Compulsory data retention for both telecoms and Internet data moved a step closer as the Home Office published the results of its data retention consultation and the final draft Regulations. These Regulations, which implement the Data Retention Directive, will become law on 6 April 2009 (the original deadline for implementation was 15 March but the UK Government appear to have extended this to 6 April).
The most notable feature of the new draft Regulations is how different they are from previous versions. The UK Government already implemented the Directive in respect of telecoms data in September 2007 and intends to replace those 2007 Regulations with the new ones covering both telecoms and Internet data. The original draft of the new Regulations was very similar to the 2007 Regulations but the latest draft has made some important changes.
The key issues
Who is required to retain data?
This is the key area of difference. The Directive required a blanket obligation on telcos and ISPs to retain all traffic data specified in the Directive. The 2007 Regulations tried to make this more proportionate by stating that, where more than one telco would hold the same data, only the primary telco would need to retain it.
The new Regulations have taken this carve-out further. Regulation 10 states:
“These Regulations do not apply to a public communications provider unless the provider is given notice in writing by the Secretary of State in accordance with this regulation”.
Although the Secretary of State is under an obligation to give notice to public communications providers, this approach means that not all telcos and ISPs will be required to retain data. This raises three issues:
- It is not entirely clear how the UK’s intended approach is compliant with the EU requirement to retain all traffic data under the Directive. However, we understand that the Home Office has been liaising with the EU Commission and has made them aware of the UK’s approach.
- It is also not entirely clear how this applies to telcos. The telcos have been under an obligation to retain data in accordance with the 2007 Regulations. From 6 April, the telcos will be under an obligation to comply with the new Regulations. On a strict interpretation, the telcos will not be required to retain data until notified by the Secretary of State. It is likely that the telcos will be notified by the Secretary of State to retain data on the same basis as before but this is not guaranteed. The safest position would be for telcos to continue to retain data on the same basis until they are notified otherwise.
- There are also some questions over how the notifications will operate immediately after implementation. Assuming the Home Office will not be ready to send out all of its notifications by the day the Regulations come into effect, at least some of the relevant telcos and ISPs will not be obliged to retain data from day one. It is not clear how the Home Office intends to deal with the logistics of notifications. However, it is advisable that telcos and ISPs that know that they will be required to retain data should continue to make preparations to begin retaining that data from 6 April.
How long does data need to be retained?
The new Regulations require the data to be retained for 12 months. This is the same period as under the 2007 Regulations. It is, however, longer than the six months for which ISPs are currently required to retain data under the Anti-terrorism, Crime and Security Act 2001. It has been suggested that ISPs could have been required to retain data for only six months under the Regulations, given that the Directive itself only requires data to be retained for between six months and 24 months. However, the Home Office has taken the view that it is preferable to have a single retention period for telcos and ISPs.
Who bears the costs?
The Home Office intends to apply the same approach as under the 2007 Regulations. The telcos and ISPs have to bear the cost of compliance initially but the Government “may reimburse any expenses”. The “may” has led to some concern about when the Government will or will not reimburse costs. The Home Office has suggested that in practice it intends to reimburse all reasonable costs provided that they are notified and agreed with the Secretary of State in advance.
Junk emails make up the majority of email traffic and most is filtered out by the ISPs before it reaches the recipients. However, Regulation 4(2) extends the obligation to retain data to “unsuccessful call attempts” which “in the case of internet data, are logged in the UK”. There has been unofficial guidance that “unsuccessful call attempts” is only intended to apply to the telcos but the drafting of Regulation 4 does not reflect this. As a result, it is not clear whether ISPs need to retain data in relation to junk email. The safest advice is that ISPs should seek to retain all undelivered communications data, including that relating to junk email, until they receive clarification from the Secretary of State that they are not required to do so.
Tips for compliance
- Telcos are advised to continue to retain data on the same basis as before unless and until they are notified any differently by the Secretary of State.
- Major ISPs are almost certainly going to be required to retain data. Even though the obligation does not begin until notified, major ISPs are advised to prepare on the basis that they will have to comply from the beginning. Smaller ISPs that feel they may not need to comply may wish to make preliminary preparations but may want to hold off from actual compliance until notified.
- In the absence of clear guidance to the contrary, ISPs are advised to retain all required data relating to junk email.
- Ensure compliance expenses are notified to the Home Office as early as possible and avoid significant outlay until the expenses have been agreed and reimbursement is assured.