UK: Data Retention Directive

Last Updated: 10 May 2007
Article by Jeff Goodall
This article first appeared in the April edition of Data Protection Law & Policy, published by Cecile Park Publishing Ltd.

1. Introduction

This article provides a brief explanation of the key provisions of the Data Retention Directive 2006/24/EC (the "Directive"1) and examines the proposed transposition of the Directive into UK law by way of the draft Data Retention (EC Directive) Regulations 2007. The draft Regulations are expected to replace the existing Voluntary Code of Practice for the Retention of Communications Data under Part 11 of the Anti-Terrorism, Crime and Security Act 2001.

2. Background

The Directive came into force on 3 May 2006. Member States have until 15 September this year to implement the Directive, save that Member States may postpone application of the Directive to "the retention of communication data relating to Internet Access, Internet telephony and Internet e-mail" for up to 18 months (ie until 15 March 2009). [Art 15.3]

The United Kingdom has elected to do just that, obviously recognising that the retention of communications data relating to the Internet is a more complex issue, involving larger volumes of data and a broader set of stakeholders than the retention of data arising from fixed-line and mobile telephony services.

On the 27 March 2007 the Home Office issued a Consultation Paper inviting views on the initial transposition of the Directive into UK law, by way of the draft Regulations, which at this stage only apply to providers of fixed-network and mobile telephony services2.

3. Obligation to retain data

The Directive applies to "providers of publicly available electronic communications services or of a public communications network". [Art 3.1]

The draft Regulations are expressed to apply to all "public communications providers", which phrase is defined to mean a provider of a "public electronic communications network" or a "public electronic communications service", as those terms are defined in section 151 of the Communications Act 2003. [Reg 2]

Importantly, the Regulations do not apply to a service provider whose data are already being retained in the United Kingdom in accordance with the Regulations by another service provider. [Regs 3(1) & 3(2)]

That is, there should be no duplication of storage (and associated costs) of retained data. This also suggest that it is expected that data will be retained by upstream suppliers of services, so that there should be no need for resellers to retain data, provided they have suitable arrangements regarding data retention in place with their wholesalers.

4. Retention period

The Directive provides that the relevant data may be "retained for periods of not less than six months and not more than two years from the date of the communication." [Art 6]

The draft Regulations provide for a retention period of 12 months in the UK. [Reg 4(2)]

The Home Office has indicated that, until the transposition of the Directive is complete with respect to data generated from Internet services, the existing arrangements under the Voluntary Code of Practice will continue.

Article 7(d) of the Directive provides that retained data "shall be destroyed at the end of the period of retention", but, somewhat curiously, includes a carve-out for "those [data] that have been accessed and preserved". [Art 7(d)] The Directive does not elaborate on exactly what is meant by this. For example, is the intention that it is the responsibility of the service provider to retain in perpetuity any data that has been "accessed"? It would seem to make more sense that it should be the relevant competent national authority that has requested access to the data who is responsible for the ongoing safe-keeping of such data. Fortunately the draft Regulations do not contain the additional language that appears in Article 7(d) of the Directive, which presumably means that in the UK, as far as service providers are concerned, all data shall be destroyed at the end of the 12 month retention period. [Reg 6(d)]

5. Data to be retained

Please refer to the table in Annex A to see the data that is required to be retained. The table provides a comparison of the language used in the draft Regulations with that in the Directive. As noted above, the draft Regulations do not yet apply to data generated from Internet services.

The categories of information to be retained are reasonably comprehensive and, as they say, the devil is in the detail, particularly with regard to the precise meanings of some of the words and phrases used.

What will be of interest to ISPs and the like is the Home Office’s interpretation of what might at first seem like relatively mundane terms, such as "e-mail" (for example, does this include instant messenger services?). However, as the draft Regulations don’t deal with Internet services at this point in time, we will have to wait until the next instalment of this process to see how the Home Office proposes to transpose such terms.

There may be other issues with transposing the language used in the Directive. For example, it is noted that Article 5.1(c)(2)(i) refers to "the IP address … allocated by the Internet access service provider to a communication", whereas, generally speaking, IP addresses are allocated to particular machines or end users, not individual communications or emails.

