Controversial surveillance legislation hustled through parliament last summer has been ruled unlawful by the UK High Court, which argued that the vague terms and descriptions of powers in the Data Retention and Investigatory Powers Act 2014 (DRIPA) renders the act incompatible with human rights under European law.
In a 44-page ruling, Lord Justice David Bean and Mr Justice Andrew Collins criticised the lack of clarity and detail in spelling out the terms and conditions under which communications data can be intercepted by police and intelligence agencies, declaring the act “incompatible with the British public’s right to respect for private life and communications and to protection of personal data under Articles 7 and 8 of the EU Charter of Fundamental Rights”.
It is a decision that must have caused howling with both joy and indignation from both sides of the House of Commons, as the legal action that led to this ruling was a cross-party effort by Conservative MP David Davis and Labour MP Tom Watson. The judgment makes for interesting and instructive reading, providing as it does an overview of the fissures emerging between how national legislatures, led by the UK, regard their relationship to the European Union’s institutions.
Precedence of international law
DRIPA, one in a series of laws supporting controversial surveillance powers passed by successive UK governments, establishes the principle by which anti-terrorism measures and national security priorities take precedence over human rights considerations. However, the judgment rules that the EU Charter of Fundamental Rights must take precedence, and in doing so requires the UK government to undo its own act of parliament – a significant precedent by a British court.
David Anderson QC, the Independent Reviewer of Terrorism Legislation, comments that this ruling confirms the already well-established supremacy of EU over national law. But it also underscores the UK’s truculence in complying with this principle compared to other European nations.
Human rights online
The judgment also adds to international recognition, such as from the UN, that the way people use the internet is a human rights issue.
It does not refer to the wider geopolitical context of issues around the internet’s design, governance and use – from Wikileaks to the Snowden revelations, to the recent appointment of Joe Cannataci as the first UN Special Rapporteur on Privacy. But reading between the lines, it reflects the quiet sea-change underway in national and international courts as they start to comprehend the legal and political challenges of a world increasingly dependent upon computer networks and communication.
What this ruling makes more apparent is the lack of appropriate and affordable legal means for people to rectify violations of those rights. A recent report from the Council of Europe’s Commissioner for Human Rights on the rule of law on the internet, and a move to incorporate human rights into the heart of the internet’s governing bodies such as ICANN demonstrate that the debate is moving in that direction. The Right to Be Forgotten rulings are another example of courts deciding that human rights trump the technocratic approach.
Access regime poorly governed
It’s good news that those with power to enforce these principles are doing so, with courts correcting the government’s misuse of terrorist threats and abuse of the spirit of the law that governs the democratic process.
However, while the ruling is a positive step towards more robust checks and balances to abuses of executive power, it draws a distinction between its opinion on controversial EU laws governing blanket data retention, and its judgment that DRIPA lacks adequate standards governing access to that data.
Data retention and access to it may be legally distinct, but through mandatory data retention regulations EU member state governments have access to considerable details of our private lives online. With retention periods varying from six months to two years across the EU, this scale of data retention has been a source of friction between EU nations, and a bone of contention for civil liberties groups.
In 2014 the Court of Justice of the European Union (CJEU) ruled that the 2006 EU Data Retention Directive violated the same elements (Articles 7 and 8) of the EU Charter of Fundamental Rights as DRIPA. This ruling may have made the DRIPA legally redundant at the time it was hurried into law, but this did not diminish its political significance in the Conservative government’s use of cybersecurity rhetoric.
Why is the fine line between retention and access important? As privacy expert and online human rights advocate, the late Caspar Bowden noted in one of his interventions, this is much more than an academic distinction:
Ubiquitous personal communication technologies are here to stay. Because of exponentially falling data storage costs, two contrasting states of society can be envisaged … either that individuals determine whether and when their history is recorded, subject to exceptions, or that data will exist about everyone all the time. This is the policy choice between data retention and preservation, and it is a sharp dichotomy.
Bowden puts his finger on the political dimensions to legalities about the rights implications of the intimate entanglement of internet media and communications with everyday life, politics, and business. So the question remains: why do we permit governments and companies to retain so much data, about so many people, for so much of the time? I hope this judgment on access will be a first step along the path of the “broader-reaching change to data retention” David Anderson suggests may be in the air.