UK Government asks EU Court 'Did you really mean it?':  Bulk data retention and access is under scrutiny in Europe and the UK

Press release

Tomorrow, Privacy International and Open Rights Group will argue that wholesale and indiscriminate retention of our personal data is not permissible. The case, brought by MPs Tom Watson and David Davis against the Data Retention and Investigatory Powers Act 2014 (DRIPA), and in which PI intervened, will be heard in the European Court of Justice (CJEU) on 12 April. It has the potential to send shockwaves through the Investigatory Powers Bill, the controversial bill currently in Parliament.

The case represents yet another attempt by the UK Government to make bulk data retention and bulk access to retained data lawful. After 9/11, instead of engaging in a Parliamentary debate, the UK Government went to the European Union asking for legislation to require bulk data retention. The UK Government pushed the EU to adopt the 2005 Directive on Data Retention. After this EU legislation was later struck down in 2014, the UK Government chose to ignore the European Court ruling by introducing DRIPA. Tomorrow, we will see the UK Government ask the CJEU if it really meant to rule that mass data retention is unlawful as the UK, yet again, tries to argue that mass retention is lawful.

Both Labour and Conservative governments have been unwilling or perhaps afraid, to ask the UK Parliament to grant them the incredible power of data retention. Both have been keen on mass surveillance when in power and critical in opposition. In 2009 then-Conservative Shadow Justice Minister, and from 2010 to 2015 the Attorney General, criticised measures the Government is now defending in Europe and seeking to extend in the Investigatory Powers Bill, saying: 

“This Government’s approach to our personal privacy is the worst of all worlds – intrusive, ineffective and enormously expensive. As we have seen time and time again, over-reliance on the database state is a poor substitute for the human judgment and care essential to the delivery of frontline public services. Labour’s surveillance state has exposed the public to greater – not less – risk.” [1]

Even when David Cameron[2] was leader of the opposition, he criticised surveillance powers in 2009, saying:

“How have we got ourselves into the position where there is such a marked imbalance of power between the citizen and the state?”

There are nonetheless critics of these powers in both of the main political parties. Indeed, the case being heard in the CJEU is being brought by MPs from the two main political parties. 

Further, bulk  mass data retention and access plays a central role in the Investigatory Powers Bill. The outcome of this case could lead to a reduction of such powers that are currently outlined in the Bill.


Camilla Graham Wood, Legal Officer, Privacy International states:   

"The UK, in enacting legislation that is almost identical to the European Data Retention Directive which the CJEU ruled unlawful, is mandating data retention on a widespread, indiscriminate and untargeted basis. Such a broad and wholesale retention of communications data is in violation of European law. The effect of DRIPA is to use mass data retention to create a dossier on every person in the UK. It includes every internet and mobile phone transaction you undertake, every location will be filed, every meeting noted, every website indexed and every call marked. Blanket retention of communications data, without suspicion, creates a honeypot of information for criminals and hackers and this case will have implications for personal privacy and the security of individual personal data."


Open Rights Group’s Legal Director, Myles Jackman said:

“The Court found that you shouldn’t collect people’s data unless there is a specific reason and that there should be strict controls for allowing access to this data. With both DRIPA and the IPBill, the British government has ignored this call to respect our human rights. We look forward to the CJEU’s clarification of their ruling and hope that it condemns once and for all the blanket collection of our personal data.”




The history

In 2000, the Government told Parliament that the Regulation of Investigatory Powers Act 2000 (RIPA) was the total extent of surveillance powers that were needed. However, within weeks of RIPA receiving Royal Assent, a report from UK law enforcement was leaked, stating that the power the Government truly wanted was companies to retain communications data on all their users. 

Immediately after 9/11 as governments around the world over-reached with new pieces of legislation, the UK Government did pursue data retention powers in the Anti-Terrorism, Crime and Security Act. But the law only asked for ‘voluntary’ data retention – a service provider could, but was not obliged to retain data. The Government told Parliament again that this was the total extent of surveillance power that was needed.  

Rather than seek further approval for greater ambitions from the UK Parliament, the UK Government then went to Europe. From 2001 onwards, it pushed the EU to adopt a Directive on data retention, the Data Retention Directive (DRD). This would make data retention compulsory on all service providers across Europe, including the UK. When the UK Government held the Presidency of the European Council, and with the political momentum that followers from the 7/7 bombings, they managed to push the directive through the European Parliament in the autumn of 2005 – but had to also promise greater powers for that Parliament. 

Only after that did the UK Government return to the UK Parliament and state that because of European Union obligations, data retention is required in the UK and Parliament must give its consent.

The Government’s reticence for introducing legislation directly through Parliament is easily understandable. Parliament by that time had become quite resilient to surveillance claims by the Government. RIPA struggled through Parliament. ID cards resulted in a near- constitutional critics. Every subsequent attempt at expanding communications surveillance, up until now, faced significant push back. Parliament, in the eyes of the UK Government, needed to be circumvented. 

But on 8 April 2014 in  Digital Rights Ireland and Seitlinger [1] (DRI), the European Court of Justice struck down the Data Retention Directive of 2006, disruptingthe UK Government’s plans.  

In response to the Data Retention Directive being found unlawul, in order to continue bulk data retention, the UK Government had to finally do what it was trying to avoid for nearly 15 years: ask Parliament to approve communications data retention. The Government said it was an emergency and the Data Retention and Investigatory Powers Act 2014 (DRIPA) was passed with little debate or scrutiny. 


Investigatory Powers Bill

The Government has introduced the Investigatory Powers Bill, currently going through Parliament, which goes beyond the powers in DRIPA. Under Clause 78 the Secretary of State can require any description of telecommunication operators to retain all or any description of communications data for up to 12 months. The retention will be limited to the detection or prevention of serious crimes, but will be allowed under any of the grounds which communication data can be obtained (Clause 53.7). The new retention regimes also goes further in the types of data that can be retained. Clause 78.9 includes ‘pattern’ of communications and ‘internet connection records’. Telecommunication operators may then be required to retain not only data they save in their normal course of business, but also anything they may be able to generate or obtain, that fall within the definition of ‘relevant communications data’. 


[1] C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger (ECLI: EU: C: 2014: 238) (“DRI”).