On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent CJEU judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid (as discussed here in a previous post).
The draft Data Retention and Investigatory Powers Bill (the “Bill“) provides powers to introduce secondary legislation to replace the Regulations which implemented the Data Retention Directive in the UK (the “2009 Regulations“), and seeks to clarify the scope of obligations that can be imposed on telecommunications service providers based outside the UK under the Regulation of Investigatory Powers Act 2000 (“RIPA”).
Key points to note on the Bill are that:
- it is not intended to introduce any “new powers or capabilities”, but seeks to “strengthen and clarify” existing powers in a fashion compatible with the CJEU judgments mentioned above
- no additional categories of communications data can be requested to be retained
- rather than the existing fixed 12 month retention period, the retention period can be flexed subject to a maximum period of 12 months
- the scope of RIPA is amended to give it express extraterritorial effect, so that it covers service providers outside the UK who are providing services to UK customers
- a sunset clause has been included which will ensure automatic expiry of the legislation by the end of 2016, the idea being that more comprehensive replacement legislation will be introduced in the next Parliament before then.
In addition, the UK Government has promised to:
- undertake a full review of RIPA and its powers and operation
- establish a Privacy and Civil Liberties Oversight Board, to ensure that civil liberties are properly considered in the formulation of government policy on counter-terrorism
- restrict the number of public bodies that are able to approach phone and internet companies and ask for communications data
- publish annual transparency reports on a more extensive basis than at present
- appoint a senior diplomat to lead discussions with the American government and internet companies to establish a new international agreement for sharing data between legal jurisdictions.
The new legislation and its emergency nature has already been criticised in some quarters. While the expressed intention to review and improve the whole regime on a more permanent basis in the near future is sensible, it will be interesting to see how that plays out in practice. There have been some hints that that review will involve a request for further powers. It is also the case that in the past some emergency legislation has ended up being extended for much longer than originally intended.