The United Kingdom Data Retention and Investigatory Powers Bill (DRIP) passed through the House of Lords on Thursday after two days of debate, according to a report by the BBC. The bill was fast-tracked by the government.
The parliament stated, “The Government argues that emergency legislation is needed to ensure that UK law enforcement and intelligence agencies can maintain their ability to access the telecommunications data they need to investigate criminal activity and protect the public. There is cross-party agreement on the need for the Bill.”
In April, the Court of Justice of the EU invalidated previous UK regulations on data retention, saying they disproportionately infringed on the privacy rights of EU citizens. The old legislation required telcos to retain data on customer communications to pass on to law enforcement agencies on request. Earlier in July the government said the new law should be fast-tracked in order to protect citizens from terrorists and criminals.
Recently, the European Parliament voted for new safeguards on the personal data of EU citizens when it’s transferred to non-EU countries.
The new data retention law only allows access to metadata; communications content still requires a warrant signed by a Secretary of State. Telcos will be required to retain the data on the chance that it is needed by law enforcement.
The new legislation could be challenged in the same way as the old law it is replacing.
Financial services regulation expert John Salmon and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said earlier this week, “This attempts to address the CJEU judgment’s requirements, but the problem is that it is discretionary and the secretary of state does not have to explain why a particular retention period has been ordered. The bill could therefore be challenged on the basis that, like the Data Retention Directive and the previous UK laws deriving from it, the Bill does not set out ‘objective criteria’ governing how long data should be kept for.”
In addition to possibly being invalidated again, the Guardian reports there could be other problems. This new law could increase the incidence of cybercrime and hacking. The law will require more data to be stored, which could make it attractive to hackers.
“Because of the extraterritorial reach in the Drip bill, it requires foreign internet service providers, who may be providing webmail services to British citizens (think of the expats living in Spain or Florida and using national ISPs for example), to store data about those British citizens in data or storage centres outside the jurisdiction of the UK Data Protection and other relevant Acts,” Dr Adrian Davis, cybercrime expert and European director of (ISC)2, told the Guardian.
“As a result, we don’t know how that data is stored, processed, accessed or protected … Hackers may view foreign ISPs storing British citizens’ data as a ‘soft target’ – the levels of protection may be different and the penalties for stealing or compromising data could be lower.”
Other experts disagree, saying the data isn’t very useful to malicious hackers. However, it could be of interest to others such as politicians or journalists.
Richard Clayton, security expert from the University of Cambridge Computer Laboratory, told the Guardian, “What does seem plausible is that journalists will bribe insiders for the data. A list of mobile phone calls performed by Mr. Cameron over the past week or so might be very interesting.”
Even service providers that aren’t telcos should be interested in this and future legislation. Precedents and new laws are being established that could affect the future of the internet and data protection. For example, the European Data Protection Supervisor (EDPS) will soon decide what extra checks are necessary for cloud services under contract to EU institutions. This affects data transfer and storage, which could cause extra headaches for cloud providers.
“Currently, Europeans worried their data privacy rights have been violated by US companies have no official body to hear their complaints. Meanwhile, anyone, regardless of nationality, can go to a European court to complain about EU data privacy violations,” the WHIR reported previously.
US Attorney General Eric Holder announced that the Obama administration is seeking to extend to EU citizens privacy guarantees that are now available only to US citizens, a move some European politicians see as an important step towards an “umbrella agreement” guaranteeing data protection. Decisions about how privacy and data will be handled are being debated on an international stage.