Data retention laws: what they mean for ISPs
This guide is based on UK law. It was last updated in
October 2008.
If you think you're making a private call, or sending a discreet
message, think again. Under an anti-terrorism law passed in late
2001 in the wake of the atrocities of September 11, details of
every website visited and the transmission of every email sent and
every phone call made in the UK can be retained and made available
to authorities. This may give individuals privacy concerns, but for
telcos and internet service providers faced with the consequent
storage and retrieval requirements, it is also a cause for financial
concern.
The Anti-terrorism, Crime and Security Act (the 'ATCSA') was a
hurried piece of legislation which extends some powers introduced
in the Regulation of Investigatory Powers Act of 2000, better
known as 'RIPA'. The combination gives the communications industry
the challenge of tiptoeing a difficult path between privacy and
security. In addition, the EC Data Retention Directive, which was
approved following the Madrid train bombings of 2004 and the London
terror attacks of 2005 (and implemented in the UK in respect of
telephone communications by the Data Retention Regulations 2007 and
due to be implemented in respect of internet-related data no later
than 15th March 2009) requires the retention of data by
communications services providers.
Do ISPs have to retain data?
Not yet, except for certain business purposes, such as billing.
The ATCSA itself does not oblige communications providers to
retain data. There is currently a voluntary code of
practice in place (the Retention of Communications Data (Code of
Practice) Order 2003, made under the ATCSA) under which ISPs may
retain data for six months.
Mobile and fixed-line telephone data already has to be retained
by service providers under the Data Retention Regulations 2007 and
the consultation process in relation to a proposed replacement set
of regulations (which will also cover VoIP, email and internet
usage) is underway (responses are required by 31st October 2008)
with a view to such regulations coming into force in 2009.
What data would they have to retain?
The law considers only "communications data" – meaning data
which is not part of actual communications themselves, such as
billing data, subscriber data, details of numbers dialled
(including connected but unanswered calls), websites visited or
email addresses used, but not the actual content of voice calls or
email messages.
For how long must data be kept?
The voluntary code of practice currently in force requires data
to be retained for six months (in respect of internet data),
whereas the 2007 Regulations require a retention period of 12
months (for telephone data) and the draft regulations (which will
extend the 2007 Regulations to cover VoIP, internet and email)
envisage that this 12 month period will be kept (though the
Secretary of State has the ability to give notice to individual
service providers or categories of service providers requiring the
retention of data for shorter or longer periods, of not less than 6
months nor more than 24 months).
What about access?
Rules on interception of communications are set out in RIPA, but
RIPA does not yet control access to the retained data. The
Anti-terrorism, Crime and Security Act ensures that data is retained
only for purposes of national security, but once the data has been
retained, a variety of parties will have access to it under a range
of laws. ISPs and telcos fear an increase in requests for data.
Data retained under the 2007 Regulations is made available to
law enforcement agencies for the purposes of investigation,
detection and prosecution of serious crime, but it is thought that
groups (such as intellectual property rights owners) are likely to
lobby for wider access to be granted (e.g. to enable the
prosecution of copyright infringements).
Communications industry problems
ISPs and telcos must comply with a provision of the Data
Protection Act which forbids them holding personal data for longer
than is necessary for purposes such as billing.
Compliance with the Act can be achieved if the continued
retention is done to satisfy another legal obligation; but by
definition, the current voluntary code of practice scheme falls
short of a legal obligation. The Telecommunications (Data
Protection and Privacy) Regulations of 1999 present another
quandary. They permit data retention for the purposes of billing,
network security or dispute resolution; otherwise it must be erased
or made anonymous immediately after the telecommunications service
has been provided. Without further laws, an ISP that retains data
as the ATCSA proposes will run the risk of a lawsuit. The
provisions of the Human Rights Act relating to the right to respect
for private and family life, home and correspondence also pose a
problem. Once the 2007 Regulations are extended to cover
VoIP, email and internet data, retention will itself be a legal
obligation and this will no longer be an issue.
Financial problems for the industry
The 2007 Regulations allow the Home Secretary to reimburse
expenses incurred by service providers as a result of the
requirement to retain communications data, provided they have been
notified and agreed in advance. However, this is not an
obligation on the Home Secretary and service providers, whilst
relieved that the Government has preserved the possibility of
reimbursement, might well be concerned as to the discretionary
nature of this commitment, particularly in view of the extension of
the required retention period from six to 12 months.
For more information contact: louise.townsend@pinsentmasons.com
Disclaimer: We hope you find OUT-LAW's content useful. It's prepared by the lawyers at Pinsent Masons. Please remember, though, that it's intended as general information only. It's not legal advice. If that's what you're seeking, please contact us. See also: our full disclaimer.