Even Bigger Brother

June 3, 2008

Various reports have recently appeared in the media concerning government proposals for another massive government database. This time the target is not citizens’ biometric information, health data or driving records.  This time the target is details of every phone call made to or by, and every e-mail sent or received by, every citizen. Also within the capture range are details of all time spent on the internet by every citizen. (This does not refer, it must be stressed, to the content of any of these communications.) Although no details of these new proposals have yet been published, leaks indicate that the government appears to want to hold all this information for ‘at least 12 months’ to ‘aid the continuing fight against crime and terrorism’. The Information Commissioner, Richard Thomas, has previously warned that we are ‘sleepwalking into a surveillance society’ and his office has reiterated these concerns in light of these most recent proposals.


 


This article examines the government’s track record so far in operating such databases and the existing legal regime for retention of such data and access to that data. There is then an examination of how far further forward these new proposals would take the law and an evaluation of whether this is a necessary further nail in the coffin of the rights of the individual for the greater good.


 


A. TRACK RECORDS


 


At the end of 2007, HMRC lost the tax records relating to the families of every person claiming child benefit in the country – details of some 25 million people. The details in question included people’s names, addresses, dates of birth and bank account details. The incident occurred when the data was sent on computer disc and posted, unrecorded, to go to the National Audit Office (NAO) in London via the internal post system. The Government originally claimed that a ‘junior’ official made an error and had not followed procedures, but email evidence shows the problems were far worse. Senior officials knew that this was occurring. More data about each person was being held on HMRC’s system and despatched to the NAO than was needed for the NAO’s purpose. Junior employees should not have been able to access so many people’s data unsupervised, let alone download and copy that data to portable memory devices. This is the most well-known of the government’s failures to properly protect personal and confidential data but there are many other examples.


 
In 2008 it was revealed that unqualified NHS staff in Bolton had been given access to patient records. Bolton Primary Care Trust was the first site to trial the £12.4 billion National Programme for IT. Patients had received leaflets advising them of the benefits of the new national database which will contain all of their medical records in one accessible location. In one such leaflet, specific assurance had been given that receptionists would not see full patient records. After it was revealed that receptionists had been printing the patient records to add to casualty record cards, Bolton PCT changed the procedure to enable healthcare assistants to view the database instead. This was viewed as little comfort to patients as healthcare assistants are not clinical staff and usually have no professional qualifications. Patients have now been given the option to opt out of the trial.


 


Last year, the DVLA ran into problems. The names and addresses of 3 million learner drivers were lost by the DVLA’s subcontractor in Iowa. Despite the data loss having taken place in May 2007, it took seven months for this to be brought to light. More data was lost in another, unconnected data loss involving drivers. This time, the DVLA in Northern Ireland admitted to having lost data of 6,000 drivers when it sent unencrypted disks to the DVLA in Swansea. The data involved lots of details about the cars.


 


In a more worrying breach, last year the Department of Health posted sensitive personal data – including religious beliefs and sexual information – about junior doctors on the Medical Training Application Service website in a way that was accessible to any visitors. The ICO called this data breach ‘an unacceptable breach of security’. The regulator required the Department to sign formal undertakings to comply with the Data Protection Act in future, including encrypting personal data on the website if it could otherwise cause personal distress; and to implement regular testing to ensure its computer systems comply with data protection, privacy and confidentiality laws.


 
Earlier last year, the Department for Work and Pensions (the government department that will be supplying some of the key technology for the government’s proposed new National Identity Register scheme) was caught out after details of 26,000 people ended up in the wrong people’s hands. Worse still, it was unable to explain how or why the glitch had occurred. The details included people’s contact data, national insurance and bank details. The government has said that for its proposed ID scheme, data will be protected better, as it would hold biometric and other personal information on separate databases, making it harder to get unauthorised access to both sets of data.


