Blame it all on my roots

This month has seen two very different stories about emergency legislation emerge on either side of the Irish Sea. Here follows the results of my ruminating on the stories (my word of the week after seeing a professorship in non-ruminant science advertised).

In the UK, the Data Retention and Investigatory Powers (“DRIP”) Bill is before the House of Commons today.  After a debate on timing, at lunchtime today, it was agreed that all ‘stages’ be taken today. (Normally, legislation gets a broad second stage debate, consideration over a longer period (line by line) in a committee, and a final Commons stage).  It’s due before the House of Lords tomorrow.  Given the strong support for the truncated timing given by MPs earlier today (only 50 or so voted against), it’s very likely that the Commons will say yes – what the Lords make of it is to be seen.

I signed a letter about this legislation, which has provoked some interesting coverage (e.g. here, here and here).  I think that the Government is making a mistake in how it’s handling this legislation. It’s well known that the Court of Justice of the European Union found the Data Retention Directive invalid as a matter of EU law in April.  As Judith Rauhofer and I pointed out in our editorial (see part 4), this raised significant questions for the future of national measures adopted on the basis of it, as well as similar replacement measures. The CJEU declared the Directive invalid immediately and also made important points about what safeguards were required as a matter of EU law, including human rights.

Now this could have been a good opportunity for sober consideration of how to draft a new scheme, compatible with EU law and the European Convention on Human Rights, and informed by the engaging public debate on surveillance, security and technology. But readopting the bulk of the EU measure (without necessarily restoring lawfulness), along with some separate ‘clarifications’ (which may have merit in themselves or at least be the basis for further debate), is not a way for Government to establish and defend the legitimacy of data retention and surveillance. It’s inadvisable that this be construed as an emergency.  It’s clearly a matter of national importance and I do see the significance of the arguments put forward on the need to have a well-regulated system of intelligence and investigation. And something did have to be done after the CJEU’s decision – doing nothing would be, in my view, still a mistake.

But after the last few years of Snowden, the NSA, Wikileaks, well-founded fears about technological development and all that, now is the time to build support and trust. (The sad thing is that for a lot of people who don’t follow Parliament closely, they are paying attention today and not really seeing democratic deliberation at its best).  Today hasn’t achieved the goal of establishing trust and legitimacy, and I’d encourage readers to contact members of Parliament (especially the House of Lords) asking for a proper, careful debate.

Meanwhile, in Ireland, emergency legislation was one of the many proposals put forward to deal with a licensing decision (under the Planning & Development Acts – see part XVI) by Dublin City Council. The decision was significant because it pertained to proposed concerts by Garth Brooks. Promoters had already sold tickets (“subject to licence”) for five concerts at Croke Park (the largest stadium in the city), but the local authority only granted a licence for three.  (The full reasoned decision is published here).

One point that seemed to annoy some people was the inability of elected representatives to override this decision. A fair point, if one disregards the sorry history of planning corruption in Ireland and the need to apply the law in a consistent and transparent fashion. So with that in mind, ‘emergency legislation’ was proposed (one Bill was even drafted by an opposition member of the Dáil). Again, I’m not saying that the law is perfect – the controversy has highlighted some areas for procedural change in particular (I taught a course on entertainment law last year – and hereby offer my free services to any official body in Ireland that wants some suggestions).  Nor am I unsympathetic to the disappointed ticket-buyers (not least because, having been a teenager in 1990s Ireland, I truly understand that he has a serious fan base – in my day, local radio playlisters first and foremost). But for a licensing system to have credibility, responsible authorities have to be able to say no as well as yes; the sale of tickets for what is at the time an unlicensed event shouldn’t affect this. So while it can be tempting to call for a new law, that also deserves proper consideration – of models from other jurisdictions, for example.

Fortunately, despite a lot of posturing, the Irish parliament didn’t go down that route, and it looks like the concerts aren’t happening at all.  Here are some interesting things to read on the topic: Fergal Davis, Rebecca Moynihan & Jane Horgan-Jones, Gene Kerrigan.

