The Data Retention and Investigations Powers Bill hit the headlines last week – but what’s it all about?
Prime Minister David Cameron announced last week that the Government is taking emergency measures to fast-track new legislation, The Data Retention and Investigations Powers Bill (DRIP), which will force communications service providers (i.e. telcos and ISPs, together CSPs) to store communications data (including call and internet search metadata) for 12 months.
This announcement follows the CJEU’s ruling that the Data Retention Directive 2006/24/EC (the “Directive“), which requires CSPs to store communications data for up to two years, is invalid for contravening the right to privacy and data protection and the principle of proportionality under the EU Charter of Fundamental Rights (the “Charter“). The CJEU was particularly concerned about the lack of restrictions on how, why and when data could be used.
The thinking behind the move
The PM said that the measure was necessary to protect existing interception capabilities which protect against paedophiles, terrorists and other serious criminals. Cameron said DRIP will address the CJEU’s concerns and provide a clear legal basis for companies to retain such communications data and also stressed that it would cover the retention of only metadata, such as the time, location and frequency of communications, and would not cover the content of communications.
DRIP is intended as a temporary measure and is to expire in 2016, ensuring that in the short term, UK security and law enforcement agencies can continue to function while giving Parliament time to modernise and improve the Regulation of Investigatory Powers Act 2000 (RIPA).
While Cameron has insisted that the measure does not impose new obligations on CSPs and would not legitimise new intrusions on civil liberties, DRIP faces criticism that it extends on the already far-reaching interception rights under RIPA and also contravenes the Charter.
CSPs already maintain significant data storage and retrieval systems purely to comply with the Directive and are unable to recoup these costs other than from their general business operations. It is not yet clear whether this costly legislative burden will extend to additional CSPs not already covered.
Meanwhile in Europe…
Britain is the first EU country to seek to rewrite its laws to continue data retention since the CJEU decision. By comparison, the German courts viewed Germany’s implementation of the Directive as far exceeding constitutional limits on the right of informational self-determination. In Germany’s Telecommunication Act 2012, the data retention provisions were deleted. The EU Commission commenced EU Treaty violation proceedings against Germany however the result of the CJEU ruling has rendered the proceedings groundless.
In response to the CJEU decision, Austria has now also declared its data retention laws to be unconstitutional and data retention obligations have been significantly limited.
It remains to be seen how other EU countries will respond to the CJEU decision and whether this will lead to a patchwork of CSP data retention standards throughout the EU and also the implications of the resulting conflict between national data retention standards and EU fundamental rights.
Esra Tekdağ is an associate at Fieldfisher