Monday, July 14, 2014

Data Retention & Investigatory Powers (DRIP) Bill: a significant change in the law

The "emergency" Data Retention & Investigatory Powers (DRIP) Bill being rushed though Parliament this week sets out to -
  • make provision for data retention, now that the Court of Justice of the European Union has annulled the data retention directive; the asserted intention (of the Home Secretary) being to "maintain the status quo" by essentially re-enacting the Data Retention Regulations 2009 (S.I. 2009/859)
  • amend the grounds for issuing interception warrants or granting or giving certain authorisations or notices under Part 1 of the Regulation of Investigatory Powers Act (RIPA) 2000 
  • make provision to apply data retention and investigatory powers extra-territorially
  • expand the meaning of "telecommunications service
These stated intentions on the front page of the draft Bill alone create a clear impression that this measure goes significantly beyond an effort to "maintain the status quo". Reading the Bill itself, along with its associated 10 pages of draft regulations and 15 pages of explanatory notes only confirms this impression. The number of times the Home Secretary repeated last week that the new law was just about maintaining the status quo on data retention, in the face of those disagreeable European Court judges, was undermined by the lady herself adding that there is allegedly an
" increasingly pressing need to put beyond doubt the application of our laws on interception, so that communication service providers have to comply with their legal obligations irrespective of where they are based" (final para, Hansard, 10/07/14 Col 456)
If re-enacting the 2009 data retention regulations, this time as primary legislation, was all the government intended this could be done in significantly less than 32 pages of statute, regulations and explanatory notes. Whether to protect the UK from the EU law, as David Allen Green suggests, or otherwise, a new Bill could just say it was enacting the 2009 regulations as primary legislation. Job done.

Given how comprehensively the European Court of Justice dismantled the data retention directive that those regulations are based on - blanket indiscriminate data retention is a disproportionate interference with rights guaranteed under Articles 7 & 8 and 52(1) of the Charter of Fundamental Rights of the European Union -  that short cut to making the 2009 regs primary legislation would still be incompatible with the Charter. But it would be known law, just with brand spanking primary statute new foundations. (Even though it would be a law that the European Court has clearly stated is incompatible with those lily-livered human rights abhorrent to all true Brits, if prominent parliamentarians are to be believed). The extra provisions beyond that intent just make the Bill even more complex.

What if DRIP was just shoring up the 2009 regulations? Well blanket indiscriminate data retention has been outlawed by every high court that has considered it, including courts in Germany, Slovenia, Romania, Austria, Bulgaria, Sweden, Czech Republic and Cyprus and of course the European Court of Justice in April this year.

Yet the UK coalition government and their agreeable main opposition party don't stop just at giving our likely defunct data retention regulations the protection of parliamentary supremacy, to protect us from those big bad Europeans and their terribly un-British human rights that only protect pedophiles and terrorists. They go much further -
  • expanding data retention
  • providing the Secretary of State with Henry VIII powers to amend the law
  • expanding the reach of data retention and access, extra territorially
  • amending and expanding the scope of the incredibly complicated Regulation of Investigatory Powers Act (RIPA) 2000
  • amending and expanding the scope of what constitutes a "telecommunications service"
Clause 1 of DRIP, for example, attempts to re-enact the 2009 regulations, in addition to giving the Secretary of State, under sections 1(3), 1(4) and 1(7) wide ranging Henry VIII clause powers to amend the law, essentially as and when she likes. Section 1(1) puts a nominal brake on data retention by stating the Secretary of State can only order retention she considers "necessary and proportionate". However, given successive UK governments are repeatedly on record as claiming blanket surveillance is not just necessary and proportionate but "essential" to "save lives" that's not much of a practical restraint.

Some of the provisions of DRIP are seriously far reaching but mind numbing and I'd refer you in particular to excellent legal analyses by Steve Peers, Graham Smith, Liberty, the Open Rights Group, Privacy International, Big Brother Watch, Article 19 and English PEN and Tom Hickman who all do the job much better than I can on this.

