The Data Retention and Investigatory Powers Act 2014 – Recent Developments

January 15, 2015

1. Introduction 

Data retention returned to the headlines earlier this month when the High Court agreed that the Government’s controversial retention legislation could be challenged by judicial review.[1] The challenge has been brought by David Davis MP and Tom Watson MP. The basis of the application is that the provisions of DRIPA, s 1, and the Data Retention Regulations 2014[2] (made in pursuance of it), are contrary to EU law and, in particular, are in breach of the Directive on Privacy and Electronic Communications.[3] The application was initially refused but following the success of the appeal the case will now proceed to a full hearing. The Open Rights Group and Privacy International are acting as Interveners in the case.[4]  

At the same time as DRIPA and the Regulations have come under fire from campaigners, the Government is proposing to use the Counter-Terrorism and Security Bill to extend their remit to cover data generated as a result of internet communications.

The controversy illustrates the gulf between views as to where the balance should lie between the interests of security and the interests of privacy.  

2. Communications data  

It is important to start by appreciating which data are at issue. The retention rules relate to communications data, ie data about a communication but not the content of the communication. This can cover a wide range of information such as the time of a communication, where it was made from, whether it was to a mobile phone or a landline, the identity of the subscriber to the service as well as a range of other items. Once a call has been made, the companies that provide the communication services have no legitimate business reason to retain this information, apart from the small amount which is relevant to billing the customer, and that is only required for a relatively short period. On the other hand this information can be of great interest to investigators in dealing with the investigation of offences and in collecting intelligence. There is, therefore, a strong wish among many of those charged with the protection of security and the investigation of offences to require providers to retain all communications data, at least for a period of time, in case those data can yield useful intelligence. 

In 2010, an attempt was made to extend the power to obtain communications data as well as the power to intercept the content of communications in the ill-fated Communications Data Bill (dubbed the ‘Snooper’s Charter’ by the press). The Bill was referred for report to a Joint Committee of both Houses of Parliament, which reported in December 2012 that, while there was a case for further access to communications data, the Bill was too sweeping and required wholesale review. In April 2013 the Liberal Democrat leader, Nick Clegg, withdrew his party’s support for the Bill. Without support from both parties in the coalition it was not possible for the Government to take the Bill forward. There is no doubt however that it remains the Government’s ambition to extend the retention of and access to communications data for investigative purposes. The passage of DRIPA, and its subsequent amendment via the Counter-Terrorism and Security Bill, would be a significant policy gain.

3. Legal framework  

The legal background is complex, involving the border between EU and national competence, the application of the European Union Charter of Fundamental Rights and the impact of a significant ruling of the CJEU.  

The starting point is Directive 2002/58/EC (the E-Privacy Directive). That Directive protects the privacy of communications data by requiring Member States: to ensure the confidentiality of those data;[5] to impose obligations on service providers to erase traffic data relating to users and subscribers or make such data anonymous once they are no longer needed for the service or for billing;[6] and to prohibit the processing of location data without user consent.[7] Article 15 of the E-Privacy Directive provides that these protections may be overridden by Member States in limited cases, where necessary, appropriate and proportionate to safeguard national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications service.

These provisions impose clear restrictions on the powers of Member States to require the wholesale retention of communications data. The issue of retention was one of intense political debate in Europe in the early years of the 21st century; a debate that resulted eventually in the passage of Directive 2006/24/EC (the Data Retention Directive). It will be noted that the Data Retention Directive was agreed and came into effect within a relatively short time after the Madrid and London bombings of 2004 and 2005 respectively. The Data Retention Directive mandated the retention, by providers of publicly available electronic communications services and networks, of specified categories of information related to electronic communications, such as the type of call, the duration of the call, the identity of the device used and the location of the user. It achieved this by providing that, by way of derogation from Articles 5, 6 and 9 of Directive 2002/58, Member States should adopt measures to ensure that specified data should be retained by providers of publicly available electronic communications services or of a public communications network within their jurisdiction. The data to be retained were listed in further Articles. It also provided that Article 15 did not apply to such data. In other words, as long as the retained data came from the list, there was no obligation that the retention should be limited to that necessary for the purposes listed in Article 15. This was a way of ensuring that all of the listed items of communications data should be retained, at least for a period of time. The maximum period of retention was set at 12 months, and whether the period should be shorter than that was an issue for Member States to determine.

