HomepageCommercial LawPrivate LawPublic Law & Human RightsCriminal LawEU & International LawCareers

Accessibility

Have Irlen Syndrome, or need different contrast? Click the button below for options.

Background Colours

Subscribe

Enter you email address below to subscribe to free customisable article notifications.

Alternatively, click the button below for our various RSS Feeds (available journal wide, or per section).

From DRIP to an ocean of trouble for the UK Legislature

© Banksy.

About The Author

Thomas Horton (Former Writer)

Thomas studied Law at the University of Birmingham, and graduated with a 2:1 in July 2013. In the elapsed time, Thomas has worked for law firm HowardKennedyFsi LLP as a paralegal in the property department. Thomas has also been awarded a Major Scholarship by the Honourable Society of the Inner Temple and will begin the BPTC with City Law School in September 2014.

Many legal blogs and national news sources revealed their broadside to the government’s passing of the Data Retention and Investigatory Powers (“DRIP”) Bill by means of emergency legislation on 17 July 2014. Here at Keep Calm Talk Law, we decided to take a reserved approach, waiting for the Bill to pass through Parliament and then to see what various news sources and commentators have thought about the Bill, in order to provide comprehensive analysis of the reason, the passing and the ramifications of the now Data Retention and Investigatory Powers Act 2014 (“DRIPA”).

Why was emergency legislation necessary?

The requirement for DRIPA derives from the European Court of Justice’s (“ECJ”) decision in Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and others (Irish Human Rights Commission intervening) [2014] WLR (D) 164 delivered 8 April 2014. Chris Bridges has previously discussed the decision of the ECJ in his superb article for Keep Calm Talk Law: ‘It's not the end of the line for data retention’. For those that are familiar with this judgment, it is suggested that you proceed to the next subheading. Alternatively, direct your attention to Bridges’ article, and continue to read below.

The case saw the ECJ determining the validity of [the Data Retention] Directive 2006/24/EC (“the Directive”). The Directive concerned (as you can infer from its title referred to above) data retention. In particular, the Directive aimed to ensure that providers of publicly available communications services were to retain data ‘for the investigation, detection, and prosecution of criminal offences [such as organised crime and terrorism]’ (Recital 11 and Article 1 of the Directive). Digital Rights Ireland Ltd (Case C293/12) brought an action challenging the legality of national legislative and administrative measures concerning the retention of data relating to electronic communications, and ultimately asked the (Irish) High Court to declare the invalidity of the Directive and Part 7 of the Criminal Justice (Terrorist Offences) Act 2005, which required telephone communication service providers to retain data for the purposes referred to above. The High Court, unable to make a determination of the validity of the Directive without there being examination of the Directive, referred the case to the ECJ for examination of the validity of the Directive.

Specifically, as referred to at paragraph 18 of its judgment, the ECJ were asked to consider the following questions:

  1. Is Directive 2006/24 compatible with the right of citizens to move and reside freely within the territory of the Member States laid down in Article 21 TFEU?
  2. Is Directive 2006/24 compatible with the right to privacy laid down in Article 7 of the Charter of Fundamental Rights of the European Union (“CFREU”) and Article 8 of the European Convention on Human Rights (“ECHR”)?
  3. Is Directive 2006/24 compatible with the right to the protection of personal data laid down in Article 8 CFREU?
  4. Is Directive 2006/24 compatible with the right to freedom of expression laid down in Article 11 CFREU and Article 10 ECHR?

Case C-594/12 joined Digital Rights’ case, which concerned a referral from the Verfassungsgerichtshof (the Austrian Constitutional Court) who similarly sought examination of the validity of the Directive, and the national statutory instrument through which it had been implemented (Article 102a of the Telekommunikationsgesetz 2003) in regards to the rights enshrined in the Charter of Fundamental Rights of the European Union (“CFREU”). Summarily, the opinion of the Austrian Constitutional Court was ‘that the retention of data affects almost exclusively persons whose conduct in no way justifies the retention of data relating to them’ (paragraph 20 ECJ judgment). The Austrian Constitutional Court, therefore, sought examination, in particular, of the requirements encapsulated in the Directive and the scope of the protection of fundamental rights, as detailed in Article 52 CFREU.

