July 09, 2014

Briefing to MPs on Data Retention legislation

Data retention: policy briefing - PDF

Update Jul 14: Briefing based on proposed DRIP bill



It is rumoured that the government is to introduce "emergency" legislation in response to a judgment by the Court of Justice of the European Union (CJEU) in April 2014 which held that the EU Data Retention Directive was unlawful on the grounds that it breached human rights. The invalidation of the Directive means that the British law implementing the Directive and requiring UK communication service providers to retain communications data for a 12-month period is equally invalid. Any legislation mandating data retention must now comply with the ten points set out in the CJEU judgment, as outlined below. In particular, blanket data retention is unlawful.

The CJEU judgment reflects a commitment made in the Coalition’s Programme for Government which pledged: "[The] Ending of storage of internet and email records without good reason."

One of the key factors behind the rumoured legislation may be a judicial review claim filed against the Home Secretary in 2011 asserting the unlawfulness of UK data retention legislation.[1] The judicial review was initially stayed pending the outcome of the CJEU judgment and until now the judicial review proceedings have not been public knowledge. The Home Secretary has now confirmed that she has notified the High Court of the CJEU judgment. The judicial review claim will therefore proceed. If the judicial review is successful, the UK Regulations will be declared unlawful by a UK Court. The proposed legislation is an attempt to avoid this. Unless any new legislation takes account of the CJEU judgment it will also be open to immediate challenge.

The decision by the Court of Justice of the European Union 
On 8 April 2014 the CJEU ruled on the lawfulness of the Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC) in the Digital Rights Ireland case (joined cases C-293/12 and C-594/12). [2]


The CJEU concluded that in adopting the Data Retention Directive “the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality,” as a result of a wide-ranging and serious interference with individual rights and the lack of sufficient safeguards to ensure effective protection of those rights. The CJEU found the Data Retention Directive to be in breach of Articles 7 and 8 of the EU Charter of Fundamental Rights and Freedoms as well as Article 8 of the European Convention on Human Rights (ECHR). [3] As a result the CJEU declared the Data Retention Directive invalid.

The CJEU decision had the effect of rendering unlawful the UK's regulations implementing the Data Retention Directive, the Data Retention (EC Directive) Regulations 2009 (the Regulations). The Regulations fail to comply with EU law and the ECHR on the same grounds that the Data Retention Directive fails to comply. In addition, the Regulations were made pursuant to s2(2) European Communities Act 1972, which empowers the Government to make provision for implementing any 'EU obligation'. As the Data Retention Directive has been found to be unlawful, the Regulations were not required to give effect to an EU obligation and are consequently outwith the statutory powers under which they were made, rendering them ultra vires.

The CJEU identified several characteristics of the Data Retention Directive that rendered the regime disproportionate. The effect of this was to define the limits of permissible data retention pursuant to human rights law and EU law. Any new UK legislation must be proportionate. It must not exhibit those characteristics of the Data Retention Directive that were found to be disproportionate. It is for the Government to demonstrate that any new proposal is proportionate in light of the CJEU's findings.

The criteria laid down by the judgment
In light of the ruling, it is apparent that in order to comply with human rights law any new legislation must:

  1. restrict retention to data that is related to a threat to public security and in particular restrict retention to a particular time period, geographical area and / or suspects or persons whose data would contribute to the prevention, detection or prosecution of serious offences (paragraph 59);
  2. provide exceptions for persons whose communications are subject to an obligation of professional secrecy (see paragraph 58 of the judgment);
  3. distinguish between the usefulness of different kinds of data and tailor retention periods on the basis of the data’s possible usefulness for the purposes of the objective pursued or according to the persons concerned (paragraph 63);
  4. ensure retention periods are limited to that which is ‘strictly necessary’ (paragraph 64);
  5. empower an independent administrative or judicial body to make decisions regarding access to the data on the basis of what is strictly necessary (paragraph 62);
  6. restrict access and use of the data to the prevention, detection or prosecution of defined, sufficiently serious crimes (paragraphs 60-61);
  7. limit the number of persons authorised to access and subsequently use the data to that which is strictly necessary (paragraph 62);
  8. ensure the data is kept securely with sufficient safeguards to ensure effective protection against the risk of abuse and unlawful access (paragraph 66);
  9. ensure destruction of the data when it is no longer required (paragraph 67); and
  10. ensure the data is kept within the EU (paragraph 68).

