Threat of legal action not terrorism behind calls for emergency data retention legislation

Open Rights Group (ORG) has responded to government calls for emergency legislation that would require ISPs and telecoms companies to keep records of our phone calls, texts and internet usage as ‘spin’.  The digital rights organisation believes that it is the threat of legal action from organisations like ORG, not the threat of terrorism, that are behind the calls for legislation.

Executive Director, Jim Killock, said:

“The government is tacitly admitting that our current data retention laws are illegal and that they are required to re-legislate. The European Court has ruled that data retention should be limited and blanket retention cannot be justified because it interferes with our right to privacy. However Theresa May actually wants to increase the amount of communications data that is kept about us.”

In April, the European Court of Justice (CJEU) struck down the Data Retention Directive because it breached our rights to privacy and protection of personal data. Since then, ORG has written to the government to ask them to stop trying to enforce EU data retention laws that are no longer valid. In addition, over 1,500 Open Rights Group supporters have contacted their ISPs asking them to stop retaining their data.

ORG is calling for any new legislation to include the guidance issued by the CJEU (below), in particular to recognise that blanket retention cannot be justified because it interferes with our right to privacy and should therefore be limited.

The CJEU ruling means there is likely no legal basis for the continuing retention of data by ISPs. Most experts believe that the Data Retention Regulations 2009, which oblige ISPs to keep these records, are now invalid.

The CJEU judgement defined the following limits to data retention under human rights law. They said that legislation must:

– provide exceptions for people whose communications must be confidential for legal reasons

– restrict retention to data that is related to a threat to public security and in particular restrict retention to a particular time period, geographical area and / or set of individuals likely to be involved in a serious crime or persons whose data would contribute to the prevention or prosecution of crime

– restrict access to defined, sufficiently serious crimes

– limit access to that which is strictly necessary

– empower an independent administrative or judicial body to make decisions about access to the data on the basis of need

– distinguish between the usefulness of different kinds of data and relate retention periods to that question

– keep retention periods as low as possible, i.e. to periods that are ‘strictly necessary’

– ensure the data is kept securely

– ensure destruction of the data when it is no longer needed

– ensure the data is kept within the EU.