 
Turning to crime, public authority data errors came to light when the prisoner database was found to be incomplete and inaccurate with thousands of records missing important information. More than 30,000 offenders do not have a criminal records number and more than 21,000 do not have a police national computer number. The prisoner database, which holds information on more than 80,000 prisoners, contains incomplete and inaccurate records including made-up surnames (such as ‘self-harm’) and 194 offenders’ records which do not include details of a surname at all. These are the findings of a study by EDS, the main IT supplier of the Prison Service, which reviewed the Local Inmate Database System which is supposed to hold important information on all prisoners in England and Wales (such as how much of a risk they pose to the public) and which enables the Prison Service to track where prisoners are held.


 


B. TRUST, CONFLICT AND THE LAW


 


According to a survey of 1,000 UK adults by Data Encryption Services, although three-quarters of British people would provide their contact details, date of birth, health information and children’s details to anyone who asks for it, just 1 in 10 would trust the Government with their data. 87% believe that the Government is not competent to deal with keeping personal data secure and 69% thought the government had little regard for their privacy. Legal issues aside, there is clearly a huge political and trust issue concerning people’s data.


 


The development of the law reflects the conflict between the human right to privacy and the need to fight crime and terror. At the heart of it is whether people trust the government with personal data – and whether even if the government has it, it will actually be of use to fight crime and terror; and whether the government can keep that data properly secure and confidential. The examples above say not.


 


Interestingly, there is a raft of laws already in place forcing telecommunications companies in the UK to retain all sorts of telecommunications data about phone calls. There are soon to be equivalent laws forcing ISPs in the UK to retain all sorts of email and Internet-related data. And more interestingly, the legal story does not start in the UK in the present day – its roots are in Brussels in 1995; with the modern impetus to expand massively all rules in the data retention area being rooted in the tragedies of New York on September 11, 2001.


 


C. RETENTION OF COMMUNICATIONS DATA


 


Security concerns of governments worldwide were understandably increased when it was realised that the events of 9/11 could only have occurred with massive logistical planning and support. Most of this support came from disparate sources all over the world who communicated with each other electronically. This realisation was further sharpened following the terror attacks in Bali, Madrid and London – when again electronic communication of one sort or another played a part in the organisation of these atrocities.


 


Following the attacks in New York, European governments, through the institutions of the EU, began to legislate mandatory behaviours for ‘communication service providers’ (CSPs). This covered telcos and ISPs. Most of this legislation concerned laws forcing CSPs to retain certain data generated in the course of making telephone conversations, sending emails or accessing the internet. Although this data was retained by CSPs, access to it by government bodies (including the police) was subject to a more national regime by country; and it is believed that the new government proposals now being mooted are to make such access easier.


 


Data retention did not emerge as a standalone issue until the first years of the 21st Century – and then only due to major terrorist outrages. To evaluate the current government proposals, it is necessary to trace the roots into the law (which is still in force) of the mid-1990s.


 


Communications Data Retention: Mid 1990s


 


Directive 95/46/EC[1] of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data – more usually (thankfully) known as the Data Protection Directive – started the ball rolling back in 1995. Retention of data was not dealt with as an issue of its own but was wrapped up with the protections given to an individual. This was achieved by imposing duties on ‘data controllers’.


 


In the UK, the Data Protection Directive was implemented in the Data Protection Act 1998 (DPA). Five of the eight principles enshrined in sch 1 to the DPA seem particularly relevant to retention of data by a data controller (and it should be noted that retaining data also counts as ‘processing’ data):


 


2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.


3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.


4. Personal data shall be accurate and, where necessary, kept up to date.


5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.


7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.


 


At this point in time therefore, CSPs (who are ‘data controllers’ as defined in the DPA) could not retain personal data (which would include details of phone calls, emails and internet access) if the purpose of gathering that information in the first place was not to retain it (principle 2), could not retain any such data which was excessive (principle 3), had to maintain any they did keep accurately and keep it up to date (principle 4), could not retain such data for longer than was necessary for their own business purposes (which presumably included billing and payment issues) (principle 5) and had to keep that data properly secure (principle 7).


