Blame it all on my roots

This month has seen two very different stories about emergency legislation emerge on either side of the Irish Sea. Here follow the results of my ruminating on the stories (my word of the week after seeing a professorship in non-ruminant science advertised).

In the UK, the Data Retention and Investigatory Powers (“DRIP”) Bill is before the House of Commons today.  After a debate on timing, at lunchtime today, it was agreed that all ‘stages’ be taken today. (Normally, legislation gets a broad second stage debate, consideration over a longer period (line by line) in a committee, and a final Commons stage).  It’s due before the House of Lords tomorrow.  Given the strong support for the truncated timing given by MPs earlier today (only 50 or so voted against), it’s very likely that the Commons will say yes – what the Lords make of it is to be seen.

I signed a letter about this legislation, which has provoked some interesting coverage (e.g. here, here and here).  I think that the Government is making a mistake in how it’s handling this legislation. It’s well known that the Court of Justice of the European Union found the Data Retention Directive invalid as a matter of EU law in April.  As Judith Rauhofer and I pointed out in our editorial (see part 4), this raised significant questions for the future of national measures adopted on the basis of it, as well as similar replacement measures. The CJEU declared the Directive invalid immediately and also made important points about what safeguards were required as a matter of EU law, including human rights.

Now this could have been a good opportunity for sober consideration of how to draft a new scheme, compatible with EU law and the European Convention on Human Rights, and informed by the engaging public debate on surveillance, security and technology. But readopting the bulk of the EU measure (without necessarily restoring lawfulness), along with some separate ‘clarifications’ (which may have merit in themselves or at least be the basis for further debate), is not a way for Government to establish and defend the legitimacy of data retention and surveillance. It’s inadvisable that this be construed as an emergency.  It’s clearly a matter of national importance and I do see the significance of the arguments put forward on the need to have a well-regulated system of intelligence and investigation. And something did have to be done after the CJEU’s decision – doing nothing would be, in my view, still a mistake.

But after the last few years of Snowden, the NSA, Wikileaks, well-founded fears about technological development and all that, now is the time to build support and trust. (The sad thing is that for a lot of people who don’t follow Parliament closely, they are paying attention today and not really seeing democratic deliberation at its best).  Today hasn’t achieved the goal of establishing trust and legitimacy, and I’d encourage readers to contact members of Parliament (especially the House of Lords) asking for a proper, careful debate.

Meanwhile, in Ireland, emergency legislation was one of the many proposals put forward to deal with a licensing decision (under the Planning & Development Acts – see part XVI) by Dublin City Council. The decision was significant because it pertained to proposed concerts by Garth Brooks. Promoters had already sold tickets (“subject to licence”) for five concerts at Croke Park (the largest stadium in the city), but the local authority only granted a licence for three.  (The full reasoned decision is published here).

One point that seemed to annoy some people was the inability of elected representatives to override this decision. A fair point, if one disregards the sorry history of planning corruption in Ireland and the need to apply the law in a consistent and transparent fashion. So with that in mind, ‘emergency legislation’ was proposed (one Bill was even drafted by an opposition member of the Dáil). Again, I’m not saying that the law is perfect – the controversy has highlighted some areas for procedural change in particular (I taught a course on entertainment law last year – and hereby offer my free services to any official body in Ireland that wants some suggestions).  Nor am I unsympathetic to the disappointed ticket-buyers (not least because, having been a teenager in 1990s Ireland, I truly understand that he has a serious fan base – in my day, local radio playlisters first and foremost). But for a licensing system to have credibility, responsible authorities have to be able to say no as well as yes; the sale of tickets for what is at the time an unlicensed event shouldn’t affect this. So while it can be tempting to call for a new law, that also deserves proper consideration – of models from other jurisdictions, for example.

Fortunately, despite a lot of posturing, the Irish parliament didn’t go down that route, and it looks like the concerts aren’t happening at all.  Here are some interesting things to read on the topic: Fergal Davis, Rebecca Moynihan & Jane Horgan-Jones, Gene Kerrigan.

Open letter from UK legal academics on surveillance

Full text also available at Slideshare and for download as PDF.

Tuesday 15th July 2014

To all Members of Parliament,
Re: An open letter from UK internet law academic experts

On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014.

In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers.

On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to:

  • compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
  • compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
  • compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6));
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).

The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.

Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU’s e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment.

Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception.

DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not misled as to what powers this Bill truly contains.

Signed,

Dr Subhajit Basu, University of Leeds
Dr Paul Bernal, University of East Anglia
Professor Ian Brown, Oxford University
Ray Corrigan, The Open University
Professor Lilian Edwards, University of Strathclyde
Dr Theodore Konstadinides, University of Surrey
Professor Chris Marsden, University of Sussex
Dr Karen Mc Cullagh, University of East Anglia
Dr. Daithí Mac Síthigh, Newcastle University
Professor David Mead, University of East Anglia
Professor Andrew Murray, London School of Economics
Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge
Professor Burkhard Schafer, University of Edinburgh
Professor Lorna Woods, University of Essex

Open access to 2013 work

Open access versions of a couple of my 2013/4 publications and talks have recently been made available through the University of Edinburgh. These versions are the best possible permitted under the terms of the relevant publishers –  peer reviewed but not fully formatted for (print) publication in the journal in question. They are accessible without registration or charge to all.

Earlier publications continue to be available via my SSRN page without a need for a subscription, in various forms.

I’ll try and put all of this in one place soon!

