House of Lords - Constitution Committee

Surveillance: Citizens and the State - Constitution Committee Contents

Memorandum by Dr Victoria Williams[1]

SUMMARY

The Information Commissioner has recently repeated calls for Privacy Impact Assessment (PIA) to be required before new surveillance technologies are introduced. In evidence to the Home Affairs Committee inquiry entitled "A Surveillance Society?" he has referred to models of PIA in common law jurisdictions including under the US E-Government Act 2002. In this submission it is argued that to apply concepts of PIA to public places requires more than merely importing the model of personal data privacy and requires consideration of the impact on society, but that we have to be wary of introducing excessively subjective concepts. Entering public space leads to issues such as freedom of association and of speech becoming more relevant than data privacy alone.

It is concluded that if PIA is to be applied to new surveillance projects, consideration needs to be given to procedural requirements for publication and review linked in some way to planning or budgetary approval by analogy with the US E-Government Act arrangements which link budget with PIA compliance.

It is suggested that by analogy with US civil liberties law it will be necessary to consider whether technologies which observe public space ought to be rebuttably presumed to create a risk of "chilling" the free exercise of rights of association and free expression protected by Articles 10 and 11 of the Convention, for the purposes of scoring the societal impact of surveillance during the PIA process. The law makers need to engage in significant Constitutional review of the basis on which the State and similar bodies are permitted to observe people in public space and what rights to freedom from surveillance the public have in respect of social activity in that space, before it will be practical to attempt to assess the impact of surveillance.

1. I am grateful for this opportunity to present this submission to the Committee. These observations have as their backdrop the recently renewed calls by the Information Commissioner for Privacy Impact Assessments (PIA's) similar to those required for data collection systems in some other jurisdictions such as under the US E-Government Act 2002, to be carried out prior to the use of what the Commissioner called "initiatives and technologies which could otherwise accelerate the growth of a surveillance society".[2] The Commissioner's reference to "new surveillance technologies" comes at a time when all of the following are available technologies:

2. Before the recent calls for PIAs the issue had been canvassed in the context of the National Identity Register and ID Card scheme, in the form of a proposal that the government should be under a duty to commission and publish the results of PIA's as and when details of information appearing on the face of the ID card were proposed by way of legislation.[13]

3. In some contexts in the UK the PIA is seen as good practice on a voluntary basis. The Department of Constitutional Affairs (now the Ministry of Justice) promoted the use of PIA's in the context of public sector data sharing. Its response to consultation on the Government paper "Privacy and Data-sharing: the way forward for public services", recommended that "Where appropriate, organisations should use ... Privacy Impact Assessments, to initiate an open dialogue with the public and with stakeholders around new data-sharing initiatives".[14]

4. Acceptance of the appropriateness of PIA is more limited when one turns to the context of the high-profile National Identity Scheme and the ANPR[15] project. The Secretary of State's recently stated position[16] was that no privacy impact assessment had been produced, or was planned, for either system.

PRIVACY IMPACT ASSESSMENT & SURVEILLANCE

5. The final "Surveillance Society" report commissioned for the International Data Protection and Privacy Commissioners' Conference provided a composite definition of Privacy Impact Assessment:[17]

— an approach and a philosophy that holds promise by instilling a more effective culture of understanding and practice within organisations that process personal data;

— a form of risk-assessment, which therefore cannot escape the uncertainties of identifying and estimating the severity and likelihood of the various risks that may appear, to privacy, life-chances, discrimination equality and so on;

— a tool for opening up the proposed technologies or applications to in-depth scrutiny, debate and precautionary action within the organisation(s) involved;

— an early-warning technique for decision-makers and operators of systems that process personal information, enabling them to understand and resolve conflicts between their aims and practices, and the required protection of privacy above or the control of surveillance; and

— ideally, a public document, leading to gains in transparency and in the elevation of public awareness of surveillance issues and dangers may be realised; in turn, it may assist regulatory bodies in carrying out their work effectively".

THE US E-GOVERNMENT ACT 2002[21]

6. The Information Commissioner's recent suggestions refer to the position in overseas jurisdictions such as the USA where the PIA process is mandatory in data collection contexts under the E-Government Act 2002. In US law a PIA is described as "an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks".[22]

7. The 2002 Act sec 208(b)[23] creates legal obligations for the production of PIA's in relation to government agency IT systems, but the principle may be capable of expansion to surveillance systems, as advocated by Professor D Mulligan, of UC Berkeley School of Law in submissions to the Department of Homeland Security Data Privacy and Integrity Advisory Committee in June 2006,[24] and canvassed in the "Surveillance Society" report itself.

