DRIPA overturned…. an explanation and comment

The ruling in the High Court that overturned the Data Retention and Investigatory Powers Act (DRIP) may well turn out to be a significant one. At the time that it was passed, academics and privacy advocates were deeply disturbed not just by the bill but by the way it was passed – I blogged a number of times on the subject, including an Open Letter from myself and other academics, and a comment on the shabby process through which it was passed.

Our concerns appear to have been well founded – hence the overturning of the law – but they are part of a much bigger process through which the whole of our surveillance system is being held up to scrutiny and found wanting. The Anderson Report, the RUSI report, the rulings of the Investigatory Powers Tribunal and now this High Court ruling show a growing feeling that the current situation is unacceptable. It is no longer sufficient for the authorities to say ‘trust us’ with surveillance. Indeed, the more that comes out, the less they appear deserving of that trust. The passing of DRIPA, without proper scrutiny, without proper debate, and ignoring the criticisms of experts, showed contempt for people and for the nation – it is a very good thing that it has now been overturned. What happens next is another matter – but one that we should watch very carefully indeed.

Below is a post from the LSE Media Policy Blog, by Lorna Woods, explaining today’s ruling, reposted with permission.

Explaining the ruling that overturned the UK’s Data Retention & Investigatory Powers Act

The British High Court just invalidated the UK’s bill on retention and investigation of communications data that was enacted in 2014 in the wake of the overturning of the EU Data Retention Directive by the European court. Lorna Woods of the University of Essex explains the ruling and its implications. 

In a very rare outcome, the English High Court has declared that the Data Retention and Investigatory Powers Act (DRIPA) is inconsistent with European Union law and therefore is “disapplied”, although the Court suspended the effect of its order until after 31 March 2016. Liberty to appeal was granted.

DRIPA was rushed through Parliament last summer, much to the consternation of many, as this judicial review action evidences. DRIPA had been enacted in the wake of the Digital Rights Ireland decision of the European Court of Justice invalidating the Data Retention Directive (2002/58/EC), and the recognition that some of the activities of the police and security forces in this country in terms of surveillance and data access in any event had at best very dubious legal authority. DRIPA went through on the basis, that rather than involving new principles, it constituted mere clarification of the law. It was on the basis of EU law following Digital Rights Ireland that this action was brought.

The Judgment

Argument in court concerned what Digital Ireland in fact said, and the impact a ruling on a directive should have on national legislation designed to implement it. The High Court argued that, although Digital Rights Ireland related to the Directive and not national legislation, the ECJ was questioning whether the EU legislature had, by instituting its data retention rules, overstepped the principle of proportionality in balancing the rights to privacy and data protection in the EU’s Charter on Fundamental Rights against law enforcement and national security objectives (see Articles 7, 8  on rights & Article 52(1) on limitations). The Court took the meaning of the case to be that:

‘the ratio of Digital Rights Ireland is that legislation establishing a general retention regime for communications data infringes rights under Articles 7 and 8 of the EU Charter unless it is accompanied by an access regime (laid down at national level) which provides adequate safeguards for those rights’. [para 89]

In terms of the criteria by which any domestic legislation should be judged, the English High Court held that “[w]e do not accept that the [ECJ’s ruling in Digital Rights Ireland] is authority for nothing more than the verdict [ie it only speaks to the validity of the directive], any more than we interpret the judgment as meaning that each criticism or concern which the Court expressed involves a fatal flaw in the legislation”. [para 90]. The English Court then came up with a three-part structure summarising the requirements of any such legislative scheme for it to be acceptable under EU law:

  • Derogation and limitations in relation to the protection of personal data must apply only is as far is strictly necessary, so any legislation must set down clear, precise rules regarding scope of derogation and safeguarding rights against risk of abuse;
  • Legislation establishing a general scheme of retention must expressly restrict the purposes for which the scheme is used to precisely defined serious crimes;
  • Prior review by a court is required [para 91]

The Court decided not to make a reference to the ECJ on the question, although similar questions are pending from a Swedish Court before the ECJon similar domestic legislation. The requirements in derived from Digital Rights Ireland were not satisfied by DRIPA.

Next Steps

Although the Court ordered disapplication, which means the law will not be enforced, it suspended the effect of that order to allow the Government time to re-legislate. It seems that there is a growing consensus that some change to allow proper safeguards is required – as can been seen in the Anderson Report and in the RUSI Report. It is to be hoped that this time, the Government gives adequate notice to allow proper scrutiny of the proposed measures: a lack of scrutiny has been an ongoing concern about the passage of DRIPA and other measures in this area.

