The UK’s “emergency” DRIP surveillance law is now a done deal

The Data Retention and Investigatory Powers (DRIP) Bill, which was fast-tracked by the U.K. government as emergency legislation, is now law. The House of Lords passed the bill on Thursday without a vote after MPs gave their approval on Tuesday. It received royal assent hours later, making it the DRIP Act. The bill was only revealed to the public one week ago.
The purpose of DRIP, which actually expands the British authorities’ surveillance powers, is ostensibly to make up for an April ruling by the Court of Justice of the European Union (CJEU), which struck down the EU’s Data Retention Directive for having insufficient privacy safeguards.
Much of the U.K. authorities’ domestic surveillance powers came from regulations based wholly on that directive, so the CJEU ruling made those regulations invalid too. This removed the legal backing for the authorities being able to demand that ISPs and telcos store customer metadata so law enforcement and spies can look through it.

By the government’s telling, unless you can mandate one-year communications data retention — who called who and when — you’re just asking terrorists, pedophiles and other criminals to roam freely. As someone who lives in Germany, where there is no data retention law (local transposition of the EU directive was struck down for being unconstitutional), I can assure you this is not the case.

False emergency

Despite government assurances that DRIP was only designed to maintain the status quo, this isn’t quite true. DRIP expands the authorities’ powers so that they can also demand that foreign web firms – Google(s goog), Facebook(s fb) and so on – retain and offer up British users’ communications data.
The government insists that this was already the case and it’s only “clarifying” existing law, but this really amounts to formalizing what was previously a convenient interpretation of the Regulation of Investigatory Powers Act (RIPA), against which the web firms themselves were pushing back. It also extends the provisions of RIPA to take in anything that “consists in or includes facilitating the creation, management or storage of communications”, whereas previously RIPA only explicitly covered telephony, SMS and email.
This, a day after the United Nations’ human rights chief said it’s hard to see mass default data retention as being compliant with international law.
DRIP has a sunset clause that means it will cease to be valid at the end of 2016. Some MPs and peers pushed for there to be a much shorter time limit, but were rebuffed by large majorities – the 3 major parties agreed to push DRIP through before telling the public about it. As for the “emergency”, the government had at least 3 months to initiate a proper parliamentary process, and really much longer, as the CJEU ruling was widely anticipated.

Understanding “the modern world”

This is all very reminiscent of the rushing-through of the Digital Economy Act in 2010. That piece of pro-copyright legislation, which made it possible to cut off the internet access of “pirates”, was fast-tracked in the so-called washup period at the tail-end of the last government.
Frankly I find this bypassing of the democratic process too depressing for words, so I’ll leave the final bit of this piece to Baroness Lane-Fox of Soho, a.k.a. web entrepreneur Martha Lane-Fox, a.k.a. one of the few tech-literate peers in the House of Lords, who understands that people now live their lives online, where almost everything they do counts as “communications”.
In the Lords on Wednesday, after noting that even she found the nuances of DRIP hard to interpret, Lane-Fox continued:

“Through no fault of their own, parliamentarians may well be making judgments on areas which are rapidly evolving and where technology is changing the art of the possible. For example, ways of intercepting and recording data that do not exist today will undoubtedly be invented. There are many products launching right now which will change the boundaries again. How do wearable technologies, such as Google Glass, which collect data fit into this new picture? It therefore makes me extremely nervous that Bills which require such deep technical expertise are given so little time.

The digital capability of the other place and of your Lordships’ House is something that will become more and more profoundly significant. All pieces of legislation will soon have aspects of technology at their core and our ability to scrutinise effectively will rely on a deeper understanding than currently exists. As someone from the digital sector, it is also disappointing to watch as legislation that directly affects that sector is so cursorily debated. It only goes to further people’s belief that neither House understands the modern world nor cares about their digital lives. It is a tough problem to crack, but may I suggest to the Minister that it would be interesting to consider a review of our own skills which might lead to some actions to improve them?”

This article was updated at 12.25pm PT to reflect the fact that DRIP also received royal assent on Thursday, following approval by the House of Lords, and to note that the Lords approved it without a vote.