Full Debate on Laws, Practices Needed to Ensure Reform
July 14, 2014
It is outrageous that instead of reforming its laws to address concerns about its involvement in mass surveillance, the UK government is renewing its powers to monitor the communications of people who aren’t suspected of breaking any laws. Blanket data retention undermines the right to privacy of millions of people inside and outside the UK, and yet the government is pushing through emergency legislation allowing it to do just that.
Izza Leghtas, Western Europe researcher

(London) – Emergency legislation announced by the UK government on July 10, 2014, that would grant the British intelligence and law enforcement agencies access to data about millions of people’s communications is a blow to the right to privacy.

The new law is intended to replace legislation that became invalid when the Court of Justice of the European Union (CJEU) ruled in April that blanket data retention breaches the right to privacy. Yet the new law does not adequately address the human rights requirements laid out in the court’s ruling and goes further to expand the government’s surveillance powers. 

“It is outrageous that instead of reforming its laws to address concerns about its involvement in mass surveillance, the UK government is renewing its powers to monitor the communications of people who aren’t suspected of breaking any laws,” said Izza Leghtas, Western Europe researcher at Human Rights Watch. “Blanket data retention undermines the right to privacy of millions of people inside and outside the UK, and yet the government is pushing through emergency legislation allowing it to do just that.”

There is credible evidence that the UK’s Government Communications Headquarters (GCHQ) is engaged in mass surveillance of people in the UK and overseas, and the government has been criticized for such perceived surveillance excesses. The evidence emerged following revelations by former the US National Security Agency (NSA) contractor Edward Snowden in June 2013. In contrast to the US government, which has engaged in a public debate and taken some first steps toward reform, the UK government has been largely silent on the issue, asserting that UK intelligence agencies complied with the law and acted to protect public safety.

Under the draft emergency bill published on July 10, 2014, the government would be able to require telephone and internet companies in the UK and abroad to collect metadata on their customers’ communications and store it for up to 12 months. While companies could be required to keep data for less than 12 months instead of the fixed 12-month period in the current law, the new bill would otherwise maintain the existing system of data collection and retention.  

Intelligence and law enforcement officials will be able to access that data under the law governing surveillance, the Regulation of Investigatory Powers Act (RIPA) of 2000, which allows for broad government surveillance with no independent scrutiny.

The CJEU ruled on April 8, 2014, that blanket data retention disproportionately interferes with the rights to privacy and to the protection of personal data under the EU Charter of Fundamental Rights, and struck down EU Directive 2006/24/EC on data retention. The directive required phone and internet companies in EU countries to collect data on their users’ communications over phone and email – including their location, whom they called and e-mailed, and when – and store it for up to two years. The new Data Retention and Investigatory Powers Bill will replace two domestic regulations of 2009 on data retention enacted by the UK to implement that directive. Those regulations became invalid once the Court of Justice declared the directive illegal.

With this bill and the extremely short timeframe it has given parliament and the public to consider it, the government circumvents concerns raised by the Grand Chamber of the EU’s top court, undermining the rule of law as well as the right to privacy. The bill does not address the court’s concerns that the data retention directive affected everyone using electronic communications services regardless of whether they were linked to criminal activity, interfering with the rights of “practically the entire European population.”

However, the bill goes further than merely addressing communications data retention by also extending the government’s powers to intercept the content of communications under the Regulation of Investigatory Powers Act (RIPA) of 2000. Grounds for intercepting communications under that law include national security and preventing or detecting serious crime. Though the new bill reduces the scope of one of those grounds – “safeguarding the economic well-being of the United Kingdom” – to cases relating to national security, it extends the scope of who may be subject to interception warrants extraterritorially to companies outside the UK that offer communications services to UK customers.

The bill also extends the definition of “telecommunications service” in the law to include “companies who provide internet-based services, such as webmail,” the government’s explanatory notes say. This change would subject a much broader range of internet companies in the UK and abroad to surveillance warrants from the UK.   

The UK government has failed to address concerns that the 2000 law is outdated and needs to be brought in line with the right to privacy. While Prime Minister David Cameron and Deputy Prime Minister Nick Clegg announced a full review of the law on July 10, 2014, a positive step, the review will not be concluded until 2016, when the new emergency law expires.

“An independent review of existing legislation is a positive step, but it should be completed before new legislation is enacted, not after,” Leghtas said. “Members of parliament should insist on a proper debate on surveillance with enough time to consult civil society and engage with the public to ensure meaningful reforms that can protect people’s privacy and safety.”

Prime Minister Cameron contends that the new emergency law is needed because without it companies would stop collecting and storing such data necessary for national security and to protect people from serious crime. Parliament will have a week to examine the bill, with a debate of only one day in the House of Commons and two days in the House of Lords, a far shorter timetable than usual for the passage of legislation in the UK. It is expected to pass as leaders of the main three political parties have expressed their support. Cameron and Clegg justified the short time frame by saying that not acting immediately would put people’s safety at risk, given events in Syria, Iraq, and around the world. They also contended that the bill restores existing measures but does not introduce any new powers.

But, as the EU court ruled, existing powers undermine human rights. And using the fast-track procedure denies members of parliament and the public a chance to properly consider and debate a bill that affects the rights of millions of people, Human Rights Watch said. The “emergency” bill also goes far beyond data retention by asserting that the government’s surveillance powers have striking extraterritorial reach over a broader range of service providers, which merits a more meaningful public debate.  

Knowing who communicated with whom, when, and from where can reveal as much as the contents of what is said over the phone or written in an e-mail, especially when collected in bulk. In March 2014 the United Nations Human Rights Committee called on the US government to “refrain from imposing mandatory retention of data by third parties.”

Under the European Convention on Human Rights (ECHR) and the Human Rights Act (HRA), which incorporates it into UK law, the UK must respect the right to private life and any interference with that right must be “in accordance with the law,” “necessary in a democratic society,” and proportionate. The International Covenant on Civil and Political Rights (ICCPR), ratified by the UK, also prohibits arbitrary and unlawful interference with privacy. This right applies to digital and phone communications and is not limited to the contents of those communications.

Other measures the UK government announced on July 10 include a new Privacy and Civil Liberties Oversight Board, based on the US model, to advise the government on counterterrorism policies; the restriction of the number of public bodies that can request communications data from phone and internet companies; and the publication of annual transparency reports. Details of these measures have yet to be published, and it is too soon to assess whether they would provide any effective oversight or degree of public accountability to UK government surveillance practices, Human Rights Watch said.

“Why did the government wait for over three months to react to the European Court’s ruling, and then plan to rush the bill through parliament within a week?” Leghtas said. “This emergency bill undermines not only the right to privacy, but parliamentary and public scrutiny of measures that affect everyone’s lives.”