State surveillance and data retention
- YourSpace is an online social media and messaging platform. It is expanding its operations across the EU and wants particularly to provide its services in the UK. The YourSpace board have been advised they may need to comply with s. 71 (including s. 71(9)(f)) of the Investigatory Powers Act 2016. YourSpace is concerned about the costs that such a retention requirement will entail for it and seeks your legal advice on the potential viability of a successful legal challenge against any retention notice issued on it under s. 71.
Advise YourSpace.
To answer this question I would expect the student to discuss:
- The scheme for retention notices found in the Investigatory Powers Act.
- The legal basis for the striking out of the original Data Retention Directive as found in Digital Rights Ireland. They should note that the court held that Directive 2006/24 (now repealed) did not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits. They should note that the scheme for retention notices found in the Investigatory Powers Act is not subject to “a prior review carried out by a court or by an independent administrative body”.
- They should then discuss the Davis & Ors challenge to DRIPA. They should note that the High Court found DRIPA s.1 to be unlawful as “section 1 of the Data Retention and Investigatory Powers Act 2014 is inconsistent with European Union law in so far as: (a) it does not lay down clear and precise rules providing for access to and use of communications data retained pursuant to a retention notice to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences; and (b) access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.” However, they should note that the Court of Appeal did not believe it was the intent of the CJEU to lay down a mandatory requirement automatically applicable to national legislation. In fact the court thought this was highly unlikely: ‘we consider that it would be surprising if the CJEU were here seeking to lay down a mandatory minimum standard of universal application without referring to any of the relevant case law and without any consideration of the competing considerations.’
- Based on the outcome of Davis & Ors before the CJEU, the student should be able to answer the question as to whether the scheme for retention notices found in the Investigatory Powers Act is legal under European law.
- Systematic mass and indiscriminate data retention can never be compatible with the right to private life and to data protection. Such data retention contradicts the very essence of the right to private life.
This is a very open question and there are many ways to answer this. Here is one outline:
- Begin with a discussion of privacy as a fundamental right. This is beyond the scope of this book but any law student should be familiar with this – see for example Nissenbaum Privacy in Context: Technology, Policy, and the Integrity of Social Life or Wacks Privacy: A Very Short Introduction.
- In order, deal with the surveillance challenges to privacy, starting with CCTV and the lack of an effective regulatory framework beyond the Data Protection Act. A discussion of the provisions of the CCTV Code of Good Practice and the Protection of Freedoms Act 2012. This may be set against the estimated number of cameras (including HD cameras) in the UK and the observations of Dubbeld in her paper Observing Bodies: Camera Surveillance and the Significance of the Body.
- Next is RFID tracking. A short explanation of how RFID functions leads on to a discussion of RFID regulation (or lack thereof). Identification of the five primary RFID threats as outlined in the 2003 joint position statement with the proposed minimum guidelines and prohibited activities. The only UK regulation is the seven-page document Data Protection Technical Guidance: Radio Frequency Identification. The EU Action Plan.
- Location services are now a bigger problem than RFID by some degree. Like RFID, though, they are under-regulated. Note that in the UK geo-location technology is regulated by an industry code of practice dating from 2006 which is massively out of date. While the Regulation of Investigatory Powers Act can be used if data is intercepted, this does little for individuals with smartphones which automatically (and with contractual permission) track them.
- An analysis of data retention provisions. Are they balanced? Is there significant protection for the individual? A discussion of the government’s proposed Communications Capabilities Development Programme. Good students may note that TEMPORA (which has become public knowledge since the book was written) seems to already meet or even exceed this.