Government spin that data retention laws need to be revised to deal with terrorism, as reported by the Guardian on Saturday, is a simple attempt to mislead the public.
The real reason they need to legislate on data retention is that they are asking ISPs to operate illegally by retaining data, since the CJEU struck the Data Retention Directive down.
The government knows they are at high risk of legal action from ORG, Privacy International, Liberty and others, and of that legal action succeeding. ORG wrote to the government to ask them to stop trying to enforce EU data retention laws, as they had been invalidated. Thousands of ORG supporters wrote to ISPs to ask them to stop retaining their data illegally. One way or another, this law is likely to be struck down, and the government knows it.
ISPs have obeyed the government’s instructions to continue to retain data, which is in itself quite dubious. It is courts that decide what the law is, not governments. Parliament legislates, and governments must obey the law. The government does not decide what the law is.
Theresa May has long made it clear that she wants to extend data retention to cover mobile phone records, which are currently not kept because of the complexities of administering “Network Address Translation” caused by using single IP addresses for many mobile phone users. Currently, data retention applies to phone records, customer data, IP addresses and email logs at your broadband ISP.
But now all retention must also abide by the CJEU judgement, which has clearly delineated the limits to data retention under human rights law. The court has said that it must:
provide exceptions for people whose communications must be confidential for legal reasons
restrict retention to data that is related to a threat to public security and in particular restrict retention to a particular time period, geographical area and / or suspects or persons whose data would contribute to the prevention or prosecution of crime
restrict access to defined, sufficiently serious crimes
limit access to that which is strictly necessary
empower an independent administrative or judicial body to make decisions about access to the data on the basis of need
distinguish between the usefulness of different kinds of data and relate retention periods to that question
keep retention periods as low as possible, i.e. to periods that are ‘strictly necessary’
ensure the data is kept securely
ensure destruction of the data when it is no longer needed
ensure the data is kept within the EU
Will any new UK data retention law, drafted and published this week, meet these criteria? It doesn’t seem likely, and if not, then Parliament must be given time to consider it in line with the demands of the judgement. This paragraph, in particular, needs the attention of our legislators:
Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
That is a clear call to draw a line and stop blanket data retention. As the court says in their press statement, it is a “serious interference with fundamental rights of citizens to privacy”. Any new law needs to scale back, not increase, the UK's data retention laws.