Ten things to read about today’s data retention decision

I am a fair-weather blogger, and so I cannot remember the last time I had so many visits or retweets in a day.  Piggybacking on the unexpected traffic boost, here are ten things worth reading (from various sources) about the reason for that traffic – the finding by the Court of Justice of the EU that the Data Retention Directive is, on human rights grounds, invalid.  (My own post, Data retention parrot, is here).

I had plenty to choose from in putting this list together – fortunate that the decision was published when many of us legal academics are not teaching?

  1. The decision of the Court.  The early pages are taken up with reproducing the provisions of the legislation, so if you are familiar with the Directive, those pages are most skippable.
  2. Fiona de Londras, professor at Durham Law School, writing at Human Rights in Ireland. Special mention: discussion on whether “a more tailored, narrower approach” might survive scrutiny if the Directive is to be replaced (see also her lessons for the US, posted at The Conversation).
  3. “Cybermatron”, an expert in this field, writing on her blog. Special mention: highlighting weaknesses in the decision, including where the Court may have underappreciated the significance of the legislation and of this challenge.
  4. Steve Peers, professor at the University of Essex Law School, writing on his blog EU Law Analysis. Special mention: analysis of the current status of the (invalid) Directive, and options for states and the EU from this point on.
  5. Paul Bernal, lecturer at the UEA Law School, writing on his blog. Special mention: how the decision sits within the wider debate on and advocacy for privacy.
  6. Karlin Lillington, journalist, writing in the Irish Times. Special mention: the consequences for Ireland and the EU, by someone who has been instrumental in highlighting data retention practices for over a decade.
  7. Luke Scanlon, solicitor, Pinsent Masons, writing on Out-law. Special mention: impact on other legislation, including data protection present and future.
  8. Glyn Moody, author and journalist, writing for ComputerWorld UK. Special mention: explanation, point by point, of how the court’s decision relates to specific data retention practices.
  9. Gabriele Steinhauser, journalist, writing in the Wall Street Journal. Special mention: how the decision is being reported to an international audience, including the political dimension.
  10. Press release and FAQ on the decision from the European Commission (the ‘losing’ side, not that you would know that from the statement). Special mention: reading it with a straight face.

Apologies to those omitted – additional links welcome, through the comments sections below.

The data retention parrot

One of the most-read posts on this site is a 2009 set of ten questions about data retention legislation in Ireland. It was written with a mixture of anger and detail. Today’s post contains neither. Instead, it’s relieved – but hurried.

This morning, the Court of Justice of the European Union (CJEU) ruled in a set of cases regarding the validity, from a human rights point of view, of the Data Retention Directive (which provides for the retention by service providers of phone and Internet communications data across the EU for set periods, for the purpose of subsequent access by public authorities). Here’s the decision as posted on Scribd; official link to follow. Cases C-293/12 and C-594/12.

The Advocate General had already given his Opinion in late 2013, which was in some respects very critical of the Directive, but his recommendations were also a bit limited.  Of the cases that the CJEU heard, the one I know best (unsurprisingly) is the challenge made in Ireland by Digital Rights Ireland (High Court decision of 2010). This, and other cases starting in Austria, were sent to the EU court for a ruling on points of EU law.

Here are my first-look highlights from today’s decision.

1. The Directive raises serious issues of compatibility with the fundamental rights protected under EU law (privacy and data protection) – and it is not proportionate, and therefore invalid. This was clearly flagged by the Advocate General and will be the big headline today, rightly.  I’m just going to add some more observations, but the big result shouldn’t be ignored!

2. On the other hand, the proposal of the Advocate General (that the effect of declaring it invalid be suspended to allow better legislation to be introduced; paras 154-158 of his Opinion) has been entirely ignored in the decision, and only alluded to in a footnote in the accompanying press release. If I’m reading it right, this idea has simply disappeared.  The Directive is dead and, legally speaking, should never have existed.

3. There are important warning signs to the European bodies for the (inevitable) attempt to draft a replacement. Because of the nature of the rights and the infringements, discretion of the legislative bodies “is reduced, with the result that review of that discretion should be strict” (paras 47-8). Shroud-waving should also be avoided; “the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify” a retention measure such as this one (para 51). There are a range of specific criticisms outlined from para 58 onwards that would surely be relevant, e.g. application to the whole population, temporal or geographic restrictions, lack of a definition of serious crime, inadequate limits on access/use, a retention period plucked out of the air. Export outside the EU (topical!) is also highlighted at para 68.

