Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Digital Rights Ireland: Communications Data Retention Prior To IPA

Download as pdf or txt
Download as pdf or txt
You are on page 1of 12

In November 2016 the Investigatory Powers Act (IPA) received Royal Assent.

IPA was
hailed by the Government as bringing the UKs surveillance framework into the 21st Century
and better allowing security and intelligence agencies to combat terrorism and serious crime.
IPA raises a range of concerns, with its progress through Parliament marked by sustained
opposition from civil liberties groups. One of the most controversial aspects of IPA is the
bulk communications data retention and disclosure framework in Parts 3 and 4. This article
concerns the compatibility of that framework with EU law in light of CJEU decisions in
Digital Rights Ireland1 (DRI) and Watson2. It will begin by briefly providing some
background, will then broadly set out the requirements that can be determined from these
decisions, and will proceed to take a more detailed analysis of these requirements in relation
to Parts 3 and 4 IPA.

Communications Data Retention Prior to IPA

Between 2009 and 2014, Internet Service Providers (ISPs) served notice by the Home
Secretary3 were required to store some communications data for 12 months4 under the Data
Retention (EC Directive) Regulations 2009 (the 2009 Regulations), pursuant to the Data
Retention Directive5 (DRD). This involved retaining metadata6, which is the who, when,
where, and for how long of data, rather than the content of communications (a common
analogy is that metadata is the envelope rather than the letter, which is content). In 2014 the
CJEU found in DRI that DRD was incompatible with Articles 7 (respect for private and
family life, including privacy of communications7) and 8 (protection of personal data8) of the
EUs Charter of Fundamental Rights9 (the Charter). As a result the Data Retention and
Investigatory Powers Act10 (DRIPA) was quickly passed in order to pre-empt challenges to
the 2009 Regulations based on DRI. The High Court subsequently followed DRI to find that
section 1 DRIPA was incompatible with the Charter and the Government was given until
April 2016 before it would be disapplied11. The Court of Appeal indicated that it was minded
to disagree with the High Court but referred to the CJEU for a preliminary ruling for
clarification12. In December 2016 the CJEU in Watson confirmed the incompatibility of
DRIPA-style retention. In any case, DRIPA was subject to a sunset clause meaning that it
would be automatically repealed on 31st December 201613. This was the impetus behind IPA.

1
Digital Rights Ireland v Minister for Communications, Marine and Natural Resources [2014] EUECJ C-293/12
2
Secretary of State for the Home Department v Tom Watson and others [2016] EUECJ C-698/15
3
Data Retention (EC Directive) Regulations 2009 (SI 2009/859) reg.10
4
2009 Regulations regs 4-5
5
Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of
publicly available electronic communications services or of public communications networks and amending
Directive 2002/58/EC [2006] OJ L105/54
6
2009 Regulations reg.2; Sch.1, Pt 3
7
Charter of Fundamental Rights of the European Union 2012/C 326/02 (Charter of Fundamental Rights), art.7
8
Charter of Fundamental Rights, art.7
9
DRI [2014] EUECJ C-293/12
10
Data Retention and Investigatory Powers Act 2014 (DRIPA 2014)
11
David Davis and others v Secretary of State for the Home Department [2015] EWHC 2092 (Admin)
12
Secretary of State for the Home Department v David Davis and others [2015] EWCA Civ 1185
13
DRIPA 2014 s.8(3)
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

Digital Rights Ireland and Watson

DRI and Watson together provide the requirements in EU law to which IPA must conform
both in terms of the retention of communications data and in terms of access to retained data.

DRI considered the validity of DRD in relation to Articles 7 and 8 of the Charter read
alongside Article 52(1), which states that for interferences with Charter rights to be
potentially justifiable they must respect the essence of those rights14. The CJEU held that
legislation permitting the retention only of metadata and requiring measures be adopted to
protect the security and integrity of retained data does not adversely affect the essence of
Articles 7 and 8, respectively, and so constitutes a potentially justifiable interference with
those rights15. According to DRI, retention may be justified provided it satisfies an objective
of general interest16 (such as, but not necessarily limited to, fighting serious crime or
terrorism17), and is limited to what is strictly necessary to pursue the objective18. Access to
retained data for the purpose of fighting crime should be limited only to offences determined
by objective criteria to be sufficiently serious to justify the interference with Articles 7 and
819. Access should also be subject to prior review by a court or independent administrative
body20.

