One of a series of posts on the forthcoming Investigatory Powers Bill
Previous: Communications Data Retention, Part 3
Mandatory data retention purposes. The July 2015 High Court decision in the Davis/Watson judicial review of DRIPA followed the CJEU DigitalRights Ireland case in April 2014, which invalidated the EU Data Retention Directive. In July 2014, three months later, the UK government rushed DRIPA through Parliament in a few days as emergency legislation, replacing the previous secondary legislation which, since it implemented the now invalid Directive, was itself vulnerable to challenge.
The government did not claim at the time that DRIPA addressed every aspect of DRI. DRIPA made some accommodations, for instance enabling data retention notices served on communications service providers to specify different periods up to 12 months for retention of different classes of data. However the government could not rely in the court case on the newly flexible time period. Since it declined to give any details of DRIPA notices given to CSPs, the court had to assume that any notices that may have been given required retention for the full 12 months.
The CJEU in DRI set out a list of reasons why the Data Retention Directive did not comply with the Charter. However it left room for doubt as to whether every ground was a self-standing reason for invalidity, or whether only the cumulative list as a whole justified invalidating the Directive. The High Court had to grapple with this issue and decide which grounds, if any, were meant to be independent conditions for Charter compliance.
It decided that three requirements were stated with such emphasis as to be intended to be self-standing:
- the legislation must lay down clear and precise rules governing the scope and application of the measure; and imposing minimum safeguards sufficient to give effective protection against the risk of abuse and against any unlawful access to and use of the data (paragraphs 52 and 54);
- access to and use of data retained under a general retention regime must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences (paragraph 61);
- "Above all", access must be dependent on a prior review by a court or an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued, and which intervenes following a reasoned request of those authorities (paragraph 62).
Following this judgment (subject to appeal) there is now a question mark over the purposes for which mandatorily retained communications data may be accessed, even if the government can devise an otherwise EU Charter-compliant retention regime.
While Article 15(1) of the EU Privacy and Data Retention Directive mentions national security as well as investigation of criminal offences as grounds to restrict certain of the privacy protections in the Directive, the CJEU DRI judgment was framed entirely in terms of crime or serious crime. The order made by the High Court disapplied DRIPA in the following terms, which exclude national security:
“in so far as access to and use of communications data retained pursuant to a retention notice is permitted for purposes other than the prevention and detection of serious offences or the conduct of criminal prosecutions relating to such offences”.
The High Court noted in its judgment:
“In their submissions on remedy following receipt of our draft judgment counsel for the [UK government] raised for the first time the question of whether access to retained data for national security reasons is within the scope of EU law. This was not raised in the oral or written arguments previously addressed to us and we decline to allow it to be raised at this late stage. Whether national security cases should have different provisions for authorisation of access to communications data will no doubt be the subject of careful thought when the new legislation is being drafted.” 
National security apart, the purposes for which communications data may currently be accessed under RIPA are considerably broader than either national security or serious offences and, subject to any appeal against the High Court judgment, will have to be revisited at least for mandatorily retained data.
Prior independent authorisation. The method of authorisation of access at least to mandatorily retained communications data will need to be reconsidered in the light of the DRIPA judicial review judgment (subject to appeal), so as to put in place prior authorisation by a court or independent administrative body.