The United Kingdom wants access to your data — all your data. An emergency bill shrouded in secrecy is speeding through the Commons and expected to pass next week. Its passage will mean that phone and internet companies will have to retain user data for a period of 12, or even 24, months.
“Regardless of where you stand on the decision of the European Court of Justice, can you honestly say that you want a key decision about how your personal data is stored to be made by a stitch up behind closed doors and clouded in secrecy? None of your MPs have even read this legislation, let alone been able to scrutinise it,” writes Tom Watson, a British Labour party member of parliament (MP). “The very fact that the government is even considering this form of action, strongly suggests that it has an expectation that the few people on the Liberal Democrat and Labour front benches who have seen this legislation are willing to be complicit.”
This piece of U.K. legislation, called the Data Retention and Investigation Powers Bill, is a knee-jerk response to a ruling by the European Court of Justice that declared the European Parliament’s Data Retention Directive invalid earlier this year. That directive itself was issued by the European Union in 2006, and required member states to store their citizens’ telecommunications data for at least six months — at most two years — in order to enable law enforcement to access IP addresses, geolocation data, e-mails, call logs, text conversations, web history, and other information. The European Union’s highest court struck it down on April 8, 2014.
The court ruled that “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” adding that:
Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.
Firstly, the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
Secondly, the directive fails to lay down any objective criterion which would ensure that the competent national authorities have access to the data and can use them only for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights in question, may be considered to be sufficiently serious to justify such an interference. On the contrary, the directive simply refers in a general manner to “serious crime” as defined by each Member State in its national law. In addition, the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body.
Thirdly, so far as concerns the data retention period, the directive imposes a period of at least six months, without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued. Furthermore, that period is set at between a minimum of six months and a maximum of 24 months, but the directive does not state the objective criteria on the basis of which the period of retention must be determined in order to ensure that it is limited to what is strictly necessary. The Court also finds that the directive does not provide for sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data. It notes, inter alia, that the directive permits service providers to have regard to economic considerations when determining the level of security which they apply (particularly as regards the costs of implementing security measures) and that it does not ensure the irreversible destruction of the data at the end of their retention period.
Lastly, the Court states that the directive does not require that the data be retained within the EU [European Union]. Therefore, the directive does not fully ensure the control of compliance with the requirements of protection and security by an independent authority, as is, however, explicitly required by the Charter. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data.
To ensure compliance with human rights law, the court outlined some guidelines: restricting data retention to threats to public security, a specific period, a specific location, and a specific suspect, and limiting the period of retention to only that which is deemed absolutely necessary.
The U.K.’s Data Retention and Investigation Powers Bill is being sold as a measure against “terrorists,” specifically, “radicalized Brits returning from Syria.”
“It is the first duty of government to protect our national security and to act quickly when that security is compromised,” said the prime minister of the United Kingdom, David Cameron, in a press statement. “As events in Iraq and Syria demonstrate, now is not the time to be scaling back on our ability to keep our people safe. The ability to access information about communications and intercept the communications of dangerous individuals is essential to fight the threat from criminals and terrorists targeting the UK. No government introduces fast-track legislation lightly. But the consequences of not acting are grave.”
In order to ensure the law doesn’t overstep the right to privacy, the following measures have been promised: the creation of a Privacy and Civil Liberties Board that will examine the effects of the law on citizens; annual transparency reports about how the powers are used by the government; a restriction on the agencies capable of asking for access to data; an agreement with the United States and internet companies to establish an international agreement for data sharing between jurisdictions; a sunset clause that will force this law to expire in 2016; and a review of the Regulation of Investigatory Powers Act, a 14-year-old act from parliament that has led to a number of prosecutions relating to the abuse of government investigative powers.
Nothing has been said of how generalized the data retention will be, however. Unsurprisingly, privacy activists in the U.K. are worried. Speaking to the Guardian, Emma Carr, who is acting director of the surveillance watch group Big Brother Watch, said, “It is a basic principle of a free society that you don’t monitor people who are not under suspicion. […] The EU’s data retention laws privatized snooping, meaning companies were paid by governments to record what citizens were doing and retain that information for a year. We need to get back to a point where the police monitor people who are actually suspected of wrongdoing rather than wasting millions every year requiring data to be stored on an indiscriminate basis.”
Header image by Ludovic Bertron.