Download to read offline
More Related Content
Similar to Uk data retention review ver 3.0
Uk data retention review ver 3.0
- 1. UK DATA RETENTIONREVIEW DATA RETENTION AND INVESTIGATORY POWERS ACT 2014 Prepared by Amr Eldeeb February 2016
- 2. “Whereas the objectof the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason , the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;”1 1 (10) DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- 3. INTRODUCTION This research isin favor to find out the specified DATA that ISPs shall retain, protect & provide upon request, in light of the data retention regulations in the UK. SUMMARY The UK Data Retention Regulations completes the transposition of Directive 2006/24/EC2 , on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC3 . They relate to internet access, internet e-mail and internet telephony, as well as mobile and fixed line telephony. They revoke, and supersede, the Data Retention (EC Directive) Regulations 2007 (SI 2007/2199) which transposed the parts of Directive 2006/24/EC relating to mobile and fixed line telephony. It took three years to get the final UK Data retention regulations including the very important milestone of “proper public consultation”4 . However, the European Court of Justice (“ECJ”), in a judgment dated 8 April 2014 in joined cases C-293/12 Digital Rights Ireland & C-594/12 Seitlinger which, declared the Data Retention Directive (2006/24/EC) invalid. It noted that limitations to fundamental rights should only apply 2 Directive 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL , of 15 March 2006 3 DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) 4 The draft Regulations have been subject to a 12-week public consultation exercise, which concluded in October 2008. During this exercise, Home Office officials met with a broad range of public communications providers and their trade associations, the Association of Chief Police Officers, the intelligence agencies, privacy lobbyists and other individuals. 54 responses were received. Many responses were from members of the public who were opposed to the Directive on principle but did not offer suggestions on the wording of the draft Regulations (24 out of 54 responses). Public communications providers welcomed the Government’s approach subject to five main concerns, which are addressed below. First, draft Regulation 5 has been amended to remove a provision, which would have enabled the Secretary of State to vary the period for data must be retained under the Regulations by notice. Second, draft Regulation 9 has been amended to ensure that all statistics required to be collected under Directive 2006/24/EC are also required to be collected under the draft Regulations. Third, draft Regulation 10 has been amended so that the Secretary of State must issue a notice to any public communications provider required to retain data under the Regulations. Under the amended version of draft Regulation 10, the Secretary of State must issue such a notice to a public communications provider unless the data to which the Regulations apply are retained in the UK in accordance with the Regulations by another public communications provider. Fourth, several responses to the consultation exercise expressed concern about how the draft Regulations ought to be interpreted in practice. The Government undertakes to establish an “implementation group”. This will develop guidance to assist in the implementation of the draft Regulations. Finally, a number of responses queried the meaning of the term “e-mail”. The Government confirms that the term “email” has the same meaning as “electronic mail” which is defined in the Privacy and Electronic Communications (EC Directive) Regulations 2003, transposing Directive 2002/58/EC into UK law. Both terms therefore refer to “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”.
