What are Drip and Ripa – is the UK’s ’emergency’ new snooping law legal?

The prime minister has secured backing from all the three main parties to rush through new “emergency surveillance legislation”. David Cameron has said that urgent action was needed to maintain existing snooping powers after the European Court of Justice (ECJ) ruled existing powers were unlawful.

The ruling meant that the government needed to pass a new law to force communications companies to keep holding data. The government says new laws introduce nothing new, but they do allow the government to keep doing something that the ECJ ruled was illegal.

Where does this law come from? What does it allow?

The Data Retention (EC Directive) Regulations, introduced by the Labour government in 2009, obliged mobile phone and internet companies to keep communications data for 12 months.

That data includes the who, where and when of phone calls, emails and text messages but crucially not the content of the communication. This information is known as metadata and the government says it is used to track terrorists and paedophiles.

Most people will have information such as the time and location of a phone call stored, but where a target is identified additional monitoring can be requested. This allows security agencies to listen to phone calls and other communications but all interceptions require a warrant.

This bill does not include the monitoring, interception and spying carried out by GCHQ, which is entirely separate.

These powers have been in use in the UK since 2009 and the government has stressed that it is no introducing anything new, but critics have argued that it shouldn’t be rushing through such important legislation without proper scrutiny and review.

Why is this an emergency?

Following the ECJ ruling that the current powers were unlawful communications companies said they would stop collecting and storing the data used by law enforcement agencies. The prime minister said the situation was approaching a cliff edge, at which point the data would no longer be retained.

As a result of this the government will rush through emergency new laws to allow it to continue collecting communications data of everyone living in the UK.

So there’s nothing new in the bill?

The new bill, known as the Data Retention and Investigation Powers (Drip) Act is being rushed in with the notion that it is reinstating existing powers, but some have argued that it will actually expand state surveillance.

It appears to allow for data interception warrants to be issued to communications companies outside the UK, something that wasn’t possible before. This forms part of the separate Regulation of Investigatory Powers Act.

The government has waved away suggestions that it is trying to sneak in new powers by saying that it already had them but that they were poorly explained.

“Some companies based outside the United Kingdom, including some of the largest communications providers in the market, have questioned whether the legislation applies to them. These companies argue that they will only comply with requests where there is a clear obligation in law,” a note explains.

By clearly expanding its ability to request data from companies outside of the UK the government would substantially increase its surveillance capabilities.

Concerns have been raised that changes in Drip would make it possible to order communications companies to collect and store “all data or any description of data”. Precisely what this means is unclear and accompanying notes say this is only metadata. Critics have argued that the vague and wide-ranging nature of the wording mean it is open to confusion and possibly abuse. 

Critics have argued that such complex details make it essential that Drip is subject to full scrutiny and debate, something that the government is keen to not allow.

How can the government get away with this?

The ECJ ruled that existing legislation was unlawful, forcing the government into this shock move. In its ruling against the Data Retention Directive it said that any new legislation must be proportionate, transparent, subject to oversight and targeted.

It is up to the government to prove that the new legislation falls within these guidelines.

Is it legal?

That’s the big question. According to Steve Peers, professor of EU law and human rights law at the University of Essex, it isn’t:

“The provision in the draft Bill to permit a requirement to collect ‘all’ data is inherently suspect, and it would certainly be a breach of EU law to require telecom providers to retain all traffic data within the scope of the e-privacy Directive without some form of further targeting.

“The government’s intention, as manifested by the Bill, to reinstitute mass surveillance of telecoms traffic data is a clear breach of the EU Charter of Fundamental Rights,” he explained.

Jim Killock, outspoken executive director the Open Rights Group said the privacy organisation was threatening legal action:

“The government knows that since the CJEU [court of justice of the EU] ruling, there is no legal basis for making internet service providers retain our data so it is using the threat of terrorism as an excuse for getting this law passed.

“The government has had since April to address the CJEU ruling but it is only now that organisations such as ORG are threatening legal action that this has become an ‘emergency’. Blanket surveillance needs to end. That is what the court has said.”

The government has said that additional protections in the new legislation make it safer than what was previously in place. Despite the ECJ ruling that the Data Retention Directive was unlawful that decision only affected the EU directive and not any national legislation such as Drip.

As the previous UK data retention directives were a copy of the EU-wide legislation the government had to create new, similar legislation to allow it to continue the collection and retention of communications metadata. This, the government says, makes it legal.

What’s the good news?

In order to rush through this new legislation a number of concessions have been made. The bill has a two-year sunset clause that will force parliament to revisit it after the next election. A full review of Ripa will also take place in 2016. Both reviews could allow for much-needed debate about the scope and scale of state surveillance.

A new board will also be appointed, with the aim of ensuring that counter-terrorism legislation doesn’t erode our human rights and civil liberties. Agencies using surveillance data will also release annual transparency reports in a big expansion of the current oversight on government snooping.

Finally a senior diplomat will be appointed to meet with the US government and the world’s biggest internet companies to create a new cross-border agreement on the sharing of data and international surveillance. Such a debate is crucial as recent revelations have shown that current laws do not adequately protect our data and privacy.

What are the criticisms?

That it is illegal, that it is being rushed through without sufficient oversight, that it ignores the ECJ ruling, that it isn’t really an “emergency”, that it infringes our liberty and that the government is using the threat of terrorism to scare people and justify it introducing draconian snooping laws.

Outspoken critics of the emergency legislation range from MPs to privacy advocates and some of the internet’s most important figures.

Jimmy Wales, founder of Wikipedia said it was crucial that a “proper debate” was allowed to take place:

“They [the government] have known of this problem for weeks, and there is no reason to rush through legislation without appropriate public and parliamentary scrutiny.”

Shami Chakrabarti, director of privacy advocacy group Liberty said that the legislation allowed the government to snoop not just on suspects but on everyone:

“We are promised greater scrutiny and debate but not until 2016, as it seems that all three party leaders have done a deal in private. No privacy for us and no scrutiny for them. Will Clegg and Cameron’s ‘debate for the future’ really comfort voters and companies today?”

Tory MP David Davies accused the government of creating a “theatrical emergency” to rush through the new legislation.

Labour MP Tom Watson published a blog calling on parliament to block the new legislation until a proper debate can be had.

“Regardless of where you stand on the decision of the European Court of Justice, can you honestly say that you want a key decision about how your personal data is stored to be made by a stitch up behind closed doors and clouded in secrecy?” he said.

And the defence?

Home secretary Theresa May says that lives will be lost if the legislation does not go through, with David Cameron repeatedly saying that it was essential to track and catch “terrorists, paedophiles and criminals”.

David Cameron warned that the “consequences of not acting are grave”.

“I want to be very clear that we are not introducing new powers or capabilities – that is not for this parliament. This is about restoring two vital measures ensuring that our law enforcement and intelligence agencies maintain the right tools to keep us all safe.

“As events in Iraq and Syria demonstrate, now is not the time to be scaling back on our ability to keep our people safe. The ability to access information about communications and intercept the communications of dangerous individuals is essential to fight the threat from criminals and terrorists targeting the UK.”

Deputy prime minister Nick Clegg said that the new legislation did not form part of the hugely controversial and apparently ditched ‘snooper’s charter’ that sought to expand state surveillance to unprecedented new levels.