This case will no doubt give rise to a number of legal questions – and leave to appeal has been granted – but two immediate questions occur. The first relates to the scope of the disapplication: the Secretary of State for the Home Department who was defending DRIPA in this case raised at the last minute whether national security fell within the scope of EU law. If it does not, the arguments raised here would not apply to it. The Court did not deal with this argument as it was raised at the least minute. Secondly, if the High Court accepts that DRIPA is incompatible with EU law, as it has just argued, then how does it have the power to suspend disapplication until March next year? According to the ECJ, EU law is supreme and needs no intervention from the domestic legal systems to make it so. From that perspective, today’s disapplication could not be delayed. The Government now needs to prioritise re-legislating on the retention and investigation of communications data.

This article gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.


Open letter on rule of law and surveillance

I am one of the signatories on an open letter to the members of the House of Commons – a letter set out below. The subject matter is UK surveillance law – and in particular the democratic process surrounding surveillance law. The signatories – academic researchers whose specialities are related to surveillance law, whether from the legal, technical or technological, socio-political or media-studies angle – are concerned that the democratic process is not effectively bypassed or short-cut as it has been in the last few years. We come from a wide variety of backgrounds and have very different perspectives on privacy, surveillance, security and so forth – but we share, I believe, the belief that proper scrutiny, proper debate, and proper legal processes should be followed.

Similarly, political backgrounds shouldn’t matter – this isn’t in any way a party political issue, but one that should transcend party politics. Politicians of all parties should care about the political process, and should want important political decisions to be made with the best information, and after proper consideration and debate. That has been conspicuous by its absence in recent years.

There is a lot at stake here, and parliamentarians, like most people, do not have the technical or even legal knowledge to be able to make good judgments over this kind of thing without taking an appropriate amount of time, talking with the appropriate experts, and doing their best to understand the issues. That, in theory at least, is what the full parliamentary process should allow for. Laws should not, except where absolutely necessary, be pushed through without proper debate. Significant changes should not be made through processes that were designed for small, procedural and detailed changes. New ideas should not be introduced at late stages of a bill without the chance for proper debate. All of these have happened in the last few years – we should do our best to stop that happening in the future. A new parliament, with new parliamentarians, should provide an opportunity for that.

Here is the letter.


An open letter to all members of the House of Commons,

Dear Parliamentarian,

Ensuring the Rule of Law and the democratic process is respected as UK surveillance law is revised

Actions Taken Under the Previous Government

During the past two years, the United Kingdom’s surveillance laws and policies have come under scrutiny as the increasingly expansive and intrusive powers of the state have been revealed and questioned in the media. Such introspection is healthy for any democracy. However, despite a need for transparency in all areas of lawmaking, and in particular in areas of controversy, the previous Government repeatedly resisted calls for an open and transparent assessment and critique of UK surveillance powers. Instead, in response to legal challenges, it extended the powers of the state in the guise of draft Codes of Practice and “clarifying amendments.” As we welcome a new Government we expect another round of revisions to UK surveillance laws, with the likelihood that the Queen’s Speech will signal a revival of the Communications Data Bill. At this time we call on the new Government, and the members of the House, to ensure that any changes in the law, and especially any expansions of power, are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Last year, in response to the introduction of the Data Retention and Investigatory Powers Bill (“DRIP”), a number of leading academics in the field – including many of the signatories to this letter – called for full and proper parliamentary scrutiny of the Bill to ensure Parliamentarians were not misled as to what powers it truly contained. Our concern emanated from the Home Secretary’s attempt to characterise the Bill, which substantially expanded investigatory powers, as merely a re-affirmation of the pre-existing data retention regime.[1]

Since that letter was written, it has become apparent that the introduction of the DRIP Bill was not the only time an expansion of surveillance powers was presented in a way seemingly designed to stifle robust democratic consideration. In February 2015, the Home Office published the draft Equipment Interference Code of Practice.[2] The draft Code was the first time the intelligence services openly sought specific authorisation to hack computers both within and outside the UK. Hacking is a much more intrusive form of surveillance than any previously authorised by Parliament. It also threatens the security of all internet services as the tools intelligence services use to hack can create or maintain security vulnerabilities that may be used by criminals to commit criminal acts and other governments to invade our privacy. The Government, though, sought to authorise its hacking, not through primary legislation and full Parliamentary consideration, but via a Code of Practice.

The previous Government also introduced an amendment via the Serious Crimes Act 2015, described in the explanatory notes to the Bill as a ‘clarifying amendment’.[3] The amendment effectively exempts the police and intelligence services from criminal liability for hacking. This has had an immediate impact on the ongoing litigation of several organisations who are suing the Government based in part on the law amended, the Computer Misuse Act 1990.[4]

The Way Ahead

The new Conservative Government has announced its intention to propose new surveillance powers through a resurrection of the Communications Data Bill. This will require internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year, and to make that information available to the government and security services. We also anticipate this Parliament will see a review of the Regulation of Investigatory Powers Act 2000, which currently regulates much of the Government’s surveillance powers. The Independent Reviewer of Terrorism Legislation, David Anderson QC, has conducted an independent review of the operation and regulation of investigatory powers, with specific reference to the interception of communications and communications data. The report of that review has been submitted to the Prime Minister, but has yet to be made public: when it is made public, parliamentary scrutiny of the report and any recommendations made following it will be essential.

As the law requires that surveillance powers must be employed proportionate to any harm to privacy caused (as required by Article 8 of the European Convention on Human Rights and Article 12 of the Universal Declaration of Human Rights) we believe that any expansion or change to the UK’s surveillance powers should be proposed in primary legislation and clearly and accurately described in the explanatory notes of any Bill. The Bill and its consequences must then be fully and frankly debated in Parliament. When reaching an assessment of the proportionality, of any measure that restricts rights, both our domestic courts and the European Court of Human Rights place great stock on the degree and quality of Parliamentary involvement prior to any measure being adopted. If the matter ever came to before the courts one issue examined would be the nature of any “exacting review” undertaken by MPs into the necessity of extending these powers. The Government should not be permitted to surreptitiously change the law whenever it so desires, especially where such changes put our privacy and security at risk.

This letter has been prepared and signed by 38 academic researchers. We are comprised of people from both sides of this issue – those who believe that increased powers are a reasonable response to an emerging threat, and those who think them an unjustified extension of state interference. Our common goal is to see the Rule of Law applied and Parliamentary oversight reasserted. We are calling on all members of the House of Commons, new and returning, and of all political persuasions to support us in this by ensuring Parliamentary scrutiny is applied to all developments in UK surveillance laws and powers as proposed by the current Government.



Andrew Murray (contact signatory) – Professor of Law, London School of Economics  a.murray@lse.ac.uk

Paul Bernal (contact signatory) – Lecturer in Information Technology, Intellectual Property and Media Law University of East Anglia Paul.Bernal@uea.ac.uk

Anne Barron – Associate Professor of Law, London School of Economics

Subhajit Basu – Associate Professor of Law, University of Leeds

Sally Broughton Micova – Deputy Director LSE Media Policy Project, Department of Media and Communications, London School of Economics

Abbe E.L. Brown – Senior Lecturer, School of Law, University of Aberdeen

Ian Brown – Professor of Information Security and Privacy, Oxford Internet Institute

Ray Corrigan – Senior Lecturer in Maths, Computing and Technology, Open University

Angela Daly – Postdoctoral Research Fellow, Swinburne Institute for Social Research, Swinburne University of Technology

Richard Danbury – Postdoctoral Research Fellow, Faculty of Law, University of Cambridge

Catherine Easton – Lecturer in Law, Lancaster University School of Law

Lilian Edwards – Professor of E-Governance, Strathclyde University

Andres Guadamuz – Senior Lecturer in Intellectual Property Law, University of Sussex

Edina Harbinja – Lecturer in Law, University of Hertfordshire

Julia Hörnle – Professor in Internet Law, Queen Mary University of London

Argyro P Karanasiou – Senior Lecturer in Law, Centre for Intellectual Property, Policy & Management (CIPPM), Bournemouth University

Theodore Konstadinides – Senior Lecturer in Law, University of Surrey

Douwe Korff – Emeritus Professor of International Law, London Metropolitan University, Associate of the Oxford Martin School, University of Oxford

Mark Leiser – Postgraduate Researcher, Strathclyde University

Orla Lynskey – Assistant Professor of Law, London School of Economics

David Mead – Professor of UK Human Rights Law, UEA Law School, University of East Anglia

Robin Mansell – Professor, Department of Media and Communication, London School of Economics

Chris Marsden – Professor of Law, University of Sussex

Steve Peers – Professor of Law, University of Essex

Gavin Phillipson – Professor, Law School, University of Durham

Julia Powles – Researcher, Faculty of Law, University of Cambridge

Andrew Puddephatt – Executive Director, Global Partners Digital

Judith Rauhofer – Lecturer in IT Law, University of Edinburgh

Chris Reed – Professor of Electronic Commerce Law, Queen Mary University of London

Felipe Romero-Moreno – Lecturer in Law, University of Hertfordshire

Burkhard Schafer – Professor of Computational Legal Theory, University of Edinburgh

Joseph Savirimuthu – Senior Lecturer in Law, University of Liverpool

Andrew Scott – Associate Professor of Law, London School of Economics

Peter Sommer – Visiting Professor, Cyber Security Centre, De Montfort University

Gavin Sutter – Senior Lecturer in Media Law, Queen Mary University of London

Judith Townend – Director of the Centre for Law and Information Policy, Institute of Advanced Legal Studies, University of London

Asma Vranaki – Post-Doctoral Researcher in Cloud Computing, Queen Mary University of London

Lorna Woods – Professor of Law, University of Essex



[1] https://paulbernal.wordpress.com/2014/07/15/open-letter-from-uk-legal-academic-experts-re-drip/

[2] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/401863/Draft_Equipment_Interference_Code_of_Practice.pdf

[3] http://www.legislation.gov.uk/ukpga/2015/9/notes/division/3/2/2/4

[4] https://www.privacyinternational.org/?q=node/584