Watson addressed the question of the compliance of bulk data retention with the ePrivacy
Directive21 read alongside Articles 7, 8, and 52(1) of the Charter22. In doing so the CJEU
drew the purposes for which data may be retained narrower than in DRI to include only
national security, defence, public security23, and serious crime24. The court also went much
further than DRI in finding that in order to be proportionate retention must be an exception
rather than the rule25, as well as being limited to what is strictly necessary for the purpose
being sought26. Watson also addressed the question of requirements for access to retained
data27. The court found that the purposes for which retained data can be accessed must
genuinely and strictly correspond to the same purposes for which it can be retained28. In order
to be proportionate, access to retained data must be limited to what is strictly necessary29. In

14
Charter of Fundamental Rights, art.52(1)
15
DRI [2014] EUECJ C-293/12 at [39]-[40]
16
DRI [2014] EUECJ C-293/12 at [38]
17
DRI [2014] EUECJ C-293/12 at [42]
18
DRI [2014] EUECJ C-293/12 at [46], [52]
19
DRI [2014] EUECJ C-293/12 at [60]
20
DRI [2014] EUECJ C-293/12 at [62]
21
Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the
electronic communications sector [2002] OJ L201/37 (ePrivacy Directive)
22
Watson [2016] EUECJ C-698/15 at [62]
23
Watson [2016] EUECJ C-698/15 at [90]
24
Watson [2016] EUECJ C-698/15 at [102]
25
Watson [2016] EUECJ C-698/15 at [104]
26
Watson [2016] EUECJ C-698/15 at [96]
27
Watson [2016] EUECJ C-698/15 at [114]
28
Watson [2016] EUECJ C-698/15 at [115]
29
Watson [2016] EUECJ C-698/15 at [116]

2
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

order to ensure that this is the case, access must normally be subject to prior review by a
court or an independent administrative body30. Further, persons whose data has been accessed
should be notified as soon as doing so would not jeopardise an investigation31.

Seven requirements can broadly be distilled from DRI and Watson that IPA must satisfy. The
first four relate to retention under Part 4. These are that retained data must exclude content,
that ISPs must be required to ensure the security and integrity of retained data, that the
purpose being sought by retention can only extend to national security, defence, public
security, and fighting serious crime, and that retention must be proportionate with data
retained as an exception rather than as the rule and only to the extent strictly necessary for the
purpose being sought. The final three relate to obtaining data under Part 3. These are that
access to data must be only for a purpose genuinely and strictly corresponding to those for
which it can be retained, that in order to be proportionate data can be accessed only to the
extent strictly necessary, and that there are required safeguards and oversight mechanisms.

Communications Data Retention under IPA

Part 4 IPA provides for the bulk retention of communications data. ISPs who have been
served a retention notice are required to retain all relevant communications data covered by
the retention notice sent from devices connected to their network for a maximum of 12
months32.

The Nature of Retained Data

DRI established that legislation permitting the acquisition of knowledge of the content of a
communication would be contrary to the essence of Article 7 of the Charter and thus
unjustifiable33. Retention must therefore not include the content of communications in order
to be a potentially justifiable interference with Article 7.

The data that ISPs may be required to retain under IPA is relevant communications data34.
This is defined as a subset of communications data that identifies the sender or recipient of a
communication; the time or duration of a communication; the type, method, pattern, or fact of
communication; the system from, to, or through which a communication is transmitted; or the
location of any such system35. Communications data includes certain types of entity data and
events data, on one hand, and explicitly excludes the content of communications, on the
other36. As communications data excludes content, the first step in determining whether
retention is in fact contrary to the essence of Article 7 is to look at how IPA defines content.

