The High Court gave judgment this morning on Liberty’s challenge
to the mandatory communications data retention provisions of the Investigatory
Powers Act (IPAct).
The big questions in the Liberty case were:
- What does the government have to do make the IPAct comply with EU law following the Tele2/Watson decision of the CJEU?
- Has the government done enough in its proposed amendments to the IPAct, designed to address two admitted grounds of non-compliance with EU law?
- When does it have to make changes?
In brief, the court has made a finding of non-compliance
with EU law limited to the two grounds admitted by the government. The court declared that Part 4 of the
Investigatory Powers Act 2016 is incompatible with fundamental rights in EU law
in that in the area of criminal justice:
(1) access to retained data is
not limited to the purpose of combating “serious crime”; and
(2) access to retained data is
not subject to prior review by a court or an independent administrative body.
As to timing to make changes, Liberty argued for no later
than 31 July 2018 and the government for no earlier than 1 April 2019. The
court decided that 1 November 2018 would be a reasonable time in which to amend
the legal framework (albeit with a suggestion that practical implementation might
take longer). In the meantime the existing IPAct data retention regime remains in
effect, although lacking the two limitations and safeguards that have led to
the admitted non-compliance with EU law.
The court observed, having noted that the question of
appropriate remedy took the court into ‘deep constitutional waters’:
“… we are not prepared to
contemplate the grant of any remedy which would have the effect, whether
expressly or implicitly, of causing chaos and which would damage the public
interest.
Nor do we consider that any
coercive remedy is either necessary or appropriate. This is particularly so in
a delicate constitutional context, where what is under challenge is primary
legislation and where the Government proposes to introduce amending legislation
which, although it will be in the form of secondary legislation rather than
primary, will be placed before Parliament for the affirmative resolution
procedure to be adopted.
On the other hand it would not be
just or appropriate for the Court simply to give the Executive a carte blanche
to take as long as it likes in order to secure compliance with EU law. The
continuing incompatibility with EU law is something which needs to be remedied
within a reasonable time. As long ago as July 2017 the Defendants conceded that
the existing Act is incompatible with EU law in two respects.”
Turning to the main remaining grounds relied upon by
Liberty:
1. Perhaps of greatest significance, the court rejected
Liberty’s argument that the question of whether the legislation fell foul of
the Tele2/Watson prohibition on general
and indiscriminate retention of communications data should be referred to the
CJEU. It noted a number of differences from the Swedish legislation considered
in Tele2/Watson and concluded:
“In the light of this analysis of the
structure and content of Part 4 of the 2016 Act, we do not think it could
possibly be said that the legislation requires, or even permits, a general and
indiscriminate retention of communications data. The legislation requires a
range of factors to be taken into account and imposes controls to ensure that a
decision to serve a retention notice satisfies (inter alia) the tests of
necessity in relation to one of the statutory purposes, proportionality and
public law principles.” The court declined to refer the point to the CJEU.
2. The question of whether national security is
within the scope of the CJEU Watson decision
would be stayed pending the CJEU’s decision in the reference from the Investigatory
Powers Tribunal in the Privacy
International case. The court declined to make a reference to the CJEU in
these proceedings.
3. Liberty argued that a ‘seriousness’ threshold should
apply to all other objectives permitted under Article 15(1) of the EU ePrivacy Directive,
not just to crime. The court held that other than for criminal offences the fact that national legislation does
not impose a “seriousness” threshold on a permissible objective for requiring
the retention of data (or access thereto) does not render that legislation
incompatible with EU law and that necessity
and proportionality were adequate safeguards. It declined to refer the point to
the CJEU.
4. A highly technical point about whether the CJEU Watson decision applied to ‘entity data’
as defined in the IPAct, or only to ‘events data’, was resolved in favour of
the government.
5. Liberty argued that retention purposes concerned
with protecting public health, tax matters, and regulation of financial
services/markets and financial stability should be declared incompatible. The
court declined to grant a remedy since the government intends to remove those
purposes anyway.
6. As to whether mandatorily
retained data has to be held within the EU, the court stayed that part of the
claim pending the CJEU’s decision in the IPT reference in the Privacy International case.
7. The part of the claim regarding notification of
those whose data has been accessed was also stayed pending the CJEU’s decision
in the IPT reference in the Privacy
International case.
By way of background to the decision, the IPAct was the government’s
replacement for DRIPA, the legislation that notoriously was rushed through Parliament in 4 days in July 2014 following the CJEU’s nullification of the EU Data
Retention Directive in Digital Rights
Ireland.
DRIPA expired on 31 December 2016. But even as the replacement
IPAct provisions were being brought into force it was obvious that they would
have to be amended to comply with EU law, following the CJEU decision in Tele2/Watson issued on 21 December 2016.
A year then passed before the government published a
consultation on proposals to amend the IPAct, admitting that the IPAct was
non-compliant with EU law on the two grounds of lack of limitation to serious
crime and lack of independent prior review of access requests.
That consultation
closed on 18 January 2018. Today’s judgment noted the government’s confirmation that legislation is due to be considered
by Parliament before the summer recess in July 2018.
In the consultation the government set out various proposals
designed to comply with Tele2/Watson:
- A new body
(the Office of Communications Data Authorisations) would be set up to give
prior independent approval of communications data requests. These have been
running at over 500,000 a year.
- Crime-related
purposes for retaining or acquiring events data would be restricted to serious
crime, albeit broadly defined.
- Removal of
retention and acquisition powers for public health, tax collection and
regulation of financial markets or financial stability.
The government's proposals were underpinned by some key
interpretations of Tele2/Watson. The
government contended in the consultation that:
- Tele2/Watson does not apply to national
security, so that requests by MI5, MI6 and GCHQ would still be authorised
internally. That remains an outstanding issue pending the Privacy International reference to the CJEU from the IPT.
- The
current notice-based data retention regime is not 'general and indiscriminate'.
It considered that Tele2/Watson's
requirement for objective targeted retention criteria could be met by requiring
the Secretary of State to consider, when giving a retention notice to a
telecommunications operator, factors such as whether restriction by geography
or by excluding a group of customers are appropriate. Today’s Liberty decision has found in the
government’s favour on that point. Exclusion of national security apart, this
is probably the most fundamental point of disagreement between the government
and its critics.
- Tele2/Watson applies to traffic data but
not subscriber data (events data but not entity data, in the language of the
Act). Today’s decision upholds the government’s position on that.
- Tele2/Watson does not preclude access by
the authorities to mandatorily retained data for some non-crime related
purposes (such as public safety or preventing death, injury, or damage to someone's
mental health). That was not an issue in today’s judgment.
As to notification, the government considered that the
existing possibilities under the Act are sufficient. It also considered that Tele2/Watson did not intend to preclude
transfers of mandatorily retained data outside the EU where an adequate level
of protection exists. These remain outstanding issues pending the Privacy International reference to the
CJEU from the IPT.
No comments:
Post a Comment
Note: only a member of this blog may post a comment.