Data retention in the UK Ian Brown Foundation for Information Policy Research http://www. fipr .org/

Anti-Terrorism, Crime and Security Act 2001 Introduced shortly after Sep. 11 th Contains provisions for data retention by Communications Service Providers Must be for purposes directly or indirectly related to national security

Introduced shortly after Sep. 11 th

Contains provisions for data retention by Communications Service Providers

Must be for purposes directly or indirectly related to national security

EU-related actions 2002/58/EC: “Member States may… adopt legislative measures providing for the retention of data for a limited period.” UK: “Nothing in these Regulations shall require a communications provider to do, or refrain from doing, anything (including the processing of data) if exemption from the requirement in question is required for the purpose of safeguarding national security.”

2002/58/EC: “Member States may… adopt legislative measures providing for the retention of data for a limited period.”

UK: “Nothing in these Regulations shall require a communications provider to do, or refrain from doing, anything (including the processing of data) if exemption from the requirement in question is required for the purpose of safeguarding national security.”

Codes of practice Home Office must first consult on voluntary code of practice Subscriber info, telephony data 12 months; SMS, e-mail data 6 months; Web activity 4 days Then mandatory code may be imposed Powers may expire 13 Dec 2003

Home Office must first consult on voluntary code of practice

Subscriber info, telephony data 12 months; SMS, e-mail data 6 months; Web activity 4 days

Then mandatory code may be imposed

Powers may expire 13 Dec 2003

Real intentions? Most “business cases” given are well beyond current consultation timeframes Police continue to push for full URLs “ There is great merit for having information about subscribers kept for five years and call information for two years” –John Abbot, NCIS

Most “business cases” given are well beyond current consultation timeframes

Police continue to push for full URLs

“ There is great merit for having information about subscribers kept for five years and call information for two years” –John Abbot, NCIS

Information Commissioner view “ service providers are entitled to rely heavily on the fact that the Secretary of State and Parliament will have concluded that the retention of communications data for the periods specified in the Code is necessary in order to safeguard national security.” BUT “ the proposed regime will lead directly to disclosures under section 22 RIPA which are inconsistent with Parliament's intention in passing ATCSA, and thus arguably unlawful under Article 8”

“ service providers are entitled to rely heavily on the fact that the Secretary of State and Parliament will have concluded that the retention of communications data for the periods specified in the Code is necessary in order to safeguard national security.” BUT

“ the proposed regime will lead directly to disclosures under section 22 RIPA which are inconsistent with Parliament's intention in passing ATCSA, and thus arguably unlawful under Article 8”

ISP response No “ compelling case” for retention ISPA could not “ recommend to members that they voluntarily comply with the proposed code of practice”

No “ compelling case” for retention

ISPA could not “ recommend to members that they voluntarily comply with the proposed code of practice”

Parliamentary response “ We can reach no other conclusion than to recommend that the Home Office immediately drop their plans to introduce a voluntary scheme for data retention under ATCS.” “ We recommend very strongly that the Government do not… impose a mandatory data retention scheme.” “ We recommend that the Home Office enter into a dialogue with the CSP industry to develop an appropriate data preservation scheme to meet the needs of Law Enforcement.”

“ We can reach no other conclusion than to recommend that the Home Office immediately drop their plans to introduce a voluntary scheme for data retention under ATCS.”

“ We recommend very strongly that the Government do not… impose a mandatory data retention scheme.”

“ We recommend that the Home Office enter into a dialogue with the CSP industry to develop an appropriate data preservation scheme to meet the needs of Law Enforcement.”

Home Office response “ The Home Office do not consider that the fact that data is held by a communication service provider under the Code of Practice for national security purposes, and not for any other reason, should prevent the police or other public authorities having access to that data when they can demonstrate a proportionate need for it.” “ In order to be able to implement what they want, we will have to retain the data, so that it can be accessed to test out whether the intelligence services are right in believing that it is relevant in tackling terrorists. That is how stupid the Liberal Democrats are.” –David Blunkett, Hansard

“ The Home Office do not consider that the fact that data is held by a communication service provider under the Code of Practice for national security purposes, and not for any other reason, should prevent the police or other public authorities having access to that data when they can demonstrate a proportionate need for it.”

“ In order to be able to implement what they want, we will have to retain the data, so that it can be accessed to test out whether the intelligence services are right in believing that it is relevant in tackling terrorists. That is how stupid the Liberal Democrats are.” –David Blunkett, Hansard

Remaining questions Can ECHR articles 8 (privacy), 6 (fair trial) and data retention and access be reconciled? Will costs be acceptable?

Can ECHR articles 8 (privacy), 6 (fair trial) and data retention and access be reconciled?

Will costs be acceptable?