The U.K. Data Retention and Investigatory Powers Act 2014 (the ‘‘DRIP Act’’) received Royal Assent on July 17, 2014, and came into force with immediate effect.
This emergency legislation was passed speedily through the House of Commons and the House of Lords, being somewhat of a band aid in light of the European Court of Justice’s decision of April 8, 2014, in the Digital Rights Ireland case (Joined Cases C-293/12 and C-594/12), in which it declared the EU Data Retention Directive (2006/24/EC) (the ‘‘Directive’’) to be invalid.
The DRIP Act replaces the U.K. Data Retention (EC Directive) Regulations 2009 (the ‘‘Regulations’’), and confirms that companies can be required to retain certain types of communications data for up to 12 months (rather than the fixed 12 months provided in the Regulations), so that this data may later be acquired by law enforcement and used in evidence.
The DRIP Act also clarifies that anyone providing a ‘‘communication service’’ to customers in the U.K., regardless of where that service is provided from, should comply with lawful requests made under the U.K. Regulation of Investigatory Powers Act 2000 (‘‘RIPA’’). This was previously considered to be a grey area, and this clarification has significant ramifications for those providing communication services in the U.K. from overseas.
The DRIP Act is not without its critics, however. Many argue that it raises more questions than it answers and that it goes too far, especially with respect to the powers which can now be exercised against providers of communication services based outside the U.K. Subsequent legal challenges have also been lodged against it on the basis the new rules (like the old rules) continue to insufficiently protect individuals’ privacy rights.