EU/UK: Data retention and police access in the UK - a warning for Europe

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

Introduction

At a time when the UK government is lobbying hard for mandatory data retention across the EU it is pertinent to consider how things already work in practise in that country. This article examines the way mobile telecommunications "traffic data" is stored in the UK, and the way in which the police are able to access that data.

The provisions of the Data Protection Act 1998 (DPA) and the Telecommunications (Data Protection and Privacy) Regulations 1999 (Statutory Instrument 2093) were meant to ensure that communications records would not be retained by service providers beyond the "business need" to do so. For call records, this business need is specifically constrained by matters such as billing.

Companies differ considerably in their arrangements, but in general the telecoms industry keep records for one year while internet services providers have much much shorter periods. Mandatory data retention would oblige all service providers to keep this data for at least a year, potentially much longer.

The Regulation of Investigatory Powers Act 2000

The Regulation of Investigatory Powers Act (RIPA) did not introduce data retention. But it does mean that the police are able to serve "section 22" (S22) notices on service providers, giving them access to the data that they do retain. This means, the longer the data retention period, the greater the extent of access under RIPA.

S22 notices are not authorised by the courts but by police officers holding the rank of inspector or superintendent (depending on the type of data). RIPA also introduced an "authorisation" process allowing the police to access data directly where this is technically possible - i.e. without the need for an S22 notice. Again, senior officers and not the courts decide on the "authorisation".

The only time a warrant is necessary is if the police want to access communications in "real time" or want to access to the "content data". However, even in these cases it is the Home Office and not the courts that authorises the warrant.

The system in the UK differs widely to jurisdictions with constitutional privacy protections and governments keen to uphold those traditions. Here, the police must obtain judicial approval to access communications data in the same way as they must obtain a "search warrant" from the courts to enter someone's private dwelling.

Even under the notorious United States PATRIOT Act there is judicial oversight, albeit in the form of a special tribunal. Instead of "data retention", law enforcement in the US can only seek "preservation orders" for the communications of suspected individuals, obliging service providers to retain data on individuals that would normally be automatically deleted. This is clearly more proportionate in a democratic society than retaining everybody's communications records for long periods in case the police want to look at them.

The Anti-terrorism, Crime and Security Act 2001: data retention by the back door

Adopted in the aftermath of the 11 September bombings in the United States, ATCSA introduced a voluntary data retention scheme in the UK, allowing the Home Secretary to enter into formal agreements with individual service providers. The Bill was originally worded so that data retention could be used for the purposes of the prevention and investigation of crime in general, but was amended by a large majority in the House of Lords to change the purpose of retention to:

"(a) for the purpose of safeguarding national security; or

(b) for the purposes of prevention or detection of crime or the prosecution of offenders which may relate directly or indirectly to
national security (s.103(3), part 11)"


This suggests that data should only be accessed for limited purposes. However, because access to the data is governed by RIPA (as explained above) this restriction appears worthless in practise.

In "accepting" the amendment, the government constructe

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error