At breakneck speed and amidst considerable controversy the Data Retention and Investigatory Powers Act 2014 (DRIPA) became law in the UK on Thursday last week, having been introduced as an emergency Bill on the Monday.
The row about the rights and wrongs of using the fast track emergency Bill procedure will rumble on. Here we focus on what the Act actually does and its implications for providers of internet-related services in and to the UK. We also touch on likely forthcoming challenges to the legislation.
The Act does four main things.
- It substantively re-enacts the mandatory data retention provisions of the 2009 Data Retention Regulations. Those were based on the EU Data Retention Directive, which the CJEU invalidated on 8 April 2014.
- It introduces new regimes for subjecting providers located outside the UK to maintenance of interception notices, interception warrants and communications data acquisition notices. It also provides that obligations imposed by such warrants and notices can apply to conduct within and outside the UK. The government maintains that this is no more than a clarification of the pre-existing position.
- It supplements the definition of 'telecommunications services' in the Regulation of Investigatory Powers Act 2000 (RIPA). This potentially affects which services can be the subject of maintenance of interception notices, interception warrants and communications data acquisition notices. The government has stoutly maintained, to a chorus of scepticism, that the additional text does not broaden the pre-existing definition but merely clarifies it.
- It may affect which providers can be made subject to the mandatory data retention obligations. The 2009 Regulations used the Communications Act 2003 definitions, based on those in the EU Framework Directive. The new legislation replaces these with RIPA definitions, including the newly supplemented definition of 'telecommunications services'.
Mandatory data retention
The existing 2009 Regulations (which remain in force until terminated by new regulations to be made under DRIPA) provide a fixed 12 month retention period for specific categories of communications data, replicating those in Article 5 of the now defunct Directive. Only a public telecommunications provider who has received a notice from the Secretary of State is required to retain data. This is designed to avoid duplication of retention.
The Act and new regulations will empower the Secretary of State to give data retention notices to public telecommunications operators (defined in RIPA terms as a person who controls or provides a public telecommunication system, or provides a public telecommunications service – the latter as now amended by DRIPA). Instead of the previous fixed 12 month period applicable across the board, the retention period may vary subject to a maximum 12 months. The notice may specify different periods for different types of data. The notice may relate to an operator or description of operators.
The Secretary of State can give a notice only if s/he considers that the requirement is necessary and proportionate for one of the purposes specified in RIPA for which communications data may be obtained. S/he is required under the regulations to take reasonable steps to consult any operator to whom it relates before giving a notice. The notice may be given or published in such manner as the Secretary of State considers appropriate for bringing it to the attention of the operator(s) to whom it relates. The Secretary of State must keep the notice under review.
A public telecommunications operator who retains data under a retention notice is placed under tighter restrictions as to disclosure of mandatorily retained data. In particular it is prohibited from disclosing such data (or data voluntarily retained pursuant to ATCSA) in response to the purported exercise of disclosure powers in statutes other than RIPA. It will also have specific obligations in relation to data integrity, security and destruction of data and responsiveness to requests for data. There will be a new RIPA Section 71 Code of Practice in relation to mandatory data retention under DRIPA.
There are two potential issues with this aspect of DRIPA. The first is that DRIPA does not, and does not purport, to address every separate criticism of the existing data retention scheme made by the CJEU in the Digital Rights Ireland case. This has led some to question whether the new legislation is compatible with the EU Charter of Fundamental Rights and Liberties (which the CJEU applied in Digital Rights Ireland) or the European Convention on Human Rights. There is a strong likelihood of legal challenge to the new legislation. Since DRIPA relies on an exception to the E-Privacy Directive, following the CJEU decision in Pfleger it will no doubt be argued that DRIP must comply with the Charter and thus is susceptible to disapplication by domestic courts (if necessary following a reference to the CJEU) if it does not comply with the Charter.
The second possible issue is that the government notified the draft Bill and regulations to the European Commission under the EU Transparency Directive on a precautionary, without prejudice basis. The government repeated in the notification documents its stance that, for mandatory data retention:
"The legislation simply re-enacts, with additional safeguards, existing provisions which are already contained in the Data Retention (EC Directive) Regulations 2009, which remain in force within the UK."
For investigatory powers it said:
"The legislation clarifies existing provisions of the Regulation of Investigatory Powers Act which were previously notified to the Commission (2000/0069/UK). This is, in part, to react to domestic case law which may lead to Act being interpreted in a more limited way than when the Bill was passed and the Act notified."
This appears to be the first reference to the possible effect of domestic caselaw having been a consideration.
Normally a notification would require a three month standstill period before the regulations could be brought in to force. However the government has invoked the urgency procedure under Article 2(7) of the Transparency Directive to bypass the standstill period. Considerable disquiet was expressed in Parliament over the use of the fast-track domestic emergency Bill procedure.
DRIPA makes two amendments (according to the government, clarifications) to the existing provisions concerning interception capability notices, interception warrants and communications data acquisition notices, both amendments designed to ensure that non-UK providers are within the scope of these provisions.
- State that the notice or warrant may relate to conduct outside the UK.
- Provide three different schemes for serving warrants or notices within the UK on operators located outside the UK. These are graduated according to (presumably) the perceived intrusiveness of the warrant or notice. So, for instance only a communications data notice may be notified orally, and then not for local authority notices requiring magistrates' approval.
- Provide that when considering under RIPA the reasonable practicability of a person outside the UK taking steps in a country outside the UK to give effect to a warrant, regard is to be had to any relevant requirements or restrictions under the law of that country and the extent to which it is reasonably practicable to give effect to the warrant without breaching them.
DRIP makes no specific provision for giving data retention notices to operators located outside the UK.
The original RIPA definition of 'telecommunications service' was:
"any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)"
The newly inserted Section 2(8A) adds:
"For the purposes of the definition of “telecommunications service” … , the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.”
This has a potentially wide ambit. The Explanatory Notes say that the sub-section "makes clear that the definition of “telecommunications service” includes companies who provide internet-based services, such as webmail." 'Internet-based services' is again a broad concept.
The amended definition of telecommunications services applies to RIPA generally and also to mandatory data retention under DRIPA.
The changes to RIPA came into effect on Royal Assent last Thursday. The existing mandatory retention scheme continues until terminated by the forthcoming new regulations implementing the DRIPA scheme and by new notices to PTOs from the Secretary of State. Pre-existing notices will continue in force.
The whole of the Act (including the amendments to RIPA) is subject to automatic repeal on 31 December 2016, by which time a review of this area should have been carried out.