The fight against crime and terrorism has led to newly expanded monitoring requirements on communications companies

The importance of data held by communications companies cannot be underestimated. It is thought that data of this nature forms an integral piece of prosecution evidence in 95% of serious crime cases in the UK. For example, communications data placed Ian Huntley at the scene of the crime in the Soham murders.

It is therefore of little surprise that following the Madrid bombings in 2004, EU member states sought to widen the monitoring powers of communications companies with a view to retaining valuable data which could be used to prevent criminal acts or catch those carrying out these acts.

Accordingly, the EU Data Retention Directive 2006/24/EC was brought into force requiring member states to adopt laws requiring telecom service providers and internet service providers (“ISPs”) to retain certain data.

Like many other member states, the UK decided to implement the directive in two parts. The Data Retention (EC Directive) Regulations 2007 dealt with data in respect of fixed and mobile telephony. The Data Retention (EC Directive) Regulations 2009 (SI 2009/859), which came into force on 6 April 2009, replace and expand the 2007 Regulations, dealing with fixed and mobile telephony and also data retained by ISPs in respect of internet use.

While a degree of monitoring is understandable in the aftermath of terrorist attacks such as those in Madrid, London and Glasgow, is the extent of monitoring pushing the UK into the realms of becoming a surveillance state? Also, what are the implications for those undertaking this level of monitoring?

Extent of monitoring

Under the 2009 Regulations, if requested by the Secretary of State, telecom service providers and ISPs (referred to in the 2009 Regulations as “public communications providers”) must retain certain data for 12 months from the date the data is created.

The specific data to be retained is stated in the schedule to the 2009 Regulations and includes: calling telephone number and dialled telephone number (including the telephone number to which the call is forwarded or transferred); name and address of the subscriber or registered user of such telephone numbers; date and time of the start and end of the call; and the telephone service used. It also includes data to indentify a user’s mobile communication equipment and the location of that equipment.

In respect of data arising from use of the internet, the information to be retained includes data that traces and identifies the source of a communication; destination of a communication; date, time and duration of a communication; type of communication; and a user’s communication equipment. Notably, content of the communication should not be retained.

The purpose of retaining this data is so that it can be easily transmitted to the appropriate authorities without undue delay. Such transfers will only take place in limited circumstances and require to be done in accordance with the existing legislative framework in place dealing with such transfers, such as the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000.

Money, money, money

Aside from the additional administrative burden the 2009 Regulations place on public communications providers, there is a serious cost implication to consider, which in the current economic climate, is about as welcome as a slap in the face.

Public communications providers must ensure that they put the necessary technological provisions in place to retain this data in such a manner that they can transmit the data as quickly as possible should they be required to do so. This, together with the costs of retaining all the records for 12 months, has been estimated by the Home Office to require in the region of £30 million in capital and £16 million in operating costs over an eight year period. Although these are cumulative figures, the cost for the individual public communications provider is still likely to be significant.

The Secretary of State may decide to reimburse a public communications provider any expenses in complying with the 2009 Regulations, but this is likely to be conditional on such expenses having been notified to and agreed by the Secretary of State in advance. There is no guarantee that public communications providers will be reimbursed for costs.

And the right to privacy?

Article 8 in sched 1 to the Human Rights Act 1998 secures to each individual in the UK the right to respect for a private life, which includes correspondence. Many would argue that the level of monitoring noted above infringes this human right. Indeed, the Open Rights Group, an organisation campaigning to protect civil liberties against digital rights abuse, together with 40 other human rights and privacy organisations, challenged, albeit unsuccessfully, the implementation of the directive on the basis that it was incompatible with human rights legislation.

The question of compatibility is a matter of interpretation of article 8. Article 8(2) provides the UK with a get-out clause: the UK is permitted to interfere with this human right if it is in the interest of national security or public safety or for the prevention of crime and disorder. Given that the content of the communications will not be recorded, and the benefit likely to arise from this monitoring, it is perhaps easier to justify the implementation of the directive.

Future possibilities

Currently, the 2009 Regulations are limited to tracking data (as opposed to content) and do not include recording data regarding the actual websites visited by users, nor do they cover communications via social networking sites such as Facebook. However the Government’s Intercept Modernisation Programme discusses the extension of monitoring powers to cover these issues, in addition to others. While the level of monitoring imposed by the 2009 Regulations may be justified, it is likely that individuals within the UK will be under additional scrutiny in the future.

The Author
Loretta Maxfield is a solicitor in the Intellectual Property and Information Technology Team, Thorntons Law LLP.  
Share this article
Add To Favorites