Shami Chakrabarti

In April of this year, the EU, through its Court of Justice of the EU (CJEU), ruled that blanket retention of the metadata surrounding our calls and internet usage for two years (a process which was the result of an earlier EU Data Retention Directive) was a violation of privacy rights. It thus ruled that laws forcing ISPs and phone companies to hold this data were invalid.

Metadata is all that information about who you called, where and when your calls are made and so on. It has proved extremely useful for law enforcement agencies, who are able to corroborate (or otherwise) the testimony of suspects.

But collecting this data not just from such suspects, but from all of us, has proved more controversial. It's exactly this controversy which the EU ruling addressed head on in April. Justification for the switch of direction from the original law included the harmonisation of such rules across Europe and the lack of proportionality of the blanket collection of data about the communications activities of EU citizens.

Three months later, someone in the Cabinet Office must have been riffling through some old news stories and, in a light bulb moment, realised that this meant that the status quo allowing UK government agencies widespread access to call, locational and other communications behaviours was no longer applicable. Hence the apparent panic which resulted in David Cameron's hasty announcement at the start of July of a fast-track 'data retention' bill. Details of this bill have been agreed behind closed doors with the leaders of the Liberal Democrats and Labour in advance of any published information.

The bill would (will) re-instate the about-to-be-lost privilege government agencies enjoy to examine our data: the information we all generate just going about our ordinary lives. And contrary to the EU's recently stated opinion, UK political parties of all hues agree that we do not need to be under suspicion of any kind in order to have our metadata passed to the authorities.

The kicker for this hasty-looking action seems to have been the realisation that ISPs and comms companies would shortly start to delete their old data in line with the EU's new ruling, so rendering it unavailable at a stroke.

For UK ISPs and comms companies (who seem to be remarkably reluctant to talk about this topic at all) it's probably simply a case of should they or shouldn't they continue to store this data in anticipation of the next switch and being asked for it by government agencies. The government move makes it most unlikely that they will delete this metadata – that was the objective.

It was a branch of government in Ireland which had originally challenged the EU data retention directive and caused the EU court's intervention. Whether the new UK government decision will now trigger a second complaint, followed by another EU court case and another ruling remains to be seen. It seems likely, as does the outcome. Yet another switch of direction here in the UK...

While some in the UK will welcome the change on the grounds of home security, others do not. European Digital Rights Group (EDRi) executive director Joe McNamee described the original EU data retention directive as an affront to the fundamental rights of European citizens and suggested that the EU court ruling in April was the end of eight years of abuses of personal data. Of the UK's latest volte-face, Director of Liberty, Shami Chakrabarti (top image), has suggested that the issue that should be of most concern is the blanket snooping of everyone, whether being investigated for a crime or not.

And if it is terrorism that is behind this panic, the response appears to challenge the very liberties we seek to defend. Protecting citizens against potential threats has never looked as close to mass-surveillance as right now.

Meanwhile, for the IT industry it's probably just one more example of how legislation at both UK and European level can have a profound impact on the way our IT systems and Big Data repositories must be planned and maintained. Always expect that next switch of direction.

The lack of consultation involved in getting the leaders of the three main parliamentary parties together to agree what a new law should be, without the inconvenience of testing it against public, legal or professional opinion, is unsettling. It must be clear that this is an argument with diametrically opposed sides that need to be explored. Yet one side, with an argument that was sufficiently valid to make a European country rule in its favour, has now been ignored in the UK to the cries of threats real and imaginary. And it is also a subject which begs professional technical input. How hard is it, for example, for criminals to evade such mass-surveillance anyway?

The only reliable conclusion for a CIO watching these antics appears to be that we must accept that these rapid changes and discontinuities of direction are a now-regular feature of the global legislative landscape we operate in. All a savvy CIO can seek to do is build systems and governance processes that are capable of responding equally rapidly.