In the UK, some data were already being retained by some providers under voluntary arrangements made under the Anti-Terrorism Crime and Security Act 2001 (ATCSA) but these arrangements have never been regarded by all providers as affording a wholly secure legal basis for such retention. Directive 2006/24/EC provided a secure legal base. It was implemented in the UK by regulations made under s 2 of the European Communities Act 1972. These regulations, the Data Retention (EC Directive) Regulations 2009[8] provided for the retention of the listed categories of data for the maximum period allowed by the Directive. It should be noted that the voluntary arrangements under the ATCSA remain in place.  

The passage of the Data Retention Directive did not remove the opposition to the practice of wholesale retention. The measure met with legal as well as political opposition in several Member States [9] although it continued to be supported by the European Commission. Two legal challenges to the Directive were taken to the CJEU, one emanating from Ireland and the other from Austria. In both cases the challenges were based on Articles 7 and 8 of the European Charter of Fundamental Rights and Article 8 of the European Convention on Human Rights. In April 2014 the CJEU ruled that Directive 2006/24 was void ab initio. The ruling was a landmark decision in overturning the entire instrument and has been the subject of much practical and academic discussion.[10]  

The ruling of the CJEU placed the UK implementing provisions in jeopardy. As noted earlier, the 2009 Regulations had been implemented using the powers set out in the European Communities Act 1972. Section 2(2) of that Act provides that the Government may pass delegated legislation:  

(a)  for the purpose of implementing any EU obligation of the United Kingdom, or enabling any such obligation to be implemented, or of enabling any rights enjoyed or to be enjoyed by the United Kingdom under or by virtue of the Treaties to be exercised; or

(b)  for the purpose of dealing with matters arising out of or related to any such obligation or rights or the coming into force, or the operation from time to time of subsection (1) above.

The CJEU ruling meant that the UK no longer had any EU obligations in relation to data retention; accordingly the 2009 Regulations no longer fell within the provisions of the 1972 Act. The 2009 Regulations did not crumble to dust because there is a presumption in UK law that secondary legislation is valid until it is challenged and overruled by the courts. They did, however, become extremely vulnerable to challenge on judicial review and the legal basis for retention of communications data by service providers became extremely shaky.

4. Government response 

The response of the UK Government was to pass DRIPA and its accompanying replacement regulations, the Data Retention Regulations 2014.[11] DRIPA was rushed through Parliament as fast-track legislation only a week before Parliament went into summer recess. It includes a ‘sunset clause’ under which it will be repealed on 31 December 2016. 

DRIPA is largely an enabling measure, which empowers the Secretary of State to make regulations that set out the new rules on retention to replace those in the 2009 Regulations. It also includes provisions which amend the Regulation of Investigatory Powers Act 2000. DRIPA and RIPA are closely linked. RIPA is the legislation that governs access to retained communications data as well as powers to intercept the content of communications. DRIPA amends definitions in RIPA and covers the extent of the powers of the UK to serve notices on telecommunications service providers that are based outside the UK, but provide services within the UK.  

As might be anticipated criticisms have been directed at both aspects of DRIPA.  

5. Retention provisions  

5.1 Definitions  

These are covered in DRIPA, s 2. The definitions used in RIPA have been adopted. This is a change from the 2009 Regulations which used definitions drawn from the EU telecommunications framework. There are two core definitions: ‘communications data’ and ‘telecommunications service’. The latter is dealt with below (see 6.1).