Ten things to read about today’s data retention decision

I am a fair-weather blogger, and so I cannot remember the last time I had so many visits or retweets in a day.  Piggybacking on the unexpected traffic boost, here are ten things worth reading (from various sources) about the reason for that traffic – the finding by the Court of Justice of the EU that the Data Retention Directive is, on human rights grounds, invalid.  (My own post, Data retention parrot, is here).

I had plenty to choose from in putting this list together – fortunate that the decision was published when many of us legal academics are not teaching?

  1. The decision of the Court.  The early pages are taken up with reproducing the provisions of the legislation, so if you are familiar with the Directive, those pages are most skippable.
  2. Fiona de Londras, professor at Durham Law School, writing at Human Rights in Ireland. Special mention: discussion on whether “a more tailored, narrower approach” might survive scrutiny if the Directive is to be replaced (see also her lessons for the US, posted at The Conversation).
  3. “Cybermatron”, an expert in this field, writing on her blog. Special mention: highlighting weaknesses in the decision, including where the Court may have underappreciated the significance of the legislation and of this challenge.
  4. Steve Peers, professor at the University of Essex Law School, writing on his blog EU Law Analysis. Special mention: analysis of the current status of the (invalid) Directive, and options for states and the EU from this point on.
  5. Paul Bernal, lecturer at the UEA Law School, writing on his blog. Special mention: how the decision sits within the wider debate on and advocacy for privacy.
  6. Karlin Lillington, journalist, writing in the Irish Times. Special mention: the consequences for Ireland and the EU, by someone who has been instrumental in highlighting data retention practices for over a decade.
  7. Luke Scanlon, solicitor, Pinsent Masons, writing on Out-law. Special mention: impact on other legislation, including data protection present and future.
  8. Glyn Moody, author and journalist, writing for ComputerWorld UK. Special mention: explanation, point by point, of how the court’s decision relates to specific data retention practices.
  9. Gabriele Steinhauser, journalist, writing in the Wall Street Journal. Special mention: how the decision is being reported to an international audience, including the political dimension.
  10. Press release and FAQ on the decision from the European Commission (the ‘losing’ side, not that you would know that from the statement). Special mention: reading it with a straight face.

Apologies to those omitted – additional links welcome, through the comments sections below.

The data retention parrot

One of the most-read posts on this site is a 2009 set of ten questions about data retention legislation in Ireland. It was written with a mixture of anger and detail. Today’s post contains neither. Instead, it’s relieved – but hurried.

This morning, the Court of Justice of the European Union (CJEU) ruled in a set of cases regarding the validity, from a human rights point of view, of the Data Retention Directive (which provides for the retention by service providers of phone and Internet communications data across the EU for set periods, for the purpose of subsequent access by public authorities). Here’s the decision as posted on Scribd; official link to follow. Cases C-293/12 and C-594/12.

The Advocate General had already given his Opinion in late 2013, which was in some respects very critical of the Directive, but his recommendations were also a bit limited.  Of the cases that the CJEU heard, the one I know best (unsurprisingly) is the challenge made in Ireland by Digital Rights Ireland (High Court decision of 2010). This, and other cases starting in Austria, were sent to the EU court for a ruling on points of EU law.

Here are my first-look highlights from today’s decision.

1. The Directive raises serious issues of compatibility with the fundamental rights protected under EU law (privacy and data protection) – and it is not proportionate, and therefore invalid. This was clearly flagged by the Advocate General and will be the big headline today, rightly.  I’m just going to add some more observations, but the big result shouldn’t be ignored!

2. On the other hand, the proposal of the Advocate General (that the effect of declaring it invalid be suspended to allow better legislation to be introduced; paras 154-158 of his Opinion) has been entirely ignored in the decision, and only alluded to in a footnote in the accompanying press release. If I’m reading it right, this idea has simply disappeared.  The Directive is dead and, legally speaking, should never have existed.

3. There are important warning signs to the European bodies for the (inevitable) attempt to draft a replacement. Because of the nature of the rights and the infringements, discretion of the legislative bodies “is reduced, with the result that review of that discretion should be strict” (paras 47-8). Shroud-waving should also be avoided; “the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify” a retention measure such as this one (para 51). There are a range of specific criticisms outlined from para 58 onwards that would surely be relevant, e.g. application to the whole population, temporal or geographic restrictions, lack of a definition of serious crime, inadequate limits on access/use, a retention period plucked out of the air. Export outside the EU (topical!) is also highlighted at para 68.

4. Although it wasn’t necessary to rely on it to reach today’s result (see paras 69-70), the CJEU makes some very important comments about the relationship between surveillance and speech:

In such circumstances, even though, as is apparent from Article 1(2) and Article 5(2) of Directive 2006/24, the directive does not permit the retention of the content of the communication or of information consulted using an electronic communications network, it is not inconceivable that the retention of the data in question might have an effect on the use, by subscribers or registered users, of the means of communication covered by that directive and, consequently, on their exercise of the freedom of expression guaranteed by Article 11 of the Charter. (para 28)

(Bonus points for channelling Vizzini)

5. The Court makes significant use of the ECtHR’s decision in S & Marper v UK (about DNA databases) – three separate references, all ‘by analogy’ regarding article 8 ECHR. The significance of S was clear at the time and today’s opinion demonstrates how valuable it is in terms of analysing questions of law and technology – especially chilling and cumulative effects.  It’s also further evidence of the way that the CJEU builds on ECtHR rulings.

6. The Court endorses the Advocate General’s point about perception. It’s not a point unknown to those in the field (especially through the jurisprudence of the German courts and others), but it’s still not fully grasped in the UK and Ireland; data retention of this nature is “likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (para 37). (Which, for the record, is a bad thing).

Those are some first thoughts, and are really an extension of even earlier thoughts posted on Twitter. More later if I can!