Privacy & Information Security Law Blog

On July 10, 2014, the UK government announced plans to introduce emergency data retention rules, publishing the Data Retention and Investigatory Powers Bill (the “Bill”) along with explanatory notes and draft regulations. The publication of the Bill follows the European Court of Justice’s April 2014 declaration that the EU Data Retention Directive (the “Directive”) is invalid. Under the Directive, EU Member States were able to require communications service provides (e.g., ISPs) to retain communications data relating to their subscribers for up to 12 months.

The Directive had been implemented in the UK by the Data Retention (EC Directive) Regulations 2009, but the legality of that legislation is likely to be challenged following the ECJ’s declaration that the Directive was void from its inception. In anticipation of such a challenge, the UK government announced that the Bill seeks to “ensure that UK law enforcement and intelligence agencies can maintain their ability to access the telecommunications data they need to investigate criminal activity and protect the public,” and to provide a clearer legal framework for organizations to cooperate with law enforcement and intelligence agencies.

Content of the Bill

The Bill authorizes the Secretary of State to provide notice to a public telecommunications operator requiring it to retain communications data where the Secretary of State considers it necessary or proportionate for one of several purposes. The purposes are listed in Section 22(2) of the Regulation of Investigatory Powers Act 2000, and include national security, the prevention or detection of crime and the protection of public safety. A notice may apply to a specific operator or describe relevant operators, require the retention of all data or a category of data, specify the periods for which the data must be retained, and “contain other requirements, or restrictions, in relation to the retention of data.”

The Bill allows the Secretary of State to issue regulations governing the retention of communications data. For example, the Secretary of State may publish of a code of practice, or alter the maximum period for which data can be maintained under a retention notice (up to 12 months). The Bill also contains a termination clause that will automatically repeal the law on December 31, 2016.

The Bill reportedly has support from the main political parties, but has been criticized by civil liberties groups who disagree with how the legislation is being expedited. Although no firm legislative timetable has been set, the Bill is expected to be fast-tracked through Parliament this week.