Communications data 

Directive 2006/24 defined the data that could be the subject of retention requirements by reference to the definitions of ‘traffic data’ and ‘location data’ from the E-Privacy Directive, plus the related data necessary to identify the subscriber or user. The RIPA definition appears to be significantly wider, as it covers any information held or obtained about those to whom services are provided.

 ‘Communications data’ are defined in RIPA, s 24 as any of the following:

(a)  any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunications system by means of which it is being or may be transmitted;

(b)  any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person-

(i)  of any postal service or telecommunications service; or

(ii)  in connection with the provision to or use by any person of any part of a telecommunication system;

(c)  any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

This definition is applied to DRIPA, to the extent that it applies in relation to telecommunications services and systems (ie postal operators are not covered). 

The Secretary of State’s powers to serve retention notices and require retention of data, however, relate only to a sub-set of communications data, the ‘relevant communications data’, which comprise communications data of the kind mentioned in the schedule to the 2009 Regulations (as far as such data are generated or processed in the UK by public telecommunications operators in the process of supplying the telecommunications services concerned). It includes unsuccessful call attempts as long as the data are stored or logged in the UK. In other words, the Secretary of State can only require retention of the same types of communications data that he could under the 2009 Regulations. He may however also make regulations which relate to the wider category of communications data retained by service providers under the voluntary code of practice under ATCSA, s 102.

It should be noted here that the proposed amendments in the Counter-Terrorism and Security Bill 2014 would extend the current definition of ‘relevant communications data’ to cover communications data related to internet access and communications (see 8 below). 

Communications service providers

The obligation to retain data can be imposed on a wider range of service providers than was previously the case under the 2009 Regulations. The definition of such a communications service in RIPA has been extended and now includes any case where a service, ‘consists in or includes facilitating the creation, management or storage of communications transmitted or that may be transmitted by means of such a system.’ 

This change to RIPA is explained in more detail at 6.1 below.  

5.2 Retention obligations  

Section 1(1) of DRIPA provides for the service of retention notices on the operators of public telecommunications services, requiring them to retain relevant communications data if the Secretary of State considers that the requirement is necessary and proportionate for one or more of the purposes falling within RIPA, s 22(2).[12] Under s 1(2) of DRIPA, the retention notice may:

• relate to a particular operator or any description of operators;

• require the retention of all data or any description of data;

• specify the period or periods for which data are to be retained;

• contain other requirements, or restrictions, in relation to the retention of data;

• make different provisions for different purposes; and

• relate to data whether or not in existence at the time of the giving or coming into force of the notice.

The Secretary of State has no duty to serve a notice, unlike under the 2009 Regulations, but the overall scheme, which involves the service of notices on a few large providers rather than many smaller, secondary providers, remains the same.  

Subsections 1(3) and (4) of DRIPA provide that the Secretary of State may make regulations making further provisions dealing with the retention of relevant communications data. These reflect the terms of the 2009 Regulations and cover:

• requirements before a notice can be given;

• maximum retention periods (which must not exceed 12 months[13]);

• the content, coming into force, review, variation or revocation of notices;

• the integrity and security of the data, access to the data, disclosure and destruction of retained data;

• enforcement or auditing of compliance with the requirements;

• a code of practice in relation to restrictions on powers;

• reimbursement of costs; and

• the repeal of the 2009 Regulations and transitional provisions.

5.3 The 2014 Regulations 

The 2014 Regulations came into effect on 31 July 2009. They effectively duplicate the retention obligations under the 2009 Regulations. They provide that a communications service provider is only required to retain data when made subject to a notice issued by the Secretary of State. They revoke the 2009 Regulations subject to savings provisions which provide that retention notices issued under the 2009 Regulations which have not already been fully revoked before the 2014 Regulations came into effect continue to have effect.[14] In effect, therefore, the position of service providers subject to existing notices remains unchanged.  

