One of the UK’s most influential digital rights activism groups, the Open Rights Group, has written to all the major Internet Service Providers (ISPs) asking them to delete all personal data held and to stop retaining data, in line with the recent ruling from the European Court of Justice that the Data Retention Directive was invalid.
The Court had ruled that the Directive, which obliged all mobile and broadband companies to retain records of computer and telephone communications for up to two years, was a violation of fundamental rights like privacy.
The Directive required telecoms to keep records even where no crime was suspected. The Court ruled that data retention was not illegal, but it had to be proportionate and only used in exceptional cases. The letter, designed to prompt debate about the UK government’s growing surveillance state, follows the move by a Swedish ISP named Bahnhof, which deleted all of its user records and stopped retaining user data following the court ruling.
Previously, a digital advocacy group named Digital Rights Ireland brought a challenge to the data retention requirements for ISPs. The 'surveillance state' held that data retention was necessary to fight serious crimes and terrorism. The law required ISPs to keep detailed data on GPS location and details about your text messages, phone calls, and emails for up to two years. The argument before the court was whether this was proportionate or amounted to “mass surveillance” of the “entire population”.
The Court agreed and ruled that the data retention directive was illegal and would make people feel like they were constantly under surveillance. Member States had all implemented national legislation to give effect to the Directive. There is some confusion in the legal community about what the implications will be for this legislation.
Some may argue that the mobile phone companies and telecommunications companies will have to change their business practices to be more transparent. Will there be some reform of the regulations making transparent what data they will be continuing to collect for business purposes, and more importantly, what purpose that data collection serves? How long will the data be retained? For mobile phone companies, it may not be at all necessary to hold non-anonymised GPS data, but it might be more important to justify retention for billing data.
As for law enforcement, this may prove to be a trickier argument, and the ruling may complicate how law enforcement tackles information. The political parties are all caught between a rock and a hard place. All either actively or passively supported the data retention laws passed by Parliament. The ruling means that telecoms can no longer contribute to helping the State with mass surveillance, but at the same time, many will argue that the police must have access to mass surveillance data.
Even trickier for the UK Parliament is its history of implementing EU Directives without any significant parliamentary oversight. Westminster holds one of the highest rates of implementing EU directives in national legislation (albeit with a spotty record on accurate implementation). It seems clear that the statutory instrument that implements the Data Retention Directive is no longer valid law and, as such, there is no legal basis for ongoing data retention operations. If the government wants data retention to continue, it needs to introduce a new act or new Statutory Instrument urgently. In the current political climate, with the ConDem coalition government already under pressure over the 'Snoopers' Charter' and the Snowden revelations, this would be hard for them to do.
The letter reads as follows:
Dear BT, Virgin, Sky, and TalkTalk
Data Retention Directive
I am writing to you to seek clarification of your approach to retention and use of your customers' data, as a result of the European Court of Justice's ruling that the Data Retention Directive is invalid and does not apply as European law.
This directive was implemented into UK law by the Data Retention (EC Directive) Regulations 2009. Since the European Court of Justice declared the directive outside the competence of the EU treaties, the UK was never required to implement it. Therefore these regulations no longer have a valid basis in UK law. It is our understanding that ISPs therefore should not be retaining user data unless there is some other legal basis for doing so.
We understand that you should only retain personal data such as IP logs and email communications data for legitimate business reasons or specific legal requirements.
In the interests of your customers, please can you:
(1) Confirm that you are not continuing to abide by the now defunct Data Retention Directive and regulations;
(2) Publish a description of the data you will be continuing to collect for business purposes (and how the data assists you) and what time period you will be holding the data for.
Open Rights Group