Internet Regulation and Management from Peter Milford Associates
  • Contents - 89

    Posted on March 31st, 2009 pmilford No comments

    Just a week ago (24th March to be exact) the House of Lords had their chance to debate the Draft Data Retention Regulations. Lord West moved that the Draft Regulations be approved - but Baroness Neville-Jones introduced an amendment which provided the opportunity for some interesting debate and comment.

    The noble Baroness attempted to insert a clause into the motion to approve the regulations, “but notes with regret the intrusions into privacy that would result from their implementation, in that the regulations substantially extend the range of communications data that must be collected to include information on personal e-mails and internet activity, and that the regulations allow hundreds of different public bodies access to information on personal e-mails and internet activity; and therefore calls upon the Government to withdraw the regulations, and to introduce primary legislation on the retention of communications data that will enable detailed parliamentary scrutiny of such proposals.”

    A full transcript of the Lords discussion can be found in Hansard. The transcript is worth reading - but there are some particular comments by Baroness Neville-Jones, by Baroness Miller and by the Earl of Northesk that show that their noble Lordships are well informed and knowledgeable on the subject of technical intervention, data protection and privacy. Perhaps more so than some in another place!

    Lord West (Parliamentary Under Secretary of State, Home Office) gave the by now fairly standard government position - use of data for serious crime (referring to the Soham murders etc.), importance for anti-terrorism investigations etc. and noted that the new regulations would introduce notice to service providers, reimbursement of costs (the UK is the only member state to have provided this) and the setting up of an implementation group to oversee provisions.

    Introducing her amendment, Baroness Neville-Jones posed a number of questions. She made it clear that there was no opposition to the need to obtain data to prevent serious crime (quite right, I have no objections to that) but that there were questions relating to access (RIPA) and to the relationship with the Intercept Modernisation Programme.

    Firstly, “The instrument could very well be extended to cover a much wider range of communications than those outlined by the Minister…. the truth is that it is very difficult with internet communications to separate the content from the who, what, where, when and how.”

    Secondly, “On the instrument’s relationship with RIPA, as it stands that Act has abusively wide scope which will certainly extend the use of communications data of this kind to many other different bodies for many reasons, some of them very trivial.”

    Thirdly, “Setting all this in the context of the interception modernisation programme that the Minister mentioned, it is not at all clear to this side of the House how this regulation fits into this programme. We fear that we are moving on auto pilot to a stage where there is no longer a meaningful distinction between content and communications data, and one which may well involve a huge centralisation of data by Government.”

    The noble Baroness pointed out that differentiating between traffic and content data was quite easy in relation to telephone calls, not so for Internet traffic. Guidance would be forthcoming but only after the regulations became effective - suggested as rather putting the cart before the horse! The Earl of Northesk noted, “my noble friend’s excellent and devastating critique” before continuing “it is a source of regret to me that the Government’s justifications for their data retention policy—and, it has to be said, various other IT fields—seem to be riddled with intellectual and technological vacuity.” You do get a better class of comment in the Lords! The real point that the Earl was making was that whilst it is possible for investigators “to generate whole life profiles on individuals who may be engaged in terrorist or criminal activities” it is equally possible to use globally retained data to build “detailed whole-of-life profiles of every single citizen in a member state ….. The stark reality is that, on the Government’s own admission, the communications data on their own are more than adequate to define the individual and the minutiae of his or her life.”

    When the Minister (Lord West) replied he was to make an interesting comment. At various times the industry had queried the retention of data relating to junk mail or SPAM. Now, spam accounts for some 94% of the mail going through a typical ISP’s servers on a daily basis and is often filtered and deleted without being delivered. As such it is in much the same position as ‘unconnected calls’ as cited within the Directive. There is no requirement to retain data about unconnected calls - if you apply the logic then there should not be any requirement to retain data about spam with a substantial impact on the storage capacity for retained email data. There is no provision within the Directive nor within the Regulations to exempt spam. Yet, in responding, Lord West said, “spam is not retained. ISPs already deal with spam and are able to tell the difference between that and other data.” There is a clear indication here by the Minister that there is no need to retain data relating to spam mail. As a statement by the Minister in Parliament it must be assumed that this may be cited as precedent and indicating the will of Parliament in a case before the Courts.

