1. Introduction
This article provides a brief explanation of the key provisions of the Data Retention Directive 2006/24/EC (the "Directive"1) and examines the proposed transposition of the Directive into UK law by way of the draft Data Retention (EC Directive) Regulations 2007. The draft Regulations are expected to replace the existing Voluntary Code of Practice for the Retention of Communications Data under Part 11 of the Anti-Terrorism, Crime and Security Act 2001.
2. Background
The Directive came into force on 3 May 2006. Member States have until 15 September this year to implement the Directive, save that Member States may postpone application of the Directive to "the retention of communication data relating to Internet Access, Internet telephony and Internet e-mail" for up to 18 months (ie until 15 March 2009). [Art 15.3]
The United Kingdom has elected to do just that, obviously recognising that the retention of communications data relating to the Internet is a more complex issue, involving larger volumes of data and a broader set of stakeholders than the retention of data arising from fixed-line and mobile telephony services.
On the 27 March 2007 the Home Office issued a Consultation Paper inviting views on the initial transposition of the Directive into UK law, by way of the draft Regulations, which at this stage only apply to providers of fixed-network and mobile telephony services2.
3. Obligation to retain data
The Directive applies to "providers of publicly available electronic communications services or of a public communications network". [Art 3.1]
The draft Regulations are expressed to apply to all "public communications providers", which phrase is defined to mean a provider of a "public electronic communications network" or a "public electronic communications service", as those terms are defined in section 151 of the Communications Act 2003. [Reg 2]
Importantly, the Regulations do not apply to a service provider whose data are already being retained in the United Kingdom in accordance with the Regulations by another service provider. [Regs 3(1) & 3(2)]
That is, there should be no duplication of storage (and associated costs) of retained data. This also suggest that it is expected that data will be retained by upstream suppliers of services, so that there should be no need for resellers to retain data, provided they have suitable arrangements regarding data retention in place with their wholesalers.
4. Retention period
The Directive provides that the relevant data may be "retained for periods of not less than six months and not more than two years from the date of the communication." [Art 6]
The draft Regulations provide for a retention period of 12 months in the UK. [Reg 4(2)]
The Home Office has indicated that, until the transposition of the Directive is complete with respect to data generated from Internet services, the existing arrangements under the Voluntary Code of Practice will continue.
Article 7(d) of the Directive provides that retained data "shall be destroyed at the end of the period of retention", but, somewhat curiously, includes a carve-out for "those [data] that have been accessed and preserved". [Art 7(d)] The Directive does not elaborate on exactly what is meant by this. For example, is the intention that it is the responsibility of the service provider to retain in perpetuity any data that has been "accessed"? It would seem to make more sense that it should be the relevant competent national authority that has requested access to the data who is responsible for the ongoing safe-keeping of such data. Fortunately the draft Regulations do not contain the additional language that appears in Article 7(d) of the Directive, which presumably means that in the UK, as far as service providers are concerned, all data shall be destroyed at the end of the 12 month retention period. [Reg 6(d)]
5. Data to be retained
Please refer to the table in Annex A to see the data that is required to be retained. The table provides a comparison of the language used in the draft Regulations with that in the Directive. As noted above, the draft Regulations do not yet apply to data generated from Internet services.
The categories of information to be retained are reasonably comprehensive and, as they say, the devil is in the detail, particularly with regard to the precise meanings of some of the words and phrases used.
What will be of interest to ISPs and the like is the Home Office’s interpretation of what might at first seem like relatively mundane terms, such as "e-mail" (for example, does this include instant messenger services?). However, as the draft Regulations don’t deal with Internet services at this point in time, we will have to wait until the next instalment of this process to see how the Home Office proposes to transpose such terms.
There may be other issues with transposing the language used in the Directive. For example, it is noted that Article 5.1(c)(2)(i) refers to "the IP address … allocated by the Internet access service provider to a communication", whereas, generally speaking, IP addresses are allocated to particular machines or end users, not individual communications or emails.
Importantly, it is clear that neither the Directive nor the draft Regulations apply to "the content of electronic communications, … [which includes] information consulted using an electronic communications network." [Art 1.2] That is, no data revealing the content of a communication may be retained. This means, importantly for ISPs, that no data on web pages visited will need to be retained.