8. Before doing either of the following activities (the first of which is perhaps most relevant here), under US law a government agency comes under several obligations in relation to production of PIA's. The activities which trigger the PIA obligation are:

(i) developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form, or

(ii) initiating a new collection of information that will be collected, maintained, or disseminated using information technology; and which includes any information in an identifiable form permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, 10 or more persons, other than agencies, instrumentalities, or employees of the Federal Government.

9. The PIA obligations

In circumstances where the obligation is triggered, ie under (i) or (ii) above, each agency is obliged to:

(i) conduct a privacy impact assessment;

(ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and

(iii) if practicable, after completion of the review make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means. The requirement to make the PIA publicly available may be varied or waived for security reasons or to protect classified, sensitive, or private information contained in the PIA.

10. The filing of the PIA forms part of the funding process. Agencies must, where a PIA is required by the Act, provide the Office of Management and Budget with the PIA for an information technology system for which funding is sought.

THE ADEQUACY OF PRIVACY IMPACT ASSESSMENT AND OF ARTICLE 8 IN PUBLIC SURVEILLANCE

11. Whilst in general citizens expect privacy in the sense that they will not usually be eavesdropped upon or observed by the State in our own private spaces, it is trite to say that the very act of appearing in the town centre or travelling between locations brings with it a different expectation. In many contexts that may be the whole point of the exercise; perhaps even deliberately in order to be captured on CCTV.[25] The presence of CCTV has been said to be comparable in character to the presence of an individual observer.[26] An argument supportive of the general observation of public places by the State using technological means is that any person going about his or her business openly is well aware that anyone else can see or hear them and that the State is no different from the citizen in terms of its right to watch a general scene, subject to the existing law of data protection. Thus in Peck v UK[27] the ECHR reiterated that "the monitoring of the actions of an individual in a public place by the use of photographic equipment which does not record the visual data does not, as such, give rise to an interference with the individual's private life". It is clear that the extent to which recording surveillance material fails to respect Article 8 rights is itself dependent largely on factors such as the context of the recording, the use to which it is put and the legal reasons for it.

12. At the root of the present debate over surveillance technology, and calls for PIA to be extended to it, appears to be not merely concern over the collection of conventionally personal data but also concern over the impact which mass surveillance may have on society. The Commissioner in evidence to the Home Affairs Committee inquiry stated at para. 5:

"... the Commissioner's concern is to ensure that full consideration is given to the impact on individuals and society [...]. The issues are complex, difficult and controversial. They raise questions about the nature of society, about the role of the state, about the activities of commercial bodies and the about the autonomy of citizens".

13. To encapsulate such concerns within a framework for surveillance PIA seems to require that we develop a clearer idea of the extent to which, if at all, society and its democratic activities of free speech and assembly ought to be protected from State surveillance. It also requires that we know what we mean by "impact" in that context, as opposed to impact in the context of solely personal data privacy. There is a risk of recourse being had to philosophically valid but practically difficult questions such as such as "What ... a new audio-visual scheme for monitoring public places or private shopping precincts, implies for personal autonomy and dignity, social solidarity, or the texture of social interactions".[28], [29]

RIGHTS OF FREE SPEECH AND FREE ASSOCIATION UNDER ARTICLES 10 AND 11

14. In the United States the courts have recognized that citizens should be able to remain anonymous vis a vis the State whilst in the course of exercising certain constitutionally protected social rights, most notably rights to free speech and freedom to associate. It is unconstitutional for a law to require those who wish to canvass religious material door-to-door to have to identify themselves to the authorities via a broadly applicable permit scheme.[30] Moreover the US courts also recognize that a law which has the effect of discouraging the exercise of constitutionally protected rights may itself be struck down:[31] the so called "chilling effect" which has to a degree also been recognized in European human rights especially in the context of Article 10 (freedom of expression) (eg Steel and Morris v UK and Steur v Netherlands).[32]

15. The extent to which US Constitutional rights such as those under the First[33] and Fourth[34] Amendments may be infringed by public observational surveillance remains, it appears, an uncertain matter in terms of decided case law,[35] but the arguments under US law were aired to a degree in Vo v City of Garden Grove et al[36] in which the Court of Appeal of the State of California refused to hold that an ordinance requiring the placement of CCTV[37] in "cyber-cafes" affected First Amendment (free speech) activity any more than did the legitimate presence of a security guard, nor was there any legally protected privacy interest. (Though it was accepted that the ordinance in question did at least implicate First Amendment rights). The Vo judgment was subject to one very strongly worded dissenting judgment by Sills, J expressing the view that the Ordinance "literally forces a `Big Brother' style telescreen to look over one's shoulder while accessing the Internet".

