(a) Data retention under the Investigatory Powers Act

The IPA 2016 was introduced to update the UK's framework for use of investigatory powers to obtain communications and communications data.Footnote ¹² This new framework was lauded as establishing a ‘world-leading oversight regime’,Footnote ¹³ which introduced the Investigatory Powers Commissioner (IPC) and Judicial Commissioners (JCs) via section 227(1)(a) and (b) of the IPA 2016. The 2016 Act is the successor to much of the Regulation of Investigatory Powers Act 2000 and the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). The latter was declared to be incompatible with EU law by the Court of Appeal for the same reasons as the IPA 2016.Footnote ¹⁴

The data retention regime in the IPA 2016 is set out in Part 4. Section 87(1) permitted the Secretary of State, if it is considered necessary and proportionate, to issue retention notices on telecommunications operators to retain relevant communications data for purposes (a) to (j) in section 61(7). These grounds, amongst others, were included in the interests of national security, for the purpose of preventing or detecting crime or of preventing disorder, in the interests of public safety, etc. A retention notice is only permissible once it has been approved by a JC.Footnote ¹⁵

Relevant communications are defined in section 87(11) as any communications data which may be used to identify, or assist in identifying:

1. (a) the sender or recipient of a communication (whether or not a person);

2. (b) the time or duration of a communication;

3. (c) the type, method or pattern, or fact, of communication;

4. (d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted; or

5. (e) the location of any such system; this expression therefore includes, in particular, internet connection records.

This definition covers any type of communication network including communications where the sender and receiver are not humans, such as background interactions on smartphones, but probably also the Internet of Things.Footnote ¹⁶ Section 261(5) of the IPA 2016 defines communications data as either being events data or entity data. For the purposes of this paper, only the latter will be considered in detail. Events data is defined in section 261(4) as:

The Explanatory Notes to the Act maintain that events data includes:

The Communications Data Code of Practice (Code of Practice) lists several examples of what constitutes events data:

• • information tracing the origin or destination of a communication that is, or has been, in transmission (including incoming call records);

• • information identifying the location of apparatus when a communication is, has been or may be made or received (such as the location of a mobile phone);

• • information identifying the sender or recipient (including copy recipients) of a communication from data comprised in or attached to the communication;

• • routing information identifying apparatus through which a communication is or has been transmitted (for example, file transfer logs and email headers – to the extent that content of a communication, such as the subject line of an email, is not disclosed);

• • itemised telephone call records (numbers called)

• • itemised internet connection records;

• • itemised timing and duration of service usage (calls and/or connections);

• • information about amounts of data downloaded and/or uploaded;

• • information about the use made of services which the user is allocated or has subscribed to (or may have subscribed to), including conference calling, call messaging, call waiting and call barring telecommunications services.Footnote ¹⁸

Entity data is defined in section 261(3) as any data which:

1. (a) is about—

   1. (i) an entity,

   2. (ii) an association between a telecommunications service and an entity, or

   3. (iii) an association between any part of a telecommunication system and an entity,

2. (b) consists of, or includes, data which identifies or describes the entity (whether or not by reference to the entity's location), and

3. (c) is not events data.

‘Entity’ is defined as a person or thing.Footnote ¹⁹ This could be individuals, groups or objects,Footnote ²⁰ such as ‘phones, tablets and computers’.Footnote ²¹ Entity data includes phone numbers or other identifiers linked to communication devices, such as IP addresses (allocated by an internet access provider).Footnote ²² The Code of Practice explains further that entity data can include devices:

Additionally it includes:

• • ‘subscriber checks’, such as ‘who is the subscriber of phone number 01234 567 890?’, ‘who is the account holder of email account example@example.co.uk?’ or ‘who is entitled to post to web space www.example.co.uk?’;

• • subscribers’ or account holders’ account information, including names and addresses for installation, and billing including payment method(s), details of payments;

• • information about the connection, disconnection and reconnection of services to which the subscriber or account holder is allocated or has subscribed (or may have subscribed) including conference calling, call messaging, call waiting and call barring telecommunications services;

• • information about apparatus or devices used by, or made available to, the subscriber or account holder, including the manufacturer, model, serial numbers and apparatus codes; and

• • information about selection of preferential numbers or discount calls.

This would include, as Liberty notes, ‘information about all applications (“apps”) mobile phone or internet service subscribers have installed on their phone or as an add-on to their primary service’.Footnote ²⁴ This can include which bank a person uses, where investments reside, what newspapers are read, whether a person has children, their sexuality and even whether one is having or contemplating having an affair.Footnote ²⁵

(b) The Investigatory Powers Act before the High Court

Following the ECJ's ruling in Tele2 and Watson, judicial review proceedings challenging the legality the IPA 2016 were initiated on 28 February 2017.Footnote ²⁶ The High Court acknowledged that the proceedings concerned the Charter and the ECHRFootnote ²⁷ but went on to only consider the Charter.Footnote ²⁸ The High Court noted that the defendants conceded that the IPA 2016 was incompatible with EU law in two respects.Footnote ²⁹ However, these inconsistencies were unamended, and thus the claimants argued that unlawful retention and access persisted.Footnote ³⁰

In the dispute about what was the appropriate remedy, the defendants argued that no more than declaratory relief was necessary,Footnote ³¹ because the concession on inconsistency had already been made.Footnote ³² The claimants argued for a suspended disapplication, which the High Court believed was fair.Footnote ³³ However, the High Court decided not to issue a disapplication, or a declarationFootnote ³⁴ and instead gave the UK Government until 1 November 2018 to amend the IPA 2016.Footnote ³⁵

The High Court also examined whether the IPA 2016 permitted general and indiscriminate data retention. The Court of Appeal's interpretation of the DRIPA 2014 was consideredFootnote ³⁶ and it was concluded that the IPA 2016 did not provide for general and indiscriminate data retention.Footnote ³⁷

Additionally, the High Court considered the question of whether entity data fell within the scope of traffic data or location data in Tele2 and Watson,Footnote ³⁸ as defined in Articles 2(b) and (c) of the ePrivacy Directive as follows:Footnote ³⁹

• (b) ‘traffic data’ means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;

• (c) ‘location data’ means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.

