with the recent influx of potent and costly e-mail borne viruses
such as the ‘Love Bug’ and ‘Anna Kournikova’. The security
of e-mail is indeed becoming an increasingly serious issue given that it is
both a preferred mode of global communication and a common and simple vehicle
for the introduction and dissemination of viruses and trojans. It is the convenience
and user-friendly nature of e-mails that lies at the heart of the problem. It
appears that many corporations’ security warnings regarding, for example,
the opening of attachments, go unheeded by employees and thus provide a vehicle
by which viruses can infiltrate and disrupt corporations. The US National Infrastructure
Protection Center [sic] revealed in December 2000 that it had traced several
virus attacks likely to coincide with Christmas. Hackers apparently exploit
the feelings of Christmas spirit amongst employees by circulating festive e-mail
attachments which enthused employees treat in a less-guarded manner than might
otherwise be the case (Lee 2000, p.5). Ironically, the threat feared by businesses
most, that of e-mail corrupted with viruses, is likely to arrive via personal
rather than work related e-mail, but the Regulations prohibit such e-mails being
intercepted. (13)
The overwhelming majority of security breaches are caused by a company’s
own staff, either through deliberate intent or unwitting carelessness on their
part. As Goodwin argues, “[d]isgruntled former employees, people who are
careless with their passwords, and dishonest staff with a little IT knowledge,
can be far more devastating to a business than an external attack.” (Goodwin
2000a, p.16)
However, organisations typically spend 80 percent of their security budget
protecting themselves against external threats, and only 20 percent on implementing
internal security, despite the fact that 80 percent of security breaches come
from within companies (IT Week 19 February 2001, p.36). Further, the Department
of Trade and Industry in the UK has reported that only 14 percent of UK companies
had an information security policy (IT Week 26 March 2001, p.51). Therefore,
while businesses could argue that the Regulations do
not allow for effective monitoring of personal communications, businesses themselves
also need to rethink their policy regarding where the security threat comes
from and how it may be ameliorated. However, it is highly unlikely that a company
would be able to prevent all employees from using e-mail for non-business purposes
(Rogers 2000, p.6). Such a policy would also raise difficult issues regarding
the legitimate use of telecommunications by employees, and the extent of their
right to privacy when they do so.
Conclusion
There are legitimate reasons that justify the interception of some communications
by public authorities and businesses, although the latter may indeed feel that
they do not presently have sufficiently broad powers of interception. However,
on the whole the 2000 Act disproportionately favours the interceptors rather
than the subjects of the interception. A more appropriate balance can be achieved
between the security needs of interceptors (whether public authorities or businesses)
and the privacy rights and commercial interests of the subject (whether a business
or an employee). Thus, the authorisation of interception should generally be
by an impartial third party, and authorisation only granted on clear and detailed
grounds that have been objectively assessed. Interception should always be a
proportionate response to a security concern. Finally, where interception is
premised on consent, genuine consent should be sought from the subject of the
interception. Where such consent is not given, or where it is not reasonable
to obtain consent, then it is even more important that the interception is objectively
justified. These amendments would not unduly hinder legitimate interceptions,
but would give an appropriately greater weight to human rights principles and
the right to privacy.
However, following the terrorist attacks in New York, the government's purported
justification for increased interception will become more and more difficult
to dislodge. Similarly, employers may argue that their right to monitor their
employees will become an indispensable component of the government's security
measures. At that juncture, the arguments advanced above regarding the balance
to be achieved between human rights and security will need to be reassessed
since, arguably, a greater propensity towards interception should be matched
by greater safeguards for the subject of the interception.
Bibliography
Andrews, S (2000) ‘Who Holds the Key? A Comparative Study of US and
European Encryption Policies’ 2 The Journal of Information, Law and
Technology 4.
Bamforth, N (1999) ‘The Application of the Human Rights Act 1998 to
Public Authorities and Private Bodies’ 58(1) Current Legal Problems
159.
Bingley, L (2000) ‘Watchers Must Watch Out’ IT Week October
9, p.5.
Cape, E (2001) ‘The Right to Privacy – RIP?’ Legal Action
January, p.21.
Davies, G (2000) ‘The “Horizontal Effect” of the Human Rights Act’
NLJ June 2, p.839.
Goodwin, B (2000) ‘E-Mail Monitor Laws will Lead to more confusion’
Computer Weekly October 12, p.12.
Goodwin, B (2000a) ‘Cybercrime – An Inside Job’ Computer
Weekly August 31, p.16.
Hunt, M (1998) ‘The “Horizontal Effect” of the Human Rights Act’
Public Law 423.
Lee, C (2000) ‘Viruses and Hacking for Xmas’ IT Week December
11, p.5.
Lester, A and Pannick, D (2000) ‘The Impact of the Human Rights Act
on Private Law: the Knight’s Move’ 116 Law Quarterly Review
380.
McAuliffe, W (2001) ‘One in Five Employers Snoop on Staff E-Mail’
www.zdnet.co.uk January 17.
Rogers, A (2000) ‘You Got Mail But Your Employer Does Too: Electronic
Communication and Privacy in the 21st Century’ 5(1) Journal
of Technology Law & Policy 6.