30
Watson [2016] EUECJ C-698/15 at [120]
31
Watson [2016] EUECJ C-698/15 at [121]
32
Investigatory Powers Act 2016 (IPA 2016) s.87
33
DRI [2014] EUECJ C-293/12 at [39]
34
IPA 2016 s.87(1)
35
IPA 2016 s.87(11)
36
IPA 2016 s.261(5)

3
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

Under IPA content in this context is any element of a communication, or data attached to or
associated with a communication, which reveals anything that might reasonably be
considered to be the meaning of that communication37. This does not include any meaning
arising from the mere fact of the communication having occurred or from data relating to the
transmission of the communication. This may be compared with the definition of relevant
communications data under DRIPA, which excludes data revealing the content of a
communication38, rather than the meaning. It seems that in replacing DRIPA Parliament has
chosen not to carry over a definition that excludes content generally from communications
data, instead providing one that excludes only the meaning of a communication. However, it
is not clear precisely what the meaning of a communication extends to. It is also not clear
that data revealing the meaning of a communication is the same as data providing knowledge
of its content. It is quite conceivable that there could be elements of a communication that
provide knowledge of its content, and so would be impermissible to retain per DRI, but do
not reveal its meaning and so would not be considered to be content for the purposes of IPA.
This could be, for example, a telephone number conveyed in the body of an email (i.e.
providing knowledge of some of the content), but not text surrounding it that relates to it and
provides context (i.e. revealing the meaning of the email).

It is not clear that all data providing knowledge of the content of a communication is
explicitly not communications data. So it is necessary to look at what is explicitly included in
order to determine whether or not retention under IPA interferes with the essence of Article 7
of the Charter. Entity data is that which is about an entity (a person or a thing39) or an
association between an entity and a telecommunication system (a system for transmitting
communications electronically40) or telecommunications service (a service providing access
to or use of a telecommunication system41) and which identifies or describes the entity42.
Events data is that which describes an event on, in, or by means of a telecommunication
system and consisting of one or more entities engaging in a specific activity at a specific
time43. The kinds of entity data or events data that may be considered to be communications
data include, inter alia, data held by an ISP about a customer and relating to a service
provided to them, data included as part of a communication for the purposes of the system by
which it is being communicated, and data which is held by an ISP about the architecture of a
telecommunication system and is not about a specific person44. In this a telephone number in
the body of an email would not be events data or entity data and so, while perhaps not content
for the purposes of IPA, it would not be considered to be communications data and could not
be retained. Communications data therefore appears to include only metadata relating to the

37
IPA 2016 s.261(6)
38
DRIPA 2014 s.2(2)
39
IPA 2016 s.261(7)
40
IPA 2016 s.261(13)
41
IPA 2016 s.261(11)
42
IPA 2016 s.261(3)
43
IPA 2016 s.261(4)
44
IPA 2016 s.261(5)

4
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

functioning of telecommunication systems, the provision of telecommunications services, and


the transmission of communications rather than data which would provide knowledge of
the content of a communication. As relevant communications data is a subset of
communications data, it is also limited to metadata. Retention of metadata is not contrary to
the essence of Article 7 and is therefore capable of being justified provided it is for permitted
purposes and is proportionate to those purposes.

The Security of Retained Data

DRI held that legislation providing for bulk data retention must set out rules for protecting the
data retained by ISPs. These must require a high level of protection and security be applied to
the data and require the data to be irreversibly destroyed at the end of the retention period45.
They should also require retained data to be kept within the EU, and compliance must be
subject to review by an independent authority as per Article 8 of the Charter46. Watson
restated these four requirements47.

IPA requires that ISPs must destroy data once its retention is no longer authorised under Part
4, provided its retention isnt otherwise authorised by law48. Destruction may take place at
monthly or shorter intervals as appear to the ISP to be reasonably practicable49. The
Information Commissioner must review ISPs compliance with requirements under Part 4
relating to the integrity, security, or destruction of retained data50. To that extent IPA meets
the requirements of DRI and Watson. However, in terms of the level of protection applied to
retained data and the requirement data be kept in the EU, IPA is not in compliance.

