YouGov :"POLL - Blunkett's proposals on internet privacy: for or against"

Caspar Bowden cb at fipr.org
Fri, 14 Dec 2001 13:48:05 -0000 

> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of
> Ian G Batten
...
> As of the final version of the Terrorism Act, is it
> OK to just keep no logs?

To be honest, I have no bloody idea at the moment - am trying to figure out
for a Press Release. Seems to me to leave four or five utterly fundamental
DPA and HRA issues dangling.

The wording we now have as law is not a FIPR amendment but was drafted on
the hoof by LibDems at Report stage and reads :
http://www.publications.parliament.uk/pa/ld200102/ldbills/033/02033--b.pdf

"S.102(6) - A code of practice or agreement under this section may contain
any such
provision as appears to the Secretary of State to be necessary-
a) for the purpose of safeguarding national security [unchanged]
b) for the purposes of prevention or detection crime or prosecution of
offenders WHICH MAY RELATE DIRECTLY OR INDIRECTLY TO NATIONAL SECURITY"
(amendment was what was added in caps)

This is what Blunkett had to say about it (my caps):

http://www.publications.parliament.uk/pa/cm200102/cmhansrd/cm011213/debtext/
11213-36.htm

"On part 11, we had a suggestion from those who have been extremely busy on
the Liberal Democrat Benches that we should separate out, because it is
about not access but retention, those parts of data that someone could
second-guess as being relevant to terrorists, as opposed to organised
criminals and others. They have considered it necessary to press that.
...Part 11 therefore suggests that we should try to separate out those parts
of data. As I tried to explain on a number of occasions, including last
night, IT IS NOT POSSIBLE TO DO THAT, BUT PARADOXICALLY, BECAUSE IT IS NOT
POSSIBLE TO DO IT, IT IS NOT REASONABLE TO SUGGEST THAT WE CANNOT DO IT
[sic - caspar]. I am therefore prepared to accept the amendments that have
been tabled. In order to be able to implement what they want, we will have
to retain the data, so that it can be accessed to test out whether the
intelligence services are right in believing that it is relevant in tackling
terrorists. That is how stupid the Liberal Democrats are."

Moreover Information Commisisoner's comments on Bill of 13th Nov say:
http://www.dataprotection.gov.uk/dpr/dpdoc1.nsf/24afa328dcbf83d8802568980043
e730/f6a74d509b82423b80256b030054b3c4?OpenDocument

*)"the simple existence of a voluntary code containing provisions relating
to retention would not necessarily mean that such periods were relevant to
judging whether data are held longer than necessary for the communications
providers own purposes. Once data were no longer needed for the purposes of
the communications provider, they should be deleted. The proposed
legislation imposes no duty to retain for the law enforcement purposes of
public authorities; it is not clear how the simple power proposed can
overcome the duty to delete imposed by the 1998 Act. Concerns over Human
Rights Act compliance would further weaken the reliance to be placed on such
a code in an enforcement context"

*) "The first requirement of Article 8(2) is that the measures proposed are
"in accordance with the law"...the law concerned must be accessible and
precise (i.e. foreseeable in its consequences). ...There must therefore be a
concern that the proposed legislation would be incompatible with Convention
rights as it fails to satisfy this basic requirement for precision and
foreseeability in the delineation of the Secretary of State's powers"

*) The Info Commissioner said in 2000 annual report (citing Article 19 Ctee)
that blanket data retention on the whole population was "disproportionate
general surveillance" and therefore in itself  incompatible with the Human
Right Act (Art.8 of ECHR)
http://news6.thdo.bbc.co.uk/hi/english/uk/newsid%5F830000/830968.stm

Also....

*) Commenting on the latest amendment by the Telecoms Council to the new
draft Communications Privacy Directive, the European Commission has said on
6th December said:

".. for the minutes of the 6 December 2001 Council meeting of Ministers of
Telecommunications Concerning Article 15(1) of Proposed Directive on
processing of personal data and protection of privacy in the electronic
communications sector The Commission interprets the second sentence of
Article 15, paragraph 1,(To this end Member States may inter alia provide
for the retention of data for a limited period justified on the grounds laid
down in this paragraph, in accordance with the general principles of
Community law.) as merely adding a possible example of measures that Member
States may take under the circumstances and conditions laid down under
Article 15, paragraph 1. This phrase does not legally alter the substance
of, or add any element to, the first sentence of Article 15. Nor does it
exempt any measures that Member States may take from verification of their
respect for their obligations under the Directive and under Community law
generally, including the obligation to respect fundamental rights and
general principles of Community law such as those enshrined in the European
Union Charter of Fundamental Rights and the European Convention on Human
Rights."

I would paraphrase this as saying, no matter how much UK and other govts.
try and bend the wording of the new Directive on traffic data, blanket
retention on the whole population (solely for law enforcement purposes,
beyond period of business utility) is still illegal under ECHR and Charter
of Fundamental Rights.

Some, some questions about the amendment :

1) Does that "which may relate directly or indirectly" have any force
whatsoever (after all, it 'may' NOT)

2) Does it extend or even suffice to provide legal basis for ISPs/telco
blanket retention beyond what is already done for legitimate business
purposes ?

3) Can subject access requests still be made or does DPA S.28 exemption now
provide mechanism for blocking all subject access with a catch-all national
security Ministerial certificate
(http://www.hmso.gov.uk/acts/acts1998/80029--d.htm#28)

4) Article 19 Ctee still believes (and Commission hinting) that blanket data
retention (other than for allowed business purposes) anyway conflicts with
ECHR Art.8 (and EU Charter of Fundamental Rights ?). But how does that now
interact with national security, directly/indirectly, stuff ?

5) Does 2nd DP principle (data not to be used for purpose 'incompatible'
with original purpose) bite on restricting purposes for which data RETAINED
under ATCS can be OBTAINED under RIP Pt.I Ch.II

Beats me
--
Caspar Bowden                           www.fipr.org
Director, Foundation for Information Policy Research
Tel: +44(0)20 7354 2333