If legalese leaves you cold there are quite a lot of nicely digestible articles floating around various corners of the web outlining the issues including those from the following cast of characters -
I should here, though, before closing draw your attention to Clauses 5 and 6 of DRIP. Clause 5 states:
"5 Meaning of "telecommunications service"
In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of "interception" etc), after subsection (8) insert - 
"(8A) For the purposes of the definition of "telecommunications service" in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system."
It seems that in attempting to bring services like Twitter and Facebook further into the data retention and investigatory powers fold, the government has managed to expand the scope of what is meant by "telecommunications service". It would now seem to encompass email listservs, webmail servers (as it says in the explanatory notes), social media providers like Facebook, app providers, retailers, gaming sites, the whole spectrum of website controllers/operators, bloggers, broadcast, print and online media and you can probably think of many more. I wonder if they'll try to use it as leverage on the good folk at the Guardian
Dear Mr Rusbridger,
Subject to the provisions of the DRIP Act 2014 we require that you retain and provide us with access, in the first instance, to the metadata and content of all your primary sources on GCHQ surveillance ...
I suspect even Mr Rusbridger's adversaries in the bulk of the mainstream press might suddenly find themselves on his side on the mass surveillance debate were that to happen.

Clause 6(3) of the Bill is the so-called sunset clause which says the law times out aka gets repealed on 31 December 2016. The history of such sunset clauses is that they get continually renewed - especially with nominally labelled anti-terrorist legislation. No politician can risk being accused of being soft on terrorism. If the government were serious that this is a temporary emergency measure to allow for a free and full debate on the matters it addresses the sunset clause would be three months, or at the very longest, expire at the end of this year. Not 2 and half years from now, when whichever government is in power can, if I may mix my metaphors, kick the sunset clause into the long grass with little concern about  political opposition.

Bottom line

The bottom line on DRIP is
  • DRIP is a major change in UK data retention, surveillance and investigatory powers laws
  • it involves the cementing into statute blanket indiscriminate data retention and therefore affects everyone in the UK
  • this blanket indiscriminate data retention activity was considered a serious and disproportionate breach of the right privacy by the European Court of Justice
  • I consider this an abuse of the rule of law
  • this data retention element of DRIP alone undermines UK citizens rights in the context of the Charter of Fundamental Rights of the EU and must presumably, therefore, as a direct challenge to the European Court of Justice (ECJ) ruling (in joined cases C-293/12 and C-594/12) declaring the data retention directive invalid, be open to legal challenge at European level.
  • DRIP additionally expands the immensely complex Regulation of Investigatory Powers Act (RIPA) 2000 interception powers, including the extra-territorial reach of those powers
  • DRIP, having been agreed behind closed doors by the leadership of the three biggest political parties, is being rushed through Parliament without proper parliamentary scrutiny 
  • the Home Secretary has admitted in evidence to the Home Affairs Select Committee today that MPs will not know the full details of the law they are being asked to pass this week
  • this appears to me to be an affront to the principle of Parliamentary sovereignty
  • clause 5 expands the scope of the meaning of "communications service" to a degree that it could be interpreted to mean any entity using a computer and the internet
  • there is no emergency that justifies rushing this ill thought out law through - no ongoing serious crime investigations will be put at risk, as communications service providers have a long history of cooperating willingly with the police on such matters; I suspect as in the past they would be perfectly willing to continue to retain and provide access to communications of suspects about whom law enforcement authorities have reasonable cause to harbour suspicion
  • the "be afraid of terrorists and pedophiles" line is wearing very thin
The entire DRIP enterprise is a mess which if it does, as is likely, get passed in haste this week, we will all come to regret at our leisure. Some commentators have amusingly labelled it the Dangerous Logs Act. The sad thing about that particular joke is that many of the MPs, following their party line and voting DRIP through in the next few days, will not get it.

No comments: