Open Rights Group (ORG) and Privacy International (PI) have intervened in a judicial review of the Data Retention and Investigatory Powers Act (DRIPA). The case has been brought by Tom Watson MP and David Davis MP, represented by Liberty.
The Claimants have been granted permission to proceed to a substantive hearing and ORG and PI have been given permission to make a further written intervention.
Dan Carey, solicitor at Deighton Pierce Glynn, acting for ORG and PI, said: "It is unusual for an application to intervene to be granted prior to the grant of permission in a judicial review, but it was important in this case, as both Open Rights Group and Privacy International have a wealth of knowledge of how data retention works in practice and its implications for our privacy. The emphasis that we placed on the EU law context (the Data Protection Directive and the E-Privacy Directive) appears to have been material to the court’s decision to grant permission. I am pleased that we also have permission to make further submissions for the substantive hearing next year."
IN THE HIGH COURT OF JUSTICE
ADMINISTRATIVE COURT
CO ref: CO/3794/2014
BETWEEN:
R (on the application of David Davis MP and Tom Watson MP)
The Secretary of State for the Home Department
Open Rights Group and Privacy International
Interveners’ submissions pursuant to order of Silber J
The relevant question for the Court
Contrary to what is said by Blake J. in paragraph 1 of his decision rejecting permission, the Claimants’ application for relief is not confined to a declaration of incompatibility; they seek an order disapplying section 1 of the Data Retention and Investigatory Powers Act 2014 (“the 2014 Act”). They are correct to do so because that section and the Data Retention Regulations 2014 (“the 2014 Regulations”) adopted thereunder (“the relevant provisions”) are contrary to EU law and in particular, in breach of the Directive on privacy and electronic communications 2002/58/EC (“PECD”).
Section 1 of the 2014 Act is concerned with the retention of ‘communications data’, which has the meaning given to it under s. 21(4) of the Regulation of Investigatory Powers Act (“RIPA”), namely traffic data and any data relating to the communication save for its contents, including location data. The starting point in relation to such data is the PECD, which provides for EU-wide harmonisation of the level of protection to be afforded by national laws to the processing of personal data in the electronic communications sector. Its provisions complement and particularise those provided in the Data Protection Directive 95/46 (“the DPD”): Article 1 PECD. The PECD provides for an individual right to confidentiality, erasure and anonymity of one’s ‘communications’ or ‘traffic data,’[1] obliging Member States to:
a) ensure the confidentiality of such data through the adoption of national legislation prohibiting ‘storage’ or ‘other kinds of interception or surveillance’ without the user’s consent, save where legally authorised in accordance with Article 15(1): Article 5(1)-(3) PECD (recital (3) Data Retention Directive 2006/24/EC (“DRD”)).
b) require electronic communications providers to erase traffic data relating to subscribers and users or make it anonymous when it is no longer needed for the purpose of the transmission of the communication, save where it is necessary to retain the data for billing purposes and/or where legally authorised under Article 15(1): Article 6 PECD (recital (3) DRD).
c) require service providers to offer the possibility of non-identification for callers (Article 8).
d) prohibit the processing (including retention) of location data unless that data is made anonymous or is processed with the user’s consent and even then the user must “continue to have the possibility, using simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication”: Article 9 PECD (recital (3) DRD).[2]
By Article 15 of the PECD, Member States can exceptionally restrict the rights set out in Articles 5, 6, 8(1)-(4) and 9 when “necessary, appropriate and proportionate [...] to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system, as referred to in Article 13(1) of Directive 95/46”. The Article 29 Working Party Data Protection Group[3] stated in its Opinion 5/2002[4] that the:
“... retention of traffic data for purposes of law enforcement should meet strict conditions under Article 15(1) ...: i.e. in each case only for a limited period and where necessary, appropriate and proportionate in a democratic society. Where traffic data are to be retained in specific cases, there must therefore be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law, in a way that provides sufficient safeguards against unlawful access and any other abuse. Systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case.” (emphasis added)
The DRD was enacted under Article 95 EC Treaty (now 114 TFEU) to require Member States to oblige communications providers to retain data and provide state access to it. It did not purport to comply with the strict requirements of Article 15 of the PECD. Indeed, it was adopted to derogate from Articles 5, 6 and 9 of the PECD (Article 3 DRD) and amended the PECD so as to disapply the strict exception requirements of Article 15 in relation to that data: Article 15(1)(a)-(b) PECD. As AG Cruz Villalón stated in his opinion of 12 December 2013 in Case C-293/12 Digital Rights Ireland Ltd, it “derogate[d] from the derogating rules which are laid down in Article 15(1) of [the PECD]”.
The Secretary of State accepts that the PECD applies to the communications data at issue but says that the relevant provisions comply with the strict requirements of Article 15: §26 Summary Grounds. The question for this court, therefore, is whether that is so. The interveners submit that it is not and, certainly, that the arguability threshold for permission purposes is met in relation to that question.
In construing Article 15 and deciding whether the relevant provisions comply with it, the Court must ensure protection for individual rights under Articles 7 and 8 of the Charter of Fundamental Rights (“the Charter”) and Article 8 of the European Convention on Human Rights (“ECHR”): Case C-390/12 Pfleger and ors 30 April 2014 at §36. Further, the Court must interpret the exceptions in Article 15 strictly: Case C-119/12 Josef Probst v mr.nexnet GmbH judgment 22 November 2012, at §23.
The relevant provisions do not meet the requirements of Article 15 PECD
First, for inter alia all the reasons set out by the Claimants, the relevant provisions do not comply with Articles 7 and 8 of the Charter or Article 8 ECHR, which they must do in order to meet the requirements of Article 15 PECD and EU law generally.
Secondly, the relevant provisions largely duplicate/re-enact the UK regime under the Data Retention (EC Directive) Regulations 2009 SI 859/2009 (“the 2009 Regulations”) that implemented the DRD.[5] Indeed, the Government notes to the Bill state that the “legislation will mirror the provisions of the existing Data Retention Regulations, and create a clear basis in domestic law for the retention of communications data”. This was considered necessary to avoid data held by companies being deleted following the judgment in Digital Rights Ireland.[6] Thus, the scope of the data to which retention obligations may apply under the relevant provisions is identical to that under the 2009 Regulations: (s.2(1) 2014 Act definition of ‘relevant communications data’). Just as was the case under the 2009 Regulations, under the new regime a telecommunications operator is only required to retain data when the Secretary of State issues a notice requiring it to do so, which may set out the extent to which the relevant data retention requirements are to apply: see Regulation 10 of the 2009 Regulations and s.1 of the 2014 Act. Importantly, retention notices adopted under the 2009 Regulations which were not revoked prior to the 2014 Regulations entering into force continue to have effect: Regulation 14 of the 2014 Regulations. Accordingly, in reality, the 2014 Regulations do little more than continue the regime that was intended to implement the DRD.[7] The DRD has been declared unlawful by the CJEU in Digital Rights Ireland, such that the original 2009 implementing measures (and the ‘notices’ issued thereunder) necessarily fail, as do the relevant provisions, which are in essence the same.[8]
The Government’s position is that “the new regime contains a series of safeguards that were not present in the Directive”: §4 Summary Grounds. In reality those safeguards are neither ‘new’ nor come close to meeting the objections of the CJEU to the DRD. Most obviously, as stated above, existing retention notices, which provide for widespread and systematic retention as mandated by the DRD, continue in force. Indeed, following the judgment of the CJEU the Government advised communications providers to carry on retaining data as required by the 2009 Regulations.[9] ‘New’ safeguards have no relevance to that position; the mandatory requirements of the DRD are given effect by notices issued under the 2009 Regulations.
As regards the safeguards said to be provided in the relevant provisions (set out in §§7-8 Summary Grounds), these do not meet the criticisms of the CJEU in Digital Rights Ireland. Most importantly, they fail entirely to specify restrictions on the S/S’s entitlement to issue a retention notice. The new regime does not lay down the clear and precise rules that the CJEU has said are needed to govern the scope and application of the measure in question and to impose minimum safeguards: §§54-55, 65 Digital Rights Ireland. In particular, there is nothing in the relevant provisions that requires a retention notice issued by the Secretary of State:
a) to be person- or crime-specific. Indeed there is no obligation on the S/S to satisfy herself that there is any connection (even indirect) between the person whose data is being collected and a situation which is liable to give rise to criminal prosecutions. The data retention obligation in the notice not only can but, having regard to the stated purpose behind the legislation, is likely to capture the data of persons for whom there is no evidence capable of suggesting their conduct might have a link, even an indirect or remote one, with a serious crime, which the Court explicitly criticised: §§58-59 Digital Rights Ireland.
b) to exclude persons whose communications are subject to professional secrecy obligations: §58 ibid.
c) to be confined to the minimum period ‘strictly necessary’: §62 ibid.
d) to ensure that the data is retained within the EU: §68 ibid.
11. Finally, rules governing restrictions on access to retained data are insufficient. Under Part II of RIPA a wide range of public authorities can obtain access and do so for purposes not confined to safeguarding national security or the prevention, detection or prosecution of defined, sufficiently serious crimes: §§60-62 ibid.
12. The S/S’s response is to say “[...] that having one’s communications retained by a telecommunications operator [...] is relatively minor.” The CJEU in Digital Rights Ireland took the opposite stance, the AG considering that the interference was “particularly serious”: §70 and the CJEU considering it potentially so great that it could in fact have an effect on the use of communications and consequently on freedom of expression: §§27-28 judgment, creating as it does a ‘vague sense of surveillance’: Opinion AG Cruz Villalón §§52, 72.
13. For the reasons stated above, the Claimants’ challenge is clearly arguable such that permission should be granted.
4 December 2014
JESSICA SIMOR QC
[1] ‘Traffic data’ is defined in Article 2(b) PECD as data processed for the purpose of the conveyance of a communication on an electronic communications network or for the purposes of billing. ‘Electronic communications network’ is defined in Directive 2002/21 as a common regulatory framework for electronic communications, networks and services: see Article 2 PECD.
[2] These provisions are implemented by the Privacy Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426). However, Regulation 28 exempts communications providers from the requirements of these Regulations where exemption is required for the purpose of safeguarding national security, which is determined by the issue of a certificate signed by a Minister of the Crown, which “shall be conclusive evidence of that fact”. It also provides for certain questions relating to such certificates to be determined by the Information Tribunal referred to in section 6 of the Data Protection Act 1998.
[3] Article 29 of Directive 95/46 provided for the establishment of this Working Group.
[4] Concerning the precursor to the DRD (Draft Council Framework Decision, Doc 8958/04).
[5] The DRD was first implemented by The Data Retention (EC Directive) Regulations 2007 (revoked and superseded by the 2009 Regulations) with respect to fixed network and mobile telephony. Pursuant to Article 15.3 of the DRD the UK had postponed its application to the retention of communications data relating to internet access, internet telephony and internet e-mail (these in fact being covered by the Retention of Communications Data (Code of Practice) Order 2003 (adopted under Part 11 of the Anti-Terrorism, Crime and Security Act 2001)). The 2009 Regulations covered all these data forms.
[6] They are set out by the Government in notes published by the Home Office on its website https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/330510/Factsheet_Data_Retention.pdf.
[7] Even if such notices expire on 1/1/2015 (see r.14(4)), r.14(6) appears to envisage their re-issue on the same terms.
[8] It is understood this is subject to legal challenge in R (Cosgrove) v S/S for the Home Department CO 7701/2011.
[9] HC Deb June 2014 c445W.