Wednesday 18 February 2009

Data retention and the incredible duplicity of events

You wait for ages for an irrational and totally see-through official position on data retention and then two come along at once. Following hot on the heels of last week's ECJ decision on the validity of the Data Retention Directive, the Home Office has now published its response to the consultation on the transposition of the Directive into English law. And what a response it is!

Matron isn't quite sure what to commend them on first. That they managed to gloss over the extension of the retention period for internet data from currently six months (under the Voluntary Industry Code) to 12 months, blatantly ignoring the point made by a number of respondents (including the SCL and Liberty) that they have yet to present a business case for any retention of communications data?

That they managed to find and quote the one sentence in a highly critical submission by Liberty that acknowledges that "communications data records can prove a valuable crime detection and prevention tool” (in its submission, Liberty then goes on to say, that the recently reported use of communications data by local authorities for the purpose of enforcing laws against flytipping and benefit fraud hardly fall within the definition of serious crime and terrorism)?

But the most worrying part of the response has to be the government's refusal to even engage with the argument that the retention of internet data for 12 months may very well be disproportionate under Article 8 of the European Convention on Human Rights.

As a general rule, Matron loves to be right as much as the next know-it-all, but in some cases she really doesn't. And the fact that the Home Office - less than a week after the ECJ made a similar point - also seems to suggest that the retention of communications data is somehow separate from access to the data so retained is one of those cases.

But first things first. Let us first look at the changes to the draft Regulations that the Home Office wishes to introduce as a result of the consultation:

Application of the Regulations
Because the UK government has agreed to reimburse CSPs for the costs they incur in implementing the Directive, it has long tried to keep those costs to a minimum by avoiding duplicate storage of data. In practice, this is difficult as many CSPs are using networks operated by other CSPs so that communications data are often held by both the upstream and the downstream provider. In the original draft Regulations the government therefore proposed that they should not apply to a CSP to the extent that the data concerned are already retained by another UK CSP. However, CSPs were very unhappy with this provision as they feared it would create both uncertainty and market distortion. They also argued that third parties interested in accessing retained data (for example, copyright owners) might bring actions for breach of statutory duty against those CSPs ostensibly not required to retain data under the Regulations.

The revised Regulations published by the Home Office last week provide that they will only apply to a CSP if the Secretary of State issues a notice to that CSP requiring it to retain data. No statutory duty to retain data will exist on the part of the CSP in the absence of such a notice. At the same time, under revised regulation 10(2), the Secretary of State must issue such a notice to a CSP unless the data to which the Regulations apply are retained in the UK in accordance with the Regulations by another CSP. In the words of President Truman: "the buck stops with the Home Secretary". Meaning that even if the Home Office gets it wrong, it is now likely that third parties who feel aggrieved that a particular CSP has not retained communications data will probably have to bring an action against the UK government under the Francovich principles rather than have a case against the individual CSP. Directives do not have direct effect and from a CSPs point of view, their statutory duty is what English law says it is. So, that's good news. Or is it?

Well, it depends on whether or not you generally agree with the right of third parties to access data retained for crime prevention and anti-terrorism purposes for their own commercial purposes in the first place. Quite a few respondents raised this issue in their submission. It seems that the CSPs are mainly concern that this may net them lots of Norwhich Pharmacal orders from the already prolific film and music industry. But those of us, who feel that the use of CSP data for the purpose of enforcing copyright has already gone far enough, the Home Office's response to this issue is worrying indeed. It merely states that the Home Office is working with the Ministry of Justice and the Interception of Communications Commissioner to provide guidance for the courts on how these cases should be handled, and that, separately, the government intends to provide more effective remedies for rights holders. So, unsurprisingly, the government is still refusng to consider other solutions to the problem of filesharing and illegal downloads.

Data to be retained
Many ISPs have pointed out that the majority of communications data to be retained relates to unsolicited marketing e-mails ("spam") that is filtered by CSPs and that in most cases is never delivered to the intended recipient. Excluding that data from the retention requirement (along the lines of the Directive's exclusion of data relating to unconnected telephone calls) could save the government millions of £££ but did common sense prevail? Did it heck!

Coming back to the mystery of the missing business case, the government was caught with a small amount of egg on its face, when it had to admit that the orginal draft Regulations had omitted a requirement of the Directive that statistics relating to the time elapsed between the date on which the data were retained and the date on which a lawful request for data was made should be collected. That sort of data is obviously essential for establishing whether or not a retention period of 12 months is actually necessary and, hence, proportionate under Art. 8 ECHR (other views that have been mooted include the suggestion that the police only needs a retention period of 12 months because it is so unorganised that it will need at least six months to actually make the request and that long retention periods are really there to cover incompetence and inefficieny. Matron prudently reserves judgment on that).

Apparently, the omission was an "oversight" and the necessary requirement has now been inserted in draft regulation 9, but as they say, just because you're paranoid, doesn't mean they're not after you.

Human rights considerations
But returning to the above mentioned duplicity of events, most notably of all the Home Office has indeed managed to dismiss any suggestions that the retention provisions may actually be disproportionate under Art. 8 ECHR, reasoning that respondents who made those suggestions largely focused on the proportionality of access to the retained data rather than its retention. However, access, the Home Office argues, is governed by RIPA not the Regulations, so arguments relating to disproportionality should be made in a RIPA context. Wait a minute! Isn't that what the ECJ just said?

It is, of course, complete baloney, particularly when you look at the recent judment by the European Court of Human Rights in S. and Marper v United Kingdom, where the court decided that the blanket and indiscriminate retention of DNA records by the UK government, regardless of whether the data subject was convicted of an offence after collection, failed to strike a fair balance between the competing public and private interests. The court concluded that the UK government had overstepped any acceptable margin of appreciation in this regard and it could be argued that similar considerations should apply in relation to the retention of personal data of millions of innocent individuals.

But leaving that aside for the moment, Matron continues to be worried about strategy. If both the UK government and the ECJ are trying to separate the retention of data from access to that data, it may really be time to take note. As Matron suggested before, data retention opponents, particularly in the UK, should start to seriously plan for a fight on two fronts, namely they should think about lodging actions for judicial review of both the Regulations (once they are in force) and the access provisions under RIPA.