Data retention directive "invalid"
Peter Fairbrother
zenadsl6186 at zen.co.uk
Thu Jul 10 23:29:53 BST 2014
On 10/07/14 21:10, Roland Perry wrote:
> In article
> <CAK0b=2ceFsj-Nae1azC7aAopsyd3+yJ0eQgQKGTuvYPG=9w4fQ at mail.gmail.com>,
> Tony Naggs <tonynaggs at gmail.com> writes
>>> "Emergency phone and internet data laws to be passed"
>>>
>>> http://www.bbc.co.uk/news/uk-politics-28237111
>>>
>> Oh gawd, that is pretty mangled. E.g. Nick Robinson video 1/3 down the
>> page, "there was no British law on this, in other words the security
>> service and the police, the national crime agency were able to find
>> out who
>> you spoke to on your phone and when, who you emailed and when as a result
>> of a European Directive".
>>
>> It's like a scene from the Wizard of Oz: oh look at those wicked
>> Europeans
>> and their intrusive rules, don't look at the RIPA behind the curtain ...
>
> It's not quite as bad as that. RIPA is about disclosure[1]. If the data
> hasn't been retained there's nothing to disclose. That's why the Data
> Retention stuff was introduced.
Actually, this is about disclosure too. Subsection 1(6) allows the SoS
to make regulations about disclosure, either MAY or MUST, with almost no
restrictions.
>
> [1] And potentially retention on a case by case basis, not blanket.
I have little complaint about case-by-case retention (though I don't see
the RIPA connection?) - but I have been looking at
https://www.openrightsgroup.org/blog/2014/updates-on-emergency-data-retention-law?quip_approved=1#qcom18557
who say
"Legislation must comply with human rights judgements
What exactly is the point of human rights judgements if even the Liberal
Democrats are prepared to ignore them? The CJEU have outlined very
clearly what needs to happen before governments compel data to be
retained. They say you cannot do it on a blanket basis, and someone
independent, such as a regulator or a judge, must supervise police
access. These fundamental points are missing from the emergency laws.
and studying the ECtJ judgement in terms of blanket retention."
I see two claims here, first that blanket retention is not allowed at
all, and second that someone independent must supervise access,
presumably on a per-case basis.
On the first claim, afaict the Court did not actually rule out blanket
retention, though it did not rule out ruling it out (it didn't address
that issue).
On the second claim there is this, from clause 62 of the judgement:
"Above all, the access by the competent national authorities to the data
retained is not made dependent on a prior review carried out by a court
or by an independent administrative body whose decision seeks to limit
access to the data and their use to what is strictly necessary for the
purpose of attaining the objective pursued and which intervenes
following a reasoned request of those authorities submitted within the
framework of procedures of prevention, detection or criminal prosecutions."
http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130de29d54fbc5c03411c896bf327f62b9890.e34KaxiLc3eQc40LaxqMbN4OaNyQe0?text=&docid=150642&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=448162
It certainly seems to *mandate* a judicial or otherwise independent
layer between requests/demands from the Police etc and the ISPs. I
cannot see any legislation which does not contain such a layer as being
in compliance with the judgement - and the present proposal, the DRIP
bill, does not have any such layer.
Squaddy policemen may ask senior policemen to authorise their demands;
but the person who authorises them should be someone independent; ie,
not another policeman.
-- Peter Fairbrother
More information about the ukcrypto
mailing list