We reported in April on the decison of the European court that the 2006 Data Retention Directive was invalid. Since then, little has been said about what the EU plans to do in order to fill the gap, and there have been reports of telecoms and internet companies planning to start deleting communications data. The problem has been raised at EU council level, but finding agreement on a way forward among the 28 EU states will not provide a quick solution.
Now the UK government has said that it will introduce emergency legislation to fill the gap. It hopes that its Data Retention and Investigation Powers Bill, which has cross-party support, will become law in a matter of days.
Getting the legislation right will be tricky. It will have to do enough to meet the government’s security needs, while taking account of the European court’s reasons for striking down the directive. These were wide-ranging.
The court said that to justify such an extensive interference with individuals’ rights would require rules that are specific and adapted to the quantity of data retained, the sensitive nature of the data and the risk of unlawful access. There would need to be a high level of protection and security, and irreversible destruction of the data at the end of the retention period. And retention should be confined within the boundaries of the EU.
Any discrepancies between the UK’s planned approach and the European court’s strict ruling are likely to be challenged by privacy campaigners.
The new law, if passed as planned, will only last until the end of 2016. It is intended to plug a gap while a wider public debate takes place. It will be the job of the next government to introduce a replacement at that point.