Divisional Court strikes down DRIPA communications data law

19 July 2015 by David Hart KC

R (ota Davis et al) v. Secretary of State for Home Department [2015] EWHC 2092 – 17 July 2015 – read judgment

When a domestic Act of Parliament is in conflict with EU law, EU law wins. And when a bit of the EU Charter (given effect by the Lisbon Treaty) conflicts with an EU Directive, the EU Charter wins.

Which is why the Divisional Court found itself quashing an Act of Parliament on Friday – at the behest of four claimants, including two MPs, the Tories’ David Davis and Labour’s Tom Watson. 

The doomed Act is the Data Retention and Investigatory Powers Act 2014 or DRIPA. It was in conformity with an underlying EU Directive (the Data Retention Directive 2006/24/EC or DRD – here). However, and prior to DRIPA, the DRD had been invalidated by the EU Court (in the Digital Rights Ireland case here)  because it was in breach of the EU Charter.

All this concerns communications data, which tell us who was sending an email, to whom, from where, and when – but not the content of the email. DRIPA in effect compels telecoms providers to keep communications data for 12 months, and to make it available to public bodies such as intelligence and law enforcement agencies.

Now to the Charter (here) which invalidated it, and the DRD. Many of the Charter rights are closely modelled on the ECHR. So the Charter’s Article 7 is effectively the same as Article 8(1) ECHR (private and family life). But Article 8 of the Charter (here) has no ECHR equivalent. It gives everyone the right to the protection of personal data concerning them; the data must be processed fairly, on the basis of consent or “some other legitimate basis laid down by law“. There is a right of access to data, and a right to rectification of data. Compliance is to be subject to control by an independent authority. The right is drawn from EU Treaty provisions (including Article 16 TFEU).

It is all very well to declare such a right in ringing terms, but there are obvious interests (as the right acknowledges) in having some system for retaining data to assist the investigation and prosecution of crime. The problem lies in balancing the right against the derogations. The DRD was all derogation, in a blanket form. Hence the CJEU in Digital Rights Ireland said that it did not introduce the safeguards necessary for it to be compliant with the Charter. The DRD

does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.

The CJEU came to this decision on 8 April 2014. There followed a mad scramble around the EU to seek to legitimise data retention via domestic laws, whilst the EU institutions came up with something better. Unfortunately, in the scramble, most countries seem to have repeated the mistake made in the underlying Directive, of not introducing sufficient protections. So the claimants’ task in the present case was, in the end, not too difficult. It simply compared the minimum requirements set out in the CJEU decision with the Act, and said that the Act was as deficient as the DRD struck down by the CJEU.

The Divisional Court accepted these arguments, and did not feel it necessary to refer the matter to the CJEU which it would do if there were real doubt. Courts in Slovenia, Romania, the Netherlands, and Belgium had struck down similar laws, and only the Swedes felt it necessary to ask the CJEU for more guidance.

The Government lawyers took an interesting tack. They said there was Strasbourg case law (Kennedy) which had decided that the UK Regulation of Investigation Powers Act 2000 legislation was not in breach of Article 8 ECHR (even when it concerned interception of content, rather than data). They added that this case law should be applied when determining what EU law is – the corpus of EU case law contains ECHR case law.  The Court at [81] did not find too much difficulty distinguishing Kennedy from the task in hand.

81…..But on the other hand a case about the interception of material relating to one individual, pursuant to a case-specific warrant signed personally by a Secretary of State, does not in our view assist much in interpreting the judgment of the CJEU in Digital Rights Ireland relating to a general retention regime on a potentially massive scale.

Ultimately, the court decided, in line with Digital Rights Ireland, that

89. The solution to the conundrum, in our view, and the ratio of Digital Rights Ireland, is that legislation establishing a general retention regime for communications data infringes rights under Articles 7 and 8 of the EU Charter unless it is accompanied by an access regime (laid down at national level) which provides adequate safeguards for those rights.

And that, DRIPA does not have. See also [91] of the judgment for the minimum content of any compliant law.

The next question was, what to do now? It was easy enough to decide that there should be a declaration that DRIPA was inconsistent with EU law in specific regards laid down in [114] of the judgment.  But the Court was also persuaded to make an order disapplying the Act, but suspending its disapplication until 31 March 2016, thus enabling Parliament to come up with a compliant law. It derived help from the coercive order made against Defra in the ClientEarth air pollution case in respect of EU breaches (see my post here).

120. The ClientEarth case is a significant and recent case on remedies in the UK courts for breaches of EU law. It does not lay down a rule that disapplication or mandatory relief, even with a reasonable time for compliance, must always be the appropriate remedy, but it gives a steer which in our view cannot be ignored.

It was persuaded to give that length of time because of the complexity of the task, adding wryly that

legislation enacted in haste is more prone to error, and it would be highly desirable to allow the opportunity of thorough scrutiny in both houses.

DRIPA got from introduction in the Commons to Royal Assent in 48 hours – and the Government has now been granted 7 months to do it properly. In passing, it was a bit of a giveaway when an Act has a “sunset” clause in it, namely s.8 which automatically repeals it at the end of 2016; a signal that it was a temporary job. We have been promised a new DRIPA anyway, in the Queen’s Speech on 27 May 2015.

One other topic of interest in the judgment. There has been a debate for some years about the scope of the Charter, given Article 52(3), and Protocol 30 negotiated by the UK and Poland, and whether in some ways this limits the applicability of the Charter to those countries. Protocol 30 provides:-

The Charter does not extend the ability of the Court of Justice, or any court or tribunal of Poland or of the UK, to find that the laws, regulations or administrative provisions or action of Poland or of the UK are inconsistent with the fundamental rights, freedoms and principles that it reaffirms.

To which the Divisional Court added

The precise scope of Protocol 30 is far from clear, since it only precludes the extension by the CJEU or domestic courts of their existing powers to find that UK laws are not in accordance with the Charter. It cannot be used to prevent the court from defining the extent of rights contained in the Charter which set out provisions within the material scope of EU law.

So once you are in EU territory (and data protection has been EU territory for 20 years), then you can rely on a right conferred by the Charter.

Conclusion

Part of the problem in this has been timing.

The EU did not exactly help its member states here, by coming up with such an unbalanced DRD in the first place: the usual reasons, being an insufficiently reflective response to the atrocities in Madrid (2004) and London (2005).

Given (a) that imbalance, (b) the automatic and instantaneous effect of the CJEU ruling, and (c) the difficulty of coming up with a swift DRD replacement at EU level, plainly member states had to have their own go at balancing the rights and derogations. But member states might have spent a little more time considering the reasons advanced by the CJEU (which had been trailed in the Advocate-General’s opinion in December 2013 here) as to why the DRD was inconsistent with the Charter. Failing that, it was hardly surprising that constitutional courts all around  the EU have been busy quashing those efforts.

Sign up to free human rights updates by email, Facebook, Twitter or RSS

Related posts:

• Supreme Court: no excuses, UK must comply with EU air pollution law
• Britain can lead the world in online privacy
• Google’s misuse of private browsing data entitles individuals to damages 
• Supreme Court on proportionality in EU and ECHR law: back to basics
• EU Court upholds greenhouse gas scheme against US airlines challenge