6. Timely access to data
Both the Directive and the draft Regulations provide that the data must be able to be transmitted by the service provider to the competent authorities "without undue delay". [Art 8 & Reg 7]
Thus, not only will service providers be required to store large amounts of data, they will also need to ensure that they can promptly identify and retrieve the data following a request from a competent national authority.
There is no indication of what might be an acceptable period of delay (hours, days, weeks or months) or if such period is flexible in response to, for example, when a request is received or the number of request received. Consider, for example, a request made a 9am on Good Friday or whether there is a requirement for service providers’ data storage and retrieval systems to be infinitely scaleable.
7. Reason for retaining data & access to data by third parties
The objective behind or reason for retaining the relevant data is "… in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as [that term] defined by each Member State in its national law". [Art 1.1]
The Directive provides that Member States shall adopt measures to ensure that the data are "provided only to the competent national authorities in specific cases and in accordance with national law". [Art 4]
However, the Directive is not prescriptive with regard to the gaining of access to, and use of, the retained data by public authorities and/or law enforcement authorities of the Member States. This is left for Member States to deal with under their national laws.
The draft Regulations do not deal with this issue either, because access to the data is dealt with under other relevant legislation, including the Regulation of Investigatory Powers Act 2000 and the Anti-Terrorism, Crime and Security Act 2001.
Obviously, however, the issue of who has access to the retained data is very relevant as there is likely to be a direct correlation between the number of competent national authorities that may request access to the data and the cost to service providers of providing data in response to such requests, particularly given the requirement that the data retained can be transmitted without undue delay in response to requests.
There is also the outstanding issue of who else may obtain access to the retained data and under what circumstances. For example, is a court able to grant access in connection with a civil matter, as this is not currently expressly prohibited by the draft Regulations.
8. Data security
The Directive sets out a minimum set of standards that must be adhered to with respect to the security of the retained data, namely as follows:
"(a) the retained data shall be of the same quality and subject to the same security and protection as those data on the network;
(b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;
(c) the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only; and
(d) the data, except those that have been accessed and preserved, shall be destroyed at the end of the period of retention." [Art 7]
The minimum standards set out in Article 7 are repeated in Regulation 6 of the draft Regulations, essentially word-for-word, save for the language in Article 7(d) regarding "those [data] that have been accessed and preserved".
The data-security provisions in Article 7 / Regulation 6 fall short of the recommendations made by the Article 29 Data Protection Working Party. The Working Party recommends, for example, that systems for storage of data for public-order purposes should logically be separated from systems used for business purposes. The Working Party has consistently resisted the introduction of the Directive on grounds of privacy and the protection of individuals’ fundamental rights. Given that the Working Party’s recommendations are not binding, it is unlikely that its suggestions will find much favour with those Member States that have supported wide-ranging data retention provisions from the outset, such as the United Kingdom.
9. Reimbursement of additional costs
The Directive does not require Member States to reimburse service providers for the cost of compliance. Instead, Member States are free to decide whether or not they will compensate service providers.
Following on from the Voluntary Code of Practice, which provides as follows:
- Where the period of retention of data for national security purposes is not substantially larger than the period of retention for business purposes, the retention cost will continue to be borne by the communication service provider."; and
- Where data retention periods are significantly longer for national security purposes than for business purposes, the Secretary of State will contribute a reasonable proportion of the marginal cost as appropriate. Marginal costs may include, for example, the design and production of additional storage and searching facilities. This may be in the form of capital investment into retention and retrieval equipment or may include running costs." [Paras 23 & 24]
the draft Regulations provide that:
"(1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with these Regulations."
"(2) Such reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance."
[Regs 10(1) & 10(2)]
Obviously, as the Voluntary Code of Practice on Data Retention was exactly that, ie voluntary, reimbursement of a service provider’s increased costs was a key way for the Government to ensure compliance with the Code. It remains to be seen, however, how generous the Government will be in the future, given that compliance with the draft Regulations will be mandatory, whereas the Government’s obligation to reimburse is now voluntary.
The Government has indicated that it does not intend to enforce the Regulations against service providers who it has not agreed to reimburse.