The ECJ recognised the need for the amount of data to be retained (paragraph 26 ECJ judgment and Article 5 of the Directive) in order to trace specific suspects. However, it was concurrently accepted that the retention of such data for the purpose of possible access to them directly affects Article 7 CFREU (respect for private and family life). Additionally, the ECJ stated that as a result of the Directive’s effect upon Article 7 CFREU (as one would, perhaps, change the way that they use electronic communication service providers because of the retention of data), Article 11 CFREU (freedom of expression and information) was brought into consideration. Furthermore, the ECJ stated that the processing of such data brought Article 8 CFREU (protection of personal data) into consideration.

The opinion of the court is declared at paragraph 37 of its judgment:

… [T]he interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.

The ECJ went on to confirm that the Directive saw the EU legislature ‘exceed the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter’. As failure to comply with those Articles had already been found, a discussion of Article 11 was unnecessary.

Importantly, the ECJ referred to specific aspects of the Directive that resulted in its invalidity, i.e. those points that caused a failure to justify the encroachments the Directive made upon fundamental rights (paragraphs 56-69 ECJ judgment):

  1. Even though Article 1(2) and 5(2) of the Directive do not permit the retention of content of communication or information using an electronic communications network, when Article 3 and 5(1) are read in conjunction, and the need for the retention of all detailed data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony, then such data does fall under the ambit of the Directive. Accordingly, the Directive provides for an ‘interference with the fundamental rights of practically the entire European population’ (paragraph 56 ECJ judgment); there is no exception to being subject to this retention of data regardless of there being, for example, no link between an individual and crimes being investigated.
  2. There is no objective criterion to limit the access of national authorities to the information collected and their subsequent use of the information for the prevention of and prosecution for offences; there is no provision for a valid reason to severely interfere with the fundamental rights enshrined in Articles 7 and 8 CFREU.
  3. There is no set criterion for determining how long the data should be held for, despite the minimum (six months) and maximum (twenty-four months) periods referred to in Article 6 of the Directive. Moreover, there is an absence of security to prevent unlawful access to the vast amount of sensitive and personal information that is required to be retained. At paragraph 62, the court stated:

Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits.

Does DRIPA reflect the ECJ’s decision?

The Directive discussed in the previous section had been accordingly transposed into UK law through the 2009 Data Retention Regulations (“2009 Regulations”); however, following the decision of the ECJ, amongst other considerations, amendment was needed. The Home Secretary, Theresa May MP delivered a statement to Parliament on 10 July 2014 highlighting the need for amendment. Firstly, May referred to the need to amend legislation to include the variety of communication platforms being used, and then proceeded to refer to two urgent problems that needed to be resolved, explaining the reason for the introduction of DRIPA:

… [W]e now face two significant and urgent problems relating to both communications data and interception. First, the recent judgement [sic] by the European Court of Justice that calls into question the legal basis upon which we require communication service providers in the UK to retain communications data. And second, the increasingly pressing need to put beyond doubt the application of our laws on interception, so communication service providers have to comply with their legal obligations, irrespective of where they are based.

DRIPA has replaced the 2009 Regulations and presents the Government’s new legislative basis of requiring telephone and Internet companies to retain communications data following the determination that the Directive was ultra vires. DRIPA builds upon the requirement of telephone and Internet companies to provide the Government with communications data as detailed under Chapter II Part I of the Regulation of Investigatory Powers Act 2000 (“RIPA”). This position is clear from s. 1 DRIPA, which provides the Secretary of State with the power by notice to require a telecommunications provider to retain data for purposes listed in s. 22(2) RIPA.

Unsurprisingly, as a result of inadequate scrutiny of the DRIP Bill, there does not appear to have been any consideration paid to the ECJ’s comments at paragraph 62 of its judgment referred to above. Moreover, with the broad definition of ‘telecommunications service’ (see s. 2(1) DRIPA) as provided for by s. 2(1) RIPA, the entire population of the UK is exposed to this measure, correlative to the ECJ’s comments at paragraph 56 of its judgment:

“telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)

Furthermore, s. 5 DRIPA extends the meaning of “telecommunications service” to now include services ‘facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system’. Tom Hickman interestingly points out in his article (supplementary to his analytical, original article of the DRIP Bill) for the UK Constitutional Law Association that this extension, for example, would include access to ‘[vast] amounts of [a company’s stored] data about their customers and the usage of the company’s services for their own business purposes. The data can be stored for many years and are used for the company’s own business analysis purposes’. So whilst the scope of the types of data has been extended, to possibly even concern data older than the maximum twelve-month retention period provided for in s. 1(5) DRIPA, no “review” has been added to consider the validity of the Secretary of State’s request for communications data.

