The detection, prevention and investigation of serious crime and national security are matters of enormous concern to government. Legislation requiring retention by service providers of matters such as telephone communications information (but not content of calls) has been considered necessary. Such data retention clearly impinges on the privacy of individuals. Following the 2004 Madrid Bombings, the European Union introduced new rules relating to data retention. The rules were in the Data Retention Directive 2006/24/EC.
In April 2014, the Court of Justice of the EU (CJEU) ruled that the directive was unlawful because it was held that there was a disproportionate interference with the right to respect for private life and with the right to the protection of personal data, enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union respectively. The Court's judgment is here.
Any new EU Directive would have to comply with ten requirements - see the Open Rights Group Briefing to MPs on Data Retention Legislation.
The 2006 Directive was implemented into English Law by the Data Retention (EC Directive) Regulations 2009.
The government's response to this is to be announced in Parliament today - The Guardian 10th July.
More detailed discussion of this topic may be read at Oxford Human Rights Hub and at Brick Court Chambers.
Updates to follow ...
The draft Data Retention and Investigatory Powers Bill and Draft Regulations (issued 11th July)
Explanatory Notes - 15 pages
The Home Secretary's statement in Parliament 10th July
Report of the Statement and comments from Opposition and MPs
The CJEU declared the 2006 Directive invalid and did not limit in any way the temporal effect of the judgment. Thus, the invalidity must date back to the date when the directive purported to become effective. This led to fears within government that legal action might have been taken against them for unlawful retention of data - see Out Law.com 24th June 2014.
Further analysis of the CJEU judgment is at the EU Law Analysis blog
Update 3 - Consequences of an invalid directive
Theresa May, in her statement to Parliament, was also confident that the 2009 regulations remained in force. This raises a tricky issue. The regulations were made under the power in section 2(2) of the European Communities Act 1972 which enables Ministers to implement EU obligations such as those imposed by a directive. On the one hand, it could be said that since the EU legal basis for the regulations had been removed then the national regulations would be automatically invalid. On the other hand, the national regulations could be seen as having a life of their own and, as a result, continuing in force in national law even though the directive had been invalidated.
The precise legal position is not as clear as might perhaps be expected. There is some discussion of this at Radiobruxelleslibera (25th April 2014) where the blog author states:
Interestingly, the question is what will happen with the current national legislations which have been enacted as transposition of the invalid directive. Although one could think that also these legislations have become invalid, this is not an automatic effect from the annulment judgment.
See also - "The Invalid Directive: The legal authority of a Union Act requiring domestic law making" - Thomas Vandamme. Alternatively, see this link.
Interestingly, the Advocate General concluded that the Data Retention Directive was invalid but recommended suspending the temporal effects of that finding until the EU legislature adopts, within a reasonable time period, the measures necessary to remedy the invalidity. See Press Release of 12th December 2013.
Update 4 11th July:
In light of the CJEU judgment, it is apparent that in order to comply with human rights law any new legislation must:
- restrict retention to data that is related to a threat to public security and in particular restrict retention to a particular time period, geographical area and / or suspects or persons whose data would contribute to the prevention, detection or prosecution of serious offences (paragraph 59);
- provide exceptions for persons whose communications are subject to an obligation of professional secrecy (see paragraph 58 of the judgment);
- distinguish between the usefulness of different kinds of data and tailor retention periods on the basis of the data’s possible usefulness for the purposes of the objective pursued or according to the persons concerned (paragraph 63);
- ensure retention periods are limited to that which is ‘strictly necessary’ (paragraph 64);
- empower an independent administrative or judicial body to make decisions regarding access to the data on the basis of what is strictly necessary (paragraph 62);
- restrict access and use of the data to the prevention, detection or prosecution of defined, sufficiently serious crimes (paragraphs 60-61);
- limit the number of persons authorised to access and subsequently use the data to that which is strictly necessary (paragraph 62);
- ensure the data is kept securely with sufficient safeguards to ensure effective protection against the risk of abuse and unlawful access (paragraph 66);
- ensure destruction of the data when it is no longer required (paragraph 67); and
- ensure the data is kept within the EU (paragraph 68).
Update 5 11th July:
The Data Retention and Investigatory Powers Bill - (DRIP as it has become known) - is concerned with both communications data (described by Theresa May as the who, where, when and how) and also interception (the ability to intercept and access the content of data). DRIP seeks to extend the law so that communication service providers based outside the UK must also comply with legal obligations. Theresa May said:
The Bill I am publishing today will ... put beyond doubt the fact that the existing legal framework, which requires companies to cooperate with UK law enforcement and intelligence agencies, also extends to companies that are based overseas but provide services to people here in the UK.
Theresa May said that the CJEU judgment did not consider the stringent controls and safeguards provided by domestic law under, for example, the Regulation of Investigatory Powers Act 2000 (RIPA).
Theresa May was also confident that the 2009 regulations remained in force albeit their legal basis (the 2006 Directive) had been removed. However, alongside the publication of DRIP, she published Draft Regulations.
Theresa May also announced a number of new measures "to reassure the public that their rights to security and privacy are equally protected."
- reduce the number of public authorities able to access communications data.
- publish an annual transparency report giving as much detail as possible – within obvious parameters – about the use of these sensitive powers.
- appoint a senior former diplomat to lead discussions with other governments to consider how we share data for law enforcement and intelligence purposes.
- establish a Privacy and Civil Liberties Board, based on the US model. This will build on the role of the Independent Reviewer of Terrorism Legislation and the Board will consider the balance between security and privacy and liberty in the full context of the threat we face from terrorism.
- review the interception and communications data powers we need – as well as the way in which those powers and capabilities are regulated – in the full context of the threats we face.
Further materials at Data Privacy
Draft Regulations issued by the Home Office on Friday 11th July. These will replace the 2009 Regulations.
Update 8: Media articles ....