Across the EU, data retention legislation stemming from the now defunct Data Retention Directive has been subject to challenge. Most recently, the UK High Court has declared the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) to be unlawful. DRIPA was successfully challenged by MPs Tom Watson and David Davis, who were supported by the human rights organisation, Liberty. Their challenge was founded on an argument based on EU law, particularly human rights considerations. The High Court ruled certain retention obligations under DRIPA should be disapplied, on grounds of inconsistency with the protections under Article 7 (Respect for private and family life) and Article 8 (Protection of personal data) of the Charter of Fundamental Rights of the European Union (the “Charter“).
Background to DRIPA 2014
In 2014, the Court of Justice of the European Union (the “CJEU”) in Digital Rights Ireland found the Data Retention Directive to be invalid. This Directive formed the basis for the retention of communications data under the UK’s Data Retention (EC Directive) Regulations 2009. In response to the Directive’s invalidity, the UK Parliament introduced DRIPA to bridge the potential gap in the legislation.
DRIPA contains expansive powers allowing the UK government to order telecommunications companies to retain communications data for a maximum of 12 months where it is considered “necessary and proportionate”. While the data to be retained does not include the content of the communication, it does include the time and duration of a communication, the telephone number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made.
The implications of non-compliance with DRIPA are serious. Under the UK’s 2014 Data Retention Regulations, the Secretary of State may issue proceedings against a public communications company seeking to compel their compliance with DRIPA. The Information Commissioner also has powers to audit compliance with DRIPA requirements.
What did the Court decide?
DRIPA was widely criticised given the speed with which it was introduced and the expansive nature of the powers granted to the State. However, the Court emphasised it was not deciding whether the powers conferred by DRIPA were excessive or not. Instead, the High Court was simply deciding the “comparatively dry” issue of whether or not the DRIPA provisions were compatible with EU law as set out by the CJEU in Digital Rights Ireland. In that decision, the CJEU determined that the Directive was disproportionate in light of fundamental rights concerning respect for private and family life and protection of personal data. The High Court deemed it clear that DRIPA, an “identically worded domestic statute”, also exceeded the limits of proportionality.
Consequently, the Court declared the relevant sections of DRIPA, in establishing a general retention regime for communications data, is inconsistent with EU law. In particular, the Court objected to the lack of clear rules restricting access and use of retained data to the investigation or prosecution of serious criminal offences and the fact that the access was not dependent on prior independent administrative/judicial review.
What effect will this have?
The judgment will not have immediate effect as the order was suspended until 31 March 2016 to allow time for the UK Parliament to legislate for proper safeguards. The unlawful sections of DRIPA will remain in force until then. It is important to note that DRIPA has a sunset clause causing it to be repealed on 31 December 2016. Therefore, the UK government is already working to replace DRIPA with a permanent and potentially more expansive legislation. The anticipated impact of this decision for public telecommunications companies in respect of data security law is in fact limited. Rather, in wake of the Home Secretary’s recent statements indicating the resurrection of the Draft Communications Data Bill 2012, we can expect that there will be no dramatic reduction in UK state powers in relation to the retention of communications data. The interplay between EU law rights and UK national security measures is likely to be a source of continued litigation in future.