The introduction of the controversial draft Data Retention Regulations 2014 has already been discussed by my colleague Robin Hopkins in his excellent post last month. The Regulations now have the force of law, having come into force on 31 July 2014 – see the Regulations here. In his post, Robin made the point that, following the judgment in Digital Rights Ireland, there were two methods for curtailing the infringement of privacy rights presupposed by the existing communications data retention (CDR) regime: either cut back on the data retention requirements provided for under the legislation, so as generally to limit the potential for interference with privacy rights, or introduce more robust safeguards with a view to ensuring that any interference with privacy rights is proportionate and otherwise justified. The Government, which has evidently opted for the latter approach in the new Regulations, will now need to persuade a somewhat sceptical public that the safeguards which have been adopted in the legislation strike the right balance as between the protection of privacy rights on the one hand and the imperative to support criminal law enforcement functions on the other.
Notably, the Explanatory Memorandum issued with the Regulations itself constitutes a clear attempt to allay concerns that the safeguarding arrangements embodied in the legislation are insufficiently robust. Here are some edited highlights:
Meaning of communications data and its uses – ‘Communications data is the context not the content of a communication. It can be used to demonstrate who was communicating; when; from where; and with whom. It can include the time and duration of a communication, the number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made. It does not include the content of any communication: for example the text of an email or a conversation on a telephone. Communications data is used by the intelligence and law enforcement agencies during investigations regarding national security and, organised and serious crime. It enables investigators to identify members of a criminal network, place them in specific locations at given times and in certain cases to understand the criminality in which they are engaged. Communications data can be vital in a wide range of threat to life investigations, including the investigation of missing persons. Communications data can be used as evidence in court.’ (para. 7.1)
The need for legislation which mandates retention – Data needs to be retained by telecoms providers so that they can be accessed and used for criminal law enforcement purposes (para. 7.2). Absent mandatory retention requirements, there can be no guarantee that telecoms providers will themselves retain communications data for a sufficiently lengthy period of time. This is because, in the absence of a mandatory obligation, telecoms providers may retain data for only a few months and indeed possibly only a few days, depending on their commercial needs. However, ‘many [criminal law enforcement] investigations require data that is older than the few months that data may be retained for business purposes, particularly in ongoing investigations into offences such as child abuse and financial crime’ (para. 7.3). This is why the original domestic CDR regime embodied in the Data Retention (EC Directive) Regulations 2009 mandated retention for a period of 12 months.
New safeguards – The new Regulations ‘effectively replicate the obligations on providers contained in the 2009 Regulations, and do not provide for the retention of any additional categories of communications data’ (para. 3.3). ‘These Regulations only differ from the 2009 Regulations in that they provide additional safeguards’ (para. 7.4). Two safeguards in particular are highlighted in the Memorandum.
- the 2009 Regulations imposed a blanket 12 month retention period where a relevant notice had been served on a telecoms provider. The new Regulations enable ‘different data types to be retained for shorter periods when appropriate’ (para. 7.4).
- the 2009 Regulations did not embody any statutory duty on the Secretary of State to consult providers prior to issuing a notice, although consultation was in practice undertaken. The new Regulations make prior consultation a statutory obligation (para. 7.4).
The following points are worthy of note in respect of the new ‘safeguards’ embodied in the Regulations.
- First and perhaps most significantly, the Regulations themselves do not purport to identify the types or categories of data which should be retained for less than 12 months. They simply posit that 12 months is the maximum retention period (r. 4(2)). This leaves a significant question as to what types of data, if any, will ultimately attract a shorter retention period. The risk which is inevitably inherent in this type of open-ended legislative arrangement is that blanket, indiscriminate 12 month retention continues to be the norm.
- Regulation 5(1) requires the Secretary of State to take into account a variety of matters before issuing a retention notice, including not least the likely number of users who will be affected by the notice. However, such matters would presumably have been treated as relevant considerations as and when the Secretary of State was issuing a notice under the 2009 Regulations. Hence, it is not clear that this particular safeguard will add much of substance to the overall process.
- Similarly, the requirement in r. 6 that the Secretary of State must keep any retention notice under review presumably merely codifies an obligation which was already implicitly present in the 2009 regime.
- Regulation 10 makes provision for a statutory code of practice on data retention to be issued by the Secretary of State. It is unclear whether this code may yet shed further light on how the Secretary of State intends to exercise her powers under this highly controversial legislation.
- More generally, there must be serious doubts that the safeguards embodied in the new Regulations are sufficient to meet the deep concerns expressed by the CJEU in the Digital Rights case. Of course it might be said that the real danger to personal privacy arises not in the context of the data retention regime per se but rather in the context of those legislative powers which permit the State to access any communications data which have been retained, most notably the powers provided for in RIPA. However, whatever position you may adopt on that particular line of argument, suffice it to say that the question of whether the State should be entitled, in effect, to create a vast reservoir of potentially accessible communications data still hangs in the balance, the new safeguards in the Data Retention Regulations notwithstanding.