Case Summary and Outcome

The Data Retention and Investigatory Powers Act 2014 (DRIPA) was tested for validity under articles 7 and 8 of the ECHR. The High Court ruled that the law violated the ECHR and struck it down because: (1) it did not provide clear and precise rules on access to and use of retained communications data; and (2) access to data lacked judicial or independent administrative oversight.

Facts

DRIPA is a surveillance act that allows the Home Secretary to order communications companies to retain communications data for 12 months. The law allowed surveillance of anyone in the United Kingdom, including emails, calls, texts, and web activity that may be confidential or privileged.

Specifically, DRIPA allowed:
“1-The Secretary of State may by notice (a “retention notice”) require a public telecommunications operator to retain relevant communications data if the Secretary of State considers that the requirement is necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (h) of section 22(2) of the Regulation of Investigatory Powers Act 2000 (purposes for which communications data may be obtained).
2- The Secretary of State may by regulations make further provision about the retention of relevant communications data.
3- Retention limited to 12 months.
4- A public telecommunications operator who retains relevant communications data by virtue of this section must not disclose the data except…” [1]

The law was challenged by three MPs who argued that it violated the ECHR articles 7 and 8. The MPs based their challenge to DRIPA in large part on the 2014 ECtHR decisions of Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources.

[1] Section 1 of DRIPA

Decision Overview

The High Court extrapolated from the Digital Rights Ireland case that legislation “establishing a general retention regime for communications data infringes rights under articles 7 and 8 of the EU Charter unless it is accompanied by an access regime (laid down at national level) which provides adequate safeguards for those rights.” [1]

The High Court specified that EU law established mandatory requirements for surveillance legislation that include:

-The legislation must clearly and precisely establish rules governing the scope and application of surveillance and impose minimum safeguards that sufficiently and effectively protect against the risk of abuse and against any unlawful access to and use of that data;

-“Any legislation establishing or permitting a general retention regime for personal data must expressly provide for access to and use of the data to be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating to such offences”; and

-“‘Above all’, access by the competent national authority to the data retained must be made dependent on a prior review by a court or an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued, and which intervenes following a reasoned request of those authorities.” [2]

Based on this, the High Court ruled that DIRPA violated the ECHR because it: (1) did not provide clear and precise rules on access to and use of retained communications data; and (2) access to data lacked judicial or independent administrative oversight.

[1] Paragraph 89 of the decision, https://www.judiciary.gov.uk/wp-content/uploads/2015/07/davis_judgment.pdf.

[2] Paragraph 91 of the decision, id.