The draft Communications Data Bill was published this week. The Bill provides an updated framework for ensuring the availability of communications data and its obtaining by public authorities. It replaces Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) and Part 11 of the Anti-Terrorism Crime and Security Act 2001 (ACTSA) and sits alongside the Data Retention (EC Directive) Regulations 2009.
If passed in its current form, the Bill will enact proposals, announced in the Queen’s Speech in May, which will require Internet firms to give Police, the Serious and Organised Crime Agency, the Intelligence Agencies and HM Revenue and Customs access to a wider range of communications data on demand, in real time. However it will not allow them to access the content of such communications without a warrant. The Home Office says that the Bill is “needed” to ensure that communications data continues to be available to the police and others in the future as it has in the past. Without action they say that there is a growing risk that crimes enabled by email and the internet will go undetected and unpunished. However various civil liberties groups, as well as Internet Service Providers have voiced concerns about the Bill from a privacy and technical perspective.
The Current Law
Part 1 Chapter 2 of RIPA (sections 21-25) sets out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. The legislation as it stands restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.
The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself. Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.
Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder.
At present access to communications data is done on a system of self authorisation. There are forms to fill (signed by a senior officer) out and tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.
More information
At present, the Internet service providers are obliged to keep details of users’ web access, email and internet phone calls for 12 months, under the EU Data Retention Directive 2009. While they keep a limited amount of other data already on their own subscribers for billing and other commercial purposes, the new law will require them to store a much bigger volume of third party data such as that from Google Mail, Twitter, Skype and Facebook that crosses their servers every day.
Access in real time
It is unclear as to how the new proposals will be different from the current system. There is talk of the police and intelligence services being able to access data in real time. The current system normally gives access to historic data. It does allow real time access to certain organisations (including the police and security services) but only in an emergency to save life or limb or in exceptionally urgent operations. The authorisation forms still have to be completed and signed and served later on though. Maybe they are suggesting that the security services get carte blanche direct access into communications service providers’ systems. This would be unprecedented and certainly “Orwellian”, to say the least. The potential for abuse would be massive.
This is not the first time that this idea has been floated. In October 2010, the Government announced its intention to introduce the Interception Modernisation Programme, at a cost of £2billion. This latest announcement seems to be the same project but renamed “the Communications Capabilities Development Programme (CCDP)”. Details of the scheme will be published within weeks and will build on Labour’s abandoned proposal (which was heavily criticised by the Coalition partners at the time) to require communications service providers (CSPs) to collect and store the traffic details of all internet and mobile phone use, initially in a central database
Modernising the law
The Home Office Minister says they are updating the law “in terms of social media and new devices” – it is widely expected to include things like Facebook and phone calls via web-based systems such as Skype. If this means the agencies knowing when an individual visits these sites this is already allowed under the current regime known as traffic data (web browsing information). If the new system goes further and allows agencies to look at actual webpages visited within a domain (e.g Facebook) and calls made (e.g from Skype) this would be a big extension of existing powers and much more intrusive. It gives the possibility of building up a picture of someone’s lifestyle, their movements, contacts, interests etc.; potentially vast a amount of information which, if it gets into the wrong hands, can be quite damaging to individuals.
Safeguards
At present, the checks and balances are very weak (self authorisation followed by a notice to the CSP). The proposals, which talk of access in “real time” and “on demand”, require much stronger checks and balances.
If it is really necessary for GCHQ to have access to such a vast amount of information, it should be subject to judicial approval. This could be a similar system to the one which councils will be subject to as a result of the changes to the RIPA regime to be made by Protection of Freedoms Act 2012. In the future any local authority request for communications data (however minor) will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the Bill.) After all, the powers that the police and intelligence agencies have under RIPA to undertake surveillance and acquire communications data are much wider than those of local authorities.
There are also legitimate concerns about what would happen if the information held and accessed on individuals gets into the wrong hands. Can we really trust the law enforcement agencies not to mishandle such data? Only recently allegations have surfaced that that the police have been misusing their powers under RIPA to assist the tabloids to locate the whereabouts of celebrities and other persons of interest.
The effect on local authorities
The Bill will have a minimal effect on local authorities when accessing communications data. The process and procedure will remain the same (subject Magistrates approval as set out in the Protection of Freedoms Act (discussed above)). There is no provision to widen the scope of the information available to councils. The Home Office will have to issue a new code of practice and standard forms which Investigating Officers and their legal advisers will have to familiarize themselves with. This comes on top of other recently announced changes to the local authority surveillance powers.
The Bill will be subject to scrutiny by a joint parliamentary committee before the effort to bring the measures through Parliament and into law begins in earnest. Given what the Lib Dems and some Conservative backbenchers have said about it, it is likely to have a rough passage through Parliament.
Ibrahim Hasan is a solicitor and director of “Act Now Training” (website here). You can follow Ibrahim on Twitter here.
Article (c) Ibrahim Hasan 2012 (not LegalAware)
