Catt v the United Kingdom - police powers to retain personal data in "extremism database" violates the rights of peace activist

Privacy International welcomes the judgment of the European Court of Human Rights in Catt v the United Kingdom.

The Court found that the UK violated the right to privacy (Article 8 of the European Convention on Human Rights) of Mr John Catt, a peace movement activist, who despite having never being convicted of any offence, had his name and other personal data included in a police database known as the “Extremism Database”. 

The Court found problematic "the variety of definitions of the term “domestic extremism” and the "significant ambiguity over the criteria being used by the police to govern the collection of the data in question." (para 97 above) It ruled that there was no "pressing need to retain" the personal data of Mr Catt in the police database and that constituted a violation of his right to privacy. In particular, the retention of his data concerning peaceful protest had neither been shown to be generally necessary, nor necessary for the purposes of a particular inquiry.

This case is important because it challenges the powers of the police to surveill individuals in public spaces and retain personal information about them.

Privacy International, in its third party intervention, identified a range of new technologies that the police can deploy to surveill individuals in public spaces, whether physical spaces, such as participating in demonstrations, or digital ones, such as on social media platforms. These technologies include facial recognition, body worn cameras, CCTV and automated number plate recognition technology. In addition to the surveillance of physical spaces, police authorities are collecting data from social media sources, to monitor social media posts and related data. Other technologies used by the police and highlighted by Privacy International include Mobile Phone Extraction and IMSI catchers.

Governments (and companies) argue that this collection and analysis of this information has little impact on people’s privacy as and when it relies “only” on publicly available information. This inaccurate representation fails to account for the intrusive nature of collection, retention, use, and sharing of a person’s personal data obtained from public places and through social media. The privacy intrusion is furthered when publicly available data sets are aggregated. 

In fact, left unregulated, the routine collection and processing of publicly available information for intelligence gathering may lead to the kind of abuses observed in other forms of covert surveillance operations.

The European Court today confirmed that collection and processing of such information obtained from public spaces must be regulated by law and limited to what is necessary and proportionate to achieve a legitimate aim.

In particular the Court "recalls the importance of examining compliance with the principles of Article 8 where the powers vested in the state are obscure, creating a risk of arbitrariness especially where the technology available is continually becoming more sophisticated (see Roman Zakharov v. Russia [GC], no. 47143/06, § 229, ECHR 2015, and Szabó and Vissy v. Hungary, no. 37138/14, § 68, 12 January 2016). Unlike the present case, those cases dealt with covert surveillance. However, the Court considers it should be guided by this approach especially where it has already highlighted concerns relating to the ambiguity of the state’s powers in this domain (see paragraph 105 above)."

This important finding should apply to the range of technologies used by the police and security and intelligence agencies. It is essential that the gathering, use and retention of data by the Police using all forms of technology meets the tests of being in accordance with law, pursuing a legitimate aim and being necessary in a democratic society. As this case demonstrates, too often this is not the case. This challenge began with Mr Catt exercising his right of access to his data and pursuing this legal challenge, as a result of which the police are being held to account. But it is essential that protections are implemented in advance of the roll out of new technologies.

The European Court further highlighted the "heightened level of protection" that data revealing a political opinion should enjoy (see para 123 above). Enhanced safeguards are vital in an era where democratic processes are threatened by the intrusiveness of new technologies.

Privacy International remains concerned by the current lack of adequate legislation and policies to regulate the use of these technologies by police forces in the UK. The adoption in May 2018 of the Data Protection Act 2018 (implementing the EU Law Enforcement Directive), which heightens the safeguards for the processing of personal data by police forces is a positive step. But the new technologies adopted by the police to surveill individuals in public spaces (whether online or offline) require additional safeguards and robust oversight.