DRIP: Convenience or Necessity?

What is beyond doubt is that the UK police seem to use data on a pretty routine basis. Some will be ‘retained data’, some will not. But our agencies make around 500,000 RIPA demands a year, under internal supervision.

This stands in stark contrast to most of the continent. While Poland seems even more data-hungry than the UK, nearly half of our EU partners have now abandoned data retention. Many were very reluctant in the first place. Data requests in some countries are negligible: Germany for instance records low thousands of requests.

What can we conclude? We’d have to argue that the UK was an extremely different place to Europe, where crime could only be detected through data to conclude that data retention is truly “essential”. This seems pretty unlikely although we’ve found people are willing to argue that the UK really is different. Far more likely, it seems to us is that the police are just used to using data as a routine practice in the UK, where other police forces are not. After all, it is cheap and easy: from a police point of view it could save costs even if they don’t solve many more crimes.

The question for the UK to answer is not whether data can contribute to policing but whether it is justified to retain data of innocent people on a blanket basis. The charge that Jack Straw and Lord Howard made in Parliament was that civil libertarians who asked for “targeted” retention were asking the police to be “clairvoyant” as they would have to know in advance whether somebody would commit a crime and become of interest. That is the argument for blanket retention in a nutshell. We don’t know who the criminals will be so we will keep all of the data all of the time.

The problem with this argument is that it swiftly extends itself to every kind of activity you can imagine. Your smart meter can tell the police if you’re growing cannabis or playing with chemicals, your Oyster card can help pinpoint whether you were near a crime scene; your car’s GPS tools can tell the police where you went. Your library might tell us if you’ve an unhealthy interest in chemistry or nuclear physics. Why not keep all of this data? Failing to do so, in Jack Straw’s terms, risks aiding criminals.

That’s why the line being drawn at “necessary and proportionate” is so important. This is the legal test for removing someone’s right to privacy. The alternative—justifying any invasion of privacy on the basis of its possible efficacy in extreme cases—means anything goes.

Under Article 8 of the European Convention on Human Rights, any interference with the right to privacy must be “necessary in a democratic society.” An interference will be considered “necessary in a democratic society” if:

(1) it answers a “pressing social need”; and

(2) it is proportionate to the legitimate aim pursued and if the reasons justifying it are “relevant and sufficient”.

(S and Marper v the United Kingdom, Applications nos. 30562/04 and 30566/04)

An interference will not be considered disproportionate if it is restricted in its application and effect, and safeguards exist to prevent arbitrary treatment. (MS v Sweden 74/1996/693/885) It was on proportionality and necessity grounds that the UK’s DNA database was found to violate Article 8, owing to “the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences.” It failed to “strike a fair balance between the competing public and private interests.” (S and Marper v the United Kingdom)

A similar test is set out in the Charter of Fundamental Rights, where “subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives…” (Article 52). This was the test applied by the Court of Justice of the European Union (CJEU) in the Digital Rights Ireland case.

As the CJEU noted, proportionality requires that acts are “appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives” (paragraph 46). In practice, this means that “legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data” (paragraph 54).

It was on the grounds of necessity and proportionality that the Data Retention Directive was found unlawful. It did not “lay down clear and precise rules governing the extent of the interference” and entailed “a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary”(paragraph 65). In particular, blanket retention was disproportionate (paragraph 59).

The Data Retention and Investigatory Powers Bill does nothing to address blanket retention. Blanket data retention is disproportionate on the basis that it goes far beyond what is required to meet the aimof investigating and prosecuting crime. It therefore cannot be said to be strictly necessary. Blanket retention exceeds the limits of what is appropriate. And the reasons provided by the Government are sufficient to justify some retention, but are not sufficient to justify blanket retention.

The Government is portraying the choice as retention of all data or no retention at all. This is a false dichotomy. here is an alternative: targeted retention. This would comply with the CJEU judgment. Targeted retention may be used not only in circumstances where a suspect has been identified, but also permits retention of all data in a particular area or all data of people belonging to a particular organisation or to everyone for a specific period of time (see paragraph 59 of the judgment). In addition, the police have many other methods and powers, including seizing physical evidence. And it should also be noted that some data is retained for business purposes in any event. Further, as all types of data proliferate, the necessity of data retention becomes more questionable.

For all these reasons Jack Straw is wrong to assert that for targeted retention to be successful one would have to know in advance whether somebody would commit a crime. He may be right that in very rare cases a criminal will be caught using blanket retention who would not be caught using targeted retention. But constructing a universal retention regime on the basis of a few rare incidents is the very definition of disproportionate.

In striking a balance between the legitimate aim and privacy, Courts also take account of harms including the fear instilled by ubiquitous surveillance, the chilling effect on freedom of speech and the risk of future abuse. Policing is not the only interest to be taken into account. Politicians should also pause to consider whether they would be content for rogue governments to grant themselves the broad powers contained in DRIP. We must apply the same standards to all governments to avoid being open to the charge of hypocrisy.

There is also a debate to be had regarding whether the resources dedicated to building up mass surveillance systems could be better spent on targeted and more intelligent investigations.

The recent vote also saw many Lib Dems moving towards accepting data retention, on the pragmatic justification that it can be useful in crime detection. Whilst the Government is undoubtedly correct that it is convenient for the police to rely on communications data, this does not mean it is necessary or proportionate for them to do so.

Currently all three main parties are sacrificing the idea of “necessary and proportionate” from being one that limits data retention to one that relies purely on access controls. This leaves us no defence against a quickly developing surveillance state. The Liberal Democrats should think very carefully about whether they have made the right decision in backing the DRIP Act. They could make the argument that this was an emergency measure and they do not support the idea of blanket collection. We have to hope that they quickly attempt to make the distinction rather than backing the Home Office view, which is designed to justify growing pervasive surveillance.

The same applies to the Labour party who should use the luxury of opposition to reconsider the mistakes they made in government. It would be wishful thinking to expect the Conservative party to change its mind while in power. However their backbenchers should recall their experience of Labour’s excesses and the Conservative view of these in Opposition. Politicians need to do a great deal more than accepting the Home Office’s assertions without challenge, which stand in sharp contrast to recent European human rights judgments.