 


At this stage therefore, there was no duty to retain data. There were merely rules to follow if a CSP decided to retain communications data.


 


Communications Data Retention: Late 1990s


 


Directive 97/66/EC[2] of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector (the 97 Directive) followed soon after the Data Protection Directive. The 97 Directive has now been repealed but it was passed to harmonise rules about privacy in the telecommunications sector across all member states. The 97 Directive was about privacy and the rights of the individual. Article 6 of this Directive concerned ‘Traffic and billing data’ and it restricted the laws member states could pass about such data. It provided that:


 


1. Traffic data relating to subscribers and users processed to establish calls and stored by the provider of a public telecommunications network and/or publicly available telecommunications service must be erased or made anonymous upon termination of the call without prejudice to the provisions of paragraphs 2 … and 4.


2. For the purpose of subscriber billing and interconnection payments, data indicated … [below] … may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment may be pursued…


4. Processing of traffic and billing data must be restricted to persons acting under the authority of providers of the public telecommunications networks and/or publicly available telecommunications services handling billing or traffic management, customer enquiries, fraud detection and marketing the provider’s own telecommunications services and it must be restricted to what is necessary for the purposes of such activities.


 


Although the 97 Directive was about privacy and the rights of the individual, Article 14 of the 97 Directive permitted a derogation ‘when such restriction constitutes a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the telecommunications system’. There was much commentary at the time about the scope of this derogation but it was generally agreed by European lawyers that forcing retention of communications data through that derogation would be a step beyond what was then allowed.


 


The 97 Directive was implemented in the UK by the Telecommunications (Data Protection and Privacy) Regulations 1999[3] (now repealed). Regulations 6-10 of those Regulations dealt with the implementation of the rules on traffic and billing data in UK law. Bearing in mind that Directives are usually minimum standards that must be met, the UK regulations went further and actually mandated that, at the end of a call, communications data related to the call would have to be deleted or depersonalised (ie unlinked to the identity of the caller/recipient of the call), subject to a couple of exceptions related to legal claims and marketing.


 


Communications Data Retention: 2000-2001


 


In 2000, the EU began to debate replacing the 97 Directive with a more general replacement that would be ‘future-proof’ and technology-neutral. However, this debate went on for two years. While the debate was raging, the UK government passed the Anti-Terrorism Crime and Security Act 2001 (ATCSA). ATCSA was a forerunner of later legislation but even at this embryonic stage, Part 11 of ATCSA dealt (and still deals) with ‘Retention of Communications Data’. It allows for the creation by the government of a voluntary code of practice that CSPs should (but do not have to) adhere to. ATCSA s.102 provides:


 


(1) The Secretary of State shall issue, and may from time to time revise, a code of practice relating to the retention by communications providers of communications data obtained by or held by them…


(3) A code of practice or agreement under this section may contain any such provision as appears to the Secretary of State to be necessary:


(a) for the purpose of safeguarding national security; or


(b) for the purposes of prevention or detection of crime or the prosecution of offenders which may relate directly or indirectly to national security.


(4) A failure by any person to comply with a code of practice or agreement under this section which is for the time being in force shall not of itself render him liable to any criminal or civil proceedings.


 


The voluntary code was not intended to have any teeth and its primary purpose was to ‘be admissible in evidence in any legal proceedings in which the question arises whether or not the retention of any communications data is justified on the grounds that a failure to retain the data would be likely to prejudice national security, the prevention or detection of crime or the prosecution of offenders.’


 


For a period of two years after ATCSA was passed, the government had a right to impose mandatory data retention requirements if the code proved ineffective; but this was never done (even though the period was extended twice to December 2007) and the right to do this under ATCSA has now expired.


 


Communications Data Retention: 2002-2003


 


Finally, in 2002, the EU replaced the 97 Directive with Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ‘Privacy Directive’)[4]. The Privacy Directive was implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003[5].