The Explanatory Notes to the DRIP Bill (paragraph 100) aims to provide a recognition and solution to the ECJ’s concerns (those concerns being a clear breach of Articles 7 and 8 CFREU and a need to recognise a decision that is binding on the UK Government):

In relation to data retention, in addressing the ECJ’s concerns, where possible, the new legislation will go even further in safeguarding privacy. It is assessed that implementation of the proposed legislation is capable of being fully compliant with the Data Protection Principles and the Data Protection Act 1998.

However, and as has been neatly pointed out by Amberhawk’s 'Hawktalk' blog post, s. 28 of the Data Protection Act (“DPA”) exempts the protections afforded under Part II of that Act if required for the purposes of national security. The purpose of the Directive, the 2009 Regulations, and DRIPA that has been made (“apparently”) in light of the invalidity of the former, have all been for: ‘combating crime and fighting terrorism’ (Statement, Theresa May MP). Surely, then, it would be a rare occurrence when the DPA would provide adequate protection of the sort intimated through the ECJ’s decision? The Impact Assessment, which underpins the aforementioned statement from the Explanatory Notes, does not make particular reference to the prevention of terrorism, and only briefly refers to the DPA. It could be inferred, therefore, that, on the occasions where communications data is necessarily requested for the investigation and prosecution of terrorist activities, this provides for a valid derogation from Articles 7 and 8 CFREU. Nevertheless, the ECJ stated at paragraph 54 of its judgment that legislative models providing for such instances ‘must lay down clear and precise rules governing the scope and application of the measure in question’ and ‘[impose] minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data’.

The DPA does not prima facie demonstrate adequate protection to provide a lawful derogation from fundamental rights. This position is even more unsurprising in consideration of s. 35(1) DPA:

Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

Such considerations would undoubtedly have been raised if greater scrutiny of the Bill had been possible; the frustration of lawyers towards the use of emergency legislation in this context is self-evident. DRIPA still allows for blanket retention of data and goes further than the antecedent law.

What else did DRIPA introduce?

As previously mentioned, DRIPA builds upon the requirement of telephone and internet companies to provide the Government with communications data under RIPA. One of the matters that DRIPA has attempted to clarify is whether an interception warrant, and a notice for the provision of data, which differs from a data retention notice, has extraterritorial effect.

Detailed analysis of whether the “status quo” has been maintained by the DRIP Bill (as it then was) has been provided in Graham Smith’s excellent article (Smith has additionally published a similarly excellent post-enactment analysis). Smith highlights that, according to the Explanatory Note, DRIPA’s provisions providing for extraterritorial effect of the RIPA requirements were, in effect, subject to scrutiny as the ‘intent’ of RIPA was subject to Parliamentary scrutiny when enacted in 2000. The following analysis of what DRIPA has clarified will demonstrate how unacceptable it is that DRIPA was passed without thorough scrutiny.

Theresa May states in her statement to parliament that:

With technology developing rapidly and the way in which we communicate changing all the time, the communication service providers that serve the UK but are based overseas need legal clarity about what we can access.

This concern develops from the absence of any provision in RIPA expressing its extraterritorial effect; Tom Hickman’s initial analysis of the DRIP Bill suggests that the desire to provide for an extraterritorial application of requiring companies to intercept communications and provide communications data stems from those companies ‘doubt[ing] that the UK government has any power to do this’.

S. 4 DRIPA provides the Secretary of State with the power to place an obligation upon companies, irrespective of their location, to intercept communications (s.4(2) DRIPA) and provide communications data (s. 4(8) DRIPA). Furthermore, a company’s failure to adhere to an interception warrant is backed by criminal sanctions as detailed in s. 11 RIPA, which the aforementioned provision supplements. The scope of this power to intercept communications is vast and hints at the practices used by UK intelligence agencies. As Hickman further noted in his article, this development places companies that are served with an interception warrant in a difficult situation if the adherence to the warrant is contrary to the law of the state that they are based in. Additionally, if a company were to disclose that a warrant has been issued, they would similarly face criminal sanctions under s. 19 RIPA.

In conjunction with the expansion of the ability to require companies to retain data, the newly internationally effective powers postulate a severe disregard for fundamental rights by the UK government and ignorance to the need to thoroughly scrutinize provisions that enhance governmental powers over data concerning its objects. Gary Slapper’s tweet on the proposed passing of the DRIP Bill brilliantly encapsulates the scenario that the government has created:

[There is] [s]omething of an incongruity when a P[rime] M[inister] who trumpets Magna Carta and British freedoms then pivots to pass #DRIP and hasten an Orwellian state.