Section 92 IPA covers the integrity and security of data retained by ISPs. Retained data is
required to be of the same integrity, and subject to at least the same security and
protection51 as data on the system from which it is derived. The storage and processing of
that data is regulated by the Privacy and Electronic Communications (EC Directive)
Regulations 200352. Regulation 5 thereof requires that ISPs take appropriate53 technical and
organisational measures, which must at least ensure that data can be accessed only by
authorised personnel (a requirement repeated in IPA54) for legally authorised purposes55. It
also requires that data must be protected against accidental or unlawful destruction,
accidental loss or alteration, and unauthorised or unlawful storage, processing, access or

45
DRI [2014] EUECJ C-293/12 at [67]
46
DRI [2014] EUECJ C-293/12 at [68]
47
Watson [2016] EUECJ C-698/15 at [122]-[123]
48
IPA 2016 s.92(2)
49
IPA 2016 s.92(3)
50
IPA 2016 s.244
51
IPA 2016 s.92(1)(a)
52
Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
53
2003 regulations, reg.5(1)
54
IPA 2016 s.92(1)(b)
55
2003 Regulations reg.5(1A)(a)

5
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

disclosure56 (again a requirement repeated in IPA57). Regulation 5(4) defines appropriate


in this context. A measure is appropriate where, taking into account the state of technological
developments and the cost of implementation, it is proportionate to the risks being
safeguarded against58. However, DRI requires that when securing retained data ISPs are to
ensure a particularly high level of protection and security without regard to economic
considerations59. As such, the requirement that ISPs secure retained data with the same
security and protection as data on the system from which it is derived does not meet the
standard set by the CJEU. Further, IPA does not require that data retained by ISPs be kept
within the EU. The Data Protection Act 1998 places restrictions on the transfer of personal
data to countries outside the EEA60, which would include relevant communications data
insofar as it permits the individual to whom the data relates to be identified61. But Watson
says that the legislation permitting retention must itself provide for retained data to be kept
within the EU62. This means that relying on other legislation, such as the Data Protection Act,
is not permissible.

As IPA fails to meet these requirements, the storage of retained data by ISPs provided for by
IPA constitutes an unjustifiable interference with Article 8 of the Charter.

Purposes for Which Data May be Retained

Watson held that data retention is only permissible for a limited number of purposes as
permitted by the ePrivacy Directive read in conjunction with Articles 7 and 8 of the Charter.
Article 5(1) of the ePrivacy Directive says that as a general rule a users data may not be
stored by another person without the consent of that user63. This is subject to exceptions
permitted by Article 15(1) of that directive (explicitly including data retention) for various
purpose including to safeguard national security, defence, and public security, and for
fighting crime64. Acknowledging that the interference with Articles 7 and 8 of the Charter
posed by bulk data retention is very far-reaching andparticularly serious65, Watson held
that in terms of fighting crime only the purpose of fighting serious crime is a permissible
exception66.

Section 87(1) IPA provides that retention notices may require an ISP to retain relevant
communications data for one of the purposes set out in section 61(7)67. While these purposes

56
2003 Regulations reg.5(1A)(b)
57
IPA 2016 s.92(1)(c)
58
2003 Regulations reg.5(4)
59
DRI [2014] EUECJ C-293/12 at [67]
60
Data Protection Act 1998 Sch.1, para.8
61
Data Protection Act 1998 s.1(1)
62
Watson [2016] EUECJ C-698/15 at [122]
63
ePrivacy Directive art.5(1)
64
ePrivacy Directive art.15(1)
65
Watson [2016] EUECJ C-698/15 at [100]
66
Watson [2016] EUECJ C-698/15 at [102]
67
IPA 2016 s.87(1)

6
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

include national security and fighting crime68, this is not limited only to serious crime.
Further, section 61(7) sets out a variety of other purposes including, among others, protecting
public health, assessing or collecting any taxes or duties payable to government departments,
preventing death or injury, assisting investigations into alleged miscarriages of justice,
assisting in identifying someone who is deceased or otherwise unable to identify themselves,
and the regulation of financial services markets69. Accordingly, the purposes for which data
can be required to be retained under IPA go beyond those which are permitted by Watson.

Proportionality of Data Retention

The principle of proportionality requires that limitations on Articles 7 and 8 of the Charter are
permitted only so far as they are strictly necessary70. As such, DRI and Watson both set out
requirements that must be met in order for a retention regime to be strictly necessary and thus
proportionate.