 


The new Privacy Directive essentially extended the scope of the derogations from the 97 Directive. It provided that ‘Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for … when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security [ie State security], defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system… [and] To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph.’


 


In the UK meanwhile, under ATCSA, the voluntary code applicable to CSPs was finally put in place[6]; it came into force on 5 December 2003 (the ‘ATCSA Code’). The ATCSA Code set out different rules for subscriber data, telephony data, text messaging and emails and ISP data. Specifically, subscriber data (which included an individual’s name, date of birth, credit card details, telephone number, email addresses and log-ins for dial-up internet accounts) and telephony data (which included numbers called, date, time and duration of calls, and the location of mobile phones when those calls were made) had to be retained for at least 12 months. Text message data (which included numbers texted to, date and time of texts, and the location of mobile phones when those texts were made) had to be retained for six months. Finally, email and ISP data (which included the dates, times and email addresses relevant to email communications, the dates and times of log-in and log-off and the IP address from which an email was sent) also had to be retained for six months.


 


The ATCSA Code also contained last-minute additions to deal with concerns raised by human rights lawyers about infringement of the human right to privacy. Essentially the human rights issues were dealt with by declarations in the final version of the ATCSA Code that the retention periods were necessary and proportionate when weighed against an individual’s right to respect for private life[7] and the national security purposes for which retention of data was required. To allay ISPs’ fears about the costs of all this, statements were included that the retention rules only applied to data that CSPs already retained for business purposes and that the object was not to increase the data fields which CSPs should retain but to encourage them to retain data for longer than they would otherwise need to for their own commercial purposes, so as to assist the security, intelligence and law enforcement agencies. Interestingly, the government also agreed to contribute to the cost of retention if data retention periods were ‘significantly longer for national security purposes than for business purposes’.


 


Communications Data Retention: 2004-2006


 


In the EU, in light of the continual international terrorist outrages, there was increasing political will to put in place measures specifically on data retention.


 


In April 2004, a draft Decision was published to harmonise data retention laws so as to fight organised crime and terrorism. It was heavily criticised by human rights lawyers and also by the Article 29 Data Protection Working Party. Among other things, that original draft Decision imposed a mandatory set of rules on CSPs to store traffic and location data i.e. communications data (but not content data) for 12 months; and a framework for law enforcement agencies to access that data ‘for the purposes of the prevention, investigation, detection or prosecution of criminal offences’. In October 2004, an updated draft Decision was issued but it was heavily criticised (and indeed rejected) a mere two months later by the EU Council’s Justice and Home Affairs Committee, saying the scope of the proposal was too narrow; and it was heavily criticised eight months later by the European Parliament, saying the rules were disproportionate. Nevertheless, shortly after the 7/7 attacks in London (and probably because of them) in July 2005, the EU Council agreed a Decision on the retention of communications data.


 


In September 2005, the EU Commission proposed a Directive which required the retention of fixed and mobile telephony traffic and location data for one year and the retention of internet data for six months. For internal political reasons, the EU Parliament accepted this but the Article 29 Working Party did not. Again human rights concerns were cited (i.e. that data retention interfered with the fundamental right to confidential communications under Article 8 of the European Convention on Human Rights) and the oft-stated maxim was cited that this right should be restricted only if there was a pressing need, in exceptional cases and subject to adequate safeguards. Technical and practical alternatives and further safeguards were also examined and proposed. However, these fell by the wayside. The EU Parliament commissioned a report on the draft Directive which proposed a list of compromises which would have changed large sections of the draft Directive had they been implemented. Unfortunately, the EU political process overtook this and due to some political shenanigans between the leaders of the two biggest political groups in the EU Parliament, the draft Directive was actually approved in basically its original form on 15 March 2006.


 


Communications Data Retention: 2006-2007


 


Directive 2006/24/EC[8] of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (and amending Directive 2002/58/EC) (the ‘Data Retention Directive’) came into force on 3 May 2006. It provided that by 15 September 2007, each member state must implement the following:



  • wide categories of data are to be retained
  • this data must be retained for between six months and two years
  • Member States ‘facing particular circumstances that warrant an extension for a limited period’ may extend this period beyond two years.

