After Watson: Mandatory data retention by telecommunications operators
A recap of what happened in the UK, after CJEU's Tele2/Watson judgment
The Watson/Tele2 decision of the CJEU concerned section 1 and 2 of DRIPA and the Data Retention Regulations 2014. This contained the legislative scheme concerning the power of the Secretary of State to require communications service providers to retain communications data. Part 3 of the Counter-Terrorism and Security Act 2015 amended DRIPA so that an additional category of data - that necessary to resolve Internet Protocol addresses - could be included in a requirement to retain data.
The Grand Chamber affirmed its judgment in Digital Rights Ireland and rejected the submissions made by the Secretary of State. The safeguards in the DRIPA regime were and remain inadequate. In particular:
- EU law is engaged by arrangements governing access of material retained by communications providers. The contrary arguments are dismissed (§71-73).
- Retention of data is only proper for the purposes of preventing and detecting serious crime (including terrorism), given the seriousness of the interference with privacy involved in data retention (§115, 119).
- There must be prior review of a request for access by a court or other independent authority, following a reasoned request, save in cases of urgency (§120).
- There must be provisions for notification to persons whose data have been obtained, to enable their rights to be vindicated by complaint or legal proceedings (§121).
- Retained data must remain in the EU (§122).
Following the judgment of the European Court of Justice in Tele2/Watson, the Watson case was been remitted back to the UK Court of Appeal.
10 days after the Grand Chamber gave judgment (on 31 December 2016), the sunset clause in section 8(3) of DRIPA 2014 took effect. A sunset clause is a measure within a statute that provides that the law shall cease to have effect after a specific date.
However, existing DRIPA retention notices continued (at the latest) June 2017 by Schedule 9, paragraph 3 of the IPA 2016 . This provision of the 2016 Act was commenced on 30 December 2016 . These provisions are in effect a transitional arrangement to allow time for retention notices under DRIPA to be replaced by retention notices under Part 4 of the IPA when required. The provisions of Part 4 IPA have also been enacted, enabling new retention notices to be issued.
The case was remitted back in the Court of Appeal, where the government argued that because the legislative scheme which was challenged in the Watson/Tele2 has been repealed, (sections 1 and 2 of DRIPA were repealed with effect from 30 December 2016) the case can be dismissed. The government no longer pursued the appeals challenging the Orders of the Divisional Court dated 17 July 2015, in which the Divisional Court declared section 1 of RIPA to be inconsistent with EU law.
The government argued that the appeal could be disposed of based on an amended version of the Divisional Court’s Order . In submissions to the House of Lords, European Union Committee, as reported in the report ‘Brexit: the EU data protection package’, the government stated that:
“The judicial review proceedings concerning the Data Retention and Investigatory Powers Act 2014—aka DRIPA—have not yet concluded. We are currently waiting on the Court of Appeal’s response to the CJEU December 2016 judgment. However, in the light of the CJEU judgment, and in order to bring an end to the litigation, the Government have accepted to the Court of Appeal that the Act was inconsistent with EU law in two areas.” 
Whilst the Home Secretary indicated to the Court of Appeal that she is no longer pursued her appeal against the Order of the Divisional Court, that left unresolved whether the Government accepted the requirement to confine the bases for retention to ‘serious crime’ as per the Watson/Tele2 judgment. Further it left in force the transitional provisions which mirror the data retention powers challenged in Tele2/Watson, and which now expand what can be retained and who can be forced to retain communications data.
The Government maintained that the Order of the Divisional Court should be upheld insofar as “access to the data was not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to that which is strictly necessary for the purpose of attaining the objective pursued”.
However, the Government then sought to vary the Order of the Divisional Court of 17 July 2015 as follows:
“it does not lay down clear and precise rules providing for access to and use of communications data retained pursuant to a retention notice to be strictly restricted [to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences] in the area of prevention, investigation, detection and prosecution of criminal offences, to the objective of fighting serious crime";
([ ] indicates text to be deleted. bold indicates new text)
The government stated that this was consistent with paragraph 115 of the judgment , which referred to both the prevention of crime as well as ‘serious crime’. However, this may not go far enough in reflecting the emphasis elsewhere in that judgment on ‘serious crime’.
