In the late 18th century, the philosopher Jeremy Bentham developed a new type of institutional establishment which had a singular advantage over its predecessors: It allowed the authorities to observe inmates without their being able to tell whether they were being watched. The name given to this new architectural form of state control was Panopticon, literally meaning “watch all.” In our modern digital world the bricks and mortar of Bentham’s Panopticon have been replaced by a network of cybersurveillance systems. Now the inmates are not incarcerated criminals, but potentially everyone on the planet, or at least anyone who has embraced the Internet. Certainly, that is what the revelations about PRISM seem to suggest. However, is the deployment of such all-encompassing and apparently indiscriminate surveillance systems itself lawful? Is this something, which as a matter of law, we are obliged to tolerate, despite its ostensibly chilling effect on civil liberties?
Answering those questions from the perspective of UK domestic law is not easy. This is not least because the law governing the use of surveillance by the state is complex and still relatively untested. Those who have dipped their toes into the murky world of surveillance law will know that there are typically three legal regimes which have to be considered, all of which focus to a greater or lesser extent on the concept of personal privacy.
First, there is Article 8 of the European Convention on Human Rights, incorporated into domestic law through the Human Rights Act 1998. Article 8 recognizes that all human beings enjoy a fundamental right to privacy. This right certainly extends to an individual’s private online activities. A state agency that snoops on an individual’s private e-activities will be acting unlawfully unless the interference with privacy rights can be justified. An interference will be justified only if it is both in accordance with the law and necessary in order to serve certain specified legitimate aims, including the aims of preserving national security, public safety or economic well-being. Importantly, an interference with privacy rights will not be lawful for Article 8 purposes if it is disproportionate. Put simply, the state cannot lawfully use a surveillance sledgehammer to crack a small, albeit socially offensive, nut.
Second, in the UK, there is the Data Protection Act 1998, derived from the European data protection directive. This is a fairly intricate enactment that embodies a number of detailed rules relating to the circumstances in which personal data, including not only written information, but also photographs, voice recordings and other recorded data, may lawfully be processed. The conceptual spinal cord on which the rules hang is that personal data must be managed in a way that avoids excessive infringements of privacy rights. In that sense, the effects of the Data Protection Act are similar to those of Article 8. The data protection rules will certainly provisionally apply to any personal data which may be obtained by the UK government from a foreign state and also to any the government may itself wish to transfer abroad.
However, critically, the rules are effectively disapplied in any case where the government certifies that this is necessary for the purposes of safeguarding national security. The scope for challenging a national security certificate is very limited.
Perhaps even more significantly, the affected individuals will only be able to contemplate a challenge if they know the state has disapplied the rules in their case.
The difficulty here is that the disapplication of the rules may itself result in a situation where individuals are kept in the dark about what is happening to their data.
Third, the UK has the Regulation of Investigatory Powers Act 2000 (RIPA). This fiendishly complex enactment is essentially intended to set out the circumstances in which secret surveillance activities undertaken by the state must be treated as lawful. Thus, for example, it sets out the circumstances in which individuals may lawfully be subject to surveillance (like using surveillance devices or covert human intelligence sources). It is clear that RIPA was enacted above all in order to ensure that the state was not using the veil of secrecy to conduct surveillance activities which unjustly interfered with the privacy rights of citizens.
However, a fundamental difficulty with RIPA, as with the Data Protection Act, is that it is difficult to detect when abuses are taking place. The secret nature of the surveillance being undertaken means that the subjects of the surveillance are themselves not in a position to hold the relevant authorities to account.
Standing back from the detail, two things become clear. First, as a matter of domestic law in the UK, any surveillance system deployed by the state must operate in a proportionate manner. It is hard to see how any surveillance system that enabled the state indiscriminately to capture data relating to millions of law-abiding citizens could ever satisfy the requirements of Article 8. Second, it is a fundamental precondition to the exercise of legal rights that individuals know whether their rights have been infringed. Keeping the public in a state of ignorance about the very existence of super-surveillance systems is constitutionally offensive.
Even if there are good reasons why individual operations must remain secret in the national interest, there surely can be no justification for keeping people in the dark about dramatic expansions in the surveillance state. If super-surveillance systems are as all-encompassing and indiscriminate as the revelations about PRISM tend to suggest, then all the more reason why these new modes of state watchfulness should be subject to robust scrutiny by both the public and the courts.
Of course, we could simply sit back and accept the assurances given to us by our political leaders that the state can be relied upon to regulate itself, that it will scrupulously turn its attentions only to those who clearly seek to threaten our comfortable existence. However, such a trusting, laissez-faire attitude is inherently naive. Our liberty as citizens depends very substantially on our ability to safeguard ourselves against arbitrary interference and excessive control by the state. If we abnegate our own responsibility to watch over the state’s burgeoning surveillance activities, the price we will pay is an inevitable loss of personal liberty in the face of an increasingly data-bloated and overweening state.