Last month the government pushed new laws on data retention through the Houses of Parliament in less than one week with the new Data Retention and Investigatory Powers Act 2014 (the "Act") coming into force immediately upon royal assent on 18 July 2014.
The Act was introduced following a decision of the Court of Justice of the European Union in April which invalidated the Data Retention Directive on the basis it was in breach of the right to privacy and protection of personal data provisions in the European Charter of Fundamental Rights. This Directive had been implemented into UK law by the 2009 Data Retention Regulations (the "2009 Regulations"). However, with the original Directive being invalidated the legal basis for the powers and obligations contained in the 2009 Regulations began to be questioned. Many communications data service providers required to retain data under the 2009 Regulations sought guidance as to their legal obligations following the Court's decision. The government claims the new legislation is a direct response to this request for guidance and a reaction to the Court's decision.
What does this mean for data service providers?
The Act makes little change to what is required of data communication service providers in the UK. Clauses 1 and 2 of the Act confer on the Secretary of State the powers previously provided for under the 2009 Regulations to require service providers to retain communications data. Under the Act the Secretary of State can issue notices to service providers to retain data if she considers it necessary and proportionate for one or more of the purposes under the Regulation of Investigatory Powers Act 2000 (the "RIPA"). Such purposes include the need for UK law enforcement and intelligence agencies to access the data to investigate criminal activity and protect the public. The 12 month retention period also remains although it is now an absolute period rather than a mandatory minimum; retention notices must specify the length of time the data needs to be retained for up to a maximum period of 12 months.
The Act also continues to apply the specific data retention requirements scheduled to the 2009 Regulations - this includes data on telephone numbers, name and address of registered users of the telephone number, date, time and duration of calls, and IMEI numbers of the phones called (IMEI numbers are the identifying numbers on all mobile phones and can be used to identify the owner of the device).
Although the government has claimed the Act is about maintaining existing capabilities and not to introduce new 'snooping' laws, the Act does cast a wider net than the 2009 Regulations. The Act has now made it clear that notices for data retention can be served on non-UK companies that provide telecommunication services to the UK, irrespective of where those companies are based. The Act also abandons the EU definitions and takes the telecommunications services definition contained in RIPA and widens it to include things like webmail/ remote storage services and some social media traffic data.
Impact on privacy
The government has tried to pre-empt fears of intrusion into privacy by including a number of safeguards in the Act. Most of these safeguards are based on constant review and reporting on the powers and capabilities of the Act; the Independent Reviewer of Counter-Terrorism Legislation will be reviewing the powers contained in the Act and the Interception of Communications Commissioner is required to report every 6 months on the operation of the legislation. A new Independent Privacy and Civil Liberties Board will also be created to consider the balance between the threat and concerns for civil liberties.
However it should be noted that the powers to intercept communications are not contained in the Act; these investigatory powers are contained in RIPA. RIPA sets out the framework for government bodies carrying out surveillance, specifying what communications data they can access, under what circumstances, and for what purposes phone calls can be listened to and emails read. The powers of interception can only be used where a warrant has been issued by the Secretary of State and warrants may only be issued at the request of senior police and intelligence officials such as the Director of GCHQ and the Commissioner of Police of the Metropolis.
The powers contained in RIPA have a far more substantial effect on privacy than those contained in the Act. However, without the Act there would be no communications data recorded that the government could intercept. It is for this reason, and the indiscriminate nature of communications data being stored on all individuals, that has led to challenges against the legislation; a high court challenge is to be mounted by two leading Westminster civil liberties campaigners, David Davis and Tom Watson, with the support of human rights organisation Liberty. It is likely that the challenge will focus on the Act's failure to answer the concerns of blanket retention of data being a breach of fundamental rights to privacy and as the EU Directive was invalidated for similar reasons it is likely the debate on the impact on privacy will continue for some time.
As parliament is on break for the summer it will be a number of months before we see the introduction of an Independent Privacy and Civil Liberties Board, and although a call for evidence has been published by the Independent Reviewer of Counter-Terrorism Legislation as of the time of writing no date has been given for completion of the report. It therefore remains to be seen whether the structure of the Civil Liberties Board and any comments by the Independent Reviewer will lead to better protection of personal data or a new barrage of criticism. However, as the Act currently stands the level of protection given to our personal data remains the same as it has been since 2009, and our data will likely continue to be stored at least until the sun sets on the Act on 31 December 2016.