- 4. in so faras is strictly necessary and that EU law must lay down clear and precise rules governing the scope of limitations and the safeguards for individuals. It held that the Directive did not set out clear and precise rules regarding the extent of the interference. It highlighted several elements of the directive, which fell short in this regard. By applying to all traffic data of all users of all means of electronic communications the Directive entailed an interference with the fundamental rights of practically the entire European population and did not require a relationship between the data retained and serious crime or public security. Moreover, no substantive conditions (such as objective criterion by which the number of persons authorized to access data can be limited) or procedural conditions (such as review by an administrative authority or a court prior to access) determined the limits of access and use to the data retained by competent national authorities. Nor did the Directive determine the period for which data are retained based on objective criteria. The Court also held that the Directive did not set out clear safeguards for the protection of the retained data. This finding was supported by the Court’s observation that the rules in the Directive were not tailored to the vast quantity of sensitive data retained and to the risk of unlawful access to these data. Rather, the Directive allowed providers to have regard to economic considerations when determining the technical and organizational means to secure these data. Moreover, the Directive did not specify that the data must be retained within the EU and thus within the control of national Data Protection Authorities. For these reasons, the Court declared the Directive invalid5 . In light of such development, the UK Government decided to introduce a secondary legislation to replace the Data Retention (EC Directive) Regulations 2009 (S.I.2009/859) (“the 2009 Regulations”), while providing additional safeguards. The Act had been taken through Parliament on a fast-track basis. In order to ensure the new data retention regime is in place before the Summer Recess, these Regulations will also be subject to an accelerated Parliamentary timetable. In particular, the Regulations will come into force on the day after they are made. The Government considers it important to put in place a new regime for data retention as soon as possible. This will ensure that telecommunications service providers continue to retain data following the European Court of Justice Judgment. The replacement Bill was the “Data Retention and Investigatory Powers Act 2014” 17th of July 2014. The act aims, among other things, to respond to the ECJs judgement since the 2009 Regulations have implemented the Directive in domestic Laws. In addition, this Act ensures that, as the original legislation intended, any company providing communication services to customers in the United Kingdom is obliged to comply with requests for communications data and interception warrants issued by the Secretary of State, irrespective of the location of the company providing the service. Nevertheless, the Act provides a power for the Secretary of State to issue a data retention notice on a telecommunications services provider, requiring them to retain certain data types. The data types are those set out in the Schedule to the 2009 Regulations. No additional categories of data can be retained. The Act provides that the period for which data can be retained can be set at a 5 See more at: http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130d5cb2de61340ea4b108458a62 01a7991e8.e34KaxiLc3eQc40LaxqMbN4Och8Re0?text=&docid=145562&pageIndex=0&doclang=en&mo de=req&dir=&occ=first&part=1&cid=768374
- 5. maximum period notto exceed 12 months, rather than the fixed 12 months in the 2009 Regulations, allowing for retention for shorter periods when appropriate. It provides a power to make regulations setting out further provision on the giving of and contents of notices, safeguards for retained data, enforcement of requirements relating to retained data and the creation of a code of practice in order to provide detailed guidelines for data retention and information about the application of safeguards, and transitional provisions. By 30 July 2014, In accordance with section 2(5) of the ACT, new draft for Data Retention Regulations 2014 have been prepared and laid before parliament & approval by resolution of each House. IN ACCORDANCE WITH THE AIM OF THIS RESEARCH, WE WILL NOT PROCEED DEEPLY IN ANY DETAILES REGARDING THE RELATED LAWS AND WILL ONLY LIST THE DIFINITIONS & DATA TYPES SET OUT IN THE DATA RETENTION AND POWERS ACT 2014 & THE RELATED DATA RETANTION REGULATIONS 2014. THE FOLLOWING DATA HAS BEEN COLLECTED, REFORMED AND LISTED IN A WAY SERVING THE AIM OF THIS RESEARCH.
- 6. SECTION (A) DEFINITIONS 1. DataRetention and Powers and investigatory powers Act 2014 described the definitions under the title Supplementary; I. “Communications data” has the meaning given by section 21(4)6 of the Regulation of Investigatory Powers Act 2000 so far as that meaning applies in relation to telecommunications services and telecommunication systems; II. “Functions” includes powers and duties; III. “Notice” means notice in writing; IV. “Public telecommunications operator” means a person who; (a) Controls or provides a public telecommunication system, or (b) Provides a public telecommunications service; V. “Public telecommunications service” and “public telecommunication system” have the meanings given by section 2(1)7 of the Regulation of Investigatory Powers Act 2000; VI. “Relevant communications data” means communications data of the kind mentioned in the Schedule to the 2009 Regulations so far as such data is generated or processed in the United Kingdom by public telecommunications operators in the process of supplying the telecommunications services concerned; In accordance with 2(2); “Relevant communications data” includes (so far as it otherwise falls within the definition) communications data relating to unsuccessful call attempts that— (a) in the case of telephony data, is stored in the United Kingdom, or (b) In the case of internet data, is logged in the United Kingdom, but does not include data relating to unconnected calls or data revealing the content of a communication. VII. “Relevant powers” means any powers conferred by virtue of section 1(1) to (6); VIII. “Relevant requirements or restrictions” means any requirements or restrictions imposed by virtue of section 1(1) to (6); IX. “Retention notice” has the meaning given by section 1(1); X. “Specify” means specify or describe (and “specified” is to be read accordingly); 6 In this Chapter “communications data” means any of the Following; (a) any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—(i) of any postal service or telecommunications service; or - (ii) in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system; (c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service. 