Surveillance

On Emergency U.K. Data Retention Legislation

By Hugo Rosemont
Saturday, July 19, 2014, 4:00 PM

After Edward Snowden leaked, the UK Government dripped.

Or, to put it less metaphorically, a major controversy played out in the UK over the past week around the speed, tone and scope of the coalition Government's proposal to introduce, in little more than a week and through rushed emergency legislation, its (unfortunately abbreviated) bill on Data Retention and Investigatory Powers (DRIP). As I discuss below, the Government ultimately succeeded in navigating the legislation through Parliament, but not without serious questions being raised, both about the new law itself and about the manner of the Government’s approach.

Background to DRIP

The episode arose on 10 July when the Conservative Prime Minister, David Cameron, and the Liberal Democrat Deputy Prime Minister, Nick Clegg, announced at a Downing Street press conference that an agreement had been reached by the leaders of all three main UK political parties---the two of them plus Ed Miliband, the leader of the opposition Labour Party---to swiftly introduce new emergency security legislation on the retention of communications data and associated powers of interception. A Parliamentary statement by the Home Secretary, Theresa May, also outlined the proposal and clarified the Government’s reasons for introducing what some have seen as a highly illiberal measure.

According to the Government, new UK legislation on data retention was urgently needed for two main reasons. Firstly, a judgment by the European Court of Justice (ECJ) on 8 April struck down the EU Data Retention Directive, the pan-EU regulation that required communications service providers to retain the data of their customers for a stated period.  The Government thought the ruling created uncertainty around the legality of any longer requiring companies to retain communications data in the UK, thus presenting the risk that, without greater clarity, the companies could start deleting their records. Secondly, the Government argued in introducing the bill that communications providers also needed further clarity of a different sort: the companies had been questioning their legal responsibilities with regards to cooperation with the Government over the matter of electronic communications. The House of Commons Library produced a useful briefing note which outlined the rationale for, the main aspects of, and the initial reaction to the proposed legislation. Access to the bill and its associated documentation is also available.

In the eyes of the Government, therefore, there was after the ECJ decision an intolerable lack of legal certainty regarding both the responsibility of companies to retain their customers’ communications data (thus potentially making it inaccessible) and the state’s ability to access the content of communications (under a warrant, as appropriate). Judging by remarks of the Home Secretary in a Parliamentary Select Committee evidence session (watch from 15.56.40 here), the Government genuinely feared that a legal challenge, if successful, might remove the ability of the authorities to obtain communications data. In its efforts to promote the bill in this context, the Government’s argument was that the new legislation would simply serve to establish in domestic law the powers that were formerly granted to the Government under the EU Data Retention Directive. The official line was that the legislation would not introduce any new powers; it simply replaced earlier rules which had been knocked out by the ECJ.  (See more on this argument in the explanatory notes of the bill here.)

Turning on the Faucet of Emergency Legislation

Over the course of past week, many of the Government’s arguments were strongly questioned or challenged by legal commentators and civil society organizations. It is not possible in a short post to address each of these in detail; however---and perhaps of special interest to Lawfare readers---the bill’s proposal to allow for “extra-territoriality” provisions to apply to the UK’s existing domestic legal framework for communications interception, under the Regulation of Investigatory Powers Act (RIPA), generated a particularly heated discussion. In short, the intended effect was that foreign companies providing communications services to UK customers should, like UK companies, be legally required to cooperate with UK authorities where it is deemed necessary. This raised questions from critics over whether the provision actually constituted a ‘new’ power after all; in response, the Home Secretary stated the Government’s view that it always believed extra-territoriality applied to RIPA.

There was also a strong sentiment amongst many opponents of the bill that the Government did not take into account in the new legislation the reasons why the ECJ dismissed the Data Retention Directive in the first place.  One commentator, for example, argued that the Government was not addressing the significance of the court’s finding that it is the blanket storage of communications data that is so problematic. A serious question was therefore raised around whether DRIP would be compatible with EU law in its aim to make sure that all communications data should continue to be retained by identified companies. With the debate in full flow, one Government Minister contested the idea that the proposal contravened the European Convention on Human Rights.

In addition to numerous reservations being expressed over the desirability and lawfulness of DRIP, serious concern arose over the Government’s intention to pass the bill as “emergency” legislation; the Financial Times was amongst the first to express its disagreement at the speed with which the plans were being developed. Other commentators articulated even more bitter opposition. Having participated in a fiery television debate with a Government Justice Minister following the original announcement , Shami Chakrabarti, the leader of the human rights organization, Liberty, published a strong critique on the Government’s approach to DRIP. The backbench Conservative MP, David Davis, also published a piece which did not pull its punches.

Unfortunately, the debate often proceeded angrily as the events of the week developed. To summarize the tone of the discussions, the Government stood accused by critics of seeking to rush through an illiberal and unlawful legislative measure, completely lacking substantive debate or scrutiny, both publically and within Parliament. This was regrettable because this is clearly the most significant legislation on data retention and interception to have emerged in the UK in the aftermath of Snowden's leaks; it is entirely appropriate, therefore, that it should have been properly debated, especially given the tight timeline.

