The UK Parliament approved emergency legislation known as the Data Retention and Investigatory Powers Act of 2014 (“DRIP”) on Thursday, July 17th, making significant amendments to the existing surveillance and data retention regime in the UK. DRIP expands RIPA (Regulation of Investigatory Powers Act 2000) to apply extraterritorially, amends the definition of covered providers, and clarifies that it provides authority to obtain data of non-UK users in a move that is designed to bring US based providers who have resisted RIPA squarely within RIPA’s requirements. Before the DRIP amendments, many US-based Internet companies argued that the UK lacked jurisdiction to force compliance with wiretap orders and notices to build intercept capability. They made this argument due to a lack of UK presence, disparities between US and UK law, and because the definition of covered providers was sufficiently narrow that it could be read as limited to telecommunications providers. DRIP directly addresses these arguments with its amendments and purports to allow service of warrants and notices to build surveillance capability to companies who are located outside the UK. While the legislation includes a nod to consideration of the laws of the country where a provider is located, it is not clear that US providers will be able to rely on the Wiretap Act and Stored Communications Act to avoid UK sanctions for non-compliance. In addition to the modifications to surveillance law, DRIP also provides regulatory authority to the Secretary of State to issue data retention notices to specific companies or sectors of companies for a broad set of communications data for periods of up to 12 months.
The new UK law comes in response to the European Court of Justice’s decision that broad data retention mandates violate the European Human Rights Convention. In the wake of that decision, EU member countries were put in a position of evaluating whether their data retention requirements were proportionate to the needs being addressed. The manner in which the new legislation was passed is being criticized for cutting off the potential for debate and outside input, as the measure passed through Parliament in eight days from introduction to final approval. With the changes to RIPA, the UK joins Brazil and Russia in explicitly requiring providers to comply with their legal requirements regardless of the providers’ location.
Further background on the legislation is available from the House of Common’s Standard Note on DRIP.