European Court of Human Rights holds UK's "Extremism Database" falls foul of privacy and data retention laws

Catt v The United Kingdom (Case No. 43514/15), European Court of Human Rights, 24 January 2019 

Summary

The European Court of Human Rights (ECHR) has held that an "Extremism Database" maintained by UK police violated an activist's right to privacy under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (the Convention).

Facts

The applicant, John Catt, had long been involved in various peace movements and anti-war demonstrations, including by Smash EDO, an organisation dedicated to ending weapons manufacturing. Smash EDO demonstrations were heavily policed due to issues of criminality and public disorder. Although the applicant was twice arrested at demonstrations, he had never been convicted of any offence.

In 2010 the applicant made a request to the police under section 7 of the Data Protection Act 1998 (DPA) for information relating to him. Police disclosed 66 relevant records, ranging from his name, address, date of birth and appearance, from a database known as the "Extremism Database". Although many of the records related to the applicant's involvement with Smash EDO, thirteen related to his attendance at unrelated events, including trade union conferences, political protests and pro-Gaza demonstrations. When the applicant requested that these records be deleted, the police declined.

The applicant initiated proceedings against the police in January 2011 for their refusal to delete the data, arguing that the data was not "necessary" within the meaning of Article 8(2) of the Convention. The matter progressed through the UK High Court, Court of Appeal and Supreme Court, with the key issue whether the retention of data in the Extremism Database to combat "domestic extremism" justified invading the applicant's privacy.

The UK Supreme Court eventually ruled in favour of the UK Government, finding that retaining the applicant's data was a lawful interference of privacy under Article 8 on the basis that:

• the interference was minor, because the "primary facts" of the information retained on the applicant (name, activities, appearance) were already in the public domain;

• the interference was justified, despite the applicant's clean record, because it enabled police to better assess the risks posed and tactics used by groups associated with criminality, and investigate related crimes (including identifying witnesses); and

• the interference was sufficiently safeguarded, because it could only be used for policing purposes and was periodically reviewed according to rational and proportionate criteria.

The applicant appealed to the ECHR in September 2015. The Equality and Human Rights Commission and Privacy International were later included in proceedings as third party interveners.

Decision

Article 8 of the Convention states:

(1) Everyone has the right to respect for his private and family life, his home and his correspondence.

(2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. (Emphasis added.)

The ECHR accepted that the retention of the applicant's data interfered with his Article 8 right to privacy. The key questions for the ECHR to consider were therefore:

(a)         Was the interference in accordance with the law?

(b)        Was the interference necessary in a democratic society?

In accordance with the law

The Court considered Article 8 required the relevant measure to not simply accord with a domestic law, but "afford adequate legal protection against arbitrariness and… indicate with sufficient clarity the scope and discretion conferred on the competent authorities and the manner of its exercise" (at 94).

The Court felt the scope of police powers and the criteria used to collect and manage data in the Extremism Database was too ambiguous. The Court took particular issue with the differing definitions of "domestic extremism" used by government and police, and the fact that data could be stored indefinitely.

However, the Court concluded that the Extremism Database was managed in accordance with the law, because it was regulated by legislation and a code of practice, data was protected from disclosure to third parties, and the applicant could apply for data to be deleted. The Court also noted that, although the Database was not public knowledge until after proceedings commenced, it was "possible to deduce that the police were likely to be maintaining such a database" from publicly available information (at 98).

Necessary in a democratic society

The Court considered interference necessary in a democratic society if it:

(a) answers to a “pressing social need”;

(b) is proportionate to the legitimate aim pursued; and

(c) the reasons adduced by the national authorities to justify it are relevant and sufficient (at 109)

It was noted that the EHCR should only overrule domestic courts' assessment of the merits of an Article 8 case where there are compelling reasons for doing so. However, the Court felt that the decision to retain data relating to the applicant's political opinions did not account for that data's heightened sensitivity under the Convention and the DPA. This was considered central to the current case, and on that basis the Court deemed it necessary to intervene.

The Court concluded that although there was a pressing need to collect the applicant's data, there was no pressing need for it to be retained in the manner it was. Particular emphasis was placed on the fact that data would be retained for at least six years (and potentially indefinitely), and that the applicant's request for deletion of his data was refused without explanation, despite police and domestic courts concluding that the applicant was not considered a danger to anyone.

The Court also rejected the Government's argument that reviewing the database and deleting the entries would be too burdensome, stating that:

"…it would be entirely contrary to the need to protect private life under Article 8 if the Government could create a database in such a manner that the data in it could not be easily reviewed or edited, and then use this development as a justification to refuse to remove information from that database" (at 127).

Accordingly, the Court held in favour of the applicant.

Commentary

The ECHR judgment appears to strike a careful balance between protecting personal privacy and the need for detailed intelligence in investigating and preventing crime. The Court held that the collection of sensitive data, even from innocent parties, was not only legally permissible but necessary for police to understand and combat groups with a history of public disorder and criminality. However, the Court also held that data must be protected by adequate safeguards. Without clear processes for reviewing whether data needed to be retained, the Court felt that the Extremism Database went beyond what was proportionate and  necessary. In the end it was a failure of method that determined the case in the applicant's favour.

This decision serves as a reminder to Australians of the importance of the right to privacy, which could be ensured here with a Charter of Rights. In the meantime, the Australian Parliament should strengthen the safeguards in our own metadata retention regime, which requires telecommunications companies to retain all citizens’ data for at least two years. This data has been accessed not only in the investigation of serious crimes, but to track down parking fines.

The decision is available here.

Daniel Barnett is a lawyer at Ashurst