2014-07-10

As reported a few days ago, the U.K. is set to introduce emergency legislation to make up for a recent ruling by Europe’s top court, which struck down an EU-wide law forcing communications firms to hang on to subscriber data for law enforcement purposes.

The emergency Data Retention and Investigation Powers (DRIP) Bill, which will be introduced in Parliament next week with cross-party support, will only be valid until the end of 2016, allowing the next government to decide what it wants to do at that point (a general election will take place in 2015). During that time, a full review of the controversial Regulation of Investigatory Powers Act (RIPA) will also take place – RIPA being the legislation that allegedly backs up the U.K.’s web surveillance activities, among other things.

In the meantime, though, Britons will get a fast-tracked DRIP Act so that spies and law enforcement can continue to see who called or emailed whom and when during the previous year. According to a statement from Number 10 Downing Street:

“Unless they have a business reason to hold this data, internet and phone companies will start deleting it which has serious consequences for investigations – investigations which can take many months and which rely on retrospectively accessing data for evidential purposes.”

Uncertainty over legality

It is 3 months since the Court of Justice of the European Union (CJEU) struck down the EU-wide Data Retention Directive for having insufficient privacy safeguards. The U.K.’s own data retention legislation was just a transposition of that directive into national law, so the CJEU ruling effectively scrapped it.

Prime Minister David Cameron insisted at a press conference on Thursday that the emergency legislation was being announced “at the first available opportunity”. Cameron’s sidekick, Deputy Prime Minister Nick Clegg, said the struck-down directive “didn’t have all the checks and balances which we have in our domestic provisions.” Ergo, he suggested, the new law would be comply with EU privacy legislation.

When it made its ruling in April, the CJEU said :

“We anticipate that the Commission, taking into account the Court’s judgment, will now reflect on the need for a new Directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive.”

However, Michele Cercone, the spokesman for EU home affairs commissioner Cecilia Malmström, said the effect of the ruling was to make it as if the directive had never existed, effectively removing harmonization between EU member states on the data retention issue:

“It is for member states to decide on national legislation and possible follow-ups. The judgement of the court only concerns the EU directive.”

“Safeguards” include new U.S. data deal

Apart from the limited period of validity and the promised RIPA review, the extra “safeguards” in the DRIP Bill include the establishment of a U.S.-style Privacy and Civil Liberties Oversight Board (essentially an enhancement of the existing “independent reviewer of terrorism legislation” role), new restrictions on the number of public bodies that can access communications data, and new annual transparency reports.

The Downing Street statement also said:

“We will appoint a senior diplomat to lead discussions with the American government and the internet companies to establish a new international agreement for sharing data between legal jurisdictions.”

A Downing Street spokeswoman said this was a reference to the fact that, while RIPA already applies to U.S. web firms operating in the U.K., some of those companies have challenged this. She said the new law would provide “clarification”.

“For example, the U.S. has the Wiretap Act, which companies will be concerned about, how complying with our interception laws fits with their own domestic interception laws,” she said.

It’s not clear how this new transatlantic effort will line up with the data protection negotiations already going on between Europe and the U.S. at the moment.

Controversy

There’s a great deal of debate going on about this new law, particularly regarding its fast-tracking. Campaigners such as the Open Rights Group said the new law may actually increase the amount of information held by service providers for surveillance purposes.

However, Liberal Democrat MP Julian Huppert, who has been a very vocal campaigner for digital rights in the past, insisted that there was nothing new in the new law, as far as the U.K. is concerned:

“We need legislation to allow communications data to be available, but not to store more than is already allowed. And in this post-Snowden world, we need to move towards keeping less, and finding better and more proportionate ways to do so. We need to completely rewrite the law in this area. But that cannot be done quickly. We have to get it right, which will take a lot of work from many experts … So I think it is right to agree to a stop-gap. A piece of legislation that can be passed quickly, but crucially will automatically expire at the end of 2016, giving time to write something better, and the certainty of knowing it will not just become entrenched.”



Show more