Data retention directive "invalid"

Peter Fairbrother zenadsl6186 at zen.co.uk
Thu Apr 10 21:57:42 BST 2014


On 10/04/14 10:33, Nicholas Bohm wrote:
> On 09/04/2014 21:41, Clive D.W. Feather wrote:
>> Peter Fairbrother said:
>>> However I don't think it actually matters much whether the Regulations
>>> are invalid or whether they are technically still valid but you don't
>>> have to obey them.
>>>
>>> I haven't (yet) come across a credible theory which demands that they
>>> still must be obeyed ...
>> The Regulations were made legally. We may believe that a lack of valid
>> Directive behind them makes them ultra vires, but no court has said that
>> yet. Until one does, you're surely bound to obey them.
>>
>
> No, it's a defence to a claim (civil or criminal) based on infringement
> of secondary legislation that it is invalid eg (as in this case) for
> being ultra vires.  If it's void, it's void, and doesn't depend on a
> court to say so.

OK, assuming that the Regulations are void or invalid, let's look at 
what law still exists regarding data retention to see whether an ISP can 
retain data, whether they can give that retained data to the Police, or 
whether they are allowed to, or required to, delete it (assuming it is 
no longer needed for billing and suchlike purposes).

I can find two bits of perhaps relevant law, the voluntary Code of 
Practice issued under the Anti-Terrorism, Crime and Security Act 2001 
and the somewhat draconian section 94 of the Telecommunications Act 1984.


The CoP is so similar to the Regulations in effect, eg in the periods 
and types of data to be retained, that it is almost certainly also 
disproportionate in its effect on Article 8 rights (absent the 
consideration of preserving National Security, below).

Assuming that that is the case then an ISP cannot rely on the CoP as 
legal protection for data retention, and must delete the retained data 
once it is no longer needed for billing purposes.

In any case, under the ATCSA CoP they can delete the retained data if 
they wish to, as the CoP is voluntary.

If an ISP has agreements with the Home Office regarding distributing 
data to Police forces etc, I don't think these can be enforced. 
Certainly they cannot be enforced if the CoP is invalid, and probably 
not otherwise if it is only partly disproportionate, which it almost 
certainly is.

Bye-bye SPOCs? In their present form, quite probably.




There is one fly in that ointment though, the reason for retaining the 
data. Under the CoP the reason for processing the data is given as: 
“NATIONAL SECURITY:~ Retention of communications data for the purpose of 
safeguarding national security or for the purposes of prevention or 
detection of crime or the prosecution of offenders which may relate 
directly or indirectly to national security”.

I have commented before on how unclear that is, whether the crime must 
relate to national security, and that elsewhere in the CoP the actual 
reasons include considerations of combating crime in general, rather 
than solely for purposes of preserving national security.

However if the reason for retaining the data is solely preserving 
"national security" then the EU law which says that the UK law must 
be proportionate *does not apply*, as matters of national security are 
not in the competences granted to the EU.



Actually it's a bit more complicated than that. The people who decide 
what is and isn't matters of "national security" are the EU Courts, not 
the national (UK) courts, and on this particular matter there is also a 
Declaration in the Treaty of Lisbon as follows:

" Declaration 20. Declaration on Article 16 of the Treaty on the 
Functioning of the European Union.

The Conference declares that, whenever rules on protection of personal 
data to be adopted on the basis of Article 16 could have direct 
implications for national security, due account will have to be
taken of the specific characteristics of the matter. It recalls that the 
legislation presently applicable (see in particular Directive 95/46/EC) 
includes specific derogations in this regard. "

Which again is pretty woolly, but definitely excludes an absolute right 
for UK Gov to order data retention for reasons given as "national 
security". But let's assume that UK Gov can demand data retention for 
purposes of national security.



Now the EU "principle of the minimum action" clauses come in. If data is 
to be retained for reasons of national security, then under those 
clauses it cannot be used for other purposes if those other purposes are 
disproportionate to the interference with Article 8 rights.

There is a tiny bit of fudge room for UK Gov here; if the purposes are 
both national security and combating crime then both of these have to 
be weighed on one side of the scales, not just combating crime - but I'm 
pretty sure that in otherwise similar circumstances the ECJ would come 
to a similar conclusion, and disallow the use of retained data for other 
purposes like detection and prevention of crime as being 
disproportionate. And they'd be really pissed off if UK Gov tried.

In other words, maybe UK Gov can mandate data retention in a manner 
similar to the Directive and Regulations for purpose of securing 
national security - but that data can't then be used for other purposes 
like combating crime (or even combating terrorism, most likely, except 
insofar as it affects national security).



Of course there will likely be a different and hopefully better data 
retention directive in due course.



As to the somewhat draconian section 94 of the Telecommunications Act 
[1], the considerations are mostly exactly the same as above. The 
section is pretty draconian, allowing the SoS to require an ISP to do 
almost anything in the cause of national security - but only legal 
anythings, it doesn't allow him to require something which would 
otherwise be unlawful or illegal (apart from some stuff in the 
Communications Act 2003).

For instance he can't require an ISP to install a black box under s.94, 
or retain comms data for reasons other than necessary national security.



-- Peter Fairbrother


[1] s94 of Telecommunications Act 1984, as amended:


94 Directions in the interests of national security etc.

(1)The Secretary of State may, after consultation with a person to whom 
this section applies, give to that person such directions of a general 
character as appear to the Secretary of State to be necessary in the 
interests of national security or relations with the government of a 
country or territory outside the United Kingdom.

(2)If it appears to the Secretary of State to be necessary to do so in 
the interests of national security or relations with the government of a 
country or territory outside the United Kingdom, he may, after 
consultation with a person to whom this section applies, give to that 
person a direction requiring him (according to the circumstances of the 
case) to do, or not to do, a particular thing specified in the direction.

(2A)The Secretary of State shall not give a direction under subsection 
(1) or (2) unless he believes that the conduct required by the direction 
is proportionate to what is sought to be achieved by that conduct.

(3)A person to whom this section applies shall give effect to any 
direction given to him by the Secretary of State under this section 
notwithstanding any other duty imposed on him by or under Part 1 or 
Chapter 1 of Part 2 of the Communications Act 2003 and, in the case of a 
direction to a provider of a public electronic communications network, 
notwithstanding that it relates to him in a capacity other than as the 
provider of such a network.

(4)The Secretary of State shall lay before each House of Parliament a 
copy of every direction given under this section unless he is of opinion 
that disclosure of the direction is against the interests of national 
security or relations with the government of a country or territory 
outside the United Kingdom, or the commercial interests of any person.

(5)A person shall not disclose, or be required by virtue of any 
enactment or otherwise to disclose, anything done by virtue of this 
section if the Secretary of State has notified him that the Secretary of 
State is of the opinion that disclosure of that thing is against the 
interests of national security or relations with the government of a 
country or territory outside the United Kingdom, or the commercial 
interests of some other person.

(6)The Secretary of State may, with the approval of the Treasury, make 
grants to providers of public electronic communications networks for the 
purpose of defraying or contributing towards any losses they may sustain 
by reason of compliance with the directions given under this section.

(7)There shall be paid out of money provided by Parliament any sums 
required by the Secretary of State for making grants under this section.

(8)This section applies to OFCOM and to providers of public electronic 
communications networks.