    Baroness Neville-Jones has some experience of the European process (Deputy to Commissioner Tugendhat) and noted that it was unlikely that the Govt. would face legal proceedings if they failed to transpose within the deadline set by the Directive. Of course, discussions in both Commons and Lords were already beyond the deadline so there was already a failure to meet the precise requirement. “I am not impressed by the notion that we have to pass this piece of legislation now in order to avoid infringement proceedings. Given the importance of the matters we are scrutinising, I repeat that I beg the Government to withdraw these regulations and produce at the earliest opportunity proper, primary legislation on communications data.”

    So, the motion was put before the House. The Lords divided and the result was a much closer thing than the Govt. may have wished. 89 voted ‘Content’ (ie for the amendment) with 93 ‘Not Content’. Interestingly, 182 Lords present in the House to vote - in the Commons the vote in committee was just 8 ‘Ayes’ and 6 ‘Noes’ - a total of 14. Don’t you just love those Lords!

    Back again to the decision by the Administrative Court in Wiesbaden, Federal Republic of Germany: “data retention violates the fundamental right to privacy. It is not necessary in a democratic society. The individual does not provoke the interference but can be intimidated by the risks of abuse and the feeling of being under surveillance … The directive [on data retention] does not respect the principle of proportionality guaranteed in Article 8 ECHR, which is why it is invalid”.

    The German situation is now to be reviewed by the European Courts - taking that as a starting point, Baroness Neville-Jones put down a question for the Government to answer, “To ask Her Majesty’s Government whether the bringing into force of the Data Retention (EC Directive) Regulations 2009 will be delayed until the European Court of Justice rules in respect of the conformity of the data retention directive with the European Convention on Human Rights in the case brought before it by the German Working Group on Data Retention.”

    Somehow I think the answer from HMG will just be, No! The answer from the ECJ will be much more interesting and, if it follows the precedent of the DNA database in S and Marper v United Kingdom, may well be that the provisions of the Directive are indeed not compliant with Article 8 and the right to privacy. May we live in interesting times.

    One final comment from the Lords debate. Lord Willoughby de Broke noted, “The final sentence of the amendment calls upon the Government to, ‘withdraw the Regulations, and to introduce primary legislation on the retention of communications’, and so on. Does that mean amending the regulations or withdrawing them, and would that be acceptable to the real Government in this case—the unelected and unsackable Government in Brussels?” ……..[my italics]

    A better standard of debate than in the other place? Yes, it would seem so. Perhaps the noble Lords are less inclined to worry about claiming for kitchen sinks and bath plugs and second homes. All they can claim is an allowance to pay for meals, hotels, taxis and other expenses associated with their roles. Peers’ expenses in 2006 totalled some £17Million - in 2007, 646 MPs claimed £93Million.

  • Next target - social networking

    Posted on March 25th, 2009 pmilford No comments

    When the Minister of State at the Home Office with responsibility for Policing, Vernon Coaker, introduced the Draft Data Retention Regulations before the Delegated Legislation Committee, he was asked whether the regulations would apply to Social Networking sites such as Facebook, Bebo etc. The Minister’s reply was that they would not. There is no provision within the underlying European Directive for such and to introduce within the Regulations would be seen as a clear example of ‘gold plating.’ Not that the UK has been shy of such provisions in the past of course. Social networking sites fall within the description of Information Society services and outside the obligations on public electronic communications services and public communications networks as provided for within Art. 2 of the Directive.

    Members of the committee noted that there was some, possibly anecdotal, evidence of criminal usage of social networking. Now there’s a surprise! And criminals use the telephone, write letters, send texts and actually talk to each other.

