Data Retention Directive Transcript
In a world familiar with threats of crime and terrorism, the idea of retaining e-mail and call data for security purposes is not new. However, the implementation of the Data Retention Directive later this year is changing the landscape and moving data retention to a new level. What will this mean for the future of data retention and for the service providers and the public? TMT lawyer Helen Anderson discusses.
Ed – Hello, I'm Ed Hayes. I'm here with Helen Anderson today. Helen's a solicitor in Denton Wilde Sapte's Technology, Media and Telecoms department. Helen is going to talk about the Data Retention Directive. Helen, the UK is planning to pass new Regulations on data retention. What's the point of these Regulations?
Helen – Well, the Regulations are the UK implementing the Data Retention Directive. The Directive covers the retention of communications data by telecommunications providers, such as mobile and fixed line operators and also by internet service providers carrying internet data, email and voice over IP. Communications traffic data is really data on the location, time, number, IP address of communications, but not the actual content of the communication itself.
Ed – So that's a fairly wide remit then. How's the government going about implementing these new Regulations?
Helen – Well the government is going through a consultation process at the moment. It published a consultation paper in March and the consultation ends in June. The deadline for implementation is the 15th September this year and the government is seeking to implement the Regulations on the 15th September. I should say that these current Regulations only cover data retention in relation to the telecommunications data, that is the data by the fixed and mobile operators. It doesn't cover the other internet and voice over IP and email data. The government asked for an extension of time for implementing the Directive in relation to that data and it's been granted an extension until March 2009.
Ed – Why has the UK been given this extension then?
Helen – Well, I believe it's because the government felt that due to the complexity of the nature of the internet data, they required a bit more time to consider the right approach for implementing the Directive in relation to this data, so they asked for an 18 month extension.
Ed – So what's new with these Regulations and how do they change the current UK position on data retention?
Helen – Well the main change is to implement a new mandatory regime. At the moment it's a voluntary code under the Anti-Terrorism Crime and Securities Act so service providers have a voluntary requirement to retain the data but don't actually have to do so. The new Regulations will make it compulsory for them to retain the data. The likely implication of this is that more data will be retained simply because obviously, under the voluntary regime, not all service providers had to comply and also they only had to retain data up to 12 months. Now the Regulations make all service providers required to retain this data and it has to be for 12 months, so obviously there is likely to be a slight increase in the amount of data. This is likely that it will not see a great change in practice for most people and the public is unlikely to notice any real difference.
Ed – You've picked up the move from a voluntary to a mandatory data retention basis. I know in the media there have been a lot of expressions of concern about having mandatory retention. Is that sort of approach the right one for the UK?
Helen – Well the reality is that the UK is implementing the Data Retention Directive and doesn't really have any discretion about the type of regime that it has to implement. The Directive is a mandatory scheme and that's what the UK has to go with. So the debate's not really open now to discuss whether a mandatory scheme is the right one for the UK. One point about having a mandatory scheme is that it has been argued that it is quite inflexible in that it's a blanket requirement for all service providers to retain all data for a set period of time. Interestingly, the UK looks like it wants to try and have a slightly more flexible approach. This is shown by having data only retained once as a principle of the Regulations. By this it means that if data is held by more than one service provider, only one of those service providers, the primary one, needs to retain that data.
Ed – Can we go back to that point on retention only by one party? Is it the case that there will be discretion between the parties to decide which one should hold the data or is there going to be some sort of mandate within the Regulations which says party A or party B has to hold the data?
Helen – Well this one needs some clarification. I think it's fair to say that from the consultation it is not exactly clear at this moment how it's going to work. I think you can say from the Regulations that, given the nature of the communications data and the obligation to retain it, the data principally relates to the making of the call, the caller, the number called and the time of the call and it is likely that the service provider of the caller is the one that will be the primary holder of that data and therefore the service provider of the recipient is probably the duplicating service provider and will not need to generally hold that information, but it needs to be clarified and I suspect it will do when it goes through consultation before the Regulations are implemented.
Ed – So if you're originating data and you've got an obligation to retain it, surely that's going to create huge cost obligations and implications. You are going to need servers, you're going to need the facilities and the staff in place in order just to deal with retention. Is that a concern for service providers?
Helen – This has always been probably the greatest concern for service providers. It was the case under the voluntary code and it is certainly likely to be more so under the mandatory code and there has been a lot of discussion on this. The Directive itself left it open to Member States how they dealt with costs. The consultation and Regulations appear to suggest that the UK government is intending to generally pay for the cost of retention with certain limitations and restrictions such as requiring prior notification. I think it's fair to say that this is going to again need a bit more clarification of how it works in practice, whether the government will always pay out for the cost of retention and what the restrictions and limitations might be.
Ed – So we've just touched on there how the government is talking about dealing with the cost implications. Aside from the cost aspect, I know another part of the recent debate has been around something of a mismatch in the existing legislation under the Anti-Terrorism, Crime and Securities Act. I understand that Act allows data to be retained only for security purposes, but when we come on to access under the Regulation of Investigatory Powers Act, access is allowed for wider purposes than just crime and security reasons. Do the Regulations go in any way to address that mismatch?
Helen – The Regulations don't. This has been something of a criticism of the Regulations but in fact the Regulations can't address this. They are only secondary legislation implementing the Directive. It would require primary legislation, a new act of Parliament to address this inconsistency between the two Acts. We understand that the government is considering having a new crime and securities Act in the near future and it is likely that the government will revisit this issue in that new legislation.
Ed – I suppose overall then, this is clearly going to be a pan European issue, that the Directive envisages Member States working together to deal with anti-terrorism and crime prevention measures. How far are we seeing the Regulations implemented in other EU states in a similar way to the UK?
Helen – Well the Directive sets out the basic principles but leaves discretion to Member States on how they implement the Directive. For example, the data retention periods under the Directive are between 6 and 24 months. The UK has gone for 12 months. Experience from past implementation such as under the Data Protection Directive have shown quite a divergence between how different states have implemented a Directive and that's likely to be the case here. The UK tends to go for quite a liberal approach and I think that is shown with its principle of having only the primary data holder having to retain the data. It's likely that other states will implement the Directive perhaps more literally and in a more restrictive way, so I think it's fair to say that there is unlikely to be a uniform approach across Europe on the implementation of this Directive.
Ed – It sounds like then a lot of the debates have still got to be played out. Thanks Helen.
Helen – Thank you.