7 “public telecommunications service” means any telecommunications service which is offered or provided to, or to a substantial section of, the public in any one or more parts of the United Kingdom; “public telecommunication system” means any such parts of a telecommunication system by means of which any public telecommunications service is provided as are located in the United Kingdom;
- 7. XI. “Telecommunications service”8 and“Telecommunication system”9 have the meanings given by section 2(1) of the Regulation of Investigatory Powers Act 2000; XII. “Telecommunications Service Provider” means a person who provides a telecommunications service; XIII. “Unsuccessful call attempt” means a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention; XIV. “The 2009 Regulations” means the provisions known as the Data Retention (EC Directive) Regulations 2009 (S.I. 2009/859). XV. In subsection (5); Meaning of “telecommunications service” In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of interception” etc.), after subsection (8) insert— “(8A) For the purposes of the definition of “telecommunications service” in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.”10 2. The Data Retention Regulations 2014 has some special interpretation for part 2 of the regulations that can be cited as following; Interpretation of part 2; I. “The Act” means the Data Retention and Investigatory Powers Act 2014; II. “Cell ID” means the identity or location of the cell from which a mobile telephony call started or in which it finished; III. “Service use data” means anything falling within paragraph (b) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000(a) so far as that definition applies in relation to telecommunications services and telecommunication systems; IV. “Subscriber data” means anything falling within paragraph (c) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000 so far as that definition applies in relation to telecommunications services and telecommunication systems; V. “Telephone service” means calls (including voice, voicemail and conference and data calls), supplementary services (including call forwarding and call transfer) and messaging and multimedia services (including short message services, enhanced media services and multi-media services); 8 “telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service); and 9 “telecommunication system” means any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy 10 Subsection 2 (8); For the purposes of this section the cases in which any contents of a communication are to be taken to be made available to a person while being transmitted shall include any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently.
- 8. VI. “Traffic data”means anything falling within paragraph (a) of the definition of “communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000 so far as that definition applies in relation to telecommunications services and telecommunication systems; VII. “Communications data” in section 21(4) of the Regulation of Investigatory Powers Act 2000 so far as that definition applies in relation to telecommunications services and telecommunication systems; VIII. “User ID” means a unique identifier allocated to persons when they subscribe to, or register with, an internet access service or internet communications service IX. The Schedule to these Regulations specifies the communications data that is of the kind mentioned in the Schedule to the 2009 Regulations (b). SECTION (B) THE REQUIRED TYPES OF RETAINED DATA DATA RETENTION REGULATIONS 2014 SCHEDULE COMMUNICATIONS DATA OF THE KIND MENTIONED IN THE SCHEDULE TO THE 2009 REGULATIONS The schedule includes data falling into categories of fixed network (part 1), mobile telephony (part 2), and internet access, internet e-mail or internet telephony (part 3). PART 1 FIXED NETWORK TELEPHONY Data necessary to trace and identify the source of a communication 1. — (1) The calling telephone number. (2) The name and address of the subscriber or registered user of any such telephone. Data necessary to identify the destination of a communication 2.— (1) The telephone number dialed and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred. (2) The name and address of the subscriber or registered user of any such telephone. Data necessary to identify the date, time and duration of a communication
- 9. 3. The dateand time of the start and end of the call. Data necessary to identify the type of communication 4. The telephone service used. PART 2 MOBILE TELEPHONY Data necessary to trace and identify the source of a communication 5. — (1) The calling telephone number. (2) The name and address of the subscriber or registered user of any such telephone. Data necessary to identify the destination of a communication 6. — (1) The telephone number dialed and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred. (2) The name and address of the subscriber or registered user of any such telephone. Data necessary to identify the date, time and duration of a communication 7. The date and time of the start and end of the call. Data necessary to identify the type of communication 8. The telephone service used. Data necessary to identify users’ communication equipment (or what purports to be their Equipment) 9. — (1) The International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the telephone from which a telephone call is made. (2) The IMSI and the IMEI of the telephone dialed. (3) In the case of pre-paid anonymous services, the date and time of the initial activation of the Service and the cell ID from which the service was activated. Data necessary to identify the location of mobile communication equipment 10. — (1) The cell ID at the start of the communication. (2) Data identifying the geographic location of cells by reference to their cell ID
