UK Emergency Surveillance Law Criticized For Being Overly Broad, Vague And Draconian

Late last week it emerged that the UK government intended to railroad emergency surveillance legislation through Parliament just before the summer recess — meaning members of parliament would not be able to properly scrutinise the law.

The new Data Retention and Investigation Powers Bill (aka DRIP) is being ‘debated’ in the House of Commons today — but a few days’ debate is a far cry from the lengthy scrutiny process usually afforded when the government tries to pass new legislation. Cue cries of ‘surveillance state stitch up’.

The government claims emergency legislation is necessary because a European Court of Justice (ECJ) ruling struck down European data retention powers back in April.

But that claim looks tenuous, to say the least, given the ECJ ruling took place three months ago — three months when the government could have been publicly debating what its response should be and drafting and debating new legislation.

Instead it’s done a deal with opposition MPs behind closed doors so that an ‘emergency’ bill will be passed without serious opposition — and without proper scrutiny. Bottom line: this is democracy at its most undemocratic.

(The hearing of the bill is also taking place on the same day the government announced a cabinet reshuffle — which is keeping much of the political press busy.)

The government has also sought to claim that DRIP does not extend data retention powers but merely shores up existing powers, after their legality was cast into doubt by the ECJ ruling.

Again that claim has increasingly looked like spin. For one thing the bill extends UK state interception powers to overseas communications providers, not just UK-based companies. It also grants what one former lawyer described to TechCrunch as “draconian and swingeing powers” to the UK Home Secretary to set rules for data retention.

The UK Home Secretary Theresa May euphemistically described DRIP’s overseas extension as “legal clarity” in a statement to Parliament when the draft bill was published last week.

That suggests the UK government has perhaps had no problems getting overseas comms providers to co-operate with it in the past to hand over data — but, in the wake of the ECJ ruling invalidating the European directive, may have been facing problems with that ‘co-operation’ as companies feared they could be accused of acting illegally under European law.

Today an open letter signed by fifteen Internet law academics has slammed the government’s claim that DRIP is ‘business as usual data retention legislation’ as “false” — arguing that the legislation does indeed extend state surveillance powers through a significant expansion of UK interception powers overseas.

“The legislation goes far beyond simply authorising data retention in the UK,” they write. “In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.”

The open letter follows in full at the end of this post.

Does DRIP constitute a significant expansion of UK state surveillance powers? Speaking to TechCrunch, John Salmon, senior partner at UK law firm Pinsent Masons, said in his view it does not, but he also suggested the government is treading a fine line — with the risk of the legislation facing a challenge under European privacy or human rights law.

“There is still, I think, potential that the government could be challenged… What the European Court of Justice said is you’ve got to balance the right to privacy of the individual against the desire of government to detect crime. And that’s a careful and difficult balance which they felt the Data Retention Directive had got the wrong side of that balance,” said Salmon.

“I think the UK government is trying to get on the right side of that balance but one of the things that [the ECJ] talked about was this objective criteria. And what the [UK] government have put in [with DRIP] is very much up to the Secretary of State to make these [data retention] orders.

“What they haven’t said in that legislation is that the Secretary of State has to, for instance, be objective in deciding what they need to do. And secondly, the purposes for which our data are being retained again talks about crime, the detection of crime — whereas again the [European] Lord Justice talks about serious crime. The example he used was organised crime and terrorism, which is very different from any crime, clearly.”

DRIP does water down the retention period set by the prior European data retention directive, from up to two years to up to one year. It also has a sunset clause, meaning it expires after two years — but there’s precious little past precedent for surveillance legislation being loosened over time. Quite the opposite.

“One does wonder whether they’ve gone far enough in watering it down,” Salmon added.

On the expansion of interception powers to overseas companies, he said the government’s argument is that “it was always supposed to cover these people, and this is them just trying to close a loophole”.

“It’s effectively the same power to intercept, it’s just potentially across a wider group of people,” he said. “Whether [the expansion of powers to overseas comms providers] will succeed or not I don’t know — I guess we’ll find out when they try and enforce these.”

“It’s not actually extending the interception power itself — it’s just extending it to a wider group of people. Whether you call that an extension or not I don’t know,” he added. “It is potentially extending it to a wider group of people, which they say they were always trying to cover in the first place. But it depends on how you define all that.”