5.4 Other provisions  

Section 1(6) of DRIPA, which did not come into force with the rest of DRIPA, provides that a public telecommunications operator who retains relevant communications data by virtue of a retention notice under s 1 must not disclose those data, except under Chapter 2 of Part 1 of RIPA or a court order or other judicial authorisation or warrant or as approved by the regulations made under s 1(3). This provision would remove the various powers under which communications data can be obtained by public authorities outside the framework of RIPA. The existence of these residual powers has been criticised as undermining the safeguard provisions in RIPA. 

6. Amendments to RIPA 

DRIPA introduces three sets of amendments to RIPA:

• amendment of the definition of a ‘telecommunications service’;

• amendments to clarify that RIPA warrants can be served on providers outside the UK; and

• amendments to place references to national security on the face of the provisions dealing with economic interest of the UK.

6.1 Definitions  

‘Telecommunications service’

The powers under RIPA in relation to both the interception of the content of communications and to the disclosure of communications data apply to telecommunications services as defined in s 2. The term has been amended and significantly extended by DRIPA. The amendment means that the power to intercept and also the powers over communications data cover a wider range of data than was previously the case. This has been achieved by the addition of a further subsection (8A) to the definition as follows:

 

For the purposes of the definition of ‘telecommunications service’ in subsection (1) the cases in which a service is to be taken to consist in the provision of access to and of facilities for making use of, a telecommunications system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system. 

The definition in subsection (1) reads: 

‘telecommunications service’ means any service that consists in the provision of access to, and of facilities for making use of, any telecommunications system (whether or not one provided by the person providing the service) and ‘telecommunications system’ means any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy.

The Explanatory Notes[15] to DRIPA suggest that the amendment is required to clarify that web mail services are covered by RIPA. However, the amendment appears to cover areas far wider than webmail, in particular it might be regarded as covering systems which are used for holding and managing information that may be shared with others, such as social media sites.  

6.2 Service of interception warrants on non-UK companies 

DRIPA includes provisions dealing with the service of warrants under RIPA on companies based outside the UK which supply communications services within the UK. The Explanatory Notes to DRIPA state that the provisions ‘put beyond doubt’ that the relevant provisions of RIPA have extra-territorial effect. The Notes state: 

While RIPA has always had implicit extraterritorial effect, some companies based outside the United Kingdom, including some of the largest communications providers in the market, have questioned whether the legislation applies to them. These companies argue that they will only comply with requests where there is a clear obligation in law. When RIPA was drafted it was intended to apply to telecommunications companies offering services to United Kingdom customers wherever those companies were based. It is now important to make that clear on the face of the legislation.

Section 4 of DRIPA provides for the following:

• the service of warrants of interception on persons outside the UK, providing that the warrants may relate to conduct outside the UK. It also includes provisions dealing with the practicalities of such services;

• a duty on those on whom warrants are served to give effect to the warrant, enforceable by civil proceedings, including where the person is outside the UK;

• factors to be taken into account when determining whether steps for giving effect to a warrant are reasonably practicable;

• a clarification that the Secretary of State’s powers to give a notice requiring the maintenance of a permanent interception capacity may be exercised in respect of a provider based outside the UK, or in respect of conduct outside the UK, as long as the service being provided is to the public in the UK;

• that a person served with an interception notice has a duty to comply with it which may be enforced by civil proceedings for an injunction;

• that an authorisation or notice for the obtaining of communications data may relate to conduct outside the UK and be served on a person outside the UK; and

• that a person served with an authorisation or notice for obtaining communications data is under a duty to comply which may be enforced by civil proceedings.

6.3 Other amendments  

DRIPA also amends RIPA, s 5 to clarify that a warrant may be issued only for the purpose of safeguarding the economic well-being of the UK where it appears to the Secretary of State to be relevant to the interests of national security. The wording previously referred only to safeguarding the economic interests of the UK.  

A final amendment deals with reports by the Interception of Communications Commissioner and duties imposed on the independent reviewer of terrorism legislation. 