- 10. PART 3 INTERNET ACCESS,INTERNET E-MAIL OR INTERNET TELEPHONY Data necessary to trace and identify the source of a communication 11.— (1) The user ID allocated. (2) The user ID and telephone number allocated to the communication entering the public telephone network. (3) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication. Data necessary to identify the destination of a communication 12.— (1) In the case of internet telephony, the user ID or telephone number of the intended recipient of the call. (2) In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication. Data necessary to identify the date, time and duration of a communication 13.— (1) In the case of internet access— (a) The date and time of the log-in to and log-off from the internet access service, based on a specified time zone, (b) The IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and (c) The user ID of the subscriber or registered user of the internet access service. (2) In the case of internet e-mail or internet telephony, the date and time of the log-in to and log off from the internet e-mail or internet telephony service, based on a specified time zone. Data necessary to identify the type of communication 14. In the case of internet e-mail or internet telephony, the internet service used. Data necessary to identify users’ communication equipment (or what purports to be their Equipment) 15. — (1) In the case of dial-up access, the calling telephone number. (2) In any other case, the digital subscriber line (DSL) or other end point of the originator of the Communication.
- 11. SECTION(C) HIGHLIGHTS & COMMENTARY 1.Highlights; The Act provides powers to create a new mandatory data retention regime to replace the 2009 Regulations. Communications data is the context not the content of a communication. It can be used to demonstrate who was communicating; when; from where; and with whom. It can include the time and duration of a communication, the number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made. There is no section in any of the reviewed regulations to mention the CONTENT as a kind of data that has to be retained. There is major section in the 2009 regulations that has been modified; article 3; These Regulations apply to communications data if, or to the extent that, the data are generated or processed IN the United Kingdom by public communications providers in the process of supplying the communications services concerned. This article has been MODIFIED & CLARIFIED in ACT 2014 by updating the Extra-Territorial section in RIPA11. In accordance with the ECJ judgement, the ACT provides that the period for which data can be retained can be set at a maximum period not to exceed 12 months, rather than the fixed 12 months in the 2009 regulations, allowing for retention for shorter periods when appropriate. Telecommunications service providers will not be required to retain data, unless they have been given a Retention Notice by the Secretary of the state. A notice cannot require the retention of data types other than those described in the 2009 Regulations.12 In accordance with the new “Counter Terrorism and Security ACT 2015”, part 3, section 21; there have been scheduled modifications for some definitions to be in force of 31st of December 2016, as following; 11 Subsection number 2, 3, 4, 5, 6, 7, 8, 9 & 10 of the ACT modifying certain sections of RIPA to provide practicalities for Law Enforcement Agencies IN & OUT UK. 12 2 (3) Regulations under section 1(3) may specify the communications data that is of the kind mentioned in the Schedule to the 2009 Regulations and, where they do so, the reference in the definition of “relevant communications data” to communications data of that kind is to be read as a reference to communications data so specified.
- 12. 21 Retention ofrelevant internet data (1) Section 2(1) of the Data Retention and Investigatory Powers Act 2014 (temporary provision about the retention of relevant communications data subject to safeguards: definitions) is amended as follows. (2) In the definition of “relevant communications data”— (a) For “means communications data” substitute “means— (a) communications data”; (b) After “Regulations” insert “, or (b) relevant internet data not falling within paragraph (a),” (c) The words from “so far as” to the end of the definition become full-out words beneath the new paragraphs (a) and (b). (3) After the definition of “relevant communications data” insert— ““relevant internet data” means communications data which— (a) relates to an internet access service or an internet communications service, (b) May be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person), and (c) is not data which— (i) may be used to identify an internet communications service to which a communication is transmitted through an internet access service for the purpose of obtaining access to, or running, a computer file or computer program, and (ii) is generated or processed by a public telecommunications operator in the process of Counter-Terrorism and Security Act 2015 (c. 6) Part 3 — Data retention 15 supplying the internet access service to the sender of the communication (whether or not a person);”. (4) In addition— (a) Before the definition of “communications data” insert— ““communication” has the meaning given by section 81(1) of the Regulation of Investigatory Powers Act 2000 so far as that meaning applies in relation to telecommunications services and telecommunication systems;”; (b) After the definition of “functions” insert— ““Identifier” means an identifier used to facilitate the transmission of a communication;” (c) After the definition of “notice” insert— ““Person” includes an organization and any association or combination of persons;” (5) Subsections (1) to (4) are repealed on 31 December 2016. 2. COMMENTARY The Data retention and investigatory powers ACT 2014 can be described as; The Necessary Modification that strengthen and clarify, rather than extend, the UK legislative framework.
