[Update: DRIP became law on Thursday 17 July 2014. The Act is available here. Post-Act analysis here.]
The powers specifically earmarked for abolition were under the Trade Descriptions Act 1968, the Health and Safety at Work Act 1974, the Criminal Justice Act 1987, the Consumer Protection Act 1987, the Environmental Protection Act 1990, the Social Security Administration Act 1992, the Competition Act 1998, the Financial Services and Markets Act 2000 and the Enterprise Act 2002.
Three months after the EU Court of Justice invalidated the EU Data Retention Directive, the UK government has burst into feverish action with emergency legislation to replace the 2009 Data Retention Regulations. Those Regulations, made under the European Communities Act, are nominally still in place but highly vulnerable to judicial review following the demise of the Directive.
What does DRIP (the inevitable acronym with which the Data Retention and Investigatory Powers draft Bill has been saddled) do? With so much material appearing at such short notice, considered analysis is difficult. Here are some first impressions.
DRIP, now with its accompanying provisional draft regulations which appeared on the Home Office website yesterday afternoon, has to square a circle. Ideally it should make a plausible attempt to address the 15 or so fundamental rights grounds on which the ECJ held that the Data Retention Directive was invalid. But at the same time DRIP has to deliver on Theresa May’s 10 July statement to the House of Commons that it maintains the status quo until 31 December 2016, when the sunset clause kicks in.
In reality DRIP cannot square the circle. Indeed the newly published Impact Assessment recognises that the legislation does not overcome all the ECJ stumbling blocks, claiming only to address the ECJ judgment “where possible” and “to the extent practicable”. It also acknowledges the “Risk of being perceived as ignoring the ECJ judgment”.
[Update: The Home Office Human Rights Memorandum published by the Joint Committee on Human Rights on 16 July 2014 says in paragraph 33 (p. 8) that the Bill, together with existing domestic legislation, addresses "the majority of the criticisms of the Directive set out in the ECJ's judgment". The Committee has written to the Home Secretary asking her to provide the Committee with "a further detailed memorandum setting out in full the Government's analysis of precisely how UK law satisfies, or will satisfy, each of the requirements set out in paras 54 to 68 of the CJEU's judgment."]
We can frame two simple questions.
- Does DRIP merely maintain the status quo?
- If so, how far is maintaining the status quo permissible in the light of the ECJ decision?
First, however, we should recognise that DRIP does far more than replace the 2009 Data Retention Regulations. It makes substantive changes to the interception warrants, interception capability and communications data access provisions of the Regulation of Investigatory Powers Act (RIPA). The Home Secretary has justified these amendments on a different basis from the data retention legislation: an urgent need to clarify, in particular, the territorial scope of RIPA's interception and communications data acquisition provisions.
These are the non-data retention aspects of DRIP.
- Clause 4 addresses the government’s concern that it should be able to apply RIPA to non-UK companies that provide communications services to the UK public.
- Clause 5 broadens the RIPA definition of telecommunications services. The Explanatory Note says this is so that webmail providers are clearly caught. The change will also have implications for data retention because of crossover into DRIP.
- Clause 3 places a further restriction on the general purposes for which interception warrants and communications data acquisition notices can be issued. This will bring RIPA into line with the existing codes of practice.
In relation to data retention, does DRIP merely maintain the status quo?
Putting Clauses 3 to 5 aside, let us focus on the claim that for data retention DRIP merely maintains the status quo. This splits into three questions:
- Are the same providers as before required to retain data?
- Are they required to retain the same data?
- Are the retention periods the same?
Are the same providers as before required to retain data?
This is difficult to answer, as the government is shifting
from one existing set of definitions to another and then amending them for good
measure. Conspiracy theorists will smell
a rat. Even the more generous may chalk up another example of the
obscurantist law-making for which this field is notorious.
The 2009 Data Retention Regulations were based on EU
definitions of publicly available electronic communications services and
networks in the EU communications Framework Directive, implemented in the UK by
the Communications Act 2003.
DRIP, however, abandons those EU definitions and instead adopts the homegrown RIPA definitions of public telecommunications systems and service. It then amends the latter, which has been in place for 14 years.
Why, if the intention is to continue the status quo, does DRIP not simply continue to use the definitions in the Communications Act 2003? The Explanatory Note (para 53) says that this is to "ensure uniform definitions across access and retention regimes".
It is anyone's guess at this stage whether these changes
will cast a wider net than the existing 2009 Regulations. That would require detailed comparison of
the two sets of definitions and a truckload of hypotheticals. What is quite clear, however, is that they broaden the RIPA definitions.
