The UK government has finalised legislation that will require ISPs to keep logs of their subscribers' use of the Web for one year. The information will be available to the police and other government authorities upon request. The new legislation – the Data Retention (EC Directive) Regulations 2009 – was introduced one day after the European Court of Justice upheld data retention requirements. It raises interesting issues about the "surveillance society" recently discussed by the House of Lords and the role of ISPs in stopping illegal file-sharing.
IP addresses, destination of emails and recipients of VoIP calls to be kept for a year
The Data Retention Regulations, which were laid before Parliament on 11 February 2009, are the final step in a 3-year-long initiative led by the UK government to ensure police access to information about Internet usage and telephone calls in order to investigate terrorism and serious crimes. The effort resulted in the adoption of a European directive in 2006 that requires all EU telephone companies and ISPs to keep records of communications traffic and location data on their networks – the “who”, “when” and “where” information about telephone calls, Internet access and email.
ISPs, for example, are required to keep information about Internet communications traffic and subscribers’ identities, including the following:
- subscribers' names and addresses,
- the IP addresses assigned to users,
- their log-on and log-off times,
- the email addresses to which they send emails, and
- identifying information about who they call using VoIP telephony services.
The one-year retention period applies only to traffic-related information, as the body of email messages and the content of VoIP calls are specifically excluded from the retention requirements.
ISPs that process Internet communications on their systems located in the UK will be expected to store the data starting in April 2009, when the Regulations are anticipated to come into force.
The UK wants to avoid having the same information stored more than once, particularly as it has promised to reimburse providers for the costs of retaining the data. While the Home Office will notify those ISPs that will be required to retain data, the Home Secretary is required to provide the notice to all “public communications providers” processing communications traffic data in the UK unless the required data will be retained by another provider. For example, resellers of another provider’s services would be exempt from the retention requirements.
While fixed-line and mobile telephony providers and ISPs are clearly covered by the Regulations, web-based email services and Internet VoIP applications should be exempt, even if they locate their servers within the UK, as they fall outside the definition of public communications services. The relevant definitions come from telecoms law (the Communications Act 2003, which implements into UK law various European directives regulating electronic communications services), which generally does not cover purely Internet-based services and applications.
ECJ upholds European directive on data retention
The new regulations complete the transposition into UK law of the Data Retention Directive (Directive 2006/24/EC) and were submitted to Parliament one day after the rejection of a challenge against the new data retention rules under European law.
On February 10, the European Court of Justice upheld the legal basis for the Directive on the grounds that it was necessary for the proper functioning of the internal market in communications services. At stake was whether the Directive required the unanimous approval of the national governments rather than the approval of only a qualified majority, which is all that is needed for single market measures.
The ECJ noted that communications providers faced conflicting national requirements about the data they were required to retain and the storage period, which has resulted in significant additional costs for service providers. Article 95 of the European Community Treaty allows for the adoption of measures to harmonise national laws in order to promote the creation of the EU internal market.
Ireland (with the support of Slovakia) asked the European courts to annul the Directive. The Irish government argued that the Directive had been adopted on an incorrect legal basis as it relates to the investigation and prosecution of crimes and not the harmonisation of the internal market. Matters relating to police and judicial cooperation are governed by the Maastricht Treaty (the European Union Treaty), which requires unanimous approval for new laws regarding justice and home affairs matters.
The ECJ decision should clear the path for the complete implementation of the Directive in Europe despite a pending legal challenge in Germany, which has not stopped retention but limits the circumstances when the information can be given to the police.
Scope of the new data retention rules and the UK “surveillance society”
The new requirements raise several important questions about the proper balance between protecting society against serious crime and preserving individual privacy, particularly in regard to the monitoring of Internet use. The Data Retention Directive gives governments some flexibility in transposing its requirements into national laws, and the UK government has taken an expansive view of some of the requirements:
- The Directive allows EU countries to pick a retention period from a minimum of 6 months up to 24 months. The UK has opted to require the storage of Internet-related data for 12 months. While this is consistent with many other countries (such as France, Ireland and the Netherlands), other nations such as Germany have opted for the minimum 6-month period.
- Access to the data will not be limited to the police and the intelligence services. HM Revenue & Customs and many public authorities will be able to request access. Elsewhere in the EU, only senior police officials are entitled to obtain the retained data.
- The original rationale for communications data retention was to help prevent terrorism, investigate murders and prosecute other serious crimes. However, the Regulations will also allow the authorities to use the information to crack down on online piracy and copyright infringement. This means that ISPs can be asked for IP addresses and subscriber names and addresses in order to take action against illegal file-sharers.
- ISPs will have to spend a lot of money (the government estimates £46 million) to store the data and then make it available when requested. The Treasury will be expected to pick up the tab.
Central database for retained communications data
The Home Office plans to have ISPs and telephone companies eventually put their retained communications traffic data on a central database managed by the government as part of the Interception Modernisation Programme that Jacqui Smith announced last year. Legislation to implement the programme has been delayed following criticism by privacy advocates. However, a proposed bill is expected to be published for consultation in the coming weeks.