Outside view of RPC's transparent glass building.

UK's data retention powers incompatible with EU Law

Published on 09 August 2018

Are the UK security services' data retention powers compatible with the new privacy regime under EU Law?

The background

The Investigatory Powers Act 2016 (IPA) introduced sweeping surveillance powers for UK intelligence agencies and police services, legalising a range of snooping and hacking tools. Two years on, the General Data Protection Regulation (GDPR) has brought in an equally sweeping array of privacy rights and sanctions for entities that breach its rules. The GDPR has direct effect as an EU Regulation, and has also been implemented in UK law by the Data Protection Act 2018, putting it into direct conflict with the privacy-limiting provisions of the IPA. 

The development

Following a legal challenge by human rights group Liberty (whose campaign has been bankrolled by crowd-funding, raising over £50,000), the High Court has ruled that the IPA is incompatible with European data protection law, and has given the government a 1 November 2018 deadline to re-write its provisions.

The government had previously accepted that some provisions of the IPA were inconsistent with EU law, and had announced that it planned to revise the law by April 2019. However, this ruling has significantly reduced this timeframe and the government will now seek to push through its legislative amendments as soon as possible.

Following the success of their initial campaign, Liberty has announced that it intends to launch further challenges to the provisions of the IPA, including challenging the rules on bulk interception of digital communications. Liberty argues that the ability to intercept communications in bulk and create 'personal datasets' about individuals undermines free speech, privacy and patient confidentiality, legal privilege and journalist's sources.

Why is this important?

This High Court ruling helps to clarify the position regarding personal data and the UK security services in light of the introduction of the GDPR. The court has taken a strong stance in demanding that the government amends the legislation in a shorter timeframe, and highlights that our courts will enforce EU law that contravenes UK domestic law. 

The government must now come up with new legislation which seeks to protect the powers of the UK security and police services, whilst complying with wider EU data protection law. While these two aims seem incompatible, it seems unlikely that the government will drop all of the powers brought in under the IPA. Instead, it may be that the government will seek to scale back the IPA by the minimum amount possible in order to satisfy the courts that it is compliant with EU law. 

Any practical tips?

Keep watching! The government is now under pressure to come up with a new surveillance law that will comply with EU law. Whilst this will represent a step down from the wide powers currently in force under the IPA, it seems unlikely that it will encompass a complete surrender of its surveillance tools. 

This all feeds into the wider Brexit picture of course and whether the UK can benefit from an 'adequacy decision' by the European Commission. Critically, the government's proposal for a special agreement with the EU on data protection has only recently been rejected out of hand by Michel Barnier, the EU's chief Brexit negotiator. If the UK cannot secure an adequacy designation, then we will be a 'third country' from the perspective of data transfers – meaning that there can be no automatic transfer of personal data from the EU to the UK after 30 March 2019. In turn, this could mean inserting model contract clauses into any EU-related contracts which touch on data transfer. Hardly an exciting prospect for the start to 2019…