David Cameron has decided to rush through new emergency legislation known as the Data Retention and Investigatory Powers Bill (DRIP) this week, saying that there is an urgent need for better legislation since the European Court of Justice (ECJ) overturned the EU Data Retention Directive in April.
The EU Data Retention Directive was overturned as it was deemed to be inconsistent with the European Convention on Human Rights, due to a lack of safeguards on how data is accessed and for what purpose.
By overturning this directive, which was passed into secondary legislation in the UK, certain powers have been removed from the UK government, and it wants them back (click here to read Theresa May's speech).
The existing 2009 Data Retention Regulations were based on definitions set out in the EU Communications Framework Directive, implemented by the UK government in the 2003 Communications Act.
While the Data Retention Regulations still stand, they could be reviewed at any point as there is no longer a data-retention directive in place.
Civil liberties groups have been putting pressure on Internet Service Providers (ISPs) saying that it is no longer legal, which could be one reason why David Cameron is rushing this bill.
What changes are in the new DRIP bill?
DRIP is currently just a draft bill, and potentially some of the problems that critics have spotted may be ironed out. However, some of the changes from the 2009 Data Retention Regulations potentially give the UK government more powers for monitoring our data, although the coalition says otherwise, through:
- Warrants to non-UK companies
Section 4 of the new bill proposes amendments to RIPA that would mean that the UK government would be able to serve warrants to non-UK companies providing telecommunication services to the UK.
- Warrants to forum owners, online storage, webmail providers
Even worse, the clauses in section 5 and an accompanying note amend how "telecommunication service" is defined in RIPA:
For the purposes of the definition of "telecommunications service" in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.
This means that the UK government would be able to serve a warrant on someone who owned a online forum or message board, in order to gain access to contact details of users of the board.
The way the explanatory note is worded means that webmail providers and in fact any type of online storage service, like Dropbox, for example, would be included in this, too.
- Unclear data retention period
Then there's the fact that the original 2009 Data Retention Regulations mandated that data be retained for 12 months, whereas the new bill says that there is a maximum period of 12 months, meaning that data can be retained for shorter periods.
Sections 3 and 4 say that the Secretary of State will be allowed to make "further provision about the retention of relevant communications data". Well, that means that potentially the Secretary of State could issue a notice using Section 1 (2) (c) that would enable data to be retained even longer.
What happens now?
Looking at the UK Parliament bill progress tracker, there will be six more stages before the bill gets the Royal Assent. However, the government wants the bill to become law this week, so there isn't much time to oppose it, like was the case in the US with SOPA.
If you'd like more information, lawyer Graham Smith has written a well-thought-out dissection of the DRIP bill on his personal blog. Also the charity 38 Degrees is asking UK citizens to email their MP now to ask them to vote for an amendment (tabled by the Labour party) that would make sure the bill is properly reviewed in the next six months.