The history of DRIPA 2014 - data retention in the UK


In 2000, the Government told Parliament that the Regulation of Investigatory Powers Act 2000 (RIPA) was the total extent of surveillance powers that were needed. However, within weeks of RIPA receiving Royal Assent, a report from UK law enforcement was leaked, stating that the power the Government truly wanted was companies to retain communications data on all their users. 

Immediately after 9/11 as governments around the world over-reached with new pieces of legislation, the UK Government did pursue data retention powers in the Anti-Terrorism, Crime and Security Act. But the law only asked for ‘voluntary’ data retention – a service provider could, but was not obliged to retain data. The Government told Parliament again that this was the total extent of surveillance power that was needed. 

Rather than seek further approval for greater ambitions from the UK Parliament, the UK Government then went to Europe. From 2001 onwards, it pushed the EU to adopt a Directive on data retention, the Data Retention Directive (DRD). This would make data retention compulsory on all service providers across Europe, including the UK. When the UK Government held the Presidency of the European Council, and with the political momentum that followers from the 7/7 bombings, they managed to push the directive through the European Parliament in the autumn of 2005 – but had to also promise greater powers for that Parliament. 

Only after that did the UK Government return to the UK Parliament and state that because of European Union obligations, data retention is required in the UK and Parliament must give its consent.

The Government’s reticence for introducing legislation directly through Parliament is easily understandable. Parliament by that time had become quite resilient to surveillance claims by the Government. RIPA struggled through Parliament. ID cards resulted in a near- constitutional critics. Every subsequent attempt at expanding communications surveillance, up until now, faced significant push back. Parliament, in the eyes of the UK Government, needed to be circumvented. 

But on 8 April 2014 in  Digital Rights Ireland and Seitlinger [1] (DRI), the European Court of Justice struck down the Data Retention Directive of 2006, disrupting the UK Government’s plans.  

In response to the Data Retention Directive being found unlawul, in order to continue bulk data retention, the UK Government had to finally do what it was trying to avoid for nearly 15 years: ask Parliament to approve communications data retention. The Government said it was an emergency and the Data Retention and Investigatory Powers Act 2014 (DRIPA) was passed with little debate or scrutiny. 

[1] C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger (ECLI: EU: C: 2014: 238) (“DRI”).