The claimants argued that ultimately this was and should be for the ECJ to decide, whereas the defendants argued that it was not and that this was acte clair.Footnote ⁴⁰ The High Court agreed with the defendants that entity data did not fall within the definitions of traffic or location data,Footnote ⁴¹ thus putting it outside the scope of EU law.Footnote ⁴² The High Court also felt satisfied that this issue was acte clair, and thus declined to issue a preliminary reference.Footnote ⁴³

Finally, the High Court considered the seriousness threshold for all retention objectives. The claimants argued that this seriousness threshold should be applied to the section 61(7) purposes for issuing a retention notice in the IPA 2016.Footnote ⁴⁴ The High Court referred to this argument being rejected by the Court of Appeal and noted that this position remained undisturbed by the ECJ's judgment.Footnote ⁴⁵ The High Court held that the fact that the IPA 2016 did not impose a seriousness threshold on a permissible objective for issuing a retention notice, does not render it incompatible with EU law.Footnote ⁴⁶ The High Court continued that such considerations of seriousness do not apply to other objectives, such as national security, public safety and miscarriages of justice.Footnote ⁴⁷ The High Court felt that the tests of necessity and proportionality found within section 87(1) adequately dealt with the issue of seriousness.Footnote ⁴⁸ The High Court also pointed to the claimant's counsel, Mr Jaffey, who acknowledged that ‘a threat to national security would readily cross’ the threshold for seriousness.Footnote ⁴⁹

Ultimately, the High Court ruled that Part 4 was incompatible with EU law for lack of prior authorisation by a court or an independent administrative body for access to communications dataFootnote ⁵⁰ because the JC approvals had not yet come into force.Footnote ⁵¹ It was also held to be incompatible with EU law because access to retained data was not limited to fighting serious crime.Footnote ⁵²

(a) Ignoring the European Convention on Human Rights

It is unfortunate that the High Court decided not to consider the ECHR in combination with the Charter, as the interpretation of the Convention in relation to measures of secret surveillance and data retention is of the utmost relevance. It is also unfortunate because where the Charter contains rights which correspond to those in the ECHR, the meaning and scope of those rights shall be interpreted in the same way,Footnote ⁵³ and this could have been a useful guide for the High Court. This failure to consider the ECHR, and the impact of that failure on the flawed reasoning of the High Court, will be highlighted throughout the following text.

(b) Data retention does not concern the content of communications?

The High Court stressed that Part 4 of the IPA 2016 does not concern the content of communications such as emails or text messages.Footnote ⁵⁴ Emails and text messages are but two examples of content. Content is defined in section 261(6) of the IPA 2016 as any element of the communication, or data logically associated with it, which reveals anything of what might reasonably considered as the meaning of the communication. This excludes inferences that can be drawn from communicationsFootnote ⁵⁵ and systems data. ‘Systems data’ is defined in section 263(4) as data which may be used:

1. a. to identify, or assist in identifying, any person, apparatus, system or service;

2. b. to identify any event; or

3. c. to identify the location of any person, event or thing.Footnote ⁵⁶

The distinction between content and communications data has been used by courts in the UK to suggest that content is more intrusive than communications data.Footnote ⁵⁷ However, it has been argued that communications data is just as revealing as content,Footnote ⁵⁸ if not more so.Footnote ⁵⁹ For this reason, the UN Office of the High Commissioner for Human Rights (OHCHR) has decided that the distinction between content and communications data is no longer tenable.Footnote ⁶⁰ Moreover, the European Court of Human Rights (ECtHR) has stressed that the principles with regard to interception are not based on the technical definition of interference, but on the level of interference,Footnote ⁶¹ and thus it is argued that the same principles should apply in the communications data context. Moreover, the ECtHR is ‘not persuaded that the acquisition of related communications data is necessarily less intrusive than the acquisition of content’.Footnote ⁶² This demonstrates that the UK can no longer rely on the purported distinction between communications data and content to justify differential treatment.

Schneier argues that communications data gives us context,Footnote ⁶³ and context gives us meaning.Footnote ⁶⁴ The effect of communications data is that ‘a very comprehensive dossier on an individual's private life can be produced (including contacts, where he or she has been, is, or will be going, and his or her interests and habits)’.Footnote ⁶⁵ Some argue that although content may not be revealed, content-related conclusions can be drawnFootnote ⁶⁶ on what kind of content is being viewed.Footnote ⁶⁷ This demonstrates the problematic construction of the IPA 2016, section 261(6), in that it proclaims that context is meaning, but not the kind of meaning that can be gained from communications data, thus illustrating that ‘meaning’ is unclear, because what if the same meaning of a communication could be obtained from communications data? Additionally, Cobbe points out that Parliament has not chosen to carry over a definition from DRIPA 2014 to the IPA 2016 that generally excluded content from communications data,Footnote ⁶⁸ thus implying that content can be retained. Furthermore, Cobbe notes that the ‘meaning’ of a communication is unclear, and neither is it ‘clear that data revealing the meaning of a communication is the same as data providing knowledge of its content’,Footnote ⁶⁹ as the ECJ suggest (see below).

Not only can communications data be just as revealing as content, if not more so; content within communications data can itself still be revealed. iiNet demonstrated that embedded data about communications like Twitter, Facebook, and websites do in fact reveal the content of communications (such as tweets), and a great deal of it.Footnote ⁷⁰

Furthermore, the High Court narrowly considered section 87(1) of the IPA 2016 in isolation, and thus, for example, did not contemplate section 87(4)(d) of the Act. That provision stipulates that retention notices must not require telecommunications operators to retain data that is not used by them for a lawful purpose. Lawful purposes are not defined in the IPA 2016, but section 46(4)(a) allows (by regulation, section 46(1) and (2)) any business to conduct interception if it constitutes a legitimate practice reasonably required for the purpose, in connection with the carrying on of any relevant activities for the purpose of record keeping. Section 46(2)(b) includes communications relating to business activities, essentially permitting interception for ‘business purposes’. This business purpose rationale would be consistent with the Home Office's approach to deep packet inspection as they considered that it was ‘a term used to describe the technical process whereby many communications service providers currently identify and obtain communications data from their networks for their business purposes’.Footnote ⁷¹ The European Data Protection Supervisor has stated that deep packet inspection enables internet service providers (ISPs) to access information addressed to the recipient of the communication only, which requires the interception of communications data and content.Footnote ⁷² This could permit intercepted data to be retained,Footnote ⁷³ which in turn could constitute a lawful purpose under section 87(4)(d).

Neither did the High Court consider internet connection records, which fall under the umbrella of relevant communications data. ‘Internet connection records’ is defined in the IPA 2016, section 62(7)(a) and (b) as communications data which:

1. (a) may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and

2. (b) comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person).

The explanatory notes to the Act explain that internet connection records include websites.Footnote ⁷⁴ Obtaining website namesFootnote ⁷⁵ and internet connection records would require deep packet inspection,Footnote ⁷⁶ and thus content would be obtained. These are but a few examples (data can also be generated via section 87(9)(b), and could include the content of communications) which demonstrate that the High Court's narrow focus on section 87(1) blinded it to the fact that communications data is just as revealing as content, if not more so, and – in any event – content would be retained too.Footnote ⁷⁷ This would permit knowledge of the content to be acquired, which would adversely affect or compromise the essence of the protected rights,Footnote ⁷⁸ contrary to EU law.

(c) Entity data does not fall within the scope of EU law?

