The Coming UK Surveillance Debate: Communications Data Retention, Part 1

One of a series of posts on the forthcoming Investigatory Powers Bill

Previous: Extraterritoriality, Transparency and Data sharing

Next: Communications Data Retention, Part 2

Mandatory communications data retention is already a battleground. The Conservatives did not get their way over the Communications Data Bill in 2012.  The coalition government pushed DRIPA through Parliament in 2014 with indecent haste. In July 2015 the current administration lost the first round of the judicial review challenge to DRIPA. The government has said it will appeal. 

The court judicial review judgment did not hold that the CJEU DRI decision had outlawed a general data retention obligation as such.  The government has been given until March 2016 to implement new legislation remedying the defects identified by the court.

We can expect more blood on the floor in this area. Some likely issues include: 

The boundary between content and communications data is likely to be revisited. As well as its more general implications a change in the dividing line would have a particular impact on the proposed Communications Data Bill third party data collection scheme (discussed below).  The Joint Committee described how the data would be collected:

"It would be necessary to place data probes within a CSP’s network and those probes would be programmed to generate information from network links within the CSP. Deep Packet Inspection (DPI) would be used to isolate key pieces of information from data packets in a CSP’s network traffic." [91] 

Under RIPA that type of activity would be an interception, unless restricted to the acquisition of traffic data “comprised in or attached to a communication … for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted.”

The draft CDB specifically did not authorise any conduct that would amount to an interception. Difficult questions would have arisen about how far DPI for this purpose could go before it became an unlawful interception. If the definition of traffic data were to be widened as the result of a review of the boundary between content and communications data, then the potential scope of third party data collection would be automatically broadened.

Recommendations by the three Reviews on the boundary between content and communications data:

ISC	In relation to communications, given the controversy and confusion around access to Communications Data, we believe that the legislation should clearly define the following terms: ‘Communications Data’ should be restricted to basic information about a communication, rather than data which would reveal a person’s habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information. ‘Communications Data Plus’ would include a more detailed class of information which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards. ‘Content-Derived Information’ would include all information which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation. (Recommendation AAA)
Anderson	The definitions of content and of communications data, and any subdivisions, should be reviewed, with input from all interested parties including service providers, technical experts and NGOs, so as to ensure that they properly reflect both current and anticipated technological developments and the privacy interests attaching to different categories of material and data. Content and communications data should continue to be distinguished from one other, and their scope should be clearly delineated in law. (Recommendation 12)
RUSI	Following evidence received by the ISR Panel and further discussion with civil-liberties groups and communications service providers (CSPs), we recommend that definitions of content data and of communications data should be reviewed as part of the drafting of new legislation. They should be clearly delineated in law. (Recommendation 3)

Compelled data generation.  The current data retention law (DRIPA) can require data to be retained only if it is already generated or processed in the UK by the service provider in the course of providing its service.

The voluntary communications data retention provisions of Section 102 ATCSA 2001 are narrower.  They only apply to retention of communications data obtained by or held by telecommunications service providers. The Code of Practice makes clear this simply extends the retention period where data is already held for the CSP’s own business purposes.  This is a higher threshold than mere generation or processing. However unlike this aspect of DRIPA, ATCSA is not limited to the UK.

The Communications Data Bill would for the first time have enabled a provider to be compelled to generate data.  This could for instance have been used to require a provider to collect identifying details of a user.  Many would regard this as crossing a red line between facilitating the authorities’ access to whatever data may already be out there and requiring a provider to design its business to suit the authorities.

For whatever reason – possibly the terms of the voluntary ATCSA Code – it is sometimes assumed that under current law mandatory data retention can only apply to data already retained for some period for the CSP’s own business purposes.  However as the Home Office correctly stated in its response to the consultation on the Data Retention Code of Practice under DRIPA:

 “DRIPA and the preceding legislation provided for the retention of data that was generated or processed by a CSP as part of providing a service. There has never been a requirement for a CSP to retain data for business purposes before it can be retained further.”

Even so, currently a CSP cannot be required to create data that it does not already generate or process in the UK. That condition applies to the new category of 'relevant internet data' added by CTSA 2015 as well as to the original categories covered by DRIPA.

None of the reviews makes any specific recommendations in relation to compelled data generation. Anderson has recommended repeal of the ATCSA voluntary retention provision. (Recommendation 13).