The repercussions of yesterday’s landmark ruling of the Court of Justice of the European Union that the Data Retention Directive is invalid, and has been so since its inception are likely to be complex and wide-ranging. Lawyers, academics, politicians and activists have been reading, writing, thinking and speculating about what might happen. With the directive declared invalid, what will happen to the various national implementations of that directive – in the UK, for example, we have The Data Retention (EC Directive) Regulations 2009. Will it need to be repealed? Will it need to be challenged – and if so how, and by whom? What will the various communications service providers – the ISPs, the telecommunications companies and so forth – do in reaction to the declaration? What will happen to other legislation that at least in part relies on retained data – the Regulation of Investigatory Powers Act 2000 (RIPA) for example. Will the police and intelligence services change what they do in any way, shape or form? Will the various governments attempt some kind of replacement for the Data Retention Directive? If so, what form will it take?
These are just some of the open questions – and the answers to them are only just starting to emerge. Some will be clear – but a great many will be very messy, and will take a lot of time, energy and heartache to sort out. The question that should immediately spring to mind is how that all this mess, and the resultant wastes of time, energy, expertise and heartache could have been avoided. Actually, the answer is simple. It could have been avoided if privacy had been taken seriously to start with.
For a long time, privacy hasn’t been taken nearly seriously enough. It hasn’t been taken seriously by the big operators on the internet – Facebook, Google, Apple, Microsoft, Yahoo! and so forth. Their policies and practices have treated privacy as a minor irritant, dealt with by obscure and unfathomable policies that people will at best scroll through and click OK at the bottom of without reading. Their products have treated privacy as an afterthought, almost an irrelevance – a few boxes to tick to satisfy the lawyers, that’s all. Privacy hasn’t been taken seriously by the intelligence agencies or the police forces either – just the province of a few geeks and agitators, the tinfoil hat brigade. It hasn’t been taken seriously by some of the open data people – the furore over care.data is just one example.
Privacy, however, does matter. It matters to ordinary people in their ordinary lives – not just to geeks and nerds, not just to ‘evil-doers’, not just to paranoid conspiracy theorists. And when people care enough about things, they can often find ways to make sure that those things are treated with respect. They fight. They act. They work together – and often, more often than might immediately seem apparent, they find a way to win. That was how the Communications Data Bill – the ‘Snoopers’ Charter’ was defeated. That is why Edward Snowden’s revelations are still reverberating around the world. That’s why behavioural advertising has the bad name that it does – and why the Do Not Track initiative started, and why the EU brought in the ‘Cookies Directive’, with all its flaws.
All these conflicts – and the disaster that is the Data Retention Directive – could have been avoided or at least ameliorated if the people behind these various initiatives, laws, processes and products had taken privacy seriously to start with. This is one of the contentions of my new book, Internet Privacy Rights – people believe they have rights, and when those rights are infringed, they care about it, and increasingly they’re finding ways to act upon it. Governments, businesses and others need to start to understand this a bit better if they’re not going to get into more messes like that that surrounds the Data Retention Directive. It’s not as though they haven’t had warnings. From the very start, privacy advocates have been complaining about the Directive – indeed, even before its enactment the Article 29 Working Party had been strongly critical of the whole concept of mass data retention. That criticism continued over the years, largely ignored by those in favour of mass surveillance. In 2011, Peter Hustinx, the European Data Protection Supervisor, called the Data Retention Directive “the most privacy-invasive instrument ever” – and that was before the revelations of Edward Snowden.
They should have listened. They should be listening now. Privacy needs to be taken seriously.
Paul Bernal, April 2014
Internet Privacy Rights – Rights to Protect Autonomy is available from Cambridge University Press here. Quote code ‘InternetPrivacyRights2014’ for a 20% discount from the CUP online shop.