Legal action over the government's continued implementation of the Data Retention Directive has been threatened by the Open Rights Group.
The digital rights campaigners want the government to explain the basis on which internet service providers (ISPs) are being asked to retain records of customers' communications after the Court of Justice of the EU (CJEU) ruled earlier this year that the Data Retention Directive disproportionately infringes on individuals' privacy rights.
More than 1,300 people have written to their ISP to "ask why they are still retaining their web, email, SMS and phone data" as part of an ORG campaign, the group said.
"The government needs to give a full explanation of the grounds on which it is advising ISPs to continue to retain data," Elizabeth Knight, the ORG's legal director, said. "The response to Open Rights Group’s campaign shows that customers also want answers. It’s time that ISPs seek clarity from the courts instead of blindly following the government’s advice."
The ORG said that it does not believe that UK regulations which implement the Data Retention Directive can be enforced by the government in light of the CJEU's judgment on the Directive.
"In the view of Open Rights Group, the UK Data Retention (EC Directive) Regulations 2009 are 'ultra vires', meaning they are, and have always been, outside the government's powers," the ORG said. "The Data Retention Regulations were made under the European Communities Act 1972. As a result, the government enjoyed the power to make the Regulations only because they were made pursuant to an EU Directive."
"When the [CJEU] declared the Data Retention Directive invalid for breaching fundamental rights, the decision had retrospective effect. This means the Data Retention Directive was never valid. As a result the government did not have the power to make the Data Retention Regulations in the first place," it said.
The Data Retention Directive requires telecoms and other electronic communications businesses to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes. The details exclude the content of those communications.
However, in April the CJEU ruled that, on the whole, the Directive was invalid. This was because it "has exceeded the limits imposed by compliance with the principle of proportionality" in terms of the interference with individuals' privacy and protection of personal data rights, as guaranteed under the EU Charter of Fundamental Rights.
Although the CJEU found that the retention of data for the purposes of allowing law enforcement bodies to access the data to help detect and prevent serious crime "genuinely satisfies an objective of general interest" in aiding the fight against serious crime such as terrorism, it determined that that the extent of interference with individuals' privacy and personal data protection rights allowed for under the Directive was not proportionate to serving that purpose.
The CJEU found that Directive was too wide ranging in allowing data about individuals to be collected and retained even where "there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime". In addition, it said that the Directive does not contain sufficient controls and safeguards to limit law enforcement agencies' access to the data retained.
In its ruling the CJEU also criticised the Directive for allowing EU countries too much freedom to decide how long, between the minimum and maximum periods of six months and two years respectively, to require telecoms businesses in their country to retain the data for. It said the Directive ought to have explained that data should only be retained for as long as is "strictly necessary" and that the type of data collected and its "possible usefulness for the purposes of the objective pursued or according to the persons concerned" were factors that should help determine how long data retention periods should be.
Since the ruling, however, there has been a lack of clarity over whether the Directive should continue to apply until replacement EU legislation is implemented. In a non-binding opinion issued prior to the judgment in the case by an advisor to the CJEU, advocate general Pedro Cruz Villalón recommended that the Directive be scrapped once a replacement framework had been put in place with greater controls and safeguards around the access to and use of the data collected.