Saturday, 12 July 2014

Dissecting DRIP - the emergency Data Retention and Investigatory Powers Bill

[Update: DRIP became law on Thursday 17 July 2014. The Act is available here. Post-Act analysis here.]

Three months after the EU Court of Justice invalidated the EU Data Retention Directive, the UK government has burst into feverish action with emergency legislation to replace the 2009 Data Retention Regulations.  Those Regulations, made under the European Communities Act, are nominally still in place but highly vulnerable to judicial review following the demise of the Directive.

What does DRIP (the inevitable acronym with which the Data Retention and Investigatory Powers draft Bill has been saddled) do? With so much material appearing at such short notice, considered analysis is difficult.  Here are some first impressions.
DRIP, now with its accompanying provisional draft regulations which appeared on the Home Office website yesterday afternoon, has to square a circle.  Ideally it should make a plausible attempt to address the 15 or so fundamental rights grounds on which the ECJ held that the Data Retention Directive was invalid.  But at the same time DRIP has to deliver on Theresa May’s 10 July statement to the House of Commons that it maintains the status quo until 31 December 2016, when the sunset clause kicks in.

In reality DRIP cannot square the circle. Indeed the newly published Impact Assessment recognises that the legislation does not overcome all the ECJ stumbling blocks, claiming only to address the ECJ judgment “where possible” and “to the extent practicable”.  It also acknowledges the “Risk of being perceived as ignoring the ECJ judgment”.

[Update: The Home Office Human Rights Memorandum published by the Joint Committee on Human Rights on 16 July 2014 says in paragraph 33 (p. 8) that the Bill, together with existing domestic legislation, addresses "the majority of the criticisms of the Directive set out in the ECJ's judgment". The Committee has written to the Home Secretary asking her to provide the Committee with "a further detailed memorandum setting out in full the Government's analysis of precisely how UK law satisfies, or will satisfy, each of the requirements set out in paras 54 to 68 of the CJEU's judgment.]

We can frame two simple questions.
  1. Does DRIP merely maintain the status quo?
  2. If so, how far is maintaining the status quo permissible in the light of the ECJ decision?
First, however, we should recognise that DRIP does far more than replace the 2009 Data Retention Regulations.  It makes substantive changes to the interception warrants, interception capability and communications data access provisions of the Regulation of Investigatory Powers Act (RIPA).  The Home Secretary has justified these amendments on a different basis from the data retention legislation: an urgent need to clarify, in particular, the territorial scope of RIPA's interception and communications data acquisition provisions.
These are the non-data retention aspects of DRIP.
  • Clause 4 addresses the government’s concern that it should be able to apply RIPA to non-UK companies that provide communications services to the UK public.
  • Clause 5 broadens the RIPA definition of telecommunications services. The Explanatory Note says this is so that webmail providers are clearly caught.  The change will also have implications for data retention because of crossover into DRIP.
  • Clause 3 places a further restriction on the general purposes for which interception warrants and communications data acquisition notices can be issued.  This will bring RIPA into line with the existing codes of practice.
Whatever the merits of the non-data retention amendments (more on that below), it is debatable why any of them requires emergency legislation to be fast-tracked through Parliament at such breakneck speed.  They seem to be taking a piggy-back ride on the government’s urgent need for primary legislation in the wake of the ECJ’s data retention decision.

In relation to data retention, does DRIP merely maintain the status quo?
Putting Clauses 3 to 5 aside, let us focus on the claim that for data retention DRIP merely maintains the status quo.  This splits into three questions:
  • Are the same providers as before required to retain data?  
  • Are they required to retain the same data?
  • Are the retention periods the same?
Are the same providers as before required to retain data?
This is difficult to answer, as the government is shifting from one existing set of definitions to another and then amending them for good measure.  Conspiracy theorists will smell a rat. Even the more generous may chalk up another example of the obscurantist law-making for which this field is notorious.

The 2009 Data Retention Regulations were based on EU definitions of publicly available electronic communications services and networks in the EU communications Framework Directive, implemented in the UK by the Communications Act 2003.
DRIP, however, abandons those EU definitions and instead adopts the homegrown RIPA definitions of public telecommunications systems and service.  It then amends the latter, which has been in place for 14 years.

Why, if the intention is to continue the status quo, does DRIP not simply continue to use the definitions in the Communications Act 2003?  The Explanatory Note (para 53) says that this is to "ensure uniform definitions across access and retention regimes".  

It is anyone's guess at this stage whether these changes will cast a wider net than the existing 2009 Regulations.  That would require detailed comparison of the two sets of definitions and a truckload of hypotheticals.  What is quite clear, however, is that they broaden the RIPA definitions.
The existing RIPA definition of telecommunication service is framed in terms of a service consisting in the “provision of access to, and of facilities for making use of, a telecommunications system”: two discrete elements related to the telecommunications system. 
DRIP Clause 5 says that the RIPA definition is now to cover a service that “consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.”

