Emergency data laws announced

In April the Court of Justice of the European Union (CJEU), in the case Digital Rights Ireland and Seitlinger and Others, unexpectedly declared that the Data Retention Directive was invalid.

The purpose of the directive was to harmonise Member States’ provisions on the retention of certain personal data by the telecoms industry such as land line providers and mobile phone companies. The 'metadata' collected would typically include information about the time that texts and e-mails were sent, and where they were sent from, but not the actual content of the information itself.

We wrote extensively about the repercussions of this decision at that time: A week is a long time in the world of data protection and Data Retention: What Next?

Since then, the government and industry have been in regulatory limbo—until now.

This morning David Cameron and Nick Clegg announced that they are bringing forward emergency legislation—the Data Retention and Investigatory Powers Bill (explanatory notes here)—to allow the law enforcement and intelligence agencies to 'maintain existing capabilities'.

It is certainly unusual for a bill to be pushed through Parliament so quickly. Many MPs, who got wind of this development last night, rushed to Twitter to express their concerns (which may explain the spelling mistakes):

That said, the Sun's Political Editor, Tom Newton Dunn, thinks civil libertarians shouldn't be too concerned, saying on Twitter that those 'in angst over data laws should read the small print' and that the Deputy Prime Minister has got 'huge concessions' from the Prime Minister.

He finished by stating simply, 'spooks not happy'.

Passing legislation in this area is certainly challenging from a political and legal point of view. Lexis®PSL (£) interviewed Rosemary Jay, a senior attorney at Hunton & Williams in April. Here's what she had to say at the time on adopting any new data retention laws:

The question of whether the UK could legislate (ie pass a national law) is difficult, as this is an area in which the EU has legislated and the CJEU decided that it was appropriate for it to do so. It is not clear whether it is now an area of shared competence or exclusive to the EU. Given the political sensitivity, it may be some time before there is a consensus at EU level to form the basis of a replacement directive.

She went on to say:

Even if the UK can legislate it cannot ignore the ruling of the CJEU. Leaving aside questions on the so-called UK opt-out of the Charter [eg EU Charter of Fundamental Rights], the finding was not simply on the right to data protection in the Charter but also the right to private life and that is independently part of UK law under the Human Rights Act 1998. Any replacement measure which failed to take account of the CJEU decision would be the subject of immediate challenge. Realistically any replacement UK measure will have to take account of the ruling.

Interestingly, the Bill new contains a 'sunset clause' which states that 'it will be repealed on 31 December 2016'. In theory the doctrine of parliamentary sovereignty (where a current Parliament cannot bind a future Parliament) means that this automatic repeal could itself be repealed and thus make the law permanent. From a political point of view, however, this would undoubtedly prove to be difficult for any government to do this. Aside from the Bill, between now and 2016 the government has also committed itself to hold a full review of the Regulation of Investigatory Powers Act 2000 in order to make recommendations for how it could be reformed and updated (this Act regulates the how public bodies may carry out covert surveillance and has been subject to criticism where it has been misused such as where a council monitored a family to see whether they lived in the right school catchment area). The government has further stated that it is looking to:

appoint a senior diplomat to lead discussions with the American government and the internet companies to establish a new international agreement for sharing data between legal jurisdictions

and to:

establish a Privacy and Civil Liberties Oversight Board on the American model, to ensure that civil liberties are properly considered in the formulation of government policy on counter-terrorism. This will be based on David Anderson's existing role as the Independent Reviewer of Terrorism Legislation.

Finally, the Coalition states that it:

will restrict the number of public bodies that are able to approach phone and internet companies and ask for communications data. Some bodies will lose their powers to access data altogether while local authorities will be required to go through a single central authority who will make the request on their behalf.

Time to put 31 December 2016 in the diaries? The debate will no doubt rumble on in the background until then. It is likely to be loud and messy. Many commentators will remain concerned about the vague and open-ended nature of some of the clauses within the Bill (such as clause 1(3) which states, 'the Secretary of State may by regulations make further provision about the retention of relevant communications data'). The government will, over the next few days and weeks, try to put these concerns to bed. I suspect that for many people they won't succeed. In the meantime, you might find it useful to update your knowledge on surveillance on a more micro level: the workplace. Check out our post: Avoiding trouble when monitoring staff or customers: lessons from Snowden. Any thoughts? Any comments? Just want to say 'hi'? Contact us below. PS Here's an article and video from BloombergBusinessweek which explains what 'metadata' is all about: What Can Your Metadata Reveal About You? Update: 11 July 2014 There has been a lot of commentary on Twitter overnight. Here's a flavour of them:

Area of Interest