Data Retention Law: An Update
11 September 2014
In a controversial move in July 2014, the Government pushed through the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) and corresponding Data Retention Regulations 2014 (“2014 Regulations”) as emergency legislation to replace the Data Retention (EC Directive) Regulations 2009 (“2009 Regulations”).
The move came as a result of the decision of the European Court of Justice (“ECJ”) in the case of Digital Rights Ireland Limited wherein the ECJ held the European Community’s Data Retention Directive 2006 (“Directive”), on which the UK legislation is based, to be invalid. The Directive was invalidated on the basis that it was in breach of the right to privacy and protection of personal data provisions contained in the European Charter of Fundamental Rights (“Charter”). The heart of the ECJ’s argument was that the Directive authorised such vast privacy intrusions that stringent safeguards were required to make such intrusion proportionate.
Depending on your perspective, the ECJ’s decision was either a substantial step forward for digital privacy, or a substantial step backwards in preventing and responding to terrorism and serious crime. The Government claims that the new legislation was introduced in response to this decision.
What does DRIPA contain?
DRIPA substantively replicates the data retention provisions contained in clauses 1 and 2 of the 2009 Regulations whereby powers to require service providers to retain communications data are granted to the Secretary of State. DRIPA continues to apply the specific data retention requirements scheduled to the 2009 Regulations. This includes storage of telephone numbers, name and address of registered users of the telephone number, date, time and duration of calls, and IMEI numbers of the phone called (IMEI numbers are the identifying numbers on all mobile phones which can be used to identify the owner). Neither DRIPA nor the 2014 Regulations further restrict the types of data that telecommunications providers may be asked to retain.
Clause 3 limits the ability of the Government to intercept a communication on the basis of “the economic well-being” of the UK to situations where this also involves national security. This limitation was not previously contained in the 2009 Regulations and is therefore a welcome restriction on the right to breach privacy.
Although the Government has claimed that DRIPA is about maintaining existing capabilities and not introducing new ‘snooping’ laws, DRIPA does cast a wider net than the 2009 Regulations. In clause 4 of DRIPA the Government extends the scope of Part 1 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) in relation to both interception and communications data by adding specific provisions. The entire regime is now placed on an extra-territorial basis, placing a duty on non-UK entities providing communications services in the UK to comply with interception warrants. Further, clause 5 expands the definition of “telecommunications service” contained in RIPA to include e.g. webmail/remote storage services and some social media traffic data.
Compatibility of DRIPA and 2014 Regulations with EU fundamental rights
DRIPA does not, and does not purport to, address every separate criticism of the Directive made in the Digital Rights Ireland Limited case. Indeed, DRIPA does not even mention the Charter, which has led many to question whether the new legislation is in fact compatible.
In broad terms, the proportionality problem identified by the ECJ can be addressed in two ways: by reducing the level of the privacy intrusions and/or introducing more effective safeguards. It is, however, clear that DRIPA has not in any way reduced the extent of privacy intrusion.
The 2014 Regulations do appear at least to aim to provide additional safeguards. Two safeguards in particular are referred to in the explanatory memorandum to the 2014 Regulations. The 2009 Regulations imposed an absolute 12-month retention period where a relevant notice had been served on a telecoms provider. In contrast, the 2014 Regulations allow different types of data to be retained for shorter periods when appropriate. Although this may appear to be an improvement, neither DRIPA nor the 2014 Regulations include any objective criteria for the calculation of retention periods with regard to particular types of communications data. Given the open-ended nature of this new legislation, the risk is that blanket, indiscriminate 12-month retention periods will continue to be the norm.
Secondly, the 2009 Regulations did not place any statutory duty on the Secretary of State to consult telecoms providers prior to issuing a notice, although such consultation was carried out in practice. Although the 2014 Regulations do make prior consultation a statutory obligation, it is arguably not an additional safeguard in practice.
Further, the ECJ specifically criticised the fact that the 2009 Regulations apply even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even a remote one, with serious crime. The new legislation continues to enable blanket and suspicionless retention of all relevant communications data generated by the entire UK population.
Furthermore, the new legislation does not provide for exemptions from a retention requirement with regard to the communications of individuals who are subject to obligations of professional secrecy, another criticism contained in the ECJ ruling.
However, the Government has attempted to address fears of intrusion into privacy by providing for a statutory code of practice on data retention to be issued by the Secretary of State. There will be review and reporting obligations based on the powers and capabilities of DRIPA. A new Independent and Civil Liberties Board will also be created to consider the balance between the threat and concerns for civil liberties.
Whether DRIPA offers sufficient safeguards for achieving an acceptable balance between security and privacy in practice remains to be seen.
The Future of DRIPA and the 2014 Regulations
The whole of DRIPA is subject to automatic repeal on 31 December 2016, by which time a review of this area of law should have taken place. In the meantime, DRIPA has been heavily criticised and is being challenged by “Liberty”, a civil rights group, on behalf of MPs Tom Watson and David Davis, who criticised the Government for reinstating a policy which had fallen into serious disrepute.
However, the level of protection given to our personal data remains substantially the same as it has been since 2009 and it is likely that data will continue to be stored in this way until the sun sets on DRIPA on 31 December 2016.
For more information, please contact Rachel McAllister.