The Explanatory Note (para 71) says that this is in order to ensure that companies who provide internet-based services, such as webmail, are caught.  Although para 18 of the Explanatory Note says that the amendment is “for the purposes of communications data and interception requests”, it also applies to the new mandatory data retention regime under DRIP.  
On the face of it the amendment could apply not just to webmail, but to any remote storage service (bearing in mind that the meaning of “communication” under RIPA is effectively anything capable of being transmitted). The word “facilitating” is a red flag for broad interpretation.  There is obvious potential for this to cover a very broad spectrum of activities.  It is exactly the type of provision that deserves the fullest Parliamentary scrutiny. 

The Home Office is reported in the Sunday Times (13 July 2014, subscription) as saying, in relation to this amendment to RIPA: "The bill clarifies how the current definition should be interpreted, but this cannot change or extend the meaning of the definition in RIPA to capture new services." This is twaddle.  In effect the amendment says "A shall be taken to include B." To the extent that B covers anything not within A, new services are captured.  Even if different views might exist on whether B does in fact cover things not within A, to suggest that the amendment 'cannot' capture new services is nonsense.  
Are they required to retain the same data?
The Explanatory Notes stress that a DRIP notice (i.e. a notice by the Secretary of State to a public telecommunications operator) cannot require retention of data types additional to those specified in the existing legislation. This is achieved by defining 'relevant communications data' by reference to the Schedule to the 2009 Regulations, which sets out the specific types of communications data that a CP could be required to retain.

The definition also carries through the important qualification that such data is caught only so far as it is generated or processed in the UK by public telecommunications operators in the process of supplying the telecommunications services concerned.  In other words, a PTO  cannot be required to create data if it does not generate or process it in the course of supplying those services. 
Generally, this appears faithfully to replicate the 2009 Regulations.  However the adoption and amendment of the RIPA definitions of telecommunications services and systems (see above) could conceivably affect the scope of data falling within "relevant communications data".

Are the retention periods the same?
The existing 2009 Regulations mandate retention for 12 months. DRIP (subject to an apparent drafting defect) provides for a maximum retention period of 12 months, while enabling shorter periods to be specified for different purposes. 

The defect is that if no regulations were in place specifying a maximum retention period under S1(4)(b), then the Secretary of State could apparently issue a notice under S1(2)(c) requiring retention for longer than 12 months. It is hard to believe that the government intends this to be a possibility.  The provisional draft regulations do specify a maximum period of 12 months.
Is maintaining the status quo for data retention permissible after the ECJ judgment?
The extent to which the government will in the new legislation address the grounds on which the ECJ invalidated the Data Retention Directive was initially unclear, since much is to be implemented through secondary legislation requiring affirmative resolutions of the Commons and the Lords.  DRIP and the now published provisional draft regulations go some way to addressing the ECJ judgment, although it was always difficult to see how any form of general mandatory data retention could comply with some of the more fundamental issues identified in the ECJ judgment. 

There may be room for debate about whether the ECJ intended to lay down that every objection identified in the judgment is a self-standing issue that has to be overcome independently in national legislation; and if so how each one should be overcome.  It does have to be remembered that:
  • The ECJ was assessing the compatibility of EU legislation with the EU Charter of Fundamental Rights and Liberties.
  • The question of whether national legislation also has to comply with the EU Charter was not before the Court (although following the subsequent Pfleger decision of the ECJ it is very likely that national legislation does have to comply with the Charter, for reasons explained by Professor Steve Peers here).
  • National legislatures may have a certain degree of latitude (margin of appreciation) in how they comply with the Charter.
  • The ECJ judgment may in some respects have applied stricter standards under the Charter than the European Court of Human Rights in Strasbourg has done in respect of the Convention.  If so, that could open up the possibility that a Minister might certify DRIP compliance with the European Convention on Human Rights while not complying with all aspects of the ECJ judgment.
In any event the main Impact Assessment now makes tolerably clear that the government has not tried to comply with the full implications of the ECJ judgment. 

With all this in mind, it is instructive to list the ECJ's specific grounds for invalidating the Data Retention Directive and consider how DRIP does and does not address them. [Update: the government has now published a Note making its own comparison.]

Issue [paragraph number in ECJ judgment]
National legislation
Generality
          Applies to all means of electronic communication (use widespread and of growing importance in people’s everyday lives) [56]
          All subscribers and registered users [56]
          Interference with fundamental rights of practically the entire European population [56]
          All persons, all means of electronic communication without any differentiation, limitation or exception [57]
The ECJ's comments on generality referred specifically to the datatypes listed in Article 5 of the Directive.  Those were replicated in the Schedule to the 2009 Regulations.
 
