It is an increasing feature of debates about the mass retention of data that nobody wants to be the person that says yes or no. It is so clearly problematic to retain huge amounts of personal data, and in some cases to analyse it, that it is hard to see how it could ever be reconciled with the right to privacy.
However, who is prepared to stand up against these practices when police or others say it is necessary for their work?
That is the dilemma facing the Court of Justice of the European Union (CJEU) in their decision on the Davis-Watson (now just Watson) challenge to the Data Retention and Investigatory Powers Act (DRIPA). The CJEU were asked by the UK courts how EU law might restrict domestic data retention law, as the EU court had found the EU’s Data Retention Directive 2006 to be unlawful, after a challenge from Digital Rights Ireland (DRI). Open Rights Group intervened in the Watson case with Privacy International, and made oral submissions at the CJEU, thanks to the many hundreds of supporters that joined to help us challenge DRIPA in the courts.
The Advocate General’s opinion on this essentially appears to say that it may be possible – if difficult – to justify mass data retention, when there is literally no other means of solving serious crimes. However, he says that this decision has to be made in a national context, and is therefore up to national courts. In his Opinion, he states that the extent of EU law is to set compulsory minimum guidelines around any data retention scheme, that they must only relate to metadata, rather than content, and to insist that any scheme must protect the “essence” of the right to privacy.
Retention schemes must relate to serious crimes, not other, less important concerns. As with what the “essence” of the right to privacy could be interpreted to mean by our domestic courts, the same problem exists for what should be classified as a “serious” crime. There is no continuously applicable definition of what a serious crime is across English criminal law. Should “serious” crime be interpreted to mean: offences that are indictable only (which means they can only be tried in the Crown Court) such as murder, rape and false imprisonment; offences which are so serious that only the National Crime Agency should investigate them, such as human trafficking, kidnap and extortion; or offences which could attract Serious Crime Prevention Orders under the Serious Crime Act 2007 in the interests of public protection, such as drug and firearms trafficking. Or will the bar be set so low as to include offences which could attract a maximum of a six month custodial sentence at the Magistrates’ Court, such as common assault or criminal damage under £5,000?
The Opinion makes it clear that independent authorisation of access requests is absolutely critical to safeguard any retention scheme. It also notes that this is absent from the UK’s regime, which allows police officers to make these decisions. By reiterating the original criteria that the CJEU outlined for data retention in the DRI judgment, the Advocate General makes it clear that he believes a UK court should insist on independent authorisation as part of the minimum requirements under EU law.
The CJEU leaves it open to make further challenges to the proportionality of data retention. In the UK, this would require our Supreme Court and possibly the European Court of Human Rights to decide whether our own schemes are proportionate.
In some senses, this may be the natural balance, in the absence of more codified EU requirements and the longstanding assumption that domestic courts apply EU law directly, but it is also something of a cop out. If the UK becomes increasingly out of step with EU norms, would it still be reasonable to say that national courts should decide these balances, when it is every EU citizen that engages with the UK whose rights are affected? Why should different member states, each with the same right to privacy, come to wildly different conclusions about the legitimacy of data retention? And they have, with many EU countries simply ruling data retention incompatible with domestic constitutional privacy rights.
The interesting and difficult problem with data and Internet based services is that free expression and privacy are very often impacted. Unlike the sale of many traditional goods, human rights have to be a consideration.
This problem will not go away, even if the UK leaves the ambit of the CJEU and perhaps EU law altogether. The EU’s legal framework would insist that guarantees exist. This led Max Schrems to speculate that there could be a challenge to any data protection arrangement between a Brexit UK and the EU if our current surveillance laws are still in place. The new Investigatory Powers Bill (IP Bill), which will replace DRIPA, would in his view make a nonsense of the UK’s claims to protect data and privacy.
The government may be tempted to play down or ignore these concerns, as it has done in the past. This is tempting, as the IP Bill will need to be challenged afresh.
However, this clash is not something where Theresa May or Amber Rudd are simply in control of events, and can face down opponents. The courts will be forced to make judgments, sooner or later, and the EU and its legal system will be under increasing pressure to ensure that the UK has sufficient respect for the rule of law and fundamental rights as it concludes agreements with us as an external partner. The safe option is to do everything possible to comply with these judgements, so that they do not become a matter of dispute in our new relationship with the EU.