UK: Data Retention Directive

Last Updated: 10 May 2007
Article by Jeff Goodall
This article first appeared in the April edition of Data Protection Law & Policy, published by Cecile Park Publishing Ltd.

1. Introduction

This article provides a brief explanation of the key provisions of the Data Retention Directive 2006/24/EC (the "Directive"1) and examines the proposed transposition of the Directive into UK law by way of the draft Data Retention (EC Directive) Regulations 2007. The draft Regulations are expected to replace the existing Voluntary Code of Practice for the Retention of Communications Data under Part 11 of the Anti-Terrorism, Crime and Security Act 2001.

2. Background

The Directive came into force on 3 May 2006. Member States have until 15 September this year to implement the Directive, save that Member States may postpone application of the Directive to "the retention of communication data relating to Internet Access, Internet telephony and Internet e-mail" for up to 18 months (ie until 15 March 2009). [Art 15.3]

The United Kingdom has elected to do just that, obviously recognising that the retention of communications data relating to the Internet is a more complex issue, involving larger volumes of data and a broader set of stakeholders than the retention of data arising from fixed-line and mobile telephony services.

On the 27 March 2007 the Home Office issued a Consultation Paper inviting views on the initial transposition of the Directive into UK law, by way of the draft Regulations, which at this stage only apply to providers of fixed-network and mobile telephony services2.

3. Obligation to retain data

The Directive applies to "providers of publicly available electronic communications services or of a public communications network". [Art 3.1]

The draft Regulations are expressed to apply to all "public communications providers", which phrase is defined to mean a provider of a "public electronic communications network" or a "public electronic communications service", as those terms are defined in section 151 of the Communications Act 2003. [Reg 2]

Importantly, the Regulations do not apply to a service provider whose data are already being retained in the United Kingdom in accordance with the Regulations by another service provider. [Regs 3(1) & 3(2)]

That is, there should be no duplication of storage (and associated costs) of retained data. This also suggest that it is expected that data will be retained by upstream suppliers of services, so that there should be no need for resellers to retain data, provided they have suitable arrangements regarding data retention in place with their wholesalers.

4. Retention period

The Directive provides that the relevant data may be "retained for periods of not less than six months and not more than two years from the date of the communication." [Art 6]

The draft Regulations provide for a retention period of 12 months in the UK. [Reg 4(2)]

The Home Office has indicated that, until the transposition of the Directive is complete with respect to data generated from Internet services, the existing arrangements under the Voluntary Code of Practice will continue.

Article 7(d) of the Directive provides that retained data "shall be destroyed at the end of the period of retention", but, somewhat curiously, includes a carve-out for "those [data] that have been accessed and preserved". [Art 7(d)] The Directive does not elaborate on exactly what is meant by this. For example, is the intention that it is the responsibility of the service provider to retain in perpetuity any data that has been "accessed"? It would seem to make more sense that it should be the relevant competent national authority that has requested access to the data who is responsible for the ongoing safe-keeping of such data. Fortunately the draft Regulations do not contain the additional language that appears in Article 7(d) of the Directive, which presumably means that in the UK, as far as service providers are concerned, all data shall be destroyed at the end of the 12 month retention period. [Reg 6(d)]

5. Data to be retained

Please refer to the table in Annex A to see the data that is required to be retained. The table provides a comparison of the language used in the draft Regulations with that in the Directive. As noted above, the draft Regulations do not yet apply to data generated from Internet services.

The categories of information to be retained are reasonably comprehensive and, as they say, the devil is in the detail, particularly with regard to the precise meanings of some of the words and phrases used.

What will be of interest to ISPs and the like is the Home Office’s interpretation of what might at first seem like relatively mundane terms, such as "e-mail" (for example, does this include instant messenger services?). However, as the draft Regulations don’t deal with Internet services at this point in time, we will have to wait until the next instalment of this process to see how the Home Office proposes to transpose such terms.

There may be other issues with transposing the language used in the Directive. For example, it is noted that Article 5.1(c)(2)(i) refers to "the IP address … allocated by the Internet access service provider to a communication", whereas, generally speaking, IP addresses are allocated to particular machines or end users, not individual communications or emails.

