Much ink has been spilt of late over the mass surveillance programs run by western intelligence agencies. A separate, but related, matter of concern for privacy campaigners has been legislation permitting the government to order the retention of communications data by service providers. Following a successful legal challenge, British constitutional law enthusiasts were treated recently to the novel spectacle of the English High Court disapplying legislation in R(Davis and others) v SSHD  EWHC 2092.
In the UK the Westminster Parliament remains sovereign and the courts are not permitted to strike down primary legislation. The exception, to a limited extent (by way of the famous case of Factortame (No.2)), is where UK law conflicts with EU law.
The slightly convoluted legislative background to Davis is as follows. The EU Data Retention Directive of 2006 (DRD) enabled European governments to require the retention of any and all communications data by companies, for a period of up to two years. Communications data essentially comprises the who, what, when and where of communications but not their content (i.e. the text in a message or the words of a conversation).
Then, in 2009 the EU Charter of Fundamental Rights came into force, specifying and entrenching the rights that will be protected by the EU, including, but not limited to, those protected under the European Convention on Human Rights. Among these are the right to a private life (Article 7) and a right to protection of personal data (Article 8).
Unsurprisingly, the extensive powers afforded to the state under the DRD conflicted with the aforementioned Charter rights and in the Digital Rights Ireland case the Court of Justice of the European Union invalidated the DRD.
Faced with the possibility of companies deleting en masse data which they regarded as being now unlawfully retained, the British government, in line with many of its European counterparts, rushed through legislation to provide some legal basis for retention until the whole mess could be sorted out. This was the Data Retention Investigatory Powers Act 2014 (DRIPA), which passed through Parliament in the space of a mere 48 hours, angering some MPs and civil liberties groups. It purported to be a clarification of the law in light of the CJEU’s ruling.
The challenge to DRIPA, spearheaded by MPs David Davis and Tom Watson, thus brings us full circle. It is the national analogue of the challenge in Digital Rights Ireland, and argument focused on its correct interpretation. The claimants argued that the CJEU were indicating the safeguards required for data retention legislation to be compatible with EU law. The defendant essentially advanced various arguments about why that interpretation was over-broad, relying on, among other things, David Anderson QC’s recent report into surveillance legislation. This cut little ice with the court, which found that compliance with the Charter required a system of adequate safeguards including (at ):
· Rules to protect the individual against the risk of abuse or unlawful access to data;
· Access only being granted for dealing with precisely defined serious offences;
· Access to retained data by a public authority being subject to prior review by a court or other independent body.
Accordingly, the power to order the retention of data under s.1, DRIPA was inconsistent with EU law to the extent that it did not provide for such safeguards.
It is a striking decision, but unlikely to result in a virtual bonfire of the hard drives at Google or BT. At least, not yet. The order suspends the disapplication of DRIPA until 31 March 2016, which gives the government time to re-fashion the law as promised in this year’s Queen’s Speech. The Act in any case has a sunset clause automatically repealing it at the end of 2016.
This case highlights the complex interplay between UK and EU law and the growing importance of the Charter, which may be directly relied upon to attack UK laws that lie within the scope of EU law.
It also highlights the increasing strength of data protection rights, which through the Charter gain a life outside of the four corners of the Data Protection Act 1998 and whatever gets included in the upcoming General Data Protection Regulation currently being negotiated in Brussels. Such rights have for some years been a tool in the arsenal of private law claimants in defamation and privacy claims, coming to prominence in the recent Google Spain case on the ‘right to be forgotten’. Davis indicates that their reach now extends to constitutional law matters at the highest level.