DRIPA overturned…. an explanation and comment

The ruling in the High Court that overturned the Data Retention and Investigatory Powers Act (DRIP) may well turn out to be a significant one. At the time that it was passed, academics and privacy advocates were deeply disturbed not just by the bill but by the way it was passed – I blogged a number of times on the subject, including an Open Letter from myself and other academics, and a comment on the shabby process through which it was passed.

Our concerns appear to have been well founded – hence the overturning of the law – but they are part of a much bigger process through which the whole of our surveillance system is being held up to scrutiny and found wanting. The Anderson Report, the RUSI report, the rulings of the Investigatory Powers Tribunal and now this High Court ruling show a growing feeling that the current situation is unacceptable. It is no longer sufficient for the authorities to say ‘trust us’ with surveillance. Indeed, the more that comes out, the less they appear deserving of that trust. The passing of DRIPA, without proper scrutiny, without proper debate, and ignoring the criticisms of experts, showed contempt for people and for the nation – it is a very good thing that it has now been overturned. What happens next is another matter – but one that we should watch very carefully indeed.

Below is a post from the LSE Media Policy Blog, by Lorna Woods, explaining today’s ruling, reposted with permission.


Explaining the ruling that overturned the UK’s Data Retention & Investigatory Powers Act

The British High Court just invalidated the UK’s bill on retention and investigation of communications data that was enacted in 2014 in the wake of the overturning of the EU Data Retention Directive by the European court. Lorna Woods of the University of Essex explains the ruling and its implications. 

In a very rare outcome, the English High Court has declared that the Data Retention and Investigatory Powers Act (DRIPA) is inconsistent with European Union law and therefore is “disapplied”, although the Court suspended the effect of its order until after 31 March 2016. Liberty to appeal was granted.

DRIPA was rushed through Parliament last summer, much to the consternation of many, as this judicial review action evidences. DRIPA had been enacted in the wake of the Digital Rights Ireland decision of the European Court of Justice invalidating the Data Retention Directive (2002/58/EC), and the recognition that some of the activities of the police and security forces in this country in terms of surveillance and data access in any event had at best very dubious legal authority. DRIPA went through on the basis that, rather than involving new principles, it constituted mere clarification of the law. It was on the basis of EU law following Digital Rights Ireland that this action was brought.

The Judgment

Argument in court concerned what Digital Rights Ireland in fact said, and the impact a ruling on a directive should have on national legislation designed to implement it. The High Court argued that, although Digital Rights Ireland related to the Directive and not national legislation, the ECJ was questioning whether the EU legislature had, by instituting its data retention rules, overstepped the principle of proportionality in balancing the rights to privacy and data protection in the EU’s Charter on Fundamental Rights against law enforcement and national security objectives (see Articles 7, 8 on rights & Article 52(1) on limitations). The Court took the meaning of the case to be that:

‘the ratio of Digital Rights Ireland is that legislation establishing a general retention regime for communications data infringes rights under Articles 7 and 8 of the EU Charter unless it is accompanied by an access regime (laid down at national level) which provides adequate safeguards for those rights’. [para 89]

In terms of the criteria by which any domestic legislation should be judged, the English High Court held that “[w]e do not accept that the [ECJ’s ruling in Digital Rights Ireland] is authority for nothing more than the verdict [ie it only speaks to the validity of the directive], any more than we interpret the judgment as meaning that each criticism or concern which the Court expressed involves a fatal flaw in the legislation”. [para 90]. The English Court then came up with a three-part structure summarising the requirements of any such legislative scheme for it to be acceptable under EU law:

  • Derogation and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary, so any legislation must set down clear, precise rules regarding scope of derogation and safeguarding rights against risk of abuse;
  • Legislation establishing a general scheme of retention must expressly restrict the purposes for which the scheme is used to precisely defined serious crimes;
  • Prior review by a court is required [para 91]

The Court decided not to make a reference to the ECJ on the question, although similar questions are pending from a Swedish Court before the ECJ on similar domestic legislation. The requirements derived from Digital Rights Ireland were not satisfied by DRIPA.

Next Steps

Although the Court ordered disapplication, which means the law will not be enforced, it suspended the effect of that order to allow the Government time to re-legislate. It seems that there is a growing consensus that some change to allow proper safeguards is required – as can be seen in the Anderson Report and in the RUSI Report. It is to be hoped that this time, the Government gives adequate notice to allow proper scrutiny of the proposed measures: a lack of scrutiny has been an ongoing concern about the passage of DRIPA and other measures in this area.

This case will no doubt give rise to a number of legal questions – and leave to appeal has been granted – but two immediate questions occur. The first relates to the scope of the disapplication: the Secretary of State for the Home Department who was defending DRIPA in this case raised at the last minute whether national security fell within the scope of EU law. If it does not, the arguments raised here would not apply to it. The Court did not deal with this argument as it was raised at the last minute. Secondly, if the High Court accepts that DRIPA is incompatible with EU law, as it has just argued, then how does it have the power to suspend disapplication until March next year? According to the ECJ, EU law is supreme and needs no intervention from the domestic legal systems to make it so. From that perspective, today’s disapplication could not be delayed. The Government now needs to prioritise re-legislating on the retention and investigation of communications data.

This article gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.


 

Ethical policing of the internet?

The question of how to police the internet – and how the police can or should use the internet, which is a different but overlapping issue – is one that is often discussed on the internet. Yesterday afternoon, ACPO, the Association of Chief Police Officers, took what might (just might, at this stage) be a step in a positive direction towards finding a better way to do this. They asked for help – and it felt, for the most part at least, that they were asking with a genuine intent. I was one of those that they asked.

It was a very interesting gathering – a lot of academics, from many fields and most far more senior and distinguished than me – some representatives of journalism and civil society (though not enough of the latter), people from the police itself, from oversight bodies, from the internet industry and others. The official invitation had called the event a ‘Seminar to discuss possible Board of Ethics for the police use of communications data’ but in practice it covered far more than that, including the policing of social media, politics, the intelligence services, data retention and much more.

That in itself felt like a good thing – the breadth of discussion, and the openness of the people around the table really helped. Chatham House rules applied (so I won’t mention any names) but the discussion was robust from the start – very robust at one moment, when a couple of us caused a bit of a ruction and one even almost got ejected. That particular ruction came from a stated assumption that one of the weaknesses of ‘pressure groups’ was a lack of technical and legal knowledge – when those of us with experience of these ‘pressure groups’ (such as Privacy International, the Open Rights Group and Big Brother Watch) know that in many ways their technical knowledge is close to as good as it can be. Indeed, some of the best brains in the field on the planet work closely with those pressure groups.

That, however, was also indicative of one of the best things about the event: the people from ACPO were willing to tell us what they thought and believed, and let us challenge them on their assumptions, and tell them what we thought. And, to a great extent, we did. The idea behind all of this was to explore the possibility of establishing a kind of ‘Board of Ethics’ drawing upon academia, civil society, industry and others – and if so, what could such a board look like, what could and should it be able to do, and whether it would be a good idea to start with. This was very much early days – and personally I felt more positive after the event than I did before, mainly because I think many of the big problems with such an idea were raised, and the ACPO people did seem to understand them.

The first, and to me the most important, of those objections is to be quite clear that a board of this kind must not be just a matter of presentation. Alarm bells rang in the minds of a number of us when one of the points made by the ACPO presentation was that the police had ‘lost the narrative’ of the debate – there were slides of the media coverage, reference to the use of the term ‘snoopers’ charter’ and so forth. If the idea behind such a board is just to ‘regain the narrative’, or to provide better presentation of the existing actions of the police so as to reassure the public that everything is for the best in the best of all possible worlds, then it is not something that many of the people around the table would have wanted to be involved in. Whilst a board like this could not (and probably should not) be involved in day-to-day operational matters, it must have the ability to criticise the actions, tactics and strategies of the police, and preferably in a way that could actually change those actions, tactics and strategies. One example given was the Met Police’s now notorious gathering of communications data from journalists – if such actions had been suggested to a ‘board of ethics’ that board, if the voices around the table yesterday were anything to go by, would have said ‘don’t do it’. Saying that would have to have an effect – or if it had no effect, would have had to be made public – if the board is to be anything other than a fig leaf.

I got the impression that this was taken on board – and though there were other things that also rang alarm bells in quite a big way, including the reference on one of the slides to ‘technology driven deviance’ and the need to address it (Orwell might have rather liked that particular expression) it felt, after three hours of discussion, as though there were more possibilities to this idea than I had expected at the outset. For me, that’s a very good thing. The net must be policed – at least that’s how I feel – but getting that policing right, ensuring that it isn’t ‘over-policed’, and ensuring that the policing is by consent (which was something that all the police representatives around the table were very clear about) is vitally important. I’m currently far from sure that’s where we are – but it was good to feel that at least some really senior police officers want it to be that way.

I’m not quite clear what the next steps along this path will be – but I hope we find out soon. It is a big project, and at the very least ACPO should be applauded for taking it on.

Politics, surveillance and trust….

Themistocles grinned; it made me like him. “There you see it – that’s how we do it here. Among you Medes, I’m told, there are many men so honorable that everyone trusts them. We’re not like that at all – we never trust one another. So what we do instead is make sure that each side’s represented, so that every rascal’s got two worse looking over his shoulder.”

Gene Wolfe, Soldier of Arete.

I’ve always liked those words, put into the mouth of Themistocles by Gene Wolfe. Soldier of Arete is one of my favourite books – giving a very different perspective on the Ancient Greeks. Wolfe tries (and for me succeeds) to give a sense of what life might really have been like – not a place of divine nobility or unattainable grace, but a place inhabited by real people. Themistocles was one of the most successful of Athenian generals and politicians – someone around at the early days of what we these days call democracy. Wolfe’s version of Themistocles is very much a likeable character, and a very grounded one. His view of democracy, of honour and of trust is one that seems both very real and very appropriate even for these days. Honour and trust are all very well, but for things to work well, we always need someone looking over people’s shoulders.

That’s particularly relevant to surveillance. ‘Quis custodiet ipsos custodes?’, to borrow another classical source. Who watches the watchmen? At the Intelligence and Security Committee ’round table’ sessions on Tuesday (about which I wrote here) it was one of the key issues – as were the issues of honour and trust. The first question that Sir Malcolm Rifkind asked at our table was whether we thought the intelligence services acted with ‘good faith’. I understood him to mean, essentially, whether we trusted them. Whether we thought they were honourable people. My answer was that I did think they were acting in good faith – but that that is not enough. I’m not like the Mede with whom Themistocles was talking in Soldier of Arete, who thought some people are so honourable that they can be trusted completely. Good faith is a good start, but it’s not nearly enough. Limits on surveillance, controls, balances and strong oversight are still needed, no matter whether the intelligence services are acting in ‘good faith’, and regardless of whether they are honourable, trustworthy people. Even the most able and honourable people need to be overseen. They make mistakes. They can be misled. They can be confused. They can be given poor information and make inappropriate decisions. And are we sure they are honourable and acting in good faith? It doesn’t matter if almost all of them are – even a single person who isn’t and is given free rein is capable of creating a disaster.

That’s not to say, of course, that trust isn’t important. At a certain level, we have to trust people – human life would be impossible if we didn’t. In things like surveillance, that trust, however, needs to be earned. It needs to be demonstrated that people are worthy of what trust we give them – and right now, after the Snowden revelations, trust in the intelligence services is in a great deal of doubt. It needs to be rebuilt – and that means much more transparency is needed to start with, but also much more understanding. It needs to be made clear that those in authority understand why people are bothered by this. It means that they need to take our worries and concerns seriously.

Right now, too, it means that they can’t expect us to take what they tell us on trust. It means there should be a little more humility, a little more of what might be called ‘grace’. The way that the Data Retention and Investigatory Powers Act (DRIP) was steamrollered through parliament this summer showed none of this. The reverse: it showed contempt for people, and a huge amount of disrespect. The whole process, rather than helping to rebuild the trust, to demonstrate the good faith, to show that they are honourable people, reduced that trust, demonstrated bad faith, and suggested that they are far from honourable. And that goes for the ‘honourable members’ of parliament and for the intelligence services who presumably suggested the bill. I say ‘presumably’, because we really don’t know, and never got the chance to find out. Sir Malcolm Rifkind admitted on Tuesday that he didn’t understand RIPA: how many of the MPs who passed DRIP understood what they were passing? My guess is that they ‘trusted’ the people telling them it was needed, and decided that was enough.

Well, for me it wasn’t. Not nearly enough. We need much more – and I’m waiting.