[An earlier version of this post appeared at The Justice Gap, here]
Thursday’s announcement by David Cameron and Nick Clegg that the coalition was going to expedite emergency surveillance legislation is something that should concern all of us, not just privacy activists. The speed with which the Data Retention and Investigatory Powers bill (‘DRIP’) is being brought into play, the lack of consultation and the breadth of its powers should matter to everyone. There is a reason that legislation usually requires time and careful consideration – and with a contentious issue like surveillance this is especially true. This is a shabby process, for what seems to be a very shady law. And, as David Davis MP has suggested, the ‘emergency’ is theatrical, not real. The need for new legislation was entirely predictable – and politicians and civil servants should have known this.
A predictable emergency
The trigger for the legislation was the ruling by the ECJ, on 8th April, that the Data Retention Directive was invalid – more than three months ago – but the signs that new legislation was needed have been there for far longer. The ruling by the ECJ exceeded the expectations of privacy advocates – but not that significantly, and the declaration that the directive was invalid should have been an outcome that civil servants and politicians were prepared for. Indeed, the Data Retention Directive has been subject to significant challenge since its inception in 2005. Peter Hustinx, the European Data Protection Supervisor in 2010 called it:
“…without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”
Across Europe there have been protests and legal challenges to data retention throughout its history, from 30,000 people on the streets of Germany in 2007 to the declaration that data retention itself was unconstitutional in Romania. The challenge that eventually brought down the directive began in 2013.
The signs have been there in the UK too, and for far longer than three months. The Communications Data Bill – more commonly and appropriately known as the Snoopers’ Charter – was effectively abandoned well over a year ago, after a specially set-up parliamentary committee, after taking detailed evidence, issued a damning report. At that stage, even before the revelations of Edward Snowden reared their ugly head, the need for further legislation was evident.
So why, given all these warnings, has this emergency been manufactured, and why is legislation being pushed through so quickly? Is it that those behind the bill are concerned that if it received full and detailed scrutiny, the full scale and impact of the bill will become evident and, like the Snoopers’ Charter before it, it will fail? It is hard not to think that this has played some part in the tactics being employed here. What would there be to lose by delaying this a few months?
Companies like data too…
The suggestion that if the legislation isn’t pushed through this quickly then companies will suddenly start deleting all their communications data is naïve to say the least. Firstly, it’s hardly in most communications providers’ interest to delete all that data – actually, rather the opposite. Back in 2007, Google attempted to use the existence of data retention legislation as an excuse not to delete search logs – companies generally like having more data, as they (just like the authorities) believe they can get value from it. Moreover, businesses don’t often change their practices at the drop of a hat, even if they want to. They might, however, if they’re required to by law – and that may well be the real key here. Legal challenges to specific practices by specific companies in terms of data retention may well be in the offing – but this would take time, far more time than the few days – less than a week – that MPs are being given to pass this legislation.
The underlying point here is that there is a reason that the Data Retention Directive was declared invalid by the ECJ, and a reason that both privacy advocates and academics have been concerned about it from the very beginning. The mass collection of communications data breaches fundamental rights – and DRIP, just like the Communications Data Bill before it, does authorise the mass collection of this data. It has the same fundamental flaws as that bill – and a few extras to boot. With the very limited time available to review the bill so far, it appears to extend rather than limit the powers available through the contentious Regulation of Investigatory Powers Act (RIPA) rather than limit them or modernise them (see for example the analysis by David Allen Green in the FT here – registration needed), and attempt to extend powers outside the UK in a way that is at the very least contentious – and in need of much more scrutiny and consideration.
Most importantly, it still works on the assumption that there is no problem with collecting data, and that the only place for controls or targeting is at the accessing stage. This is a fundamentally flawed assumption – morally, legally and practically. At the moral level, it treats us all as suspects. Legally it has been challenged and beaten many times – consistently in the European Court of Human Rights, in cases from as far back as Leander in 1987, and now in the ECJ in the declaration of invalidity of the Data Retention Directive. Practically, it means that data gathered is vulnerable in many ways – from the all too evident risks of function creep that RIPA has demonstrated over the years (dog-fouling, fly-tippers etc) to vulnerability to leaking, hacking, human error, human malice and so forth. Moreover, it is the gathering of data that creates the chilling effect – impacting upon our freedom of speech, of assembly and association and so forth. This isn’t just about privacy.
Nick Clegg made much of the concessions and safeguards in the new bill, emphasising that this isn’t a Snoopers’ Charter Mark 2, but it is hard to be enthusiastic about them at this stage. There is a sunset clause, meaning that DRIP will expire in December 2016 – but there is nothing in the bill itself to say that it won’t be replaced by similar ‘emergency’ legislation, railroaded through parliament in a similar way. Moreover, December 2016 is well after the election – and the Lib Dems are currently unlikely to still have any influence at that stage. Julian Huppert in particular, my MP in Cambridge, is in a very precarious position. Without him, it’s hard to see much Lib Dem resistance to either the Tories or the Labour Party who set the ball rolling on mass surveillance state in the Blair years.
The rest of the safeguards are difficult to evaluate at this stage – they were originally said to be contained in secondary legislation that was not published with the bill itself, but when that secondary legislation was actually released, at around 4pm on Friday afternoon, it contained almost none of what had been promised. For example, the suggestion that the number of bodies able to use RIPA was to be restricted, was entirely absent. This list doesn’t just include the police and intelligence services, but pretty much all local authorities, and bodies like the food standards agency and the charities commission – another part of the function creep of RIPA. The breadth and depth of the surveillance that this bill, in combination with RIPA, would not only allow but effectively normalise, is something that should be of the deepest concern to anyone who takes civil liberties seriously.
The shabbiest of processes
This is just one part of the shabbiness of the process. Two more crucial documents, ‘Impact Assessments’ performed by the Home Office concerning the data retention and interception aspects of the bill, were also released – but without even a mention, so that the first that was heard of them by most concerned people was early on Saturday morning, when vigilant investigators found them all but hidden on the Home Office website. Two documents, full of technical details looking at why the laws were ‘needed’ and what the risks and benefits of the laws would be, the alternatives and so forth, pretty much hidden away. These, together with the Bill itself and the Regulations, combine to produce something with a serious level of both legal and technical complexity – something that needs very careful study and expert analysis. And to do this analysis, we are given essentially one weekend, and no warning.
How serious this is was highlighted by a brief twitter conversation between David Allen Green and MP Julian Huppert this morning:
David Allen Green (@JackofKent) is asking a straight and direct, technical and legal question – and Julian Huppert can’t answer it. Julian is perhaps the most technically expert of the entire House of Commons – if he doesn’t understand the bill, its impact and how it changes the current situation, how much less can other MPs? And yet they are expected to debate the bill on Monday, and pass it almost immediately. This is patently wrong – and highlights exactly why parliament generally has significant time for analysis and for debate, and parliamentary committees call experts to give testimony, to tease out these kinds of answers. Julian Huppert should not be criticised for not knowing the answer to the question – but he should be criticised for supporting a bill without allowing the time for these questions to be asked, investigated and answered. They need to be.
This is an wholly unsatisfactory state of affairs. Indeed, the whole thing is highly unsatisfactory, and in a democratic society, it should be unacceptable. That our MPs seem willing to accept it speaks volumes.
The key documents can be found here:- study them if you have time!
The draft bill
The draft regulations
The impact assessment for interception
The impact assessment for data retention.