The Data Retention (EC Directive) Regulations 2009 came into force on 6 April 2009, transposing into UK law the internet data requirements of the Data Retention Directive (2006/24/EC). The Directive’s requirements for communications data for fixed network and mobile telephony were implemented in October 2007 by the Data Retention (EC Directive) Regulations 2007. Those Regulations are superseded and replaced by the new Regulations which cover all communications data relating to fixed and mobile telephony, internet access, internet email and internet telephony that are generated or processed in the United Kingdom by public communications providers in the process of supplying communications services. Under the 2009 Regulations, public communications providers are required to retain such data for a minimum of 12 months. To avoid duplication, where more than one service provider has access to data, only one need retain the data for the purposes of the Regulations.
The new Regulations replace the United Kingdom’s voluntary regime for retention of communications data under Part 11 of the Anti-Terrorism, Crime and Security Act 2001, which has been in place since the end of 2003 and was formalised in the Code of practice on voluntary retention of communications data. The requirement under the Code was for internet data to be retained for six months. The rationale behind the retention of communications data is to allow access to such data for law enforcement authorities to assist with investigations into criminal activities, particularly terrorism.
Communications data is essentially data about the traffic of communications generated or processed on the networks of communications providers or by the use of their services. Such data is used for a variety of business reasons, including billing, network management and prevention of fraud. It is defined in the Regulations as “traffic data and location data and the related data necessary to identify the subscriber or user”. Traffic data and location data have the same meaning as under the e-Privacy Regulations 2003/2426 (which also govern the use of unsolicited commercial email). Location data is any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user. Traffic data is defined as any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication, including data relating to the routing, duration or time of a communication. Communications data therefore includes numbers dialled, the date and time of the start and end of a communication and IP addresses, but not the content of any communication.
On the basis that most communications providers already retain communications data, or because their business practices mean that the required data is retained by another public communications provider in the United Kingdom, most public communications providers should not be affected unduly by full implementation of the Directive. As under the 2007 Regulations, the Home Secretary may reimburse any expenses incurred by a public communications provider in complying with the provisions of the new Regulations, subject to expenses having been notified and agreed in advance.
The 2009 Regulations, however, are not the end of the story. On 27 April the Home Office published its consultation, Protecting the Public in a Changing Communications Environment, in which it ruled out the controversial idea of a central communications database but unveiled plans to legislate further to ensure that all the data that public authorities might require (subject to safeguards under the Regulation of Investigatory Powers Act 2000), including third party data, is collected and kept in the United Kingdom. It outlined the implications as follows:
Communications service providers based in the UK would therefore continue to collect and retain communications data relating to their own services but also collect and store the additional third party data crossing their networks. This would therefore include communications data which does not come under the scope of the EU Data Retention Directive… This option would put additional demands on industry, especially around the collection and retention of third party communications data not required for the business purposes of communications service providers.
The Home Office, however, recognises that while this would resolve the problem that some communications data, which may be important to public authorities, will not otherwise be retained, “it would not address the problem of fragmentation: as data is increasingly held by a wider range of communications service providers”. It has a solution, which is to “require communications service providers not only to collect and store data but to organise it, matching third party data to their own data where it had features in common… This would require additional legislation.” The question of cost and reimbursement is likely to figure highly in the responses to the consultation.