16. In terms of ECHR case law under Articles 10[38] and 11,[39] at least where unjustified interference with rights under Article 8 is also shown, it appears to have been accepted in principle that keeping files about a person's political activities, gained from "surveillance" in a broad sense (including for example keeping newspaper cuttings on file) can amount to a violation even in the absence of direct evidence that there is a practical impact on the practical exercise of those rights. In Segerstedt-Wiberg and others v Sweden,[40] the ECHR was prepared to rely upon the fact that it had found a violation of Article 8 as implying a corresponding violation of Articles 10 and 11, stating that (at para 107): "the storage of personal data related to political opinion, affiliations and activities that is deemed unjustified for the purposes of Article 8 § 2 ipso facto constitutes an unjustified interference with the rights protected by Articles 10 and 11".

17. The Judgment in Segerstedt-Wiberg does not consider whether there could be circumstances where surveillance which did not also infringe Article 8 might nonetheless infringe Articles 10 and 11, absent proof of practical interference with (or penalty imposed for) exercise those rights. However the decision does at least suggest that rights of expression and of association could be infringed by the mere storage of surveillance information, presumably more especially so if "chilling" effects were to be plausibly suggested.

18. There is a dearth of empirical research evidence as to the impact, if any, which surveillance has on the actual exercise of rights of free speech or free association by citizens. Politically the principle that the monitoring of assembly is to be avoided was propounded in the "Declaration of the Committee of Ministers on human rights and the rule of law in the Information Society" in the context of protecting Article 11 rights in cyberspace. There appears to be no principled reason to believe that the same idea is irrelevant to "real space" assembly:

CONCLUSIONS

19. The conclusions which I suggest can be drawn from the above when we try to adapt PIA to surveillance contexts fall into two categories:

(i) matters of practice and procedure in relation to possible mandatory PIA, based on models such as the E-Government Act 2002, insofar as those can be adapted to surveillance contexts;

(ii) matters of law and principle in relation to the framework of rights to privacy by which the "impact" in a Privacy Impact Assessment of public surveillance may be gauged.

20. (i) Matters of practice and procedure

As to (i) it seems to this author that "surveillance" PIA would risk becoming mere paperwork unless linked to a clear set of requirements for:

— publication;

— review;

— approval by a competent authority; and

— a link between adequate PIA approval and planning, regulatory or funding decisions.

21. It would appear less than ideal for a surveillance PIA exercise to be required in the absence of any scope for practical control. The linkage between PIA and budgeting under the E-Government Act 2002 may perhaps be seen as an example of such practical control.

22. (ii) Matters of law and principle to be applied in PIA for surveillance contexts

As to (ii) it suggested that an extension of PIA to cover surveillance requires more than mere procedure. It requires that the legislature develops a clear set of principles to be applied to assessing the social impact, rather than merely the personal data privacy impact, of public surveillance. Failing to do so would risk a "surveillance PIA" which adds little to existing personal data privacy safeguards.

23. Whilst the rights to respect for private life, home and correspondence in Art. 8 of the Convention, and the provisions of the data protection legislation provide a basis for a right to protection from abuses of personal data privacy whether in private places or outdoors, conventional notions of privacy impact do not translate well into public behavioural settings where observation may be thought to affect or chill the exercise of other more social rights, which more or less presuppose a public or semi-public stage upon which the individual appears.

24. The conclusion drawn here is that the lawmakers should carry out an exercise of constitutional review as to whether the law ought to presume (axiomatically) that systems which observe public places create a risk of chilling the exercise of rights such as free speech and free assembly. That would require consideration whether surveillance which impacts, or has the potential to impact upon, anonymity in social space would lose points on social impact grounds, rather than purely personal privacy grounds, in a surveillance PIA. It would also require consideration as to whether greater constitutional protections than exist at present are required for free speech and association rights in public places, independently of purely personal data privacy protections.

1 June 2007

0,,2055082,00.html