The Data Retention and Acquisition Regulations 2018 (the regulations) entered into force on 31 October 2018. The regulations concern the retention of communications data by telecommunications and postal operators and the acquisition of communications data by public authorities.
“Communications data” means data concerning a communication transmission, but not the content of the communication. For example, it includes the method of communication, and the sender and receiver of the communication, but excludes what was said or written.
Tele2 and Watson
The regulations were introduced following the Court of Justice of the European Union’s (CJEU) ruling on the Tele2 and Watson case in 2016, which found that the scope of the UK’s data retention regime was too wide to be compatible with European Union (EU) law.
The CJEU found that the retention and acquisition of communications data can only be justified where: (1) the objective is fighting serious crime, (2) only data that is “strictly necessary” is retained, and (3) the retained data is kept within the EU. There should also be independent administrative or judicial authorisation for the retention and acquisition of communications data. The CJEU therefore required the UK to limit the scope of its data retention regime.
Amendments to RIPA and the IPA
In response, the UK government introduced the regulations, amending the Regulation of Investigatory Powers Act 2000 and Parts 3 and 4 of the Investigatory Powers Act 2016 (the Acts), which provided for the interference of privacy in the interests of national security.
The amendments to the Acts include:
- A new power for the Investigatory Powers Commissioner to authorise communications data requests made by a public authority. This power will be delegated to a new body, the Office for Communications Data Authorisations.
- Allowing for internal authorisation of requests in cases with urgency or in cases of national security where the request is made by intelligence agencies.
- A new threshold of “serious crime”, which includes offences where an adult may be sentenced to imprisonment for at least 12 months and any offence committed by a body corporate.
- The removal of three of the previous statutory purposes for retaining and acquiring communications data: public health; collecting any tax or other charge payable to a government department; and exercising functions relating to the regulation of financial services and markets or financial stability.
- Enhancing the transparency of the retention regime by adding additional considerations that must be taken into account by the Secretary of State before a retention notice is issued to a telecommunications or postal operator. These considerations include: which of the operator’s services the notice specifically relates to, whether it would be appropriate to restrict the retention notice by geography or by groups of customers, and the statutory purpose to be achieved.
Relevance of the regulations to the private sector
The regulations will directly affect telecommunications and postal operators as the potential subjects of retention notices issued by the Secretary of State. A retention notice may relate to a particular operator or any description of operators and require the retention of all data or any description of data for up to 12 months. It may also relate to data that is not yet in existence. Public authorities will require separate authorisation to subsequently access this data.
The regulations also come at an interesting time. The CJEU has a history of being dissatisfied with the scope of the UK’s data retention regime in relation to surveillance and national security, as seen in the Tele2 and Watson ruling. While the regulations address some of the CJEU’s concerns, they seemingly create wider powers by allowing for internal authorization.