Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

Legal challenge lodged against new UK data retention laws

A legal challenge is to be launched against new UK data retention laws that received parliamentary backing under a prioritised approval process earlier this month.24 Jul 2014

Civil rights campaigners Liberty said it will seek a judicial review of the Data Retention and Investigatory Powers (DRIP) Act on behalf of two MPs, David Davis and Tom Watson.

In a statement the MPs criticised the speed with which the DRIP Act gained parliamentary approval and questioned whether the new rules sufficiently protect individuals' privacy rights.

Davis said: "The aim of this legal action is to make the government give the House [of Commons] the opportunity to do what it should have been allowed in the first place. Proper, considered and effective law making. The overall aim is to create law which both protects the security of our citizens without unnecessarily invading their privacy."

Watson said: "The three party leaders struck a private deal to railroad through a controversial Bill in a week. You cannot make good laws behind closed doors. The new Data Retention and Investigatory Powers Act does not answer the concerns of many that the blanket retention of personal data is a breach of fundamental rights to privacy."

The DRIP Act replaces previous UK regulations on data retention that had implemented an EU law which earlier this year was ruled to be invalid by the EU's highest court. The Court of Justice of the EU (CJEU) ruled that the EU Data Retention Directive disproportionately infringed on privacy rights enjoyed by EU citizens.

Home secretary Theresa May said the speedy approval of the new rules was necessary to plug potential holes in UK intelligence gathering capabilities that could have arisen if the telecoms companies subject to the data retention requirements had stopped collecting the information in light of the CJEU's ruling.

Under the DRIP Act, public telecommunications operators can be required to store 'communications data' if the secretary of state considers the data retention is "necessary and proportionate" to help law enforcement agencies detect and prevent terrorism and other serious crimes or for serving other limited purposes specified under the existing Regulation of Investigatory Powers Act.

'Communications data' concerns the traffic data surrounding phone and internet communications, such as the source of a communication, its destination, date, time, duration and type. They do not relate to the content of communications, which is protected by other laws. Under the Act, telecoms companies could be asked to store the data for up to a year. The new rules enable the government to compel operators based outside of the UK, as well as those based within the country, to comply with data retention orders made in accordance with the new rules.

Providers of a service which "consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system" are subject to the DRIP Act.

Announcement of the intended legal challenge to the DRIP Act comes as the government published draft new regulations which flesh out more detail on how the new data retention powers can be exercised.

The draft Data Retention Regulations 2014 set out what information must be included in retention notices served to telecoms companies. It also sets out a number of issues that the secretary of state issuing the notices must take into account before serving the notices, including the "likely benefits of the notice" and "the technical feasibility" of complying with it.

The regulations also outline the standards of data integrity and security that telecoms providers must observe when storing the communications data in line with the notice requirements, and also imposes a requirement on those companies to destroy the data it has retained "in such a way as to make access to the data impossible" if there is no longer a legal obligation on them to store the information.

A creation of a statutory code of practice governing the retention of communications data is also envisaged under the proposed regulations.