Précis - The Information Commissioner ("ICO") has submitted his response on the draft Communications Data Bill (the "draft Bill"), in which he expresses concern over the impact the legislation could have on individuals' privacy, and the lack of clarity on practical aspects such as enforcement of the legislation.
What? The draft Bill, which expands the obligations upon communications service providers ("CSPs") to retain communications data, has provoked a myriad of largely critical responses from industry. The draft is currently being scrutinised by the Joint Committee, which in July asked for interested parties to submit their views on the draft Bill. The Joint Committee is due to report back to the Houses by 30 November 2012.
So what? The draft Bill changes the framework surrounding both the retention of communications data and access to that data. It permits an authorised body to order a CSP to generate, obtain, retain and disclose to the authorities any data it may require. "Communications data" is the meta-data surrounding a communication, such as the timing and duration of a telephone call and the email address to which a communication is sent. It does not include the actual content of a communication. We have previously reported on some of the features of the draft Bill and the responses so far from industry.
Due to its subject matter, the draft Bill has significant implications from a privacy perspective. In his submission, the ICO has reiterated concerns that there will need to be adequate and effective safeguards in place to minimise the intrusion into and impact on individuals' privacy. The submission is very much concerned with how, on a practical level, the ICO will be enabled to flex any powers of enforcement and the exact role which his office will be expected to play, which as yet is undefined. On the subject of whether the draft Bill is a balanced solution to the issue of the monitoring and retention of communications data, the ICO's response is non-committal, stating that "it is for Parliament to determine whether the proposals contained in the draft Bill are a proportionate response to the perceived problem of communications data capability".
Some of the key points on which the ICO has expressed particular concern are:
- the consequences of the proposed new legislation, which the ICO says need to be adequately identified and addressed. The ICO cites a particular example in relation to the retention of data - as data will necessarily be retained for longer than is the case at present, organisations may attempt to exploit the data for additional commercial reasons, which would sit at odds with the intention of the proposed legislation;
- the lack of clarity around the proposed role for the ICO in the context of the legislation. The draft Bill states that the ICO will be required to "keep under review the operation of sections 3 and 6 of [the proposed] Act" (which relate to data security and integrity and the destruction of data respectively). How the ICO will, in practice, carry out reviewing, auditing and/or reporting on the CSPs which will hold communications data is unclear. The ICO has commented in his submission that it is "important...that both he and the public know what outcomes his oversight is expected to deliver in practice, particularly if it is to extend beyond his existing regulatory functions...". The ICO has also expressed concern over the potential resourcing issues associated with any extension of his functions or increase in workload;
- in relation to audit powers, the ICO will need enhanced compulsory audit powers (the nature, scope and detail of which will need to be clearly set out in statute) in order to carry out his proposed function under the draft Bill;
- there is a lack of clarity around the requirement on CSPs to destroy data so that it can never be retrieved at the end of a retention period. Whilst the ICO has welcomed the requirement, he has stated that "it is not clear how the requirement to 'destroy' data relates to the way in which operators achieve deletion of existing records in practice". The ICO's particular concern relates to how this requirement may be achieved by CSPs in practice and how the ICO will be enabled to enforce these requirements. Even if the ICO is given inspection and/or audit powers, for example, it would be difficult on a practical and technical level for his office to assess whether data has been destroyed by CSPs such that it can "never be retrieved";
- the potential impact of the proposed new data protection regime (which is expected to become law during the next few years) on the proposals around communications data retention and access, not least because the proposed data protection Regulation is likely to affect the ICO's current powers and duties;
- the draft Bill does not require the ICO to report on his review activities (either in general or in relation to the supervision of individual operators). The ICO's view is that introducing a specific obligation to report to Parliament on his review activities would provide a degree of public assurance and would aid the ongoing post-legislative analysis.
The ICO, whilst expressing concerns over a number of perceived deficiencies of the draft Bill, appears to support and welcome many of the proposals and the overall aims of the proposed legislation, in particular in respect of the more rigorous approach to be taken to controlling access to communications data that is currently provided for under RIPA. How the Government opts to deal with the perceived gaps and issues highlighted by the ICO and other players remains to be seen and will no doubt provoke further debate. Keep watching this space...