I have just read the Explanatory Notes and the clauses in “The Data Retention and Investigatory Powers (DRIP) Bill” which is being rushed through Parliament this week.
According to Ministers, the Bill is primarily to allow the national security agencies and the police continued access to communications data and the content of communications because the European Court of Justice struck out the Data Retention Directive (on the grounds that the Directive provisions facilitated mass indiscriminate surveillance).
According to Ministers, the Bill is needed because terrorists, peados, mafia members and other purveyors of human nastiness will get away with it if the legislation is not rushed through.
However, the Bill is not just about the above. In its 6 pages and 6 clauses contains only Clause 1 is about data retention; most of the Bill concerns warrants signed in relation to interception and a definition which provides wider access to communications data on the Internet. There has been little publicity about the other clauses and the extension of surveillance.
An alternative emergency?
The Notes to the Bill in relation to “Clause 4: Extra-territoriality in Part 1 of RIPA” contains a surprise. It states that “This clause clarifies certain provisions of Chapter 1 of Part 1 of RIPA to put beyond doubt that those provisions have extra-territorial effect” (my emphasis).
In other words, the Notes infer that there are now doubts as to whether GCHQ etc have acted lawfully (and give the length of this clause, these doubts are not insignificant).
So what are these doubts? This has yet to be explained; however, in Parliament, when the Snowden revelations first surfaced, Foreign Secretary Hague stated that the accusation that GCHQ acted unlawfully was “baseless”. He said:
“The signing of a warrant is not a casual process. "Every decision is based on extensive legal and policy advice. Warrants are legally required to be necessary, proportionate and carefully targeted, and we judge them on that basis"...
"....It has been suggested that GCHQ uses our partnership with the United States to get around UK law, obtaining information that it cannot legally obtain in the United Kingdom. I wish to be absolutely clear that that accusation is baseless". (My emphasis; Hansard 10 Jun 2013: Columns 32 and 33)
The above absolute statements of lawful certainty on the part of GCHQ sit uncomfortably with the comment in the Notes that there is a need to put “beyond doubt” that RIPA has extra-territorial effect.
So is there an alternative explanation for this haste? This week, the Investigatory Powers Tribunal will be sitting in the Royal Courts of Justice in order to hear cases brought against the intelligence agencies in respect of alleged interception activity involving UK and US access to communications. The complainants are Liberty, Privacy International, Amnesty International and seven overseas human rights groups.
As part of the process, both sides exchange legal arguments; this was done some weeks ago. In other words, the Government having seen these legal arguments might have decided that emergency legislation is needed, not because of jihadists and other undesirables, but because it might lose the litigation.
I don't know whether this is the correct motivation - but pre-empting a loss in the Courts certainly fits the facts.
The Data Protection aspects
Confidence in Ministerial pronouncements on the Bill is not enhanced by the comments lurking at the back of the Explanatory Notes to the Bill under the heading “Privacy Impact Statements”. Paragraph 86 states:
“In relation to data retention, in addressing the ECJ’s concerns, where possible, the new legislation will go even further in safeguarding privacy. It is assessed that implementation of the proposed legislation is capable of being fully compliant with the Data Protection Principles and the Data Protection Act 1998. (my emphasis).
Evidently there is a Privacy Impact Assessment which underpins this statement although the PIA itself remains unpublished. [Note added later: these are now published - see references].
As readers know that there is an exemption for safeguarding the national security purpose in the Data Protection Act. This exemption states that “Personal data are exempt from any of the provisions of:
(a) the data protection principles,
(b) Parts II, III and V, and
(c) sections 54A and 55".
Part II is all the rights, Part III is notification and Part V is enforcement; section 54A is the ability of the Commissioner to inspect personal data from the Schengen information system, the Europol information system, and the Customs information system and section 55 is the data protection offence. In other words, all the important provisions in the Data Protection Act (DPA) are set aside for our national security friends.
Note that the exemption from the First Principle can be absolute. Thus, as far as the DPA is concerned, if the exemption is for the purpose of safeguarding national security there is no need for the national security agencies to consider “lawfulness” or that the processing is necessary for the legitimate functions of national security agencies.
Indeed such personal data can be disclosed to anyone for any purpose irrespective of compatability and absurdly in my view, there is no obligation under the DPA, to keep the personal data secure.
In other words, the exemption for safeguarding national security is more or less total and the Data Protection Act has no role to play; yet the claim in the Explanatory Notes is that this position is “fully compliant with the Data Protection Principles and the Data Protection Act 1998”.
When communications data are disclosed by a telecommunications operator to the national security agencies, that disclosure is exempt from the non-disclosure provisions (in section 35(1) of the DPA).
In the context of the telecommunications operator making a disclosure, this exemption disapplies:
(a) the first data protection principle except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,
(b) the second, third, fourth and fifth data protection principles, and
(c) sections 10 and 14(1) to (3).
Note that the exemption from the First Principle includes “lawfulness”; in other words, a disclosure could be “unlawful” but that might won’t breach the Data Protection Principle. The impact of other Principles identified in the exemption, as can be seen, can be totally negated.
But don’t worry, the Explanatory Notes tells us that such disclosures can be “fully compliant with the Data Protection Principles and the Data Protection Act 1998”.
The Notes are totally misleading because what happens in practice is the complete opposite of what is suggested by these Notes.
Namely, in the context of national security the emergency legislation provides for the processing of personal data that can be “fully exempt from the Data Protection Principles and there is no need to consider the Data Protection Act 1998”.
A copy of the Data Retention and Investigatory Powers Bill, Notes, Impact Assessments and draft Regulations are on https://www.gov.uk/government/publications/the-data-retention-and-investigatory-powers-bill