Government publishes plans for reform of communications data surveillance law

Out-Law News | 14 Jun 2012 | 3:48 pm | 5 min. read

The police, intelligence services and other public authorities are to be given new powers of communications surveillance under plans unveiled by the Government.

Home Secretary Theresa May said the requirements set out in the Communications Data Bill (123-page / 679KB PDF) were needed because existing powers were insufficient to tackle terrorism and serious crime, but privacy campaigners said the 'snooper's charter' was unjustified.

Current laws require telecoms firms to store 'communications data' that they have business reasons for generating or processing. However, under the Government's new proposals many more businesses would be required to keep in storage communications data they do not need.

Under the Bill the Home Secretary could issue an order forcing any business that transmits "communications by any means involving the use of electrical or electro-magnetic energy" to store communications data in the form of "traffic data, use data or subscriber data" relevant to communications sent over their networks, including by email or the internet generally for up to a year. The data does not include the content of those communications.

Business caught by the proposed legislation must disclose information "without undue delay" to law enforcement bodies and other listed public authorities that ask for it. Those bodies can only request the information if it is to be used for a "permitted purpose" and if "designated senior officers" at those bodies believe it is "necessary to obtain the data" and that the action is "proportionate to what is sought to be achieved."

The 'permitted purposes' include where it is in the interests of national security, where the purpose is for the prevention or detection of crime, to prevent disorder and where it is in the interests of the economic well-being of the United Kingdom or in the interests of public safety, among others.

Local councils would have to first obtain "judicial approval" before they could obtain the information.

'Subscriber data' includes information such as the names and addresses of individual users of communication services. 'Use data' relates to how those individuals have utilised those services and may include itemised phone call records or connections to internet services, the duration of calls and the amount of data they have downloaded online. 'Traffic data' is information associated to communications, such as the physical location of mobile devices and the destination of received communications that are transmitted.

Under the Bill, businesses would have to "disclose the communications data in a way that minimises the amount of data that needs to be processed for the purpose concerned." They would also have to filter the information, without "human intervention", so that only information needed by the police or other authorities is disclosed.

Any business ordered to retain the information will be required to put in place a number of "safeguards", including that the data is "subject to the same security as network data, and is protected against accidental or unlawful destruction, processing, access or disclosure."

The data would have to be "destroyed in such a way that it can never be retrieved" within a month after a year has passed that the information has been stored for. A business may, in circumstances where the information may be later used in "legal proceedings", be forced to store communications data for a period longer than a year.

Under the Bill individuals would be able to request access to the data held about them through their rights of access under the Data Protection Act and would be able to appeal to an Investigatory Powers Tribunal if they feel their communications data has been misused.

The Interception of Communications Commissioner’s current powers of scrutiny over unlawful interception of communications would also be extended to ensure oversight of the proposed new rules. The Information Commissioner's Office (ICO) would also be responsible for overseeing compliance with data protection laws.

The Intelligence and Security Committee is to conduct an inquiry into the proposals, whilst a joint committee of MPs and peers will also formally scrutinise the plans before the Bill is laid before Parliament.

Home Secretary Theresa May said that the new powers were necessary "because communications data from new technologies is less available and often harder to access." She said that "crimes enabled by email and the internet will go undetected and unpunished, that the vulnerable will not be protected and that terrorists and criminals will not be caught and prosecuted" without the new powers being introduced.

However, digital rights campaigners the Open Rights Group said it was opposed to the plans.

"The Government's notes confirm that this is exactly what we expected: black boxes to intercept people's traffic data, and poorly supervised police powers to get access to it," Jim Killock of the Open Rights Group said in a statement. "Bluntly these are as dangerous as we expected, and represent unprecedented surveillance powers in the democratic world."

Nicholas Lansman, secretary general of the Internet Service Providers' Association (ISPA) said that the body also had "concerns" with the Government's draft Bill.

"These concerns include the scope and proportionality, privacy and data protection implications and the technical feasibility," Lansman said. "Whilst we appreciate that technological developments mean that Government is looking again at its communications data capabilities, it is important that powers are clear and contain sufficient safeguards." 

"We welcome the additional scrutiny the Bill will face in parliament and we will be seeking to address our key points during this process. ISPA will be working closely with its members over the coming months to ensure that the full breadth and range of industry is heard. We want to ensure that the proposals are clear, proportionate and fit for purpose," he said.

The ICO said it would need "enhanced powers" and "additional resources" to ensure businesses' storage of communications data is compliant with the Data Protection Act.

 "Ultimately, it is for Parliament to determine whether or not the proposals contained in the draft Bill are a proportionate response to the perceived problem of communications data capability," a spokesperson for the watchdog said. "The Information Commissioner will contribute to the Joint Committee's consideration of the draft Bill and, in particular, the adequacy of the proposed safeguards and limitations."

“If the Information Commissioner is to be in a position to ensure compliance with the Data Protection Act, in respect of security of retained personal information and its destruction after 12 months, the ICO will need appropriately enhanced powers and the necessary additional resources," they added.

Law enforcement bodies currently have the power to access historic communications data held by telecoms firms under the EU's Data Retention Directive. The Directive was established in 2006 to make it a requirement for telecoms companies to retain personal data for a period determined by national governments of between six months and two years. The Commission decided to regulate following terrorist attacks in Madrid in 2004 and London in 2005.

Telecoms firms are required to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes, the Directive states. The details exclude the content of those communications.

Law enforcement bodies in the UK also already have the power to intercept individuals' communications in certain circumstances.  The Regulation of Investigatory Powers Act (RIPA) can be used by law enforcement agencies to force telecoms companies to hand over customers' details in order to tap phone, internet or email communications.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.