In the late 18th century, the philosopher Jeremy Bentham developed a new type of institutional establishment which had a singular advantage over its predecessors: It allowed the authorities to observe inmates without their being able to tell whether they were being watched. The name given to this new architectural form of state control was Panopticon, literally meaning “watch all.” In our modern digital world the bricks and mortar of Bentham’s Panopticon have been replaced by a network of cybersurveillance systems. Now the inmates are not incarcerated criminals, but potentially everyone on the planet, or at least anyone who has embraced the Internet. Certainly, that is what the revelations about PRISM seem to suggest. However, is the deployment of such all-encompassing and apparently indiscriminate surveillance systems itself lawful? Is this something which, as a matter of law, we are obliged to tolerate, despite its ostensibly chilling effect on civil liberties?
Answering those questions from the perspective of UK domestic law is not easy. This is not least because the law governing the use of surveillance by the state is complex and still relatively untested. Those who have dipped their toes into the murky world of surveillance law will know that there are typically three legal regimes which have to be considered, all of which focus to a greater or lesser extent on the concept of personal privacy.
First, there is Article 8 of the European Convention on Human Rights, incorporated into domestic law through the Human Rights Act 1998. Article 8 recognizes that all human beings enjoy a fundamental right to privacy. This right certainly extends to an individual’s private online activities. A state agency that snoops on an individual’s private e-activities will be acting unlawfully unless the interference with privacy rights can be justified. An interference will be justified only if it is both in accordance with the law and necessary in order to serve certain specified legitimate aims, including the aims of preserving national security, public safety or economic well-being. Importantly, an interference with privacy rights will not be lawful for Article 8 purposes if it is disproportionate. Put simply, the state cannot lawfully use a surveillance sledgehammer to crack a small, albeit socially offensive, nut.
Second, in the UK, there is the Data Protection Act 1998, derived from the European data protection directive. This is a fairly intricate enactment that embodies a number of detailed rules relating to the circumstances in which personal data, including not only written information, but also photographs, voice recordings and other recorded data, may lawfully be processed. The conceptual spinal cord on which the rules hang is that personal data must be managed in a way that avoids excessive infringements of privacy rights. In that sense, the effects of the Data Protection Act are similar to those of Article 8. The data protection rules will certainly provisionally apply to any personal data which may be obtained by the UK government from a foreign state and also to any personal data the government may itself wish to transfer abroad.
However, critically, the rules are effectively disapplied in any case where the government certifies that this is necessary for the purposes of safeguarding national security. The scope for challenging a national security certificate is very limited.