A new Counter-Terrorism and Security Bill (the “Bill”) was introduced to the House of Commons on 26 November 2011 that will, among other things, allow the Government to require communications providers to retain data necessary to attribute an IP address to an individual.
Earlier this year the European Union’s Data Retention Directive was found to be invalid. The Government passed a new Data Retention and Investigatory Powers Act 2014 (“DRIPA”) in order to replace the Data Retention Regulations 2009 (“2009 Regulations”), which had implemented the EU Directive and was at risk of being found invalid. DRIPA contained various amendments to the Regulation of Investigatory Powers Act 2000 and set out a new regime for the retention of communications data. Among other things, DRIPA amended the definition of “telecommunications service” to cover services that consist in or include facilitating the creation, management or storage of communications, catching over-the-top players, internet mail providers and social media businesses who may not have been required to retain communications data under the 2009 Regulations.
The Bill makes certain amendments to the provisions of DRIPA including the definition of “communications data”. Providers may now be required to retain internet data that relates to internet access services or internet communications services and may be used to identify or assist in identifying which IP address or other identifier belongs to the sender or recipient of a communication (whether or not a person). The effect is that providers that are potentially required to retain communications data may now need to attribute IP addresses to individuals or devices or retain information to assist law enforcement authorities to identify the users of certain telecommunications services.
In some ways, the new requirements do not go much further than the existing requirements of DRIPA. For example, internet access providers could already be required to retain IP address details. However, providers may be under a higher obligation to retain such data and, unlike in the 2009 Regulations, there is no defence for a provider in the event that another organisation is already retaining the relevant data. The requirement for data to be collected and retained to attribute IP addresses and other internet identifiers to recipients and senders may well be controversial given that providers need to comply with the data protection laws and regulations with respect to the communications data that they retain. Much will depend on how draconian the Government would be in issuing data retention notices under the amended DRIPA.
While DRIPA and previous bills proposed by the Government on the subject of data retention (including the Communications Data Bill from 2012) have been the subject of great debate, the new focus of the new Bill has been on the wide ranging powers that the Government has requested including the power to place universities under a statutory duty to prevent people from being drawn into terrorism. The Bill will progress to the next stage of its consideration in the House of Commons on 9 December 2014. There is a strong chance that changes will need to be made before it is passed into law but we suspect that the new data retention requirements will receive little attention in the larger debate that has been triggered by the Bill. Whether or not the Bill is passed in its current form, there is little doubt that the Government will continue to push its agenda for greater powers in relation to communications data and many businesses operating in the sector will be glad for now that the scope of DRIPA and the new Bill is not yet as expansive as the Government once sought in 2012.