EU Court Adviser Says UK Internet Spying Law Needs "Strict" Safeguards - ISPreview UK
The Advocate General for the Court of Justice of the European Union (CJEU) has said that the UK Government’s ‘Data Retention and Investigatory Powers Act’ (DRIP), which is a temporary precursor to the new Internet spying ‘Investigatory Powers Bill’ (IPBill), “may be compatible with EU law“.. with “strict” safeguards.

The DRIP Act was rushed into law in 2014 after the previous Regulation of Investigatory Powers Act 2000 (RIPA), which enabled the security services to snoop on telecoms and Internet services, was declared “invalid” by the European Court of Justice (here and here) because it breached the “fundamental right to respect for private life and the fundamental right to the protection of personal data“.

Under the plan DRIPA would exist as temporary legislation in order to keep the old RIPA law alive and it would expire at the end of 2016 (details), which is when the Government hoped to replace it with their new and much more extensive Investigatory Powers Bill (here).

However two ministers, David Davis MP (Conservative) and Tom Watson MP (Labour), opposed the apparent attempt to circumvent the ECJ ruling (DRIP was effectively RIPA with a few tweaks) and subsequently joined with civil rights groups in order to launch a Judicial Review of the law.

Last year the Divisional Court agreed that EU law requires an independent approval to access a person’s communications data, which was based off an earlier judgement in the Digital Rights Ireland case. The court initially advised that the following issues be resolved and then adopted into the DRIPA law by March 2016 (here).

Divisional Court Findings – Sections 1 and 2 of DRIPA:

  • Both fail to provide clear and precise rules to ensure data is only accessed for the purpose of preventing and detecting serious offences, or for conducting criminal prosecutions relating to such offences.
  • Access to data is not authorised by a court or independent body, whose decision could limit access to and use of the data to what is strictly necessary. The ruling observed that: “The need for that approval to be by a judge or official wholly independent of the force or body making the application should not, provided the person responsible is properly trained or experienced, be particularly cumbersome.”
The ruling could have made it difficult for the security services to conduct blanket surveillance of all citizens and it required more than a small change to the temporary legislation. Naturally the Government was concerned about this and lodged an appeal, which ended up questioning whether or not a past judgement in the Digital Rights Ireland case could be used as a basis for deciding the Judicial Review. The Court of Appeal then referred the issue back to the CJEU for clarification.

Court of Appeal Summary (20th Nov 2015)

In these circumstances we have come to the conclusion that we should refer the following questions to the CJEU:

  1. Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law with which the national legislation of Member States must comply?
  2. Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR?

We consider that the answers to these questions of EU law are not clear and are necessary in order for us to give judgement in these proceedings. For the reasons set out above, we exercise our discretion in favour of making a reference to the CJEU.
Today the CJEU’s Advocate General gave his NON-BINDING opinion on the legal challenge to DRIPA and, in a blow to the case, ruled that “a general obligation to retain data may be compatible with EU law“. However he also added that this would need to satisfy “strict requirements” and it is for the UK’s own national court system to determine whether those are being satisfied or not.

Henrik Saugmandsgaard Øe, CJEU Advocate General, said:

“First, the general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference.

Secondly, the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the Charter.

Thirdly, the Advocate General notes that EU law requires that any interference with the fundamental rights should be in the pursuit of an objective in the general interest. He considers that solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.

Fourthly, the general obligation to retain data must be strictly necessary to the fight against serious crime, which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights. Furthermore, the Advocate General points out that that obligation must respect the conditions set out in the judgment in Digital Rights Ireland as regards access to the data, the period of retention and the protection and security of the data, in order to limit the interference with the fundamental rights to what is strictly necessary.

Finally, the general obligation to retain data must be proportionate, within a democratic society, to the objective of the fight against serious crime, which means that the serious risks engendered by that obligation within a democratic society must not be disproportionate to the advantages it offers in the fight against serious crime.”
The opinion carries with it a lot of weight and appears to support the calls for DRIP to only focus on serious crime, which is something that the UK courts will have to factor as that was the purpose of the whole exercise. On the other hand it’s by no means the knock-out blow that David Davis and Tom Watson might have originally hoped to achieve.

Mind you David Davis has this week withdrawn from the case, which is hardly surprising because he was recently appointed by new Prime Minister, Theresa May, to become the new Secretary of State for Brexit. Yes, the very person who he fought so valiantly against over DRIP has now appointed him to a role for leaving the EU, fun times indeed.

Jim Killock, Executive Director of Open Rights Group, said:

“The Advocate General has stated that data retention should only be used in the fight against serious crime, yet in the UK there are more than half a million requests for communications data each year. These do not only come from police but also local councils and government departments. It is difficult to see how the Government can claim that these organisations are investigating serious crimes.

The Opinion calls for strict safeguards yet in the UK, there is currently no judicial authorisation in the UK – police, local authorities and government departments can get internal sign off to access data. If the IP Bill is passed, data will be able to be analysed without a warrant through an intrusive tool known as the request filter.

It may be too late to end data retention under DRIPA, which expires at the end of the year, but the Government has the opportunity to ensure that the IP Bill complies with EU law. In particular, they should end the extension of mass data retention proposed in the Bill, which would see the UK become one of the only democracies to record its citizens’ web browsing history and provide a police search engine to scour it.”
At this point some might be wondering whether or not the vote to leave the EU will make all of this irrelevant and grant the UK Government free region to do as it pleases, although in order for the UK to continue doing business / sharing data with the EU then we might still have to sign-up to much of the same legislation. In any case that is still a few years away.

However perhaps the biggest question is over what impact this might have on the forthcoming IPBill, which proposes to go a lot further than DRIP. The Government may yet seek to reduce any conflict by stiffening its safeguards, but we’ll have to wait and see. One way or another, DRIP comes to an end this year.

UPDATE 4:51pm

The ISPA UK Chair, James Blessing, said: “The Opinion of the Advocate General, whilst non-binding, raises serious questions about UK data retention legislation. It calls into question some aspects of the Investigatory Powers Bill and ISPA therefore calls on the Home Office needs to ensure the legal framework around data retention is fully compliant with the final court judgement. It is vital to give industry certainty on what the rules are, maintain user confidence in online services and avoid another round of lengthy legal proceedings.”