UK High Court Rules that UK Data Retention and Investigation Legislation is Inconsistent with EU Law

On July 17, 2015, the High Court of Justice for England and Wales ruled that the UK Data Retention and Investigatory Powers Act 2014 (DRIPA) is inconsistent with European Union law. DRIPA governs the retention of communication data by service providers and the circumstances under which law enforcement agencies can gain access to such data.

The decision in Davis, R (on the application of) v Secretary of State for the Home Department, [2015] EWHC Admin 2092, is likely to be of broad interest, given the international controversy surrounding the collection and use of communications data by state agencies. “Communications data” (sometimes called “metadata”) includes information about a particular communication – e.g., the location of the sender or recipient, and the time at which the communication was made – but not the specific contents of the communication itself.

The High Court clarified that data retention legislation pertaining to the retention of and access to communications data must adhere to the following requirements if it is to be consistent with the Charter of Fundamental Rights of the EU, as expounded in a prior decision by the CJEU:

a)      The legislation must lay down clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards sufficient to protect against abuse of and unlawful access to an individual’s data;

b)     The legislation must expressly provide that access to and use of the data is strictly restricted to the purpose of preventing and detecting “precisely defined serious offences or of conducting criminal prosecutions relating to such offences”; and

c)      “Above all”, access by the competent national authority to the data retained must depend on a prior review by a court or independent administrative body, whose decision seeks to limit access to and use of the data to what is strictly necessary for the purpose of attaining the desired objective, and which intervenes following a reasoned request of those authorities.

The Court found that DRIPA is inconsistent with both b) and c), as access to communications data granted under DRIPA retention orders is not strictly restricted to the purpose of preventing, detecting or prosecuting precisely defined criminal offences, nor is such access dependent on prior review by a court or independent administrative body.

The Court suspended its disapplication of the law until March 31, 2016, in order to give Parliament time to pass legislation that is compliant with EU law. The Home Office has indicated that it intends to appeal the decision.

This ruling takes place within the context of international controversy concerning the use of communications data for law enforcement and national defence purposes. On June 2, 2015, US Congress passed the USA FREEDOM ACT, which placed restrictions and oversight on the National Security Agency’s surveillance powers (see commentary here).

In Canada, the data retention and disclosure practices of major telecom companies remain unclear. An open letter sent by academics and civil liberties groups to sixteen major Canadian telecom companies about their data retention and disclosure policies generated little in the way of substantive responses (see summary here). In the past decade, Parliament has considered three separate bills that would clarify the rules on lawful access to customer information in the possession of telecom service providers, but none of these bills were passed (more information here).