UK courts hacking away at surveillance powers

The free flow of information across the internet depends on trust: If users can’t ensure that their ideas, transactions, and search queries will remain confidential, they are less likely to express themselves. The exercise of the right to freedom of expression is enabled by another human right — privacy. Backed by hard evidence, this conclusion is gaining recognition among human rights experts and bodies.


Last week, the UK High Court issued an opinion explaining how emergency legislation passed last summer — the Data Retention and Investigatory Powers Act of 2014 (DRIPA) — violates EU law. The decision, which came in a case brought by UK civil liberties groups and individual Members of Parliament, struck down the first part of the act. Unfortunately, as the UK rights group Liberty points out, the ruling will not have immediate effect, and “[t]he unlawful sections of DRIPA will remain in force until the end of March 2016 to allow time for the Government to legislate properly. At that point they will cease to have effect.”

While positive in effect, the ruling failed to correctly interpret a previous decision by the Court of Justice of the European Union (CJEU). That decision, known as the Digital Rights Ireland case (DRI), invalidated the controversial Data Retention Directive for breaching the fundamental rights to privacy and data protection. The UK Court failed to recognize the full scope of the CJEU’s decision, which explained that not only access to retained data but also the mere retention of data constitutes an interference with the rights to privacy and data protection. The CJEU went into great detail explaining how the mandated blanket retention of everyone’s data constituted “an interference with the fundamental rights of practically the entire European population”, highlighting the serious risks of those practices.

However, regardless of the rationale, the UK Parliament will now have to go back to the drawing board if it expects to keep its data retention mandates. Access urges members of Parliament to abide by the Court’s decision and reject any attempt to re-authorize these mandates. Data retention is antithetical to human rights standards, slows innovation online, and makes users less secure. The longer data is stored, the more vulnerable it is to state surveillance and malicious attacks that lead to fraud and abuse.

Previously, the entire DRIPA was set to sunset on December 31, 2016, timed with the sunset of the broader Regulation of Investigatory Powers Act (RIPA). Section two of DRIPA, which extended the extraterritorial reach of the UK’s authority to compel providers to assist with surveillance orders or build in interception capabilities, was untouched by the Court’s order.

Data retention standards in the EU post-DRI

In the aftermath of the CJEU ruling on data retention from last year, reactions from member states have been inconsistent. Several EU countries, including Romania, Austria, Bulgaria, and Slovenia, have followed the guidance of the CJEU and repealed national legislation that breaches fundamental rights. Belgium and Germany had initially repealed their laws but are now considering new proposals for mandatory data retention. The Dutch government may also try to repackage its legislation, which was struck down by the District Court of the Hague earlier this year. Even more offensive, a few countries, including the UK and France, have enacted even broader data retention mandates. Other countries, like Poland, Italy, and Portugal, have maintained their legislation on data retention while waiting on guidance from the EU Commission on next steps to take, which is still lacking.

As the Commission continues to stay silent, failing to fulfil its duty as Guardian of the Treaties to ensure uniform compliance with the CJEU’s rulings, court cases on data retention are piling up. The existing Swedish national law has been brought before the CJEU by a Swedish ISP, Bahnhof, to determine its validity. After more than a year of inaction, the EU Commission must act expeditiously and bring clarity on the impact and consequence of the ruling on national implementation to avoid further breaches of fundamental rights.

Data retention mandates harm users and slow innovation

UN Special Rapporteur David Kaye’s recent report on encryption and anonymity online found that “broad mandatory data retention policies limit an individual’s ability to remain anonymous.” The government’s ability to require retention, the Special Rapporteur wrote, “has inevitably resulted in the State having everyone’s digital footprint.” Retention also “increases the potential for theft and disclosure of individual information,” exposing everyone to greater risk of fraud and abuse.

Not only human rights, but innovation and the continued growth of the internet economy are harmed by data retention mandates. Such barriers discourage new competitors like startups from entering the market, and deter growth across borders, as our recently published Digital Rights & Business Memo makes clear. Vodafone has spoken out against the Australian data retention proposal as wasteful, unnecessary for business purposes, and costly both in terms of the financial costs of storage as well as in harm to its reputation. According to the telco, “It is perceived by consumers that IP-identifier information could be used for surveillance activities” — meaning that privacy-conscious users would be deterred from using the company’s services under a retention law. Moreover, Vodafone points to the fact that the two-year retention mandate is a longer duration than most retention laws require, without justification: most data requested by law enforcement agencies is less than six months old, the company says.

For its part, US provider Verizon told Congress, “we have learned that the longer we keep records beyond what we need them, the greater the risks to the privacy of our customers.”

The UK should rethink other proposals that damage the integrity of systems

The UK has promoted several policies over the last year that would have an unacceptable impact on the rights of users. One of the most extreme examples is reflected in Prime Minister David Cameron’s continued remarks on encryption technologies. PM Cameron has expressed a desire to push forward a ban of certain encryption in a bill this fall. The extraterritoriality provision of the DRIPA would mean that this ban could be enforced by the government against any internet company that can be accessed within UK borders. This ban would not only harm the human rights of UK citizens, but also harm their security, and the rights and security for users around the world who rely on encryption to keep themselves safe. With the renewed examination of data retention, it is possible these two topics could be tied together in a single bad legislative package.

What next?

Over the next six months, we are likely to see a new data retention mandate go through Parliament. Access believes these mandates, and other harmful provisions, should be rejected, and instead the UK should focus on rights-respecting laws and policies. The International Principles on the Application of Human Rights to Communications Surveillance explain, “states should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems, or to collect or retain particular information purely for State Communications Surveillance purposes.” Access recently published an Implementation Guide for these principles, which recommends that providers retain user data for “no longer than it is necessary for the Provider in the ordinary scope of business.” Any law that requires otherwise harms users’ human rights and puts their security at risk.

We’ve also started an email list to organize civil society opposition to these mandates around the world, and we encourage you to contact us if you’d like to join.