The Data Retention Directive: Life after Death?

News & Analysis
The Data Retention Directive: Life after Death?

As privacy and free expression advocates hail the demise of the Data Retention Directive at the hands of the European Court of Justice, one large question is looming in the midst of celebration.

Now what? 

More specifically, what will be its impact of the national laws of the European Union countries? What steps should EU governments be taking to ensure the Court’s decision is given effect? What are the implications for communications service providers who have been collecting and storing data in accordance with the Directive for many years? How can we ensure that this harmful practice is ceased immediately?

The uncertainties that appear in the aftermath of this significant decision need clarity. The Court was clear that this type of indiscriminate and blanket retention interferes with the right to privacy, and we must ensure that Government does not seek to conduct mass surveillance on metadata through other means. .

Whither British data retention?

In the United Kingdom, it appears that the legislation that implements the Directive - the Data Retention (EC Directive) Regulations 2009 - is rendered ultra vires as a result of the Court’s decision to invalidate the Directive. The power of the Secretary of State to pass the 2009 Regulations is conditional upon the existence of a valid EU Directive. Because the Court retroactively invalidated the Directive, the Secretary of State is retroactively deprived of the power to make the 2009 Regulations, meaning that the Regulations now lack legal effect.

As a result, there is no longer any duty on communication providers to retain communications data or to provide it to the Secretary of State. Equally, all previous orders issued under the Regulations are themselves ultra vires, and therefore void.

However, there remain other avenues under which the British government may try to demand that communications providers retain their customers’ communications data. Section 12 of the Regulation of Investigatory Powers Act allows the Secretary of State to impose on telecommunication providers reasonable obligations to ensure that they can “provide assistance in relation to interception warrants”. While this power is primarily used to compel service providers to build interception capability into their infrastructure, the government might also claim it provides a basis for the retention of communications data. Provisions in the Telecommunications Act 1984 may be similarly manipulated to authorise retention.

It is essential that the British government immediately disclose any orders that have the effect of mandating data retention in terms similar to those required by the Directive. If the government starts seeking to achieve mass data retention through such alternate means it would be a deliberate attempt to circumvent the demands of Britain’s human rights obligations.

For this reason, Privacy International has written to the Home Office demanding such disclosure and seeking confirmation of the invalidity of the 2009 Regulations.

What next for service providers?

The end of mandatory data retention should prompt a huge sigh of relief for communications service providers, who bore a considerable logistical burden under the regime. But, with the exception of one Swedish internet service provider, which has - perhaps, controversially - deleted all retained data in the aftermath of the Court’s decision, the communications sector has yet to respond publicly to this week’s developments.

This is likely due to the uncertainty that remains as to the effect of domestic legislation pertaining to data retention in light of the Directive’s invalidation. However, communications service providers have received government compensation for costs incurred in giving effect to the Directive. It would be disappointing to discover that service providers thereby had an economic incentive for retaining their customer’s data. Whether that is the case may soon become apparent if service providers decide to continue to facilitate data retention in an attempt to maintain that compensation.