1. The steady DRIP of data: New UK Data Retention and Interception Act passed
In the wake of the European ruling on the Data Retention Directive in April this year, the UK Government has passed emergency data retention and interception legislation to ensure that communications operators in the UK remain under a mandatory obligation to retain communications data.
On 17 July 2014, the Data Retention and Investigatory Powers Act ("DRIP Act") received Royal Assent. The Bill had only been announced on 10 July 2014 and presented to Parliament for the first time on Monday 14 July. It was passed using the "fast-track" procedure for legislation.
The DRIP Act has three key elements:
- The first component of the Act relates to Government requirements for retention of communications data.
- The second component of the Act relates to the extra-territorial effect of the interception and communications data requirements of the Regulation of Investigatory Powers Act 2000 ("RIPA").
- The third component of the Act provides for a review of investigatory powers to report by 1 May 2015.
The Data Retention Provisions
Retention of communications data is currently regulated in the UK by the Data Retention (EC Directive) Regulations 2009 (the "2009 Regulations") which implemented the EU's Data Retention Directive. However, following the ECJ's ruling in April of this year that the Data Retention Directive was unlawful on the grounds that it breached human rights, the 2009 Regulations have been deemed to be in a somewhat vulnerable position. The DRIP Act provides powers to replace the 2009 Regulations, although they will remain in place until terminated by new Regulations made under the DRIP Act. The Government claims that the new Act is designed to strengthen and clarify the existing law rather than extend it. However, there are some subtle changes in the legislation.
For example, the 2009 Regulations applied to "public communications providers" which were defined by reference to the EU concepts of electronic communications networks and electronic communications services. The DRIP Act applies instead to "public telecommunications operators" which are defined by reference to the definition of "public telecommunications service" found in RIPA (which the DRIP Act also amends). It is not clear at this stage what practical effect, if any, this subtle change in definition will have.
The DRIP Act provides power for the Secretary of State to issue a data retention notice on a public telecommunications operator, requiring them to retain certain data types. Instead of the previous fixed 12 month period applicable under the 2009 Regulations, the retention period under the notice issued by the Secretary of State may vary subject to a maximum of 12 months. Again, until the new notices are published, it is impossible to know how this change will work in practice.
The DRIP Act also imposes obligations on public telecommunications operators in relation to the disclosure of retained data. Under the DRIP Act, any such retained data must not be disclosed other than in accordance with RIPA, a court order or warrant, or under new data retention regulations.
Despite the Government's claims that the data retention provisions do not extend the current regime under the 2009 Regulations, they have been criticised, not least because of their interaction with the ECJ's ruling on the Data Retention Directive. In its judgment, the ECJ set out ten principles with which any new data retention legislation must comply in order to be proportionate. In particular, it prohibited blanket data retention. The Government has published a note on the ECJ principles, in which it addresses the ways in which each principle has been dealt with. However, to the extent that the new legislation is not compatible with the EU Charter of Fundamental Rights and Liberties or the European Convention on Human Rights, it could be subject to challenge.
The Interception Provisions
As well as the data retention provisions, the DRIP Act also makes a number of amendments to RIPA. These mainly relate to extra-territoriality. According to the Government, whilst RIPA has always had implicit extra-territorial effect, some companies based outside the United Kingdom, including some of the largest communications providers in the market, have questioned whether the legislation applies to them.
The DRIP Act therefore makes the extra-territorial reach of RIPA explicit in relation to both interception and communications data by adding specific provisions. This confirms that requests for interception and communications data to overseas companies that are providing communications services within the United Kingdom are subject to the legislation.
The DRIP Act has also widened the definition of "telecommunications service" as it applies in RIPA and now also in relation to data retention. The amended definition provides that the cases in which a service is to be taken as a telecommunications service include "any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system." According to the explanatory notes, this amendment is to clarify that the definition includes companies who provide internet-based services, such as webmail.
The DRIP Act obtained Royal Assent on 17 July 2014, meaning that the changes to RIPA came into effect on that day. The 2009 Regulations will remain in effect until replaced by new data retention regulations proposed under the DRIP Act. Likewise existing data retention notices will remain in effect until such time as the Secretary of State issues new data retention notices to public telecommunications operators.
