5 Data retention |
5.1 Part 3 of the Bill amends the Data Retention
and Investigatory Powers Act 2014 ("the DRIP Act") to
enable the Secretary of State to require communications service
providers to retain the data that would allow relevant authorities
to identify the individual or the device that was using a particular
IP (internet protocol) address at any given time.
5.2 This Part of the Bill has been controversial
with NGOs in particular, some of which argue that these provisions
pre-empt the various reviews currently being conducted into the
adequacy of the current legal framework governing surveillance
and data retention, including the Regulation of Investigatory
Powers Act 2001. We have received submissions on this Part of
the Bill from Big Brother Watch, expressing concerns about the
timing of the Bill in light of the current reviews of surveillance
powers being undertaken, and about the adequacy of oversight and
5.3 The Independent Reviewer, however, considered
this part of the Bill as dealing with the easiest and least controversial
part of the draft Communications Data Bill that was published
in 2012, and being "in principle, a desirable power that
He regarded scrutiny of the clause as essentially a technical
matter for relevant experts to ensure that the wording of the
new power is limited to what is strictly required to provide the
power that is said to be missing. The Minister pointed out that
these provisions are time-limited, being subject to the same sunset
clause as the DRIP Act (that is, December 2016).
5.4 A draft Code of Practice was published by the
Government for public consultation on 9 December 2014.
In the limited time available to us to scrutinise the Bill, we
have not been able to scrutinise the draft Code and we do not
therefore comment in this Report on the adequacy of the safeguards
it contains against disproportionate interference with the right
to respect for privacy and for personal data. We draw to Parliament's
attention, however, our concern as to whether UK law as a whole,
including the Regulation of Investigatory Powers Act, the DRIP
Act, and all relevant Codes of Practice, satisfy all of the requirements
set out in the judgment of the Court of Justice of the European
Union ("CJEU") in the Digital Rights Ireland case. The
CJEU in that case held that indiscriminate or "blanket"
retention of communications data is incompatible with the right
to respect for privacy and the right to protection of personal
data, and compatibility with those rights depends on the adequacy
of all the relevant safeguards taken in the round.
5.5 The DRIP Act was enacted on a legislative timetable
which made it impossible for us to report on the Bill before it
had completed all of its stages in both Houses, but we wrote to
the Home Secretary on 16 July asking for a detailed memorandum
setting out in full the Government's analysis of precisely how
UK law satisfies, or will satisfy, each of the requirements set
out in the relevant parts of the CJEU's judgment.
The Home Secretary replied on 31 July with a "summary"
of the safeguards governing retention of and access to communications
data. The exchange of correspondence is available on our website.
We are grateful to the Home Secretary for her response, but we
note that her letter did not identify, as we had requested, in
relation to each of the requirements set out in the CJEU's judgment,
the precise provisions of RIPA, the DRIP Act, or the draft Data
Retention Regulations 2014 which satisfy the particular requirement.
5.6 We draw this correspondence to the attention
of both Houses as it is relevant to Parliament's consideration
of whether the UK's legal regime for the retention of communications
data, viewed in the round, and including the provisions of Part
3 of the Bill and the draft Codes of Practice, contains adequate
safeguards to prevent disproportionate interference with the right
to respect for privacy and personal data.
68 Clause 17. Back
Evidence of David Anderson QC, 26 November 2014, Q24 Back
James Brokenshire MP, 3 December 2014, Q33. Back
Retention of Communications Data Code of Practice-Addendum in
relation to the provisions contained in the Counter Terrorism
and Security Bill (9 December 2014) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/383403/Draft_Data_Retention_Code_of_Practice_-_IP_resolution_addendum_-_for_pub....pdf
C-293/12 (8 April 2014), paragraphs 54 to 68 of the judgment. Back