Our response to the Government's post-Watson Comms Data Code
RESPONSE OF PRIVACY INTERNATIONAL TO THE CONSULTATION ON THE GOVERNMENT’S PROPOSED RESPONSE TO THE RULING OF THE COURT OF JUSTICE OF THE EUROPEAN UNION ON 21 DECEMBER 2016 REGARDING THE RETENTION OF COMMUNICATIONS DATA
[Full response below]
Introduction
The consultation is in response to the judgment in Tele2 Sverige AB v Post-och telestyrelsen (Case C-203/15) and R (Watson) v Secretary of State for the Home Department (Case C-698/15) [“Watson judgment”].
The case concerned sections 1 and 2 of DRIPA and the Data Retention Regulations 2014. These contained the legislative scheme concerning the power of the Secretary of State to require communications service providers to retain communications data. Part 3 of the Counter-Terrorism and Security Act 2015 amended DRIPA so that an additional category of data – that necessary to resolve Internet Protocol addresses – could be included in a requirement to retain data.
The European Court of Justice held that the ePrivacy Directive (2002/58/EC), when read in light of the EU Charter of Fundamental Rights, prohibits national legislation from imposing data retention obligations unless it is ‘strictly necessary’ for the purpose of fighting ‘serious crime’ and that measures allowing for ‘general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’ are not permitted. The European Court of Justice held that law enforcement agencies can only access the retained data where it is ‘strictly necessary’ for the purpose of fighting serious crime and where such access has been approved following a prior review by a court or independent authority.
Privacy International intervened in the case together with Open Rights Group and made submissions that both an obligation to retain and an obligation to disclose or grant access to personal data are data-processing activities covered by the ePrivacy Directive and the Data Protection Directive.
Privacy International believes that the Government’s Draft Code of Practice for Communications Data and the proposed amendments to Parts 3 and 4 IPA fail to fully implement the European Court of Justice’s judgment in Tele2 Sverige AB v Post-och telestyrelsen (Case C-203/15) and R (Watson) v Secretary of State for the Home Department (Case C-698/15), which specified a number of EU law requirements a regime governing the retention and acquisition of communications data must meet.
The Government has sought to circumvent express mandatory safeguards identified in the court judgment by:
- Proposing that entity data does not form part of communications data to which the Watson judgment applies;
- Removing the application of the judgment from ‘data held for business purposes’;
- Re-defining serious crime for retention and access purposes;
- Avoiding independent judicial oversight.
In addition, the consultation has failed to identify issues concerning:
- Transitional provisions of the Investigatory Powers Act 2016 which result in unlawful access and retention;
- The broad definition of telecommunications operators which significantly expands those upon whom data retention notices can be served.
Cumulatively, these actions taken by the Government and its proposals undermine the judgment and provide for a data retention regime which is general and indiscriminate. The judgment stated:
Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.
Article 15(1) of Directive 2002/58, as amended by Directive 2009/136, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights, must be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.
[emphasis added]
The CJEU gave clear and unequivocal guidance as to the requirement of EU law in relation to a data retention regime, stating as follows (emphasis added):
“102. Given the seriousness of the interference in fundamental rights concerned represented by national legislation which, for the purpose of fighting crime, provides for the retention of traffic and location data, only the objective of fighting serious crime is capable of justifying such a measure.
103. Further, while the effectiveness of the fight against serious crime, in particular organised crime and terrorism, may depend to a great extent on the use of modern investigation techniques, such an objective general interest, however fundamental it may be, cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered to be necessary for the purpose of that fight.
112. Having regard to all the foregoing, the answer to the first question referred to in Case C-203/15 is that Article 15(1) of the Directive 2002/58, read in light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.”
In A Question of Trust, David Anderson QC stated[1] that “If one thing is certain, it is that the road to a better system must be paved with trust:
Public consent to intrusive laws depends on people trusting the authorities, both to keep them safe and not to spy needlessly on them.
This in turn requires knowledge at least in outline of what powers are liable to be used, and visible authorisation and oversight mechanisms in which the wider public, as well as those already initiated into the secret world, can have confidence.
(e) Service providers (particularly the overseas providers whose cooperation is so necessary) crave the trust of their customers, and can earn it only by assuring them that their data will only be released in accordance with a visible legal framework and on ethical and independently controlled grounds.”
He stated that obligatory data retention requires service providers to retain and make available valuable communications data relating to effectively the whole population. He goes on to emphasise the need for accessible and foreseeable laws; powers exercised only when strictly necessary and proportionate; for a clear and comprehensive system of authorisation, monitoring and oversight; and for effective remedy.
In our submission, the proposals in the Consultation which relate to amendments to the Investigatory Powers Act 2016 and the Draft Code of Practice for Communications Data not only fail to implement the judgment but provide for a law that is neither accessible nor foreseeable; where powers are not limited to exercise when strictly necessary and proportionate and where the system for authorisation, monitoring and oversight is opaque. Finally, the failure to give due consideration or attempt to formulate a system of notification undermines the basic requirement for effective remedy.
The attempt of the Government to undermine the judgment of the CJEU will have repercussions for an adequacy decision in relation to data transfers. Post Brexit, for third countries looking to exchange data with the EU, the GDPR provides for two broad options. The first would be for the UK to receive an ‘adequacy decision’ from the European Commission certifying that it provides a standard of protection which is “essentially equivalent” to EU data protection standards.
However, as noted by the House of Lords Brexit Committee[2]:
“When considering an adequacy decision, the European Commissioner will look at a third country’s data protection framework in the round, including national security legislation. If the UK were to seek an adequacy decision, the UK would no longer be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently engaged when the UK’s data retention and surveillance regime is tested before the Court of Justice of the European Union.
113. Continuing UK alignment with the EU data protection laws could come into tension with the Government’s preferred approach to data retention and surveillance for national security purposes. While the UK remains a member of the EU, national security is the sole responsibility of each Member State, as outlined in the TFEU (article 4.2). However, the boundaries between Member State competence over national security and EU competence over data protection and retention are increasingly being tested before the CJEU.”
Thus, if the UK government continues to seek to undermine the decision of the CJEU by pursuing the proposals set out in this consultation and failing to give effect to the mandatory safeguards, this, together with other national security measures, will threaten an adequacy decision.
We do, however, note one aspect of transparency this consultation has highlighted. At page 14 of the Consultation document it states that:
“Section 90(13) of the Act requires the Secretary of State to keep a data retention notice under review, and revoke a notice where retention is no longer necessary and proportionate, or vary it where retention of communications data relating to a particular service offered by the provider is not necessary and proportionate. Law enforcement has engaged with over 700 telecommunications and postal operators in the past two years, less than 25 of these are or have ever been subject to a data retention notice.”
That the Government is prepared to state in the consultation document how many operators are receiving data retention notices demonstrates that a publicly available central register documenting the number of telecommunications operators served with notices can be maintained.
We recommend the Investigatory Powers Commissioner maintain a publicly available central register documenting the number of telecommunications operators served with notices, to be established without delay.
[1] https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2015/06/IPR-Report-Print-Version.pdf para 13.3
[2] House of Lords, European Union Committee, 3rd Report of Session 2017-19, “Brexit: the EU data protection package”.