Précis
The Government published the eagerly awaited Communications Data Bill (the "Bill") on 13 June 2012.
What?
The collection and retention of communications data is currently regulated by the Regulation of Investigatory Powers Act 2000 ("RIPA") and the Data Retention (EC Directive) Regulations 2009 (the "Data Regs") (together, the "Existing Laws"). The Home Secretary, in her letter to the Parliamentary Joint Committee on Human Rights, has stated that the further measures under the Bill are required to ensure that the police, security and intelligence agencies have access to communications data under an updated framework, one that is fit for the 21st century. The Bill will therefore permit an authorised body to order a Communication Services Provider ("CSP") to generate, obtain, retain and disclose to the authorities any data it may require.
So what?
The Bill introduces a number of important changes, and one of the chief changes is that it relates not only to data that a CSP already holds but also to data that a CSP could be made to obtain.
Who will be affected?
The Bill permits the Home Secretary to order all telecommunications providers (and this term is sufficiently wide to cover all businesses and organisations with their own telecommunication/data networks) to retain data on communications for up to 12 months, or such longer period as may be extended by notice to the relevant telecommunications provider. The Bill also permits the authorities to require a CSP not directly involved in the relationship with a user (for example, a virtual CSP using the network infrastructure of a larger CSP) to provide the communications data they require.
The definition of a CSP is therefore much broader than under RIPA, which covers public Internet Service Providers. There is also the possibility that the very broad definitions used in the Bill could require an individual to retain his or her own records of mobile phone calls, though in reality this may be unlikely.
How is communications data defined?
As was anticipated, the scope of communications data is very wide and split into three categories:
- Subscriber Data relates to the information a CSP holds for the person or persons using communication services, including any passwords giving access to stored information and the name and address of the person who has subscribed to a particular phone number;
- Use Data is defined as information relating to how a subscriber has used data, for example, itemised records of telephone calls, connections to internet services and so on; and
- Traffic Data means any data that is comprised in or attached to a communication, including information identifying the location of equipment (such as the location of a mobile phone), the originating IP address, the origin and destination of a communication in transmission, routing information and so on.
An additional burden of the Bill is that it may require CSPs to retain what would otherwise have been regarded as transient data and therefore not recorded or monitored in their normal business operations.
The Bill places an obligation on CSPs to provide the data in a usable format (a chief constable has stated that it should be incumbent on CSPs to present data to police in an intelligible form), and this may require CSPs to undertake a significant amount of processing, with the attendant cost implications.
Who will get access to such data?
Organisations that will have access to the data will include the intelligence agencies, the police constabularies, HM Revenue & Customs ("HMRC") and the proposed National Crime Agency. The Home Secretary will also be permitted to collect data on behalf of other bodies (for example, local authorities).
Who will pay?
A CSP will be reimbursed "an appropriate contribution" of its costs of complying with an order, as the Home Secretary may consider appropriate in the circumstances. Any payment by the Home Secretary may be subject to conditions and audit of claims for costs. On a positive note, the Bill will permit a CSP to claim its costs prior to actually incurring the expenditure, but it is unlikely that CSPs will be completely protected from the financial costs of complying with an order.
The Bill and associated comments from the Home Secretary give no indication as to how CSPs will be expected to comply with the technical challenges posed by the new legislation. Gmail, Twitter and Skype all use encryption by default in their services and this will make any network-level monitoring both costly and undesirable. However, the monitoring of social media is one of the primary targets of the Bill.
CSPs may also be made to contract out compliance with the Government or with private firms, including "on a commercial basis", meaning that the Government could nominate a private contractor to store data on its behalf (or on behalf of CSPs) and require CSPs to engage commercially with such an entity.
The communications environment is, by its nature, ever-changing, and CSPs will always be playing catch-up with their interception and monitoring processes. For example, even with unencrypted communications, service providers regularly update their communications protocols, and each such update will require CSPs to update their systems accordingly.
Packet-based data has the added complication that separating the content from data is not simple. CSPs see undifferentiated data streams for web communications, but to comply with the Bill and separate data from content would require them to look at all of the data using deep packet inspection or some other filtering technique. This may have a negative impact on the capacity and data throughput over certain networks.
People and businesses have a legitimate need to use encrypted communications to transmit data of a sensitive nature, such as financial details, and as a result there is an element of trust in their relationship with their CSP. A requirement for a CSP to break that encryption may, by necessity, have the effect of breaking trust in that communication and in the relationship.
Orders under the Bill will subsist for a period of one month but are subject to extension. A CSP will be required to retain data for a period of 12 months, possibly longer. All of this will have cost implications and, as mentioned earlier, there is no clear indication that all costs incurred by a CSP in complying will be reimbursed. It is therefore likely that the costs of compliance will be passed on by CSPs to their customers.
How is this different to current monitoring legislation?
The obtaining and disclosure of communications data is currently covered in Chapter 2 Part 1 of RIPA. The effect of the Bill will be to replace this and Part 11 of the Anti-Terrorism Crime and Security Act 2001 ("ATCSA"). Chapter 2 Part 1 of RIPA sets out how a "relevant public authority" (including the police force, councils, security and intelligence services) may access communications data and for what purposes, subject to the relevant public authority satisfying tests of necessity and proportionality.
"Communications data", under RIPA, includes traffic data comprised in or attached to a communication but notably does not include the contents of the communication. The effect of the Bill would be to give the intelligence agencies, the police constabularies, HMRC and the proposed National Crime Agency access to a broader range of communications data and will affect a wider range of service providers than under RIPA, which applies only to public service providers.
Is there any oversight or safeguard in relation to the treatment of communications data?
Clauses 3 to 6 of the Bill require CSPs to protect data against accidental or unlawful destruction, accidental loss or alteration or unauthorised or unlawful retention, processing, access or disclosure, and to put in place adequate security systems governing access to the data and to destroy data at the end of the retention period "in such a way that it can never be retrieved".
Whilst these obligations are in a similar vein to certain of the obligations set out in Schedule 1 of the Data Protection Act 1998 (the "DPA"), the effect of the Bill is to increase the amount of data that CSPs may be required to retain and treat in accordance with the required safeguards, which may have time and cost implications. In addition, clause 4 of the Bill requires data to be held for up to 12 months from the date of the communication, something that may well result in cost implications for CSPs.
The Information Commissioner is expected to comment on the draft Bill, in particular in relation to the adequacy of the proposed safeguards and limitations. CSPs will need to bear in mind their obligations under the DPA alongside those under the Bill. The Information Commissioner has commented that, in order to ensure compliance with the DPA in respect of the security of retained personal data and its destruction at the end of the retention period, his office will need "appropriately enhanced powers and the necessary additional resources".
A parliamentary timetable has not been published at the date of this briefing note, but two committees have been prepared for the initial review. The Home Secretary has sought pre-legislative scrutiny from the Joint Committee on Human Rights and, in parallel, an inquiry by the Intelligence and Security Committee.