4. Although it wasn’t necessary to rely on it to reach today’s result (see paras 69-70) , the CJEU makes some very important comments about the relationship between surveillance and speech:

In such circumstances, even though, as is apparent from Article 1(2) and Article 5(2) of Directive 2006/24, the directive does not permit the retention of the content of the communication or of information consulted using an electronic communications network, it is not inconceivable that the retention of the data in question might have an effect on the use, by subscribers or registered users, of the means of communication covered by that directive and, consequently, on their exercise of the freedom of expression guaranteed by Article 11 of the Charter. (para 28)

(Bonus points for channelling Vizzini)

5. The Court makes significant use of the ECtHR’s decision in S & Marper v UK (about DNA databases) – three separate references, all ‘by analogy’ regarding article 8 ECHR. The significance of S was clear at the time and today’s opinion demonstrates how it valuable it is in terms of analysing questions of law and technology – especially chilling and cumulative effects.  It’s also further evidence of the way that the CJEU builds on ECtHR rulings.

6. The Court endorses the Advocate General’s point about perception. It’s not a point unknown to those in the field (especially through the jurisprudence of the German courts and others), but it’s still not fully grasped in the UK and Ireland; data retention of this nature is “likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (para 37). (Which, for the record, is a bad thing).

Those are some first thoughts, and are really an extension of even earlier thoughts posted on Twitter. More later if I can!

When Irish eyes are watching

Last year, I was invited to give a ‘response’ to two very interesting papers at a seminar of the British Association for Comparative Law. The papers, by Paula Giliker and Elspeth Christie Reid, were on the evolution of breach of confidence and privacy, primarily in relation to England and Scotland. (Eric Clive wrote up his notes from the day here).

The papers, including a developed version of my comparative comments, are now being published in Juridical Review. A slightly earlier version of my contribution is available on SSRN through the University of Edinburgh School of Law Working Paper Series (here’s the series, and while there why not also download my colleague Judith’s latest paper on big data and small government…).

My article is a short one, and the main thing I hope it does is remind some UK-based readers of the interesting things that have happened in Ireland in relation to the privacy cause of action. I do spent a good deal of space talking about Sullivan v Boylan [2013] IEHC 104, which is a particularly useful contribution to the English and Scottish debates on how to handle the evolving questions of privacy and confidence. I also talk a bit about New Zealand.

Beyond breach of confidence: an Irish eye on English and Scottish privacy law

This article is based on comparative comments (with special attention paid to Irish law) presented at a seminar on breach of confidence and privacy. It is first argued that a continuing uncertainty regarding the role of statute in relation to privacy is common to the development of doctrines in both England and Scotland, with similar anxieties present in other jurisdictions. In the absence of statutory clarity, the questions arising out of debate on the nature of the cause of action, and the consequences of variation in definitions of “privacy”, are considered – with special attention to developments in Ireland and New Zealand. The relationship between the evolution of breach of confidence and the human rights framework is also noted. Finally, the prospects for law reform and/or convergence across jurisdictions in the United Kingdom are assessed.

(Sorry if you expected this post would be about this; words fail me on that subject, I’m afraid).

FISA, NSA and PRISM: behind the headlines

My Edinburgh colleague Judith Rauhofer (who has a particular research and teaching interest in privacy, data protection, and information), along with Caspar Bowden (who many readers will know through his writing and advocacy on privacy), has just launched a very timely paper on data protection in ‘the cloud’, with a particular emphasis on data stored in the US and subject to US law on access to data. Judith and Caspar have been making this argument well before the current PRISM/NSA reporting, and the paper makes it clear how there are already a number of important legal issues that require attention. The paper engages with recent scholarship on cloud computing itself (e.g. the Queen Mary projects) and the proposed new Regulation on data protection. It also contains a very detailed analysis of FISA. But the key argument, and the one that deserves the most attention from those who have reacted with alarm to recent news reports, is that about the obligations of European institutions to protect fundamental rights; both the Charter and Convention are discussed.

The paper is now available on SSRN:

Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud