{b}Law enforcement{/b}
For lawyers advising companies on issues of law enforcement assistance, 2017 is going to be one of the most interesting years for a while, with substantial changes to the framework.
Although it is highly likely that the various parts of the Investigatory Powers Act 2016 will be brought into force in a phased manner, we can expect to see changes to the data retention framework imminently, given the sunset provision in DRIPA. Even though the legislation will be in final, enacted form, there will be plenty of work to do on the codes of practice, as well as ensuring that systems and processes meet the new legal requirements.
As the Act will permit a broader range of obligations to be imposed on providers of private telecommunication systems than has been the case to date, if I provided a substantial private system to persons in the United Kingdom, I would be considering what might be coming in my direction over the next 12 months or so, probably with a degree of trepidation despite the promise of 100% cost recovery.
Tele2 Sverige will cast further uncertainty on the situation. If the CJEU follows the Advocate General’s opinion and holds that, in principle, data retention obligations can be compatible with Union law, we can expect further deliberation as to whether the UK’s national implementation affords the relevant safeguards, with a trip back to the domestic courts. I suspect that this is likely to entail revisiting what constitutes ‘serious’ crime, along with further argument about retention periods and, most probably, questions about the proportionality of the Investigatory Powers Act’s new category of data, Internet connection records.
{b}Orders to block and to register{/b}
We can expect to see more obligations placed on Internet service providers, public and private, in terms of both access blocking and potentially user registration.
With the ruling of the Court of Appeal earlier this year that it can be appropriate in some circumstances for ISPs to bear the costs of implementing blocking injunctions to attempt to prevent access to sites which infringe copyright or trade marks, I expect that more cases will be brought and more sites (notionally) blocked.
Depending on how the current debate around the Digital Economy Bill plays out, ISPs may be blocking more than merely infringing content: Claire Perry’s proposed amendment would empower the British Board of Film Classification to compel ISPs to prevent access to pornographic material made available on a commercial basis without age verification. It is perhaps more likely than not that we will see something of this nature, as the government has announced that it will support a similar approach, although the precise wording may still be up for debate. I should hope so since, as currently drafted, the obligations which could be imposed on an ISP by the BBFC — a decision of a private company, not an act of the judiciary — are uncomfortably broad, and there is, as of yet, no provision for the recovery of an ISP’s costs in carrying out what is being positioned as a public service.
Lastly, I wonder if we will see the first UK case attempting to secure a McFadden injunction against a Wi-Fi operator, aiming to compel them to impose user registration requirements. The CJEU did not comment on the Article 8 / data protection implications of its suggestion, and the ICO has not offered a view on the issue, but I would expect this to be a contentious area, especially since many places running open Wi-Fi networks are experts in running cafes or bars, rather than operating databases and protecting data, and the burden of processing potentially substantial volumes of customer data safely may weigh heavily on them. But perhaps a further opportunity for bigger Wi-Fi suppliers.
{b}The year of IPv6?{/b}
I would like to predict that 2017 will be the ‘year of IPv6’, but I am not that brave!
For those who had held out hope that the open Internet access regulation (2015/2120) would encourage IPv6 adoption, since the definition of ‘internet access service’ entails the provision of ‘connectivity to virtually all end points of the internet,’ BEREC’s August 2016 guidance is likely to have been rather disappointing: it has opined that this requirement should ‘at present, not be interpreted as a requirement on ISPs to offer connectivity with both IPv4 and IPv6’.
As the Internet of Things grows, and even more devices require connectivity, we can expect to see yet further pressure placed on the legacy IPv4 Internet, and, with IPv4 exhaustion creeping ever closer, increasing numbers of customers will be faced with carrier-grade NAT. Fine for many, but a real pain for those running their own servers. Customers reliant on hosting their own Internet-facing services may well want to check their contracts and see if inbound routable IPv4 is guaranteed.
I predict that those supporting the purchase of technology will find that ‘must support IPv6’ will become an increasingly important client demand, to maximise equipment life: savvy purchasers have already been specifying this for a while, but perhaps 2017 will see this being embraced more broadly.
On the selling side of things, as is often the case, with scarcity comes the possibility of commercial opportunity. Companies and other organisations with large legacy IPv4 holdings will continue to try to sell their unused ranges, attempting to find the sweet spot before potential purchasers give in and deploy IPv6. It will be interesting to see what Regional Internet Registries accept as justifications for these transfers: whether they will be sympathetic to what are likely to be corporate acquirers trying to fend off IPv6 rollout for a little longer, or whether they will take a tougher line.
So there you have it. Some slight predictions, some certainties, and some ponderings.
{b}{i}Neil Brown is the managing director of decoded:Legal. You can access an IPv6-only version of their website at ipv6.decodedlegal.com, largely because Neil was bored one evening. For those of you with more traditional Internet connections, it’s decodedlegal.com.{/i}{/b}