- Created: 06 May 2014
By Stephen Gardner. Ooops! The British police face the loss of one of their favourite surveillance tools thanks to the European Union Court of Justice.
The court has declared (8 April 2014) the EU Data Retention Directive invalid on the basis that it grossly contravenes privacy rights.The directive was adopted in 2006 with the intention of tackling terrorism. Its formulation was influenced by the 2004 and 2005 terror attacks in Madrid and London, and then-home secretary Charles Clarke was a prime mover forcing it through. The directive requires telecoms and internet companies to keep records of their subscribers' communication activities for a minimum of six months, and to hand them over to police on request. There is no right to be informed for people whose data is accessed.
In implementing the directive in UK law, the British government decided to max out its provisions. It set a data retention period of one year, and gave many more bodies than just the police the right to access data – local councils can also do it, for example. The UK implementation also broadened the scope beyond terrorism and law enforcement, allowing data to be accessed “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department,” and for any other reason on a nod from the home secretary.
Coincidentally, on the same day as the EU court judgement, Sir Anthony May, the Interception of Communications Commissioner, published his annual report. This shows the extent to which it has become routine for the police to use the data access powers. In 2013, there were 514,608 access authorisations, though this was down from 570,135 in 2012, when police upped the surveillance effort because of the London Olympics.
Although data access requests are supposed to be targeted at specific individuals, about whom there are grounds for suspicion, 514,608 authorisations according to Sir Anthony “seems to me to be a very large number. It has the feel of being too many.” In the careful language of such reports, he adds that “it may be that criminal investigations generally are now conducted with such automatic resort to communications data” that the “necessary and proportionate” grounds on which access to data should be granted are being over-ridden.
Sir Anthony also notes a small number of cases in which access to retained data “resulted in police action relating to wrongly identified individuals,” including “instances [in which] warrants were executed at the homes of innocent account holders,” in particular because of confusion about Internet Protocol (IP) addresses.
And although local councils make relatively little use of the powers, residents of Birmingham, Bromley, Enfield and Southampton might like to know that they are the most surveilled, according to figures in Sir Anthony's report.
The EU court decision, although it cancels the EU directive, does not for now affect the UK law that implemented the directive. But it does leave it open to legal challenge, and it in effect requires the European Commission to come up with a new law to replace the Data Retention Directive with less intrusive provisions. What will the British police do when their easy, secret access to communications data is taken away?