April 09, 2014 | Jim Killock

ISPs will break the law if they continue to retain our data

Yesterday’s invalidation of the Data Retention Directive opens up the question of what the government and ISPs do next. Both are in a dubious legal situation now that data retention has no legal basis.

The Data Retention Directive is retrospectively invalid: not only is it gone, but in legal terms it never was. The UK Regulations are also gone, as the power for the Secretary of State to pass them under the European Communities Act 1972 (UK legislation) relied on the validity of the original Directive. The obvious conclusion is that, for now, data retention should stop. We have yet to hear any argument that the government could carry on using the ex-directive's powers, although of course it may try.

There may be older legislation that the government could try to use for some elements of data retention, especially S.94 of the Telecommunications Act 1984, which gives powers to order communications data retention, but it’s more likely that the government will need to legislate.

Without the Data Retention Directive, the only likely legal basis for retaining data is for business purposes. The Data Protection Act (DPA) allows for limited retention and processing of personal data, in order to provide you with the services you’ve asked for.

ISPs are in a difficult position if they retain data under the DPA. For retention, they should hold it for business purposes only; and lawful access should be defined by law before they hand it over. We believe they are obliged to stop retaining data and should destroy any data retained by virtue of the now invalid regulations. If companies continue to retain the data, there is a risk that their own customers could launch claims for breaches of the DPA.

The government also needs to clarify whether it is still continuing to pay for retention of data that has no legal basis. Since the UK regulations that authorised these payments are now invalid, under what powers would the government make those payments?

ISPs need to think quickly about liability, retention and government payments; the government may need to legislate. If the government legislates, it needs to take the ECJ judgement into account, to avoid having to rewrite the rules again if the EU introduces new data retention legislation. We’ve been given guidance on the limits of surveillance and data retention, including requirements to limit the uses and confine the retention to relevant data. It is essential that the UK takes notice of these requirements.

The government may consider reviving the rump Snooper’s Charter proposals, for data retention in mobile companies, but it is also an opportunity for Parliament to discuss surveillance in the round. The ECJ ruling validates the argument that mass data retention breaches our rights to privacy and protection of personal data, and is very significant for ORG's legal challenge to government surveillance at the European Court of Human Rights. Any new government legislation must limit surveillance to what is necessary for investigation, rather than allow blanket data collection across everyone’s communications.

Comments (7)

  1. ~me:
    Apr 09, 2014 at 04:33 PM

    finally some good news.

  2. Kev:
    Apr 09, 2014 at 04:49 PM

    what is to stop the government saying it has stopped retaining data, only to find out (through another whistle blower?) that it is carrying on the same?

    what is to say that the UK government just allows the NSA to do all the surveillance and retaining of data, handing it over to the UK when they ask for it? let's face it, this UK government is so USA orientated it will do anything Obama says!

    then there is the new Police force being put into operation using public money to fund it while doing anything and everything possible to aid a private industry, the main players being based in the USA? what right has the government got to use our tax money for this, rather than getting the industry itself to pay for it? what good is it doing anyone anyway!

  3. don:
    Apr 09, 2014 at 06:51 PM

    Sorry Jim,
    but this judgement is worth nothing, all metadata can be classed as "business data" (as proved recently in the US) and with most of the ISPs now running LLU networks on top of the leased Openreach infrastructure, the retention of this data can be considered necessary for the running and maintenance of their private networks. also with most ISPs having technical departments outside the EU, data could legally be sent to these places and its storage and use not covered by UK and EU law,

    FYI no major UK ISP now provides a fixed IP address to residential customers (making private connections nigh on technically impossible, and any legal methods that are left are slowly being removed on copyright grounds by the use of court orders), TalkTalk business now offers preferential connections to business customers (no net-neutrality) on their LLU network. and also TalkTalk have told me the use of VPNs are not allowed on their residential network. (so I am not being allowed to connect directly to a free internet, just their network, allowing them to decide what protocols and restrictions they can place on my internet usage) legal censorship by the back door?

    also no network provider will now guarantee upload bandwidth as they claim it is not needed for an internet connection. (what about Skype or transferring private and confidential data?) in my opinion they seem to be following the American model of becoming content delivery networks and not communication providers.

    until we get a trustworthy, honest and open major ISP, I do not think any legislation will make any difference to users' privacy as our internet freedom (in the UK) is starting to be limited by global business models not government.

    I suspect Google is deliberately restricting what YouTube videos can be seen in the UK (as they openly do with search results with a UK government agreement) and will update you if I find any proof of this.


  4. Pete:
    Apr 09, 2014 at 09:19 PM

    Request to the HO for confirmation that the associated UK legislation is now recognised to be invalid;-


    PS. ORG, please. Take the third party Google cruft out of your web pages, and/or read the Snowden docs.

  5. jonny B:
    Apr 10, 2014 at 01:35 AM

    Ha ha, looks like the "third party google cruft" comes from the recaptcha anti-bot check on this very comment form, loving the irony (but thanks ORG for all your good works generally! :)

  6. Peter Fairbrother:
    Apr 10, 2014 at 07:19 AM

    Older data retention legislation includes Part 11 of the Anti-Terrorism, Crime and Security Act 2001, which has not been repealed.

    A voluntary Code of Practice for communications data retention was issued under ATCSA Part 11 s.102, but no mandatory Directions relating to data retention were ever issued under ATCSA.

    The s.102 power to revise the voluntary CoP still exists, but the power of the SoS to make an order containing mandatory Directions has lapsed (ATCSA s.105).

    As ATCSA Part 11 is very similar to the now-invalid Directive, it is almost certainly disproportionate as well - however the reasons why data is to be retained under Part 11 include "national security", which may well trump disproportionate interference with Article 8 EU Human Rights.

  7. taf:
    Apr 10, 2014 at 11:04 AM

    the public has been groomed into expecting everyone and their uncle to ask for date of birth etc. - totally unnecessary information to have an internet connection, for example. How can we turn back the clock on that? Most of my many young relatives accept that in order to use the devices they have, they will be monitored, most of them think it is to keep them safe - schools ram this home to them about internet bullying etc. As many children are using devices at a very young age, there is no way we can alter their attitude to privacy - a child doesn't have privacy these days, so they don't know what they have lost.

    I had a minor victory when I was asked for my d.o.b. to PAY! an electricity bill. After a long discussion with the operative, pointing out that in order to buy thousands of pounds worth of equipment on web sites, all I need is my card details, she wouldn't budge, so I put the phone down and sent a letter to the supplier instead - I got back an apology saying that I was of course right, that I didn't need to supply my d.o.b. to pay a bill, and that the operatives had been retrained - yeah!
    Unfortunately, months later I tried to pay a bill using my debit card on the phone to the same company - I was asked for my d.o.b. again, I had to read the letter to a supervisor - it took a very long time and was very painful. Boooo!

    I work in IT with other IT professionals and I have to say that even most of them are unconcerned that they are being monitored - head in sand syndrome because they "can't do anything about it", or childishly pleased that someone else is "looking after their safety".

    While this can happen, and most people accept it, and companies do not question their own activities (because information is money) and if they still get customers, why would they care - I don't think we will have any real hope of changing anything - it's a shift in attitude we need. How do we change attitudes?