DRI requires that retention legislation provides clear and precise rules governing the scope
and application of interferences with Charter rights71, and established two grounds for
determining the strict necessity of data retention. The first is that retention cannot cover all
persons, all means of electronic communication, and all communications data without any
differentiation, limitation or exception and cannot cover people for whom there is no
evidence capable of suggesting that they have a link, even indirectly or remotely, with serious
crime72. Additionally, retention must include safeguards for data subject to professional
confidentiality, and must require a relationship between the data being retained and a threat to
public security73. In particular, the latter means that retention should be limited to a particular
time period, geographical location, or circle of people likely to be involved in serious crime,
or to people for whom the retention of their data could contribute to fighting serious crime.
The second ground is that the period of time for which data is to be retained should
distinguish between types of data based on their possible usefulness74. The length of the
retention period should be based on objective criteria to ensure that it is limited to what is
strictly necessary75.

Watson found that general and indiscriminate retention76 as the rule rather than the
exception77, covering all users without differentiation, limitation, or exception according to

68
IPA 2016 s.61(7)(a)-(b)
69
IPA 2016 s.61(7)(c)-(j)
70
Satakunnan Markkinaporssi and Satamedia [2008] EUECJ C-73/07 at [56]; Volker und Markus Schecke [2010]
EUECJ C-92/09 at [77]
71
DRI [2014] EUECJ C-293/12 at [54]
72
DRI [2014] EUECJ C-293/12 at [57]-[58]
73
DRI [2014] EUECJ C-293/12 at [58]-[59]
74
DRI [2014] EUECJ C-293/12 at [63]
75
DRI [2014] EUECJ C-293/12 at [64]
76
Watson [2016] EUECJ C-698/15 at [97]
77
Watson [2016] EUECJ C-698/15 at [104]

7
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

the objective pursued78, and not requiring any particular relationship between the data to be
retained and the purpose of retention79, exceeds the limits of what is strictly necessary and
cannot be considered to be justified, within a democratic society80. The requirement that
retention must be an exception rather than the rule goes beyond the limits established in DRI,
which permitted such bulk retention provided the required limitations and exceptions were
clearly set out. Watson says that legislation must place retention itself as an exception to the
general rule set out in Article 5 of the ePrivacy Directive. As such, and while the judgment
says that targeted retention is permissible provided it is limited to what is strictly necessary81,
the result of Watson is that bulk data retention can never be considered to be strictly
necessary and thus can never be proportionate.

IPA fails to meet the proportionality requirements of either DRI or Watson. Retention notices
may be tailored to an extent, including by requiring that only data which meets a certain
description82 or is from a certain time period83 is retained. But section 87 does allow for ISPs
to be required to retain all data84 indiscriminately, without differentiation, limitation, or
exception, and without clear safeguards for data subject to professional confidentiality.
Further, section 87 does not require any relationship between data to be retained and the
purpose being pursued or any link between that data and a threat to public security. Nor does
it require the retention period, while limited to a maximum of 12 months85, to be determined
based on objective criteria and limited to what is strictly necessary. Finally, section 87 does
not set out clear and precise rules on the scope and application of retention. Instead the
Secretary of State can issue notices containing other requirements, or restrictions, in relation
to the retention of data86 and making different provision for different purposes87. As such,
section 87 does not provide only for retention that is justified as a strictly necessary and
therefore proportionate interference with Articles 7 and 8 of the Charter as per DRI. Perhaps
most significantly, IPA allows for bulk retention as the rule rather than the exception,
exceeding the limits of what can be considered strictly necessary, and so cannot be
proportionate as per Watson.

Access to Communications Data

78
Watson [2016] EUECJ C-698/15 at [105]
79
Watson [2016] EUECJ C-698/15 at [106]
80
Watson [2016] EUECJ C-698/15 at [107]
81
Watson [2016] EUECJ C-698/15 at [109]-[111]
82
IPA 2016 s.87(2)(b)
83
IPA 2016 s.87(2)(c)
84
IPA 2016 s.87(2)(b)
85
IPA 2016 s.87(3)
86
IPA 2016 s.87(2)(d)
87
IPA 2016 s.87(2)(e)

8
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

Part 3 IPA provides for the disclosure of communications data to relevant public authorities
upon request88. Relevant public authorities include those public authorities listed in Schedule
489 as well as local authorities90.

