Drip, drip, DRIP: privacy draining away?

The data retention debate always starts with an incontrovertible truism: everyone wants the police to be as well-equipped as possible to combat crime and terrorism. But a much more controversial argument can be generated seamlessly from the above: the police must therefore collect as much data as possible about everyone, all the time, so that at any time, they can find out who did what, where, when and how.

No liberal person agrees with the latter sentence. It would be laughable to do so. It is clear that if we are not to live in an Orwellian police state, there must be limits on the security services in favour of privacy, free speech, transparency and autonomy. This balance is enshrined in countless international instruments, including the European Convention on Human Rights, article 8. Yet when we come to the digital world, the ease and cheapness of collecting online traffic data, and the current untested, almost religious, belief in big data and predictive profiling, encourage a “pile it high” approach and a cavalier rejection of civil liberties.

The recent Snowden revelations about covert NSA and GCHQ operations have rightly horrified (yet, shockingly, often failed to surprise) ordinary people. In their wake, the CJEU’s decision to strike down the Data Retention Directive was perhaps not that surprising – though the vehemence with which it did so certainly was. Its damning conclusion was that the directive was an “unjustified interference with the fundamental rights of practically the entire European population”, for the reasons given in the main article.

In response to such a clear and reasoned decision, any government would, one might have thought, have taken time to consider how best to recast its own national rules, especially the UK Government, which in the Human Rights Act 1998 explicitly pledged not to legislate in breach of the ECHR (and is also bound by the EU Charter of Rights).

In the three months after the decision, however, and even in the preceding year or more since the complaints were referred to the court, the UK authorities launched no public consultation, took no evidence on methods of data collection such as data preservation (freezing records around the time of an incident), which might be equally effective for policing but less invasive of privacy, nor produced any convincing evidence that blanket retention had actually delivered significant improvements on clean-up of serious crime.

Instead, with breathtaking contempt for parliamentary process and open democracy, the Government did nothing until 10 days before the recess, when it published the DRIP Bill on a weekend’s notice and forced it through an empty House in two days with all-party support and minimal scrutiny. To add salt to injury, the bill did precisely nothing to address the CJEU’s criticisms, but left these matters to be mulled over in hazy secondary legislation. Finally, the Act has a sunset clause of expiry on 31 December 2016 to address being “emergency” legislation. As a random wit said on Twitter, if a plumber did you an emergency job, would you be happy if he said he’d be back in two years to check it was OK?

Even more astonishingly, the Government used this socalled emergency legislation as an excuse to rush through extensions to the already controversial RIPA 2000, while claiming with an almost straight face that in fact the DRIP Act was doing nothing but retaining (sic) the legal status quo (that which had just been declared illegal by Europe’s highest court).

These extensions bear scrutiny. In an open letter from UK internet law academic experts, we pointed out that the bill actually went far beyond simply authorising data retention in the UK after the fall of the directive (if that was the intent, why not simply re-issue the 2009 Regulations as free-standing legislation?), to expanding the UK’s ability to mandate the interception of communications content across the globe, in a way unprecedented not just for UK law, but for most European nations. Our worried conclusion was that DRIP was “far more than an administrative necessity; it is a serious expansion of the British surveillance state”.

A final point important to readers of this Journal is the Scottish angle. In Parliament, Theresa May claimed the Scottish Government – which, of course, has an entirely separate criminal justice system, though RIPA and data retention are UK reserved matters – had been consulted. Kenny MacAskill, the Scottish Justice Secretary, however, seems not to have received the memo. Scotland has its own RIPA (Scotland) Act, which so far seems not to have been touched. This is an accident waiting to happen, especially with a Scottish referendum round the corner.