The High Court rejected the argument that entity data (such as addresses, specific locations, billing address and details) fell within the definition of traffic and location data.Footnote ⁷⁹ The High Court referred to the idea that traffic data is concerned with the conveyance of a communication, and thus only concerns itself with data for the billing of such a communication, and not billing data in general.Footnote ⁸⁰ For the High Court, the mere holding of a billing address or bank details does not fall within the billing limb of traffic data,Footnote ⁸¹ and itemised billing would fall within the definition of traffic data, and in any case would be events data.Footnote ⁸²

This construction is problematic for a variety of reasons. Even if one were to assume the High Court was correct, this would ignore the ePrivacy Directive and EU data protection laws. As discussed above, events data does not include information on addresses, billing and payment methods etc; this would be entity data, as it identifies an individual. Although the High Court did rely on Recital 27 of the ePrivacy Directive to justify its reasoning, it misunderstood it, and overlooked other articles and recitals. The High Court justified its reliance on Recital 27 by asserting that because traffic data should be erased (except for billing purposes), this places the holding of billing addresses or bank account details outside the ‘billing’ limb of traffic data. The High Court also referred to Article 6 to support this position. However, although Article 6(1) states that traffic data must be erased when it is no longer needed for the transmission of a communication, this is without prejudice to Article 6(2), (3), (5) and Article 15(1). When Article 6(2) is examined, it clearly states that:

Not only does Article 6(2) essentially assert that subscriber data is traffic data, which would make it entity data, it also states that this data can be held only for as long as the bill can lawfully be challenged or payment be pursued. This indicates that traffic data beyond the purposes necessary for the transmission of a communication would equate to entity data, as billing addresses and details would come within the ambit of Article 6(2) because they would be necessary for billing and interconnection payments. The High Court seemingly misunderstood Recital 27, by considering it in isolation from Recital 29, for example. Recital 29 states that traffic data necessary for billing purposes may be processed to prevent fraud.

Similarly, the High Court failed to consider Recital 26 of the ePrivacy Directive, which implicitly expands upon Article 6(2), stating that:

Liberty highlighted that Article 1 (Scope and aim) and 3 (Services concerned) of the ePrivacy Directive concern the processing of personal data in the electronic communications sector.Footnote ⁸³ As the Code of Practice (see above) states, subscriber information falls within the ambit of entity data, and thus falls within the ambit of the ePrivacy Directive. Article 15(1) stipulates that ‘Member States may, inter alia, adopt legislative measures providing for the retention of data’. This does not specifically refer to traffic or location data, even if one were to argue that entity data does not fit with either definition. Moreover, when one considers the now invalid Data Retention Directive,Footnote ⁸⁴ Article 1(2) of that Directive provided that it applied to ‘traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user’. This is an important point, because the UK's ability to adopt data retention measures arises from Article 15(1).Footnote ⁸⁵ The ePrivacy Directive and the invalid Data Retention Directive both support the notion that entity data is within the scope of EU law.

Additionally, the High Court's reasoning relied upon the definition of traffic data in isolation from the definition of ‘communication’ in the ePrivacy Directive.Footnote ⁸⁶ Communication includes ‘any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service’. Recital 15 of the ePrivacy Directive states that a communication:

The Article 29 Data Protection Working Party regarded traffic data as including, amongst other things, the email and IP address of the sender, email address of the receiver and the date and time of the email being sent.Footnote ⁸⁷ As the Code of Practice (see above) states, IP addresses and subscriber information (such as email addresses) fall within the ambit of entity data.

Recital 46 of the ePrivacy Directive states that ‘Directive 95/46/EC covers any form of processing of personal data regardless of the technology used’. The ECJ has ruled that the term personal data is wide in scope, not restricted to sensitive or private information, and potentially encompasses all kinds of information, whether it be objective or subjective, provided that it relates to the data subject.Footnote ⁸⁸ This can include anything from a name, photo, email address, bank details, GPS tracking data, posts on social networking websites, medical information or a computer's IP address.Footnote ⁸⁹ Thus, even if the definitions in the ePrivacy Directive did not apply, processing (which includes collecting, recording and storing,Footnote ⁹⁰ ie retention) entity data would still be subject to the General Data Protection Regulation,Footnote ⁹¹ (because, for example, IP addresses are entity data, and can constitute personal data) and thus within the scope of EU law, and ultimately, within the scope of the Charter – particularly Article 8, which eclipses the General Data Protection Regulation.Footnote ⁹²

The ECJ's position in Tele2 and Watson confirms the scope of the ePrivacy Directive as regulating activities of providers of electronic communications services.Footnote ⁹³ It also confirms that the Directive applies to the measures taken by all persons other than users – whether that be private persons, bodies or the State – in the prevention of unauthorised access to communications including any data related to such communications.Footnote ⁹⁴ The ECJ concluded that issues raised by the Court of Appeal and Administrative Court fell within the scope of the ePrivacy Directive.Footnote ⁹⁵ Additionally, the ECJ did not limit its interpretation of data retention within the confines of the ePrivacy Directive (to publicly available electronic communications services); instead its interpretation included ‘all means of electronic communication, and that it imposes on providers of electronic communications services an obligation to retain that data systematically and continuously, with no exceptions’.Footnote ⁹⁶ The ECJ continued that communications data included data ‘relating to subscriptions and all electronic communications necessary to trace and identify the source and destination of a communication’.Footnote ⁹⁷ Furthermore, the ECJ held that communications data included the ‘name and address of the subscriber or registered user, the telephone number of the caller, the number called and an IP address for internet services’.Footnote ⁹⁸ These sets of communications data would all fall under the ambit of entity data.

Big Brother Watch also observed this point, explaining that ‘[the ECJ's] judgment did not distinguish different standards for traffic and location data to those for other communications data, but rather considered the national communications data regime as a whole’.Footnote ⁹⁹ Big Brother Watch also noted that in the Court of Appeal's 2015 judgment on the DRIPA 2014,Footnote ¹⁰⁰ the Court expressly referred to the communications data retention regime as a whole, identifying all the communications data contained.Footnote ¹⁰¹ Furthermore, the ECJ, as mentioned above, ruled that general and indiscriminate ‘retention of traffic and location data of all subscribers and registered users relating to all means of electronic communication’ is precluded by EU law. This, again, would put entity data within the scope of EU law.

The ECJ took this approach (consistent with the ECtHR's lack of interest in technical definitions) because the ePrivacy Directive was read in the light of the Charter.Footnote ¹⁰² Thus, when the High Court ruled that entity data fell outside the scope of EU law, it did so by ignoring the ePrivacy Directive, EU data protection law and the ECJ's interpretation in Tele2 and Watson. Thus, in reality, it was acte clair that entity data was within the scope of EU law. As Big Brother Watch note, ‘[e]ven on the basis of the Government's restrictive and incorrect interpretation of the [ECJ's] judgment, the judgment still applies to both “events” and “entity” data’.Footnote ¹⁰³ This is problematic not only because the High Court erred in its interpretation of EU law; it also means that if entity data is not subject to EU law, the safeguards that come with the General Data Protection Regulation and the interpretations of Digital Rights Ireland and Tele2 and Watson are not applicable, creating a disparity in fundamental rights protection. If the High Court were a court of last instance, this could engage state liability for committing a manifest breach of EU law.Footnote ¹⁰⁴

Moreover, due to High Court's failure to consider the ECHR, the Court failed to outline the limits of retaining entity data which would be compatible with the ECHR. The relevance of compatibility with the ECHR becomes crucial (see below); Big Brother Watch even remark that the definition of entity data in the IPA 2016 (see above), notably where data that identifies or describes an entity, whether or not by reference to the entity's location ‘explicitly includes location data’.Footnote ¹⁰⁵ The High Court ruled that entity data does not fall within the ambit of location data because, for example, the location of a fixed-line terminal is simply held by a service provider and is not processed in a communications network or by communications service.Footnote ¹⁰⁶ However, the High Court was not clear on what is meant by a service provider. The ePrivacy Directive throughout equates public communications network or publicly available electronic communications service as service providers. If the High Court meant that a service provider can be either a communications network or service, then its understanding of data protection laws is unsound. As discussed above, the mere storage of personal data constitutes a form of processing. Thus, service providers who hold or store the location of a fixed-line terminal are processing that data. The distinction between processing and holding data displays a fundamental misunderstanding of what actually constitutes processing. To further highlight the High Court's error, the Code of Practice states that links between a person and their phone are entity data.Footnote ¹⁰⁷ The Code of Practice describes IP addresses of an individual as entity data, and states that this is important because ‘your IP address is the address or logical location of your computer when it's connected to the Internet’.Footnote ¹⁰⁸ Article 2(c) of the ePrivacy Directive specifies that location data is any data processed that indicates the geographical position of the terminal equipment, ie the location of one's computer. Recital 15 states that traffic data ‘consist[s] of data referring to the… location of the terminal equipment of the sender’. The Article 29 Working Party highlighted that geolocation of IP addresses is one of the many ways of processing location data.Footnote ¹⁰⁹ Entity data also consists of identifiers linked to communication devices, such as a MAC address. These are unique hardware numbers for computers.Footnote ¹¹⁰ Edward Snowden has argued that the NSA has a system that tracks the movements (and therefore location) of everyone in a city by monitoring their MAC addresses,Footnote ¹¹¹ Cunche accepts that this is a real possibility,Footnote ¹¹² given that traffic and retail store monitoring are already occurring.Footnote ¹¹³ Banks maintains that ‘there is a greater probability of correlation between the owner of the device and the MAC address than there is of an IP address and an individual’.Footnote ¹¹⁴ This is conceivable because IP addresses can be dynamic – ie the IP address changes each time there is a new connection to the internet – as highlighted in Breyer,Footnote ¹¹⁵ whereas MAC addresses are not (unless hidden by the device owner).Footnote ¹¹⁶ What this demonstrates is that not only does entity data fall within the ambit of traffic data, it also falls within the ambit of location data, and is, in any event, within the scope of EU law.

Lastly, as noted above, the High Court ruled that the IPA 2016 was incompatible with EU law because access to retained data is not limited to the purpose of fighting serious crime. This passage confused their position on entity data because entity data is also retained. The High Court effectively placed entity data outside the scope of EU law whilst simultaneously ruling that data retained is within the scope of EU law, hence the requirement of combatting serious crime. A ruling that ‘access to retained events data is limited to the purpose of combating “serious crime”’ would have properly reflected the Court's reasoning. Simply put, its ruling does not reflect its own analysis.

(d) Seriousness threshold

When ruling that it was unnecessary to have a seriousness threshold for the purposes of retention, the High Court did not consider that the retention of communications data poses just as serious (if not more serious) an interference with fundamental rights as interception does. Section 20(2)(b) of the IPA 2016 in relation to interception warrants does have a seriousness threshold. Moreover, the UK Government has sought to comply with Digital Rights Ireland/Tele2 and Watson by inserting into the 2016 Act a definition of serious crime for the purposes of Part 4.Footnote ¹¹⁷ This new definition, however, has been argued to broaden the definition that is already present in the IPA 2016,Footnote ¹¹⁸ which is also beyond what the ECtHR accepted in Kennedy Footnote ¹¹⁹ and has been severely condemned by Liberty for creating a conflicting, confusing and overbroad standard for when communications data can be retained.Footnote ¹²⁰ Ultimately, it does not provide ‘adequate protection against abuse and is a serious problem regarding the protection of human rights’.Footnote ¹²¹This highlights that a well-defined seriousness threshold is necessary.

The High Court also ruled that miscarriages of justice were a legitimate purpose for requiring data retention. However, from the perspective of the ECtHR, for measures to be ‘in accordance with the law, they must be foreseeable, meaning the law must be formulated with sufficient precision to enable any individual – if need be with appropriate advice – to regulate their conduct’.Footnote ¹²² This ensures that there is adequate indication of the conditions and circumstances in which the authorities are empowered to resort to any such measures,Footnote ¹²³ thus allowing individuals to avoid exposure to unwelcome intrusions by the state.Footnote ¹²⁴ ‘Miscarriages of justice’ is not defined or explained, and thus lacks foreseeability.

The High Court also said that threats to national security would readily cross the threshold of seriousness. However, national security cannot, in and of itself, be used as justification for data retention. Judge Pettiti in Kopp stated that numerous European states have failed to comply with Article 8 by abusing concepts such as national security, by distorting its meaning and nature,Footnote ¹²⁵ with abuse by the UK well documented.Footnote ¹²⁶ The ECtHR has decided that in the area of national security, Member States only enjoy a certain margin of appreciation and thatFootnote ¹²⁷ the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to prevent arbitrary interferences.Footnote ¹²⁸ The ECtHR ruled that it was ‘significant’ that Russian law did ‘not give any indication of the circumstances under which an individual's communications may be intercepted on account of events or activities endangering Russia's national… security’.Footnote ¹²⁹ The High Court's assumption that a threat to national security in and of itself justifies data retention is problematic, as the IPA 2016 does not define national security in any way, nor are the circumstances in which it is to be relied upon clear.Footnote ¹³⁰ Thus, data retention on this ground is insufficiently clear for the purposes of the ECHR.

(e) Access only for serious crime, but what about retention?

When ruling that Part 4 of the IPA 2016 was incompatible with EU law because it did not limit access only to cases involving serious crime, the High Court yet again erred in its interpretation of Tele2 and Watson. The ECJ ruled that ‘only the objective of fighting serious is capable of justifying [data retention]’,Footnote ¹³¹ and failure to comply would also violate Article 8 of the ECHR.Footnote ¹³² Thus, when the High Court ruled that miscarriages of justice were sufficient to justify data retention, it was done in contravention of EU law and the ECHR. Additionally, an often overlooked aspect of the earlier ECtHR ruling in Klass and Others was where it ruled that ‘[s]ecret surveillance and its implications are facts that the Court, albeit to its regret, has held to be necessary, in modern-day conditions in a democratic society, in the interests of national security and for the prevention of disorder or crime’ (emphasis added).Footnote ¹³³ This demonstrates that not all the exemptions under Article 8 can be used to justify secret surveillance such as data retention.

