Regulations recently introduced in the UK, under an EU initiative to enhance efforts to combat terrorism and international organised crime, require telecoms service providers to retain traffic and location data.
Under the Data Retention Directive (Directive) adopted by the European Council in February 2006, member states must adopt laws requiring telecoms service providers to retain, for between six and 24 months, traffic and location data generated in providing their services. This covers a range of email, internet and telephony data, including data necessary to identify the source, destination, date, time and duration of communications and the location of the mobile phones used. The content of the communications is expressly excluded from the requirements.
The related UK Regulations, which came into force on 1 October 2007, deal only with fixed and mobile telephony data because the UK has taken advantage of the permitted delay until 2009 to enforce the rules regarding internet and email data. UK telecoms companies must retain traffic and location data on fixed and mobile telephony for 12 months. This matches the retention period already observed by UK telecoms companies under the voluntary Code of Practice on the Retention of Communications Data (Code) under the Anti-Terrorism, Crime and Security Act 2001. Continuing the Code’s principle of compensation, the Regulations allow the Home Secretary to reimburse any expenses incurred by telecoms companies in complying with the Regulations (without imposing an obligation to do so) provided they are notified and agreed in advance.
The Regulations have been criticised for opening the way for service providers to be dragged into disputes between third parties. Under the Directive, member states must ensure data retained is provided ‘only to the competent national authorities’. It also requires member states to specify the procedures to be followed and conditions to be fulfilled for these national authorities to access the data. However, the UK made no provision for these requirements in its Regulations. The data retained by UK telecoms companies is therefore available to any third party that obtains a court order requiring its disclosure. This is not a new concept: the Code envisaged data access requests being received from ‘data subjects under the Data Protection Act 1998 and from civil litigants’. Nevertheless, as the retention of traffic and location data is no longer voluntary, some commentators are concerned about the practical implications of having to grant access to this data in a manner clearly not envisaged by the Directive.
There is also concern about whether the Regulations as presently drafted can, given the technical difficulties, simply be applied to the collection and retention of data for emails and internet traffic. The Home Office consulted on the Regulations this year and was told by the telecoms industry that the collection of internet data was too complex an issue to be covered by the existing Regulations. The extension of the Regulations to internet data in 2009 could therefore be a more protracted, and controversial, process.