Dear reader,
I will be blogging soon about Digital Britain so watch this space. In the meantime, Yasmin weighs up a regulatory development in the field of data retention in this post and in a related article on our website.
Laurie
The Data Retention (EC Directive) Regulations 2009
Landline and mobile phone providers have been required to retain certain communications data (e.g. time/length of call, name/address of caller) since 2007. New Regulations introduced a couple of months ago have extended this obligation to cover internet, email and VOIP as well, which could potentially see every post, tweet and poke being compulsorily retained for 12 months.
This move may be seen as a welcome and necessary weapon in the fight against terrorism and other serious crime which can be incited, orchestrated or even conducted online. However, others would counter that it is a threat to privacy as well as an extra compliance burden for service providers.
The new Regulations came into force on 6th April and require certain providers of telephone and internet services to retain communications data for a year. This ‘communications data’ relates to the who/when/where of a communication (but not the content) and ranges from log on/call times and durations to the names and addresses of people sending and receiving communications (callers, callees, emailers, emailees... YouTubers? Twitterers?)
Only public communications providers who are notified by the Secretary of State will be required to comply with the Regulations. It remains to be seen which companies will receive such notification, but ISPs (e.g. BT Internet) will certainly be notified, as will mobile phone providers (if they haven't already, e.g. O2) and VOIP operators (e.g. Skype). It will be interesting to see whether the Government will extend such notification to search engines (Google?) and website operators – particularly social networking sites (Facebook?), where mass communication (Twitter?) is key.
Pros
The Home Office has pointed out that communications data has long proved valuable for law enforcement purposes, in detecting crimes, investigating suspects and prosecuting offenders. Although many communications providers already retain this information in any event, they delete it as soon as their business purposes have been met (whether because of data protection legislation or the costs of storage). The Home Office argues that long running investigations, which may require communications data some time after a crime has been detected, tend to relate to the most serious crimes and as such there is a strong public interest in obliging relevant companies to preserve such evidence.
If every email, IM, tweet and post is logged along with the sender’s name, address and geographical location at the time, then law enforcers will find it easier to verify alibis, trace contacts and track movements. Criminals will be unable to rely on the perceived anonymity of the Web to disguise their activities. The Regulations send a clear message that people cannot hide behind online personalities to conduct criminal behaviour – ‘no avatar is an island’, if you like.
Cons
However, despite the stated benefits of the Regulations as a crime fighting tool, legitimate data protection concerns have been raised by privacy groups, who object to being monitored (or spied on) and criticise the measure as a step towards a ‘Big Brother’ state. As the Government has not had a good track record recently with safeguarding data, concerns over the generation and retention of increasing amounts of data are perhaps justified.
What I see as the biggest concern is the fact that the Regulations do not limit the disclosure and use of the data to investigation of the serious crimes on the basis of which the Regulations are justified. The Regulations blandly state that “Access to data retained in accordance with these Regulations may be obtained only (a) in specific cases, and (b) in circumstances in which disclosure of the data is permitted or required by law.” It is not difficult to envisage courts interpreting this provision widely and ordering disclosure in civil cases where this information would be useful – for example, defamation claims (to discover the details of a big-mouth blogger) and divorce cases (to check a cheating spouse’s phone calls). We have previously postedon how 'Norwich Pharmacal' orders have been made to disclose the contact details of certain libellous chat room participants. We may see increasing similar instances as more companies are required to hold more data for longer, meaning more data is available for disclosure under court order. This may not necessarily be a bad thing, but it does depart from the stated purpose of the Regulations and the reasoning behind their introduction.
We should not forget that the Regulations will impose an additional compliance burden on the notified public communications providers. The extent to which this is an issue depends on the amount of companies notified under the Regulations and the additional measures they will have to take to understand and implement their obligations under the Regulations. The Regulations have gone some way to addressing this by stating that the Secretary of State “may reimburse any expenses incurred by a public communications provider in complying with the provisions of these Regulations.” However, this subsidy ultimately comes from credit-crunched UK taxpayers, who may query the efficacy and efficiency of setting up the systems required to implement the Regulations.
If you are keen to find out more about these Regulations, please see my article and the Explanatory Memorandum.
Enjoy the weekend!
Yasmin Joomraty
Recent Comments