It is difficult to say at this stage what practical difference, if any, the new legislation will have. The Government maintains that it is not extending the existing regime. However, the changes to definitions could mean that more organisations are served with data retention notices than was previously permitted under the 2009 Regulations.
The legislation could also still be subject to challenge and review. Two MPs have already given notice to the Home Office of their intention to seek a judicial review of the passing of the legislation, which was rushed through the fast-track procedure. It also remains to be seen whether or not the EU will take any interest in the extent to which the legislation complies with the proportionality principles laid down by the ECJ. Either way, it seems likely that data retention is going to remain a hot topic for operators in the IT and telecoms sectors dealing with communications in the UK (or even outside the UK) for the foreseeable future.
To view a copy of the DRIP Act, please click here.
2. US Federal Court orders Microsoft to produce e-mail content stored outside the United States
In a decision that may affect how US technology companies, and in particular data storage or "cloud" providers, do business with customers outside the United States, a federal district judge in New York has affirmed a magistrate judge's decision that ordered Microsoft Corporation to produce, in response to a search warrant issued at the behest of US authorities, the contents of one of its customer's e-mail accounts stored on a Microsoft server in Ireland.
In allowing the magistrate judge's ruling to stand, the federal district court may have inadvertently heightened tensions between the US government and privacy advocates, and raised even more challenges for US service providers as they seek to negotiate a path between compliance with US law and the privacy demands of both their customers and authorities outside the US, particularly in Europe. It has been reported, for example, that German officials previously cautioned Microsoft that their government would not utilise data storage services of US-based companies if the search warrant ruling is not overturned.
Coming as it does on the heels of various allegations about the US government's treatment of non-US data, the ruling (issued orally at a 31 July 2014 hearing) may fuel the perception, particularly in Europe, that US authorities are free to cast a wide, even trans-Atlantic, net for data whenever they wish. That perception, however, does not take into account the substantial legal and procedural safeguards that US authorities need to meet before being issued a search warrant. For example, in this case the government was conducting a criminal investigation and made a showing to the court that there was probable cause to believe that the e-mails might provide evidence of a crime. Nor does this criminal matter address the fact that, as certain US courts have found in the civil context, third party service providers cannot be compelled under the US Stored Communications Act ("SCA") to disclose the content of their customer's e-mails pursuant to a civil discovery subpoena.
Nevertheless, if the ruling stands, it may embolden other nations to seek similar data of US customers, either directly from US companies or from the local affiliates of US-based companies. This may increasingly present US providers and their affiliates with a Hobson's choice: either comply with foreign data demands at the risk of violating the SCA or related provisions that limit disclosure of e-mail content to US authorities, or else risk violating the disclosure orders of authorities outside the United States. That this type of quandary has often plagued non-US companies dealing with, for example, discovery demands emanating from US courts, will likely be of little comfort to Microsoft and other US-based providers.
The long-term, or even short-term, impact of the decision is uncertain. The district court's ruling is not binding on any other court, and the district court has stayed its ruling to enable Microsoft to appeal. In a statement issued shortly after the hearing, Microsoft stated that "[t]he only issue that was certain this morning was that the District Court’s decision would not represent the final step in this process," and shortly thereafter the company filed a further appeal. Thus, the final word is not in, and it may be that the ultimate resolution will involve the deliberation and cooperation of not only the courts, but of industry, legislature and regulators, both in the US and elsewhere.
To view a more detailed eBulletin on this case, please click here.
3. House of Lords publishes report on right to be forgotten
The House of Lords European Union Committee has published a report into the so-called right to be forgotten, concluding that it is both "misguided in principle and unworkable in practice".
On 30 July 2014, the House of Lords European Union Committee published a report (the "Report") entitled "EU Data Protection law: a 'right to be forgotten'?" in which it considered the implications of the ECJ's judgment in the case of Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (the "Costeja ruling"). The Costeja ruling confirmed internet users' right to have search engine results removed where they interfere with the user's right to privacy.
The Report examines whether, following the Costeja ruling, data protection laws continue to strike a fair balance between the right of privacy and the freedom to seek and impart accurate information that has been lawfully acquired, as well as looking at the degree to which it is practical and proportionate for search engines to comply with the ruling.
