This month, the European Commission responded to a letter sent on behalf of 21 digital rights organisations – including Access, Foundation for Information Policy Research (FIPR), EDRi, Initiative für Netzfreiheit, AKVorrat, and EFF – outlining several violations of E.U. law in the passage of the Data Retention and Investigatory Powers Act (DRIP) in the United Kingdom.
The letter, addressed to the Internal Market Commissioner Michel Barnier and Home affairs Commissioner Cecilia Malmström, drew attention to the violations of E.U. law carried out by the U.K. government in its adoption of the DRIP, a law that concerningly expands surveillance powers of law enforcement and intelligence services and mandates data retention.
The Commission’s response is vague and noncommittal, as nowhere does it indicate whether it will take action on any of the three potential violations of EU law (the failure to notify the Commission of the impending legislation before adopting it, the lack of approval for the emergency procedure, and, finally, the clear inconsistency with the recent CJEU ruling on data retention).
More about those violations
First, the U.K. government failed to notify the Commission about the DRIP in its draft stage, as required by a little known procedural law called the Directive on Technical Standards. The Commission’s letter confirms that the DRIP was only submitted a “as basic text” on the day of the adoption of the Bill.
The second infringement relates to the request for emergency procedure. Approval from the Commission on an urgency procedure would have allowed the U.K. government to speed up the adoption of the DRIP, skipping the so-called “standstill period,” a three-month window designed to allow companies and the EU Commission to come forward with complaints if they believe the proposed law will hinder the EU internal market. But this only works if the Commission recognises the need for such a procedure, which in this case it did not.
In its response, the Commission confirms that while adopting the DRIP, the U.K. government acted “without awaiting the views of the Commission.” However, it does not indicate if action will be taken to address this clear breach of E.U. law.
Finally and disappointingly, the Commission does not go into detail on the non-compliance of the DRIP with the CJEU ruling of last April overturning the E.U. Data Retention Directive. Over the years, several reports and statistics have demonstrated that blanket data retention is neither necessary nor proportionate to the detection, investigation, and prosecution of serious crime. Nevertheless, the Commission vigorously enforced this Directive during the past eight years it was in effect, taking member states to court for refusing to implement this controversial piece of legislation.
Next Steps
The Commission’s response indicates that it is, “assessing the claims concerning the potential breaches of EU law invoked in the letter”, which are being dealt with under an initial complaint filed by Access (see this post for more details).
While a recent EU internal legal document asserts that the CJEU ruling makes “general and blanket data retention in Europe no longer possible,” the U.K. government not only ignored the ruling, but proposed a new bill that actually expands surveillance powers.
The big question is, will the European Commission stand by while the U.K. government implements an invasive surveillance law on the dubious grounds of the need for an urgent new data retention law to “protect citizens,” opposing the spirit of the CJEU ruling and contravening EU procedural law?
Find the response of the European Commission to the open letter sent by 21 digital rights organisations here.