The unveiling last Thursday of a a draft bill on surveillance powers that is to be rushed through Parliament brought to mind the story of the Dutch boy who finds a hole in a dyke on his way to school and puts his finger in it to plug the leak until help arrives to shore it up. The legislation is said to be necessary to plug what the Government regards as holes in the regime of surveillance and investigatory powers pending a full review. The fact that the bill is titled the Data Retention and Investigatory Powers Bill – the “DRIP” bill – may mean I am not the first person to draw the analogy. But the analogy may not be entirely apt. An examination of the DRIP Bill reveals that it is not addressing little holes in the regime but in fact profoundly important and substantial issues.
The DRIP Bill will be law by the end of the week. Its unveiling in draft form on Thursday came out of the blue. The use of emergency parliamentary procedure means that there is no time for any significant consultation or lobbying and parliamentary scrutiny will be minimal.
The use of emergency procedure to enact laws that are controversial and have significant impacts on individual rights is becoming a regrettably frequent occurrence. Just over a year ago, when the Government was fast-tracking through Parliament legislation overruling a court judgment that found that thousands of benefits sanctions had been unlawfully imposed, the House of Lords Constitution Committee lamented that it was the latest in “an undesirably long line of recent fast-track legislation” and registered its concerns with the House (a strong thing for that Committee to do – see 12th Report Session 2012-13 HL 155 §6).
As on the last occasion, the Government had already secured behind-closed doors support from the Labour Party to ensure the Bill would pass without hitch or significant scrutiny. A few key Labour members have been briefed on Privy Council terms about the DRIP Bill and the reasons for it. This means that they can’t tell anyone what they were told. The consequence is that the full reasons for the measure will not be made known to Parliament or the public. The Parliamentary process will be little more than a rubber-stamping exercise.
In a statement made to Parliament on Thursday the Home Secretary identified two issue that the Bill is intended to address. She said,
we now face two significant and urgent problems relating to both communications data and interception: first, the recent judgment by the European Court of Justice, which calls into question the legal basis upon which we require communication service providers in the UK to retain communications data; and secondly, the increasingly pressing need to put beyond doubt the application of our laws on interception, so that communication service providers have to comply with their legal obligations irrespective of where they are based. (Hansard, 10/07/14 Col 456)
In other words, two holes have appeared or been identified in UK’s surveillance and investigation capabilities and the DRIP Bill is intended to plug them.
The first relates to retention by private companies of communications data (the hole is: they don’t have to retain it), the second relates to the desire to require foreign companies to co-operate with interception warrants (the hole is: foreign companies say they don’t have to comply).
Before turning to examine the contents of the Bill let me make three initial points.
First, it is said that the content of the Bill is not intended to expand the UK’s surveillance capabilities at least as they have been understood and operated by government agencies. It is intended to ensure that there is a legal basis for what is already going on. Of course, this gives rise to serious questions as to whether everything that law enforcement and intelligence agencies have been doing has had a lawful basis. One view of the DRIP Bill is that it seeking to provide a lawful basis for the unlawful exercise of power by UK agencies.
Secondly, the legislation is presented as a temporary gap-plugging measure. It has a sunset clause of 31 December 2016. The intention is that a review of surveillance capabilities and powers will be conducted and published before the 2015 General election and Parliament will legislate on the issue in the next Parliament. David Anderson QC the Independent Reviewer of Terrorism Legislation has been announced as the person who will conduct the review. Such a review is overdue and David Anderson’s appointment is welcome. But it does mean that the big issue about the adequacy of legal safeguards under the current regime is being shelved for the time being. It must be hoped that this will result in a more thorough and wide-ranging review and that will look not only at interception and data retention but also obtaining intercept material from foreign liaison partners (which is not currently within the scope of the review as it is not addressed by the Regulation of Investigatory Powers Act 2000 (“RIPA”)).
Thirdly, in an attempt to off-set the inevitable concerns raised by stop-gap legislation in such a sensitive area, the Government announced several initiatives to increase scrutiny and oversight of surveillance powers. These include (i) publication of an “annual transparency report”; (ii) the appointment of a former diplomat to review intelligence sharing with foreign governments, (iii) the establishment of a “privacy and civil liberties board” to “build on the role of the independent reviewer” of terrorism legislation. These proposals currently remain sketchy and the degree to which they will provide meaningful transparency and oversight cannot yet be judged.
Let us then turn to the content of the DRIP Bill.
The first hole: retention of Communications Data
The first hole identified by the Home Secretary arises from the judgment of the CJEU on 8 April 2014 in Digital Rights Ireland Ltd v Minister for Communications (Joined Cases C 293/12 and C 594/12) in which the court ruled that the Data Retention Directive was invalid. That ruling held the consequence (although the Government has not openly accepted this) that the implementing regulations– the The Data Retention (EC Directive Regulations) 2009 SI 859/2009- are ultra vires as the absence of an obligation under the Directive deprives them of their legal basis in domestic law.
The Directive and the Regulations were the means by which the Government required telephone and internet companies to retain “communications data” on individuals for up to a year. The information could then be obtained and used in criminal investigations and for intelligence purposes.
Communications data is information about when, where and by whom communications have been made. It is well known that communications data, although it does not include the content or terms of the actual communications, is extremely revealing about a persons’ activities and usually much more interesting to law enforcement and intelligence agencies than the content of communications.
Communications data includes information about internet services used, the user ID and time and duration of use. In the case of mobile telephones it includes when they were used, the name and address of persons who used them and the duration and destination of the communication. It also includes the location where a mobile telephone was used and even information identifying the movement, direction of travel and location from time to time of mobile devices. It was stressed in Parliament that this type of information has been instrumental in obtaining criminal convictions in cases such as that of Ian Huntley, by placing his victims Holly Wells and Jessica Chapman close to his house, even though their mobile phone had been switched off.
But this undoubted utility also shows that this type of data is enormously revealing about a person’s movements, activities, interests and associations. It in principle enables a degree of surveillance of a person of interest that totalitarian regimes infamous for the extent and depth of their surveillance could only have dreamt of. It therefore requires the strongest possible safeguards.
The invalidity of the Data Retention Directive does not affect the powers of the Government to require companies to provide it with communications data as this power is set out in Chapter II of Part I of RIPA. But the Government says that it is concerned that there is now no requirement that companies must continue to retain such data and they will begin to destroy it unless a new law is put in place.
Clause 1 of the DRIP Bill therefore provides that the Secretary of State may by notice require a communications service provider to retain data for purposes connected with protecting national security, public health, economic well being of the country and other purposes. A notice cannot require data to be retained for more than one year.
In practice it is likely that such notices would operate in a blanket fashion requiring telecommunications and internet companies to retain all data they possess or all data within certain broad categories.
There is no doubt that the legislation in this respect addresses a genuine problem that requires primary legislation to fix. It is much less clear that it is appropriate for government to be addressing the issue by fast-track legislation which avoids Parliamentary scrutiny. It was not lost on the opposition that the Government has had several months to introduce legislation to Parliament. Yvette Cooper the Shadow Home Secretary stated:
there will be serious concern, in Parliament and throughout the country, about the lateness of this legislative proposal, and about the short time that we have in which to consider something so important (Hansard, Col. 459)
Quite. Connected to this lack of opportunity for Parliamentary scrutiny is the fact that the legislation does not seek to remedy the serious problems with the regime of data retention which led the CJEU to find that it breached basic human rights.
The court said for example that the Data Retention Directive failed to restrict data retention to data pertaining to a particular time period, area or group of persons likely to be involved in serious crime and it did not specify any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of fighting crime. Furthermore in paragraph 62 it held:
Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions.
It concluded that there was a violation of the right of respect for private life and the right to protection of personal data as protected by Articles 7 and 8 of the Charter of Fundamental Rights of the EU.
The DRIP Bill does not attempt to meet the requirements articulated by the CJEU. (nor do the draft regulations, now available, which will be made under the Act when passed). The Government has suggested that the protections under domestic law, for example as provided by the Data Protection Act 1998, provide adequate safeguards. But apart from the fact that the Data Protection Act itself implements EU law and such data protection rules were no answer in Digital Rights Ireland, the new powers essentially derogate from data protection laws. There is therefore no reason to think that the Charter of Fundamental Rights of the EU would not be just as much violated by the DRIP Bill after it becomes law as by the Data Retention Directive. Even if the new legislation falls outside the scope of EU law (which is doubtful as data protection is generally speaking within the scope of EU law: e.g. RFU v Viagogo Ltd  1 WLR 3333) Article 8 of the European Convention on Human Rights imposes analogous requirements to those under the Charter of Fundamental Rights of the EU.
It is remarkable that the Government has not attempted to address the issues raised by the CJEU in Digital Rights Ireland and is introducing a law which appears straightforwardly incompatible with the right to privacy and contrary to a court judgment which is binding on the UK Parliament.
The second hole: interception of communications in other countries
The second hole that DRIP Bill is seeking to plug is entirely unconnected with the ruling of the CJEU and with the Data Protection Directive.
Under Chapter I of Part I of RIPA government agencies can obtain and serve interception warrants allowing them to intercept communications between private individuals. The Home Secretary informed Parliament that technological changes have meant that increasingly internet and telephone companies which provide services accessible to persons in the UK are based outside the UK and she referred to “growing uncertainty among communication service providers about our interception powers” and that service providers “based overseas need legal clarity about what we can access”.
Implicit in these statements is the fact that government agencies have been requiring companies based overseas to intercept communications or facilitate the interception of communications on behalf of UK government agencies. It seems that these foreign companies have begun to doubt that the UK government has any power to do this.
These doubts are understandable. It is a basic principle that legislation must expressly provide for extraterritorial effect if such effect is intended, more especially where the effect is to establish criminal offences on the part of persons who reside abroad, and RIPA includes no such express provision. On the contrary, various provisions of RIPA make clear that it was designed to operate alongside mutual assistance agreements which provide a specific mechanism for government agencies to obtain information through foreign authorities under mutual assistance laws. It seems that government agencies have been going direct to foreign private companies, without the need for involvement or even knowledge of foreign governments.
Clause 4 of the DRIP Bill makes express provision for service of interception warrants on companies abroad imposing on them an obligation, backed by criminal sanctions, to secure the interception of communications.
The DRIP Bill also provides that in determining whether a company or person has a defence under RIPA of having taken all steps which were “reasonably practicable” to take to facilitate the interception, regard is to be had to whether what they were being required to do by the UK agency was unlawful under the law of the foreign state (Clause 4(4)). However it falls short of stating that a person or company based overseas can refuse to cooperate if cooperation with a UK agency will involve the company or its employees breaking the law of a foreign country.
The scope of these powers should not be underestimated. It is most likely that the power to require interception by a foreign company would arise in tandem with what is called an external communications warrant issued under section 8(5) of RIPA. This applies where the sender or one or more recipient of a communication is overseas. In such cases none of the protections relating to the need for warrants to be targeted at certain people or premises apply. The Government can obtain a warrant for blanket interception of external communications on the basis that this is necessary in the interests of national security. Conditions on the search of such material should be imposed under the warrant, but these are not set out in law and the scope and nature of any such protections are unknown.
The breadth of the power under section 8(5) has been highlighted by the Snowden disclosures which have suggested that GCHQ taps into transatlantic cables containing internet and other communications traffic under a warrant issued under section 8(5) and a program known as TEMPORA. In theory at least, if RIPA has extra territorial scope, UK government agencies could obtain internet and email traffic in other parts of the world, without even the limitation that it passes through the UK, simply by requiring a foreign company to intercept the communications on their behalf by the Secretary of State issuing a warrant to this effect. That would give the UK authorities enormously wide scope for interception of communications and for obtaining internet and telecommunications traffic around the world.
The foreign company will be put in a very difficult position if, as seems likely, providing the information would be contrary to civil or criminal laws of the foreign country. The DRIP Bill perhaps gives them more comfort than previously but as I have noted it falls short of providing them with a defence that the company or it’s employees would be acting contrary to the laws of the foreign state. What is a foreign company to do? Foreign companies could not even reveal the fact that they had been served with a warrant without committing another offence: RIPA s.19.
The full consequences of the power have not been explained and given the fast-track procedure, they will not be the subject of parliamentary scrutiny before the bill becomes law. It will be apparent from my description of the provisions of the DRIP Bill relating to extra-territorial effect that they raise big issues, and complex issues, both of law and policy, including potentially issues of foreign policy.
These provisions have not been triggered by an event or judgment such as the decision in the Digital Rights Ireland case. No doubt the Government is very concerned about loss of information currently supplied to it by companies based in foreign countries but this is hardly persuasive if it had no right to be obtaining this information in the first place. It is highly unsatisfactory that these powers should be introduced without debate and without Parliament having a clear understanding of what laws it is enacting or a full appreciation of the consequences that the laws could have.
A third hole: creating, managing and storing messages online
It also appears that the Government fears that at present certain forms of internet use to which it wishes to have access–and probably has been gaining access–fall outside the ambit of the interception powers in Chapter I of Part I of RIPA.
This was not one of the problems identified by the Home Secretary in her statement to Parliament; but included within the DRIP Bill is a new definition of telecommunication service. Let me first of all explain the relevance of this definition. Under Chapter I of Part I of RIPA the Secretary of State may authorise the interception of communications which are being transmitted by a telecommunications system (or those which have been transmitted and are being stored by a telecommunications system). The definition of telecommunications system is therefore central to the scheme of the Act. It identifies the scope of the services that can be required to allow covert access to content data by government agencies under interception warrants.
The current definition of telecommunications service contained in section 2 of RIPA states that:
“telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)
A telecommunications system is defined broadly as any system for facilitating communications electronically.
Clause 5 of the DRIP Bill provides that a telecommunications service shall henceforth include services, “facilitating the creation, management or storage of communications transmitted, or that may be transmitted” by means of a telecommunications system.
The purpose and effect of this change is not self-evident. It will include within the ambit of Chapter I of Part I of RIPA web-based services that enable the creation, management and storage of messages on the internet but where the actual transmission of the message is separate service. The Explanatory Notes say that it is intended to “ensure that internet-based services, such as webmail, are included in the definition” of telecommunications services. It seems rather doubtful however that ordinary webmail services are the intended objects of this change given that such services ordinarily consist in the provision of access to and facilitates for making use of a system for transmitting electronic mail. One rather suspects that something else is going on here and it is very troubling that such a potentially significant change is being made without properly explaining the purpose behind it.
When RIPA was enacted internet use was still in its infancy. The technological changes which now enable government agencies to obtain enormous quantities of data on the personal lives of individuals were not anticipated.
The holes in the legal regime that are sought to be plugged by the DRIP Bill are just the latest to have appeared. This month the Investigatory Powers Tribunal will hear cases challenging (i) the scope of external communications warrants under section 8(4) of RIPA in respect of the TEMPORA program (explained above) and (ii) the absence of legal rules governing the receipt of material from foreign governments which has been obtained by those governments from their own interception programs (often without safeguards). A comparable case before the Strasbourg Court has been stayed pending these hearings.
It is clear that the RIPA regime is not fit for its current purpose. That now appears to be recognised on all sides. But it does not bode well for the review of the legislation that the Government is so apparently unwilling to facilitate informed debate and understanding, even at a general level, of very intrusive powers that it asks society in general, and Parliament in particular, to grant it.
Tom Hickman is a Reader in public law at University College London and a barrister at Blackstone Chambers.
Suggested citation: T. Hickman, ‘Plugging Gaps in Surveillance Laws or Authorising the Unlawful? Concerns about the DRIP Bill. ‘ U.K. Const. L. Blog (14th July 2014) (available at http://ukconstitutionallaw.org/).