Data retention directive "invalid"
Peter Fairbrother
zenadsl6186 at zen.co.uk
Thu Apr 10 21:57:42 BST 2014
On 10/04/14 10:33, Nicholas Bohm wrote:
> On 09/04/2014 21:41, Clive D.W. Feather wrote:
>> Peter Fairbrother said:
>>> However I don't think it actually matters much whether the Regulations
>>> are invalid or whether they are technically still valid but you don't
>>> have to obey them.
>>>
>>> I haven't (yet) come across a credible theory which demands that they
>>> still must be obeyed ...
>> The Regulations were made legally. We may believe that a lack of valid
>> Directive behind them makes them ultra vires, but no court has said that
>> yet. Until one does, you're surely bound to obey them.
>>
>
> No, it's a defence to a claim (civil or criminal) based on infringement
> of secondary legislation that it is invalid eg (as in this case) for
> being ultra vires. If it's void, it's void, and doesn't depend on a
> court to say so.

OK, assuming that the Regulations are void or invalid, let's look at
what law still exists regarding data retention to see whether an ISP can
retain data, whether they can give that retained data to the Police, or
whether they are allowed to, or required to, delete it (assuming it is
no longer needed for billing and suchlike purposes).

I can find two bits of perhaps relevant law, the voluntary Code of
Practice issued under the Anti-Terrorism, Crime and Security Act 2001
and the somewhat draconian section 94 of the Telecommunications Act 1984.

The CoP is so similar to the Regulations in effect, eg in the periods
and types of data to be retained, that it is almost certainly also
disproportionate in its effect on Article 8 rights (absent the
consideration of preserving National Security, below).

Assuming that that is the case then an ISP cannot rely on the CoP as
legal protection for data retention, and must delete the retained data
once it is no longer needed for billing purposes.

In any case, under the ATCSA CoP they can delete the retained data if
they wish to, as the CoP is voluntary.

If an ISP has agreements with the Home Office regarding distributing
data to Police forces etc, I don't think these can be enforced.
Certainly they cannot be enforced if the CoP is invalid, and probably
not otherwise if it is only partly disproportionate, which it almost
certainly is.

Bye-bye SPOCs? In their present form, quite probably.

There is one fly in that ointment though, the reason for retaining the
data. Under the CoP the reason for processing the data is given as:

“NATIONAL SECURITY:~ Retention of communications data for the purpose of
safeguarding national security or for the purposes of prevention or
detection of crime or the prosecution of offenders which may relate
directly or indirectly to national security”.

I have commented before on how unclear that is, whether the crime must
relate to national security, and that elsewhere in the CoP the actual
reasons include considerations of combating crime in general, rather
than solely for purposes of preserving national security.

However if the reason for retaining the data is solely preserving
"national security" then the EU law which says that the UK law must
be proportionate *does not apply*, as matters of national security are
not in the competences granted to the EU.

Actually it's a bit more complicated than that. The people who decide
what is and isn't matters of "national security" are the EU Courts, not
the national (UK) courts, and on this particular matter there is also a
Declaration in the Treaty of Lisbon as follows:

" Declaration 20. Declaration on Article 16 of the Treaty on the
Functioning of the European Union.

The Conference declares that, whenever rules on protection of personal
data to be adopted on the basis of Article 16 could have direct
implications for national security, due account will have to be
taken of the specific characteristics of the matter. It recalls that the
legislation presently applicable (see in particular Directive 95/46/EC)
includes specific derogations in this regard. "

Which again is pretty woolly, but definitely excludes an absolute right
for UK Gov to order data retention for reasons given as "national
security". But let's assume that UK Gov can demand data retention for
purposes of national security.

Now the EU "principle of the minimum action" clauses come in. If data is
to be retained for reasons of national security, then under those
clauses it cannot be used for other purposes if those other purposes are
disproportionate to the interference with Article 8 rights.

There is a tiny bit of fudge room for UK Gov here; if the purposes are
both national security and combating crime then both of these have to
be weighed on one side of the scales, not just combating crime - but I'm
pretty sure that in otherwise similar circumstances the ECJ would come
to a similar conclusion, and disallow the use of retained data for other
purposes like detection and prevention of crime as being
disproportionate. And they'd be really pissed off if UK Gov tried.

In other words, maybe UK Gov can mandate data retention in a manner
similar to the Directive and Regulations for purpose of securing
national security - but that data can't then be used for other purposes
like combating crime (or even combating terrorism, most likely, except
insofar as it affects national security).

Of course there will likely be a different and hopefully better data
retention directive in due course.

As to the somewhat draconian section 94 of the Telecommunications Act
[1], the considerations are mostly exactly the same as above. The
section is pretty draconian, allowing the SoS to require an ISP to do
almost anything in the cause of national security - but only legal
anythings, it doesn't allow him to require something which would
otherwise be unlawful or illegal (apart from some stuff in the
Communications Act 2003).

For instance he can't require an ISP to install a black box under s.94,
or retain comms data for reasons other than necessary national security.

-- Peter Fairbrother

[1] s94 of Telecommunications Act 1984, as amended:
94 Directions in the interests of national security etc.
(1)The Secretary of State may, after consultation with a person to whom
this section applies, give to that person such directions of a general
character as appear to the Secretary of State to be necessary in the
interests of national security or relations with the government of a
country or territory outside the United Kingdom.
(2)If it appears to the Secretary of State to be necessary to do so in
the interests of national security or relations with the government of a
country or territory outside the United Kingdom, he may, after
consultation with a person to whom this section applies, give to that
person a direction requiring him (according to the circumstances of the
case) to do, or not to do, a particular thing specified in the direction.
(2A)The Secretary of State shall not give a direction under subsection
(1) or (2) unless he believes that the conduct required by the direction
is proportionate to what is sought to be achieved by that conduct.
(3)A person to whom this section applies shall give effect to any
direction given to him by the Secretary of State under this section
notwithstanding any other duty imposed on him by or under Part 1 or
Chapter 1 of Part 2 of the Communications Act 2003 and, in the case of a
direction to a provider of a public electronic communications network,
notwithstanding that it relates to him in a capacity other than as the
provider of such a network.
(4)The Secretary of State shall lay before each House of Parliament a
copy of every direction given under this section unless he is of opinion
that disclosure of the direction is against the interests of national
security or relations with the government of a country or territory
outside the United Kingdom, or the commercial interests of any person.
(5)A person shall not disclose, or be required by virtue of any
enactment or otherwise to disclose, anything done by virtue of this
section if the Secretary of State has notified him that the Secretary of
State is of the opinion that disclosure of that thing is against the
interests of national security or relations with the government of a
country or territory outside the United Kingdom, or the commercial
interests of some other person.
(6)The Secretary of State may, with the approval of the Treasury, make
grants to providers of public electronic communications networks for the
purpose of defraying or contributing towards any losses they may sustain
by reason of compliance with the directions given under this section.
(7)There shall be paid out of money provided by Parliament any sums
required by the Secretary of State for making grants under this section.
(8)This section applies to OFCOM and to providers of public electronic
communications networks.