Data retention directive "invalid"

Wed Apr 9 12:31:40 BST 2014

Peter
Thanks. I remembered overnight (I'm in the US) that had been a power in ATCSA to create a mandatory code, so you've saved me researching to check whether that power still exists :-)

Cheers
Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother
> Sent: 09 April 2014 00:39
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: Data retention directive "invalid"
> 
> On 08/04/14 17:05, Andrew Cormack wrote:
> >>Francis Davey <fjmd1a at gmail.com> writes
> >>> Although I haven't had any practical involvement in this
> >>> regulatory area for many years, my inclination is that UK
> >>> regulations predate the transposition of the Directive, and that
> >>> Plan B in the UK would be to fall back onto voluntary
> >>> arrangements made in the immediate aftermath of 9/11.
> >>>
> >>> The Data Retention (EC Directive) Regulations 2007 and 2009 _are_
> >>> the transposition of the EU directive.
> >>
> >> Did they repeal the earlier Regs? -- Roland Perry
> >
> > The post-9/11 stuff is UK primary legislation - the Anti-Terrorism,
> > Crime and Security Act 2001. As far as I can see that would need a UK
> > court to declare incompatibility under the Human Rights Act. That's
> > the normal way UK primary legislation is challenged. Until Parliament
> > responds to a declaration by amending the law, ATCSA will stay.
> 
> A voluntary Code of Practice for communications data retention
> 
> www.opsi.gov.uk/si/si2003/draft/5b.pdf
> 
> was issued under ATCSA Part 11 s.102, but as far as I know no mandatory
> Directions relating to data retention were ever issued under ATCSA.
> 
> While AFAICS the s.102 power to revise the CoP still exists, the power
> of the SoS to make an order containing such directions has lapsed
> (ATCSA
> s.105).
> 
> 
> 
> 
> 
> 
> I'll just mention another issue, "serious crime" vs "national
> security",
> which I think may get complicated.
> 
> The EU Court of Justice said that the Directive was deficient in that
> the restrictions to the right to privacy caused by the Directive were
> not proportionate to what it is was trying to achieve, the prevention,
> investigation, detection and  prosecution of serious crime [1]
> (including terrorism [2]).
> 
> [1]
> http://www.scribd.com/doc/216980523/Judgment-of-the-ECJ-in-Digital-
> Rights-Ireland-data-retention-challenge
>   para 18 and 41.
> 
> [2] ibid, para 24
> 
> 
> However, while some measure like the Directive may be disproportionate
> to achieving the prevention etc of serious crime, it may be
> proportionate (or otherwise made lawful) when used to achieve the aim
> of
> safeguarding National Security.
> 
> 
> eg see ACTSA ss.102(3)(a) and ss.102(3)(b), also referred to in ss.
> 104(1), though ss.102(3)(b) is a bit wooly -
> 
> "necessary-
> (a)for the purpose of safeguarding national security; or
> (b)for the purposes of prevention or detection of crime or the
> prosecution of offenders which may relate directly or indirectly to
> national security."
> 
> does the crime or just the offender have to (may?) relate to national
> security?
> 
> Actually Part 11 of ATCSA is all pretty wooly as to the reasons for
> retaining data, eg cf 102(5) "... the retention of any communications
> data is justified on the grounds that failure to retain the data would
> be likely to prejudice national security, the prevention or detection
> of
> crime or the prosecution of offenders" with 102(3), above.
> 
> 
> 
> 
> -- Peter Fairbrother