No change in DRIP, which replicates the 2009 Schedule/Article 5 list.  
Suspicionless
          Applies even to persons for whom no evidence capable of suggesting a link, even indirect or remote, with serious crime [58]
          No relationship required between data retained and a threat to public security: not restricted to:
         data pertaining to:
-           particular time period
-           particular geographical zone
-           circle of particular persons likely to be involved in serious crime [59]
         persons whose data for other reasons could contribute to prevention, detection or prosecution of serious offences [59]
These objections all go to the very heart of a requirement on communication service providers to retain communications data of all users.  It is difficult to see how DRIP could address these (as a matter of retention, rather than access) without fundamentally altering the nature of the retention to something targeted at specific categories of communications relating to likely suspects and associates.

Not addressed.
Specific rights
      Applies to persons whose communications are subject to professional secrecy [58]
Again, it is difficult to see how this could be addressed (as a matter of retention) without moving to some kind of targeted scheme.

Not addressed [Update: Not addressed as a matter of retention. Intention is that Communications Data Code of Practice will be amended regarding access (See Comms Data Factsheet)].
Access and use
      No objective criterion to determine limits of access to data and subsequent use for prevention, detection or prosecution of sufficiently serious offences [60]
      Leaves serious crime definition to national law [60]
      No substantive and procedural conditions relating to access and subsequent use
         Left to member States to define procedures and conditions in accordance with necessity and proportionality [61]
         In particular no objective criteria re restriction of number of persons authorised to access and subsequently use to that strictly necessary [62]
Should be capable of being addressed in national legislation. 

The government is relying in part on the provisions of RIPA governing access to communications data to satisfy these requirements. 
RIPA is not the only legislation that can be used to require access to communications data.  The use of other powers is discouraged in the Communications Data Code of Practice, but not forbidden. The government addresses this under DRIP S1(6) by limiting access to mandatorily retained data to RIPA authorisations and notices, court orders or other judicial authorisation or warrant, or regulations under DRIP. (See 'Joining DRIP to RIPA', below)
Independent supervision
      Above all, access not dependent on prior review by court or independent administrative body following a reasoned request
         No obligation on MS to establish such limits [62]
Capable of being addressed in national legislation.

But this requirement for prior review by a court or independent body is contrary to the scheme of RIPA, whose communications data acquisition notices are not (save for local authorities) subject to any such requirement.  Nothing in DRIP or the provisional draft regulations addresses this objection. The government may perhaps seek to suggest that the ECJ has set a higher threshold than applies under the European Convention on Human Rights.
Retention period
      No distinction between categories of data on basis of:
         possible usefulness
         persons concerned [63]
      No objective criteria limited to strict necessity on which to base determination of retention period [64]
Capable of being addressed in national legislation.

The government's intention appears to be to leave this aspect to the terms of individual retention notices issued by the Secretary of State, who is required in general terms to act in a way that he considers to be necessary and proportionate.  DRIP itself and the provisional draft regulations do no more than set an overall maximum 12 months retention period.
Data protection issues
Various issues raised by the ECJ concerning matters such as data security and destruction of data are addressed in the provisional draft regulations, which also introduce oversight of these aspects by the Information Commissioner.

Joining DRIP to RIPA
The government is relying on the necessity, proportionality and safeguards provisions of RIPA that govern access to communications data in order to address some of the implications of the ECJ judgment. 

However, RIPA is not the only legislation that can be used to access retained communications data.  Other powers exist which do not enjoy RIPA's safeguards. The use of other non-specific powers is deprecated in the Communications Data Code of Practice (para 1.3), but not forbidden.
The draft Communications Data Bill proposed in 2012 would have prevented such powers being used to acquire communications data.  The draft Explanatory Note to Clause 24 stated:

"123. This clause introduces Schedule 2 to the Bill which contains repeals of certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. Clause 24 therefore ensures that operators are not required by law to obtain and disclose communications data other than in cases where the relevant statutory framework expressly guarantees the substantive protections of Article 8 and Directive 2002/58/EC (Directive on privacy and electronic communications)."
The powers specifically earmarked for abolition were under the Trade Descriptions Act 1968, The Health and Safety at Work Act 1974, the Criminal Justice Act 1987, the Consumer Protections Act 1987, the Environmental Protection Act 1990, the Social Security Administration Act 1992, the Competition Act 1998, the Financial Services and Markets Act 2000 and the Enterprise Act 2002.

