Data retention directive "invalid"

Thu Jul 10 23:29:53 BST 2014

On 10/07/14 21:10, Roland Perry wrote:
> In article
> <CAK0b=2ceFsj-Nae1azC7aAopsyd3+yJ0eQgQKGTuvYPG=9w4fQ at mail.gmail.com>,
> Tony Naggs <tonynaggs at gmail.com> writes
>>> "Emergency phone and internet data laws to be passed"
>>>
>>> http://www.bbc.co.uk/news/uk-politics-28237111
>>>
>> Oh gawd, that is pretty mangled. E.g. Nick Robinson video 1/3 down the
>> page, "there was no British law on this, in other words the security
>> service and the police, the national crime agency were able to find
>> out who
>> you spoke to on your phone and when, who you emailed and when as a result
>> of a European Directive".
>>
>> It's like a scene from the Wizard of Oz: oh look at those wicked
>> Europeans
>> and their intrusive rules, don't look at the RIPA behind the curtain ...
>
> It's not quite as bad as that. RIPA is about disclosure[1]. If the data
> hasn't been retained there's nothing to disclose. That's why the Data
> Retention stuff was introduced.

Actually, this is about disclosure too. Subsection 1(6) allows the SoS 
to make regulations about disclosure, either MAY or MUST, with almost no 
restrictions.

>
> [1] And potentially retention on a case by case basis, not blanket.

I have little complaint about case-by-case retention (though I don't see 
the RIPA connection?) - but I have been looking at

https://www.openrightsgroup.org/blog/2014/updates-on-emergency-data-retention-law?quip_approved=1#qcom18557

who say

"Legislation must comply with human rights judgements

What exactly is the point of human rights judgements if even the Liberal 
Democrats are prepared to ignore them? The CJEU have outlined very 
clearly what needs to happen before governments compel data to be 
retained. They say you cannot do it on a blanket basis, and someone 
independent, such as a regulator or a judge, must supervise police 
access. These fundamental points are missing from the emergency laws.
and studying the ECtJ judgement in terms of blanket retention."

I see two claims here, first that blanket retention is not allowed at 
all, and second that someone independent must supervise access, 
presumably on a per-case basis.

On the first claim, afaict the Court did not actually rule out blanket 
retention, though it did not rule out ruling it out (it didn't address 
that issue).

On the second claim there is this, from clause 62 of the judgement:

"Above all, the access by the competent national authorities to the data 
retained is not made dependent on a prior review carried out by a court 
or by an independent administrative body whose decision seeks to limit 
access to the data and their use to what is strictly necessary for the 
purpose of attaining the objective pursued and which intervenes 
following a reasoned request of those authorities submitted within the 
framework of procedures of prevention, detection or criminal prosecutions."

http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130de29d54fbc5c03411c896bf327f62b9890.e34KaxiLc3eQc40LaxqMbN4OaNyQe0?text=&docid=150642&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=448162

It certainly seems to *mandate* a judicial or otherwise independent 
layer between requests/demands from the Police etc and the ISPs. I 
cannot see any legislation which does not contain such a layer as being 
in compliance with the judgement - and the present proposal, the DRIP 
bill,  does not have any such layer.

Squaddy policemen may ask senior policemen to authorise their demands; 
but the person who authorises them should be someone independent; ie, 
not another policeman.

-- Peter Fairbrother