The UK’s controversial stop-gap legislation, the Data Retention and Investigatory Powers Act 2014, has been fast-tracked through the parliamentary process and became law on 17 July.
After the European court’s strike-down of the directive that required EU states to collect communications data, discussed in our earlier posts here and here, the British government became concerned that data would no longer be retained undermining its ability to track criminal and particularly terrorist activity.
Now emergency legislation has been rushed through to plug the gap.
The new law allows the Home Secretary to serve a retention notice on any provider of telecoms and internet communications services to UK customers, requiring them to retain specified classes of data for up to 12 months. The data concerned deal with the ‘who, when, where and how’ of communications, including unsuccessful contact attempts, but not their content. It extends to communications service providers based outside of the UK, if their services are provided within the country.
Changes are also made to RIPA 2000, the law that controls how the authorities can access and use such data. These address arrangements for serving interception warrants on communications providers outside the UK. An interception warrant can be served on any business premises within the UK, for example, if the communications provider has no UK head office.
The obligations on reporting to parliament are changed to require a 6 monthly instead of an annual report. An independent reviewer will be appointed to review the operation of the system and consider security threats, privacy safeguards, advances to technology and the effectiveness and proportionality of the legislation.
The government’s announcement emphasises the usefulness of data access in child abuse and murder cases; collection of data in these contexts is more likely to meet with public acceptance. But a major part of the interception activity will no doubt be aimed at terrorism. The independent review system may go some way towards meeting the concerns of the European court about the old directive, although privacy campaigners have been vocal in their opposition to the new law.
In any event, a sunset clause means that the Act will expire at the end of 2016. The efforts of the privacy lobby may be better spent in shaping its replacement rather than attacking this interim law.