The argument that in assessing compliance with the ECJ judgment DRIP should be read together with RIPA’s safeguards is difficult to maintain if other powers exist that may not have similar safeguards.  DRIP therefore addresses this in S1(6) by limiting access to mandatorily retained data to RIPA authorisations and notices, court orders or other judicial authorisation or warrant, or regulations under DRIP.  Part 3 of the provisional draft regulations also applies this limitation to data retained voluntarily under S.102 ACSA 2001.
DRIP's RIPA provisions

The new provisions in DRIP include Clauses 4 and 5, outlined briefly above. According to the Explanatory Note, these measures are only intended to clarify the intent of the current legislation and therefore were subject to Parliamentary scrutiny when RIPA was enacted in 2000. 
RIPA extra-territoriality
Clause 4 attempts to address the government’s concern that it should be able to apply RIPA interception capability notices, interception warrants and communications data acquisition notices to non-UK companies that provide communications services to the UK public.

18 months ago this issue was addressed in some detail, as regards communications data notices, in the report of the Joint Committee on the draft Communications Data Bill (paras 230 to 243) published in December 2012.

The DRIP clarification has two distinct aspects. One is whether, as a matter of interpretation, the warrantry and communications data acquisition provisions of RIPA can apply to conduct outside the UK. The second is how a RIPA warrant or a notice can be served on an entity outside the UK and the entity made subject to the relevant duty under RIPA.  This is important since no-one is obliged to do anything under these RIPA provisions unless they are served with or given the appropriate warrant or notice.

As to the first aspect, none of the existing RIPA provisions contain any clear territorial limitation on the location of conduct that can be authorised or required under a warrant or communications data notice.  That contrasts with the criminal offence of unauthorised interception which is explicitly confined to conduct within the United Kingdom.
However location of conduct is only part of the issue.  A person located outside the UK may engage in conduct within the UK.  A person located within the UK may engage in conduct outside the UK; and a person located outside the UK may engage in conduct outside the UK.  How these different scenarios map onto the different aspects of RIPA is, and always has been, fearfully difficult to understand.
The Joint Committee said:
"The terms in which RIPA is drafted appear to impose no limits on the telecommunications operators which may be required to disclose communications data, as long as they operate in the United Kingdom i[t] does not matter where they may be based."
As to location of conduct, now DRIP states explicitly that a warrant, a capability maintenance notice and a communications data acquisition notice may each relate to conduct outside the UK.

DRIP then provides that the duties to comply with such warrants and notices apply whether or not the person is within the United Kingdom. In the case of interception warrants knowing failure to comply with the duty can give rise to criminal liability under RIPA S11(7).

DRIP then goes to great lengths to devise ways of serving warrants and notices within the UK on non-UK entities.  For communications data acquisition notices this can even include oral notification.  Whether this elaboration is simply a question of practicality or perhaps reflects a deeper concern that serving government warrants and notices outside the UK might be regarded as executive acts violating the territorial sovereignty of another State is a matter for speculation. 
As for data retention notices, DRIP provides that they can be given to an operator (or description of operators) by giving or publishing it in such manner as the Secretary of State considers appropriate for bringing it to the attention of the operator or description of operators to whom it relates.
Telecommunications services
As explained above, the amended definition of telecommunications services under DRIP Clause 5 applies both to data retention under DRIP and to RIPA. 

[Updated with minor amendments 21.40 12 July 2014, 10.50 13 July 2014; and 12.17 13 July 2014 to take account of Home Office statement on telecommunications services reported in The Sunday Times; 14:42 15 July 2014 regarding professional secrecy. Further updated 23:11 16 July 2014 to take account of Home Office Human Rights Memorandum; and 09:48 22 July 2014 to include the government's point by point Note on compliance with the ECJ judgment and a reference to the enacted legislation.]

2 comments:

  1. There's something about clause 4 I don't understand, perhaps you could shed light on it? Namely, the compulsion on overseas providers to comply with British law / warrant, and provide the data the government requests.

    In the case of overseas entities that have an UK (physical) presence (e.g. Google, Apple, Amazon etc) I can see how it might be enforced through the British courts.

    However, if an overseas email provider (not one of the big ones) is based solely outside of the UK and doesn't have UK servers, nor a UK physical or financial presence (I'm thinking fastmail here), then how can the UK government compel a foreign company to comply when they aren't accountable to UK law?

    In which case if a person switched to a non-UK email provider, with no UK presence, and no inclination to obey the jurisdiction of courts outside of their own country, and used https to make the metadata and content of the emails invisible to the UK ISP through which we connect, then no data would be available to the UK authorities --- meaning through the general data sweep being proposed, of course if the intelligence services targeted a specific individual then all bets are off.

    Thoughts?

    ReplyDelete
    Replies
    1. This point was brought up in the House of Commons Committee discussion of Clause 4 earlier today (Dominic Raab and Julian Lewis).

      http://www.parliament.uk/business/publications/hansard/commons/todays-commons-debates/read/unknown/862/

      Delete