1. The steady DRIP of data: New UK Data Retention and Interception Act passed 

In the wake of the European ruling on the Data Retention Directive in April this year, the UK Government has passed emergency data retention and interception legislation to ensure that telecommunications operators in the UK remain under a mandatory obligation to retain communications data.

On 17 July 2014, the Data Retention and Investigatory Powers Act ("DRIP Act") received Royal Assent. The Bill had only been announced on 10 July 2014 and presented to Parliament for the first time on Monday 14 July. It was passed using the "fast-track" procedure for legislation.

The DRIP Act has three key elements:

  • The first component of the Act relates to Government requirements for retention of communications data.
  • The second component of the Act relates to the extra-territorial effect of the interception and communications data requirements of the Regulation of Investigatory Powers Act 2000 ("RIPA").
  • The third component of the Act provides for a review of investigatory powers to report by 1 May 2015.

The Data Retention Provisions

Retention of communications data is currently regulated in the UK by the Data Retention (EC Directive) Regulations 2009 (the "2009 Regulations") which implemented the EU's Data Retention Directive. However, following the ECJ's ruling in April of this year that the Data Retention Directive was unlawful on the grounds that it breached human rights, the 2009 Regulations have been deemed to be in a somewhat vulnerable position. The DRIP Act provides powers to replace the 2009 Regulations, although they will remain in place until terminated by new Regulations made under the DRIP Act. The Government claims that the new Act is designed to strengthen and clarify the existing law rather than extend it. However, there are some subtle changes in the legislation.

For example, the 2009 Regulations applied to "public communications providers" which were defined by reference to the EU concepts of electronic communications networks and electronic communications services. The DRIP Act applies instead to "public telecommunications operators" which are defined by reference to the definition of "public telecommunications service" found in RIPA (which the DRIP Act also amends). It is not clear at this stage what practical effect, if any, this subtle change in definition will have.

The DRIP Act provides power for the Secretary of State to issue a data retention notice on a public telecommunications operator, requiring them to retain certain data types. Instead of the previous fixed 12 month period applicable under the 2009 Regulations, the retention period under the notice issued by the Secretary of State may vary subject to a maximum of 12 months. Again, until the new notices are published, it is impossible to know how this change will work in practice.

The DRIP Act also imposes obligations on public telecommunications operators in relation to the disclosure of retained data. Under the DRIP Act, any such retained data must not be disclosed other than in accordance with RIPA, a court order or warrant, or under new data retention regulations.

Despite the Government's claims that the data retention provisions do not extend the current regime under the 2009 Regulations, they have been criticised, not least because of their interaction with the ECJ's ruling on the Data Retention Directive. In its judgment, the ECJ set out ten principles with which any new data retention legislation must comply in order to be proportionate. In particular, it prohibited blanket data retention. The Government has published a note on the ECJ principles, in which it addresses the ways in which each principle has been dealt with. However, to the extent that the new legislation is not compatible with the EU Charter of Fundamental Rights and Liberties or the European Convention on Human Rights, it could be subject to challenge. 

The Interception Provisions

As well as the data retention provisions, the DRIP Act also makes a number of amendments to RIPA. These mainly relate to extra territoriality. According to the Government, whilst RIPA has always had implicit extraterritorial effect, some companies based outside the United Kingdom, including some of the largest communications providers in the market, have questioned whether the legislation applies to them. 

The DRIP Act therefore makes the extra-territorial reach of RIPA explicit in relation to both interception and communications data by adding specific provisions. This confirms that requests for interception and communications data to overseas companies that are providing communications services within the United Kingdom are subject to the legislation.

The DRIP Act has also widened the definition of "telecommunications service" as applies in RIPA and also now in relation to data retention. The amended definition provides that the cases in which a service is to be taken as a telecommunications service include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.” According to the explanatory notes, this amendment is to clarify that the definition includes companies who provide internet-based services, such as webmail.

Business Impact

The DRIP Act obtained Royal Assent on 17 July 2014, meaning that the changes to RIPA came into effect on that day. The 2009 Regulations will remain in effect until replaced by new data retention regulations proposed under the DRIP Act. Likewise existing data retention notices will remain in effect until such time as the Secretary of State issues new data retention notices to public telecommunications operators.

The Government maintains that the new legislation is not extending the existing regime. However, the changes to definitions could mean that more organisations are served with data retention notices than was previously permitted under the 2009 Regulations.

The legislation could also still be subject to challenge and review. Two MPs have already given notice to the Home Office of their intention to seek a judicial review of the passing of the legislation, which was rushed through the fast-track procedure. It also remains to be seen whether or not the EU will take any interest in the extent to which the legislation complies with the proportionality principles laid down by the ECJ. Either way, it seems likely that data retention is going to remain a hot topic for communications providers in the UK (or even outside the UK) for the foreseeable future.

For a copy of the DRIP Act, click here.

2. Superfast Strategy: UK Government publishes consultation on digital communications infrastructure strategy

Following its July 2013 report on Connectivity, Content and Consumers, the Department for Culture, Media and Sport has published a consultation on digital communications infrastructure with a view to developing a long term strategy.