7. Challenges to DRIPA

DRIPA has been the subject of intense criticism since its first appearance. It is claimed that the retention provisions are disproportionate and do not include adequate safeguards to protect the privacy rights of individuals. The absence of measures to guarantee proportionality and provide safeguards proved fatal to Directive 2006/24 before the CJEU and could prove fatal to both DRIPA and the 2014 Regulations. The position of the UK Government on the other hand is that many of the necessary safeguards are already present in UK law because they are included in RIPA; that DRIPA provides additional safeguards so far as they are needed and that neither DRIPA nor the Regulations made under it impose any additional requirements beyond those which currently appear in the 2009 Regulations.

In relation to the amendments to RIPA, concerns have been voiced that the amendments significantly extend the category of providers that are subject to RIPA, and extend the reach of RIPA to overseas service providers. Moreover, although DRIPA has been presented by the Government as being aimed at addressing the problems caused by the finding of the CJEU that Directive 2006/24/EC was invalid ab initio,[16] these changes are not connected to the problems caused by the ruling on Directive 2006/24 and there was no justification for the Government including the provisions in a Bill rushed through as an emergency measure.

The challenge to DRIPA therefore rests on the argument that it does not meet the terms of the CJEU decision and breaches the Human Rights Act 2000 and the Charter Rights. Those who oppose DRIPA argue that the Charter Rights are applicable because, in legislating in an area which, until April 2014, was the subject of EU legislation, the Government is acting within the scope of EU law.[17] 

The question of the applicability of the Charter Rights has already given rise to comment. On the face of the matter it appears that, as the CJEU found that Directive 2006/24/EC was void ab initio, it must be as though it has never existed. If it never existed, then the EU has not in fact exercised its competence in that field and the power to act remains with Member States under Article 15(1) of Directive 2002/58 which provides that Member States can adopt measures to restrict the obligations to erase communications data (which would otherwise apply) where:

such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system as referred to in Article 13(1) of Directive 95/46/EC. To this end Member States may inter alia adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down by this paragraph. 

However, as Professor Steve Peers has pointed out on his blog at www.eulawanalysis.blogspot.co.uk, there is existing case law to the effect that, where Member States derogate from EU rules (in this case on the erasure of communications data), they are still subject to EU human rights obligations. As a result the Charter Rights would continue to apply to the national retention legislation. The Government, it appears, takes the position that DRIPA and the 2014 Regulations legitimately fall within the derogation in Article 15 and, irrespective of whether the Charter Rights do apply, the safeguards provided in DRIPA and in RIPA meet the appropriate standards as set out by the CJEU. 

Now that permission has been granted for a full hearing, no doubt these arguments will be canvassed at length. At the same time battle lines are being drawn up over the further amendments proposed under the Counter-Terrorism and Security Bill.  

8. Counter-Terrorism and Security Bill 2014 

The Bill passed its Second Reading on 2 December 2014 and is currently in Committee. The bulk of the Bill deals with the exclusion of individuals from the UK and the prevention and investigation of terrorism. Clause 17 proposes further amendments to the definitions in DRIPA. The amendments would extend the definition of communications data to include information related to an internet access service or an internet communications service which:

‘…may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication’. 

It would exclude data which only show the identity of the communications service through which the communication is transmitted or data that are processed in the course of providing the service. It would however, taken with the extension of the definition of telecommunications service in DRIPA (see 6.1 above), extend the range of data which could be subject to retention notices and subsequent access under RIPA. As such, it would mark a step towards meeting the aims of the Government to extend the scope of the data available for investigation without the need to bring forward specific legislation.  

The Government recognises that it lacks sufficient cross-party support to resurrect the ill-fated ‘Snooper’s Charter’. There was speculation that a revised version would appear in the Queen’s Speech in 2013 and again in 2014 but it has never made an appearance. In her speech to Parliament on the 14 January after the Paris attacks, Theresa May, the Home Secretary, made it clear that the Government remains committed to such legislation:

Every day that passes without the proposals in the Communications Data Bill, the capabilities of the people who keep us safe diminishes. And as those capabilities diminish, more people find themselves in danger and – yes – crimes will go unpunished and innocent lives put at risk. 

