Your life on file
Was emergency legislation to permit continued retention of communications data needed, or justified? Does it simply restate previous powers? Should legal professionals be concerned?
On 8 April 2014, the Court of Justice of the European Union handed down a judgment on joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12), stating that the EU Data Retention Directive 2006/24/EC was invalid. While this did not make major headlines at the time, it was a very important decision as the UK’s Data Retention (EC Directive) Regulations 2009 took their authority from the directive, leaving the retention of communications data in a sort of limbo.
On 10 July, draft emergency legislation to replace the regulations was published by the coalition Government in the form of the Data Retention and Investigatory Powers Bill (DRIP). DRIP also included amendments to the Regulation of Investigatory Powers Act 2000 (RIPA). Using an emergency fast-track process, DRIP received its first reading in the House of Commons on 14 July and by the evening of 17 July it had passed through all stages in both Houses and was an Act of Parliament. This gave no time for any realistic input from civil society, or serious consideration by MPs or peers other than those who had been party to the proposal. It appears that there has been no consultation with the Scottish Government, Parliament or other stakeholders.
The Government stated that the urgency for this legislation stemmed from the CJEU judgment (discussed below), which implicitly made the regulations invalid. This meant that there was a risk that communications data would be deleted, making it very difficult for investigatory authorities to carry out investigations. The urgency is also said to result from communications providers outside the UK starting to resist compliance with interception requests under RIPA. It is hard to see how these can have been allowed to become so urgent. The CJEU judgment was made on 8 April and the reluctance of communications providers has been growing over a considerable period of time. It may well have become urgent, but it cannot have happened overnight.
As further justification, the Government stated that the bill introduced no new powers and was merely restoring the status quo. As far as the regulations are concerned, this is almost certainly true. However, with respect to the RIPA amendments, this statement is definitely controversial. An open letter to Parliament signed by 15 very distinguished internet law academics (www.law.ed.ac.uk/__data/assets/pdf_ file/0003/158070/Open_letter_UK_internet_law_academics. pdf; see also next feature) details five ways in which they believe it extends RIPA, in particular with respect to enforcing the compliance of organisations outside the UK. The European Digital Rights group (EDRI) also specifically states that the Government’s claim is “untruthful”.
The law in this area is very complex and is impacted by both data protection and human rights legislation. This actually makes it very difficult to say with certainty whether new powers are involved, as existing powers are unclear.
The directive was created in an attempt to harmonise a situation where, according to recital 5, “several member states have adopted legislation providing for the retention of data by service providers for the prevention, investigation, detection, and prosecution of criminal offences”. The data retained is electronic communications traffic data (including data relating to the routing, duration or time of a communication, the location of sending and receiving equipment and the identity of subscribers who are party to the communication). While this data does not include the content of communications, it does give a great deal of information about the behaviour of private individuals.
Even though recital 21 of the directive, referring to article 5 of the Treaty on European Union, states that “In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve those objectives”, the CJEU ruled that the mass, indiscriminate surveillance and retention of data on all citizens permitted by the directive was disproportionate to the legitimate aim of fighting serious crime. The judgment also points out that the directive claims to respect principles enshrined in articles 7 and 8 of the Charter of Fundamental Rights of the European Union, specifically respect for private life and communications and the protection of personal data.
In particular, the CJEU stated that, among other things, the directive failed to:
a) restrict retention of data to a particular time period, geographical area and/or suspects or persons whose data would contribute to the prevention, detection or prosecution of serious offences;
b) provide exceptions for persons whose communications are subject to the obligation of professional secrecy;
c) ensure that retention periods are limited to that which is strictly necessary;
d) empower an independent body to make decisions regarding access to the data on the basis of what is strictly necessary;
e) limit access and use of the data to that which is strictly necessary;
f) ensure the data is kept within the EU.
It seems clear that any legislation introduced in the UK needs to address these criticisms.
It is well accepted that, in order to combat terrorism and serious crime, the police and other authorities need access to communications data. The judgment states that the retention of communications data may be considered appropriate for attaining the objective of the prevention of offences and the fight against crime, and that this is a very important objective. However, the conclusion reached in the judgment is that retention of data for all citizens is not strictly necessary, and that the principle of proportionality indicates that the interference with individual privacy is too strong.
It is also clear that some investigations need to be able to intercept the content of some specific communications, both internal and external to the UK, and that, subject to appropriate safeguards, this is a necessary power.
DRIP consists essentially of two parts, “Retention of relevant communications data”, and “Investigatory powers”, with the latter being considerably longer. Its stated purposes include the amendment of the grounds for issuing interception warrants, or granting or giving certain authorisations or notices under RIPA and making provision about the extraterritorial application of RIPA.
The Act does effectively reinstate the powers of the regulations, except that a great deal of the detail is now included in the secondary legislation, the Data Retention Regulations 2014, which were passed immediately after DRIP.
There has not been much time to consider the extent to which DRIP addresses the issues raised in the CJEU judgment. However, it would appear to have several shortcomings. It limits the maximum data retention period to 12 months, and increases reviews by the Interception of Communications Commissioner from annually to twice yearly.
None of the other issues appear to have been addressed. Of particular concern to members of the legal professions is the lack of any exceptions for persons whose communications are subject to the obligation of professional secrecy.
In a democratic society it is very disappointing that legislation with such far-reaching privacy issues has been introduced in such a fashion; it passed through the House of Commons on the day of the cabinet reshuffle. It is hard to believe that a Government which had confidence in its bill could not have found time to expose it to at least some level of public scrutiny.
Tim Musson is director of Computer Law Training Ltd and convener of the Law Society of Scotland's Privacy Law Committee