On Tuesday, MPs voted overwhelmingly for the Data Retention and Investigatory Powers Bill (DRIP) in a rushed day of readings that Labour MP Tom Watson called, “democratic banditry resonant of a rogue state”. The new law will oblige internet and phone companies to retain data about our personal calls, text messages, emails and internet use and keep it for up to 12 months. This information, the Prime Minister claimed, is, “the foundation for prosecutions of paedophiles, drug dealers and fraudsters,” and as such, a new Bill had to be passed through Parliament in a matter of days.
Why the emergency? The Prime Minister cited developments that had happened, 'in recent weeks', including the striking down of the EU Data Retention Directive 2006/24/EC by the Court of Justice of the European Union (CJEU). In fact, this happened over three months ago, on April 8. In its ruling, the Court found that blanket data retention severely interfered with our fundamental rights to respect for private life and to the protection of personal data. The Directive did not include sufficient restrictions to limit this intrusion to what is “strictly necessary” and was found invalid.
The CJEU's ruling immediately raised questions about the legal status of national legislation that implemented the Directive. In the UK, this was the Data Retention Regulations 2009. In April, Open Rights Group wrote to the Home Office's lawyers seeking to challenge the Regulations. The Government side-stepped the issue and simply said there was an existing challenge to the Regulations. Open Rights Group also wrote to the telecoms companies as did 1,500 of our supporters. This from Virgin Media was a typical response: “the UK government's current position is that although the Directive was held to be invalid, our own Data Retention Regulations are still in force and we must comply with them until such time as they are struck down by a UK court”.
The Home Office's Keep Calm and Carry On approach to data retention came to a swift end last week. We do not know if it was the threat of legal action by Open Rights Group and other NGOs that led to this ‘emergency’, as any legal action would be likely to take several months to get a result. But forcing legislation through in a week, before Parliament breaks for the summer, denies us the public debate and parliamentary scrutiny that this law deserves.
The Prime Minister has insisted that the legislation, “was not introducing new powers or capabilities” but the clue was in the name. Unsurprisingly, the Data Retention and Investigatory Powers Bill deals with both data retention and investigatory powers. Three of the Bill's six original clauses (there are now eight) did not concern the Data Retention Regulations but the Regulation of Investigatory Powers Act (RIPA), in itself an enormous and problematic piece of legislation in need of review.
Two of these clauses increase the government's surveillance powers. Firstly, there is the redefinition of “telecommunications service” to include webmail services, such as Gmail. Media lawyer David Allen Green, says this could also, “mean almost anything on the web: things stored on the cloud and so on”, potentially giving the government access to even more of our communications. Secondly, they will be able to issue interception warrants for communications data to companies outside of the UK, increasing their networks of data collection. In an open letter to the government yesterday, the GNI network, a group of companies, civil society organizations, investors and academics, expressed concern that this extension could give, “justification for such actions by other governments, including those that seek to limit freedom of expression and other human rights online”.
But even if the government were right about the extent of DRIP's powers, reinstating data retention still means that they are ignoring the central premise of the CJEU ruling: blanket data retention breaches our fundamental human rights. Other European countries, including Austria, Belgium, Bulgaria, Germany, Greece, Romania and Sweden, have already rejected data retention. Any new UK legislation remains within the scope of EU law. It should therefore comply with CJEU rulings, as well as the European Convention of Human Rights.
The threat of paedophiles, terrorists and criminals may seem like a compelling argument for data retention but the British public deserves scrutiny not hysteria when it comes to legislation that affects our civil liberties.