The Data Retention (EC Directive) Regulations 2007 (SI 2007/2199) came into force on Monday 1 October 2007.

The Regulations implement part of the EU Data Retention Directive (2006/24/EU). The Directive aims to put in place an EU-wide framework for the retention of telephone and internet data by communications service providers ("Providers") to help security services combat terrorism and other serious crime by accessing Providers' telephone and internet records.

At present the UK Regulations only apply to UK fixed line and mobile telephone call and text message records. Data from internet access, email and internet telephone usage is not yet covered, but the Government must pass legislation requiring retention of internet records by 15 March 2009 in order to comply with the Directive.

Under the Regulations, data must be retained by the Provider for 12 months from the date of the call and must then be destroyed. Providers' data retrieval systems must be designed so that any data requested by the law enforcement agencies can be transmitted without undue delay.

The retention requirement applies to traffic and location data and other identifying information as set out below, but does not apply to the content of the calls or text messages.

The Regulations specify that the data to be retained includes details of:

  • the telephone from which the call was made;
  • the subscriber's or registered user's name and address;
  • the telephone number dialled, including details of any users to whom the call is forwarded or transferred;
  • the date and time of the call;
  • the telephone service used; and
  • in the case of a mobile phone, data identifying the location of the handset used.

The Home Office has discretionary power to reimburse any expenses incurred by a Provider in complying with the data retention requirements above, provided that the expenses are notified and agreed in advance.

It is unlikely that the Regulations will have much impact on Providers at present because Providers generally retain much of the specified data for billing purposes and customer record keeping.

In addition, many Providers already subscribe to the Home Office voluntary Code of Practice on data retention that was made under Part 11 of the Anti-Terrorism, Crime and Security Act 2001, which sets extended time limits for the retention of data by Providers to assist with the fight against terrorism.

The prescribed data retention period for internet data has not yet been set. In view of this uncertainty, Providers may wish to consider planning for the 2009 extension of the data retention legislation well in advance.