Personal Data and the Security Services – the risks of non-compliance
We look at the recent case of Liberty & Others v Security Service & others which concerns the extent to which MI5 complied with the statutory safeguards required by both the Regulation of Investigatory Powers Act 2000 (RIPA 2000) and the Investigatory Powers Act 2016 (IPA 2016) in respect of the retention and use of personal data.
What are the practical implications of this case?
This is an interesting, but fact-heavy, case about the failings of the security service to properly comply with the relevant legislation.
Practitioners in the fields of privacy and human rights will find this of interest, particularly as failures to properly abide by the relevant statutory framework for holding and using personal data, and breaches of the duty of candour, led to the unlawful granting of warrants over a three-year period. Privacy practitioners will also be interested to see the concessions made by MI5 under the Human Rights Act 1998 claim, that their actions breached Article 8 rights of relevant individuals.
In addition, all those practitioners dealing with cases in the Investigatory Powers Tribunal will be interested in the analysis of section 31(2A) of the Senior Courts Act 1981 (SCA 1981) and the application of the ‘not substantially different’ doctrine in Tribunal cases.
Finally, the Tribunal makes some interesting observations about the relief to be granted in circumstances of widespread non-compliance with the statutory regime, and how the Tribunal will use its discretion to consider the appropriateness of relief sought.
What was the background?
The claim focuses on allegations that MI5 consistently failed to comply with the statutory safeguards required by RIPA and IPA in relation to the acquisition and holding of personal data, and in particular in relation to its ‘retention, review and disposal’ (‘RRD’). At the same time that such alleged compliance failures were ongoing in relation to the use of personal data, warrants were being granted, which brought into question their lawfulness if such warrants were obtained on the assumption that there had been compliance with the statutory framework.
While MI5 accepted that it was aware of a ‘very high risk’ that it was in breach of its statutory obligations from May 2016 onwards, such that it was required to notify the Investigatory Powers Commissioner of the issues, it failed to do so until 2019. The case looks at whether MI5's failures to treat the personal data appropriately and in line with the statutory safeguards commenced before 2016 and/or extended beyond the RRD requirements (although this aspect was dealt with in a closed judgment). These matters were also relevant to the Privacy International v Secretary of State for Commonwealth Affairs claim and whether MI5 was in breach of its duty of candour in those proceedings.
Given the necessary relationship between MI5 and the Home Office, there is also significant factual investigation into the scope of MI5's reporting of these issues and the extent to which any reporting was consistent with MI5's internal understanding of the issues.
What did the court decide?
The Tribunal found that there were 'serious failings in compliance with the statutory obligations' from late 2014 onwards such that the holding of data in this way was unlawful.
MI5 had breached the duty of candour in the Privacy International v SoS Commonwealth Affairs case by failing to make disclosure of such failings. The Tribunal will consider written submissions as to whether that case should be re-opened.
The Home Office failed to make adequate enquiries to understand the scale or seriousness of the risks. Accordingly, the SoS breached the duty set out in Secretary of State for Education v Tameside MBC  AC 1014 by not making adequate enquiries about compliance with the statutory safeguards: it was irrational not to do so.
Warrants issued between 2016 and 2019 were unlawful because of the failure to meet the safeguarding requirements. MI5 failed in its duty of candour to bring such non-compliance to the attention of the SoS when seeking to obtain warrants. Such warrants were obtained in breach of Article 8 ECHR.
As to the availability of relief (and per Meta Platforms v CMA  CAT 26 (not reported by LexisNexis®UK)), SCA 1981, s 31(2A) did not apply to the Tribunal. While it has statutory jurisdiction over the whole UK, section 31(2A) does not have application in Scotland, which caused obvious difficulties. In any event, it was not safe to assume that the decisions made to grant warrants would have been the same had proper disclosure been provided on the compliance issues.
No order for the quashing of warrants, or destruction of data, could be made without damaging national security. The Tribunal used its discretion to grant declaratory relief only.
- Court: The Investigatory Powers Tribunal
- Judges: Lord Justice Edis, Mrs Justice Lieven, Mr Charles Flint KC
- Date of judgment: 30 January 2023
This article was first published by LexisPSL on 7 March 2023.