In July 2014, the Government passed emergency legislation providing for mandatory retention of telecommunications and internet-based data. Kari Hansen considers the impact for retailers who offer telecommunication services, justification for rushing this legislation through Parliament and what it means.
Following complaints that the EU Data Retention Directive infringed the right to respect for private life and the right of protection of personal data, the European Court of Justice (ECJ) declared that the Directive, which enabled communication service providers (CSPs) to retain communications data for law enforcement purposes, was invalid. In response, the UK Government passed the Data Retention and Investigatory Powers Act 2014 (the Act). The Act came into force on 18 July 2014 following a fast-tracked approval process.
The Government justified the use of the fast-track process by citing the ongoing threat against national security. The concern was that companies would begin deleting the data and so emergency measures were needed to ensure that law enforcement and intelligence agencies could continue to access telecommunications data to investigate criminal activity and protect the public. As a secondary justification, the need for a clearer legal framework was considered necessary for companies to understand their obligations in respect of data retention and protect themselves from challenges by consumers.
What does it mean for CSPs?
Like the previous Regulations, the Act extends certain provisions of the Regulation of Investigatory Powers Act 2000 (RIPA) to CSPs.
However, the definition of a CSP is extended to include access to, and making use of, a telecommunications system. This could extend to customer service emails, for example. The Secretary of State retains the power to issue notices to CSPs to retain data if it is considered necessary and proportionate for one or more of the purposes set out in RIPA. However, the Act includes a requirement for the Secretary of State to keep notices under review and the content of the notice will need to be specific about the category of data it applies to. The Act extends the definition of ‘telecommunications system’ to include internet-based services, such as webmail and enables notices to be served on non-UK companies that provide telecommunication services to the UK.
If a notice is issued, then the CSP is required to store the data for a maximum, rather than fixed, period of 12 months. The data that should be retained includes names, addresses, telephone numbers, dates and times of messages, device (i.e. phone or computer) identifiers and cell location information.
While there is little obvious change to the previous regime, some opponents to the Act argue that it conveys greater powers to the Government and therefore represents a greater infringement of privacy. The Government has sought to allay these concerns by including within the Act various safeguards, including the creation of a Code of Practice on Data Retention and provision for the Information Commissioners Office (ICO) to monitor the collection and retention of data. The importance for retailers is that data retention remains essential to avoid falling foul of the Act. There is also a sunset clause for the Act to be repealed at the end of 2016, meaning that the next Government will need to carry out a full review of the powers contained in the Act.
Critics argue that these safeguards are insufficient and have threatened to challenge the legality of the Act… watch this space!