The ruling in the High Court that overturned the Data Retention and Investigatory Powers Act (DRIP) may well turn out to be a significant one. At the time that it was passed, academics and privacy advocates were deeply disturbed not just by the bill but by the way it was passed – I blogged a number of times on the subject, including an Open Letter from myself and other academics, and a comment on the shabby process through which it was passed.
Our concerns appear to have been well founded – hence the overturning of the law – but they are part of a much bigger process through which the whole of our surveillance system is being held up to scrutiny and found wanting. The Anderson Report, the RUSI report, the rulings of the Investigatory Powers Tribunal and now this High Court ruling show a growing feeling that the current situation is unacceptable. It is no longer sufficient for the authorities to say ‘trust us’ with surveillance. Indeed, the more that comes out, the less they appear deserving of that trust. The passing of DRIPA, without proper scrutiny, without proper debate, and ignoring the criticisms of experts, showed contempt for people and for the nation – it is a very good thing that it has now been overturned. What happens next is another matter – but one that we should watch very carefully indeed.
Below is a post from the LSE Media Policy Blog, by Lorna Woods, explaining today’s ruling, reposted with permission.
Explaining the ruling that overturned the UK’s Data Retention & Investigatory Powers Act
The British High Court just invalidated the UK’s bill on retention and investigation of communications data that was enacted in 2014 in the wake of the overturning of the EU Data Retention Directive by the European court. Lorna Woods of the University of Essex explains the ruling and its implications.
In a very rare outcome, the English High Court has declared that the Data Retention and Investigatory Powers Act (DRIPA) is inconsistent with European Union law and therefore is “disapplied”, although the Court suspended the effect of its order until after 31 March 2016. Liberty to appeal was granted.
DRIPA was rushed through Parliament last summer, much to the consternation of many, as this judicial review action evidences. DRIPA had been enacted in the wake of the Digital Rights Ireland decision of the European Court of Justice invalidating the Data Retention Directive (2002/58/EC), and the recognition that some of the activities of the police and security forces in this country in terms of surveillance and data access in any event had at best very dubious legal authority. DRIPA went through on the basis, that rather than involving new principles, it constituted mere clarification of the law. It was on the basis of EU law following Digital Rights Ireland that this action was brought.
Argument in court concerned what Digital Ireland in fact said, and the impact a ruling on a directive should have on national legislation designed to implement it. The High Court argued that, although Digital Rights Ireland related to the Directive and not national legislation, the ECJ was questioning whether the EU legislature had, by instituting its data retention rules, overstepped the principle of proportionality in balancing the rights to privacy and data protection in the EU’s Charter on Fundamental Rights against law enforcement and national security objectives (see Articles 7, 8 on rights & Article 52(1) on limitations). The Court took the meaning of the case to be that:
‘the ratio of Digital Rights Ireland is that legislation establishing a general retention regime for communications data infringes rights under Articles 7 and 8 of the EU Charter unless it is accompanied by an access regime (laid down at national level) which provides adequate safeguards for those rights’. [para 89]
In terms of the criteria by which any domestic legislation should be judged, the English High Court held that “[w]e do not accept that the [ECJ’s ruling in Digital Rights Ireland] is authority for nothing more than the verdict [ie it only speaks to the validity of the directive], any more than we interpret the judgment as meaning that each criticism or concern which the Court expressed involves a fatal flaw in the legislation”. [para 90]. The English Court then came up with a three-part structure summarising the requirements of any such legislative scheme for it to be acceptable under EU law:
- Derogation and limitations in relation to the protection of personal data must apply only is as far is strictly necessary, so any legislation must set down clear, precise rules regarding scope of derogation and safeguarding rights against risk of abuse;
- Legislation establishing a general scheme of retention must expressly restrict the purposes for which the scheme is used to precisely defined serious crimes;
- Prior review by a court is required [para 91]
The Court decided not to make a reference to the ECJ on the question, although similar questions are pending from a Swedish Court before the ECJon similar domestic legislation. The requirements in derived from Digital Rights Ireland were not satisfied by DRIPA.
Although the Court ordered disapplication, which means the law will not be enforced, it suspended the effect of that order to allow the Government time to re-legislate. It seems that there is a growing consensus that some change to allow proper safeguards is required – as can been seen in the Anderson Report and in the RUSI Report. It is to be hoped that this time, the Government gives adequate notice to allow proper scrutiny of the proposed measures: a lack of scrutiny has been an ongoing concern about the passage of DRIPA and other measures in this area.
This case will no doubt give rise to a number of legal questions – and leave to appeal has been granted – but two immediate questions occur. The first relates to the scope of the disapplication: the Secretary of State for the Home Department who was defending DRIPA in this case raised at the last minute whether national security fell within the scope of EU law. If it does not, the arguments raised here would not apply to it. The Court did not deal with this argument as it was raised at the least minute. Secondly, if the High Court accepts that DRIPA is incompatible with EU law, as it has just argued, then how does it have the power to suspend disapplication until March next year? According to the ECJ, EU law is supreme and needs no intervention from the domestic legal systems to make it so. From that perspective, today’s disapplication could not be delayed. The Government now needs to prioritise re-legislating on the retention and investigation of communications data.
This article gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.