Under the proposed Investigatory Powers Bill, communication service providers (CSPs) could be required to retain communications data for up to a year and make that data available to the police, intelligence and security services in certain circumstances, including to help with investigations into acts of terrorism or serious crime. As drafted, the Bill would for the first time extend the communications data retention regime to include internet connection records (ICRs).
ICRs are, broadly, data that reveals which websites internet users have visited, without detailing the precise webpages of those sites that have been viewed. Major mobile network operators (MNOs) and internet service providers (ISPs) have already outlined some of the challenges they see in being required to retain ICRs.
A committee has been established at the UK parliament to scrutinise the new Bill. In written evidence submitted to the committee, information commissioner Christopher Graham said there would need to be "strong justification" for CSPs to be ordered to retain ICRs under the Bill. This stems from the fact that ICRs could "reveal a great deal about the behaviours and activities of an individual", he said.
Although a new investigatory powers commissioner (IPC) would be established and provide some oversight of the workings of the new surveillance laws that are envisaged, Graham said the remit of the IPC would not go sufficiently far for there to be an appropriate assessment of whether orders on CSPs to retain ICRs were justified.
"Retaining ICRs is an area where there needs to be strong justification and if this is made on the basis of an assertion of need in advance of a power being given then there needs to be effective post legislative scrutiny to judge the magnitude and nature of the records retained and the use that was made of these in practice including law enforcement outcomes," Graham said.
"There are challenges in resolving IP addresses down to particular identifiable individuals which may make such data of less value in practice. It is understood that in 2014 Denmark repealed its provisions that are similar to the draft bill as they were unable to achieve their objectives in practice. It is not sufficient for the IPC to report on the working of the arrangements; it is the use of the information and its value that is the indicator of whether such intrusion is necessary and proportionate. This information would need to be provided as part of any post legislative scrutiny," he said.
In his written evidence Graham said that whilst he "does understand the value of communications data for investigatory purposes", he wants the UK government to justify provisions in the Bill that would require CSPs to retain communications data for a year.
"The period for retention remains at twelve months though there is little evidence provided explaining why this is the appropriate period," Graham said. "The justification for this period should be made clear, especially as it should be possible to provide evidence of the number of such requests and their law enforcement outcomes based on current arrangements."
He raised concerns about the security of communications data that CSPs will have to retain under the Bill and said that the new legislation, or "a subsidiary code of practice", should set out a requirement for that information "to be retained separately from normal business systems".
Graham said that the government should also ensure that the Bill provides the information commissioner with statutory powers to audit "the integrity, security and destruction" of communications data that is retained by CSPs. He said that the new laws should also provide for the information commissioner to be "directly notified about retention notices being issued, varied and revoked".