Importantly, it is clear that neither the Directive nor the draft Regulations apply to "the content of electronic communications, … [which includes] information consulted using an electronic communications network." [Art 1.2] That is, no data revealing the content of a communication may be retained. This means, importantly for ISPs, that no data on web pages visited will need to be retained.

6. Timely access to data

Both the Directive and the draft Regulations provide that the data must be able to be transmitted by the service provider to the competent authorities "without undue delay". [Art 8 & Reg 7]

Thus, not only will service providers be required to store large amounts of data, they will also need to ensure that they can promptly identify and retrieve the data following a request from a competent national authority.

There is no indication of what might be an acceptable period of delay (hours, days, weeks or months) or if such period is flexible in response to, for example, when a request is received or the number of request received. Consider, for example, a request made a 9am on Good Friday or whether there is a requirement for service providers’ data storage and retrieval systems to be infinitely scaleable.

7. Reason for retaining data & access to data by third parties

The objective behind or reason for retaining the relevant data is "… in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as [that term] defined by each Member State in its national law". [Art 1.1]

The Directive provides that Member States shall adopt measures to ensure that the data are "provided only to the competent national authorities in specific cases and in accordance with national law". [Art 4]

However, the Directive is not prescriptive with regard to the gaining of access to, and use of, the retained data by public authorities and/or law enforcement authorities of the Member States. This is left for Member States to deal with under their national laws.

The draft Regulations do not deal with this issue either, because access to the data is dealt with under other relevant legislation, including the Regulation of Investigatory Powers Act 2000 and the Anti-Terrorism, Crime and Security Act 2001.

Obviously, however, the issue of who has access to the retained data is very relevant as there is likely to be a direct correlation between the number of competent national authorities that may request access to the data and the cost to service providers of providing data in response to such requests, particularly given the requirement that the data retained can be transmitted without undue delay in response to requests.

There is also the outstanding issue of who else may obtain access to the retained data and under what circumstances. For example, is a court able to grant access in connection with a civil matter, as this is not currently expressly prohibited by the draft Regulations.

8. Data security

The Directive sets out a minimum set of standards that must be adhered to with respect to the security of the retained data, namely as follows:

"(a) the retained data shall be of the same quality and subject to the same security and protection as those data on the network;

(b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

(c) the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only; and

(d) the data, except those that have been accessed and preserved, shall be destroyed at the end of the period of retention." [Art 7]

The minimum standards set out in Article 7 are repeated in Regulation 6 of the draft Regulations, essentially word-for-word, save for the language in Article 7(d) regarding "those [data] that have been accessed and preserved".

The data-security provisions in Article 7 / Regulation 6 fall short of the recommendations made by the Article 29 Data Protection Working Party. The Working Party recommends, for example, that systems for storage of data for public-order purposes should logically be separated from systems used for business purposes. The Working Party has consistently resisted the introduction of the Directive on grounds of privacy and the protection of individuals’ fundamental rights. Given that the Working Party’s recommendations are not binding, it is unlikely that its suggestions will find much favour with those Member States that have supported wide-ranging data retention provisions from the outset, such as the United Kingdom.

9. Reimbursement of additional costs

The Directive does not require Member States to reimburse service providers for the cost of compliance. Instead, Member States are free to decide whether or not they will compensate service providers.

Following on from the Voluntary Code of Practice, which provides as follows:

  1. Where the period of retention of data for national security purposes is not substantially larger than the period of retention for business purposes, the retention cost will continue to be borne by the communication service provider."; and
  2. Where data retention periods are significantly longer for national security purposes than for business purposes, the Secretary of State will contribute a reasonable proportion of the marginal cost as appropriate. Marginal costs may include, for example, the design and production of additional storage and searching facilities. This may be in the form of capital investment into retention and retrieval equipment or may include running costs." [Paras 23 & 24]

the draft Regulations provide that:

"(1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with these Regulations."

"(2) Such reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance."
[Regs 10(1) & 10(2)]

Obviously, as the Voluntary Code of Practice on Data Retention was exactly that, ie voluntary, reimbursement of a service provider’s increased costs was a key way for the Government to ensure compliance with the Code. It remains to be seen, however, how generous the Government will be in the future, given that compliance with the draft Regulations will be mandatory, whereas the Government’s obligation to reimburse is now voluntary.