Some DRIP Downsides

Both the Government’s hasty approach to DRIP and the outrage that was levelled towards it by some opponents clouded several issues which deserved to be debated and understood more widely. Firstly, the Government’s inclusion of a “sunset clause” within the DRIP legislation---the bill proposed that the act would automatically be repealed on 31st December 2016, thus ensuring that the whole issue must be readdressed in the next Parliament---was greeted with unduly harsh criticism. On the contrary, it should have been seen as a welcome move in the circumstances that the Government included such a protection to allow for future debate on the matter. Interestingly, it was reported at the beginning of the week (Monday) that the Labour Party planned to table amendments designed to encourage greater scrutiny of the law, with other MPs suggesting that the timing of the proposed sunset period should be changed to until the end of 2014. Whilst some of the Labour Party’s ideas were taken into account, the second proposal for a different end-date was ultimately rejected. A separate amendment, that would have made the legislation lapse in 2015, was tabled in the Lords---but was also withdrawn.

Secondly, when announcing this legislation the Government also revealed a suite of additional, potentially significant initiatives. Perhaps of particular interest to Lawfare readers is that the UK Government intends to establish a new “Privacy and Civil Liberties Oversight Board,” based on the US model, which it said would be designed “to ensure that civil liberties are properly considered in the formulation of Government policy on counter-terrorism.” Caution has already been urged on how to introduce the new structure, because of the risks associated with the plan that the Board should replace the longstanding role of another oversight body, the Independent Reviewer of Terrorism Legislation.  The proposal nevertheless offers the opportunity for serious additional scrutiny of UK legislation and activities in the counter-terrorism field. Separately, the Government also made clear its intention to appoint a senior former UK diplomat to take forward discussions with the US Government and companies in particular on how “to establish a new international agreement for sharing data between legal jurisdictions.” This too would seem to naturally align with several core Lawfare topics, and is particularly important to get right: many US-owned telecommunications companies, after all, provide services to UK citizens.

Finally, the public-private sector dynamics which clearly informed this legislation have been remarkably little commented upon. Most significantly, the statement of the need (as the Government viewed it) to provide clarity to the private sector on its legal obligations regarding cooperation was tabled as one of the two main justifications for actually introducing DRIP. The role and scope of the private sector’s involvement in (and potential influence upon) security provision is one of the key issues of our times that must continue to be properly debated. In this context, the question of whether it could ever be desirable that emergency CT legislation be formed with the concerns of companies being such a prominent factor warrants greater discussion.

To be clear, the aim of highlighting these additional issues is not to try in some way to dismiss the concerns that were raised by opponents of DRIP; for the avoidance of doubt, I would actually agree with those who argued that it was undesirable to pass CT legislation so quickly, and that it was unfortunate that the timing of the Prime Minister’s ‘reshuffle’ of his Cabinet fell on the same day (15 July) that the bill was debated (in its compressed timetable) in the House of Commons.

However, it can also be suggested that there was sufficient cross-party support and scrutiny of the bill in Parliament to be able to establish the Act’s legitimacy. Having secured an overwhelming majority of votes in the House of Commons (scroll down to the bottom of this account to see the voting record), the bill then passed to the Lords. Whilst over the course of two days of its own scrutiny serious reservations over DRIP were expressed in “theother place,” the chamber ultimately did not block the bill. After lunch on Thursday, it was reported that the legislation had been waved through by the Lords and would therefore be successfully passed in law. Later that afternoon, it was confirmed that DRIP had received Royal Assent to become an Act of Parliament.

The manner in which the events of the past week transpired was suboptimal for one final reason. As a result of the discussions around DRIP largely focusing on legal nuances and procedural issues (however important), the validity of the original purpose of the legislation was arguably never properly debated, and therefore it might not be understood by a wider audience. In essence, the UK Government was arguing that the relevant companies should continue to store communications data for a certain period, and that the authorities should continue to have the ability to legally access (under warrant) the content of communications where appropriate for security purposes (such as countering terrorism or serious organized crime). The reality is that that few (if any) serious commentators on either side of the debate on DRIP appeared to oppose the principle that the authorities should be granted such ability in certain circumstances.

***

In the end, the result was that the DRIP legislation passed through Parliament. The enactment of the bill into law should of course not be taken by the authorities as being a ‘carte blanche’ enabling them to access on a whim any communications data, or intercept the content of our communications at will - that would obviously be deeply worrying and, contrary to some perceptions, the legislation is not intended for such scenarios. Against this backdrop, a further possible lesson from this episode is that, provided the response is proportionate and concerns for civil liberties are always taken into account, there should be a greater acceptance of the principle that the authorities genuinely do need such capability in some circumstances. Indeed, this should be one of the main starting points from which discussions on the development of legislation can sensibly proceed in this sensitive area.

Hugo Rosemont is an independent security analyst and PhD Candidate at King’s College, London.