
Comms data proposals – not as bad as we feared, but read the small print…
What’s new?
After almost a year of press speculation about the possible introduction of a centralised database to capture all phone and Internet traffic data for investigatory purposes, headline writers appeared to let out a collective sigh of relief this week: “Smith drops plans for state web database” (Financial Times 28/4) and “Home Secretary rules out state-run super database” (The Guardian 28/4). Human rights champion Liberty was so delighted that it issued a press release of its own, hailing a “Home Office U-turn on the super Big Brother database”. The source of these glad tidings? The Home Office consultation document “Protecting the public in a changing communications environment”, published on Monday, which sets out proposals to future-proof the UK’s newly implemented communications data regime.
But hang on – didn’t the data retention regime change only 3 weeks ago?
Yes – on 6 April, with the coming into force of the Data Retention (EC Directive) Regulations 2009, the UK completed its transposition of the EU Data Retention Directive, making the transition from a voluntary to a mandatory regime for the retention of certain specified types of data related to fixed and mobile calls, emails and Internet usage (but not the content of those communications).
The Government’s rationale is that the scope of the data retention regime established by the Directive is already limited in its effectiveness and will continue to be eroded by new advances in technology, with the result that less and less communications data is actually available to investigators. In particular the following loopholes are cited:
New legislation will therefore be required.
Comms data aficionados will remember that a Communications Data Bill was outlined in the Government’s draft legislative programme in May 2008. That bill (which never materialised) seemed to be intended as a marriage of convenience, combining measures to transpose the Directive, along with the more far-reaching reforms needed to “future proof” the communications data regime. It is those more fundamental changes which are now, after much delay, outlined in the new consultation paper.
What is the Government proposing now?
Not much of the 34-page document is new: it recites the rationale for the retention of communications data and provides in support a range of illustrations from serious criminal and terrorist investigations; it also sets out the various safeguards which already exist to restrict the disclosure and use of such information, which is strictly governed by the Regulation of Investigatory Powers Act 2000 (and which, under separate proposals published earlier this month, the Government is planning to restrict even further).
The new proposals are deliberately sketchy at this stage; because of the privacy implications, the Government has been at pains to ensure the extended regime is subject to robust consultation and impact assessment.
So, what is new? The Government has rejected the rumoured option of a centralised, government-maintained database of all communications data, which has fuelled a great many headlines over the past year. (To be fair, the Government has for some time made it clear that there would be no retention of the content of communications.) Instead it proposes to build on the current decentralised system whereby service providers retain comms data for a 12-month period and disclose only specific data on a case-by-case basis to the authorities on request, subject to the existing safeguards.
Even so, the proposed new regime would go far beyond the existing Directive. Service providers would need to retain all data that the authorities might need – this would include data relating to third party services crossing their network as well as data relating to their own services, and data which would not otherwise be retained for the service provider’s operational needs.
To address the problem of fragmentation of data relating to a single communication, it is proposed that service providers should not only collect and store the data but also organise it and match it with any third party data relating to the same communication. In addition, the current 12-month retention period would be extendable in certain circumstances (an option which the Government climbed down from in its recent transposition of the Directive).
Read the small print!
Indeed, Shami Chakrabarti, the director of Liberty, quoted in Alan Travis’s Guardian article of 28/4, sounds a note of caution: “If this statement from the home secretary marks a genuine change of direction on privacy policy, we will welcome it. However, it might be wise to read the small print first.”
The proposals and questions in the consultation document are very high-level ones (see pages 26 to 29 of the consultation for the actual content of the proposals), and the devil of any ensuing legislation will be in the (considerable) detail. The Government is keen to mitigate the practical and cost impact on the industry. Its initial cost estimate is of up to £2 billion (about 2.2 billion Euros) over ten years. Press reports so far suggest that certain ISPs have given the proposals a cautious welcome, provided that (like the current regime) they are “cost neutral” to the industry.
Hmmm … maybe the rumours of a centralised database were a clever ploy by the Government all along, to make these eventual proposals seem positively liberal by comparison?
The consultation period runs until 20 July and the Government is actively seeking industry’s views. Datonomy would love to hear readers’ views on the new proposals too!