Is the UK Data Retention and Investigatory Powers Act in breach of EU law?

This week the U.K. Parliament adopted the “Data Retention and Investigatory Powers Act,” or DRIP, a bill that would dramatically expand the government’s surveillance powers. In the runup to the vote, the GCHQ, civil service, and coalition and opposition leaders showed a flagrant disregard for parliamentary procedure and failed to allow an informed and public debate. The result is a terrible bill that would treat all citizens, in the U.K. and abroad, as surveillance targets.

However, we’ve found a loophole that might help us stop this damaging legislation from seeing the light of day. Shortly before the adoption of the bill, Access sent a letter to the European Commission to notify an infringement of procedure in the U.K. Parliament, which lead to a breach of E.U. law. According to the Directive on Technical Standards, E.U. Member States — including the U.K. — are required to inform the European Commission of any pending legislation setting down rules on Information Society services before their adoption, even if  the legislation is adopted under emergency procedure, as DRIP was. But the U.K. only notified the commission of the existence of the DRIP on the day of its adoption.

Compliance with the CJEU’s ruling

Furthermore, the European Commission has also been notified that the DRIP contravenes the recent judgement of the Court of Justice of the European Union (CJEU), which it invalidated the Data Retention Directive. Adopted in 2006, this directive required all telecommunications data — including mobile, landline phones, fax, and email — to be indiscriminately collected and retained by providers for a minimum of six months and up to two years. The CJEU found the directive to interfere with the fundamental rights to privacy and data protection guaranteed under the E.U. Charter of Fundamental Rights, and found it lacking safeguards, as it didn’t define clear rules limiting the retention, access and use of data retained by authorities.

The DRIP would not only re-enact the invalid directive, with no attempt at conforming to the CJEU judgment, but would also grant significant new authority to extend the territorial scope of the broad interception and communications acquisition powers under the Regulation of Investigatory Powers Act 2000 (“RIPA”).

Emergency procedure

Finally, the U.K. Parliament decided to negotiate the adoption of this bill under the “emergency procedure” rules, putting the negotiations on a fast track and limiting public debate. But this request for emergency procedures has neither a logical nor a legal basis. The U.K. knew from the Advocate General’s opinion on the Data Retention Directive delivered in December 2013 that the directive was likely to be overturned. Likewise, it had known for the past three months that the CJEU had in fact overturned the directive. The notion that a sudden emergency had been discovered is thus unfounded.

Next steps

The European Commission will have to respond to Access’ notification within 15 days and inform whether it decides to undertake measures to remedy these breaches of E.U. law.

As guardian of the treaties, the European Commission is legally obliged to enforce both the Directive and the CJEU ruling. The European Commission showed no compunction in taking action against member states for failing to implement the now illegal Data Retention Directive, we now urge it to be equally vigilant in its enforcement of European law for the benefit of European citizens.

Stay tuned for upcoming updates on this infringement procedure.