Importantly, it is clear that neither the Directive nor the draft Regulations apply to "the content of electronic communications, … [which includes] information consulted using an electronic communications network." [Art 1.2] That is, no data revealing the content of a communication may be retained. This means, importantly for ISPs, that no data on web pages visited will need to be retained.

6. Timely access to data

Both the Directive and the draft Regulations provide that the data must be able to be transmitted by the service provider to the competent authorities "without undue delay". [Art 8 & Reg 7]

Thus, not only will service providers be required to store large amounts of data, they will also need to ensure that they can promptly identify and retrieve the data following a request from a competent national authority.

There is no indication of what might be an acceptable period of delay (hours, days, weeks or months) or if such period is flexible in response to, for example, when a request is received or the number of request received. Consider, for example, a request made a 9am on Good Friday or whether there is a requirement for service providers’ data storage and retrieval systems to be infinitely scaleable.

7. Reason for retaining data & access to data by third parties

The objective behind or reason for retaining the relevant data is "… in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as [that term] defined by each Member State in its national law". [Art 1.1]

The Directive provides that Member States shall adopt measures to ensure that the data are "provided only to the competent national authorities in specific cases and in accordance with national law". [Art 4]

However, the Directive is not prescriptive with regard to the gaining of access to, and use of, the retained data by public authorities and/or law enforcement authorities of the Member States. This is left for Member States to deal with under their national laws.

The draft Regulations do not deal with this issue either, because access to the data is dealt with under other relevant legislation, including the Regulation of Investigatory Powers Act 2000 and the Anti-Terrorism, Crime and Security Act 2001.

Obviously, however, the issue of who has access to the retained data is very relevant as there is likely to be a direct correlation between the number of competent national authorities that may request access to the data and the cost to service providers of providing data in response to such requests, particularly given the requirement that the data retained can be transmitted without undue delay in response to requests.

There is also the outstanding issue of who else may obtain access to the retained data and under what circumstances. For example, is a court able to grant access in connection with a civil matter, as this is not currently expressly prohibited by the draft Regulations.

8. Data security

The Directive sets out a minimum set of standards that must be adhered to with respect to the security of the retained data, namely as follows:

"(a) the retained data shall be of the same quality and subject to the same security and protection as those data on the network;

(b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

(c) the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only; and

(d) the data, except those that have been accessed and preserved, shall be destroyed at the end of the period of retention." [Art 7]

The minimum standards set out in Article 7 are repeated in Regulation 6 of the draft Regulations, essentially word-for-word, save for the language in Article 7(d) regarding "those [data] that have been accessed and preserved".

The data-security provisions in Article 7 / Regulation 6 fall short of the recommendations made by the Article 29 Data Protection Working Party. The Working Party recommends, for example, that systems for storage of data for public-order purposes should logically be separated from systems used for business purposes. The Working Party has consistently resisted the introduction of the Directive on grounds of privacy and the protection of individuals’ fundamental rights. Given that the Working Party’s recommendations are not binding, it is unlikely that its suggestions will find much favour with those Member States that have supported wide-ranging data retention provisions from the outset, such as the United Kingdom.

9. Reimbursement of additional costs

The Directive does not require Member States to reimburse service providers for the cost of compliance. Instead, Member States are free to decide whether or not they will compensate service providers.

Following on from the Voluntary Code of Practice, which provides as follows:

  1. Where the period of retention of data for national security purposes is not substantially larger than the period of retention for business purposes, the retention cost will continue to be borne by the communication service provider."; and
  2. Where data retention periods are significantly longer for national security purposes than for business purposes, the Secretary of State will contribute a reasonable proportion of the marginal cost as appropriate. Marginal costs may include, for example, the design and production of additional storage and searching facilities. This may be in the form of capital investment into retention and retrieval equipment or may include running costs." [Paras 23 & 24]

the draft Regulations provide that:

"(1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with these Regulations."

"(2) Such reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance."
[Regs 10(1) & 10(2)]

Obviously, as the Voluntary Code of Practice on Data Retention was exactly that, ie voluntary, reimbursement of a service provider’s increased costs was a key way for the Government to ensure compliance with the Code. It remains to be seen, however, how generous the Government will be in the future, given that compliance with the draft Regulations will be mandatory, whereas the Government’s obligation to reimburse is now voluntary.

