One of a series of posts on the forthcoming Investigatory
Powers Bill
Previous: Communications Data Retention, Part 3
Mandatory data retention purposes. The July 2015 High Court
decision in the Davis/Watson judicial review of DRIPA followed the CJEU DigitalRights Ireland case in April 2014, which invalidated the EU Data Retention
Directive. In July 2014, three months
later, the UK government rushed DRIPA through Parliament in a few days as
emergency legislation, replacing the previous secondary legislation which, since
it implemented the now invalid Directive, was itself vulnerable to challenge.
The government did not claim at the time that DRIPA
addressed every aspect of DRI. DRIPA made some accommodations, for instance
enabling data retention notices served on communications service providers to
specify different periods up to 12 months for retention of different classes of
data. However the government could not
rely in the court case on the newly flexible time period. Since it declined to give any details of DRIPA
notices given to CSPs, the court had to assume that any notices that may have
been given required retention for the full 12 months.
The CJEU in DRI set out a list of reasons why the Data
Retention Directive did not comply with the Charter. However it left room for doubt as to whether
every ground was a self-standing reason for invalidity, or whether only the
cumulative list as a whole justified invalidating the Directive. The High Court had to grapple with this issue
and decide which grounds, if any, were meant to be independent conditions for
Charter compliance.
It decided that three requirements were stated with such
emphasis as to be intended to be self-standing:
- the
legislation must lay down clear and precise rules governing the scope and
application of the measure; and imposing minimum safeguards sufficient to give
effective protection against the risk of abuse and against any unlawful access
to and use of the data (paragraphs 52 and 54);
- access to
and use of data retained under a general retention regime must be strictly
restricted to the purpose of preventing and detecting precisely defined serious
offences or of conducting criminal prosecutions relating to such offences
(paragraph 61);
- "Above
all", access must be dependent on a prior review by a court or an
independent administrative body whose decision seeks to limit access to the
data and their use to what is strictly necessary for the purpose of attaining
the objective pursued, and which intervenes following a reasoned request of
those authorities (paragraph 62).
Following this judgment (subject to appeal) there is now a
question mark over the purposes for which mandatorily retained communications
data may be accessed, even if the government can devise an otherwise EU
Charter-compliant retention regime.
While Article 15(1) of the EU Privacy and Data Retention
Directive mentions national security as well as investigation of criminal
offences as grounds to restrict certain of the privacy protections in the
Directive, the CJEU DRI judgment was framed entirely in terms of crime or
serious crime. The order made by the
High Court disapplied DRIPA in the following terms, which exclude national
security:
“in so far as access to and use of communications data retained pursuant to a retention notice is permitted for purposes other than the prevention and detection of serious offences or the conduct of criminal prosecutions relating to such offences”.
The High Court noted in its judgment:
“In their submissions on remedy following receipt of our draft judgment counsel for the [UK government] raised for the first time the question of whether access to retained data for national security reasons is within the scope of EU law. This was not raised in the oral or written arguments previously addressed to us and we decline to allow it to be raised at this late stage. Whether national security cases should have different provisions for authorisation of access to communications data will no doubt be the subject of careful thought when the new legislation is being drafted.” [123]
National security apart, the purposes for which
communications data may currently be accessed under RIPA are considerably
broader than either national security or serious offences and, subject to any
appeal against the High Court judgment, will have to be revisited at least for mandatorily retained data.
Prior independent authorisation. The method of authorisation
of access at least to mandatorily retained communications data will need to be
reconsidered in the light of the DRIPA judicial review judgment (subject to appeal), so as to put
in place prior authorisation by a court or independent administrative body.
No comments:
Post a Comment
Note: only a member of this blog may post a comment.