The Government seeks to protect us. Or so they suggest in the new Data Retention and Investigatory Powers Bill (DRIP). Announced on 10th July, this new Bill is being pushed through Parliament at lightning speed to compensate for the Court of Justice of the EU’s ruling in the joined cases of Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others (C-293/12) and Kärntner Landesregierung and Others (C-564/12), that the Data Retention Directive 2006/24 was invalid.The apparent good intentions of the Government to bridge the gap that would otherwise form when the Directive ceases have not been applauded. Tom Watson MP dubbed it “democratic banditry resonant of a rogue state”, as reported in the Guardian.Introduced to Parliament shortly after its announcement, the Bill lays out the powers of the Secretary of State, where necessary and proportionate, to order retention notices in the name of a public telecommunications company compelling them to retain relevant communications data whether or not such data is in existence at the time. This test is subject to a list of exceptions laid down in section 22(2) of the Regulation of Investigatory Powers Act 2000, paragraphs (a) to (h). A maximum period of 12 months is provided for telecommunications companies to retain users’ data.
It is reasonable to consider that this data will be used by various public authorities in the fight against organised crime and terrorism, in line with the Directive. The Bill is clearly a replacement for the 2009 Regulations which cease to be in effect with the Directive (although a “sunset clause” could theoretically bring about its end on 31st December 2016). Indeed communications data is defined to be of the kind mentioned in the Schedule to the Regulations. There is a strong national security flavour underpinning the Bill.
The inclusion of a proportionality test, while a cornerstone of EU law and the European Convention on Human Rights, adopts the safeguard laid out in the Digital Rights Ireland case. It can be inferred from the Court’s decision that legislation governing this area of law must lay out clear and precise rules, as well as proportionate measures to govern the scope and application of the scheme, complemented by safeguards to use in practice. In turn this must be balanced with respect for human rights so as to redress the imbalance provided by the blanket ban which the 2006 Directive permitted. The risk of abuse and unlawful access highlighted in the Digital Rights decision requires these guarantees. As the Court said, the scheme “entails an intereference with the fundamental rights of practically the entire European population”.
Put into practice, the new regime proposed by the Bill would have to create a targeted system by which to use the powers of surveillance and data retention. This is severely undermined by the ruling of the ECJ that the fight against serious crime, while of the utmost importance for public authorities, did not justify a measure such as that in Directive 2006/24. It was not necessary “for the purpose of that fight”, tipping the balance in favour of protecting human rights. For those who were not suspects, the collection of special personal data, such as the name and address of the subscriber/registered user of the phone-line or internet user IDs, made it possible for telecommunication companies to create a “faithful and exhaustive map of a large portion of a person’s conduct” in the sphere of his private life.
At its most extreme, there were real fears raised by Advocate-General Cruz Villalón that a “complete and accurate” picture of a user’s identity could be created. Paired with the risk that such data may be used for unlawful or malicious purposes, this exacerbates concerns as to the practicality of this arrangement across all sectors of the population. The Bill poses a permanent threat to residents of the United Kingdom, throughout the period for which data is retained.
While Benjamin Franklin may have gone a bit far in suggesting that “he who sacrifices freedom for security deserves neither”, there is truth in the need for a compromise in this Bill. Lessons need to be learnt from the Court’s decision if the Government is to ensure that the Bill doesn’t face a challenge on similar grounds to that of the Directive. This is particularly pertinent when considering the similarities between the two. For now however commentators are proving themselves unafraid to raise their objections to all aspects of the Bill. Shami Chakrabati of the human rights group Liberty voiced strong criticism that the Bill contravenes the ruling of the ECJ and is being pushed through all stages too quickly. There’s a strong argument to suggest that the speed with which the Bill is passing through Parliament is wholly insufficient if we are to ensure that proper safeguards are at the heart of the Bill. Sufficient debate must be had before anything reaches fruition.
The right to privacy, at the forefront of any liberal’s mind, is an obvious cause for concern. As I have already said above, the new proposals are liable to make people live in fear of surveillance. On the face of it, DRIP poses a threat to the core right protected under Articles 7 and 8 of the European Charter and Article 8 of the European Convention on Human Rights. For one, an interference with fundamental rights on the protection of personal data is inevitable, where the Bill provides for the processing of personal data. The special personal data being collected, while not personal information in the ordinary sense, could nevertheless provide what is essentially a road-map of conduct for those who are not suspects. A broadbrush approach is in this sense, and the opinion of the Advocate-General, undesirable even if some do say that it is a cruel necessity in order to protect national security.
It is imperative to reach equilibrium. The protection of personal data must be balanced with considerations of what is necessary in a democratic society to protect public health, safety, morals or any other warranted exceptions as per the qualifications in the Charter and ECHR. There is significant case law before the European Court on Human Rights attesting to the finding that a public authority storing data relating to the private life of an individual, as defined in Digital Rights, interferes with the right to respect for private life in Article 8(1) ECHR; see Leander v Sweden and Amann v Switzerland. In April the ECJ ruled in Google Spain v AEPD and Mario Costeja González (2014) Case C-131/12 that there was a “right to be forgotten”. Google was responsible for the processing of personal data that appeared in search result links, namely the specific ones which referenced Mr González having his home repossessed and the subsequent court case. The information presented on the internet potentially concerned a vast number of aspects of his private life. It was a win when the ruling balanced the right to privacy and data protection in EU law, taking into account the different roles played by public figures and private persons.
While clearly the data in hand is not of the same ilk as that at the centre of DRIP, the González judgment raises a fundamental point which we can transfer to the current discussion. Resort must be had to balancing privacy and data protection, as rights in the EU Charter, with the objective of protecting national security.
Many commentators note the British government’s lack of enthusiasm for protecting fundamental freedoms and civil liberties at all costs. We only need to think about the, now repealed, Anti-Terrorism, Crime and Security Act 2001, famously criticsed by Lord Bingham for its sheer and unfailing disregard for human rights. Introduced following the tragedy that was 9/11, Part IV was repealed following the issuing of a declaration of incompatibility in A.(F.C.) and others (F.C.) v. Secretary State Home Department  UKHL 56.
The detention pending deportation regime to which suspects were exposed according to the subjective determination of the Secretary of State, led to the Lords quashing the derogation from Article 5 of the ECHR on the grounds of a public emergency. The case is an interesting read for it brilliantly analyses the reasons for implementing the detention regime. In particular it thoroughly addresses the issue of “public emergency” and whether indeed there was one. This is worth bearing in mind when you consider that the Directive from which the Government is clearly drawing influence in its Bill was implemented following the Madrid and London bombings of 2005. Perhaps the Government’s new Bill will have the air of rights (dis)compliance found in preceding pieces of legislation?
The Labour proposal of compulsory bi-annual reporting by the Communications Commissioner on the functioning of the Bill may go some way to allaying fears that the scheme will follow in the footsteps of its arbitrary forebearers. Alternatively, a review by a court or other independent administrative body should be mooted in order to limit the access to data and ensure that any access is strictly necessary to attain the objectives outlined in the Bill. Without these being considered, there is clearly a need for stronger safeguards, and this was already addressed in the Digital Rights judgment.
If the Bill were to succeed it is crucial that it makes up for the failings of the Directive by laying down “clear and precise rules governing the extent of the interference with the fundamental rights” enshrined in various legal instruments to which the UK is party.