Purposes for Which Data May be Obtained

Watson determined that the purposes for which communications data may be accessed must
genuinely and strictly91 correspond to one of those established by Article 15(1) of the
ePrivacy Directive read alongside Articles 7 and 8 of the Charter, namely national security,
defence, public security, and fighting serious crime.

DRI requires that serious crime be defined by objective criteria92. In IPA this is defined as
offences where an individual with no previous convictions could reasonably be expected to
be imprisoned for three years or more, or those that involve violence, result in substantial
financial gain, or involve a large number of people acting together for a common purpose93,
satisfying DRIs requirement.

However, communications data can be obtained in the pursuit of several purposes beyond
those permitted by Watson. These include, among others, for protecting public health, for
assessing or collecting any taxes or duties payable to government departments, for preventing
death or injury, and for assisting investigations into alleged miscarriages of justice94. This
does not satisfy the requirement in Watson limiting the purposes for which communications
data can be obtained.

Proportionality of Disclosure

As with retention, Watson holds that access to data must not exceed the limits of what is
strictly necessary in order to be proportionate95. In particular, this means that legislation must
provide clear and precise rules indicating in what circumstances and under which conditions
data may be obtained for permitted purposes96. Legislation must provide that access normally
be granted only to the data of individuals suspected of serious criminality (those suspected of
planning, committing, having committed, or being implicated in a serious crime)97.

88
IPA 2016 Pt.3
89
IPA 2016 s.70
90
IPA 2016 s.73
91
Watson [2016] EUECJ C-698/15 at [115]
92
DRI [2014] EUECJ C-293/12 at [46], [52]
93
IPA 2016 s.263(1)
94
IPA 2016 s.61(7)
95
Watson [2016] EUECJ C-698/15 at [116]
96
Watson [2016] EUECJ C-698/15 at [117]
97
Watson [2016] EUECJ C-698/15 at [119]

9
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

In terms of the circumstances in which communications data can be accessed under IPA, this
can only be for use in a specific investigation or operation98. Some communications data
takes the form of Internet Connection Records (ICRs). These are defined in section 62(7) as
the subset of communications data generated or processed by an ISP in the process of
supplying an internet connection to a customer that identifies, or assists in identifying, the
online service that is being used via that connection (which could be a particular website,
email service, messaging service, etc.)99. Disclosure of communications data other than ICRs
is not limited only to that concerning individuals suspected of any criminality, let alone
serious criminality.

Several conditions apply to obtaining ICRs that do not apply to obtaining other
communications data. Local authorities may not obtain ICRs in order to access data that can
only be obtained through ICRs100. For public authorities that are not local authorities, ICRs
may only be disclosed where one of three conditions is met101. The first is that it is necessary
to identify unknown persons or devices using a known internet service, but this is not limited
to individuals suspected of serious criminality102. The second relates to obtaining data for
purposes other than fighting crime103. The third, which does relate to the purpose of fighting
crime, is that obtaining an ICR is necessary either to determine which service is being used,
when it is being used, and how it is being used by a person or device whose identity is
known, or to determine where or when a known person or device is accessing or running
software which involves making available or acquiring material whose possession is a
crime104. However, this third condition is not limited only to the purpose of fighting serious
crime, but also to other relevant crime105. As such, ICR disclosure is also not limited only to
those of individuals who are suspected of serious criminality, and is therefore not limited
only to what is strictly necessary.

The communications data disclosure framework established by IPA does not therefore
provide for a proportionate interference with fundamental rights.

Safeguards and Oversight

Both DRI and Watson require that requests for access normally be subject to prior review by
a court or an independent administrative body106. This is to ensure that access to
communications data is limited to what is strictly necessary. Watson further required that
persons whose data has been accessed be notified once it is possible to do so without

98
IPA 2016 s.61(1)
99
IPA 2016 s.62(7)
100
IPA 2016 s.62(1)
101
IPA 2016 s.62(2)
102
IPA 2016 s.62(3)
103
IPA 2016 s.62(4)
104
IPA 2016 s.62(5)
105
IPA 2016 s.62(6)
106
DRI [2014] EUECJ C-293/12 at [62]; Watson [2016] EUECJ C-698/15 at [120]

10
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

jeopardising an investigation107. IPA does not provide for individuals whose data has been
disclosed to be notified.

