In response to September 11 2001 an anti terrorism law, the Anti-terrorism, Crime and Security Act 2001 (ATCSA) was passed. This legislation introduced a voluntary code that made it possible for details of every website visited, the transmission of every email sent and every phone call made in the UK to be retained and made available to authorities on request. The potential for such requests has raised privacy concerns. Yet for telecommunications companies and internet service providers faced with the consequent storage and retrieval requirements, it is also cause for financial concern.
ATCSA has been followed by European Union legislation, the Data Retention Directive 2006, which was introduced in the wake of the Madrid train bombings in 2004 and the London terror attacks of 2005. The Data Retention Directive was implemented in the UK in respect of telephone communications in relation to fixed telephone lines and mobile telephones by the Data Retention (EC Directive) Regulations 2007, which together with the ATCSA voluntary code, have now been superseded by the Data Retention (EC Directive) Regulations 2009 (2009 Regulations). The 2009 Regulations extend the range of data to be retained to internet related data which is defined to include data arising from 'internet access', 'internet telephone services' and 'internet e-mail' (in addition to fixed network telephony and mobile telephony communications data).
To whom do the 2009 Regulations apply?
The 2009 Regulations apply to public communications providers who generate or process communications data in the UK. The Regulations explain that a "public communications provider" is a provider of a public electronic communications network or a provider of a public electronic communications service. Related definitions for are set out in the Communications Act 2003. Taking into account these related definitions, ISPs and telecommunications companies including mobile phone providers need to comply with the 2009 Regulations. The 2009 Regulations do not explicitly refer to social media sites such as Facebook and Twitter however the draft Communications Data Bill is currently being considered and may have an impact on this in the future.
In relation to social networks, the High Court's decision in 2012 in Chambers v DPP indicates that the scope the Court is willing to give to the term "public electronic communications network" is extensive and that it can be applied to privately owned networks. The Court ruled that the internet is a "public network" and that communications platforms would also be considered public in nature even if they are not funded by public bodies. On this reasoning, it is reasonable to suggest that the 2009 Regulations could be applied to social networks.
It should be noted that the 2009 Regulations only apply to public communications providers who have received a written notice by the Secretary of State in accordance with the 2009 Regulations.
Data which must be retained
The 2009 Regulations apply to data generated or processed in the UK and specify that the data that must be retained are data necessary to:
- trace and identify the source of a communication;
- identify the destination of a communication;
- identify the date, time and duration of a communication; and
- identify the type of communication.
In the words of the 2009 Regulations, this includes data generated or process by means of 'mobile telephony', 'internet access', 'internet email' and 'internet telephony.' It is also necessary to identify the users' communication equipment.
Additionally for mobile telephony, data must be retained to identify the location of mobile communication equipment.
The provisions of the 2009 Regulations also require public communications providers to retain data that relates to unsuccessful call attempts either stored (in respect of telephony data) or logged (in respect of internet data) in the UK. An “unsuccessful call attempt” is defined as an attempt at communication where a telephone call has been successfully connected but not answered or where there has been a network management intervention. This requirement does not apply to unconnected calls.
No data of the actual content of a communication is to be retained for the purposes of compliance with the 2009 Regulations.
Whilst the 2009 Regulations are only concerned with data generated or processed in the UK, other EU member states were required to implement similar provisions by 15 March 2009 in order to comply with the Data Retention Directive. A report evaluating the Data Retention Directive published by the European Commission in April 2011 however showed that Germany, Romania and the Czech Republic have each rejected the Directive as 'unconstitutional'. The Commission is looking into addressing these inconsistencies through reform, although it is unlikely to do so before its attempts to reform the Data Protection Directive are finalised.
For how long must data be kept?
In accordance with the 2009 Regulations data must be retained by the public communications provider for 12 months from the date of the communication in question.
What about access to the retained data?
The 2009 Regulations provide that data retained may only be accessed in specific cases and in circumstances in which disclosure of the data is permitted or required by law.
Part 1 of Chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA) stipulates who can request access to retained communications data. Generally, individuals holding particular positions in specified public authorities have the power to obtain communications data are permitted, with an example being a police officer in the interests of public safety.
Under the 2009 Regulations data must be stored in such a way that when a request is received the data can be transmitted without undue delay.
Any expenses incurred by a public communications provider in complying with the requirements of the 2009 Regulations may be reimbursed by the Secretary of State. Any reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance. In addition, the Secretary of State may require a public communications provider to allow for audits to be conducted that may be reasonably required to monitor a claim for reimbursement.
Communications providers who outsource data processing activities to third parties remain responsible for ensuring that their contractors comply with the 2009 Regulations. It is therefore necessary that such communication providers ensure that any third party service providers understand which data must be retained, the appropriate time limits for retaining the data and other pertinent details of the regulatory requirements such as audit access arrangements. Communications supply contracts should specifically address these issues in detail.
Draft Communications Data Bill
In June 2012 the Government introduced to Parliament the draft Communications Data Bill (the Draft Bill), which proposes an increase to the forms of data to be retained. The Draft Bill focuses on the expansion in the use of new means of communication that are not presently subject to the retention obligations contained in the 2009 Regulations. A key focus area is the use of data by social networks.
The Draft Bill also suggests limiting the requests that local authorities and public bodies can make to access retained data. Under the Draft Bill these bodies will only be able to access data if Parliament agrees that its use is essential to tackling crime and protecting the public.
European Commission's Revision of the Data Retention Directive
The European Commission conducted an evaluation of the Data Retention Directive and published its report in April 2011. The report concluded that there are aspects of the Data Retention Directive which need to be changed. The Commission has consulted various law enforcement agencies, the judiciary, technology industry and civil groups as well as other relevant bodies across member states to comment on what revisions to the Data Retention Directive are required. The Commission is keen to ensure that the necessity of retaining data and maintaining internal security is balanced and proportionate to an individual's right to privacy and freedom.
The Commission initially proposed to publish its reform of the Data Retention Directive in 2012. This timetable has now however been delayed and the Commission will not be making any announcements on this matter until 2013 or 2014. It has announced that its revision to the Data Retention Directive will be made in conjunction with a revision to the e-Privacy Directive 2009.