The Government has indicated that it does not intend to enforce the Regulations against service providers who it has not agreed to reimburse.

10. Conclusion

One of the key drivers behind the Directive, as stated in the first Article of the Directive, was supposedly "to harmonise Member States’ provisions concerning the obligations of … providers … with respect to the retention of certain data which are generated or processed by them". [Art 1.1]

Arguably, however, the Directive fails to achieve this objective. Consider, for example, the economic effect on different service providers located in different Member States of:

(a) variations in the length of the retention period (6 months to 2 years);

(b) variations relating to the reimbursement, or otherwise, of service providers for additional costs incurred;

(c) variations in each Member State’s interpretation of the somewhat vague terms used in relation to data generated in connection with Internet services; and

(d) inconsistent adoption of the Article 29 Data Protection Work Party’s non-binding recommendations on the implementation of the Directive.

Unfortunately, however, there is not much that can be expected from the Home Office in this regard, because the scope for variation exists at the EU level, arising from the Directive itself.

We are, however, in a position at the moment to at least assist the Home Office with the refinement of the draft Regulations, so as to ensure that transposition of the Directive into UK law is as smooth as possible, which is, of course, the purpose and hopefully, the outcome of the current consultation process.

Responses to the Consultation Paper and the draft Regulations may be submitted to the Home Office up until 11 June 2007.

Annex A
Data to be retained - comparative table

data necessary to …

Service(s)

Directive [Art 5.1]

Service(s)

draft Regulations [Regs 5(1) & 5(2)]

(a) … trace and identify the source of a communication:

fixed network telephony

mobile telephony

(i) the calling telephone number;



(ii) the name and address of the subscriber or registered user;

fixed network telephony

mobile telephony

(a) the telephone number from which the telephone call was made and

the name and address of the subscriber of that telephone;

 

Internet access

Internet e-mail




Internet telephony

(i) the user ID(s) allocated;

(ii) the user ID and telephone number allocated to any communication entering the public telephone network;

(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;

TBA

TBA

(b) … identify the destination of a communication:

fixed network telephony

mobile telephony

(i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;

(ii) the name(s) and address(es) of the subscriber(s) or registered user(s);

fixed network telephony

mobile telephony

(b) the telephone number dialled and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred and

the name and address of the subscriber of any such telephone;

 

Internet e-mail

Internet telephony

[not Internet access]

(i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;

(ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;

TBA

TBA

(c) … identify the date, time and duration of a communication;

fixed network telephony

mobile telephony

the date and time of the start and end of the communication;

fixed network telephony

mobile telephony

(c) the data and time of the start and end of the call; and

 

Internet access

Internet e-mail

Internet telephony

(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;

TBA

TBA

(d) … identify the type of communication;

fixed network telephony

mobile telephony

the telephone service used;

fixed network telephony

mobile telephony

(d) the telephone service used.

 

Internet e-mail

Internet telephony

[not Internet access]

the Internet service used;

TBA

TBA

(e) … identify users’ communications equipment or what purports to be their equipment:

fixed network telephony

[not mobile telephony]

the calling and called telephone numbers;

   

 

&nsbp;

mobile telephony

[not fixed network telephony]

(i) the calling and called telephone numbers;

(ii) the International Mobile Subscriber Identity (IMSI) of the calling party;

(iii) the International Mobile Equipment Identity (IMEI) of the calling party;

(iv) the IMSI of the called party;

(v) the IMEI of the called party;

(vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;

mobile telephony

[not fixed network telephony]

(a) the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made;








(b) the IMSI and the IMEI of the telephone dialled;

(c) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated;

 

Internet access

Internet e-mail

Internet telephony

(i) the calling telephone number for dial-up access;

(ii) the digital subscriber line (DSL) or other end point of the originator of the communication;

TBA

TBA

(f) … identify the location of mobile communications equipment:

mobile telephony

[not fixed network telephony]

(1) the location label (Cell ID) at the start of the communication;

(2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.

mobile telephony

[not fixed network telephony]

(d) the cell ID at the start of the communication; and

(e) data identifying the geographic location of cells by reference to their cell ID.

CODE

Blue= Fixed and Mobile

Violet = Fixed only

Green = Mobile only

Red = Internet

www.kemplittle.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Emails

From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

*** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.