The UK government has confirmed it will introduce emergency legislation next week that will require Internet and phone companies to keep records of customer metadata.
It said the aim of the new emergency legislation is to maintain existing data retention powers, after a European Court of Justice (ECJ) ruling — back in April — struck down European data retention powers on the grounds that they were too broad.
The UK government argues that without a new law, communications companies might start deleting user metadata, which would jeopardise law enforcement and security agencies’ abilities to conduct investigations and gather retrospective data for “evidential purposes.”
The coalition has secured cross-party support for the move, meaning it will be able to rush the legislation through parliament with the support of opposition MPs.
That support has been secured on the basis of the law having a two-year sunset clause, and a new oversight board being set up to have eyes on the functioning of the powers and ensure civil liberties are “properly considered” in the formulation of new counter-terrorism policy.
The board will be called The Privacy and Civil Liberties Oversight Board, and will be based on a US model — with the government citing David Anderson’s existing role as the Independent Reviewer of Terrorism Legislation as its inspiration here. The board will report annually, detailing the frequency with which the police and security services are using the powers.
The government also plans to appoint a senior diplomat to lead discussions with the US government and Internet companies to “establish a new international agreement for sharing data between legal jurisdictions.”
Another measure it detailed today was a restriction to the number of public bodies that are able to approach phone and Internet companies to ask for comms data. “Some bodies will lose their powers to access data altogether while local authorities will be required to go through a single central authority who will make the request on their behalf,” the government said.
The sunset clause means the bill will terminate at the end of 2016 — requiring new legislation to be brought in by the next UK government (a general election is due to be held in 2015) if the data retention powers are to continue beyond that point.
Between now and the end of 2016, the government said it intends to conduct a full review of the UK’s Regulation of Investigatory Powers Act, to make recommendations for how it could be “reformed and updated”.
The European Data Retention Direction, which was struck down by the ECJ, required phone companies and ISPs to store users’ comms metadata information — such as email subjects, to/from info and location data — for up to two years. But the court ruled that the breadth of the directive overreached what was required to fight crime and terrorism and invaded citizens’ privacy — leaving people “feeling that their private lives are the subject of constant surveillance”.
Evidently the UK government takes a different view — although the new powers reduce the length of time companies are required to retain data to up to one year, rather than two.
In a statement today, Prime Minister David Cameron said: “It is the first duty of government to protect our national security and to act quickly when that security is compromised. As events in Iraq and Syria demonstrate, now is not the time to be scaling back on our ability to keep our people safe. The ability to access information about communications and intercept the communications of dangerous individuals is essential to fight the threat from criminals and terrorists targeting the UK.”
“No government introduces fast track legislation lightly. But the consequences of not acting are grave. I want to be very clear that we are not introducing new powers or capabilities – that is not for this Parliament. This is about restoring two vital measures ensuring that our law enforcement and intelligence agencies maintain the right tools to keep us all safe,” he added.
In addition to security concerns, the government said another trigger for the fast tracked legislation was a call by “some companies” for a “clearer legal framework” regarding the retention of customer data for law enforcement and UK intelligence agency purposes.
That call is set against the backdrop of ongoing leaked revelations from the cache of documents taken by former NSA contractor Edward Snowden, which has shone a light on government surveillance activities — including goings on inside the UK’s GCHQ agency.
In just two examples of the pressure being put on UK government about its surveillance activities in the wake of the Snowden revelations, earlier this month a group of ISPs filed a legal complaint with the UK’s Investigatory Powers Tribunal over how the UK spy agency GCHQ reportedly operates.
While, last month, mobile carrier Vodafone published a highly detailed report into state surveillance requests — including the UK — that called for greater transparency and enhance accountability from governments, and amendments to legislation to prevent states secretly accessing their infrastructure.
The UK government said today that the new emergency Data Retention and Investigation Powers Bill will “respond to the ECJ judgment on data retention and bring clarity to existing law in response to CSPs’ [communications service providers’] requests”.
However the new bill has drawn criticism from privacy campaigners — not least for the lack of parliamentary scrutiny being afforded to the legislation, despite the ECJ ruling being handed down three months ago.
In a statement, Shami Chakrabarti, director of privacy and civil liberties campaign group Liberty, singled out the legislative rush-job for particular criticism: “The government says it’s only plugging loopholes but its existing blanket surveillance practice has been found unlawful. We are told this is a paedophile and jihadi ’emergency’, but the court judgment they seek to ignore was handed down over three months ago and this isn’t snooping on suspects but on everyone.
“We are promised greater scrutiny and debate but not until 2016, as it seems that all three party leaders have done a deal in private. No privacy for us and no scrutiny for them. Will Clegg and Cameron’s ‘debate for the future’ really comfort voters and companies today?”
Update: Giving a speech to the House of Commons today, the UK Home Secretary, Theresa May, made it clear that, in her view, the powers in the new legislation are still inadequate — saying they “will not tackle the wider problem of declining communications data capability” — bringing back the specter of a more wide-ranging ‘Snoopers’ Charter’ being introduced by a future Tory government.
May said: “The House will understand that I want to be clear, as I said earlier, that this legislation will merely maintain the status quo. It will not tackle the wider problem of declining communications data capability, to which we must return in the next Parliament. But it will ensure, for now at least, that the police and other law enforcement agencies can investigate some of the criminality that is planned and takes place online. Without this legislation, we face the very prospect of losing access to this data overnight, with the consequence that police investigations will suddenly go dark and criminals will escape justice. We cannot allow this to happen.”
The Home Secretary’s statement to parliament also makes it explicitly clear that the new legislation applies to companies based overseas — if they provide services to people living in the UK.
May argued that “legal clarity” was required on this point so that overseas communications providers are aware of what the UK government can access by law. ” We need to make sure that major communication service providers cooperate with the UK’s security and intelligence and law enforcement agencies when they need access to suspects’ communications,” she said.
“With technology developing rapidly and the way in which we communicate changing all the time, the communication service providers that serve the UK but are based overseas need legal clarity about what we can access,” she added.
“The Bill I am publishing today will therefore put beyond doubt the fact that the existing legal framework, which requires companies to cooperate with UK law enforcement and intelligence agencies, also extends to companies that are based overseas but provide services to people here in the UK.”
While the UK government is clearly attempting to couch the new legislation as more of the same and business as usual, critics will surely seize on May’s ‘clarification’ that overseas firms are also now subject to the legislation as evidence that domestic state surveillance capabilities have been expanded on the sly, without the chance for proper scrutiny.