The existing
RIPA definition of telecommunication service is framed in terms of a service
consisting in the “provision of access to, and of facilities for making use of,
a telecommunications system”: two discrete elements related to the
telecommunications system.
DRIP Clause 5 says that the RIPA definition is now to cover
a service that “consists in or includes facilitating the creation, management
or storage of communications transmitted, or that may be transmitted, by means
of such a system.”
The Explanatory Note (para 71) says that this is in order to
ensure that companies who provide internet-based services, such as webmail, are
caught. Although para 18 of the
Explanatory Note says that the amendment is “for the purposes of communications
data and interception requests”, it also applies to the new mandatory data
retention regime under DRIP.
On the face
of it the amendment could apply not just to webmail, but to any remote storage service
(bearing in mind that the meaning of “communication” under RIPA is effectively anything
capable of being transmitted). The word “facilitating” is a red
flag for broad interpretation. There is obvious potential for this to cover a very broad spectrum of activities. It is exactly the type of provision that deserves the fullest Parliamentary scrutiny.
The Home Office is reported in the Sunday Times (13 July 2014, subscription) as saying, in relation to this amendment to RIPA: "The bill clarifies how the current definition should be interpreted, but this cannot change or extend the meaning of the definition in RIPA to capture new services." This is twaddle. In effect the amendment says "A shall be taken to include B." To the extent that B covers anything not within A, new services are captured. Even if different views might exist on whether B does in fact cover things not within A, to suggest that the amendment 'cannot' capture new services is nonsense.
Are they required to retain the same data?
The Explanatory Notes stress that a DRIP notice (i.e. a
notice by the Secretary of State to a public telecommunications operator) cannot
require retention of data types additional to those specified in the existing
legislation. This is achieved by defining 'relevant communications data' by
reference to the Schedule to the 2009 Regulations, which sets out the specific
types of communications data that a CP could be required to retain.
The definition also carries through the important
qualification that such data is caught only so far as it is generated or
processed in the UK by public telecommunications operators in the process of
supplying the telecommunications services concerned. In other words, a PTO cannot be required to create data if it does
not generate or process it in the course of supplying those services.
Generally, this appears faithfully to replicate the 2009
Regulations. However the adoption and
amendment of the RIPA definitions of telecommunications services and systems
(see above) could conceivably affect the scope of data falling within
"relevant communications data".
Are the retention periods the same?
The existing 2009 Regulations mandate retention for 12
months. DRIP (subject to an apparent drafting defect) provides for a maximum
retention period of 12 months, while enabling shorter periods to be specified
for different purposes.
The defect is that if no regulations were in place specifying
a maximum retention period under S1(4)(b), then the Secretary of State could apparently
issue a notice under S1(2)(c) requiring retention for longer than 12 months. It
is hard to believe that the government intends this to be a possibility. The provisional draft regulations do specify
a maximum period of 12 months.
Is maintaining the status quo for data retention permissible after the ECJ judgment?
The extent to which the government will in the new
legislation address the grounds on which the ECJ invalidated the Data Retention
Directive was initially unclear, since much is to be implemented through
secondary legislation requiring affirmative resolutions of the Commons and the
Lords. DRIP and the now published
provisional draft regulations go some way to addressing the ECJ judgment,
although it was always difficult to see how any form of general mandatory data
retention could comply with some of the more fundamental issues identified in
the ECJ judgment.
There may be room for debate about whether the ECJ intended
to lay down that every objection identified in the judgment is a self-standing
issue that has to be overcome independently in national legislation; and if so how
each one should be overcome. It does
have to be remembered that:
- The ECJ was assessing the compatibility of EU legislation with the EU Charter of Fundamental Rights and Liberties.
- The question of whether national legislation also has to comply with the EU Charter was not before the Court (although following the subsequent Pfleger decision of the ECJ it is very likely that national legislation does have to comply with the Charter, for reasons explained by Professor Steve Peers here).
- National legislatures may have a certain degree of latitude (margin of appreciation) in how they comply with the Charter.
- The ECJ judgment may in some respects have applied stricter standards under the Charter than the European Court of Human Rights in Strasbourg has done in respect of the Convention. If so, that could open up the possibility that a Minister might certify DRIP compliance with the European Convention on Human Rights while not complying with all aspects of the ECJ judgment.
With all this in mind, it is instructive to list the ECJ's specific grounds for invalidating the Data Retention Directive and consider how DRIP does and does not address them. [Update: the government has now published a Note making its own comparison.]