Furthermore, and perhaps more importantly, leaving the Divisional Court’s Order in place as the ‘last word’ on the domestic lawfulness of the government’s data retention regime, would have had two big impacts. Firstly, the Divisional Court’s Order related solely to measures for accessing and using retained data. The Divisional Court made clear that they deemed a general indiscriminate data retention regime to be lawful if it was accompanied by a sufficiently limited access regime (paragraph 89 of the Divisional Court’s judgment). This was not the ratio of the Watson/Tele2 judgment, in which the CJEU constrained the scope of both retention and access regimes. Secondly, the amendment above also has the effect of changing the Divisional Court’s order from one confining the basis of data access and use to serious criminal offences alone to a mere limitation on the crime prevention basis of access, thus leaving untouched the many other bases for data access contained in s22 Regulation of Investigatory Powers Act 2000 (“RIPA”) (and which remain in force).
Court of Appeal
Despite the Government's arguments, a hearing took place on 8 December 2017 and the Court of Appeal ruled in its judgment dated 30 January 2018 that:
"DRIPA was in consistent with EU law to the extent that it permitted access to retained data, where the objective pursued by that access was not restricted solely to fighting serious crime, or where access was not subject to prior review by a court of an independent administrative authority."
Prior to the hearing, on 30 November 2017 the Government produced a consultation on communications data retention post Watson.
Part 4 IPA
DRIPA has gone in name but not in substance. Part 4 of the IPA is in force and authorises the Government to issue ‘retention notices’ to telecommunications operators obliging them to retain communications data.
The power to retain data under the 2016 Act is in some respects wider than in DRIPA. For example, it includes a power to direct retention of internet connection records  (section 86(11)) and expands the definition of communication service providers (telecommunications operators), thus increasing those in respect of whom it can require to comply with retention notices. 
In addition, s.87(9)(b) contains a power for the Defendant to require telecommunications providers to generate and begin to retain communications data to which they potentially have access, even though they do not generate, process or retain that data in the course of their business.
None of the safeguards identified as necessary by the CJEU in Watson are provided for by the 2016 Act. In particular:
(1) There is no provision for judicial or independent authorisation for access to retained data, save in respect of an application to identify a journalistic source (sections 61 and 77).
(2) Retention and access are permitted for purposes other than serious crime (section 61(7)).
(3) Data need not be retained within the EU (section 92 and 97).
(4) There is no requirement for notification of access to the data subject.
The replacement for DRIPA (Part 4 of the 2016 Act) therefore suffers from the same defects as DRIPA itself.
Part 4 is subject to challenge by Liberty. On 14 June 2016 Liberty were granted permission to apply for Judicial Review in relation to Part 4 of the Act. The Government have now indicated their position on that part of the claim. They have accepted the ‘inconsistency’ with EU law identified in Tele2/Watsonin respect of DRIPA, will affect the IPA. They state therefore that they do not contest the claim that Part 4 of the IPA is, in its current form, ‘inconsistent with EU law on these grounds.’
The government stated that the intend to ensure that the IPA is amended, in particular in relation to prior judicial approval or independence authorisations for retained communications data.
They state that the IPA:
- it does not ensure that, in the area of criminal investigations, access to and use of retained communications is restricted to the object of fighting crime;
- access to retained data is not subject to prior review by a court or an independent administrative body.
Note the lack of mention of serious crime; the sole focus on access to and use of communications data as opposed to retention; and what appears to be a restrictive interpretation of Tele2/Watson as confining only the crime fighting basis for retention/access, rather than as prohibiting all non-crime related grounds.
Data Retention and Acquisition Regulations 2018
The Data Retention and Acquisition Regulations 2018 entered into force on 31 October 2018. The regulations concern the retention of communications data by telecommunications and postal operators and the acquisition of communications data by public authorities.
The Regulations bring into force the Communications Data Code of Practice and amend Parts 3 and 4 of the Investigatory Powers Act 2016, to comply with the ECJ ruling. 
The amendments to the Acts include:
- A new power for the Investigatory Powers Commissioner to authorise communications data requests made by a public authority. This power will be delegated to a new body, the Office for Communications Data Authorisations.
