New UK regulations, which came into force on 1 October 2007, will impose significant extra regulatory burdens and costs on communications providers to retain call data. These burdens will soon be extended to Internet Service Providers (“ISPs”) and VOIP providers. Whilst public interest reasons probably justify these new measures, they carry significant data privacy concerns. This article reviews the new legislation and discusses its implications.
The Data Retention Directive
Following the Madrid and London bombings in 2004 and 2005 it was clear that urgent action was needed to collect and retain mobile and other types of electronic communications data and make it available to law enforcement agencies to combat terrorism. Directive 2006/24 (the “Data Retention Directive”) was adopted by the Council of Ministers on 21 February 2006 and amended Directive 2002/58 on Privacy and Electronic Communications. The Data Retention Directive was implemented into UK law by the Data Retention (EC Directive) Regulations 2007 which came into effect on 1 October 2007.
The Data Retention Directive was passed on 3 May 2006 and gave Member States until 15 September 2007 to implement national legislation. However, this deadline was subject to the option for Member States to postpone the application of the Directive to “Internet Access, Internet telephony and Internet e-mail” until 15 March 2009.
The aim is to harmonise Member States’ laws concerning retention by communication service providers of all traffic and location data generated in the course of providing their services for between 6 and 24 months. Following recent terrorist outrages it was obvious that certain Member States did not mandate the collection and retention of crucial data, which was needed to capture and track terrorist suspects. The new legislation ensures that retained data will be made available to investigators of terrorism and other serious crime across the Community.
The Data Retention (EC Directive) Regulations 2007
The Data Retention (EC Directive) Regulations 2007 (the “Regulations”) implement the Data Retention Directive in the UK and came into force on 1 October 2007. Prior to this a system of voluntary data retention existed under Part 11 of the Anti-Terrorism, Crime and Security Act 2001 together with a Parliament-approved voluntary code under which some telephone operators and ISPs retain some data. For fixed line and mobile telephony, the Regulations have moved retention of communications data to a mandatory basis.
Application
The Regulations apply to all communications providers, which provide a public electronic communications network or a public electronic communications service as defined under Section 151 of the Communications Act 2003 (“Providers”). This encompasses a wide range of communications providers including fixed line and mobile telecommunications operators, telecommunications resellers and ISPs.
The impact of the Regulations on the telecommunications and Internet world appears widespread at first sight. However the UK Government issued a declaration pursuant to Article 15.3 of the Data Retention Directive postponing the application of the Directive in the UK to internet access, internet email and internet telephony. Consequently ISPs and VOIP providers will be exempt from retaining their data in line with the Directive until March 2009 giving them more time to prepare their systems.
In agreeing to the opt out the EU legislators recognised the technical complexity of applying the Directive’s obligations to Internet communications without adequate preparation and consultation. The opt out was exercised not only by the UK but also by 15 other Member States, including the Netherlands, Belgium and Germany.
Retention of data
The Regulations require that, in the UK, data (including all traffic and location data generated or processed by a Provider in the course of supplying the communications services concerned) must be retained for 12 months from the date of the communication (Reg 4). Article 6 of the Data Retention Directive requires data to be retained for not less than six months and not more than two years, but the exact period within these parameters is left to the discretion of each Member State. This may create disparities between EU countries and cause problems for multi-jurisdictional organisations. The duty includes the retention of data relating to unsuccessful call attempts but does not extend to the content of a communication.
Data to be retained
Data concerning both fixed network telephony and mobile telephony generated in the UK must be retained (Reg 5), and includes:
- Telephone number from which the telephone call was made and the name and address of the subscriber and registered user of that telephone;
- Telephone number dialled, and in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred, and the name and address of the subscriber and registered user of such telephone;
- Date and time of the start and end of the call; and
- Telephone service used.
The following additional data must also be retained for mobile telephony only:
- International Mobile Subscriber Identity (“IMSI”, a unique number associated with each mobile network user, stored in the SIM and sent by the phone to the network) and International Mobile Equipment Identity (“IMEI”, which identifies the handset) of the telephone from which a telephone call is made;
- IMSI and IMEI of the telephone dialled;
- For pre-paid anonymous services, date and time of the initial activation of the service and the cell ID from which the service was activated;
- Cell ID at the start of the communication; and
- Data identifying the geographic location of cells by reference to their cell ID.
Providers must put in place appropriate safeguards to protect data against destruction, loss, alteration, unauthorised or unlawful storage, processing, access or disclosure. Further, the data must be retained in such a way that it can be transmitted “without undue delay” in response to requests and must be destroyed at the end of the specified period of retention. Providers are therefore likely to have to employ additional storage facilities to retain the vast quantities of data together with ensuring that it is stored in a form enabling prompt identification and retrieval of requested data. These extra duties will result in increased costs and manpower. The lack of clarity of the concept of “without undue delay” will undoubtedly give rise to differences in response times between Providers. This will be a source of tension with EU law enforcement agencies, which may eventually spill over into the Courts.
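The retention duties described above (traffic and location data only, unsuccessful call attempts included, content excluded, destruction once the 12-month period has elapsed, prompt retrieval for authorised requests, and safeguards against unauthorised access) can be sketched as a small retention store. The following is an added example, not code from the article or from any Provider; the field names, the 365-day approximation of 12 months, the “content” key, the allow-list of requesters and the sample call records are all assumptions made for illustration.

```python
# Added example (not from the article or the Regulations): a minimal retention
# store enforcing the duties the text describes. Field names, the 365-day
# figure, the "content" key and the sample records are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_PERIOD = timedelta(days=365)  # 12 months (Reg 4), approximated as 365 days


@dataclass(frozen=True)
class CallRecord:
    # Fixed and mobile telephony fields (Reg 5); attribute names are ours.
    calling_number: str
    calling_subscriber: str             # name and address of subscriber / registered user
    called_number: str
    called_subscriber: str
    start: datetime                     # date and time the call started
    end: Optional[datetime]             # None for an unsuccessful call attempt
    service: str                        # telephone service used
    forwarded_to: Optional[str] = None  # call forwarding / transfer destination
    # Mobile-only fields
    calling_imsi: Optional[str] = None
    calling_imei: Optional[str] = None
    called_imsi: Optional[str] = None
    called_imei: Optional[str] = None
    cell_id_at_start: Optional[str] = None


class RetentionStore:
    def __init__(self, authorised_requesters):
        self._records = []
        self._authorised = set(authorised_requesters)
        self.access_log = []  # (time, requester, number) for every retrieval request

    def ingest(self, event: dict) -> CallRecord:
        # The duty covers traffic and location data only; refuse anything that
        # carries content ("content" is an assumed key name in the feed).
        if "content" in event:
            raise ValueError("communication content must not be retained")
        record = CallRecord(**event)
        self._records.append(record)
        return record

    def purge(self, now: datetime) -> int:
        # Destroy records for which 12 months from the date of communication have elapsed.
        kept = [r for r in self._records if now - r.start < RETENTION_PERIOD]
        destroyed = len(self._records) - len(kept)
        self._records = kept
        return destroyed

    def lookup(self, number: str, requester: str, now: datetime) -> list:
        # Only a configured requester may retrieve; the request is logged either way.
        self.access_log.append((now, requester, number))
        if requester not in self._authorised:
            raise PermissionError(f"{requester} is not an authorised requester")
        return [r for r in self._records
                if number in (r.calling_number, r.called_number, r.forwarded_to)]


def demo() -> dict:
    """Run the store over constructed sample events and return the outcomes."""
    t0 = datetime(2007, 10, 1, 9, 0, tzinfo=timezone.utc)
    store = RetentionStore(authorised_requesters={"designated-official"})
    base = dict(calling_subscriber="A. Example, 1 Sample St", called_subscriber="B. Example, 2 Sample St",
                service="mobile voice", calling_imsi="234150000000001",
                calling_imei="350000000000001", cell_id_at_start="cell-0001")
    # Constructed events: one completed call, one unsuccessful attempt, one forwarded call.
    store.ingest(dict(base, calling_number="07700900001", called_number="07700900002",
                      start=t0, end=t0 + timedelta(minutes=3)))
    store.ingest(dict(base, calling_number="07700900001", called_number="07700900003",
                      start=t0 + timedelta(days=100), end=None))
    store.ingest(dict(base, calling_number="07700900004", called_number="07700900002",
                      forwarded_to="07700900005", start=t0 + timedelta(days=200),
                      end=t0 + timedelta(days=200, minutes=1)))
    content_rejected = False
    try:
        store.ingest(dict(base, calling_number="07700900001", called_number="07700900002",
                          start=t0, end=None, content="hello"))
    except ValueError:
        content_rejected = True
    unauthorised_rejected = False
    try:
        store.lookup("07700900001", "marketing", t0)
    except PermissionError:
        unauthorised_rejected = True
    # 366 days after t0 only the first record has exceeded 12 months.
    now = t0 + timedelta(days=366)
    destroyed = store.purge(now)
    hits = store.lookup("07700900001", "designated-official", now)
    return {"content_rejected": content_rejected, "unauthorised_rejected": unauthorised_rejected,
            "destroyed": destroyed, "remaining": len(store._records),
            "hits_for_caller": len(hits), "access_log_entries": len(store.access_log)}
```

Running demo() shows the unsuccessful attempt being kept while the expired call is destroyed, and the access log recording the refused request as well as the granted one; a real deployment would back the store with durable, access-controlled storage rather than an in-memory list.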
In the UK the Information Commissioner will monitor the storage of data, as the designated Supervisory Authority and the Secretary of State will annually collate statistics from Providers in relation to storage of data. Whilst the Data Retention Directive does not provide for reimbursement of additional costs incurred by Providers, the Regulations contain a procedure allowing for discretionary reimbursement of expense provided those costs have been notified to the Secretary of State and agreed in advance. This may offer some comfort to Providers in that some additional expense may be recoverable, however it is not yet clear what expenses will be reimbursed.
The Consultation Paper on the draft Regulations was greeted with mixed opinions but the overall response was positive. The UKCTA, a trade association promoting the interests of competitive fixed line telecommunications companies, was particularly supportive of the Home Office’s “pragmatic approach”. However, the practical implications of the Regulations for telecommunications companies, including additional cost and maintenance of security of information, are yet to be understood.
There is also potential debate as to who is entitled to access the data. The objective behind the Data Retention Directive is to ensure data is available for the investigation, detection and prosecution of serious crime, as defined by each Member State in its national laws. In the UK access to retained data will be limited to the law enforcement agencies set out in section 25(2) of the Regulation of Investigatory Powers Act 2000.
Access will only be granted if it is considered appropriate by a senior designated official in the requesting authority. Such person is meant to balance the individual's right to privacy against the purpose of the request and ensure there is a compelling need for the information requested.
However, the lack of checks and balances in this system will stoke civil liberties concerns. This will be especially so if central and local government or bodies connected to them misuse these broad powers to investigate matters other than terrorism or serious crime. Differing rules relating to access in Member States could result in conflicts and prove a further headache for multi-jurisdictional Providers. In Germany, for example, authorities have indicated that they will allow retained data to be admissible in certain civil copyright infringement cases.
Many are worried about increasing encroachment on civil liberties. The Irish civil rights group Digital Rights Ireland (“DRI”) has commenced an action in the High Court challenging the Irish data retention laws. DRI states that the legislation is contrary to the Irish Constitution as well as Irish and European Data Protection laws. It is also challenging the power of the European Commission and Parliament to enact the Directive in the first place, as it believes the Directive breaches human rights.
On initial review the effect of the Regulations is threefold: increased costs for telecommunications providers as a result of additional storage and administrative requirements, ambiguous legal duties leading to compliance issues, and increased data privacy concerns for the public.
Nevertheless, the Regulations’ aim of combating serious crime is in the public interest, and the opt out for ISPs and Internet providers will temporarily lessen the impact on our increasingly data sensitive society.