Each heading below is followed by the issue as identified by the ECJ [paragraph number in ECJ judgment] and then by the position under national legislation.
Generality
Issue:
- Applies to all means of electronic communication (use widespread and of growing importance in people’s everyday lives) [56]
- All subscribers and registered users [56]
- Interference with fundamental rights of practically the entire European population [56]
- All persons, all means of electronic communication without any differentiation, limitation or exception [57]
National legislation: The ECJ's comments on generality referred specifically to the datatypes listed in Article 5 of the Directive. Those were replicated in the Schedule to the 2009 Regulations. No change in DRIP, which replicates the 2009 Schedule/Article 5 list.
Suspicionless
Issue:
- Applies even to persons for whom no evidence capable of suggesting a link, even indirect or remote, with serious crime [58]
- No relationship required between data retained and a threat to public security: not restricted to:
  - data pertaining to:
    - particular time period
    - particular geographical zone
    - circle of particular persons likely to be involved in serious crime [59]
  - persons whose data for other reasons could contribute to prevention, detection or prosecution of serious offences [59]
National legislation: These objections all go to the very heart of a requirement on communication service providers to retain communications data of all users. It is difficult to see how DRIP could address these (as a matter of retention, rather than access) without fundamentally altering the nature of the retention to something targeted at specific categories of communications relating to likely suspects and associates. Not addressed.
Specific rights
Issue:
- Applies to persons whose communications are subject to professional secrecy [58]
National legislation: Again, it is difficult to see how this could be addressed (as a matter of retention) without moving to some kind of targeted scheme. Not addressed [Update: Not addressed as a matter of retention. Intention is that Communications Data Code of Practice will be amended regarding access (See Comms Data Factsheet)].
Access and use
Issue:
- No objective criterion to determine limits of access to data and subsequent use for prevention, detection or prosecution of sufficiently serious offences [60]
- Leaves serious crime definition to national law [60]
- No substantive and procedural conditions relating to access and subsequent use
  - Left to member States to define procedures and conditions in accordance with necessity and proportionality [61]
  - In particular no objective criteria re restriction of number of persons authorised to access and subsequently use to that strictly necessary [62]
National legislation: Should be capable of being addressed in national legislation. The government is relying in part on the provisions of RIPA governing access to communications data to satisfy these requirements. RIPA is not the only legislation that can be used to require access to communications data. The use of other powers is discouraged in the Communications Data Code of Practice, but not forbidden. The government addresses this under DRIP S1(6) by limiting access to mandatorily retained data to RIPA authorisations and notices, court orders or other judicial authorisation or warrant, or regulations under DRIP. (See 'Joining DRIP to RIPA', below)
Independent supervision
Issue:
- Above all, access not dependent on prior review by court or independent administrative body following a reasoned request
  - No obligation on MS to establish such limits [62]
National legislation: Capable of being addressed in national legislation. But this requirement for prior review by a court or independent body is contrary to the scheme of RIPA, whose communications data acquisition notices are not (save for local authorities) subject to any such requirement. Nothing in DRIP or the provisional draft regulations addresses this objection. The government may perhaps seek to suggest that the ECJ has set a higher threshold than applies under the European Convention on Human Rights.
Retention period
Issue:
- No distinction between categories of data on basis of:
  - possible usefulness
  - persons concerned [63]
- No objective criteria limited to strict necessity on which to base determination of retention period [64]
National legislation: Capable of being addressed in national legislation. The government's intention appears to be to leave this aspect to the terms of individual retention notices issued by the Secretary of State, who is required in general terms to act in a way that he considers to be necessary and proportionate. DRIP itself and the provisional draft regulations do no more than set an overall maximum 12 months retention period.
Data protection issues
National legislation: Various issues raised by the ECJ concerning matters such as data security and destruction of data are addressed in the provisional draft regulations, which also introduce oversight of these aspects by the Information Commissioner.
Joining DRIP to RIPA
The government is relying on the necessity, proportionality and safeguards provisions of RIPA that govern access to communications data in
order to address some of the implications of the ECJ judgment.
However, RIPA is not the only legislation that can be used
to access retained communications data. Other
powers exist which do not enjoy RIPA's safeguards. The use of other non-specific
powers is deprecated in the Communications Data Code of Practice (para 1.3),
but not forbidden.