    Now it seems that Ministers are looking to close what they perceive as a gap. Vernon Coaker said, “Social networking sites, such as MySpace or Bebo, are not covered by the directive. That is one reason why the Government are looking at what we should do about the intercept modernisation programme because there are certain aspects of communications which are not covered by the directive.” To introduce retention for social networking will require inclusion within primary legislation - and that may well be within the Communications Data Bill as it eventually appears. That was initially trailed within the Draft Legislative Programme but was dropped in the face of mounting criticism. Dropped then but, of course, not forgotten by one of the most authoritarian governments we have ever seen. We do now anticipate ‘consultation’ on the Communications Data proposals in the near future and it is now likely that there will be elements to extend the provisions of the Data Retention Directive. The key areas will be the introduction of primary legislation to underpin the Intercept Modernisation Programme (IMP) and the likely ‘discussion’ of the ‘benefits’ of incorporating all traffic data within a single national database. Watch the Ministerial announcements over the next few weeks!

    The single database has already been roundly criticised by privacy campaigners and by the Information Commissioner. Not that any of this is likely to deflect ministerial opinion from the ‘benefits’ of accessing data in the ‘fight’ against terrorism. That may just be acceptable for many of the population but it is the provision of access to hundreds of national and local governmental bodies and organisations that worries the majority. Once you have a single point of access to combined data relating to phone calls, email traffic, internet access, use of social networking etc. you can build a profile. That profile could then be accessible to a very broad range of ‘officials’ and, as commented by Isabella Sankey at Liberty, “would turn millions of innocent Britons into permanent suspects.”

    When the Iron Curtain collapsed in 1989 the profiles collected by the East German Stasi were uncovered - not only collected on their own population but also on others. No surprises then that Germans and other Eastern Europeans have a marked reluctance to return to this kind of retention.

    Watch the announcements - they will all focus on terrorism. The actuality will be access for ‘serious crime’ - and the definition of what may be considered as serious crime will be rather wide. Dog fouling is a matter of public health - and thereby potentially a serious crime. Enter all those Winston Smiths in public offices across the land.

    Back to the Minister, “It is absolutely right to point out the difficulty of ensuring that we maintain a capability and a capacity to deal with crime and issues of national security, and where that butts up against issues of privacy.”

    Yes Mr Coaker, we need to look at where national security butts up against privacy. There are already provisions that allow monitoring - but a single centralised database accessible by a wide range of ‘officials’ remains a step too far.

  • Austria takes a step forward…….

    Posted on March 19th, 2009 pmilford No comments

    Now that the ECJ has handed down its judgement in the case brought by the Govt.’s of Ireland and Slovakia against the Data Retention Directive (ECJ rejected the challenge), the Govt. of Austria has now, reluctantly, decided to move forward with transposition of the Directive.

    Austria has, for perfectly understandable historic reasons, considerable misgivings over retention and has dragged its feet so far, despite being faced with infraction proceedings and requests from the Commission to explain its failure to transpose Phase I. The Austrian Govt. has now asked the Ludwig Boltzmann Institute for Human Rights in Vienna to look at drafting new law to comply. Interestingly the Austrians have said that they understand that the Directive raises Human Rights issues and that they will look very carefully into possible consequences of legislation that may conflict with rights under the European Convention on Human Rights. They may well now want to consider the judgement in S and Marper v the UK Govt. on the implementation of the DNA database……

    Note:
    The first German court has found that retention is in conflict with human rights. The Administrative Court of Wiesbaden has stated, ‘The court is of the opinion that data retention violates the fundamental right to privacy. It is not necessary in a democratic society. The individual does not provoke the interference but can be intimidated by the risks of abuse and the feeling of being under surveillance …. The directive does not respect the principle of proportionality guaranteed in Article 8 ECHR, which is why it is invalid.’ This is just one step in Germany but it is a significant step. The Constitutional Court has yet to rule on retention but it is clear that there is a considerable public concern. And the Germans have the same reasons for concern as the Austrians.

  • day +1

    Posted on March 19th, 2009 pmilford No comments

    Well, the deadline date of 15th March as set out within Directive 2006/24/EC came and went. This was the deadline for national transposition of phase II of the Directive, for transposition of those parts of the Directive relating to the retention of Internet access data, where Member States had not transposed as a single legislative procedure in September 2007.

