If you are an avid Question Time watcher, you will have seen the recent debate on the resurrection of the Communications Data Bill, aka the Snooper’s Charter. The debate follows the recent murder of Lee Rigby in Woolwich and the bombings in Boston, both linked to terrorism.
What is being tabled?
The Home Secretary Theresa May first presented the Draft Communications Data Bill to Parliament in June last year citing its purpose as “to protect the public and bring offenders to justice by ensuring that communications data is available to the police and security and intelligence agencies in future as it has been in the past”. The Joint Committee of the House of Lords and House of Commons concluded in December 2012 that although there was a case for legislation to provide law enforcement authorities with further access to communications data, the Bill was too sweeping, went further than it need or should and encroached upon privacy.
The Bill was then dropped from this year’s Queen’s Speech due to opposition from the Liberal Democrats. Nick Clegg went as far as saying that he did not think it was something the British public would support and that he did not think it was workable or proportionate.
The legislation raised its head again following the murder of Lee Rigby as many argue that his death could have been prevented if the authorities had had access to communications data from the email, social media and internet use of the men who have been charged with his murder.
The legislation in the UK which regulates the collection and retention of communications data is found in the Regulation of Investigatory Powers Act 2000 (RIPA), the Data Retention (EC Directive) Regulations 2009 and the Anti-Terrorism Crime and Security Act 2001 (ACTSA).
Broadly speaking, RIPA allows certain UK public authorities (including, amongst others, police forces, the intelligence and security services, the Serious Organised Crime Agency, local authorities, HMRC) to request communications data from a Communication Service Provider (CSP) for a permitted purpose.
Communications data includes:
- Traffic data. That is, data identifying the location of the device to or from which the communication is sent and the equipment and the network through which it is transmitted.
- Usage data. This covers date and time related data.
- Subscriber data. This is data held by the service provider about the person to whom it provides a service.
A CSP is an operator who provides a postal or telecommunications service and extends to those providing such services where the system for doing so is wholly or partly in the United Kingdom.
There are currently nine permitted purposes including “in the interests of national security” and “for the purpose of preventing or detecting crime or of preventing disorder”.
The Data Retention (EC Directive) Regulations 2009 requires public communications providers to retain the communications data relating to fixed network telephony, mobile telephony and internet access, internet e-mail or internet telephony for a period of 12 months from the date of the communication in question for every user whose data is generated or processed in the United Kingdom.
The above legislation does not allow the retention or use of the content of any communications.
New proposed powers
The Communications Data Bill introduces wide definitions for ‘communications data’, ‘telecommunications operator’, ‘telecommunication service’ and ‘telecommunication system’ and would, in essence, impose new and substantial obligations on telecommunications operators (which would include CSPs and information society service providers) requiring them to store internet browsing data and social media contacts, amongst other data, for each internet user. For the first time, telecommunications operators will be required to generate data which they would otherwise not have generated because there was no commercial need to do so and to retain it for 12 months.
The Government states that due to technological advances, approximately 25% of communications data required by investigators is currently unavailable and that without intervention this will increase to 35% within two years. The Government’s hope is that the Bill will address that and will make available three main types of data that it is currently unable to access under existing legislation. These are: (i) subscriber data relating to IP addresses (i.e. who is using an IP address at any given point); (ii) data identifying which services or websites are used on the internet (i.e. the web address up to the first); (iii) data from CSPs based overseas who provide webmail and social networks to users in the United Kingdom. There are other types of data they cannot access but they have not made this public in the interests of national security.
Pros and Cons
As a lawyer, I cannot resist briefly noting the arguments on both sides.
The arguments for this new legislation are as follows:
- The Government is just extending current legislation to keep up with social media and other technological advances.
- It is necessary for national security and if you have nothing to hide, you have nothing to worry about.
- CSPs can collect (although reluctantly) this data and should work with the Government to protect the public.
The arguments against are:
- CSPs will be collecting this data about everyone, not just criminals. This is an infringement of our privacy.
- UK public authorities already have the ability to access a lot of information using the current legislation; they are just not utilising it to its full extent or efficiently.
- The need to store this extra data will potentially require CSPs to re-structure their systems and will require substantial human, financial and technical resources. Since they are to be allowed to recoup some of their expenditure from the public purse, this could be very expensive for the public.
- The legislation could be abused.
- The new legislation is not workable in practice.
I will leave it to you to decide where you stand.
How does this affect you?
Although on first look you would think that this legislation will just apply to internet service providers and telephone companies, the current definitions of ‘communications data’, ‘telecommunications operator’, ‘telecommunication system’ and ‘telecommunications service’ in the Communications Data Bill are so broad that the legislation, in its current format, could be used to catch almost any company that operates most of its business over the internet.
If you are an internet-based company or are setting up an internet-based company, therefore, this legislation could have a serious impact on the way you run your business and on your business overheads. If the Bill is passed in its current format it could enable the Home Office to require any internet-based company to put systems in place to collect all data on its customers, store it for twelve months and make it accessible to a UK public body if required.
It becomes clear why the biggest five internet companies in the world have, according to the Guardian, written to Theresa May outlining their distaste for this new legislation. It will be interesting to see whether the news this week that the US National Security Agency is secretly collecting electronic data on all customers of Verizon (one of the largest phone companies in the US) on an "ongoing daily basis" adds fuel to the fire.
One thing is clear: this is not going away, so we suggest you monitor this debate carefully if your business is internet-based.