Blanket data retention is unlawful
To meet these criteria, the Regulation of Investigatory Powers Act 2000 and accompanying Orders - which govern retention of, and access to, communications data - will require substantive revision. It is essential that any new legislative proposal is subjected to full parliamentary scrutiny in order to ensure the above criteria are met. The first criterion is particularly crucial as it prohibits automatic blanket retention of communications data. Any proposal that seeks to either maintain blanket retention or continue the current access regime would fail to meet these criteria. Such a proposal would be contrary to the ECHR as incorporated by the Human Rights Act 1998 (HRA) and EU law for the same reasons that the Data Retention Directive has been found unlawful. Bringing forward such legislation would also breach the Rule of Law and abrogate the Government's human rights obligations. It is also important that any new regulations do not purport to have retrospective effect.

The Government has not previously attempted to re-legislate provisions that have been found unlawful through breaches of fundamental rights. Any attempt to do so now would set a dangerous precedent. Further, this is not an 'emergency'. The Government has had three months to consider the judgment of the CJEU.

The Government may seek to argue that new primary legislation does not need to comply with the fundamental rights set out in the Charter. This is misleading for two reasons. First, parallel rights are contained in the HRA. The Digital Rights Ireland case was brought primarily on the basis of Charter rights because it sought to challenge EU legislation. All new legislation must comply with the rights contained in the ECHR as incorporated by the HRA. Secondly, in bringing in new legislation in an area that was until April governed by an EU Directive, it is arguable that the Government is acting in the scope of EU law. This is the test that has been applied by the CJEU in respect of the application of Charter rights [4] and it is the test set out in the Explanations Relating to the Charter of Fundamental Rights. [5]

 
The judicial review
A judicial review claim [6] has been filed against the Home Secretary. Until now the judicial review proceedings have not been public knowledge. The proceedings challenge the legality of the Data Retention (EC Directive) Regulations 2009 and in particular their compatibility with Article 8 of the ECHR and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The judicial review also alleges that the Regulations are ultra vires the European Communities Act 1972 for the reasons discussed above. The Claimant is seeking an order quashing the Regulations. If the judicial review is successful, the Regulations will be declared unlawful by a UK Court. The proposed legislation is an attempt to avoid this. Any new regulations could also be subject to judicial review if they do not comply with the Digital Rights Ireland judgment.

Recommendations

  1. Parliament must be given an adequate opportunity to consider any new proposal, including through pre-legislative scrutiny.
  2. Any proposal must meet the criteria set out by the CJEU, and in particular it must not permit blanket retention.

For more information please contact:

Elizabeth Knight, Legal Director, Open Rights Group
elizabeth@openrightsgroup.org

Isabella Sankey, Policy Director, Liberty
bellaS@liberty-human-rights.org.uk

Carly Nyst, Legal Director, Privacy International
carly@privacyinternational.org

 

1. Tracey Cosgrove v Secretary of State for the Home Department, CO/ 7701/2011
2. Judgment in Digital Rights Ireland case (joined cases C-293/12 and C-594/12) available at http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130de7889f80874a44de0af9c9af3af41afa0.e34KaxiLc3eQc40LaxqMbN4OaNyQe0?text=&docid=150642&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=15846
3. The European Convention on Human Rights is incorporated into domestic law by the Human Rights Act 1998
4. See Åkerberg Fransson case, C-617/10
5. Explanations Relating to the Charter of Fundamental Rights (2007/C 303/02), Explanation on Article 51 — Field of application
6. Tracey Cosgrove v Secretary of State for the Home Department, CO/ 7701/2011