This also creates another problem. If miscarriages of justice, for example, are a sufficient justification for data retention, why would the High Court then rule that access has to be limited to fighting serious crime? On the one hand, what would be the purpose of retaining data on the ground of miscarriages of justice, if that same data could not be accessed on that ground? On the other hand, if data is retained on the ground of miscarriages of justice and accessed on that same ground, this would go against the High Court's own ruling in limiting access to fighting serious crime. If data is retained on the ground of fighting serious crime but then accessed on the ground on miscarriages of justice, this creates issues of processing data for an incompatible purpose. Ben Emmerson QC and Helen Mountfield have stated that there would be a significant risk of a violation of Article 8 of the ECHR if communications data was not accessed for the purposes for which it was retained.Footnote ¹³⁴ This would also be a prima facie breach of the FirstFootnote ¹³⁵ and SecondFootnote ¹³⁶ Data Protection Principles, especially since communications data might contains sensitive personal data which would therefore narrow the scope for compatible use.Footnote ¹³⁷ Moreover, retaining communications data outside of what was permissible in Klass would not only violate Article 8 but also ‘contravene the lawful processing requirement of the First Data Protection Principle’.Footnote ¹³⁸

(f) Appropriate remedy and the potential chaos that could ensue?

The claimants advocated for a suspended disapplication, which the High Court noted ‘was a realistic and fair acknowledgement that, in this context, it cannot reasonably be expected that there should, immediately, be no legislation at all in place allowing retention of data that is needed to apprehend criminals or prevent terrorist attacks’.Footnote ¹³⁹ The High Court acknowledged that whatever remedy it granted, it should not have the effect of ‘immediately disapplying Part 4 of the 2016 Act, with the resultant chaos and damage to the public interest which that would undoubtedly cause in this country’.Footnote ¹⁴⁰ The word ‘chaos’ is probably borrowed from the defendants, who argued that disapplication would be a recipe for chaos.Footnote ¹⁴¹

A reason for the High Court not wishing to disapply Part 4 immediately is its assertion that there would be no legislation at all which permitted data retention.Footnote ¹⁴² This, however, is not true: the Budapest Cybercrime ConventionFootnote ¹⁴³ has been in force in the UK since 1 September 2011. This Convention principally concerns crimes committed via computer networks, but Article 14(2)(c) allows the UK to adopt measures to collect evidence of a criminal offence in electronic form. This does not appear to limit offences to those described in Articles 2–11 of the Cybercrime Convention, ie computer-related offences such as illegal interception, system interference etc. Additionally, Article 16 provides for data preservation, which is the alternative to data retention. This is not the only option available to the UK (see below). These points demonstrate that the High Court's position is effectively a strawman because immediate disapplication was not argued, and in any event, chaos would not ensue if Part 4 were to be immediately disapplied.

The High Court's reference to ‘chaos’ and ‘damage’ to the public interest is made without explaining how and why disapplying Part 4 of the IPA would have such a result. Such a position requires a critique. Prior to the DRIPA 2014, communications data retention had been voluntary (mandatory retention was repealed by section 105(1) two years after enactment) under section 102(1) of the Anti-terrorism, Crime and Security Act 2001 (although the Data Retention (EC Directive) Regulations of 2007 and 2009 required data retention to a lesser extent). Previous attempts at mandatory data retention, in the form of the draft Communications Data Bill was halted by the then partners to the Conservative Coalition, the Liberal Democrats.Footnote ¹⁴⁴ There was no ‘chaos’ or ‘damage’ to the public interest prior to DRIPA 2014, when data retention was voluntary, nor when the draft Communications Data Bill was rejected. When the High Court in Davis disapplied section 1 of DRIPA 2014 (albeit delayed for eight months),Footnote ¹⁴⁵ they felt it appropriate to give Parliament enough time to scrutinise and pass new laws,Footnote ¹⁴⁶ not because of any chaos or damage that would ensue following immediate disapplication.

The High Court appeared to act on the assumption that if data retention obligations were immediately disapplied, there would be no communications data available to be accessed. This is untrue, as the Home Office even admits that telecommunications operators sometimes already retain data for 12 months,Footnote ¹⁴⁷ and are willing to hand over usage and location data to the Government amidst the Coronavirus pandemic.Footnote ¹⁴⁸ One of the biggest telecommunications operators in the world, Google, stores ‘your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls’.Footnote ¹⁴⁹ The legal basis for this retention is questionable,Footnote ¹⁵⁰ but it highlights the fact that communications data could be accessed under section 61 of the IPA 2016 whether or not this data was in existence at the time, which means that telecommunications operators could be required to retain communications data on a ‘forward looking basis’Footnote ¹⁵¹ irrespective of any retention obligation. This also reiterates the point made by former reviewer of terror legislation, David Anderson, that ‘[c]ommunications data are frequently used in the course of fast-moving operations, in which access will often be needed to data in something close to real time’ (emphasis added),Footnote ¹⁵² thus the need for retention for 12 months weakens. Moreover, in the aftermath of the Madrid bombings,Footnote ¹⁵³ 9/11Footnote ¹⁵⁴ and 7/7, for the latter two, ISPs voluntarily preserved data.Footnote ¹⁵⁵ With regard to the 9/11 preservations, Detective Inspector Mike Ford of the National Hi-Tech Crime Unit said ‘I can assure you that the existence of the data has been of significant benefit and value’.Footnote ¹⁵⁶ This establishes the ready availability of communications data without any retention obligations. It also ignores the fact that communications data is collected in bulk by the intelligence agencies under the IPA 2016, Part 6, Chapter 2. Notably, the USA does not currently have data retention laws,Footnote ¹⁵⁷ but was still able to accumulate vast amounts of data, as Edward Snowden revealed. Additionally, the recent US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) ‘establishes a framework for permitting non-US law enforcement agencies to access communications data held by US operators [Microsoft, Google, Twitter, Facebook and others], and removes statutory prohibitions which might otherwise have prevented US operators from releasing the data’.Footnote ¹⁵⁸ The hyperbolic language of the High Court is unhelpful, misleading and too uncritically succumbs to the Government's position.

The High Court referred to ‘public interest’ without clarification. Was it in reference to fighting serious crime and stopping terrorism? If this indeed was the case, the High Court did so without acknowledging that privacy, in and of itself, is a public interest,Footnote ¹⁵⁹ which is specifically recognised in section 2(2)(d) of the IPA 2016. Privacy has a public value because it is necessary to the proper functioning of democratic political systems.Footnote ¹⁶⁰ The then Labour Government acknowledged that ‘the protection of privacy is in itself a public service’.Footnote ¹⁶¹ Privacy is a prerequisite for liberal democracies because it sets limits on surveillance by acting as a shield for groups and individuals.Footnote ¹⁶² Privacy underpins freedom of expression, religion, thought and conscious and assembly/association. It is not just an individual right, as data retention does not just affect individuals.Footnote ¹⁶³ Not acknowledging the public interest privacy serves seriously underestimates the fundamental nature and importance of privacy.

(g) Not general and indiscriminate data retention?

When considering whether Part 4 of the IPA 2016 permitted general and indiscriminate data retention, reference was made to the Court of Appeal's refusal to hold that it was permitted under the DRIPA 2014.Footnote ¹⁶⁴ The Court of Appeal's reasoning was unconvincingFootnote ¹⁶⁵ and their semantic reasoning (see below) indicated what they would have held with regard to Part 4.Footnote ¹⁶⁶ The claimants argued that Part 4 permitted general and indiscriminate data retention and should be referred to the ECJ, whereas the defendants argued that, read as a whole, Part 4 is compatible with EU law.Footnote ¹⁶⁷

The High Court deflected by noting that when ruling on general and indiscriminate data retention, the ECJ was referring specifically to Swedish law.Footnote ¹⁶⁸ However, the ECJ's ruling referred to ‘national legislation’Footnote ¹⁶⁹ and acknowledged that the question was whether general and indiscriminate data retention per seFootnote ¹⁷⁰ was compatible with EU law. Moreover, the Administrative Court referred only to traffic data,Footnote ¹⁷¹ whereas the ECJ also considered location data of all subscribers/users.Footnote ¹⁷² Thus, the ECJ's position is applicable to all EU Member States; Ni Loideain maintains that the ECJ were also considering UK law.Footnote ¹⁷³ The High Court then summarised the ECJ's ruling by saying that Member States ‘may adopt legislation which permits decisions to be taken for the targeted retention of data which is (a) sufficiently connected with the objective being pursued, (b) is strictly necessary and (c) proportionate’ (emphasis added).Footnote ¹⁷⁴ It appears that the High Court is cherry picking aspects of the ECJ's judgment. On the one hand, the ECJ was referring to Swedish law on the prohibition of general and indiscriminate data retention, and on the other, was referring to all Member States for targeted retention (which in and of itself implicitly rules out general and indiscriminate data retention for all Member States).

The High Court held that the ECJ's judgment did not require more detailed factors as it would be impracticable and unnecessary to set out in detail in legislation the range of factors to be applied, ie matters such as national security, public safety and serious crime.Footnote ¹⁷⁵ It is unclear why the High Court refers to public safety; though the ECJ does refer to serious threats to public security, this, however, is with regard to the links between the measure and objective evidence.Footnote ¹⁷⁶ The High Court did not explain why it would be impracticable and unnecessary to set out in detail the range of factors to be applied, considering the ECJ observed that national law must be clear and precise,Footnote ¹⁷⁷ which Part 4 is not.Footnote ¹⁷⁸ This also raises issues under the ECHR. The ECtHR has ruled that it is essential to have clear, bindingFootnote ¹⁷⁹ and detailed rules ‘especially as the technology available for use is continually becoming more sophisticated’.Footnote ¹⁸⁰ This is because, given the technological advances since the 1970s, ‘the potential interferences with email, mobile phone and Internet services as well as those of mass surveillance attract the Convention protection of private life even more acutely’.Footnote ¹⁸¹ What the High Court considered unnecessary and impracticable are requirements of both European Courts, with the ECtHR taking extra steps to explain why.

The High Court held that the combination of the scope and application of data retention measures and the minimum safeguards are designed to achieve effective protection against the risk of misuse of personal data.Footnote ¹⁸² Granted this echoes the ECJ's position, it overlooks the ECtHR's in that the mere storing of data relating to private life amounts to an interference with Article 8, and the subsequent use has no bearing on that finding.Footnote ¹⁸³ The misuse of personal data is secondary to it being generated and retained. The High Court distinguished the IPA 2016 from Swedish law in that the former does not ‘contain a blanket requirement requiring the general retention of communications data’.Footnote ¹⁸⁴ This is a semantic argument of ‘distinguishing a catch all power, and a power that can catch all, which of course, in any event, amount to the same thing’.Footnote ¹⁸⁵ The High Court relied on the statement that the Secretary of State will only issue a retention notice if it is necessary and proportionate as being in line with EU law.Footnote ¹⁸⁶ This, however, directly contradicts a previous ruling on DRIPA 2014 (which too had the requirements of necessity and proportionality)Footnote ¹⁸⁷ in which both parties in that case accepted it permitted a ‘general retention regime’.Footnote ¹⁸⁸ This was partly due to the secrecy of the contents of a retention noticeFootnote ¹⁸⁹ which is repeated in section 95(2)-(4) of the IPA 2016.

The High Court then argued that it would be difficult to conceive how the tests of necessity and proportionality could require the retention of all communications data because of the wording of ‘all data’ in the IPA 2016.Footnote ¹⁹⁰ This, again, contradicts a previous ruling in that the High Court accepted that DRIPA 2014 permitted a ‘general retention regime’ which included the use of ‘all data’Footnote ¹⁹¹ and that ‘the retention notices issued under it may be as broad in scope as the statute permits, namely a direction to each CSP to retain all communications data for a period of 12 months’.Footnote ¹⁹² The High Court's reasoning in Liberty acts on the assumption that surely the UK would not do such a thing. However, a ‘power on which there are insufficient legal constraints does not become legal simply because those who may have resort to it, exercise self-restraint. It is the potential reach of the power rather than its actual use by which its legality must be judged’.Footnote ¹⁹³ This is precisely what Cobbe argues, stating that:

It has been argued that section 87(2)(a) and (b) theoretically allows for the possibility that ‘all operators in the UK [being] required to retain all data of users and subscribers’Footnote ¹⁹⁵ and should be treated as a blanket and indiscriminate power.Footnote ¹⁹⁶ In Liberty v UK the UK Government accepted that section 3(2) of the Interception of Communications Act 1985 allowed ‘in principle, any person who sent or received any form of telecommunication outside the British Islands during the period in question could have had such a communication intercepted’.Footnote ¹⁹⁷ The ECtHR regarded this power as unfetteredFootnote ¹⁹⁸ and not ‘in accordance with the law’Footnote ¹⁹⁹ despite there being requirements of necessityFootnote ²⁰⁰ and a duty to take into account whether other means could be utilised to gain the information.Footnote ²⁰¹ This demonstrates that adding ‘necessary’ and ‘proportionate’ in the terminology of a power does not guarantee its compliance with the ECHR. The High Court's reasoning also highlights yet another misinterpretation of EU law, in that the ECJ did not rule that general and indiscriminate data retention would be unlawful because it can be required, but because it can be provided. The IPA 2016 does not require general and indiscriminate data retention, but it makes that option possible. This reiterates the point that a law should be judged on its possibility and not on the assumed good faith of those who exercise it. Moreover, the High Court assumed that Part 4 of the IPA 2016 would only be unlawful if it did require a ‘catch all’ power. This is incorrect; the Liberty v UK case highlights that unlawfulness was found even though the measure did not concern a single communication within the UK. Additionally, in S and Marper v UK, the ECtHR ruled that blanket and indiscriminate biometric data retention of suspects violated Article 8.Footnote ²⁰² This demonstrated that general and indiscriminate powers need not affect everyone (just a section of people) to be considered unlawful.

The High Court then incorrectly claimed that section 87(2)(b) of the IPA 2016 relates to ‘a description of data’ and not simply to ‘all data’.Footnote ²⁰³ The correct construction of section 87(2)(b) refers to ‘any description of data’, meaning any or all data could be retained, and not a description of data. This construction underestimates the breadth of what can be retained. The High Court made the same error when it came to telecommunications operators, in that a retention notice may relate to ‘a particular operator or to a description of operators’.Footnote ²⁰⁴ Section 87(2)(b) actually refers to ‘any’ description of operators. The suggestion here is that if a retention notice is issued to one telecommunications operator, because section 87(2) ‘list[s] the elements which may be used when delineating the content and scope of a retention notice so as to satisfy the necessity and proportionality tests in any particular case’,Footnote ²⁰⁵ this would be human rights compliant. However, when this is examined further, the problematic approach of the High Court becomes clear. Using the example of BT, which has over nine million broadband subscribers,Footnote ²⁰⁶ would a retention notice requiring BT to retain all the communications data of its subscribers be considered necessary and proportionate by the High Court? After all, BT is but one telecommunications operator, and thus could not retain communications data on every UK broadband subscriber, and therefore the requirement would not be general and indiscriminate, according to the High Court. Another example is Facebook, which dominates the social media sphere, owning Facebook, Facebook Messenger, WhatsApp and Instagram which rank 1^st, 3^rd, 4^th and 6^th respectively for the most used social networks in the UK.Footnote ²⁰⁷ The percentage of people aged 18 or over in the UK who use Facebook is 79%, with Facebook Messenger tallying 68%, WhatsApp 58% and Instagram 41%.Footnote ²⁰⁸ The exact number of the population in the UK as a whole that use Facebook and its various subsidiaries is not clear, but the Code of Practice indicates that it may not (meaning that it can) ‘be necessary and proportionate to retain data in relation to all communications services provided by a company’.Footnote ²⁰⁹ This demonstrates that if it was deemed necessary and proportionate, Facebook and all its subsidiaries, which is utilised by a substantial portion of the adult UK population, could retain all communications data associated with use of its services. This does not even consider the use of Facebook's services by those under the age of 16Footnote ²¹⁰ and the fact that retention notices have extraterritorial effect through section 97 of the IPA 2016. As of November 2018, the Home Office only admitted issuing fewer than 25 retention notices under section 87,Footnote ²¹¹ which could still cover the vast majority of the UK population.Footnote ²¹² However, this mass retention (which is not necessarily all encompassing) is as much a problem for the ECJ as it is for the High Court, for example, in relation to geographical data retention,Footnote ²¹³ as S and Marper demonstrates that ‘data retention measures that are general and indiscriminate within a group can still be unlawful’.Footnote ²¹⁴

The High Court next referred to the 12-month retention limit,Footnote ²¹⁵ but this only serves to highlight the constant inference that retention notices will be renewed on a yearly basis. The High Court also referred to matters to which the Secretary of State must have regard in section 88(1), such as the benefits of the notice, number of users affected, costs etc, as well as taking reasonable steps to consult the relevant telecommunications operator (see section 88(2)). As to the former, the Secretary of State could still issue the intended retention notice despite having regard to those matters, and as to the latter, there is no obligation to actually consult a telecommunications operator.

The High Court next considered the role of JCs in approving retention notices based upon the Secretary of State's conclusions,Footnote ²¹⁶ ie ‘in deciding whether to approve a decision to issue a warrant, the Judicial Commissioners will ask themselves whether the Secretary of State's decision to issue a warrant’ (emphasis added) is necessary and proportionate.Footnote ²¹⁷ This is problematic, as there is ‘no obligation on the Secretary of State to make a full and frank disclosure and therefore, the [Commissioners] … could be misled (accidently or deliberately)’.Footnote ²¹⁸ The JCs could therefore be ‘given a summary [of] a summary of a summary of a summary of a summary of the original intelligence case’.Footnote ²¹⁹ The ECtHR has ruled that it is essential that the supervisory body has ‘access to all relevant documents, including closed materials and that all those involved in interception activities have a duty to disclose to it any material it required’.Footnote ²²⁰ This is currently not an obligation under the IPA 2016.

The High Court then referred to the fact that JCs apply the principles of judicial review to authorisations.Footnote ²²¹ The issue of whether the JCs will apply Wednesbury principles has been subject to debate.Footnote ²²² The IPC has indicated that when human rights issues arise, the necessity and proportionality tests of the ECHR and EU law will apply instead of Wednesbury.Footnote ²²³ This statement was only advisory, and thus not a true safeguard,Footnote ²²⁴ and therefore the JC's role is not one of genuine independent oversight.Footnote ²²⁵ Additionally, the IPC and JC's independence is threatened not only by the executive/legislature, but by themselves;Footnote ²²⁶ this in turn would fail the test of independence required by the ECHR and EU law. It also raises an interesting question: when there is recourse to the IPA 2016, when would there not be human rights issues for Wednesbury to apply? The IPC did not elaborate on this, leaving the situation unsatisfactorily unclear.

The High Court next examined the general duties of JCs under section 2 of the IPA 2016.Footnote ²²⁷ The first of these concerns having regard to whether there are less intrusive measures to achieve the objective. It is submitted that there is one such measure: data preservation. But that is not possible under the IPA 2016 (unless one considers section 61 a form of preservation). The second duty concerns the level of protection provided to sensitive information, which is a much narrower category than the ‘sensitive/special personal data’ found within Article 9 of the General Data Protection Regulation, as it includes only legally privileged material, journalistic sources, communications with Members of Parliament etc. This is problematic, as the JCs cannot have regard to this sensitive information because – as noted by the Bar Council and Law Society – the problem with bulk communications data retention is that it does not prevent legally privileged data from entering the ‘pool’ in the first place.Footnote ²²⁸ This was a position the defendants implicitly accepted,Footnote ²²⁹ and is the position of the ECJ.Footnote ²³⁰ Jessica Sobey has argued that ‘[k]nowing who a lawyer contacts, when the contact was made and even where the point of contact was in geographical terms at the time, can be enough to represent a material breach of privilege’.Footnote ²³¹ The Law Society and Bar Council argued that ‘new legislation should prevent an obligation being placed on service providers to retain data relating to communications to or from users known to be professional legal advisers’.Footnote ²³² This was a position endorsed by Advocate General Øe,Footnote ²³³ and perhaps something the High Court should have given more consideration to, irrespective of the actions of the claimant.Footnote ²³⁴ With regard to journalistic sources, the United Nations Educational, Scientific and Cultural Organization (UNESCO) stated that even when journalists encrypt content, they may neglect to encrypt the communications data, which means they still leave behind a digital trail when they communicate with their sources, thus making them identifiable.Footnote ²³⁵ Moreover, the ECtHR has stressed that where sensitive personal data is involved, it should attract ‘a heightened level of protection’.Footnote ²³⁶ It is difficult to agree with the High Court that section 2 of the IPA 2016 provides a sufficient safeguard, when that Court is unwilling to consider the threats Part 4 poses to journalism and the legal profession, to name but a few.