    A day after the deadline, the 4th Delegated Legislation Committee met in the House of Commons to consider the Draft Data Retention (EC Directive) Regulations 2009. The meeting did last just over an hour - from 4.30pm to 5.32pm and a full transcript can be found in Hansard. If you want to hear the audio playback of the discussions click here.

    There was some useful discussion and it is clear that there is concern amongst some members about the proportionality of the measures - and of the linkage with the Regulation of Investigatory Powers Act 2000 provisions which have become rather disreputable through the actions of some local authorities using RIPA to ‘snoop’ on parents sending their children to school and persons allowing their dogs to foul - there is a reference in the Committee deliberations to the ‘dustbin STASI’.

    Interesting to note that the Minister was specifically asked whether or not the regulations would apply to social networking sites such as Facebook and instant messaging etc. His reply was that they would not. The Member for Carshalton and Wallington noted that there was some evidence of French drugs dealers using social networking for communications as they were aware that there was no provision for the retention of data on these sites. There is no provision within the Directive for retention of data from the social networking sites and for instant messaging - and, arguably not for Skype phone calls either as it seems that the transfer process involves a peer to peer network and a distributed database. But, the Minister makes it clear that work in this area will fall within the remit of discussions relating to the Intercept Modernisation Programme (IMP).

    Interesting points here. When the UK Govt. announced its draft legislative programme in mid 2008 it included a Communications Data Bill - the provisions of which were trailed to include transposition of the Data Retention Directive and incorporation of measures to enable IMP. There was an outcry - and considerable comment against the proposal in the press. When the Parliamentary session was opened and the Queen read her (Govt.’s) speech the Communications Data Bill was noticeable by its absence. The Home Secretary appeared to be rapidly backtracking in the face of the opposition and there now appears to be a new consultation to take place before any more action in this area. That consultation is likely to include review of RIPA in the light of the ‘dustbin STASI’ experience. Seems that Govt. may just have gotten a part of the message that the public are not ready or minded to accept large scale centralised databases. Of course, the public have a perception, not altogether unwarranted, that the Govt. has a poor reputation in relation to large scale IT based projects or to the keeping of private data private.

    And now we have a further back track with the retreat from the shared public database with personal data - after severe and very careful criticism from leaders of the medical profession.

    Back to retention. The Minister, ex Deputy Head Teacher Mr Vernon Coaker, did not get an easy ride - indeed was quite hauled over the coals in relation to RIPA protection (who can access the retained data), costs, timescales etc. Interesting to note that another Govt. MP was talking about the possibility of extending the retention provisions to 24 months!

    After consideration of the draft regulations the final division saw 8 Ayes and 6 Noes - a closer result than may normally be expected for the transposition of European legislation. The discussion now moves on to the Lords before being finally laid before the full House.

  • 2 days to the EU deadline

    Posted on March 13th, 2009 pmilford No comments

    Friday 13th (according to a stress management assessment, some 17 million persons in the USA are affected by a fear of this day!) and just 2 days to go until the deadline within Directive 2006/24/EC for transposition of Phase II of Data Retention.

    Back in February, the Home Office published its response to the consultation - the consultation paper was published in August 2008 with consultation responses required by end of October. Well, the response was different and there were some changes, some quite considerable, in the updated draft regulations included with the February consultation response. The Draft Regulations - available online - indicate an implementation date of 6th April 2009. So far there is no mention of Parliamentary scrutiny within upcoming Parliamentary timetables so one has to wonder whether or not the Home Office will meet the implementation date.

    As these regulations are secondary instruments (under the European Communities Act 1972) they can be fast-tracked through the Westminster procedures - nodded through in committee discussion within both houses. But they must still go through that and there are some waiting to put down questions to Her Majesty’s Government before they get to signature by the relevant Minister.

    OK - so what is different? The new regulations have been structured differently - the actual retention requirements are now included within a 3 part Schedule - part 1 relating to fixed line communications, part 2 to mobile communications and part 3 to Internet access, Internet email and Internet telephony.

