A year after the Data Retention and Investigatory Powers Act 2014 (DRIPA) was rushed through to plug the gap left by the ‘Digital Rights Ireland’ case, it has been ruled invalid.
DRIPA allows the Home Secretary to issue retention notices requiring communications service providers (telecoms companies, ISPs, mobile operators, etc.) to retain information in bulk about communications traffic. Controversial at the time, DRIPA was immediately challenged on human rights grounds by MPs Tom Watson and David Davis. They argued that the law tipped the balance too far in the direction of those tackling terrorism and organised crime, at the expense of an individual’s right to privacy.
DRIPA includes a “sunset clause”, under which it was automatically scheduled to expire on 31 December 2016. But now the key provision of the act has been ruled unlawful, because:
"a) it does not lay down clear and precise rules providing for access to and use of communications data retained pursuant to a retention notice to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences; and
b) access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued."
The court ordered that the law should fall away, but allowed the government until 31 March 2016 so that the gap can be plugged (again). It will be challenging for the government to find a solution that complies with the court's ruling but still meets the perceived needs of the security services. Meanwhile, service providers must still comply with Home Office retention notices.
The UK government obtained leave to appeal.