On 15 July 2014, Parliament passed the Data Retention and Investigatory Powers Bill (DRIP) using a fast-track procedure. The bill is highly unusual in that it is an emergency legislation that is being introduced without the normal scrutiny which accompanies most pieces of legislation. DRIP is likely to have an impact for some business that provide or use cloud services.
DRIP concerns “communications data” - data that providers of telephone and internet services have about their customers that shows the context of a call or Internet usage. Communications data can show who was communicating and with whom, the time and duration of a communication, the phones number or email addresses, and the location of the device, but not the content of the communication.
Mandatory requirements for the retention of communications data have previously been covered in the UK by the Data Retention (EC Directive) Regulations 2009 (2009 Regulations), which require certain providers to retain communications data for 12 months to help prevent, detect and prosecute crime. The 2009 Regulations implemented the Data Retention Directive 2006/24/EC (Data Retention Directive) which requires retention of communications data for between six and 24 months.
On 8 April 2014 the European Court of Justice (ECJ) handed down a decision in the joined cases Digital Rights Ireland Ltd (C-293/12) and Seitlinger (C‑594/12), where the court was asked to examine the validity of the Data Retention Directive.
The ECJ noted that the retained data made it possible to know with whom the user has communicated and by what means. It included the time, place and frequency of communications, which taken together provide precise information about a person’s private life, such as habits, place of residence, and relationships. The retention of this data seriously interfered with the fundamental rights to privacy and to the protection of personal data enshrined in other parts of EU legislation.
The court also indicated that the retention did satisfy an objective of general interest, namely the fight against serious crime and public security but the Data Retention Directive was, nevertheless, not proportionate, as the interference is not sufficiently constrained to be limited to what is strictly necessary; for that reason, the court declared the Directive Retention Directive invalid.
Impact for the cloud Following the ECJ’s decision, many cloud providers expressed confusion about the law, including whether they were obligated to delete data they had thus far been obligated to maintain. Cloud providers that operate in the UK but are based elsewhere, also expressed confusion about what rules apply to them.
In the wake of the ECJ decision and the reaction it prompted, the Government saw an urgent need to legislate in order to clarify the legislative framework for data retention. It justified the fast-track legislation as necessary to protect the public on grounds that retained communication data is vital to law enforcement.
DRIP has two distinct parts:
- Part one - the retention of relevant communications data
- Part two – the clarification of investigatory powers and the reach of the Regulation of Investigatory Powers Act 2000 (RIPA).
DRIP also includes a sunset clause whereby it will be repealed on 31 December 2016 such that it is up to the next Government to consider the questions again.
To strengthen transparency and oversight a ‘Privacy and Civil Liberties Oversight Board’ will be established to advise the government in the formulation of government policy. An annual transparency report that will list the number and type of requests made to service providers under the legislation will also be published.
- i. Part One - Retention of relevant communications data
Under DRIP, certain cloud service providers may be given notice by the Secretary of State to require them to retain such data. The data types to which this applies include internet access, Internet e-mail or internet telephony. These are the same as under the 2009 Regulations. The notice must be necessary and proportionate and for a purpose specified in RIPA, including national security; preventing or detecting crime or preventing disorder or by an order by the Secretary of State. A retention notice can specify the period for which data is to be retained, and may require the retention of all data or only specific data.
DRIP also specifies that regulations relating to the retention of data, to replace the 2009 Regulations, may be introduced. These may include:
- security measures to protect the data retained
- a code of best practices
- reimbursement of expenses incurred in complying with the requirements
The maximum retention period under the new regulations will be 12 months.
DRIP v Data Retention Directive Although much of DRIP does appear to reinstate the 2009 Regulations there are some differences. DRIP amends the RIPA definition of “telecommunications service.” The previous definition was:
“any service that consists in the provision of access to, and of facilities for making use of, a telecommunications system,”
whereas the new one includes:
“any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.”
The Government has indicated that clarifying the definition ensures that internet-based services, such as webmail, are included.
Other differences include:
- a need to consider necessity and proportionality before issuing a retention notice;
- the maximum retention period is 12 months (but the period may be shorter if it is not necessary or proportionate to keep it longer)
- data retention is limited to the list of data types
- access to retained data require requests under RIPA or a court order
- data security requirements
The Government maintains that the measures are in pursuit of a legitimate aim and proportionate to that aim. Nevertheless, the data retention appears to still generally cover most individuals, means of electronic communication and data without differentiation. It remains to be seen whether the safeguards are sufficient.
- ii. Part Two - Investigatory Powers
DRIP also addresses the authorities’ ability to carry out so-called legal intercept, such as monitoring and listening to phone calls and other communications, which are currently governed by RIPA.
The new bill states that RIPA applies to non-UK companies that provide communications services to the UK public. DRIP specifies that a capability maintenance notice may be issued for a service provider based outside the UK or for conduct outside the UK. Similarly, a warrant or communication data acquisition notice may relate to conduct outside the UK, and may be given to a person outside the UK. DRIP also offers details on how to serve a warrant on a person based outside the UK to make them subject to the relevant obligation.
Although the Government refer to the provision related to extra-territorial application of RIPA as a clarification it seems clear that it broadens the scope of the legislation.
Impact for the cloud
The scope of providers captured by retention obligations by DRIP has expanded and more cloud providers are likely to find themselves within the remit of the DRIP obligations. In addition, there are additional levels of complexity to the operation and management of retention obligations as imposed by DRIP. Those providing or using cloud services which fall within the ambit of DRIP will need to be aware that they may be required to retain data, or the rules under which their data may be retained and disclosed.
