18 July 2015

DRIPA

In the UK the High Court has ruled in Davis & Ors v Secretary of State for the Home Department [2015] EWHC 2092 (Admin) [PDF] that the Data Retention and Investigatory Powers Act 2014 (DRIPA) - the UK mandatory metadata retention scheme - is “inconsistent with European Union law”.

The UK legislation requires requires telcos and ISPs  to retain traffic  data for a year, ie a shorter period than retention under the Australian regime introduced earlier this year.

It was challenged by Labour MP Tom Watson and the Conservative MP David Davis. The Government has announced that  it would appeal against the ruling and has - no surprises - offered the standard rationale that the absence of mandatory retention may result in police and investigators losing data that could save lives.

The Court declared that section 1 of the Act “does not lay down clear and precise rules providing for access to and use of communications data” and should be “disapplied”. DRIPA does not provide for independent court or judicial scrutiny to ensure that only data deemed “strictly necessary” is examined; and that there is no definition of what constitutes “serious offences” in relation to which material can be investigated.

The judgment in Davis states -
The challenge is to the validity of s 1 of DRIPA and the Regulations made under it as being contrary to European Union law, as expounded in the decision of the Grand Chamber of the Court of Justice of the European Union (“the CJEU”) in Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and others and the conjoined case of Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others delivered on 8th April 2014 and reported at [2015] QB 127. We shall refer to this decision as “Digital Rights Ireland”.
At common law, Acts of the United Kingdom Parliament are not open to challenge in the courts. But the position under EU law is different. Decisions of the CJEU as to what EU law is are binding on the legislatur es and courts of all Member States. The subtleties of the relationship between UK domestic courts and the European Court of Human Rights at Strasbourg arising, since 2000, from the duty under s 2(1) of the Human Rights Act 1998 to “take account” of the jurisprudence of that court, do not arise. The claimants (as a fallback to their EU law arguments) have pleaded an alternative claim for a declaration under s 4 of the HRA 1998 that s 1 of DRIPA is incompatible with their Convention rights; but this was scarcely mentioned in oral argument. Indeed, as will be seen later in this judgment, it was mainly counsel for the Home Secretary, not counsel for the claimant s, who asked us to take account of the jurisprudence of the Strasbourg c ourt in support of his arguments.
The present claims involve, as did Digital Rights Ireland, the CJEU’s interpretation of Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Article 7 provides: “Everyone has the right to resp ect for his or her private and family life, home and communications.” Article 8 provides:
“1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.”
The first of these Articles is in identical terms to Article 8(1) of the ECHR, except that the word “correspondence” is replaced by “communications”. The second has no counterpart in the ECHR. ...
The extent of the State’s powers to require the retention of communications data and to gain access to such retained data are matters of legitimate political controversy both in the UK and elsewhere. The Queen’s Speech opening the new Parliament on 27 May 2015 indicated that “new legislation will modernise the law on communications data”. To take one example from abroad, on 2 June 2015 the US Congress passed one statute (the USA FREEDOM Act) restricting the data re tention powers previously conferred by another statute passed in 2001 (the USA PATRIOT Act). It is not our function to take sides in this continuing debate, nor to say whether in our opinion the powers conferred by DRIPA are excessive or not. We have to decide the comparatively dry question of whether or not they are compatible with EU law as expounded by the CJEU in Digital Rights Ireland.
The Court concludes - 
The application for judicial review succeeds. The Claimants are entitled to a declaration that section 1 of the Data Retention and Investigatory Powers Act 2014 is inconsistent with European Union law in so far as:
a) it does not lay down clear and precise rules providing for access to and use of communications data retained pursuant to a retention notice to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences; and
b) access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.