 


The preamble to the Data Retention Directive confirmed that all such data must be for the purpose of the investigation, detection and prosecution of serious crime. Importantly, ‘serious crime’ is defined by reference to the national law of member states. As will be seen below, the UK seems in effect to have defined ‘serious crime’ as ‘any crime’ for these purposes.


 


Importantly, the Data Retention Directive did not contain (and still does not contain) any rules about government access to, and use of, the retained data; this is intended to be governed purely by non-harmonised national law (see below).


 


In March 2007 (six months before the implementation deadline), the Home Office consulted on possible implementing regulations. Following that consultation and the affirmative resolution procedure, the Data Retention (EC Directive) Regulations 2007 came into force on 1 October 2007. These Regulations apply to telcos (not CSPs generally) who must retain:



  • the telephone number from which the telephone call was made and the name and address of the subscriber and registered user of that telephone;
  • the telephone number dialled;
  • in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred, and the name and address of the subscriber and registered user of such telephone;
  • the date and time of the start and end of the call; and
  • the telephone service used.

 


For mobile telephony, the following additional data must be retained:



  • the International Mobile Subscriber Identity (IMSI) of the telephone from which a telephone call is made;
  • the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made;
  • the IMSI and the IMEI of the telephone dialled;
  • in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated;
  • the cell ID at the start of the communication; and
  • data identifying the geographic location of cells by reference to their cell ID.

 


The data must be retained for 12 months and must be stored ‘in such a way that the data retained can be transmitted without undue delay in response to requests’.


 


Importantly, the UK made a declaration[9] that it was going to postpone application of the Data Retention Directive to the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail. The Regulations therefore do not implement the Directive with respect to those forms of data; although the derogation only lasts until 15 March 2009.


 


Communications Data Retention: 2008 


 


It had been thought that the government would introduce the Internet Access, Internet telephony and Internet e-mail measures in its proposed Counter Terrorism Bill. However, with little or no information forthcoming yet from the government, these plans may now have been superseded by the proposals for the Big Brother database which are currently the subject of such concern.


 


D. ACCESS TO COMMUNICATIONS DATA


 


The EU seems quite content to let each member state put in place its own measures for government or public bodies to access any retained data. In the UK, access to ‘communications data’ retained by CSPs is regulated by ss 21-25 of the Regulation of Investigatory Powers Act 2000 (RIPA).


 


The grounds of access are set out in RIPA s.22. These are, access:


(a) in the interests of national security;

(b) for the purpose of preventing or detecting crime or of preventing disorder;

(c) in the interests of the economic well-being of the United Kingdom;

(d) in the interests of public safety;

(e) for the purpose of protecting public health;

(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;

(g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health; or

(h) for any purpose (not falling within paragraphs (a) to (g)) which is specified in an order. This includes assisting investigations into alleged miscarriages of justice; and for the purpose of assisting in identifying any person who has died otherwise than as a result of crime or who is unable to identify himself because of a physical or mental condition, other than one resulting from crime; or obtaining information about the next of kin or other connected persons of such a person or about the reason for his death or condition.


 


Interestingly, while the EU mandates retention of data for the purposes of serious crime (see above), the access under English law appears to be for preventing or detecting any crime, thus going considerably wider than the EU specification.


 


Only ‘public authorities’ and ‘designated persons’ may apply to have access to the data held by CSPs. Full access is provided to the police, SOCA, HMRC and the intelligence services but the government can add to the list any time by SI and it has done so; at least up until now, after public consultation. For example, the Financial Services Authority, DBERR, the Department of Health, the Home Office and local authorities have all been added. Usually, individuals entitled to acquire communications data within these authorities are listed by reference to their office, rank or position.


 


The subsidiary legislation also imposes further restrictions on the grounds on which any such persons may acquire communications data, and the types of communications data they may acquire. Only a small number of bodies have unfettered access to data; most have some level of restriction.


