FAQ: Privacy International UK Supreme Court Judgment
Details of case:
 UKSC 22
15 May 2019
What two questions was the Supreme Court asked to answer?
- Whether section 67(8) of RIPA 2000 “ousts” the supervisory jurisdiction of the High Court to quash a judgment of the Investigatory Powers Tribunal for error of law?
- Whether, and, if so, in accordance with what principles, Parliament may by statute “oust” the supervisory jurisdiction of the High Court to quash the decision of an inferior court or tribunal of limited statutory jurisdiction?
What does the judgment say, in brief?
As to question 1, the language used in section 67(8) of RIPA is not sufficiently clear to oust the supervisory jurisdiction of the High Court to quash a judgment of the Investigatory Powers Tribunal (IPT) for error of law. Accordingly, Privacy International can resume its challenge at the High Court to a decision of the IPT regarding the UK government's hacking powers (described in more detail below).
As to question 2, the Court divided as to the answer. Three of the justices concluded that there was a "strong case for holding that, consistently with the rule of law, binding effect cannot be given to a clause which purports wholly to exclude the supervisory jurisdiction of the High Court to review a decision of an inferior court or tribunal, whether for excess or abuse of jurisdiction, or error of law." Several of the others adopted a narrower interpretation of the requirements of the rule of law, and one declined to address the question.
Who said what in the judgment?
The judgment is composed of four opinions. The opinion of Lord Carnwath (with whom Lady Hale and Lord Kerr agree) together with that of Lord Lloyd-Jones on the first question mean that Privacy International's judicial review may proceed.
Lord Sumption (with whom Lord Reed agrees) and Lord Wilson dissented and would have dismissed the appeal.
What is a judicial review?
A judicial review is a challenge to the lawfulness of a decision by a public body. It is not a direct appeal of the decision. A judicial review may only be brought if the public body has made an error of law, or acted unfairly or unreasonably.
The history of the case
What is this all about?
A growing number of governments around the world are embracing hacking to facilitate their surveillance activities. Yet hacking presents unique and grave threats to our privacy and security. It is extremely intrusive, capable of allowing the government hacker to access information sufficient to build a detailed profile of a person, as well as altering or deleting that information. At the same time, hacking not only undermines the security of targeted systems, but also has the potential to compromise the internet as a whole. You can read more about our concerns on government hacking here.
What is hacking?
The term "hacking" is difficult to define. For these safeguards, Privacy International posits the following definition: Hacking is an act or series of acts, which interfere with a system, causing it to act in a manner unintended or unforeseen by the manufacturer, user or owner of that system. System refers both to any combination of hardware and software or a component thereof. Privacy International recognises that there may be instances of government hacking that do not conform to this definition and should nonetheless be subject to scrutiny.
How did we find out about GCHQ's hacking capabilities?
The Snowden disclosures revealed sweeping hacking operations conducted by the UK signals intelligence agency, the Government Communications Headquarters (GCHQ). The disclosures indicated that GCHQ uses hacking techniques to gain access to potentially millions of devices, including computers and mobile phones. They documented how GCHQ could, among other things: activate a device’s microphone or webcam, identify the location of a device with high-precision, log keystrokes entered into a device, collect login details and passwords for websites and record Internet browsing histories on a device, and hide malware installed on a device.
What was our initial challenge about?
Our initial claim in the Investigatory Powers Tribunal (IPT) in 2014 was about GCHQ's computer hacking operations. We alleged that GCHQ hacking violates Articles 8 and 10 of the European Convention on Human Rights, which respectively protect the right to privacy and the right to freedom of expression and also were unlawful under UK law. In February 2016, the IPT held that GCHQ hacking is lawful under UK law and the European Convention on Human Rights. The IPT further concluded that GCHQ may hack inside and outside of the UK using "thematic warrants." Thematic warrants are general warrants covering an entire class of property, persons or conduct, such as "all mobile phones in London."
What has happened since the IPT's decision?
Privacy International challenged the IPT's decision that GCHQ hacking is lawful via two avenues.
First, in May 2016, we filed a claim for judicial review before the English High Court challenging the UK Government's use of general warrants to hack inside and outside the UK. We argued that thematic warrants undermine 250 years of English law, which requires that a warrant must target an identified individual or individuals. The High Court questioned whether it could hear a judicial review of the IPT. In February 2017, the High Court found in favour of the Government. In November 2017, the Court of Appeal upheld the decision of the High Court. In May 2019, the Supreme Court reversed the Court of Appeal's decision. The Supreme Court decided that the language used in section 67(8) of RIPA does not remove the supervisory jurisdiction of the High Court to quash a judgment of the Investigatory Powers Tribunal (IPT) for error of law. Accordingly, Privacy International can resume its challenge at the High Court regarding the UK government's hacking powers.
Second, in August 2016, we, together with five internet and communications service providers, filed an application to the European Court of Human Rights (ECtHR) challenging GCHQ's hacking powers outside of the UK. That case was communicated in November 2018 and is still pending before the ECtHR. It has been stayed pending the Supreme Court’s decision.
What are the ramifications of the Supreme Court's judgment?
The UK Supreme Court has agreed with Privacy International that the Tribunal tasked with overseeing the UK intelligence services cannot escape the oversight of the English High Court. The leading judgment of Lord Carnwath confirms the vital role of the courts in upholding the rule of law. The Government’s reliance on an ‘ouster clause’ to try to remove the IPT from judicial review failed. The judgment confirms hundreds of years of legal precedent condemning attempts to remove important decisions from the oversight of the ordinary courts.
What are the next steps after the Supreme Court's judgment?
Following the judgment of the Supreme Court, the High Court will examine the merits of our initial challenge on the UK Government's use of general warrants to hack inside and outside the UK.
PI's 10 Necessary Hacking Safeguards:https://privacyinternational.org/feature/957/government-hacking-and-surveillance-10-necessary-safeguards
Hacking explainer video: https://privacyinternational.org/video/2068/video-government-hacking-101