10. Conclusion
One of the key drivers behind the Directive, as stated in the first Article of the Directive, was supposedly "to harmonise Member States’ provisions concerning the obligations of … providers … with respect to the retention of certain data which are generated or processed by them". [Art 1.1]
Arguably, however, the Directive fails to achieve this objective. Consider, for example, the economic effect on different service providers located in different Member States of:
(a) variations in the length of the retention period (6 months to 2 years);
(b) variations relating to the reimbursement, or otherwise, of service providers for additional costs incurred;
(c) variations in each Member State’s interpretation of the somewhat vague terms used in relation to data generated in connection with Internet services; and
(d) inconsistent adoption of the Article 29 Data Protection Work Party’s non-binding recommendations on the implementation of the Directive.
Unfortunately, however, there is not much that can be expected from the Home Office in this regard, because the scope for variation exists at the EU level, arising from the Directive itself.
We are, however, in a position at the moment to at least assist the Home Office with the refinement of the draft Regulations, so as to ensure that transposition of the Directive into UK law is as smooth as possible, which is, of course, the purpose and hopefully, the outcome of the current consultation process.
Responses to the Consultation Paper and the draft Regulations may be submitted to the Home Office up until 11 June 2007.
Annex A
Data to be retained - comparative table
|
data necessary to … |
Service(s) |
Directive [Art 5.1] |
Service(s) |
draft Regulations [Regs 5(1) & 5(2)] |
|
(a) … trace and identify the source of a communication: |
fixed network telephony mobile telephony |
(i) the calling telephone number; (ii) the name and address of the subscriber or registered user; |
fixed network telephony mobile telephony |
(a) the telephone number from which the telephone call was made and the name and address of the subscriber of that telephone; |
|
|
Internet access Internet e-mail Internet telephony |
(i) the user ID(s) allocated; (ii) the user ID and telephone number allocated to any communication entering the public telephone network; (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication; |
TBA |
TBA |
|
(b) … identify the destination of a communication: |
fixed network telephony mobile telephony |
(i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed; (ii) the name(s) and address(es) of the subscriber(s) or registered user(s); |
fixed network telephony mobile telephony |
(b) the telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred and the name and address of the subscriber of any such telephone; |
|
Internet e-mail Internet telephony [not Internet access] |
(i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call; (ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication; |
TBA |
TBA |
|
(c) … identify the date, time and duration of a communication; |
fixed network telephony mobile telephony |
the date and time of the start and end of the communication; |
fixed network telephony mobile telephony |
(c) the data and time of the start and end of the call; and |
|
|
Internet access Internet e-mail Internet telephony |
(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user; |
TBA |
TBA |
|
(d) … identify the type of communication; |
fixed network telephony mobile telephony |
the telephone service used; |
fixed network telephony mobile telephony |
(d) the telephone service used. |
|
|
Internet e-mail Internet telephony [not Internet access] |
the Internet service used; |
TBA |
TBA |
|
(e) … identify users’ communications equipment or what purports to be their equipment: |
fixed network telephony [not mobile telephony] |
the calling and called telephone numbers; |
|
|
&nsbp; |
mobile telephony [not fixed network telephony] |
(i) the calling and called telephone numbers; (ii) the International Mobile Subscriber Identity (IMSI) of the calling party; (iii) the International Mobile Equipment Identity (IMEI) of the calling party; (iv) the IMSI of the called party; (v) the IMEI of the called party; (vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated; |
mobile telephony [not fixed network telephony] |
(a) the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made;
(b) the IMSI and the IMEI of the telephone dialled; (c) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated; |
|
|
Internet access Internet e-mail Internet telephony |
(i) the calling telephone number for dial-up access; (ii) the digital subscriber line (DSL) or other end point of the originator of the communication; |
TBA |
TBA |
|
(f) … identify the location of mobile communications equipment: |
mobile telephony [not fixed network telephony] |
(1) the location label (Cell ID) at the start of the communication; (2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained. |
mobile telephony [not fixed network telephony] |
(d) the cell ID at the start of the communication; and (e) data identifying the geographic location of cells by reference to their cell ID. |
CODE
Blue= Fixed and Mobile
Violet = Fixed only
Green = Mobile only
Red = Internet
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
