Last week, the High Court ruled that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was inconsistent with EU law.
The case was originally presented as a human rights challenge, but the central questions that were examined in court concentrated on whether or not the powers conferred by DRIPA were compatible with EU law. These were questions that ORG brought to the court. In answering this question, Lord Justice Bean and Mr Justice Collins confirmed that EU law, as set out by the Court of Justice of the EU in the case Digital Rights Ireland (DRI), is indeed applicable to UK law.
The High Court ultimately found that DRIPA was incompatible with EU law and referred to two Court criteria laid down by the CJEU in the DRI judgment. Firstly, DRIPA failed to provide clear and precise rules regarding the access to and use of the retained communications data. Secondly, DRIPA does not make prior review by a court or an independent administrative body a mandatory requirement for access to the retained data.
Although it is now clear that the DRI judgment applies to UK law, not all of the CJEU's demands have been accepted by the UK courts. One of the remaining issues is that the retention of data should be restricted to a particular time period, geographical area and/or persons. However, the High Court thought that such a restriction would be completely impractical. According to the High Court:
“The CJEU cannot have meant that CSPs [communication service providers] can only lawfully be required to retain the communications data of “suspects or persons whose data would contribute to the prevention, detection or prosecution of serious criminal offences”. Such a restriction would be wholly impracticable. Rather the Court must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens’ rights set out in Articles 7 and 8 of the Charter.”
This makes way for general retention practices which may be over-broad. We should note that the CJEU in DRI was specifically concerned about the proportionality of any interference with the rights guaranteed under the Charter. It is difficult to see how such general retention powers can be proportional, given that they affect even persons for whom no evidence exist to suggest their involvement in serious crime.
The High Court ruled that a general retention regime must be accompanied by an access regime, whereby there must be prior review by a court or an independent administrative body.
An access regime is necessary to ensure that the access to and use of such data is strictly restricted for the purposes such as national security, defence and public security. However, an over-broad data retention practice may not be counteracted simply with a narrower access regime. This is because broad retention practices create a large pool of personal information that can still be preyed upon by those who are not authorised to access it. Data retention in a generalised manner also creates a chilling effect, capable of undermining the freedom to information as users' distrust of the internet as a means of communication grows.
The High Court has also opened the question of UK's authorisation regime for data requests. The CJEU judgment requires independent prior review for access to retained data. This judgment does not address personal data held by telecoms companies for business purposes or with consent from users. The access regime for personal data retained or just held is provided under RIPA, which allows for self-authorisation by the police. It would be highly impractical to run two separate access regimes for retained and other personal data. Now that the court has flagged this matter up, the Parliament has the opportunity to reconsider the access regime as a whole.
The High Court's judgment is very welcome as it asserts the supremacy of EU law which has properly considered the retention and protection of data. A similar question with regards to the general retention of data has also arisen in Sweden, with their courts asking the CJEU to clarify if:
“Retention [may] nevertheless be permitted where access by the national authorities to the retained data is determined as described below; security requirements are regulated as described below; and all relevant data are to be retained for six months … and subsequently deleted…..?”
This issue is still ongoing as the CJEU's final opinion is yet to be seen. Worryingly, the CJEU may not hear from civil society intervenors. Similarly, we can expect the UK government to appeal the decision and perhaps request a reference back to the CJEU. Meanwhile, other countries – including Belgium, the Netherlands, Germany, Austria, Bulgaria, Romania and others have removed data retention from their laws. So far, their police seem to be detecting crime without major complaints.