Challenging inter-state breaches of privacy

Will the recent US spying revelations force the EU to strengthen its data protection law? Rosemary Jay examines the debate surrounding reform and highlights the challenges involved in taking legal action for inter-state breach of privacy.

Are there any international agreements defining the rules of international snooping?

The term ‘international snooping’ covers a potentially wide range of activities. The most obvious meaning is the interception of communications taking place in one jurisdiction by an agency (usually a security agency) of another state. The two main questions are:

  • whether the interception itself is unlawful, and
  • whether the identity and intention of the party doing the interception is an additional factor

As an example, it would be unlawful in the UK for a wife to tap her husband’s phone via the public network but it would not amount to espionage or spying. State espionage (as opposed to industrial espionage) is used to describe the situation when an agent of one state clandestinely obtains secret information about another state or the activities of another state with some element of intent to cause detriment. Espionage of this type is usually a crime under a country’s own law but there is no international treaty or agreement banning such espionage. Press reports since the allegations that US agencies listened to the German Chancellor’s calls have described a no-spying agreement between the UK, US, Australia, Canada and New Zealand. However, assuming that those reports are correct, this agreement is not contained in a formal, publicly available international treaty.

It appears therefore that there may be some agreements between some states restricting such activities but these do not take the form of published formal treaties.

Could actions be brought by individuals of one state for breach of privacy by another?

Like laws against espionage, privacy laws and laws against interception of communications are different in different countries. Again, there are several questions:

  • what form of legal action, if any, could a victim take?
  • could a victim take action against a perpetrator based outside its own territory?
  • if that is possible, could such an action be taken or enforced against a state or a state agency?

An individual is not likely to be able to bring criminal charges as, in many countries, these can only be brought by public prosecutors. Even in countries such as the UK where private prosecutions can be brought for some offences, these are not likely to cover unlawful interception. An individual would therefore have to bring a civil case in respect of the interception. Such cases can be brought for breach of the privacy of communications or, in some countries, for the specific breach of the privacy of communications. However, there are significant challenges in bringing such claims.

What are the challenges of bringing such a claim?

The party bringing the claim would probably have to show that the interception took place within its jurisdiction in order to bring the action in its own courts. If it could do so it could possibly launch an action against the responsible state agency from the other country. There would be evidential problems (how could the person prove who was carrying out the interception) and all sorts of practical problems with serving papers and seeking to summon evidence. In addition, such a claim could raise security issues in the victim’s own country. However, even if all these hurdles could be overcome and the victim succeeded in the case, they would have to ask the courts of the other state to enforce the judgment. The state agency might well have immunity and in any case the courts of that state would be unlikely to be willing to enforce any order or judgment.

What action is being proposed by the EU to tackle abuses of privacy?

The EU has a data protection regime based on an existing EU-wide Directive 95/46/EC. Every country in the EU has data protection legislation as a result. There are also EU-wide rules on e-privacy and the privacy of communications.

In 2012 the European Commission proposed a new data protection regime and issued a draft regulation which, if passed, would be directly applicable throughout the EU. The draft has been the subject of intense debate and is still being considered by the European Parliament and the Council. It has not yet been agreed but the Commission hopes it will be resolved before the European Parliamentary elections in 2014.

The draft regulation was not proposed directly to tackle abuses of privacy but its effect would be to introduce a more stringent regime to govern data protection. It does not however cover interception rules which would have to be reviewed separately.

The one provision which has some relevance to the question of access to information by non-EU agencies is a provision that organisations in the EU must refer any orders and requests for information served on them by non-EU authorities to the data protection authorities for authorisation before they release information. However, this is not relevant to debates about ‘snooping’ which by its nature is clandestine.

What are the wider concerns feeding into this debate?

There seems to be some real confusion around this. Interception is regulated by different laws to those that regulate privacy although there are overlaps. The interception debate is not actually relevant to the debates on the draft regulation. As noted above, the draft regulation does not deal with interception. The draft regulation is concerned with the tighter control and regulation of personal data. It will make no difference to interception or spying by non-EU states whether the draft regulation goes through or not. It will make a difference potentially to requests made to EU organisations, as noted above.

What should lawyers consider in light of the recent revelations?

The issues are practical ones for clients to review their security and take appropriate steps to make it as protective as possible. Organisations also need to know what disclosures they are making and transfers of data taking place so they can be prepared for the new provisions. There are important issues being considered in the debates on the draft regulation and we would urge those with an interest in the area to make comments and give feedback to the Ministry of Justice which is leading for the UK on the instrument.

Rosemary Jay joined Hunton & Williams from Pinsent Masons LLP where she was head of the information law practice. Prior to that, she was head of the legal office of the Data Protection Register (now the Information Commissioner) for 12 years. She has practised in privacy law for nearly 25 years and is recognised as one of the top lawyers in the area of data protection in the UK. She advises on high-level privacy, data protection and confidentiality issues and her practice covers all areas of information law.

Rosemary wishes to thank Jaymini Philp for her input. Jaymini is an associate with the firm, whose practice focuses on EU and UK data protection issues.

This post was originally published in Lexis®PSL IP&IT on 6 November 2013.

Area of Interest