- Allowing for internal authorisation of requests in cases with urgency or in cases of national security where the request is made by intelligence agencies.
- A new threshold of “serious crime”, which includes offences where an adult may be sentenced to imprisonment for at least 12 months and any offence committed by a body corporate.
- The removal of three of the previous statutory purposes for retaining and acquiring communications data: public health; collecting any tax or other charge payable to a government department; and exercising functions relating to the regulation of financial services and markets or financial stability.
- Adding additional considerations that must be taken into account by the Secretary of State before a retention notice is issued to a telecommunications or postal operator. These considerations include: which of the operator’s services the notice specifically relates to, whether it would be appropriate to restrict the retention notice by geography or by groups of customers, and the statutory purpose to be achieved.
 Schedule 9 section 3(3) …cease to apply in relation to any retention notice under section 1o f the Act of 2014 – (a) at the end of the period of six months beginning with the commencement day, or (b) if earlier, on the revocation in full of the notice;
 The Explanatory Note to SI No.1233 (C.85) states: Regulation 2 brings into force the repeal of sections 1 and 2 of the Data Retention and investigatory Powers Act 2014 (c.27), which provide for communications data retention. Schedule 9 of the 2016 Act provides that a retention notice given under the 2014 Act continues to have effect for a period of 6 months from the 30thDecember (“the transitional period”) as if it were a notice given under Part 4 of the 2016 Act. Schedule 9 (3) Retention of communications data: 1. A retention notice under section 1 of DRIPA which is in force immediately before the commencement day is to be treated, on or after that day, as a retention notice under section 87 of this Act...2. In particular: 1. Anything which, immediately before the commencement day, is in the process of being done by virtue of, or in relation to, a retention notice under section 1 of the Act 2014 may be continued as if being done by virtue of, or in relation to, a retention notice under section 87 of this Act, and 2. Anything done by virtue of, or in relation to, a retention notice under section 1 of the Act of 2014 is, if in force or effective immediately before the commencement day, to have effect as if done by virtue of, or in relation to, a retention notice under section 87 of this Act so far as that is required for continuing its effect on or after the commencement day.
 IPA (Commencement No. 1 and Transitional Provisions) Regulations 2016 (SI 2016/1233)
 Remember, it was the Divisional Court who found against the Government, in light of Digital Rights Ireland, and subsequently the Court of Appeal who referred the case to the European Court of Justice, but indicated they favoured the Government’s arguments.
 Baroness Williams of Trafford, Minister of State, Home Officehttps://publications.parliament.uk/pa/ld201719/ldselect/ldeucom/7/7.pdf
  … Further, since the objective pursued by that legislation must be proportionate to the seriousness of the interference in fundamental rights that that access entails, it follows that, in the area of prevention, investigation, detection and prosecution of criminal offences, only the objective of fighting serious crime is capable of justifying such access to the retained data.
 The definition of communications data to be retained and accessed now includes ‘Internet Connection Records’: which entails (but is not solely limited to) providing a record of the internet websites visited by an internet user;
 Prior to the Investigatory Powers Act, legislationreferred to ‘public’ telecommunications operators. The IPA has dropped the ‘public’ and refers simply to telecommunications operators. A telecommunications operator is defined at section 261(10)as a person who “(a) offers or provides a telecommunications service to persons in the UK, or (b) controls or provides a telecommunications system” in or controlled from the UK. At 261(11) ‘Telecommunications service’ is ‘any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system’ and at 261(13) a ‘Telecommunication system’ is ‘a system…that exists…for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.’
The draft codes indicate the breadth of interpretation. See §2.10 – 2.14 https://www.privacyinternational.org/sites/default/files/Privacy%20International%20-%20Response%20to%20Consultation%20on%20IPA%20Codes%20of%20Practice%20-%20April%202017.pdf
“For the avoidance of doubt, the Defendants would resist any application for an Order that required the disapplication of any aspect of the current legislation before Parliament has been given an opportunity to amend the legislation to comply with EU law as clarified by the CJEU. These powers, which Parliament approved only last year, are vital to the police and intelligence agencies in arresting and prosecuting criminals and preventing terrorist attacks.”