The draft Communications Data Bill proposed in 2012 would
have prevented such powers being used to acquire communications data. The draft Explanatory Note to Clause 24
stated:
"123. This clause introduces
Schedule 2 to the Bill which contains repeals of certain general information
powers so far as they enable public authorities to secure the disclosure by a
telecommunications operator of communications data without the consent of the
operator. Clause 24 therefore ensures that operators are not required by law to
obtain and disclose communications data other than in cases where the relevant
statutory framework expressly guarantees the substantive protections of Article
8 and Directive 2002/58/EC (Directive on privacy and electronic
communications)."
The argument that in assessing compliance with the ECJ
judgment DRIP should be read together with RIPA’s safeguards is difficult to
maintain if other powers exist that may not have similar safeguards. DRIP therefore addresses this in S1(6) by
limiting access to mandatorily retained data to RIPA authorisations and notices,
court orders or other judicial authorisation or warrant, or regulations under
DRIP. Part 3 of the provisional draft
regulations also applies this limitation to data retained voluntarily under S.102
ACSA 2001.
DRIP's RIPA provisions
The new provisions in DRIP include Clauses 4 and 5, outlined
briefly above. According to the Explanatory Note, these measures are only
intended to clarify the intent of the current legislation and therefore were
subject to Parliamentary scrutiny when RIPA was enacted in 2000.
RIPA extra-territoriality
Clause 4 attempts to address the government’s concern that it should be able to apply RIPA interception capability notices, interception warrants and communications data acquisition notices to non-UK companies that provide communications services to the UK public.
18 months ago this issue was addressed in some detail, as regards communications data notices, in the report of the Joint Committee on the draft Communications Data Bill (paras 230 to 243) published in December 2012.
The DRIP clarification has two distinct aspects. One is whether, as a matter of interpretation, the warrantry and communications data acquisition provisions of RIPA can apply to conduct outside the UK. The second is how a RIPA warrant or a notice can be served on an entity outside the UK and the entity made subject to the relevant duty under RIPA. This is important since no-one is obliged to do anything under these RIPA provisions unless they are served with or given the appropriate warrant or notice.
As to the first aspect, none of the existing RIPA provisions
contain any clear territorial limitation on the location of conduct that can be
authorised or required under a warrant or communications data notice. That contrasts with the criminal offence of
unauthorised interception which is explicitly confined to conduct within the
United Kingdom.
However location of conduct is only part of the issue. A person located outside the UK may engage in
conduct within the UK. A person located within
the UK may engage in conduct outside the UK; and a person located outside the
UK may engage in conduct outside the UK.
How these different scenarios map
onto the different aspects of RIPA is, and always has been, fearfully difficult to understand.
The Joint Committee said:
"The terms in which RIPA is
drafted appear to impose no limits on the telecommunications operators which
may be required to disclose communications data, as long as they operate in the
United Kingdom i[t] does not matter where they may be based."
As to location of conduct, now DRIP states explicitly that a warrant, a capability maintenance notice and a communications data acquisition notice may each relate to conduct outside the UK.
DRIP then provides that the duties to comply with such warrants and notices apply whether or not the person is within the United Kingdom. In the case of interception warrants knowing failure to comply with the duty can give rise to criminal liability under RIPA S11(7).
DRIP then goes to great lengths to devise ways of serving warrants and notices within the UK on non-UK entities. For communications data acquisition notices this can even include oral notification. Whether this elaboration is simply a question of practicality or perhaps reflects a deeper concern that serving government warrants and notices outside the UK might be regarded as executive acts violating the territorial sovereignty of another State is a matter for speculation.
As for data retention notices, DRIP provides that they can
be given to an operator (or description of operators) by giving or publishing
it in such manner as the Secretary of State considers appropriate for bringing
it to the attention of the operator or description of operators to whom it
relates.
Telecommunications services
As explained above, the amended definition of telecommunications services under DRIP Clause 5 applies both to data retention under DRIP and to RIPA.
[Updated with minor amendments 21.40 12 July 2014, 10.50 13 July 2014; and 12.17 13 July 2014 to take account of Home Office statement on telecommunications services reported in The Sunday Times; 14:42 15 July 2014 regarding professional secrecy. Further updated 23:11 16 July 2014 to take account of Home Office Human Rights Memorandum; and 09:48 22 July 2014 to include the government's point by point Note on compliance with the ECJ judgment and a reference to the enacted legislation.]
This point was brought up in the House of Commons Committee discussion of Clause 4 earlier today (Dominic Raab and Julian Lewis).
http://www.parliament.uk/business/publications/hansard/commons/todays-commons-debates/read/unknown/862/