British Chambers of Commerce (2000) The Economic Impact of the Regulation
of Investigatory Powers Bill, www.britishchambers.org.uk/newsand policy.ict/ripbillsummary
June 12.
Footnotes
(1) Encryption, also referred to as cryptography, is the “...use of mathematical
or other methods to hide the content of messages or files”. This definition
is taken from A Report of the President’s Working Group on Unlawful Conduct
on the Internet (2000) The Electronic Frontier: The Challenge of Unlawful
Conduct Involving the Use of the Internet, www.cybercrime.gov/unlawful.
(2) Technical Director of Buchanan International, Internet security experts.
(3) A number of cases revealed technological loopholes within the 1985 Act. For
example, in R v Effick [1994] 99 CrAppR 312 the House of Lords held that
cordless telephones were not part of the public telecommunications system, so
interception of such telephones could occur without obtaining a warrant. This
and other loopholes are detailed in the Justice report (1998) Under Surveillance:
Covert Policing and Human Rights Standards (London). The 2000 Act also
regulates forms of surveillance by public authorities (such as visual observation
through human sources) which previously had no legal basis and lacked compliance
with the requirements of the European Convention on Human Rights. A comprehensive
critique of the 2000 Act can be found in Akdeniz, Y, Taylor, N and Walker, C
‘Regulation of Investigatory Powers Act (1): BigBrother.gov.uk: State
surveillance in the age of information and rights’ [2001] CrimLR 73.
(5) Halford v UK (1997) 24 EHRR 523, paras. 44-51. There was also a finding
of breach in Halford because the 1985 Act only regulated the interception
of communications transmitted by a public telecommunications system, whereas
Halford’s phone was part of her employer’s private telecommunications
system. The restriction to her privacy was therefore not ‘in accordance
with the law’.
(6) Section 2(1) defines ‘telecommunications system’ to mean any system
for ‘the transmission of communications by any means involving the use
of electro-magnetic energy’. A private telecommunications system is defined
(in section 2(1)) as one which is not available to the public in the United
Kingdom but is attached to a public telecommunications system. Therefore, a
wholly internal system, without any means of connecting with the public system,
is not covered by the Act; Milgate, H (2000) ‘Interception of Communications’
NLJ December 15, p.1862. Section 2(2) states that interception, for the
purposes of Chapter 1, occurs where the contents of a communication are intercepted.
Logging the number or destination of communications does not amount to interception,
(section 2(5)), but it is regulated under Chapter II of the Act.
(7) Morgans v DPP [2000] WLR 386, per Lord Hope of Craighead at paras. 48-54.
Prior to the 2000 Act, the statutory basis for such practices was contentious.
Arguably, it was not covered by the 1985 Act but was dealt with instead under
the Telecommunications Act 1984 and the Data Protection Act 1984; Under
Surveillance, p.17.
(8) Niemietz and Huvig were distinguished since here public authorities
were searching premises owned by private bodies. Therefore, an employer may
be protected from interference by public authorities, but an employee cannot
be protected where the employer wishes to interfere.
(9) As shown in Malone, where the European Court of Human Rights found that
regulating the interception of communications by means only of administrative
guidelines was a breach of Articles 8 and 13.
(10) The negative and positive obligations imposed by the European Convention on
Human Rights are discussed in detail in Harris, D J, O’Boyle, M and Warbrick,
C (1995) Law of the European Convention on Human Rights (Butterworths),
pp.19-22.
(11) The analysis that follows is based on the arguments set out in Bamforth, N (1999)
‘The Application of the Human Rights Act 1998 to Public Authorities and
Private Bodies’ 58(1) CLJ 159 and (2001) ‘The True “Horizontal
Effect” of the Human Rights Act 1998’ 117 LQR 34; Hunt, M (1998)
‘The “Horizontal Effect” of the Human Rights Act’ PL 423; and
Lester, A and Pannick, D (2000) ‘The Impact of the Human Rights Act on
Private Law: the Knight’s Move’ 116 LQR 380.
As has been discussed in the Law Quarterly Review (2000), there are widely differing
views as to the possible horizontal effect of the Act. Sir Richard Buxton (2000)
‘The Human Rights Act and Private Law’ 116 LQR 48, argues against a
horizontal effect principally on the basis that the nature of Convention rights
is not to impose obligations on private parties. Conversely, Sir William Wade
(2000) ‘Horizons of Horizontality’ 116 LQR 217, argues in favour of a
full horizontal effect whereby the courts are obliged to enforce rights (even
against private parties) since they constitute legal norms which are integral
to the justice system. We have applied a simplified version of what seems to be,
broadly, the consensus view; that the 1998 Act will have an indirect horizontal
effect.
(12) Hunt, pp.338-41; Hunt, Lester and Pannick, and Wade (amongst others) see section
6 as being the main basis for horizontal effect (although Lester describes this
as a ‘diagonal’ effect whereby human rights principles are incrementally
woven into private law). Bamforth (2001), pp.38-40, argues that section 6 does
not impose a duty on the courts since there is no sanction for breach of that
‘duty’.
(13) Given the manner in which the Regulations define a “communication”
that can be intercepted, section 2(b)(i) and (ii).
URL: http://www.bailii.org/uk/other/journals/WebJCLI/2002/issue1/kb-rm1.html