A proposal for a Communications Data Bill was announced on 14 May 2008 as part of the UK Government’s Draft legislative programme 2008/09. The purpose of the Bill is to:
“…allow communications data capabilities for the prevention and detection of crime and protection of national security to keep up with changing technology through providing for the collection and retention of such data, including data not required for the business purposes of communications service providers; and to ensure strict safeguards continue to strike the proper balance between privacy and protecting the public.”
This proposal was expected as the Government only has until March 2009 to transpose the rest of EU Directive 2006/24/EC on the retention of communications data into UK law. Unexpected, however, was the suggestion that data could be retained in a central Government database, a proposal that drew protest from the communications and IT industries and privacy groups when it was revealed.
The Data Retention Directive was partially implemented in October 2007 under the Data Retention (EC Directive) Regulations 2007/2199, which require providers of public communications services to retain data relating to fixed and mobile calls for a minimum of 12 months. The 2007 Regulations do not apply to the retention of communications data relating to internet access, IP telephony and email. The United Kingdom made a declaration pursuant to Article 15.3 of the Directive that it would postpone application of the Directive to these forms of data until 2009, and no later than the transposition deadline of 15 March 2009, reflecting the greater complexity in this area.
Communications data is essentially data relating to the traffic of communications generated or processed on the networks of communications providers or by the use of their services. Such data is used for a variety of business reasons, including billing, network management and the prevention of fraud. It is defined in the 2007 Regulations as traffic data and location data and the related data necessary to identify the subscriber or user.
Traffic data and location data have the same meaning as under the e-Privacy Regulations 2003/2426 (which also govern the use of unsolicited commercial email). Location data is defined under those Regulations as any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user. Traffic data is defined as any data processed for the purpose of the conveyance of a communication on an electronic communications network, or for the billing in respect of that communication, including data relating to the routing, duration, or time of a communication. Communications data does not therefore cover the content of any communication.
The Directive requires Member States to ensure that data is retained for periods of not less than six months and not more than two years from the date of the communication. A 12-month retention period was adopted under the voluntary regime that preceded the 2007 Regulations and the Government sees no reason for change, as, in its view, nothing has changed since the 2003 consultation that preceded that regime. The 2003 consultation concluded that 12 months was the optimal tradeoff between law enforcement requirements and the associated interference with individuals’ right to privacy. It therefore seems likely that a 12-month retention period will be adopted in the new Bill.
The rationale behind the retention of communications data is to allow access to such data for law enforcement authorities to assist with investigations into criminal activities, particularly terrorism. This would seem uncontroversial. Civil liberties groups, however, do not like to see such rules mandated. Nonetheless, from the industry perspective, a new regime mandating retention to this extent will arguably make little difference. Most communications providers already retain communications data for billing purposes and customer records, so will be unaffected by the new regime. Compelling ISPs and telcos to hand over communications data to a national database is, however, a different matter and, in the view of many, constitutes a significant security risk at odds with the overriding objective of combating terrorism. The UK Government plans to publish the Bill in draft for consultation later this year.