The data retention bill means we have no privacy rights at all

That day is not far. mumpfpuffel, CC BY-NC-SA

On July 15, with the support of all three main parties, the UK parliament passed the data retention and investigatory powers (DRIP) bill. According to home secretary Theresa May, the bill was designed in the interest of national security.

DRIP gives the government the power to retain certain type of customer data for up to two years. This type of information, also known as metadata, can include logs of when, where and to whom phone calls were made and the details of internet browsing history. This data potentially enables organisations to create profiles of citizens’ private lives.

A manufactured emergency?

DRIP was written up as “emergency legislation” in response to a ruling by the European Court of Justice (ECJ) in April, which invalidated a previously approved 2006 directive that allowed telecom firms to store data on citizens’ communications for up to two years. The ECJ ruling argued that the previous directive failed to provide sufficient safeguards against misuse of personal data and disproportionately interfered with the fundamental rights of privacy and protection of personal data.

While the ruling was hailed in some European Union member states as a victory for privacy and data protection, the British government’s response was rather less celebratory. A government spokesman said: “We cannot be in a position where service providers are unable to retain this data.”

Prime minister David Cameron argued that the ECJ’s decision created an emergency because legal uncertainty in British Law could lead to companies deleting their customers’ data and overseas firms refusing British requests for intercept warrants. This could jeopardise the work being done by security services to combat organised crime and terrorism.

However, one MP described the so-called emergency as “theatrical”, while another branded the rushed legislative process as “a stitch up” which would not allow the House of Commons enough time to discuss the law properly. The move to push the bill through was also questioned by campaign group Liberty who asked why the government had waited until now to address the issue when the ECJ’s judgement was given in April.

Greater democratic oversight

There are some features of the bill that could be used to bring surveillance legislation under greater democratic control and enhance oversight and transparency. The bill’s clauses include, for instance, a commitment to carry out a “tip to toe” review of the existing Regulation of Investigatory Powers Act (2000) which forms the foundation of surveillance laws in England and Wales. The bill also proposes the creation of a new Privacy and Civil Liberties Oversight Board which would seek to scrutinise and inform legislation on surveillance.

I know what you did last night. lightmash, CC BY-NC-SA

Despite some plus points, a study we are part of looks at how organisations handle our personal information. Our results show that the ECJ was right, that the system as the government wants it doesn’t have sufficient safeguards.

The study is part of a project called Increasing Resilience in Surveillance Societies, where we documented the experience of citizens trying to use the law to access their data and obtain information from a range of organisations about how their data is used, stored and shared. European and national legislation allows citizens to make access requests to organisations to obtain their personal information.

Accessing your own data

Our study found serial malpractice and obfuscation on the part of public and private sector organisations when citizens sought clarification of what these organisations knew about them.

On average, four out of ten subject access requests made to organisations in the study failed to achieve a successful outcome. In a fifth of cases, citizens could not even find out who to contact to be able to make such requests.

In more than half the cases (56%) when requests could be made, organisations failed to provide sufficient information about who they had shared personal data with. Organisations also frequently (71%) failed to explain whether (and if so how) personal data had been subject to processes such as customer profiling. The results of our study raise questions about whether citizens can, in reality, exercise their rights to know how their personal data is being used and shared.

When national security is invoked, exercising one’s right of access becomes even harder. The DRIP bill gives the UK government the right to know the details of every call or tweet we make. While falling short of knowing the precise content, they will know the precise location of the call and the recipients of the call.

This is not targeted surveillance, it is mass surveillance of all our communications data. This is big data in action. This data can be mined to provide detailed profiles of our interactions with our families and friends, our colleagues and our associates, and all our online transactions.

With the DRIP bill in place, when we try to exercise our rights, organisations can invoke national security exemptions. This effectively means we have no privacy rights at all. And, even if the DRIP bill has an expiry date set in December 2016, there seems to be no guarantee that the British government will provide a law that protects the fundamental rights of privacy and protection of personal data.