As reported a few days ago, the U.K. is set to introduce emergency legislation to respond to a recent ruling by Europe’s top court, which struck down an EU-wide law forcing communications firms to hang on to subscriber data for law enforcement purposes.
However, the new law, which will be fast-tracked through the parliamentary process, would actually expand existing surveillance legislation so that interception warrants can be served on foreign communications companies, and even cover conduct taking place outside the U.K. It looks like the British government is trying to extend its lawful surveillance powers to foreign ISPs and web services.
The new law would explicitly allow the interception of metadata for webmail and other web services, potentially including social networks, chatrooms and instant messengers. It would also allow the government to “make further provision about the retention of relevant communications data” by regulation, rather than having to go through Parliament.
The emergency Data Retention and Investigation Powers (DRIP) Bill, which will be introduced in Parliament next week with cross-party support, will only be valid until the end of 2016, allowing the next government to decide what it wants to do at that point (a general election will take place in 2015). During that time, a full review of the controversial Regulation of Investigatory Powers Act (RIPA) will also take place – RIPA is the legislation that allegedly backs up the U.K.’s web surveillance activities.
In the meantime, though, Britons will get a fast-tracked DRIP Act so that spies and law enforcement can continue to see who called or emailed whom and when during the previous year. According to a statement from Number 10 Downing Street:
“Unless they have a business reason to hold this data, internet and phone companies will start deleting it which has serious consequences for investigations – investigations which can take many months and which rely on retrospectively accessing data for evidential purposes.”
The expansion of the U.K.’s interception powers can be found in section 4 of the bill, which proposes several amendments to RIPA. Most of these amendments come down to inserting the words “outside the United Kingdom” into the existing RIPA text, in sections governing which ISPs and companies are covered by the legislation.
In accompanying notes the government explained this by saying RIPA was always intended to apply to foreign firms, but that wasn’t clear enough before:
“This Bill is required in order to clarify the intent of RIPA. while RIPA has always had implicit extraterritorial effect, some companies based outside the United Kingdom, including some of the largest communications providers in the market, have questioned whether the legislation applies to them. These companies argue that they will only comply with requests where there is a clear obligation in law. When RIPA was drafted it was intended to apply to telecommunications companies offering services to United Kingdom customers, wherever those companies were based. It is now important to make that clear on the face of the legislation. The Bill therefore… confirms that requests for interception and communications data to overseas companies that are providing communications services within the United Kingdom are subject to the legislation.”
Similarly, the notes also make clear that the DRIP Act would “clarify” that the definitions of “telecommunications service” include “internet-based services, such as webmail,” and section 5 says intercept powers would cover any service that “consists in or includes facilitating the creation, management or storage of communications.” On the plus side, one of the clauses notes that, in assessing whether a warrant served overseas is reasonable or not, local laws should be taken into account.
Worryingly, DRIP would also make it possible to order communications providers to retain “all data or any description of data” — the accompanying notes say this couldn’t mean retaining more than metadata, but the wording of the bill itself doesn’t appear to be that clear.
So much for the assurances of Liberal Democrat MP Julian Huppert, who is usually a staunch defender of digital rights but who insisted that there was nothing new in the new law:
“We need legislation to allow communications data to be available, but not to store more than is already allowed. And in this post-Snowden world, we need to move towards keeping less, and finding better and more proportionate ways to do so. We need to completely rewrite the law in this area. But that cannot be done quickly. We have to get it right, which will take a lot of work from many experts … So I think it is right to agree to a stop-gap. A piece of legislation that can be passed quickly, but crucially will automatically expire at the end of 2016, giving time to write something better, and the certainty of knowing it will not just become entrenched.”
Uncertainty over legality
It is 3 months since the Court of Justice of the European Union (CJEU) struck down the EU-wide Data Retention Directive for having insufficient privacy safeguards. The U.K.’s own data retention regulations were just a transposition of that directive into national law, so the CJEU ruling effectively scrapped it.
Prime Minister David Cameron insisted at a press conference on Thursday that the emergency legislation was being announced “at the first available opportunity”. Cameron’s sidekick, Deputy Prime Minister Nick Clegg, said the struck-down directive “didn’t have all the checks and balances which we have in our domestic provisions.” Ergo, he suggested, the new law would be comply with EU privacy legislation.
When it made its ruling in April, the CJEU said :
“We anticipate that the Commission, taking into account the Court’s judgment, will now reflect on the need for a new Directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive.”
However, Michele Cercone, the spokesman for EU home affairs commissioner Cecilia Malmström, said the effect of the ruling was to make it as if the directive had never existed, effectively removing harmonization between EU member states on the data retention issue:
“It is for member states to decide on national legislation and possible follow-ups. The judgement of the court only concerns the EU directive.”
“Safeguards” include new U.S. data deal
Apart from the limited period of validity and the promised RIPA review, the extra “safeguards” in the DRIP Bill include the establishment of a U.S.-style Privacy and Civil Liberties Oversight Board (essentially an enhancement of the existing “independent reviewer of terrorism legislation” role), new restrictions on the number of public bodies that can access communications data, and new annual transparency reports.
The Downing Street statement also said:
“We will appoint a senior diplomat to lead discussions with the American government and the internet companies to establish a new international agreement for sharing data between legal jurisdictions.”
A Downing Street spokeswoman said this was a reference to the aforementioned uncertainty among U.S. firms about how RIPA squares up to their own laws.
“For example, the U.S. has the Wiretap Act, which companies will be concerned about, how complying with our interception laws fits with their own domestic interception laws,” she said.
This article was updated multiple times as the text of the bill was released and analyzed.