    The interesting part is that Clause 10 now indicates that Communications Service Providers (CSPs) will only need to retain data if they are in receipt of a notification by the Secretary of State. This is a result of discussions over the implementation of Recital 13 of the Directive - the part that allows for data to be retained only once - recognising the inefficiencies and potential costs of retaining the same data in multiple provider locations. We may expect notifications to be given to upstream and wholesale access providers (BT Wholesale etc.) in relation to broadband provisions and to individual CSPs in relation to customer account details (and, presumably, email accounts where these are managed and maintained by the individual CSPs).

    If notifications are going to be given then the Home Office must first identify to whom they should be sent. I cannot see that being done between now and 6th April. There may only be 6 large providers accounting for 90% of the domestic broadband marketplace but there are a very large number of small and niche providers accounting for the remaining 10% and for the business marketplace. There will still be confusion as to who is expected to retain and what and I do not see this as being resolved anytime soon.

    The original Directive provides for the Commission to review provisions in 2010. At the rate we are going I would not expect too much data to be retained by then!

    The Draft Regulations provide for a blanket retention period of 12 months. Now, 12 months was the period for telephone data under the initial phase and also under the voluntary code of conduct introduced by the Anti Terrorism Crime and Society Act 2001 (ACTS 2001). But, the voluntary code only provided for a 6 month retention for Internet data and the information provided as part of the business case within the consultation documents is not convincing on the need for an extension from 6 to 12 months. There is provision in the Directive for retention between 6 and 24 months and clear possibility for the UK Govt. to differentiate between telephone and Internet data. Responses from ISPs suggest that the majority of requests for access to Internet communications data is for access to data below the 6 month time period. It does look as if the Govt. is (unwittingly?) setting itself up for a challenge over proportionate response under Article 8 of the European Convention on Human Rights (right to privacy).

    So, it remains to be seen. Will the Regulations be in place for the implementation date of 6th April? Not far away now. What will be the reaction of the Commission if the UK Govt. fails to meet the deadline of 15th March for transposition? Will Brussels commence infraction proceedings?

  • Putting us on the map!

    Posted on March 9th, 2009 pmilford No comments

    Ah ha, it seems we are about to be put on the map - well the Google Street View version that is.

    Spotted a camera car in the New Forest today - driving up and around all roads in the village. Wonder how long it will take to get online and will I be onscreen there with my camera ;-)

    Google Maps Street View recording car

    and just to show who it was…..

    Google Maps Street View recording car

  • UK loses DNA case at ECHR

    Posted on March 9th, 2009 pmilford 1 comment

    The UK policy of taking and retaining DNA samples from persons arrested in the course of criminal investigation has long raised concerns, particularly as the UK policy required that the DNA data was retained even if the donor was later discharged (‘de-arrested’) without any case being taken forward or was acquitted of any charge. As a result, a number of entirely innocent persons found that their personal DNA was stored on the national database alongside that of convicted criminals.

    This policy was challenged by two persons following retention of DNA data by the South Yorkshire police - one an 11 year old arrested for attempted robbery and later acquitted and the other, a Mr Michael Marper, arrested for a domestic incident with charges dropped when the couple became reconciled. Although there were no charges in the latter case, and the boy (referred to only as ‘S’) was acquitted, the police refused to remove their data from the national database. Policy indicates that the building up of a comprehensive national database allows law enforcement to trace suspects in serious cases (murder, rape etc.) by matching samples taken at the scene with samples in the database.

    The Chief Constable of a local/regional force does have the power to remove data from the database. This was upheld by Sedley LJ in the Court of Appeal, who ‘considered that the power of a Chief Constable to destroy data which he would ordinarily retain had to be exercised in every case, however rare such cases might be, where he or she was satisfied on conscientious consideration that the individual was free of any taint of suspicion.’ Unfortunately Sedley LJ was the dissenting voice and the Appeal was lost, although referred to Europe. The Home Office gave evidence to the appeal that there was a 40% chance of matching a sample taken from a crime-scene with data in the national database and that there were some 6000 instances where a crime scene sample matched data that would have been removed under previous policy of not retaining data relating to persons not convicted. Of course, by retaining data under the policy, the national database is expanding at a rapid rate and is now the largest such database in the world. A significant number of samples and profiles retained relate to persons never convicted of any crime and now immediately suspected in a profile search. Rather turning around the innocent until proven guilty to guilty (by association) until proven innocent. Umm, that is the European approach is it not?