- 13. In orderto balance between the privacy rights & the law enforcement agencies requirements, It differentiated between two kinds of requests to retain relevant communications data: o “A Retention Notice” for the purposes for which communication data may be obtained.13 o By “Regulations” to make further provisions about the retention of relevant communications data14. As mentioned, the context is the targeted data type by these regulations, while the set of actions to gain access to the content is covered by, but not limited to, chapter 1 of part one of RIPA15, which can be briefed in; o In the interests of national security16; o For the purpose of preventing or detecting crime or of preventing disorder; o In the interests of the economic well-being of the United Kingdom; o In the interests of public safety; o For the purpose of protecting public health; o For the purpose of assessing or collecting any tax, duty, levy or other imposition, o Contribution or charge payable to a government department; o For the purpose, in an emergency, of preventing death or injury or any damage to a o Person’s physical or mental health, or of mitigating any injury or damage to a o Person’s physical or mental health; or o For any purpose (not falling within paragraphs (a) to (g)) which is specified for the Purposes of section 22(2) by an order made by the Secretary of State. By working in conjunction with other, pre-existing legislation, the ACT & Regulations ensures the following points are clearly covered: o A clear and widened set of definitions o Purposes to which relevant powers may be used o Which authorities can use the powers o Authorization of the use of the powers o Shaping & confirming the extra territorial definition. 13 Purposes set out in section 22(2) of RIPA; (2) It is necessary on grounds falling within this subsection to obtain communications data if it is necessary— (a) in the interests of national security; (b) for the purpose of preventing or detecting crime or of preventing disorder; (c) in the interests of the economic well-being of the United Kingdom; (d) in the interests of public safety; (e) for the purpose of protecting public health; (f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department; (g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health; or (h) for any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes of this subsection by an order made by the Secretary of State. 14 Section 1(3), ACT 2014; The Secretary of State may by regulations make further provision about the Retention of relevant communications data. 15 http://iocco-uk.info/docs/ripa.pdf 16 RIPA, section 22(2)
- 14. In regardto legal framework functionality, section 7 has obligated the Secretary of state to appoint the “independent reviewer of terrorism legislation”17 to review the regulations and operations of investigatory powers18. SECTION (D) RECOMMENDATIONS Data Retention is not a target for itself; it is a part of a larger legal framework to guarantee the digital wellbeing of the public and national economy as well. Considering it as a threat for individual’s privacy shall not exist; if the system is trustfully implemented. Thus, Data Protection Regulations, Directives & Laws, among other legislative & organizational frameworks, are evolving around the globe to maintain our way of living, not to lessening any of our rights. In this regard, Common Law and Civil Law traditional legal systems are determined formulating a complete system to organize the cyber zone. So far, the US & EU have addressed certain key strategic subjects, while there are certain regions, like the Middle East, in their first stages in this regard. In accordance to the subject of this research, we do recommend the following; Considering it a balanced & sufficient data retention direction, it is recommended excerpting the Data Retention Regulation Schedule 2014 in national legislations. Adopting proper & strict Content Retention Policies that guarantees personal privacy in line with the national procedural laws. Monitoring the Data Retention policies on a yearly basis. Assigning a National Data Regulatory Authority. 17 Subsection 7(8) in this section “the independent reviewer of terrorism legislation” means the person appointed under section 36(1) of the Terrorism Act 2006 (and “independent reviewer” is to be read accordingly). 18 “The independent reviewer” is a post that already exists under the terrorism ACT 2006 & section 44 of Counter- Terrorism and Security Act 2015
- 15.
- 16.