Précis - The written responses to the Parliamentary Committee's "call for evidence" on the draft Communications Data Bill have been published, and are largely critical of the Government's plans.
What? The draft Communications Data Bill (the "draft Bill") is a highly controversial piece of legislation which expands the obligations upon communications service providers ("CSPs") to retain communications data. The draft is currently being scrutinised by a joint committee of MPs and Peers, which in July asked for interested parties to submit their views on the draft Bill. The Joint Committee is due to report back to the Houses by 30 November 2012. The Intelligence and Security Committee are also undertaking a separate inquiry into the draft Bill.
So What? The draft Bill changes the framework surrounding both the retention of communications data and access to that data. It permits an authorised body to order a CSP to generate, obtain, retain and disclose to the authorities any data it may require. "Communications data" is the meta-data surrounding a communication, such as the timing and duration of a telephone call and the email address to which a communication is sent. It does not include the actual content of a communication. We have previously reported on some of the features of the draft Bill.
The responses to the call for written evidence vary. The Serious and Organised Crime Agency ("SOCA"), for example, is strongly supportive of both the principle behind and the manner of execution of the draft Bill. However, companies in the communications industry, who would be particularly affected by the proposals in the draft Bill, have roundly criticised the draft Bill, and a number of concerns reappear throughout their various responses.
One particular issue that stands out is the intended aim of the draft Bill. When publishing the draft Bill, the Home Office was careful to frame the draft Bill as an updating job, which was necessary to "maintain" the current capabilities of law enforcement agencies in a world of advancing technology. SOCA's response to the call for evidence takes the same view - it says that its understanding of the scope of the draft Bill is that
"it will ensure law enforcement can maintain access to subscriber data, traffic data and service data in very much the same manner as it currently does, but that the data retained by CSPs will reflect the changes in technology".
However, a number of telecoms bodies have expressed concern that the draft Bill is actually a significant expansion of the current capabilities. The ISPA notes that the obligations to generate data that is not required for business purposes, the requirement to capture and retain data of a third party and the extended definition of CSPs represent significant changes to the current protocol, and questions whether "such extensive additional powers are proportionate and necessary".
Another particular issue of concern is the lack of detail given within the draft Bill. As Twitter points out, it is essentially a piece of enabling legislation, which allows for numerous additional requirements to be introduced by order, notice or regulations, and "the specific details, implementing regulations, and form and content of subsequent orders are as yet unknown". The ISPA is particularly critical of this, saying that "far too much discretion is given to the Home Secretary without the necessary parliamentary oversight to ensure that the significant changes proposed are proportionate and necessary". This is particularly troublesome because such pieces of secondary legislation tend to receive less parliamentary scrutiny than the primary legislation, so there is a risk that the bread and butter of the new regime will pass by without sufficient scrutiny.
Concerns have been raised over the definitions of "CSP" and "communications data". The range of persons who will now have obligations under the draft Bill has been dramatically widened. The Secretary of State could ask anyone who controls any communications equipment to provide communications data in respect of it. Additionally, services such as social networks have blurred the distinction between what would traditionally constitute internet "traffic" and what would constitute "content". Given the concerns that privacy campaigners have had about the draft Bill, dubbing it a "snooper's charter", this is an area that should be considered in detail by the Joint Committee.
The obligations on CSPs in terms of data retention have caused particular upset. Virgin Media's primary concern about the draft Bill relates to "the retention requirements on providers not previously caught by data retention requirements and the requirement for UK providers to retain data of these providers". The company is concerned that it will damage its commercial relationships with third parties, such as those whose applications and services are made available through Virgin's TiVo service, if Virgin is obliged to provide data that it obtains from those third parties. Vodafone note that the proposals in the draft Bill go "considerably further than mere retention, including, as proposed, obligations to 'generate' data". The draft Bill varies here from the existing regime - currently, CSPs are only required to retain data that they generate for business purposes. The ISPA has highlighted this as an area of particular concern, as the generation of this data "is not why ISPs run their networks and is technically very complex. This obligation could force our members to redesign their networks based on the obligation to retain, rather than on commercial interest or economic effectiveness".
Another common concern was that the measures in the draft Bill would affect the UK's competitiveness, and would undermine new investment in the UK. The Coalition for a Digital Economy say that the unclear definitions in the draft Bill "create legal uncertainty around digital startups and whether they would be required to comply with these measures. Uncertainty is a major disincentive for investors". Furthermore, they consider that the draft Bill "undermines the fundamental nature of digital businesses by dictating how they handle their data". The ISPA agrees with this, commenting that "the draft Bill has the potential to put the UK at a competitive disadvantage and destabilise the market...in challenging economic times we question whether this should be a government priority".
Finally, the issue of how this will work across jurisdictions was raised. Twitter noted that it was possible that the type of monitoring that would be required would result in the collection and retention of data on users who are outside of the UK, which could place Twitter in a "legally untenable position with respect to privacy, data retention and data protection laws elsewhere in the world". Telefonica UK Ltd "does not believe that the plans are at all robust" in terms of placing requirements on CSPs based overseas, as "the spectrum of 'overseas providers' goes from multi-national players who see the UK as a tiny percentage of their market and who will be unwilling to change their trading practices to suit, through to tiny backroom application developers who will be impossible to locate". Telefonica's main concern is the potential for this to create disparities and an uneven playing field between UK-based CSPs and overseas providers.
It is worth noting that a similar attempt to reform the law around the retention of and access to communications data was made in 2008. However, these plans were shelved because of the overwhelmingly negative responses from respondents to the consultation paper. It will be interesting to see if politicians respond to the criticisms directed at the draft Bill before it is taken any further through Parliament.