Report of the Independent Surveillance Review
4.29
79
Thirdly, a final criticism relates to the application of powers under RIPA 2000, in terms of
the number of organisations having access to these powers and the alleged abuse of these
powers by certain public-sector bodies. Following allegations of the use of RIPA powers
by the police to obtain journalistic material, and by local councils to ‘spy’ on citizens for
perceived minor offences, the House of Commons Home Affairs Committee published a
review of RIPA 2000 in December 2014 which concluded that it was ‘not fit for purpose’.14
Its main criticisms focused on the lack of information recording, and the level of secrecy
surrounding the use of RIPA 2000, which ‘allows investigating authorities to engage in
acts which would be unacceptable in a democracy, with inadequate oversight’.15
European Directives and the Digital Rights Ireland Case
4.30
The RIPA legislation that provides government agencies with powers to intercept or
acquire an individual’s communications via a CSP is separate from the legal obligation of
the latter to retain communications data for the purpose of investigation, detection and
prosecution of serious crime and terrorism.
4.31
In the UK, under the Anti-Terrorism, Crime and Security Act 2001, telecommunications
operators were asked to retain information on a voluntary basis with the understanding
that they would be reimbursed for retaining and handing over data beyond their normal
operations. A code of practice setting out the voluntary agreement was created through
the Retention of Communications Data (Code of Practice) Order 2003.16
4.32
In the wake of the terrorist attacks in Madrid in 2004 and London in 2005, the EU
adopted Directive 2006/24/EC, which imposed obligations on member states to adopt
measures to ensure that communications data generated or processed by CSPs within
their jurisdiction be retained for periods of between six months and two years (leaving
it up to individual member states to decide their own retention periods within these
limits).17 The Directive was careful to note that CSPs were not being required to collect
information that they did not already collect.18
4.33
This Directive was transposed into UK law by way of secondary legislation in 2009, the
Data Retention (EC Directive) Regulations 2009 SI 2009/859. This made the retention
of data by CSPs mandatory for twelve months (though CSPs may have their costs
reimbursed). The regulations created the power for the home secretary to require CSPs,
by notice, to retain communications data that they already held for business purposes
for a period of twelve months.19
14. Home Affairs Committee, ‘Regulation of Investigatory Powers Act 2000’, Eighth Report of
Session 2014–15, HC711, p. 11.
15. Ibid., p. 11.
16. Ward and Horne, ‘Interception of Communications’, pp. 5–6.
17. Ibid., p. 5.
18. Ibid., p. 6.
19. Liberty et al., ‘Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article
19 and English PEN Briefing on the Fast-Track Data Retention and Investigatory Powers