UK data law is good news for Ireland’s tech sector

Privacy advocates Digital Rights Ireland succeeded in challenging Irish data retention laws

When, earlier this year, the European Court of Justice threw out the EU’s data retention directive on the grounds that it was not fit for purpose and grossly disproportionate to needs – in effect, imposing surveillance on the entire European population without justification – the UK had a problem.

Since its enactment in 2006, the directive had required European telecommunications and internet companies to retain customers’ communications data for what have now been deemed excessive periods, without adequate safeguards or oversight.

The judgment that rejected the directive was largely the result of the constitutional challenge on data retention, taken against the Irish Government by privacy advocates Digital Rights Ireland (DRI). The case was referred to the European Court of Justice by Ireland’s High Court.

Unlike other EU states, though, the British government had never bothered to bring in a law based on the directive. British data retention law instead has existed on the basis of a ministerial order that directly transposed the directive.


Thus, once the court declared in strong terms that the existing directive was unlawful, Britain’s legislation ceased to have any legal basis because it was, in essence, only the directive and nothing but the directive.

Other EU states had brought in, or modified, specific national data retention laws, which transposed the directive but also had distinct national elements. All of these national laws, including Ireland’s, can now be challenged within national courts on the grounds they are largely based on an unlawful directive.

That’s exactly what DRI, represented by McGarr Solicitors, will carry on doing in the High Court. But whatever headaches this creates for the Irish Government, they pale compared to Britain’s conundrum.

The UK has no grounds on which to retain data, a serious problem for law enforcement which has no proper legal basis to ask for call data held by telecommunications operators, even within the six months allowed by data protection laws.

Meanwhile, a year of revelations from Edward Snowden about the mass data-gathering activities of the UK's secretive spy agency GCHQ – which made many of the National Security Agency's actions seem moderate – hangs as a grotesque background to the UK proposals. The British government has utterly failed to respond to, or open any sort of public conversation about, GCHQ's activities. Its stance has consistently been that it has total confidence in GCHQ and the adequacy of oversight of its activities.

Unwarranted surveillance

Contrast this to the response in the US to Snowden’s revelations about the NSA. One can argue the steps taken to address the agency’s overreach remain woefully inadequate, but at least the appalling level of invasive and unwarranted surveillance on the general population has been acknowledged at the highest – presidential – level, and become part of national debate. But it gets worse.

In the UK, four months after the European Court of Justice decision – whose basic elements were clearly signalled in the court’s advocate general’s opinion eight months ago – the British government suddenly announced new “emergency” data-retention legislation, passed in the Commons on Tuesday, to be imposed without any normal parliamentary, much less public, debate.

That’s on the basis that, after all these months of knowing it had to bring in legislation, and knowing for a couple of years that the court case was in the pipeline, there isn’t time.

The provisions of this emergency legislation clearly violate in nearly every way possible the basic findings of the European Court of Justice that caused the original directive to be declared unlawful: excessive periods of unjustified retention with little oversight.

In addition, the proposed legislation, which is to last until 2016, would allow the UK government to impose sanctions on foreign companies operating in the UK which refuse to hand over data on request.

Well, that provision will certainly help the UK in its goal to become a powerhouse location for technology and internet companies, won’t it? David Cameron might as well hang out a shingle on the UK’s door that says “Go Away”.

The proposals would seem to violate EU fair trade law, too, imposing potentially costly data-retention and management requirements on other EU companies wanting to do business in the UK. And there are existing EU and international laws for properly exchanging data for law enforcement reasons (a factor in the European Court of Justice decision).

It’s hard to understand where the UK government thinks it is going with all of this, or how it can succeed in passing such legislation while remaining part of the EU.

On the plus side for Ireland, the own-goal stupidity and legal dubiousness of such legislation, set alongside ongoing uncertainty as to whether the UK will remain in the EU, certainly gives Ireland a significant competitive advantage.

Whatever about the data privacy and protection implications in Britain, there cannot be many technology companies that would consider the UK a stable, tech-friendly business environment now.