 


Once public authorities obtain the data they must then comply with a further level of regulation; specifically:


 


  • the ‘toolkit’ for the handling of information in the public sector published by the Department of Constitutional Affairs[10];
  • the Code of Practice[11] under the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007 (prepared under RIPA s.71) which came into force on 1 October 2007;
  • Regulation 45/2002 on the processing of personal data by Community institutions and bodies; and
  • Directive 2003/98/EC on the re-use of public sector documents which harmonises rules for the re-use of public sector information in the EU.


 


The Code (which is only seven months old) is of most interest. Chapter 2 of the Code sets out the general scope of powers with regard to necessity and proportionality. It says (among other things):


 


2.1 The acquisition of communications data under the Act will be a justifiable interference with an individual’s human rights under Article 8 of the European Convention on Human Rights only if the conduct being authorised or required to take place is both necessary and proportionate and in accordance with law.


2.3 The purposes for which some public authorities may seek to acquire communications data are restricted by order. The designated person may only consider necessity on grounds open to his or her public authority and only in relation to matters that are the statutory or administrative function of their respective public authority.


2.5 The designated person must believe that the conduct required by any authorisation or notice is necessary. He or she must also believe that conduct to be proportionate to what is sought to be achieved by obtaining the specified communication data – that the conduct is no more than is required in the circumstances. This involves balancing the extent of the intrusiveness of the interference with an individual’s right of respect for their private life against a specific benefit to the investigation or operation being undertaken by a relevant public authority in the public interest.


2.6 Consideration must also be given to any actual or potential infringement of the privacy of individuals who are not the subject of the investigation or operation. An application for the acquisition of communications data should draw attention to any circumstances which give rise to a meaningful degree of collateral intrusion.


2.7 Taking all these considerations into account in a particular case, an interference with the right to respect of individual privacy may still not be justified because the adverse impact on the privacy of an individual or group of individuals is too severe.


2.8 Any conduct that is excessive in the circumstances of both the interference and the aim of the investigation or operation, or is in any way arbitrary will not be proportionate.


 


In his annual report for 2006[12], the Interception of Communications Commissioner (who is responsible for reviewing the exercise and performance of the powers and duties conferred or imposed under ss21-26 of RIPA) reported that public authorities made in excess of a quarter of a million requests for communications data in 2006[13]!


 


Chapter 7 expands the scope:


 


7.11 Whilst the majority of public authorities which obtain communications data under the Act have no need to disclose that data to any authority outside the United Kingdom, there can be occasions when it is necessary, appropriate and lawful to do so in matters of international co-operation.


 


Chapter 3 of the Code sets out the general rules on the granting of authorisations and the giving of notices. It provides:


 


3.2 The Act provides two alternative means for acquiring communications data, by way of:


· an authorisation … [which allows the relevant public authority to obtain the data itself], or


· a notice … [which is given to a CSP requiring collection of the data by the CSP].


3.23 An authorisation provides for persons within a public authority to engage in specific conduct, relating to a postal service or telecommunications system, to obtain communications data.


3.27 An authorisation is not served upon a CSP, although there may be circumstances where a CSP may require or may be given an assurance that conduct being, or to be, undertaken is lawful. That assurance may be given by disclosing details of the authorisation or the authorisation itself.


3.33 Giving of a notice is appropriate where a CSP is able to retrieve or obtain specific data, and to disclose that data, unless the grant of an authorisation is more appropriate. A notice may require a CSP to obtain any communications data, if that data is not already in its possession.


3.3 The applicant [for either an authorisation or a notice] is a person involved in conducting an investigation or operation for a relevant public authority who makes an application in writing or electronically for the acquisition of communications data. The applicant completes an application form, setting out for consideration by the designated person, the necessity and proportionality of a specific requirement for acquiring communications data.


3.4 Applications may be made orally in exceptional circumstances but a record of that application must be made in writing or electronically as soon as possible.


