The Data Retention and Investigation Powers (DRIP) bill has recently been fast-tracked by the UK Government through the legislation process. Since April 2014, when the European Court declared the previous Data Retention Act illegal, telecommunications companies and internet service providers have continued to collect communications metadata. Some are now at risk of being threatened with legal action by campaigners who wish to stop the collection.
The purpose of DRIP is to restore the legal basis for collecting communications metadata and to encourage the telecommunications companies to continue to collect it.
The almost unprecedented speed of the introduction of this legislation has required the Government to make a number of concessions to ensure cross-party support. Some of these have been well-publicised, such as the expiry of the bill in 2016, the requirement for a new Government to properly debate the replacement legislation in the next Parliament and the creation of a new Privacy and Civil Liberties Oversight Board.
Less well reported is the appointment of ‘a senior former diplomat’ to open talks with the US Government and Internet Service Providers to reach agreement on sharing of data between legal jurisdictions.
The scope of these discussions, or the identity of the diplomat, is yet to be established. There may be significant consequences for cloud computing and data storage.
Understanding the legal implications of the jurisdictions where data is stored and processed has been identified as a fundamental security requirement for cloud systems by both the UK Government Cloud Computing Principles and the Cloud Security Alliance Cloud Control Matrix.
Data exchange between the EU and the US is governed by two pieces of legislation. The Safe Harbor Principles extend EU data protection to companies registered with the scheme. In practice, the Safe Harbor legislation has been the subject of much criticism. Only a small proportion of US companies are registered with the scheme and there are issues around compliance.
There are also concerns that the US Patriot Act may give the US Government access to data stored in the cloud servers of companies with a presence in the US, even though the data may be located in the EU or elsewhere. Microsoft recently lost the first round in a legal battle with the US Justice Department over the applicability of a US warrant for data stored on servers located in Dublin.
There are no apparent requirements for this initiative to report back to Parliament or anyone else on the progress it may achieve, and it may be forgotten about altogether in the run-up to the election. But if talks do take place, and if they lead to a better agreement than the current Safe Harbor Principles, then this concession may have a significant and long-lasting impact on cloud computing security.