The Government has indicated that it does not intend to enforce the Regulations against service providers who it has not agreed to reimburse.

10. Conclusion

One of the key drivers behind the Directive, as stated in the first Article of the Directive, was supposedly "to harmonise Member States’ provisions concerning the obligations of … providers … with respect to the retention of certain data which are generated or processed by them". [Art 1.1]

Arguably, however, the Directive fails to achieve this objective. Consider, for example, the economic effect on different service providers located in different Member States of:

(a) variations in the length of the retention period (6 months to 2 years);

(b) variations relating to the reimbursement, or otherwise, of service providers for additional costs incurred;

(c) variations in each Member State’s interpretation of the somewhat vague terms used in relation to data generated in connection with Internet services; and

(d) inconsistent adoption of the Article 29 Data Protection Work Party’s non-binding recommendations on the implementation of the Directive.

Unfortunately, however, there is not much that can be expected from the Home Office in this regard, because the scope for variation exists at the EU level, arising from the Directive itself.

We are, however, in a position at the moment to at least assist the Home Office with the refinement of the draft Regulations, so as to ensure that transposition of the Directive into UK law is as smooth as possible, which is, of course, the purpose and hopefully, the outcome of the current consultation process.

Responses to the Consultation Paper and the draft Regulations may be submitted to the Home Office up until 11 June 2007.

Annex A
Data to be retained - comparative table

data necessary to …

Service(s)

Directive [Art 5.1]

Service(s)

draft Regulations [Regs 5(1) & 5(2)]

(a) … trace and identify the source of a communication:

fixed network telephony

mobile telephony

(i) the calling telephone number;



(ii) the name and address of the subscriber or registered user;

fixed network telephony

mobile telephony

(a) the telephone number from which the telephone call was made and

the name and address of the subscriber of that telephone;

 

Internet access

Internet e-mail




Internet telephony

(i) the user ID(s) allocated;

(ii) the user ID and telephone number allocated to any communication entering the public telephone network;

(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;

TBA

TBA

(b) … identify the destination of a communication:

fixed network telephony

mobile telephony

(i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;

(ii) the name(s) and address(es) of the subscriber(s) or registered user(s);

fixed network telephony

mobile telephony

(b) the telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred and

the name and address of the subscriber of any such telephone;

 

Internet e-mail

Internet telephony

[not Internet access]

(i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;

(ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;

TBA

TBA

(c) … identify the date, time and duration of a communication;

fixed network telephony

mobile telephony

the date and time of the start and end of the communication;

fixed network telephony

mobile telephony

(c) the data and time of the start and end of the call; and

 

Internet access

Internet e-mail

Internet telephony

(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;

TBA

TBA

(d) … identify the type of communication;

fixed network telephony

mobile telephony

the telephone service used;

fixed network telephony

mobile telephony

(d) the telephone service used.

 

Internet e-mail

Internet telephony

[not Internet access]

the Internet service used;

TBA

TBA

(e) … identify users’ communications equipment or what purports to be their equipment:

fixed network telephony

[not mobile telephony]

the calling and called telephone numbers;

   

 

&nsbp;

mobile telephony

[not fixed network telephony]

(i) the calling and called telephone numbers;

(ii) the International Mobile Subscriber Identity (IMSI) of the calling party;

(iii) the International Mobile Equipment Identity (IMEI) of the calling party;

(iv) the IMSI of the called party;

(v) the IMEI of the called party;

(vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;

mobile telephony

[not fixed network telephony]

(a) the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made;








(b) the IMSI and the IMEI of the telephone dialled;

(c) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated;

 

Internet access

Internet e-mail

Internet telephony

(i) the calling telephone number for dial-up access;

(ii) the digital subscriber line (DSL) or other end point of the originator of the communication;

TBA

TBA

(f) … identify the location of mobile communications equipment:

mobile telephony

[not fixed network telephony]

(1) the location label (Cell ID) at the start of the communication;

(2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.

mobile telephony

[not fixed network telephony]

(d) the cell ID at the start of the communication; and

(e) data identifying the geographic location of cells by reference to their cell ID.

CODE

Blue= Fixed and Mobile

Violet = Fixed only

Green = Mobile only

Red = Internet

www.kemplittle.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions