Home Office consultation on the implementation of 'Data Retention' legislation - March 2007

We have decided not to submit to this consultation, primarily because the data retention requirements contained herein are less stringent than existing business practices.

This page is a summary of the Home Office's consultation paper, and a place to note our thoughts, which will later be edited together into a formal submission.

The initial transposition of Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC

Deadline for submissions 11th June (To be emailed in no particular form to commsdata@homeoffice.gsi.gov.uk)

Executive Summary

Aim of the Directive: "to ensure that certain data is retained to enable public authorities to undertake their lawful activities to investigate, detect and prosecute crime and to protect the public."
Date for transposition of Dir 2006/24/EC: 15/9/7 (but its application in the UK to internet access, internet telephony and internet e-mails will be postponed, until no later than 15/3/9)
Annex B: Draft Regulations (relevant only for fixed line and mobile telephony)

Introduction

  • Comms data is collected by public comms providers about the traffic of comms generated or processed on their networks or by the use of their services. Such data is used, for example, in billing, network management and prevention of fraud. Does not relate to the content of the comms.
  • Detecting and preventing terrorist atrocities - now a valid public goal in the UK in the 21st century - drive the Directive.
  • Man public comms providers (PCP) will be unaffected because either 1. standard practice to retain said data 2. their data is retained by another PCP.

Q1 Will individual public communications providers be able to interpret how the draft regulations apply to their business? If not, why not?

  • Proposed length of retention is 12 months, but OK to retain for longer (contingent on compliance with Data Protection Act 1998).
  • Majority of underlying issues (e.g. proportionality in relation to Human Rights) were assessed as part of the 2003 consultation for the code of practice on voluntary retention of comms data
  • 2003 consultation revealed support and proactive engagement engagement by majority of telecomms industry regarding these measures.
  • Directive represents shift from voluntary retention to mandatory minimum requirements
  • As noted above, implementation required by 15/9/7 (except for internet-related activities, which can be postponed until 15/3/9 - justified by increased complexity of collection, and broader class of stakeholders)
  • "This consultation provides an opportunity to tell the Government if there is anything different that should be included in the draft Electronic Communications Data Retention (EC Directive) Regulations 2007 before they are laid before Parliament for approval later this year."

Human Rights considerations

Kay aspect to the debate is impact of legislation on individual's human rights: "We propose that the implementation of the Dir does not alter the balance in that debate and that these measures are a proportionate interference with individuals' rights to privacy to ensure protection of the public."

  • A key factor in this proportionality, according to past debates, is the length of retention => we have chosen 12 months retention period.
  • (MH comment > no expansion on this seemingly crucial point?)
  • Where is the business case from the users of this data justifying the 12-month period? Arguments made by police during original debate over retention used a series of cases where data was recovered more than 12 months later.
  • Access to retained data is available to a wide range of government bodies for purposes much more general than fighting serious crime and terrorism. Both the Information Commissioner's Office and the EU Data Protection Superviser have stated that these measures are a disproportionate interference with individuals' privacy rights. What detailed legal assessments have the government made of the compatibility of this law with the ECHR?

What is communications data?

Not the contents of communications, but rather

  • Who is communicating with whom?
  • When and where are they communicating?
  • What type of communication is it?

Data is defined in the Regulations as 'traffic data and location data and the related data necessary to identify the subscriber or user'. Definition of traffic data and location equal to that in the Privacy and Electronic Communications (EC Directive) Regulations 2003 2:
"Location data means any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to

  • the latitude, longitude or altitude of the terminal equipment
  • the direction of travel of the user; or
  • the time the location information was recorded"

"Traffic data means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration of time of a communication." Informed by the Directive, the Regulation defines the term user as "any legal entity or natural person using a publicly available electronic communications service, for private or business purposes, without having necessarily subscribed to that service."

  • Article 5 of the Directive defines the the data that must be retained by PCP

Q2: Is the data required to be retained specified clearly in the draft regulations? If not, why not, and can the Regulations be any clearer?

Why is it important to retain communications data?

Previously discussed in the development of Part 11 of ATCSA (2001) and the consultation on the code of practice for voluntary retention of comms data (2003) and across Europe in lead up to the Directive itself.

  • "Access to such communications data allows investigators to identify suspects, examine their contacts, establish relationships between conspirators, and place them in a specific location at a certain time. Analysis of this information can then be used to draw up a detailed profile of the suspect(s) either to inform prevention / disruption operations or for use as corroborative evidence in a prosecution supported by witness statements. Equally, the information provided by analysis of communications data may be used to clear an individual, or individuals, of suspicion."
  • Data may be needed soon after creation, in which case expensive but possible, or it may be needed much later - in which case it may have been deleted in accordance with Data Protection legislation, or business practices.
  • May 2005 - 2 week survey of comms data obtained by UK police - 231 requests for data relating comms that took place 6 - 12 months hence. 60% related to murder / terrorism, and 86% related to murder, terrorism and serious crime.
  • "The requirement for data older than 6 months is predominantly for long-running serious crime investigation. This highlights the significance of the older data which - without a mandatory framework for data retention in place - is more at risk of deletion. We believe that retention of this data is justified by the benefit to national security and the prevention of serious crime."

Proposal to transpose Directive 2006/24/EC

Directive does not require reimbursements, but European Commission have suggested it may be necessary

  • "In the UK, we propose to make provision for payment to public service providers of additional cost. These provisions can be found in draft Regulation 10 at Annex B. Section 4 of the partial Regulatory Impact Assessment at Annex C sets out why we believe these payments are necessary and consultation questions 3 and 4 invite comment on this:

Q3: Do you agree with the Government's approach to meet additional costs to reduce burden and meet requirements? Q4: Do you agree the proposed approach will not have a detrimental effect upon competition?

  • "The response to this consultation paper, together with ongoing consultation with industry, law enforcement, the intelligence agencies and the public, is informing the development of our approach to completing the full transposition of the Directive. Until the transposition is completed and provisions are in place for the retention of data derived from Internet access, Internet e-mail or Internet telephony, we will continue with voluntary arrangements for the retention of these types of data under Part II of ATCSA. We propose that until the transposition is complete, the sunset clause relevant to Section 106 of ACTSA should be extended."

Q5: Do you agree that because the issues around retention of IP are different from traditional telephony, it is appropriate to maintain the voluntary code under ATSCA and to extend the sunset clause relating to section 104 of the ATSCA? Q6: Do you think the draft regulations can provide a framework that will enable implementation of the internet aspects of the Directive?

Consultation Questions - Enter your concerns here!

Question 1

Will individual public communications providers be able to interpret how the draft regulations apply to their business? If not, why not?

Response

No-one's contributed yet, so please be the first to enter your opinions

Notes

Q2: Is the data required to be retained specified clearly in the draft regulations? If not, why not, and can the Regulations be any clearer?

Response

No-one's contributed yet, so please be the first to enter your opinions

Notes

From the outline of the directive it will include Date, time& duration of call and location data. However the Directive appears to specify this be in lattitude/longitude co-ordinates. This isl ikely to be an involved calculation as mobile phone companies seem to track to a primary tower, and produce a list of primary towers as part of the Call Data Record

Q3: Do you agree with the Government's approach to meet additional costs to reduce burden and meet requirements?

Response

No-one's contributed yet, so please be the first to enter your opinions

Notes

Q4: Do you agree the proposed approach will not have a detrimental effect upon competition?

Response

No-one's contributed yet, so please be the first to enter your opinions

Notes

Q5: Do you agree that because the issues around retention of IP are different from traditional telephony, it is appropriate to maintain the voluntary code under ATSCA and to extend the sunset clause relating to section 104 of the ATSCA?

Response

No-one's contributed yet, so please be the first to enter your opinions

Notes

Q6: Do you think the draft regulations can provide a framework that will enable implementation of the internet aspects of the Directive?

Annex A - Directive 2006/24/EC

The 'Data Retention' Directive - 2006/24/EC

Annex B - Draft Regulations

Draft Data Retention (EC Directive) Regulations 2007

Annex C - Partial Regulatory Impact Assessment

The Partial Regulatory Impact Assessment

Annex D - Equality Impact Assessment

Preliminary screening for equality impact assessment

Annex E - Consultation Criteria

The Consultation Criteria

Links

News

2007-04-04 - The Register - Home Office rethinks call data plans
Summary: The Home Office has published draft regulations to require the retention of certain call data by phone companies for 12 months. Internet telephony and internet access data will not be covered for the time being.