Where do we go from here?

S. 8 DRIPA provides a “sunset clause”; s. 1-7 DRIPA will be repealed as of 31 December 2016. A sunset clause is defined as follows:

A provision in a Bill that gives it an 'expiry date' once it is passed into law. 'Sunset clauses' are included in legislation when it is felt that Parliament should have the chance to decide on its merits again after a fixed period.

One cannot help but consider the existence of a sunset clause is tantamount to a recognition that what has been enacted is, in the eyes of those that have enacted the statute, somewhat unacceptable. S. 8 is to be considered in regards to s. 7 DRIPA, which imposes an obligation upon the Secretary of State to appoint an ‘independent reviewer of terrorism legislation to review the operation and regulation of investigatory powers’. This position has been granted to David Anderson QC, whose updates and progress as Independent Reviewer of Terrorism Legislation can be accessed here. S. 7(3) DRIPA requires that the review is to be completed by May 2015, and a report is subsequently to be sent to the Prime Minister, just in time for the next general election (7 May 2015). One can only hope that David Anderson’s appointment will provide for the bringing to light of the concerns that have been highlighted in this article and those of other commentators. As Gail Kent has stated in her article for Stanford Law School’s Centre for Internet and Society:

This is an important opportunity to discuss what we mean by privacy online and the justification we need to intrude on this privacy relative to the type of crime being committed.

Despite DRIPA’s inclusion of a sunset clause and provision for an independent review of investigatory powers, a likely Judicial Review of DRIPA, announced by Liberty acting on behalf of David Davis MP and Tom Watson MP, could predetermine its invalidity. Liberty is arguing that:

[DRIPA] is incompatible with Article 8 of the European Convention on Human Rights (ECHR), the right to respect for private and family life, and Articles 7 and 8 of the EU Charter of Fundamental Rights, respect for private and family life and protection of personal data.

Simply put, Liberty will be submitting the argument explored in the first section of this article that allowed the ECJ to arrive at the conclusion that the Directive saw the EU legislature act ultra vires. The progress of this application for Judicial Review is eagerly anticipated, and a future article for Keep Calm Talk Law will provide detailed grounds upon which Liberty and the Government will seek to find support for their position. As Tom Watson has aptly elucidated, ‘you cannot make good laws behind closed doors’; the government should brace itself for a comeuppance for an inappropriate use of the process of emergency legislation.

For the latest articles straight to your inbox, you can subscribe for free. Alternatively, follow @KeepCalmTalkLaw on Twitter or Like us on Facebook.

Tagged: Anti-Terror, Criminal Law, European Union, Judicial Review, Privacy Law, Technology

Comment / Show Comments (0)

You May Also Be Interested In...

Communications Data: A Critical Investigative Tool or a Charter to Snoop?

17th Jul 2018 by Andrew D Parker

Enhancing Privacy and Data Protection: The GDPR and the Road Ahead

5th Jun 2018 by Dena Anee

An Introduction to the GDPR and its Impact on Competition Law

25th May 2018 by İnayet Aydeniz Baytaş

Dead on Arrival: The Investigatory Powers Act 2016

29th Sep 2017 by Alexios Ektor Koursopoulos

‘The right to be forgotten’ – the answer to revenge porn?

2nd Sep 2015 by Helen Morse

Is There Really a ‘Right’ to be Forgotten?

17th May 2014 by Chris Bridges

Section Pick September

Cherry v AG for Scotland, Part I: Is a No-Deal Brexit Necessarily Implied?

Editors' Pick Image

View More

KCTL News

Keep Calm Talk Law: Moving Forward

3rd Sep 2019

Changing of the Guard: Moving Keep Calm Talk Law Forward

12th Aug 2018

An Anniversary or Two: Four Years of Keep Calm Talk Law

11th Nov 2017

Rising from the Ashes: The Return of Keep Calm Talk Law

18th Nov 2016

Two Years On, Keep Calm Talk Law’s Legacy is Expanding

11th Nov 2015

Twitter

Javascript must be enabled for the Twitter plugin to function. Click below to visit us on Twitter.

Free Email Subscription

Subscribe to Keep Calm Talk Law for email updates, and/or weekly roundups. You can tailor your subscription on activation. Both fields are required.

Your occupation / Career stage is used to tailor your subscription and for readership monitoring.

Uncheck this box if you do not want to receive our monthly newsletter.

By clicking the Subscribe button, you agree to our privacy policy and terms of service. Please ensure you read these in full.

Free Subscription