In July 2013, the Government published its paper on Connectivity, Content and Consumers, which specifically identified a need to develop a longer term digital communications infrastructure strategy. The Department for Culture, Media and Sport has now issued a consultation regarding this strategy. The consultation does not set out a draft strategy or specific options for future action. Instead it seeks views on the challenges that might be faced in delivering future world class digital communications infrastructure and how those challenges might be addressed and by whom.

In particular, the consultation looks at:

  • existing and planned communications infrastructure and the current infrastructure supply market;
  • what might future demand look like;
  • scenarios of future demand;
  • competition and regulation; and
  • facilitating and encouraging investment.

In relation to regulation, the consultation invites views on how the regulatory framework might continue to promote effective competition and support efficient investment in infrastructure. It also considers whether any changes are needed to the European regulatory framework to encourage future competition or move to a greater focus on competition law.

Responses to the consultation are required by 1 October 2014.

To view a copy of the consultation document, please click here.

3. Calling all interest in Spectrum 

Ofcom has published a consultation on key issues for the next World Radiocommunication Conference in 2015 where decisions concerning the identification and international harmonisation of spectrum bands will be taken.

The World Radiocommunication Conferences ("WRCs") are held approximately every four years. The next WRC will take place in November 2015 with Ofcom, under a Government direction, representing the UK. The outcomes from the meeting will set the framework for how spectrum is used over the next few years and beyond.

In advance of WRC 2015, Ofcom has published a consultation seeking stakeholder views on four issues that are believed to be of particular interest and/or relevance to the UK:

  1. The future availability of spectrum for mobile broadband (including Wi-Fi) with particular focus on some key bands: one of the highest profile issues is how to address the increasing use of data by mobile devices.
  2. The spectrum requirements of the emergency services and associated agencies for Public Protection and Disaster Relief ("PPDR"): Ofcom supports a model that enables the UK, at a national level, to identify a range of different frequency bands for PPDR, which includes the potential use of established commercial networks.
  3. Spectrum requirements for the command and control of Unmanned Aircraft: the WRC will consider whether fixed-satellite service frequency allocations could be used for the command and control of unmanned aircraft.
  4. The inclusion of leap seconds in global time and its link with Greenwich Mean Time: the WRC will take a decision on whether the inclusion of the leap second into Coordinated Universal Time ("UTC") should continue. The UK currently supports maintaining the leap second in UTC.

The closing date for responses is 19th September 2014 and Ofcom will consider these to define the UK position for WRC 2015.

To view a copy of the consultation document click here.

4. Tweeting into trouble: inquiry into social media offences 

Following a brief review, the House of Lords Select Committee on Communications has published its report on social media and criminal offences, concluding that the existing criminal law is generally appropriate for the prosecution of offences committed using social media.

The committee considered how instances of cyber bullying, revenge porn, trolling and virtual mobbing were dealt with by criminal law, with the aim of determining whether any legislative changes were necessary. The report is for information purposes only and no formal response is expected from Government.

The committee concluded that:

  • what is not an offence offline should not be an offence online;
  • it would be unnecessary to create a new set of offences for acts committed using social media and other technology;
  • the Director of Public Prosecutions ("DPP") should publish guidance on the circumstances in which "revenge porn" could attract criminal penalties;
  • the DPP's guidance on social media prosecutions appropriately takes account of Article 10 ECHR freedom of expression;
  • a number of existing statutes passed before the invention of the internet refer to print media only and do not catch electronic communications in the way that they should;
  • the period for investigating social media offences to be tried in the magistrates court should be increased from 6 months to 12 months, as there is often a need to obtain information from overseas (where the social media operator is based); and
  • it would be proportional to require website operators to establish the identity of those who open accounts with them.

The House of Lords' conclusions contrast with the wider opinion that although the law may be suitable in theory, it is applied inconsistently and with poor results. The report is unlikely to have any direct impact, although it may frame Parliament's discussions of these issues.

For further information please click here.

5. Going private? Rights for EU citizens under US Privacy Act 

The Obama administration is seeking to extend a right of redress available to US citizens under the US Privacy Act to EU citizens. The right of redress relates to the wrongful sharing of personal data with US authorities for law enforcement purposes.

As part of the current negotiations towards an EU-US data protection umbrella agreement, US Attorney General Eric Holder has announced that the Obama administration will seek to work with Congress to enact legislation that would provide EU citizens with the right to seek redress in US courts if personal data shared with US authorities by their home countries for law enforcement purposes under the proposed agreement is subsequently intentionally or wilfully disclosed. This right would mirror the right already available to US citizens under the US Privacy Act.

If the right of redress is extended as hoped, then EU citizens would be able to seek judicial redress

  • in circumstances where their personal data was shared with US authorities by their home countries for law enforcement purposes and was then wilfully disclosed; and
  • for refusal to grant access or rectify errors in the information shared.

The European Commission has responded by saying that the announcement is "an important first step towards rebuilding trust in our transatlantic relations [and] should be swiftly translated into legislation so that further steps can be taken in the negotiation".

The EU-US data protection umbrella agreement has been negotiated since 2011 and the issue of judicial redress had been a major stumbling block to the conclusion of negotiations. However, the two sides also still need to come to an agreement regarding the purpose limitation of the data sent to the US. The EU seeks to ensure that data shall only be transferred for specified law enforcement purposes, and then processed in a way compatible with these purposes.

To read the US Department of Justice press release click here.

Or to view an EC factsheet on EU-US data protection negotiations, click here.