Requests from local authorities for disclosure of communications data require the approval of
a judge108, and so meet the required standard. But requests for data from public authorities
other than local authorities can normally be authorised by senior officers within the
requesting authority without requiring approval by a judge109 (although the approval of a
Judicial Commissioner is required for authorisations that would identify a journalistic
source110). Senior officers may not normally grant authorisations for investigations they are
working on111, and there are certain procedural requirements112. And before a senior officer
within a relevant public authority can approve a request they must normally consult a Single
Point of Contact (SPoC), an individual within the authority responsible for advising others
internally on requests113. SPoCs advise on issues including the lawfulness of proposed
authorisations, whether it is reasonably practicable to obtain the data sought, and any cost
implications of a request114.

In order to determine whether in terms of public authorities other than local authorities the
approval regime satisfies the requirements of Watson it is necessary at this point to attempt to
determine what the CJEU may mean by independent in this context. The CJEU has
previously discussed this115 in relation to the requirement for independent oversight of
compliance with the Data Protection Directive116. In that instance the court concluded that
independent normally means a status which ensures that the body concerned can act
completely freely, without taking any instructions or being put under any pressure117. In its
view supervisory authorities must act objectively and impartially. For that purpose, they
must remain free from any external influence118. The CJEU went on to say that this
precludes not only any influence exercised by the supervised bodies, but also any directions
or any other external influence, whether direct or indirect, which could call into question the
performance by those authorities of their task119. Independence in the context of supervision
of data protection, relevant to both the ePrivacy Directive and to Article 8 of the Charter and
thus to access to retained data under IPA, appears to require both objectivity and impartiality,
and, to that end, freedom from any external influence. The Communications Data Draft Code

107
Watson [2016] EUECJ C-698/15 at [121]
108
IPA 2016 s.75
109
IPA 2016 ss.61-66
110
IPA 2016 s.77
111
IPA 2016 s.63
112
IPA 2016 s.64
113
IPA 2016 s.76
114
IPA 2016 s.76(5)-(6)
115
Commission v Germany [2010] EUECJ C-518/07
116
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data 95/46/EC
[1995] OJ L281/31
117
Commission v Germany [2010] EUECJ C-518/07 at [18]
118
Commission v Germany [2010] EUECJ C-518/07 at [25]
119
Commission v Germany [2010] EUECJ C-518/07 at [30]

11
Casting the Dragnet: Communications Data Retention under the Investigatory Powers Act

of Practice says that SPoCs provide objective judgement120, but the code does not require
SPoCs to act impartially. The code also states that senior officers shall take account of the
SPoCs advice in assessing the necessity of an authorisation121. SPoCs do not, however, have
the power to block requests and are themselves permitted to authorise requests if they are also
senior officers122. As such, it seems that in relation to public authorities other than local
authorities the framework is not compatible with the requirements established in DRI and
Watson that access to communications data be subject to independent prior review.

Part 3 IPA therefore does not provide the safeguards required to ensure that access to
communications data is limited to what is strictly necessary and therefore proportionate to the
purpose being sought.

Conclusion

There are serious issues with the communications data retention and disclosure framework
under IPA. While retention does appear to be limited to metadata, Parts 3 and 4 IPA do not
meet other requirements established by the CJEU. IPA does not require a particularly high
level of protection be applied to retained data or that it be kept in the EU. Retention notices
can be issued in pursuit of a range of purposes other than those permitted. Retention is
indiscriminate and is the rule rather than the exception. The length of the retention period is
not objectively determined and limited to what is strictly necessary. IPA does not provide
clear and precise rules governing the scope and application of retention. Communications
data can be accessed for a variety of purposes other than those permitted. Access is not
limited to data of individuals suspected of serious criminality. Finally, the oversight regime
does not provide for independent prior review or for individuals whose data has been
accessed to be notified when appropriate. Parts 3 and 4 IPA are therefore an unjustifiable
interference with Article 15(1) of the ePrivacy Directive read alongside Articles 7 and 8 of
the Charter.

120
Home Office, Communications Data Draft Code of Practice, Autumn 2016, para.4.33
121
Home Office, Communications Data Draft Code of Practice, Autumn 2016, para.4.19
122
IPA 2016 s.76(8)

12

You might also like