On the risk of a challenge to the legislation, Salmon points out that the government may well be calculating that any legal challenge brought against DRIP would take longer than the lifespan of the bill itself.

“I guess the government probably are thinking well ultimately if it goes to court, then it would potentially get another referral to the ECJ which, as you know, is not exactly a swift process,” he added. “They’re going to get another two years.”

But with question marks hanging over the current implementation of an invalid European directive, Salmon said, in his view, the government does need to be “pro-active” — so he supports the rush to legislate.

“I agree with the idea of having emergency legislation, my own question is whether they’ve got the right balance or not — and I don’t know the answer to that,” he added.

Also speaking to TechCrunch, Danvers Baillieu, formerly of Pinsent Masons and now COO of Privax (the maker of the HideMyAss.com VPN), said the most worrying aspect of DRIP is that it sets up an overly broad framework for the Home Secretary to set rules for the retention of data.

“It would be nice if this kind of legislation wasn’t done in this way. If the meat of it was in the main primary legislation rather than having powers for the Secretary of State to issue notice… Basically clause 1 [of DRIP] says the Secretary of State may issue a retention notice and it may require just about anything — including ‘the retention notice may make different provision for different purposes’, that’s what it says in the bill. So a retention notice can pretty much tell you to do anything — other than hold anything longer than 12 months.”

“We’ll see what differences there are [vs existing UK data retention legislation] when the Secretary of State uses her powers to bring in secondary legislation — so a statutory instrument or something — or gives direction to communication providers to retain data,” he added.

“It’s very broad and vague legislation that grants very broad and swingeing and draconian powers — potentially. Well it grants those draconian and swingeing powers and they could potentially be exercised in that way by the government if it chose to do so without any further legislation being required.”

On the interception point, Baillieu said DRIP certainly clarifies the situation for overseas comms providers that do have some presence in the UK — although those who do not may well be able to ignore the law.

“The obvious practical significance of this is it certainly clarifies beyond any doubt that companies like Microsoft, that operate Skype, or Google and Twitter or Facebook and all these other big companies, that are not UK companies, don’t have servers in the UK for actually storing data, but obviously have offices in the UK, are obliged to comply with a RIPA [Regulation of Investigatory Powers Act] notice,” he said. “I don’t know, as a matter of course whether Google and Facebook were already complying or not.

“Now obviously the question is if a company doesn’t have a presence in the UK… what are they going to do about it? And in the same way that if we get a notice, here at HideMyAss.com, obliging us to hand over documents to let’s say the Chinese or frankly any foreign country we tell them to get stuffed. Because we’re not subject to their laws. So extraterritoriality is, in theory, a very nice thing to have but it’s of little power if you don’t have the policemen who can go and enforce it.”

Baillieu added that one downside of the legislation’s extraterritoriality requirement may therefore be to discourage some overseas companies from siting a European HQ in the UK, although he said such a requirement isn’t likely to be hugely off-putting either. “I wouldn’t want to overstate it,” he added.

The open letter on DRIP signed by 15 UK Internet law academics follows below in full.

[Image by greg westfall via Flickr]

Tuesday 15th July 2014

To all members of the House of Commons,

Re: An open letter from UK internet law academic experts

On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014.

In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers.

On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to:

• compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
• compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
• compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6));
• order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
• order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).

The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.

Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU’s e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment.

Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception.

DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not misled as to what powers this Bill truly contains.

Signed,

Dr Subhajit Basu, University of Leeds

Dr Paul Bernal, University of East Anglia

Professor Ian Brown, Oxford University

Ray Corrigan, The Open University

Professor Lilian Edwards, University of Strathclyde

Dr Theodore Konstadinides, University of Surrey

Professor Chris Marsden, University of Sussex

Dr Karen Mc Cullagh, University of East Anglia

Dr. Daithí Mac Síthigh, Newcastle University

Professor David Mead, University of East Anglia

Professor Andrew Murray, London School of Economics

Professor Steve Peers, University of Essex

Julia Powles, University of Cambridge

Professor Burkhard Schafer, University of Edinburgh

Professor Lorna Woods, University of Essex