The High Court next noted that telecommunications operators can refer a retention notice back to the Secretary of State, which would then require approval by the IPC,Footnote ²³⁷ and that Part 4 and section 2 of the IPA 2016 allow a range of factors to be taken into account before a retention notice is issued.Footnote ²³⁸ The High Court summarised Part 4 by saying that it did ‘not think it could possibly be said that the legislation requires, or even permits’Footnote ²³⁹ a general retention regime. This opinion proves problematic when a series of questions are asked. Can the Secretary of State issue a general and indiscriminate retention notice if it is deemed necessary and proportionate? (It can, see above reference to n 209.) Can a JC approve this? Can this be approved by the IPC after a referral by the telecommunications operator? If the answer is yes, then what? This emphasises that all the factors to be considered do not change the operation of the power itself. If the answer is no, where does Part 4 expressly prevent this? What is stopping the Commissioners from authorising general and indiscriminate data retention (whether on all, or on a group) if it is considered necessary and proportionate? The answer is that there is nothing to prevent this, and this is an escapable fact to which the High Court refused to address. The High Court's position is not only incorrect, but also contradicts its previous position, and the High Court does not adequately explain (see below) this complete reversal. This issue is not a matter of whether general and indiscriminate data retention will occur, but importantly, can it. The ECtHR has maintained that it would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed in terms of an unfettered power.Footnote ²⁴⁰ Thus it would be unlawful even if retention notices are approved by Commissioners.

The High Court justified its departure from its previous ruling on data retention by arguing that:

The High Court essentially argued that even if its previous ruling was correct, the IPA 2016 is somehow different from DRIPA 2014 – despite the relevant wordings being identical –without explaining why it should be construed differently. Remarkably, the High Court decided that it was not important how the law might be or is operated based on evidence, but upon this notion of the ‘proper interpretation’ of an ‘objective question of law’. What does this mean? If the High Court is hiding behind the notion of objectivity, why is it that it ‘thinks’ Part 4 is not a general retention regime, whereas the DRIPA 2014 did permit this? Does ‘proper interpretation’ include overlooking the relevant ECtHR jurisprudence? The ECtHR not only considers measures applying the law, but the law itself,Footnote ²⁴² in consistently holding that:

The High Court's position is in contrast with that of the ECtHR in that the lawfulness of secret surveillance can be judged either in abstracto or where an individual can claim to be an actual subject of surveillance. With the former, a risk of being subject to surveillance need not be demonstrated; with the latter, only a potential risk need be demonstrated.Footnote ²⁴⁴ The High Court also overlooked the possibility of secret interpretations of the law,Footnote ²⁴⁵ of which the UK's intelligence agency has already been found guilty.Footnote ²⁴⁶

Whether retention notices apply to all or one telecommunications operator, to retain all or some communications data, this permits the ‘automatic storage for six months of clearly irrelevant data’ which ‘cannot be considered justified under Article 8’.Footnote ²⁴⁷ This demonstrates that even a six-month retention period is unacceptable to the ECtHR, which highlights the problem with the 12-month retention period. This position is strengthened by the Opinion of Advocate General Øe, where he noted that ‘[t]he disadvantages of general data retention obligations arise from the fact that the vast majority of the data retained will relate to persons who will never be connected in any way with serious crime’ (emphasis added).Footnote ²⁴⁸

(h) The amendments

The Data Retention and Acquisition Regulations 2018Footnote ²⁴⁹ amend the IPA 2016 by inserting a new section 60A, which provides the power for the Investigatory Powers Commissioner to grant authorisations to obtain communications data. Section 60A(7)(b) permits communications data to be obtained for ‘the applicable crime purpose’. This is defined in s 60A(8) as meaning:

1. (a) where the communications data is wholly or partly events data, the purpose of preventing or detecting serious crime;

2. (b) in any other case, the purpose of preventing or detecting crime or of preventing disorder.

This allows events data to be accessed for serious crimes, whereas entity data can be accessed for regular crime and disorder. Similarly, the 2018 amending Regulations amend section 87 of the IPA 2016 by inserting section 87(10A), which includes an ‘applicable crime purpose’ for a retention notice which has the same meaning as in section 60A(8). Thus, the threshold for retaining entity data is lower than that for events data.

Criticisms of this definition of serious crime, such as the 2018 amending Regulations failing to satisfy the requirements of Digital Rights Ireland by creating ‘precisely defined serious offences’, will not be set out in detail here.Footnote ²⁵⁰ However, it is important to note that, as argued above, entity data not only falls within the scope of EU law and the ECJ's judgments on data retention, the definition of entity data in the IPA 2016 confirms this. This is contrary to EU law; the ECtHR in Big Brother Watch stated:

Whilst the ECtHR also found a violation of Article 8 because the Regulation of Investigatory Powers Act 2000 lacked authorisation by a court or an independent administrative body, it emphasised that where there is a conflict between domestic and law and EU law, the latter has primacy.Footnote ²⁵² Allowing entity data to be retained for the purpose of ‘preventing or detecting crime or of preventing disorder’ is on its own merits a separate conflict between UK and EU law. Like the ECJ, the ECtHR did not distinguish between the types of communications data and confined its judgment to any data retained by communication service providers. Therefore, failing to confine the retention and access to retained data to serious crimes cannot be said to be ‘in accordance with the law’ within the meaning of Article 8. This would also demonstrate that purposes such as miscarriages of justice (see above) and the amendments to section 22 of the Regulation of Investigatory Powers Act 2000Footnote ²⁵³ would be contrary to EU law and the ECHR.

Additionally, in Big Brother Watch, the ECtHR stated that ‘[n]o interference can be considered to be “in accordance with law” unless the decision occasioning it complies with the relevant domestic law’.Footnote ²⁵⁴ The 2018 amending Regulations were made under section 2(2) of the European Communities Act 1972 and paragraph 4(3) of Schedule 7 to the IPA 2016. However, Schedule 7 applies to codes of practice rather than regulations. The correct legal basis on which to make regulations by way of statutory instrument (which is what the 2018 amending Regulations are) is via section 267(1)(a) of the IPA 2016. Therefore, the legal basis on which 2018 amending Regulations are created is not legally sound. Moreover, as noted above, the definition of entity data within the IPA 2016 places it within the scope of EU law and the ECJ's judgments; therefore, the 2018 amending Regulations are ultra vires the IPA 2016. In this instance, the UK has not observed its own laws, first, by creating regulations on an incorrect legal basis, and second, by said Regulations being ultra vires their parent statute with regard to entity data. The UK's failure to observe its own laws would also violate Article 8.Footnote ²⁵⁵ Finally, the Code of Practice notes that the IPA 2016 ‘provides that persons exercising any functions to which this code relates must have regard to the code, although failure to comply with the code does not, of itself, make a person liable to criminal or civil proceedings’ (emphasis added).Footnote ²⁵⁶ This makes it clear that the Code of Practice is not binding, which again is contrary to what the ECtHR has established with regard to measures of secret surveillance.

Additionally, Regulation 5 set up the Office for Communications Data Authorisations (OCDA). However, the OCDA does not deal with all communications data requests (as the IPC still deals with some). The OCDA is also insufficiently independent, given the lack of transparency regarding its appointments. This would ultimately fall foul of the ECHR and EU law,Footnote ²⁵⁷ highlighting that even with changes, they are still insufficient.