3.7 The designated person is a person holding a prescribed office in a relevant public authority who considers the application and records his considerations at the time (or as soon as is reasonably practicable) in writing or electronically. If the designated person believes it is necessary and proportionate in the specific circumstances, an authorisation is granted or a notice is given. [In addition, by provisions elsewhere in Chapter 3, a ‘designated person’ must have a current working knowledge of human rights principles, specifically those of necessity and proportionality, and how they apply; and must also take account of advice of the ‘single point of contact’, who is an accredited individual trained to facilitate lawful acquisition of communications data. Other safeguards also apply such as the necessity for a public authority to have a ‘senior responsible officer’, responsible for compliance with the Code.]


 


E.         TOWARDS A COMMUNICATIONS DATA GOVERNMENT DATABASE


 


Critics of any communications data retention and access regime claim that the mandatory retention of such communications data violates individuals’ right to privacy under Article 8 of the ECHR. Given the dependence in modern Western society on an online presence (whether to communicate by email, to shop by Internet or any of the other myriad activities we all get up to online), communications data allows anyone accessing it to create a detailed picture of an individual’s personal life. An examination of my own Telco and ISP communications traffic data over the last week shows whom I talk to (landline, mobile and Voice Over IP), whom I write to (email), where I shop (internet sites visited), what my hobbies are likely to include and which are my favourite websites. There is much more data besides which builds a picture of me.


 


However, in light of the existing legislation now in place, it seems that the laws on retention are being driven by the EU and the government has merely gone along with those rules. The rules on retention of data about my telephony traffic already require Telcos to retain communications data for 6-24 months at the EU level and 12 months at the UK level. The rules on retention of data about my Internet activities already exist at an EU level and must be in place in the UK by 15 March 2009 (although in practice many ISPs already retain this data anyway).


 


Although this communications data is kept by the Telcos and ISPs, access to that data by a government agency is not difficult to achieve at present (communications data access requests are believed to be close to 450,000 for 2007[14]) and is subject to existing rules as to what can be done when a government agency gets hold of that data. However, in terms of existing legislation, the government seems to have gone further than the EU requirements in that communications data is available for access in respect of detection of any crime, not just serious crime.


 


Commission Decision 2008/324/EC of 25 March 2008 set up the Platform on Electronic Data Retention for the Investigation, Detection and Prosecution of Serious Crime, which is a group of experts in matters relating to retention of personal data for law enforcement purposes in the electronic communications sector. It remains to be seen how this group will act and what it will do.


 


Critics of the latest UK government proposals ask why the government wants to go one step further by making CSPs hand over all communications data to the government for storage in its own database. Access for public authorities will be easier. But scrutiny of safeguards will be lessened. As the first section of this article clearly shows, the government’s track record with respect to loss of data, security of data and inappropriate use of and access to its citizens’ data leaves a lot to be desired. This may turn out to be not so much a clash of the governmental will against the people’s will but a clash of the governmental will against the people’s wont.


 


Mark Weston is a Partner at Matthew Arnold & Baldwin and Head of the Commercial/IP/IT Department there. He is also Chair of the SCL’s North London and Home Counties Group.


 








[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML



[2] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31997L0066:EN:HTML



[3] http://www.opsi.gov.uk/si/si1999/19992093.htm



[4] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML



[5] SI 2003/2426



[6] SI 2003/3175



[7] Article 8 of the European Convention on Human Rights



[8] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:01:EN:HTML



[9] under Article 15.3 of the Data Retention Directive



[10] http://www.dca.gov.uk/foi/sharing/toolkit/index.htm



[11] http://security.homeoffice.gov.uk/ripa/publication-search/ripa-cop/acquisition-disclosure-cop.pdf



[12] http://www.official-documents.gov.uk/document/hc0708/hc02/0252/0252.pdf (published January 2008)



[13] Para 58



[14] We await the Interception of Communications Commissioner’s Report for 2007 for definitive figures.