DRIPA 2014 – court turns off the data tap 

04/08/2015

R (on the application of Davis MP and others) v Secretary of State for the Home Department (Open Rights Group and others intervening) [2015] EWHC 2092 (Admin), [2015] All ER (D) 180 (Jul)

What’s the background to this case? 

In claims for judicial review brought by four individuals including two serving MPs, Lord Justice Bean sitting with the Honourable Mr Justice Collins in the Divisional Court held that DRIPA 2014, s 1 is inconsistent with EU law in so far as:

it does not lay down clear and precise rules providing for access to and use of communications data retained pursuant to a retention notice to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences, and

access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued

The court therefore disapplied DRIPA 2014, ss 1 and 2, although that element of the order is suspended until 31 March 2016.

What happens next? How long does the government have to implement a new data retention law? 

DRIPA 2014 already contains (at DRIPA 2014, s 8(3)) a ‘sunset clause’ bringing its provisions to an end on 31 December 2016. This is reflective of the speed with which it was passed through both Houses–the Bill was fast-tracked through Parliament, passing through all its stages in the Commons on a single day, 15 July 2014, the Lords on 16 and 17 July 2014 and receiving the Royal Assent on 17 July 2014. The necessity for the fast-tracking of DRIPA 2014 was occasioned by the Court of Justice of the European Union’s (CJEU) ruling in Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and others, Re Landesregierung and others: C-293/12 and C-594/12 [2014] IP & T 622, which had struck down Directive 2006/24/EC. The UK’s existing data retention regulations (the Data Retention (EC Directive) Regulations 2007, SI 2007/2199 and the Data Retention (EC Directive) Regulations 2009, SI 2009/859) had been based upon that Directive, and the government was concerned that those regulations may no longer have been legally sound without it, hence the need for primary UK legislation.

Regardless therefore of any order by the Administrative Court in this case, by virtue of the sunset clause in DRIPA 2014 the government was already required to enact further legislation in relation to data retention during this parliament. The significance of the ruling in this case is that the court has identified clear parameters that any such new legislation must meet in order to comply with EU law (as set out in Digital Rights Ireland) and the court has accelerated the timetable by which that must be accomplished, giving the government until 31 March 2016. Furthermore, the court has hinted in the strongest terms it felt able to adopt that any bill laid as a replacement for DRIPA 2014 should be afforded a proper timetable in Parliament.

The mandatory requirements for a lawful legislative regime governing data retention as identified by the Administrative Court from the CJEU’s decision in Digital Rights Ireland are as follows:

a) Any legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards sufficient to give effective protection against the risk of abuse and against any unlawful access to and use of that data.

b) Access to and use of retained data must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences.

c) Above all, access to retained data must be made dependent upon a prior review by a court or an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary, such review to be initiated by a reasoned request.

The court recognised in the light of (c) above that further legislative change may well have to be accompanied by the setting up of an appropriate judicial or administrative body capable of properly authorising access to any retained data. It was partly for that reason that the court adopted the 31 March 2016 date for the disapplication of DRIPA 2014, ss 1 and 2 rather than the earlier date of January 2016 that had been urged upon it by the claimants.

What does this mean for any data that have already been collected? 

Continuity will be achieved so long as a new statutory regime is in place by 31 March 2016. It is to be noted that the court has declared DRIPA 2014, ss 1 and 2 unlawful not on the basis that blanket retention is itself necessarily unlawful, but because the access conditions provided for in DRIPA 2014 are not sufficiently robust to meet the criteria laid down in Digital Rights Ireland.

The issue of the lawfulness of blanket retention will soon be addressed by the CJEU in a referral from the Stockholm Administrative Court of Appeal in the case of Tele2 Sverige AB v Post och Telestyrelsen: C-203/15. It is unlikely, however, that any final judgment in the Swedish case will be available as guidance to the UK Parliament in its drafting of the new data retention regime to come into force after 31 March 2016.

Will this be appealed? 

Permission to appeal was granted by the Administrative Court because of the public importance of the case. The defendant had belatedly sought a reference to the CJEU, but this was declined.

Is this likely to mean that aspects of David Anderson QC’s report will be implemented? 

Both David Anderson QC’s recent report and a surveillance review by the Royal United Services Institute in July 2015 have recommended prior judicial approval in relation to some or all authorisation for interception warrants. These, coupled with the findings of the Administrative Court, make it likely that any new regime is implemented by the government in relation to data retention and access is highly likely to include some kind of mechanism for prior judicial approval where access to retained data is sought.

This is the first time that MPs have successfully judicially reviewed the government. Can you see this happening more on other matters? 

The circumstances of this case were unusual in that the legislation was rushed through Parliament in a deal struck between the government and the leader of the opposition as a result of the CJEU’s finding in Digital Rights Ireland. Furthermore, the provision for the blanket retention of data made no distinction in relation to the retention of potentially privileged material, including correspondence between MPs and their constituents. This latter aspect of the case was not required to be ruled on however, with the court simply noting that special consideration was to be given to applications concerning access to data involving communications with lawyers, MPs, or journalists.

Jonathan Price was interviewed by Alex Heshmaty. 

This article was first published on Lexis®PSL IP & IT on 4 August 2015

Leave a Reply

Your email address will not be published.