Yesterday’s invalidation of the Data Retention Directive opens up the question, what do the government and ISPs do next? Both are in a dubious legal situation now that data retention has no legal basis.
The Data Retention Directive is retrospectively invalid: not only is it gone, but in legal terms it never was. The UK Regulations are also gone, as the power for the Secretary of State to pass them under the European Communities Act 1972 (UK legislation) relied on the validity of the original Directive. The obvious conclusion is that, for now, data retention should stop. We have yet to hear any argument that the government could carry on using the ex-directive's powers, although of course it may try.
There may be older legislation that the government could try to use for some elements of data retention, especially S.94 of the Telecommunications Act 1984, which gives powers to order communications data retention, but it’s more likely that the government will need to legislate.
Without the Data Retention Directive, the only likely legal basis for retaining data is for business purposes. The Data Protection Act (DPA) allows for limited retention and processing of personal data, in order to provide you with the services you’ve asked for.
ISPs are in a difficult position if they retain data under the DPA. They should hold data for business purposes only, and lawful access should be defined by law before they hand it over. We believe they are obliged to stop retaining data and should destroy any data retained by virtue of the now-invalid regulations. If companies continue to retain the data there is a risk that their own customers could launch claims for breaches of the DPA.
The government also needs to clarify whether it is still continuing to pay for retention of data that has no legal basis. Since the UK regulations that authorised these payments are now invalid, under what powers would the government make those payments?
ISPs need to think quickly about liability, retention and government payments; the government may need to legislate. If the government legislates, it needs to take the ECJ judgement into account, to avoid having to rewrite the rules again if the EU introduces new data retention legislation. We’ve been given guidance on the limits of surveillance and data retention, including requirements to limit the uses and confine the retention to relevant data. It is essential that the UK takes notice of these requirements.
The government may consider reviving the rump Snooper’s Charter proposals, for data retention in mobile companies, but it is also an opportunity for Parliament to discuss surveillance in the round. The ECJ ruling validates the argument that mass data retention breaches our rights to privacy and protection of personal data, and is very significant for ORG's legal challenge to government surveillance at the European Court of Human Rights. Any new government legislation must limit surveillance to what is necessary for investigation, rather than allow blanket data collection across everyone’s communications.