Following the tragic events in Paris on Friday 13^th November, as well as the numerous other attacks that have taken place across the world in recent times, global leaders are ever anxious to find new means of identifying potential risky behaviour, an undertaking that has turned itself towards the digital world.

The ‘Snooper’s Charter’

Last month the Home Office published a draft of the Investigatory Powers Bill (more popularly known as the ‘Snooper’s Charter’) which, if passed into law, would require all internet service providers and telecommunications companies to keep records of most, if not all, of the online activities of their customers. The data that would be included within these records is set to include browsing history, email messages, SMS messages, duration and subject of phone calls and other associated activities. Whilst there are compelling reasons for passing such a law – aiding the prevention of future atrocities organised online being one – it is arguable as to whether subjecting the communications of each UK individual to the scrutiny of a security agent is a step too far.

The Data Retention and Investigatory Powers Act 2014 (DRIPA)

An earlier act of a similar nature, The Data Retention and Investigatory Powers Act 2014 (DRIPA) was ruled incompatible with EU law in the case of Digital Rights Ireland and Seitlinger and Others. Here the European Court of Justice ruled that requiring internet service providers and telecommunications companies to hold customer communications and activity on record presented an interference with both the right to a private life (Art. 8 of the European Convention on Human Rights) and the right to data protection (European Directive 95/46/EC). In the case of both rights, the court held that although the act represented an important national interest (DRIPA 2014 was also borne out of a desire to prevent acts of terrorism and crime), it was not a proportional response to the situation – in other words, the act may have been a kneejerk reaction to current events. Whilst there is arguably now a greater general interest in aiding the prevention of terrorism and organised crime than in 2014, the argument still remains that passing such a law may prove a regrettable kneejerk reaction to a series of terrible events, ultimately leading to the loss of rights for individuals and businesses alike.

Why the Investigatory Powers Bill might be of concern

While infringing upon the rights of the individual is concerning, it can be argued that monitoring communications is a necessary step in fighting back against terrorism and crime. What perhaps cannot be excused, in the current draft of the Investigatory Powers Bill, is the means by which the data retained by communications companies would be called for review. The draft as first published in early November 2015 allows communications data to be reviewed by the authorities by way of a warrant issued by government ministers, NOT the judiciary. This means, in effect, that the way your data and indeed the data of your company is handled would be dictated by a government official and would not be subject to judicial scrutiny. There is always a danger in politicising decisions such as how to handle and collect the sensitive data of individuals, as without the safety net of judicial scrutiny, politicians are free to use the law to achieve their own goals. Historically, legislation passed in times of crisis is rarely repealed once the crisis has passed (the Terrorism Act 2006, for example) and so we should question whether we are willing to diminish our civil liberties, rights to privacy and expression in the light of increasingly invasive government powers.

Overall there are compelling arguments for both sides of the coin, but in the meantime there is little sense in panicking. The best course of action, from a business perspective, is to review your current data protection policy and continue to handle client/personal data in a legal and efficient way. If you’d like help with this please get in touch.

Callum Sommerton
Devant