The overall conclusion of the Report is that the right to be forgotten is both 'misguided in principle and unworkable in practice'. From a practical perspective, according to the Report, Google's webform for the "right to be forgotten" went live on 30 May 2014, 17 days after the ECJ's judgment. In the first 24 hours Google received 12,000 requests (European totals), and in the first four days approximately 40,000. Up to 30 June 2014 it had received more than 70,000 removal requests with an average of 3.8 URLs per request, a total of over a quarter of a million URLs. Even by the standards of a global corporation the size of Google, this is a massive burden. In addition, the Report argues that both the Costeja ruling and the legislation on which it is based (the Data Protection Directive 1995/46/EC ("DPD 1995")) fail to take into account the current state of communications service provision, where 'global access to detailed personal information has become part of the way of life'. Search engines should not, according to the Report, fall within the definition of data controllers (as the ECJ held in the Costeja ruling), and the right to be forgotten should consequently be removed from the draft Data Protection Regulation that is currently going through the EU legislative process.
With respect to the on-going EU data protection reform, removal of the right to deletion and erasure of data (a right which was originally contained in the DPD 1995) is unlikely as it would represent a weakening of the current provisions. However, a review of the definition of 'data controller' and the classification of search engines under the new Data Protection Regulation is a greater possibility.
The European Commission has responded to the Report by emphasising that finding the right balance between the right to privacy and freedom of the media is precisely the spirit of the on-going EU data protection reform.
To view a copy of the House of Lords report, please click here.
4. FCA publishes paper on technology outsourcings
As part of the FCA (and PRA) review into barriers to banking, the FCA has recently published a paper setting out a list of questions for a firm to consider as part of its preparations for the use and evaluation of third parties in the delivery of technology services which are critical to the regulated firm’s business operations.
In practical terms, the FCA states that it is looking for the following outcomes:
- At the time of authorisation, a firm’s regulated activities must be supported by IT services which are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to the FCA's objectives.
- The firm must have undertaken sufficient preparatory work to provide reasonable assurance that each outsourced service provider will deliver its services effectively, resiliently and securely.
- The firm must establish appropriate arrangements for the on-going oversight of its outsourced service providers and the management of any associated risks such that the firm meets all its regulatory requirements.
- Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities. It cannot delegate any part of its responsibility to a third party.
The paper and the questions contained within it are broadly consistent with the existing SYSC 8 regulatory requirements but it is interesting that the FCA has done more of a deep dive into where technology solutions are going and what it might mean for banks, including a reference to multi-tenancy/shared platform solutions.
To view a copy of the paper, please click here.
5. Going private? Rights for EU citizens under US Privacy Act
The Obama administration is seeking to extend a right of redress available to US citizens under the US Privacy Act to EU citizens. The right of redress relates to the wrongful sharing of personal data with US authorities for law enforcement purposes.
As part of the current negotiations towards an EU-US data protection umbrella agreement, US Attorney General Eric Holder has announced that the Obama administration will seek to work with Congress to enact legislation that would provide EU citizens with the right to seek redress in US courts if personal data shared with US authorities by their home countries for law enforcement purposes under the proposed agreement is subsequently intentionally or wilfully disclosed. This right would mirror the right already available to US citizens under the US Privacy Act.
If the right of redress is extended as hoped, then EU citizens would be able to seek judicial redress:
- in circumstances where their personal data was shared with US authorities by their home countries for law enforcement purposes and was then wilfully disclosed; and
- for refusal to grant access or rectify errors in the information shared.
The European Commission has responded by saying that the announcement is "an important first step towards rebuilding trust in our transatlantic relations [and] should be swiftly translated into legislation so that further steps can be taken in the negotiation".
The EU-US data protection umbrella agreement has been negotiated since 2011 and the issue of judicial redress had been a major stumbling block to the conclusion of negotiations. However, the two sides also still need to come to an agreement regarding the purpose limitation of the data sent to the US. The EU seeks to ensure that data shall only be transferred for specified law enforcement purposes, and then processed in a way compatible with these purposes.
To read the US Department of Justice press release click here.
Or to view an EC factsheet on EU-US data protection negotiations, click here.