In this post, Web Foundation CEO Anne Jellema reflects on the UK’s just-passed DRIP Bill and on a recently published UN Report on Human Rights Online.
Late yesterday, just days after it was introduced to parliament, the ‘emergency’ Data Retention and Investigatory Powers Bill (DRIP Bill) was given Royal Assent. Just one day earlier, the Office of the United Nations High Commissioner for Human Rights published a report entitled “The right to privacy in the digital age”. When read alongside each other, these two documents demonstrate just how shocking the DRIP Bill is, and highlight how far the UK has drifted from being a global human rights leader.
The UN’s report, compiled on the basis of expert submissions from countries, businesses and civil society (disclosure: the Web Foundation prepared a joint submission to the High Commissioner) slams mass surveillance programmes, including those which collect metadata. Here are just four ways in which the DRIP Bill seems to be in violation of the standards set out in the UN report.
1. The very existence of a bulk collection programme could violate the right to privacy.
The UN report asserts that “Even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association …. The onus is on the State to demonstrate that such interference is neither arbitrary nor unlawful.” It then goes on to note that: “Mandatory third-party data retention– … where Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location … – appears neither necessary nor proportionate.”
Yet enabling mandatory third party data retention is exactly what DRIP will do. The Bill requires the Secretary of State to conduct a benefit analysis before issuing a ‘retention notice’, and we wait with interest to see if such analyses will be publicly shared and demonstrably not ‘arbitrary or unlawful’.
2. Collecting ‘only’ metadata is still a violation of the right to privacy
The UN report also demolishes the argument that collecting ‘metadata’ (information such as the date and time of an email or call) is less invasive than collecting the actual content of communications. The report notes that: “the aggregation of information commonly referred to as “metadata” may give an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication. As the European Union Court of Justice recently observed, communications metadata “taken as a whole may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.”
In presenting the Bill to the House of Commons, the UK Home Secretary Theresa May went to pains to make a division between metadata and interception (content). However, any suggested inference that collecting metadata is somehow less harmful than collecting the full content of communications is blown out of the water by the UN report.
3. The Bill is overly broad
The UN report is crystal clear on the need for laws that could violate the right to privacy to be very specific. It says: “The State must ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that (a) are publicly accessible; (b) contain provisions that ensure that collection of, access to and use of communications data are tailored to specific legitimate aims; (c) are sufficiently precise, specifying in detail the precise circumstances in which any such interference may be permitted, the procedures for authorizing, the categories of persons who may be placed under surveillance, the limits on the duration of surveillance, and procedures for the use and storage of the data collected.”
The DRIP Bill certainly does not spell out the categories of people who could be placed under surveillance. Unless the answer is everyone?
4. Businesses may be forced to contravene human rights standards
We’ve already covered the fact that mandatory third party data collection is neither necessary nor proportionate. The UN report also warns that companies which supply such data to the State, even in response to an official government request, “risk being complicit in or otherwise involved with human rights abuses.” It goes on to recommend that companies“adopt an explicit policy statement outlining their commitment to respect human rights throughout the company’s activities. They should also have in place appropriate due diligence policies to identify, assess, prevent and mitigate any adverse impact.”
DRIP places companies in an invidious position. In complying with UK data requests, they could be seen to be in violation of internationally accepted human rights best practices, damaging not only their reputation but also their bottom line in other countries.
Where to from here?
Ordinary people and Web users have been left without a voice or adequate democratic safeguards this week. Clearly there was no ‘emergency’ – these issues have been on the front pages of all our newspapers for over a year and the ECJ Judgment that sparked the ‘crisis’ was handed down in April, well before the Government announced its legislative programme in the Queen’s Speech. In railroading through this Bill without time for adequate parliamentary scrutiny and debate, politicians from all sides have turned their back on democracy.
Perhaps the only good thing about DRIP is the fact that it contains a sunset clause – its provisions will expire in December 2016 – and the promise of a full review of the flawed RIPA legislation on which DRIP is based. Yet without fresh political leadership on the right to privacy, these concessions are no guarantee of change – experiences in the US show that sunset clauses are all too often extended, while government reviews, as Yes, Minister told us, can easily be designed “to unearth a great mass of no evidence”.
We support the Open Rights Group’s effort to challenge DRIP in court, and hope it will succeed. But concerned citizens should not sit back and wait for the courts to act – they may be able to get results faster through the ballot box. With the UK’s next General Election coming up soon, voters should press political parties to commit in their manifestos to repealing this rushed and railroaded piece of legislation. Instead, Britain’s political leaders must pledge to develop the “clear, precise, accessible, comprehensive and non-discriminatory legislative framework” that the UN has mandated to ensure that online surveillance does not destroy our privacy, undermine democracy and threaten the very future of the Web.