This is not – as I have heard it said – ‘letting the government snoop on your emails’. It is allowing the police and the security services, under a tightly regulated and controlled regime, to find out the ‘who, where, when and how’ of a communication but not its content, so they can prove and disprove alibis, identify associations between suspects, and tie suspects and victims to specific locations. It is too soon to say for certain, but it is highly probable that communications data was used in the Paris attacks to locate the suspects and establish the links between the two attacks. Quite simply, Mr Speaker, if we want the police and the security services to protect the public and save lives, they need this capability. 

The Explanatory Notes to DRIPA state that it is envisaged that when communications data policy is considered in the next Parliament, legislation conferring further powers may be proposed.[18] It seems however that the combination of the changes brought in by DRIPA and the Counter-Terrorism and Security Bill will mean that at least some of the ground may have been covered before that occurs.  

9. What happens next?  

The timetable for the hearing of the judicial review case brought by David Davis MP and Tom Watson MP is not known. It may be several months before it comes to a full hearing. In the interim, the Government appears to be determined to press on with the changes proposed in the Counter-Terrorism and Security Bill. Even if the judicial review case is successful, the Government will have bought valuable time for the investigative agencies and the service providers. While DRIPA and the 2014 Regulations may be the subject of challenge, it will take time as well as effort to overturn them. UK courts cannot overturn primary legislation even on grounds that it fails to comply with the Human Rights Act 2000 or the Charter Rights. The Supreme Court can only refer the impugned Act to Parliament. A case may take months or even years to go through that process. In the meantime, the Government and the affected service providers will remain able to rely on the new Regulations. In the area of communications data we may be looking forward to a game of cat and mouse between those who oppose and those who support wholesale retention for some time yet.

Rosemary Jay is a Senior Attorney with Hunton & Williams. Rosemary is the author of Sweet & Maxwell’s Data Protection Law & Practice, now in its fourth edition, a contributing editor to The White Book and an editor of the Encyclopedia of Data Protection and Privacy. She is a Fellow of the British Computer Society and writes and lectures widely on data protection matters.

The views expressed in this article are those of the author and do not represent the views of Hunton & Williams.

 

This article is prepared as a matter of general comment only and does not constitute legal advice.

 

 


 



[1] R (David Davis MP and Tom Watson MP) v Secretary of State for the Home Department, 8 December 2014, Mr Justice Lewis

[2] S.I. 2014 No.2042

[3] Directive 2002/58/EC

[4] The Interveners’ submissions are available at www.openrightsgroup.org

[5] Article 5 of Directive 2002/58

[6] Article 6 of Directive 2002/58

[7] Article 9 of Directive 2002/58

[8] SI 2009 No 859

[9] It was deemed unconstitutional in both the Czech Republic and Romania

[10] See for example Julia Hornle at http://www.scl.org/site.aspx?i=ed36865 and The Data Retention Directive Never Existed by Judith Rauhofer and Daithí Mac Síthigh, available at www.law.ed.ac.uk

[11] Draft regulations were published on the Home Office web site at the same time as the Bill was published.

[12] Section 22(2) of RIPA: in summary, these grounds arise where the obtaining of communications is necessary: in the interests of national security; for preventing or detecting crime; in the UK’s economic interests; in the interests of public safety; to protect public health; for taxation-related purposes; for preventing death or serious injury; or for any purpose (not falling within the list above) which is specified by the Secretary of State.

[13] s 1(5)

[14] reg 14

[15] Available at http://www.legislation.gov.uk/ukpga/2014/27/notes/contents

[16] Joined cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger respectively

[17] The Charter Rights only apply to the actions of the Commission and Member States where they are acting within the scope of EU law; see Article 51 – Field of Application

[18] Paragraph 32 of the Explanatory Notes to the Data Retention and Investigatory Powers Act 2014.