Issues around retention of communications and on-line data have been receiving much attention in recent weeks with the UK government finalising new data retention regulations, the coming into force of new data retention requirements for certain Financial Services Authority (FSA) authorised businesses and privacy concerns over Facebook seeking to amend its user terms.
UK Government Finalises Data Retention (EC Directive) Regulations 2009
On 11 February the Data Retention (EC Directive) Regulations 2009 (DRRs) were laid before Parliament.
From April this year, all telecommunications companies and internet service providers (ISPs) will be required to keep a record of communications traffic and location data on their networks for a period of 12 months. The aim is to allow the police to obtain certain telephone and internet use data from ISPs to aid their investigations of terrorism and other serious crimes. The DRRs cover data relating to the geographical location of network users and also the routing/duration or time of communications (but not communication content, which is expressly excluded).
The DRRs cover fixed-line/mobile telephone service providers and ISPs, however web-based email services and Internet VoIP applications should ordinarily be exempt, even where the relevant servers are located in the UK, as these are not covered by the definition of "public communications services".
The DRRs represent the final step in the transposition of the EC Data Retention Directive (Directive 2006/24/EC) and were laid before parliament the day after the European Court of Justice (ECJ) issued a decision upholding the Directive's legal basis, in the face of a challenge from Ireland supported by Slovakia. The Irish and Slovakian governments argued that the main purpose of the Directive is investigation and prosecution of crimes and should, under the Maastricht Treaty, have been unanimously approved by all EU member states (which it had not).
The ECJ held that the Directive had been adopted correctly because it regulated economic rather than police activity and was necessary for the proper functioning of the internal market in communications services.
Financial Services: New Data Retention Requirements
On a similar regulatory theme, the FSA have executed new rules requiring certain financial firms to record and retain communications data for six months.
The rules have been enacted with the aim of preventing fraudulent trading behaviour and also to help the FSA investigate and apprehend potential suspects in market abuse cases.
Firms which receive, execute or arrange orders relating to equities, bonds or derivatives are subject to the new regulations to retain recordings of communications made by email, fax and instant message as well as telephone calls. The regulations do not currently cover calls made from mobile phones or other handheld devices, but the FSA states that this will be "revisited" in the next 18 months.
Critics of this extension to the data retention regime for financial services have expressed concern that the expense and administrative burden imposed by the regulations are disproportionate and are likely to place UK financial service providers at a disadvantage in the global market.
However, the FSA maintains that introducing a data retention requirement "may raise the standard of behaviour by those using telephone lines and electronic communication"
Facebook Retreats on Retention of Former Customers' Data
Facebook managed to cause uproar in the online community when it sought to amend the site's user terms in February. The controversy centred on the deletion of a provision under which Facebook's right to a customer's generated content was stated to expire when that user account was closed. This proposed deletion provoked an outcry by some customers alleging that Facebook was attempting to assert contractual rights of retention over their photos and other content on a permanent basis.
Facebook then issued an explanatory note clarifying that the main reason for the amendment was to reflect "current practice" that information posted by one user on another user's personal pages would not be automatically deleted by Facebook where the posting user closed their account. The note clarified that Facebook had always expressly disclaimed ownership of user generated content and that the licence to such content which it did claim permitted it to use material "in connection with Facebook or the promotion thereof".
This issue is however yet to be tested in the courts and this data retention debate, it seems, is not over yet.