    In its judgement report, the Court said that, ‘The Court must consider whether the permanent retention of fingerprint and DNA data of all suspected but unconvicted people is based on relevant and sufficient reasons.’ It recognised that the power to retain data relating to unconvicted persons had only existed in England and Wales since 2001 and that the UK Govt. argued that this power was indispensable in the fight against crime. The application brought by ‘S’ and Michael Marper argued that the Govt. statistics used to support the use of retained data were misleading and did not reveal the number of convictions brought about through access to data from unconvicted persons. The Court noted that, “The Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society.”

    The Court ordered that the applicants’ costs should be paid by the Govt.

    There is now a body of European case law relating to infringements of Art. 8 ECHR. In Burghartz v Switzerland it was held that, beyond a person’s name, his or her private and family life may include other means of personal identification and of linking to a family. In Leander v Sweden (1987) it was held that the mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Art. 8 and that the subsequent use of stored information has no bearing on that finding, Amann v Switzerland (2000).

    The judgement is really quite trenchant and one wonders what part of, ‘the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society.’ the UK Govt. will fail to understand.

    It might seem that all of it is the answer. There are now political moves to make changes to the enabling law to allow future changes to the DNA retention rules to be passed under secondary legislation (Statutory Instruments, Regulations) rather than requiring the full Parliamentary scrutiny of an Act of Parliament. This is dangerous, allowing changes to fundamental rights to privacy to be passed through without the need for full discussion (and thereby challenge).

    The European Court has delivered a strong message to the UK Govt. with this decision. Will the Govt. now take notice and introduce changes to the policy on retention and require removal of all data and samples relating to unconvicted persons? I would say ‘watch this space’ but have a feeling that you might be watching for a very long time.

    Update: Home Secretary, Jacqui Smith, today (09 March 09) told MPs that the youngest person with a profile on the National DNA database was under a year old and the oldest person on the database is over 90. The response related to data on the database at the end of November 2008. Now, if the age of criminal responsibility is 10, just what was the data relating to a baby aged under 1 year doing on the database and who gave the informed consent to allow the sample to be taken?

    Has all the data relating to under-10s now been removed? I wonder.

  • EU 1 Ireland 0

    Posted on March 3rd, 2009 pmilford No comments

    The first challenge to data retention has now come and gone. The European Court of Justice has rejected the challenge brought by the governments of Ireland and Slovakia.

    This challenge was on the basis of incorrect procedure - the two governments claimed that the Data Retention Directive had been brought forward under the wrong procedural ‘pillar’ of the European Union. The two claimed that the Directive had been passed through 1st Pillar procedures whereas it should have been passed under 3rd Pillar…

    Sounds a little esoteric but if it had been successful then the challenge would have struck a fundamental blow. The likely direction of the decision came with the Advocate General’s opinion in October 2008 - and the opinion expressed by AG Yves Bot was followed by the full court in February 2009, with a unanimous decision of all 17 judges.

    The judgement said, “The measures provided for by [the Directive] do not, in themselves, involve intervention by the police or law-enforcement authorities of the Member States. [The Directive] thus regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters.” It does seem that there was a clear nod towards the functioning of the internal market and an understanding that variations between national rules were likely to hinder the internal market and that this would increase with time…..

    The original challenge submission was accompanied by an amicus curiae brief submitted on behalf of 43 organisations and advising the ECJ that the Directive was illegal on human rights grounds. The brief was rejected in fairly short order and on procedural grounds (there is no procedure within the ECJ to accept amicus curiae) so this inclusion to the governmental challenge was not debated. Yet the final judgement makes the comment (perhaps in a nod to the brief), “[the judgement]….relates to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy contained in Directive 2006/24”.

    Round one to the EU but clearly room for further challenges. Article 8 of the European Convention on Human Rights is likely to be the battleground. Ding a ding, round 2, seconds away……