Telecoms companies' data retention obligations to be extended to 'internet data'

Out-Law News | 27 Nov 2014 | 12:40 pm | 2 min. read

Telecoms companies operating in the UK could be required to retain 'relevant internet data' as well as communications data under draft new anti-terrorism legislation introduced before parliament.

The Counter-Terrorism and Security Bill would, if introduced, extend the obligations on public telecommunications operators (telcos) under existing data retention laws to new classes of information.

Under the Data Retention and Investigatory Powers (DRIP) Act, telcos can be required to store 'communications data' if the secretary of state considers the data retention is "necessary and proportionate" to help law enforcement agencies detect and prevent terrorism and other serious crimes or for serving other limited purposes specified under the existing Regulation of Investigatory Powers Act (RIPA).

'Communications data' is data about phone and internet communications, such as the source of a communication, its destination, date, time, duration and type. It does not include the content of communications.

Under the new Counter-Terrorism and Security Bill, the government wants to allow a secretary of state, ordinarily the home secretary, to order telcos to retain 'relevant internet data' as well as communications data.

According to the Bill, 'relevant internet data' is defined as "communications data which relates to an internet access service or an internet communications service" and which "may be used to identify, or assist in identifying, which internet protocol address, or other identifier, belongs to the sender or recipient of a communication (whether or not a person)".

'Relevant internet data' is not considered to be data that "may be used to identify an internet communications service to which a communication is transmitted through an internet access service for the purpose of obtaining access to, or running, a computer file or computer program" and which telcos either generate or process when "supplying the internet access service to the sender of the communication (whether or not a person)".

The new provisions, if introduced, would be repealed at the end of 2016. The government said it wants to pass the legislation through parliament via a fast-track procedure.

The new data retention obligations would "allow relevant authorities to link a public internet protocol (IP) address to the person or device using it at any given time", the government said in explanatory notes published alongside the Bill. Whilst telcos are required to "keep allocated IP addresses" under the DRIP Act already, the provisions are "not sufficient to identify who made a connection where an IP address is shared".

"Communications data has played a significant role in every security service counter-terrorism operation over the last decade," the government said. "Enabling the retention of relevant internet data will close one element of the gap in the retention of communications data by communications service providers, thereby helping law enforcement agencies to carry out their functions."

The Bill also contains proposals which would prohibit insurers from making a payment under an insurance policy which "has been, or is to be, handed over in response to a demand made wholly or partly for the purposes of terrorism" and where they, or others acting on their behalf, know or have "reasonable cause to suspect that the money or other property has been, or is to be, handed over in response to such a demand".

Senior executives could be held personally liable for the offence of making a payment in response to terrorist demands if the offence "is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of" a company director, manager or secretary, or any other person "who was purporting to act in any such capacity".