ISPs on Red Alert following Sweeping New Anti-terrorism Laws

March 1, 2002

The Anti-terrorism, Crime and Security Act 2001 (available in full text on the HMSO site) was fast-tracked through Parliament prior to Christmas by the Home Secretary David Blunkett and contains a package of measures to safeguard the ‘rights and freedoms’ of British citizens in the aftermath of the recent terrorist attacks. These include wide powers being given to law enforcement authorities in a diverse range of areas from communications surveillance to religious hate speech, from bio-terror hoaxes to security at laboratories and from asylum controls to the internment of terror suspects.



The Act has already attracted fierce criticism, and it would appear that many businesses are ignorant of their wider responsibilities under the new legislation.



Part 11 of the Act is of particular interest to Internet service providers (ISPs) and the wider IT industry as it provides for the retention of communications data. For the purposes of the Act, communications providers include both ISPs and telephone companies who operate publicly accessible networks.



No-one seems to be disputing the Home Secretary’s decision to take stock of our laws to see where they might need strengthening in light of the increased terrorist threats, but some commentators are concerned about the new measures being draconian.



Implications for Communications Providers


The primary provision in Part 11 of the Act is an obligation to retain data in order to enable law enforcement agencies to retrieve specific communications for the purposes of national security, for the prevention or detection of crime or for the prosecution of offenders for offences which may relate to national security matters.


The Act does not, however, require ISPs or other communications providers to retain all data. Only “communications” data must be retained. The term ‘communications data’ is defined by the Regulation of Investigatory Powers Act 2000 and that definition is adopted here. The definition includes traffic data but excludes the content of the actual call or message. Billing data, details of numbers dialled or e-mail and Web logs are therefore communications data and subject to the Act.


Code of Practice


The retention of data under the Act will be regulated by a voluntary code of practice and the Government is currently consulting with the ISP industry and telecommunications providers on the implementation of the Code of Practice and, more importantly, its content and remit. Particular issues that still require clarification include the exact fields of data which need be retained and how the Act will impact upon ISPs who locate their servers outside the UK.


It is hoped that a draft Code will be laid before Parliament in the latter half of 2002, but until it is published there will be a great deal of uncertainty as to how the new legislation will be implemented and enforced.


What is for sure is that many bodies and interested parties will be clamouring to have their voices heard during the consultation period, not least representatives from the ISPA (Internet Service Providers Association) and the Office of the Information Commissioner. One of their priorities will be to seek clarity on the content of the Code of Practice, the methods of storage and retrieval, the processes for disclosure, the range of law enforcement agencies which will have access to the data and, not least, the period of retention of the relevant data.


Failure to comply with the Code of Practice will not render a communications provider liable to criminal or civil proceedings. However, the Code may be admissible in any legal proceedings in which there is an issue as to whether or not the failure to retain the relevant data may compromise national security or otherwise hinder or prejudice the prevention or detection of crime or the prosecution of offenders for offences which may relate to national security matters.


The Act and its impact on Data Protection Legislation


On the face of it, the Act does appear to conflict with the provisions set down in the Data Protection Act 1998 (the DPA). Under the fifth principle of the DPA, personal data should not be kept for longer than is necessary. However, the eight data protection principles may fall away where there is a need to safeguard national security. There are also specific provisions within both the DPA and the Police and Criminal Evidence Act 1984 permitting longer periods of data retention for the investigation or detection of crimes.


In spite of these wide exemptions, the Information Commissioner has written to the Home Office expressing her concern that personal data may be retained for longer than is necessary. The outcome may be that communications providers must ensure as far as they can that the scope of any codes of practice, orders and directions is exceptionally clear.


If the period of retention is vaguely defined and it could be concluded that data has been stored for longer than is necessary, there is a real risk that ISPs and similar bodies will be in breach of their data protection obligations. Statutory guidance on this particular point would have been preferable to the open-ended requirements of the Act.


Mandatory Directions by the Secretary of State


Although the Code of Practice will be voluntary and carry no civil or criminal penalty for non-compliance, the Secretary of State is given powers under the Act to make mandatory directions, again with prior consultation, for the retention of communications data by any communications provider. The direction must specify the maximum period for which the communications provider is required to retain any specified data. This power to issue mandatory directions is available to the Secretary of State for two years from the Act coming into force.


If the Secretary of State issues any mandatory direction under the Act and the communications provider fails to comply with such direction, the Secretary of State may bring civil proceedings against the relevant provider for injunction or an order for specific performance or other appropriate civil relief.


Summary


Whilst the Government’s objectives are admirable, the Act does create huge uncertainty for the communications sector not only in relation to the type of data stored, but also as to methods and time periods of storage, retrieval and interception. The ISPA for one has been critical of the Act and its financial implications for an industry which already faces significant economic uncertainty.


Ultimately the feasibility of the entire scheme may boil down to the issue of cost. Having learnt from the debate surrounding the Regulation of Investigatory Powers Act 2000, the Government has included provisions in the Act to allow communications providers to recover the costs of complying with the Code of Practice and/or with mandatory directions issued by the Secretary of State. However, the exact wording of these provisions is vague and unclear, other than stating that monies may be provided by Parliament (in other words, funded by taxpayers).



The Government certainly has a difficult proposition balancing national security with the rights of individuals and businesses to conduct business freely, but the implications of this Act for a significant but already beleaguered section of the UK economy are likely to be ominous.



Fiona Ghosh is a barrister specialising in data protection and IT at Addleshaw Booth & Co