The Liability of Internet Intermediaries

Contents

1 Background 17.06
1.1 ‘Communications data’ 17.07
1.2 Confidentiality of communications data 17.18
1.3 Rationale 17.23
1.4 Voluntary data retention 17.29
1.5 Data Retention Directive 17.37
1.6 Incompatibility of the Directive 17.43

2 Data retention duties 17.49
2.1 Overview of legislation 17.49
2.2 Who must retain data 17.55
2.3 What must be retained 17.70
2.4 Period of retention 17.78
2.5 Mode of retention 17.81
2.6 Breach of data retention duties 17.91

3 Access to retained data 17.93
3.1 Access by law enforcement authorities 17.98
3.2 Use of retained data for private purposes 17.114

4 Interception duties 17.123
4.1 The general prohibition on interception 17.125
4.2 Lawful authority to intercept 17.135
4.3 Equipment interference 17.145
4.4 Bulk interception 17.157

17.01 This chapter considers statutory duties that are owed by internet intermediaries to retain communications metadata for periods beyond their ordinary lifespan, and to disclose those data (and in narrower circumstances, the contents of the communications) for use in criminal investigations. These duties serve a range of public purposes—principally the preservation of national security, law enforcement, and public order. Their justification is said to be a rise in the criminal exploitation of internet and communications technologies, in particular to perpetrate cybercrime and to plan and carry out terrorist activities.

17.02 Metadata are data about data: they reveal properties such as the location, time, sender, or recipient of digital messages. Metadata can assist in the prevention, detection, and prosecution of crime: for example, they may be used to identify participants in suspected wrongdoing; to exclude individuals from investigation; to corroborate the location or sequence of events; or to advance an investigation by forming semantic connections between seemingly unrelated data points. For the same reasons, metadata also have intrinsic sensitivity, since they may reveal a person’s inner life and private activities.

17.03 Due to the extremely high volumes of information processed by internet intermediaries, it is rare for the content of all communications, or their associated metadata, to be stored for any substantial period beyond what is needed to supply the relevant service. Similarly, records of server access and user activity tend to be cycled and automatically erased at regular intervals for reasons of commercial and technical practicality. Unless preserved, much of this information may be deleted or overwritten before a criminal investigation is complete.

17.04 Retention is a controversial practice, both because it can involve blanket surveillance of persons with no actual or suspected connection to wrongdoing, and because retaining data creates a risk that data will be used for wider or unintended purposes. Additionally, to comply with such obligations may be intrusive or burdensome for service providers, particularly for start-ups and those who must store large volumes of data. The scope of these retention duties, and the conditions surrounding access to retained data by the intelligence services and law enforcement bodies who need it, embody a delicate and controversial balance between individual privacy, the public interest in national security and the rule of law, freedom of business, and the proper limits of state authority.

17.05 Section 1 outlines the background to the European data retention framework and considers the impact of the decision of the Court of Justice in Digital Rights Ireland.1 Section 2 considers the scope of retainable data and the duties owed by service providers under the data retention regimes enacted by the United Kingdom in 2014 and proposed to be enacted in 2016. Section 3 considers the conditions governing access to retained data by public and private applicants. Section 4 considers a related class of interception duties and the controversial practice of bulk interception.

17.06 Internet intermediaries create, process, and store a range of metadata during the course of their operation, most commonly including information about the source, destination, timing, and location of their users’ activities. This section introduces the concept of ‘metadata’ and explains how such data are generally required to be treated by service providers under European law. It then provides a historical introduction to the United Kingdom and European data retention frameworks, which operate as derogations from the general rule.

17.07  Metadata. Metadata are data about data.2 They may include information about how, when, where, why, or by whom data were created. Metadata may also describe basic attributes about data, such as their size, type, or means of creation. In the context of internet communications, metadata commonly record specific dealings with data, such as the source or destination of a communication, the location from which data were sent or accessed, or the network address associated with a request for data.

17.08  Why metadata matter. From metadata it is possible to infer much about the sender or recipient of a communication. Metadata tell us whom we call or email and how often, where we are at any particular moment, when and how we work, with whom we associate, which webpages we access, and what interests, excites, arouses, and concerns us.3 Metadata about individuals’ internet search and browsing histories can be particularly revealing, since they may record when and where users logged in, for what material they searched, which social media profiles they visited and how often; all this may reveal a person’s age, occupation, political affiliation, sexual orientation, religion, medical history, and much else besides.

17.09  Definition in RIPA. In the context of the acquisition, retention, and disclosure of digital data, metadata are referred to as ‘communications data’. This phrase was defined in section 21(4) of the Regulation of Investigatory Powers Act 2000 (‘RIPA’) to mean (insofar as relevant to internet telecommunications):

(a) any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any...telecommunication system by means of which it is being or may be transmitted;

(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

(i) of any...telecommunications service; or

(ii) in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

(c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a...telecommunications service.

17.10  The updated definition. In November 2015, the Home Office published a draft of the Investigatory Powers Bill 2015, which was later revised and reintroduced to Parliament on 1 March 2016 (‘2016 Bill’). The 2016 Bill provides for an updated definition of ‘communications data’. In summary, the updated definition encompasses two main sub-classes of communications data:

(1) ‘entity data’, which is data identifying an entity4 or its association with a telecommunications service or system; and

(2) ‘events data’, which identifies or describes an event which consists of some specific activity on, in or by means of a telecommunications system.5

17.11  Examples of communications data. Each class of communications data may identify the entity or event in a number of different ways. For example, it may include the location, username, IP address,6 telephone number, hostname, and access period of the entity accessing a telecommunications service or system; this entity may be the sender or recipient of the communication. Equally, it may include data identifying the telecommunications system (or any part of it) by means of which a communication is transmitted, the location of the system, and the type, method, or pattern of communications; or merely the fact that communications occur.7

17.12  Sources of communications data. To fall within the updated definition, communications data must satisfy one of three nexus requirements which link the data to a telecommunications operator or system. First, the data may be held or capable of being held or obtained by, or on behalf of, a telecommunications operator (eg data capable of interception). Second, communications data may be available directly from a telecommunication system (eg data already stored on the system). Third, communications data may relate to the general architecture of a telecommunication system but without relating to a specific person.8

17.13  Exclusion of content of a communication. The definition of communications data encompasses almost any information relating to the use or properties of a telecommunications service, but does not include the ‘content’ of a communication. ‘Content’ is defined as the elements of a communication (and any associated data) which reveal anything of what might reasonably be expected to be its meaning.9

17.14  Information that is not content. Two qualifications apply to the exclusion of the content of a communication. First, in the context of web browsing data, the ‘content’ of a communication does not include data identifying the telecommunications service (eg the IP address or domain name of a page request). Second, ‘content’ does not extend to the fact that the communication was made, or to data relating to its transmission.

17.15  Identifying the content. The distinction between ‘communications data’ (metadata) and the content of a communication is easier to describe than to apply. The former are attributes of the communication but distinct from the information conveyed within it, such as the precise words spoken, the text or files being emailed, or the video transmitted. However, the distinction is not absolute. Communications data often form part of a communication (or are attached to it), as in the case of email or packet headers and many other kinds of transmission data. The fact that such transmission data may permit detailed inferences to be drawn about the contents of their associated communications will not prevent them from being considered communications data, as the statutory definition makes plain.

17.16  Borderline cases. It seems arguable that communications data will not extend to information which directly or indirectly reveals the contents of a communication, such as the full URL of an accessed website, a query string submitted to a search engine, or the subject line of an email.10 Such information may be said to reveal what might reasonably be expected to be the meaning of the communications (the subject matter of the webpage, the search request submitted by the user, or the message sent by the sender, respectively).

17.17  Postal mail. A useful analogy may be drawn with the rules governing postal mail: metadata about a letter or other item of post is anything written on the outside of the item,11 such as an address, postmark, or stamp. Digital metadata can be much more sophisticated (and detailed), but will similarly relate to the ‘envelope’ surrounding the contents of a communication. The scope of retainable metadata is discussed further in section 2.2.

17.18  The general rule. The starting point is that Directive 2002/58/EC (‘PEC Directive’) requires service providers to ensure the confidentiality of communications data.12 For example, article 5 of that Directive requires member states to prohibit the storage, interception, and surveillance of communications data without affected users’ consent, subject to limited exceptions. In the case of traffic and location metadata, these must be erased or made anonymous when they are no longer needed to transmit a communication or to conduct billing, marketing, or other value-added services, unless user consent is obtained.13

17.19  Derogations from the general rule. Article 15(1) of the PEC Directive permits restrictions on the confidentiality of communications data that are necessary, appropriate, and proportionate within a democratic society to safeguard national security, defence, public security, and for the prevention, investigation, detection, and prosecution of crime.14 In reliance upon this exception, many member states enacted (or maintained) national data retention laws which required service providers to store communications data. These laws were not harmonised, requiring different classes of metadata to be retained for different periods and creating access regimes which differed from country to country. This led to distortions within the internal market.15

17.20  Grounds for derogation. In Productores de Musica de España (Promusicae) v Telefonica de España SAU, the CJEU held that article 15(1) authorises derogations from the obligation of confidentiality where justified by article 13(1) of the Data Protection Directive, and in particular the need to protect the rights and freedoms of others.16

17.21 Similarly, in R (British Telecommunications plc) v Secretary of State, the Court of Appeal held that the grounds for derogation include all the purposes listed in article 13(1) of the Data Protection Directive and that these purposes were not intended to be limited to the context of civil proceedings.17 Thus, the measures permitted by article 15(1) include ‘legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph’, and the relevant grounds include those set out in article 13(1) of the Data Protection Directive.18

17.22  Harmonisation of communications data retention. Following the Madrid and London terrorist attacks, the European Parliament resolved to harmonise and strengthen EU data retention law. The result was Directive 2006/24/EC (‘Data Retention Directive’),19 which was enacted in just three months—then the fastest adoption period in the history of the EU.20 This Directive represented a substantial derogation from articles 5, 6, and 9 of the PEC Directive—an attribute expressly acknowledged by article 3(1). Article 3 required member states to ensure that specified classes of metadata were retained where they were generated or processed by, inter alia, internet services who provide publicly available electronic communications services or operate a public communications network.

17.23  Policy justifications. Before considering the EU and national statutory frameworks in detail, it is worth pausing to consider the main objectives said to be served by metadata retention. Principally, these relate to the prevention, detection, and prosecution of serious crime: sometimes encapsulated by the phrase ‘the collective right to security’.21 Secondarily, they relate to data protection, individual privacy, and the rule of law.

17.24  Identifying wrongdoers. Communications data are often necessary to identify wrongdoers, for the same reasons as private claimants often require Norwich Pharmacal disclosure to unmask anonymous internet wrongdoing.22 One example commonly given is the need to investigate unlawful material published anonymously in an internet chat room or forum, such as offers to sell child abuse material or stolen credit card data, or threats of public violence.23 Unless internet intermediaries are obligated to store details of which user has been assigned a particular IP address, and when a particular posting was created, it will be difficult to identify the particular individuals who have published such material.24

17.25  Long-term investigations. Although many investigations can occur within days or weeks of the data being generated, more complex patterns of crime can require data to be gathered and retained over a much longer period. For example, investigations into financial crime, tax evasion, corruption, terrorism and organised crime, human trafficking, and cross-border crimes can involve gathering evidence spanning a period of months or even years. Identifying and making requests for access to the relevant servers takes further time, especially where international assistance or formal applications are required. The normal lifespan during which such data are stored by internet intermediaries may have long passed by the time the authorities request access.

17.26  Examples. For example, following the 2005 London bombings, investigators continued to uncover relevant communications and records for several months, leading to the identification of further participants. Some historical data were unavailable because they had been deleted by the service provider.25 Conversely, in Germany, the Constitutional Court ruled in 2010 that national data retention measures were unconstitutional and mandatory data retention was annulled.26 It is unclear precisely what effect this had on criminal prosecutions, though one state police department reported that 75 per cent of investigations could not be solved without retained data.27

17.27  Law enforcement. Data retention provides law enforcement and intelligence bodies with a guarantee that potentially relevant data will be available for a minimum (and a maximum) period, and will be promptly accessible in accordance with a known procedure.

17.28  Regulated data access procedures. A properly regulated system of data retention upholds the rule of law by providing guarantees to data subjects (and in particular those who are the intended or indirect subjects of an investigation) that their personal data will only be released in specified circumstances and subject to judicial or other forms of lawful supervision. Data access rules impose restrictions on the persons by whom retained communications data may be accessed, and the purposes for which they may be used. The alternative would be a haphazard system of discretionary retention and disclosure by internet intermediaries and telecommunications service providers, which may not guarantee either the availability of data or respect for fundamental rights.

17.29  Historical overview. Since the first public avowal of the intelligence and security agencies, the United Kingdom has recognised domestic data retention and interception powers under a number of statutes and codes of practice.28 This section provides an overview of the recent history of voluntary data retention in the United Kingdom. This is now of largely historical interest with the impending repeal and consolidation of many of these enactments in the Investigatory Powers Bill 2016.

17.30  Overview of the old framework. The data retention framework developed in a piecemeal fashion, being contained in a range of statutory instruments, codes of practice, and secondary legislation. In large part, responsibility for the authorisation and extension of these obligations was and remains delegated to executive and administrative bodies who determine the intermediaries who must retain data, what they must retain and for how long, and when they must disclose retained data. For obvious reasons, the details of specific authorisations are not available, with the result that the full extent of these powers—and the way they are used in practice—is not publicly known.

17.31  Voluntary codes of practice. Provision was made for a voluntary data retention framework by part 11 of the Anti-terrorism, Crime and Security Act 2001, which was enacted shortly after the 11 September 2001 terrorist attacks. Section 102(1) conferred upon the Secretary of State the power to issue and revise a code of practice relating to the retention of communications data by communications providers, including internet intermediaries. Additionally, section 102(2) permitted the Secretary of State to enter into ‘such agreements as he considers appropriate with any communications provider’ in relation to that provider’s data retention practices.29 The details of those agreements are not publicly known, but in general terms they appear to have functioned as service level agreements which regulated the retention practices of the service provider and, in return, provided for payments to cover certain costs of data retention.30 To be authorised by section 102, a code or agreement had to be considered necessary to safeguard national security or to prevent, detect, or prosecute crime which may relate directly or indirectly to national security.31

17.32  The 2003 Code. A voluntary code of practice was issued by the Secretary of State on 5 December 2003 (‘Code’).32 The Code applied to all communication service providers who provide a public telecommunications service in the United Kingdom. Conversely, it did not apply to individuals or private network operators who do not supply a service to the general public. The Code did not define a complete framework for data retention and disclosure, but instead set out a more limited specification of the types and timespans of data that service providers should retain.

17.33  Classes of retainable metadata. The Code distinguished between different types of communications data, such as traffic, subscriber, and usage metadata.33 It did not require the retention of any data which a service provider did not already ‘routinely retain for business purposes’.34 The voluntary retention period under the Code ranged from 4 days (in the case of web activity logs)35 to 12 months (in the case of subscriber data). ISP data, which included details of a customer’s internet session (including his or her IP address and the session duration), was to be retained for 6 months.

17.34  Enforcement of the Code. A failure to comply with a code of practice or agreement under section 102 did not sound directly in civil or criminal liability.36 However, such a code or agreement was admissible in legal proceedings to justify the retention of any communications data. Because data retention will usually involve processing personal data, compliance with the code or agreement could be used to justify what might otherwise be a contravention of the Data Protection Act 1998.37 Non-compliance with a code or agreement might also in some circumstances lead to proceedings being brought in the Investigatory Powers Tribunal.38

17.35  Statutory duties. Additionally, the Secretary of State previously possessed a backstop power under section 104 to authorise the giving of directions about data retention to communications providers.39 If a provider was made the subject of such a direction, it came under a statutory duty to comply with it. A failure to do so would be a breach of statutory duty enforceable by civil proceedings brought by the Secretary of State.40 However, this power was subject to a sunset clause and, although extended twice, it appears to have lapsed at the end of 2007.41

17.36  Repeal of the voluntary retention regime. The Investigatory Powers Bill 2016 provides for the repeal of part 11 of the Anti-terrorism, Crime and Security Act 2001.42 If enacted, this would have the effect of consolidating the various data retention regimes under a single enactment providing for mandatory data retention duties.

17.37  Historical overview. This section provides an overview of the Data Retention Directive, which was the main EU instrument dealing with the mandatory storage of communications data.43 Like the United Kingdom regime, European data retention has undergone a tortuous history, culminating in the annulment of the Directive in its entirety.

17.38  Regulated entities. The Directive was directed at providers of ‘electronic communications services’ and set out detailed rules governing the type of data which must be retained, the period and manner of retention, and access to the retained data. The Directive had a dual function: its primary aim was to harmonise existing national data retention rules by providing for a general obligation to retain traffic and location data relating to electronic communications.44 Its secondary aim was to ensure that member states established data retention rules to the extent they did not already exist.45 However, the Directive has now been annulled in its totality by the decision in Digital Rights Ireland, and at the time of writing has not been replaced.

17.39  Relevant EU instruments. Until its annulment, the Data Retention Directive formed part of the European Union acquis relating to data protection and communications, in which the other main instruments were the Data Protection Directive and the PEC Directive.46 Each of those instruments permitted legislative measures restricting the scope of data protection rights for various purposes, including national security, defence, public security, and the prevention, investigation, detection, and prosecution of crime.47 However, the Data Retention Directive represented a further derogation from that framework of protection by profoundly altering these exceptions in relation to electronic communications services.48

17.40  Core retention obligation. The basic obligation established by the Directive was set out in article 3(1): providers of publicly available electronic communications services must retain the required metadata to the extent those metadata are ‘generated or processed’ by them.

17.41  Scope of retainable metadata. Retainable data for internet communications included: user IDs of the senders and intended recipients of communications; the identity of users to whom an IP address was allocated at a particular time; the date and time of users’ log-in and log-off events for an internet access service, including their dynamic or static IP address; the type of internet service being used; and details of the end point used by the originator of the communication. No data revealing the content of the communication could be retained.49

17.42  Mandatory retention period. The mandatory retention period was between 6 months and 2 years depending on the class of retained data.50 During that period, retained data were required to be stored securely and in accordance with the seventh data protection principle, but in such a way that they could be transmitted to the national authorities without undue delay. Appropriate technical and organisational measures had to be applied to ensure that retained data could be accessed only by specially authorised personnel. All retained data were to be deleted at the end of the retention period, unless accessed and preserved.51

17.43  Grounds of challenge. The Grand Chamber of the CJEU was asked to consider the validity of the Data Retention Directive in Digital Rights Ireland. The main ground of challenge was that the Directive was incompatible with articles 7, 8, and 11 of the Charter. The Court accepted that these rights were engaged: retained data, taken as a whole, could allow detailed scrutiny of individuals’ private habits, movements, and relationships. As a result, retention could conceivably affect the use of communication services and thereby restrict freedom of expression. Additionally, retention and access by the competent authorities clearly affected users’ rights to private life and data protection. The nature of these interferences was said to be ‘particularly serious’ because retention applied indiscriminately and could generate a feeling of ‘constant surveillance’.52

17.44  Necessity and proportionality of data retention. The Court of Justice noted that the fight against serious crime was a legitimate objective of general interest, and that data retention was an appropriate means of attaining that objective. However, the Court concluded that the manner in which the Directive provided for this was neither necessary nor proportionate. It relied upon five main groups of reasons:

(a) The scope of retained data was excessive. It applied to all means of electronic communication, covered all subscribers and registered users, and all traffic data. As a result, the Directive ‘entails an interference with the fundamental rights of practically the entire European population’.53 Because retention was indiscriminate it was not limited to what was strictly necessary.

(b) The Directive did not provide for adequate limits or exceptions, eg in relation to data protected by obligations of professional secrecy (such as legal professional privilege) or belonging to wholly innocent persons.54

(c) The Directive failed to stipulate any criteria to limit access to and use of data by national authorities, and did not set out any substantive or procedural conditions to govern access requests (eg judicial authorisation), instead leaving those matters to member states.55

(d) The minimum retention period did not differentiate between types of data based on their potential utility, and there were no objective criteria governing the overall retention period to limit it to what was ‘strictly necessary’.56

(e) There were inadequate safeguards (contrary to article 8 of the Charter) to ensure the confidentiality of retained data, and to prevent unlawful access and use. The data security principles allowed service providers to take into account the cost of security measures, data were not required to be irreversibly destroyed at the end of the retention period, and data could be stored outside the European Union.57

17.45  Interference with fundamental rights. In view of these shortcomings, the Court concluded that the Data Retention Directive involved a serious interference with data subjects’ fundamental rights but failed to limit that interference to what was strictly necessary. The Directive was therefore disproportionate and contrary to article 52(1) of the Charter.

17.46  Data security. The CJEU was particularly critical of the Directive’s failure to require a ‘particularly high level of protection’ for the retained data by the service providers to whom retention was delegated.58 The Directive reflected the pragmatic concession that the level of data security implemented by service providers could be influenced by ‘economic considerations’; in other words, service providers could deploy less than perfect technical and organisational measures despite the availability of more effective (but more costly) alternatives.59 However, this would presumably remain subject to the benchmark set by the seventh data protection principle, that the technical and organisational measures remain ‘appropriate’ in all the circumstances. The Court seems to have expected that the Directive would set out those measures more clearly.

17.47  Consequences of the ruling. The immediate impact of the Digital Rights Ireland decision is that member states no longer need to take steps to transpose the Directive. Additionally, existing national data retention schemes will no longer fall within the derogations from the Data Protection Directive and PEC Directive that were previously contained in the Data Retention Directive. This means that provisions of national law must once again satisfy the ‘necessary, appropriate and proportionate’ requirements of article 15(1) of the PEC Directive to be compatible with EU law; these are likely to raise similar considerations.

17.48  Future data retention schemes. As a derogation from the general rule of protection for communications data, it is to be expected that article 15(1) will be construed narrowly. However, because article 15(1) expressly mentions data retention schemes as permitted derogations (provided they are compatible with the Charter and Convention), it remains possible that new national regimes will fall within the provision and be lawful. Of course, as article 15(1) itself makes clear, such regimes would also need to be compatible with fundamental rights, and must therefore be re-evaluated in light of the criteria and criticisms expressed by the Court of Justice in Digital Rights Ireland.

17.49 Following the Digital Rights Ireland decision, the United Kingdom enacted emergency legislation intended to replace the existing provisions which transposed the Data Retention Directive,60 to introduce safeguards to govern the scope and storage of retained data, and to clarify the nature and extent of data retention obligations owed by entities who provide communications services to customers in the United Kingdom.61 These duties do not arise to correct wrongdoing by an intermediary but rather to facilitate the prevention, investigation, and prosecution of serious crime and threats to national security. Unlike disclosure or blocking, retention is indiscriminate but of more limited duration.

17.50  The 2014 Act. The emergency data retention regime was contained in the Data Retention and Investigatory Powers Act 2014 (‘2014 Act’), which entirely replaced the earlier regimes, apart from the 2003 voluntary code of practice.62 Additionally, a new code of practice known as the Retention of Communications Data Code of Practice (‘Retention Code’) provided detailed guidance to service providers about the procedures to be followed when retaining data.63

17.51  Overview of data retention obligations. The regime established by the 2014 Act and Code had three main aspects: first, provision as to who can be required to retain communications data; second, details of what data must be retained, for what period and for which purposes; and third, procedures for how those data may be obtained. Provision was also made for reporting and review of investigatory powers. The entire regime was subject to a sunset clause of 31 December 2016, though it appears that the regime will be repealed and replaced sooner than that. Access to retained data is dealt with in section 3.

17.52 In R (David Davis MP) v Secretary of State for the Home Department, the High Court issued a declaration of incompatibility in respect of section 1 of the 2014 Act on the basis that it failed to comply with the requirements of Digital Rights Ireland.64 In particular, the Act (1) failed to lay down clear and precise rules providing for access to and use of retained communications data for restricted purposes, and (2) failed to make access to retained data subject to prior review by a court or administrative body. The Court ordered that section 1 of the 2014 Act be disapplied.

17.53  Mandatory requirements of EU law. The Court held that the ratio of Digital Rights Ireland was that a data retention regime for communications data is incompatible with articles 7 and 8 of the Charter ‘unless it is accompanied by an access regime (laid down at national level) which provides adequate safeguards for those rights’.65 The Court considered that, to be compatible with the mandatory requirements of EU law, national data retention legislation would need, in summary:

(a) to guarantee that communications data would only be retained insofar as is strictly necessary;

(b) to lay down clear and precise rules governing the scope of retention;

(c) to impose minimum safeguards sufficient to protect against the risk of abuse;

(d) to contain express restrictions on access to and use of retained data, which must be restricted to purposes relevant to serious criminal offences; and

(e) ‘above all’, to make access to retained data conditional upon independent review by a court or body ‘wholly independent of the force or body making the application’ whose role is to limit access and use to what is ‘strictly necessary for the purpose of attaining the objective pursued’.66

17.54  Decision of the Court of Appeal. The remedy in Davis was disapplication of the 2014 Act, with suspension for a time sufficient to allow Parliament to enact new legislation which complied with EU law. At the time of writing, the successor legislation was the Investigatory Powers Bill 2016, which had not yet been enacted. On appeal, the Court of Appeal inclined to the view that Digital Rights Ireland was concerned solely with the validity of the Directive, and did not purport to lay down ‘specific mandatory requirements of EU law’ for all national data retention schemes: in that setting, ‘precisely what safeguards may be required must be assessed in the context of the measure concerned and, in particular, must have regard to its objectives, its breadth and such safeguards as have been included’.67 However, the correct interpretation was not considered clear, so the Court referred two questions to the CJEU concerning the interpretation of the decision in Digital Rights Ireland.

17.55  Challenges in other member states. Despite the doubts expressed by the Court of Appeal in Davis as to the effect of Digital Rights Ireland, national courts in Austria, Belgium, The Netherlands, Romania, Slovakia, and Slovenia have declared national data retention legislation invalid on the basis of the CJEU’s decision.68 In Sweden, the Kammarrätten i Stockholm has referred questions to the CJEU which are similar to those referred by the Court of Appeal.69 It is to be hoped that the CJEU will lay down clear criteria which can be applied by national legislatures and courts to ensure legislation is compatible with articles 7 and 8 of the Charter and article 15(1) of the PEC Directive.

17.56  Retention notices. Under the Investigatory Powers Bill 2016, data retention duties will apply to any ‘telecommunications operator’ who has been issued with a retention notice by the Secretary of State. Such a notice must specify:

(a) the operator (or description of operators) to whom it relates;

(b) the data which are to be retained;

(c) the period or periods for which the data are to be retained;

(d) any other requirements, or any restrictions, in relation to the retention of the data; and

(e) information concerning the financial contribution to be made towards the operator’s costs of complying with the notice.70

An operator who has received a retention notice must not disclose its existence or contents to any other person.71

17.57  Optional contents. A retention notice may relate to a particular operator or to a described class of operators, and may require the retention of ‘all data or any description of data’.72 It may also apply to existing or future data, and may identify multiple relevant periods for retention.73

17.58  Conditions for issuing retention notices. A notice may not be issued to an operator unless it falls within the definition of a telecommunications operator, and two threshold requirements are satisfied: (1) retention relates to one or more specified national security purposes, and (2) the Secretary of State considers that the retention requirement is necessary and proportionate for one or more of those purposes.74

17.59 The starting point is that a telecommunications operator is any person who offers or provides a telecommunications service, or who controls or provides a telecommunications system, with a link to the United Kingdom. These phrases are defined in section 223 of the 2016 Bill as follows:

(a) ‘Telecommunications service’ means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

(d) ‘Telecommunication system’ means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.75

17.60  Territorial link. The required territorial link for a telecommunications service is to the offering or providing of the service in the United Kingdom. However, the underlying ‘telecommunication system’ may be located anywhere in the world. The key question is therefore whether the service is ‘offered or provided to’ a substantial section of the United Kingdom public. Alternatively, in the case of a telecommunication system, it may be located ‘wholly or partly in the United Kingdom or elsewhere’, which means it can be located essentially anywhere. However, if the system is operated by a foreign telecommunications operator who does not offer or provide any telecommunications service in the United Kingdom, then the system must be located or controlled at least in part from the United Kingdom. This is a broader condition than under the previous RIPA regime, and means that almost all major internet intermediaries (local or foreign) may be potential recipients of retention notices.

17.61  Extraterritorial operation. The effect of these provisions is that retention notices may be issued to internet intermediaries who are established outside, or operate telecommunication systems beyond, the United Kingdom. The extraterritorial effects of requirements and restrictions imposed under a retention notice are confirmed by cl 86 of the 2016 Bill, which states that notices may relate to conduct outside the United Kingdom and persons outside the United Kingdom. However, the statutory duty owed by a telecommunications operator located abroad is, unlike the duty owed by a local operator, not enforceable by civil proceedings for an injunction.76

17.62  Neutrality. The definitions are technology-neutral. That is to say, they do not depend on any specific medium, protocol, or platform. Insofar as a medium is relevant, it is sufficient that the service relates to a telecommunications system which is conveyed electrically (including by optic fibre, which relies upon electromagnetic energy). Beyond that, potentially any internet system or service may fall within the definition.

17.63  Service providers and system operators. The provider of a ‘telecommunications service’ does not necessarily need to operate the underlying ‘telecommunication system’. For example, a service provider could supply access to another telecommunication system, including by facilitating the creation, management, or storage of communications carried by it. This could encompass numerous intermediaries in addition to the primary service provider.

17.64  Provision of access or facilities. To be caught by the retention regime, it is sufficient for an internet intermediary to provide access to, and facilities for making use of, a telecommunication system. Clause 223(12) clarifies that this includes facilitating the creation, management, or storage of transmitted communications. In other words, a web-based service (such as webmail or an online gaming platform) will be a relevant telecommunications service, because it facilitates the creation and storage of communications transmitted by its users and third parties.77

17.65  Application to internet intermediaries. Based on these definitions, it seems clear that platforms, social networks, search engines, ISPs, hosts, and many other intermediaries would be considered telecommunications operators and could therefore be issued with retention notices to the extent they offer or provide services in the United Kingdom, or in respect of any part of a relevant telecommunications system that is located there.

17.66  Relevant purposes. Before the Secretary of State may issue a retention notice, he or she must be satisfied that the retention requirement specified in the notice is necessary and proportionate for one or more specified purposes, namely:

(a) in the interests of national security;

(b) for the purpose of preventing or detecting crime or of preventing disorder;

(c) in the interests of the economic well-being of the United Kingdom so far as relevant to national security;

(d) in the interests of public safety;

(e) for the purpose of protecting public health;

(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;

(g) for the purpose, in an emergency, of preventing death or injury or mitigating any damage to a person’s physical or mental health;

(h) to assist investigations into alleged miscarriages of justice;

(i) to identify a deceased person or a person unable to identify themselves because of a physical or mental condition; or

(j) for the purpose of exercising functions relating to—

(i) the regulation of financial services and markets, or

(ii) financial stability.

17.67 These purposes are the same as those for which disclosure of communications data, and the underlying content of communications, must be necessary under Part 3 of the 2016 Bill. In light of the Court’s comments in Digital Rights Ireland, it seems arguable that ‘necessary’ should be construed as ‘strictly necessary’.78 Conversely, English authorities do not insist on a standard of strict necessity in the context of applications for disclosure of personal data made by civil litigants.79

17.68  Relevant considerations. The 2016 Bill requires the Secretary of State to take into account a number of additional factors before issuing a retention notice.80 These factors appear to embody a rough calculation of the proportionality of a notice. They include: the likely benefits of the notice; the likely number of affected users (which would presumably require account to be taken of the degree of intrusion upon their private life); the technical feasibility of the telecommunications operator complying with the notice; the likely cost of compliance; and any other effect of the notice upon the telecommunications operator.

17.69  Consultation. Before issuing a notice, the Secretary of State must take reasonable steps to consult with any telecommunications operator to whom it relates.81 As was the case for the 2014 Act, a retention notice should not specify blanket requirements for large numbers of internet intermediaries who operate different services. A retention notice should reflect the particular nature of each notified service provider,82 including the nature of the data generated and processed by it, the number of affected customers, and the costs of implementing the notice.

17.70 The 2016 Bill requires ‘relevant communications data’ to be retained, to the extent retention is required by a retention notice. Such data are communications data which may be used to identify, or assist in identifying, any of the following:

(a) the sender or recipient of a communication (whether or not a person);

(b) the time or duration of a communication;

(c) the type, method, pattern, or fact, of communication;

(d) the telecommunication system (or any part of it) from, to or through which, or by means of which, a communication is or may be transmitted;

(e) the location of any such system; or

(f) internet connection records,83 which include communications data transmitted for the purpose of obtaining access to, or running, a computer file or computer program.84

In general terms, this information can be thought of as the ‘who, where, and when’ of a digital communication or recipient of a service.

17.71  Requirement to specify retainable data. When issuing a retention notice, the Secretary of State must ensure that it specifies the relevant communications data which are to be retained.85 Normally this will be done by reference to the specific categories of data generated and processed by the telecommunications operator to whom the notice relates.

17.72  Categories of communications data. The 2016 Bill does not delineate the categories of retainable communications data in detail. A retention notice may list any or all of the available data types, but only insofar as their retention is considered necessary and proportionate for the relevant purpose. Where a subset of the communications data generated and processed by a notified service provider is specified, the notice may be varied in future to expand the scope of retention. The following paragraphs provide an overview of the main categories of communications data which telecommunications operators might be expected to retain, based on the examples given in the 2014 Act and Code.

17.73  Transmission metadata. Communications data includes metadata which relate to the transmission of a communication and are comprised in or attached to the communication. These metadata may identify the sender or receiver of the communication, the location from which it is transmitted or received, any apparatus forming part of the system,86 how the transmission was carried out, or the structure and format of the transmission.

17.74  Examples of transmission metadata. The most common examples of transmission metadata would be: packet headers, IP addresses used by the parties to a communication, identifiers for intermediate nodes through which a communication passes, the recipients of an email, routing information contained in an email’s headers (but not the subject line, which would be part of the contents), file transfer logs, session logs, authentication data (eg the username of the sender), and internet browsing histories (identifying a remote host, such as a server, domain name, or IP address).87

17.75  Relevant identifiers. Data will often be necessary to allow a public IP address to be linked to the person or device using it at any given time, such as records of an ISP’s dynamic IP address allocations, or routing tables within equipment using Network Address Translation. Such data may relate to a home broadband connection, mobile carrier, public wireless hotspot, or an application-layer service such as video chat, webmail, or instant messaging.88 Potentially any data that may be used to identify (or assist in identifying) the subscriber who made a communication may need to be retained. According to the Explanatory Note to the Counter-terrorism and Security Act 2015, this would include:

data required to identify the sender or recipient of a communication (which could be a person or a device), the time or duration of a communication, the type, method or pattern of a communication (eg the protocol used to send an email), the telecommunications system used or the location of such a telecommunications system that the person was communicating from. An IP address can often be shared by hundreds of people at once...Data necessary for the resolution of IP addresses could include port numbers or MAC (media access control) addresses.89
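The point made in the Explanatory Note, that a shared public IP address only resolves to one subscriber once the port number and time are also known, can be seen in the following sketch. It is an added illustration and not part of the legislation, the Code, or any operator's system; the record layout, subscriber references, and sample allocations are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address


def utc(year, month, day, hour, minute=0):
    """Build a timezone-aware UTC timestamp; retained logs should never use naive times."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class NatAllocation:
    """One retained NAT record: which subscriber held which port block, and when."""
    subscriber_id: str   # hypothetical internal account reference
    public_ip: str
    port_start: int      # inclusive
    port_end: int        # inclusive
    start: datetime      # inclusive
    end: datetime        # exclusive


# Constructed sample records; 203.0.113.0/24 is reserved for documentation.
ALLOCATIONS = [
    NatAllocation("sub-1001", "203.0.113.7", 1024, 5119, utc(2016, 3, 1, 8), utc(2016, 3, 1, 12)),
    NatAllocation("sub-1002", "203.0.113.7", 5120, 9215, utc(2016, 3, 1, 8, 30), utc(2016, 3, 1, 11)),
    NatAllocation("sub-1003", "203.0.113.7", 1024, 5119, utc(2016, 3, 1, 12), utc(2016, 3, 1, 18)),
    NatAllocation("sub-1004", "203.0.113.8", 1024, 5119, utc(2016, 3, 1, 8), utc(2016, 3, 1, 12)),
]


def candidates(allocations, public_ip, when, port=None):
    """Return every subscriber who could have used public_ip at the given time.

    Without a port the answer is everyone sharing the address at that moment;
    with a port it narrows to the holder of the matching port block.
    """
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    if port is not None and not 0 < port < 65536:
        raise ValueError("port out of range")
    wanted = ip_address(public_ip)
    hits = set()
    for alloc in allocations:
        if ip_address(alloc.public_ip) != wanted:
            continue
        if not alloc.start <= when < alloc.end:
            continue
        if port is not None and not alloc.port_start <= port <= alloc.port_end:
            continue
        hits.add(alloc.subscriber_id)
    return sorted(hits)


def resolve(allocations, public_ip, when, port=None):
    """Return the single matching subscriber, or None if the data are ambiguous or absent."""
    found = candidates(allocations, public_ip, when, port)
    return found[0] if len(found) == 1 else None


if __name__ == "__main__":
    nine = utc(2016, 3, 1, 9)
    print(candidates(ALLOCATIONS, "203.0.113.7", nine))          # address alone: two subscribers
    print(resolve(ALLOCATIONS, "203.0.113.7", nine, port=6000))  # address, time and port: one
```

Returning None for an ambiguous lookup, rather than the first match, keeps an incomplete request from being attributed to the wrong subscriber.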

17.76 However, the definition of communications data specifically excludes data that identify the content of communications, including the content of webpages a user has accessed.90

17.77  Examples of relevant metadata. Information about the sender or recipient of a communication could include various types of metadata: identification of the person associated with a particular account, email address, or website; when the service was activated or deactivated; personal details of subscribers, such as their names, addresses, billing details, or payment history; any static IP addresses allocated to the subscriber; information about any apparatus used by the subscriber; customer service history; and any other information provided by the subscriber, either during account sign-up or subsequently.

17.78  The relevant period. A retention notice cannot require data retention for a period of more than twelve months from the day of the communication (for data relating to a specific communication), the day when the entity ceases to be associated with the telecommunications service (for data relating to an entity), or the day on which the data is first held by the operator.91 This does not mean that twelve months will be appropriate for all internet services, or for all types of data. For example, it may well be inappropriate to retain detailed logs of internet access for such a lengthy period, whereas storing basic subscriber details and IP address allocation histories may be justified for the full retention period.

17.79  Time when period begins. The retention period begins on the date when the notice is given to the service provider, or on the date specified in the notice.92 In appropriate cases, a notice may come into effect in stages or at different times for different classes of metadata—for example, this may be a reasonable approach if the service provider must create new facilities or modify its systems in order to comply with the notice.

17.80  Application to existing communications data. Unless it specifies otherwise, a retention notice applies to relevant data already in existence when the notice comes into force. A notified service provider need only retain existing data for the remaining duration of the retention period.93 For example, if a service provider who has already retained subscriber data voluntarily for eleven months receives a notice specifying a 12-month period, it will only be required to retain the oldest subscriber data for one additional month upon the coming into force of the notice.

17.81  Duties of data integrity and security. Where a telecommunications operator retains data pursuant to a notice under the 2016 Bill, it comes under a number of statutory duties to ensure the integrity and security of the retained data. These are set out in clause 74 of the 2016 Bill, which augments the duties already owed by such service providers under the Data Protection Act 1998 in relation to personal data.

17.82  Equivalent security and protection. First, the operator must secure that the retained data is of the same integrity and subject to at least the same security and protection as the data on any system from which it is derived.94 In other words, it must apply the same level of organisational and technical security measures to retained data as to data on the primary telecommunications systems that generated or processed the communications. For example, the same level of physical site security, logical security (such as password protection and firewalls), and data integrity measures, such as backups and audits, would need to be applied.

17.83  Non-alteration. Another aspect of equal treatment is to ensure that retained data are not, at the point of retention, modified so as to introduce inaccuracies. The original communications data must be faithfully reproduced in the retention system, so that there are no discrepancies between what is retained and the original business data set.95

17.84  Restrictions on access. Second, the operator must secure, by appropriate technical and organisational measures, that the retained data may be accessed only by specially authorised personnel.96 These measures will include physical security (at the site of data centres and other infrastructure), technical security (such as firewalls, appropriate password policies, and anti-virus software), personnel security (such as background checks, training, and audit trails), and procedural security (such as processes and controls).97

17.85  Preservation of data integrity. Third, the operator must protect, by appropriate technical and organisational measures, the retained data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access, or disclosure.98 This duty encompasses protection against both malicious acts (eg hacking or theft) and inadvertent ones (eg lightning strike, hard drive failure, fire, or data corruption).

17.86  Data audits. The duty applies once data have been retained. It requires security controls to reduce the risk of data being modified, such as an audit capability.99 The duty essentially mirrors the existing duties of the operator under the Data Protection Act 1998 and PEC Directive, and in particular the seventh data protection principle.100

17.87  Deletion once no longer retainable. Fourth, the operator must destroy retained data if the retention of the data ceases to be authorised by virtue of Part 4 of the 2016 Bill and is not otherwise authorised by law. Destruction will require permanent deletion of the data, sufficient to make access ‘impossible’.101 This would require the use of secure deletion software, such as a file shredder, and parallel deletion of all backups of the data. For reasons of practicality, data need not be destroyed the very moment their retention is no longer authorised. It is enough if destruction is carried out at monthly or shorter intervals.102

17.88  Retention authorised by law. Importantly, the obligation to destroy retained communications data is subject to the condition that the continued retention of data ‘is not otherwise authorised by law’.103 This gives a broad mandate for ongoing retention where the operator wishes to do so for its business purposes, or insofar as permitted under its terms of service. This means that operators may continue to retain metadata for longer periods where they are not subject to a retention notice, provided that such retention is otherwise lawful, and involves lawful processing within the meaning of the Data Protection Act 1998.
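The retention period described in paragraphs 17.78 to 17.80 and the destruction duty in paragraphs 17.87 and 17.88 can be combined into a simple schedule, shown here as an added sketch that is not drawn from the Bill, the Code, or any operator's tooling. It assumes a single anchor date per item (standing for whichever starting day applies), treats destruction as due on the expiry day itself, and uses constructed sample items and dates.

```python
import calendar
from dataclasses import dataclass
from datetime import date

MAX_RETENTION_MONTHS = 12  # ceiling on the period a notice may specify


def add_months(day, months):
    """Add calendar months, clamping to the last day of a shorter month."""
    index = day.year * 12 + (day.month - 1) + months
    year, month = divmod(index, 12)
    month += 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


@dataclass(frozen=True)
class RetainedItem:
    item_id: str                      # hypothetical record reference
    anchor: date                      # day the retention period runs from (assumption: one per item)
    other_lawful_basis: bool = False  # retention 'otherwise authorised by law'


# Constructed sample items.
ITEMS = [
    RetainedItem("subscriber-17", date(2016, 1, 1)),
    RetainedItem("session-88", date(2016, 2, 29)),
    RetainedItem("billing-05", date(2015, 12, 15), other_lawful_basis=True),
]


def retain_until(item, period_months):
    """Day on which retention under the notice stops being authorised."""
    if not 0 < period_months <= MAX_RETENTION_MONTHS:
        raise ValueError("a notice cannot specify more than twelve months")
    return add_months(item.anchor, period_months)


def due_for_destruction(items, period_months, run_date):
    """Items a destruction run on run_date must delete, backups included.

    Items with another lawful basis for retention are left in place.
    """
    return [
        item.item_id
        for item in items
        if retain_until(item, period_months) <= run_date and not item.other_lawful_basis
    ]


def check_purge_schedule(run_dates):
    """True when no gap between consecutive destruction runs exceeds one calendar month."""
    ordered = sorted(run_dates)
    return all(later <= add_months(earlier, 1) for earlier, later in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    notice_in_force = date(2016, 12, 1)  # constructed date: subscriber-17 is eleven months old
    print(retain_until(ITEMS[0], 12), add_months(notice_in_force, 1))  # one further month
    print(due_for_destruction(ITEMS, 12, date(2017, 1, 1)))
    print(check_purge_schedule([date(2017, 1, 1), date(2017, 3, 1)]))  # gap too long
```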

17.89  Retention requirements. Fifth, where the retention notice so provides, a specified operator may be made subject to a retention requirement that data must be retained in such a way that they can be transmitted ‘efficiently and effectively’ in response to a lawful request for access.104 The 2016 Bill does not specify any particular period for transmission.

17.90 The 2016 Bill makes provision for at least partial payment of telecommunications operators’ data retention costs. The level of contribution to those costs is a matter that must be specified in a retention notice.105 The allocation of costs is discussed further in chapter 18.106

17.91  Effect of retention notices. A retention notice that has been validly issued to a telecommunications operator creates a statutory duty to comply with the requirements specified in the notice. Similarly, the duties of non-disclosure and to ensure the integrity, security, and availability of retained data, are statutory duties with which the operator must comply.107

17.92  Enforcement. These duties are enforceable by the Secretary of State in civil proceedings for breach of statutory duty. Thus, an operator who fails to comply with any of these statutory duties could face an injunction, an order for specific performance or ‘any other appropriate relief’.108 Monetary remedies such as damages are not mentioned expressly.

17.93  No access without lawful authority. The starting point is that, where a telecommunications operator retains communications data pursuant to a retention notice, a person must not knowingly or recklessly obtain access to communications data without lawful authority. To do so is a criminal offence.109

17.94  Sources of lawful authority. Authority to access retained communications data may be obtained:

(a) first, in accordance with the provisions of RIPA (and, once enacted, the 2016 Bill) which govern the acquisition and disclosure of communications data to law enforcement authorities, and the interception of such data pursuant to a statutory warrant;

(b) second, in accordance with a court order or other judicial authorisation or warrant; and

(c) third, where expressly permitted by the 2016 Bill in accordance with the authorisation procedure established under Part 3.

17.95  Use of retained data by intermediaries. There are only limited restrictions on the use of retained data by service providers themselves, such as for their pre-existing commercial purposes. In this respect, the framework probably falls short of the standard encouraged by the Opinion of the European Data Protection Supervisor, who noted ‘the need of an effective control on the access and further use’ of retained data, ‘preferably by judicial authorities in the Member States’.110

17.96  Restrictions on access. Access to retained data is not at large, whether for public or private purposes, but subject to a framework of statutory controls under the 2016 Bill. In Liberty v GCHQ, this led the Investigatory Powers Tribunal to conclude that:

Technology in the surveillance field appears to be advancing at break-neck speed. This has given rise to submissions that the UK legislation has failed to keep abreast of the consequences of these advances, and is ill fitted to do so; and that in any event Parliament has failed to provide safeguards adequate to meet these developments. All this inevitably creates considerable tension between the competing interests, and the ‘Snowden revelations’ in particular have led to the impression voiced in some quarters that the law in some way permits the Intelligence Services carte blanche to do what they will. We are satisfied that this is not the case.111

17.97 The need for lawful authority may be an attempt to meet the criticisms made by the Court of Justice in Digital Rights Ireland and to address public concern over access to communications data following the public disclosures made by Edward Snowden. However, the effect of the restrictions under the 2016 Bill seems largely to preserve (and in some respects expand) the existing methods for accessing personal data stored by telecommunications operators. Those methods vary depending on whether access is being sought for public or private purposes.

17.98 The data access regime established under RIPA and related legislation (as proposed to be amended by the 2016 Bill) is complex and only a brief overview of the main principles and procedures will be provided here, insofar as they relate to communications data.

17.99  Overview. The regime for lawfully acquiring and disclosing communications data to any person is governed by Part 3 of the 2016 Bill, which replaces (and largely duplicates) the equivalent provisions in chapter 2 of Part 1 of RIPA.

17.100  Targeted authorisations. The primary method of acquiring communications data under the 2016 Bill is a targeted authorisation, by which a designated senior officer of a relevant public authority may authorise the obtaining and disclosure of communications data from any person or telecommunication system. The effect of an authorisation notice is to oblige the notified operator to disclose (and, if necessary, to obtain) the specified communications data.112 Before such an authorisation may be issued, the designated officer must consider that the communications data is necessary for a relevant purpose and proportionate to what is sought to be achieved.113

17.101  Source of authorisation. Targeted authorisations may normally be granted or renewed by a designated senior officer, who is typically a senior member of staff within a police force, government department, or the intelligence services.114 The applicant must also be a member of such a public authority. Ordinarily, the granting officer must not be working on the investigation or operation to which the authorisation relates, unless there are exceptional circumstances.115

17.102  Statutory duty of telecommunications operator. An operator who receives a targeted authorisation notice owes a statutory duty to comply with the requirements of the notice, which is enforceable in civil proceedings by the Secretary of State for an injunction, specific performance, or ‘for any other appropriate relief’.116 However, a notice cannot require such an operator to do anything which is ‘not reasonably practicable’ for that person to do.117 In other words, if a notice requests data that do not exist, are no longer in the possession of a service provider, or for any reason cannot practicably be provided then it will not be in breach of its duty to fail to do so. However, as noted in paragraph 17.138, an interception warrant may require the operator to develop the necessary capabilities for obtaining and intercepting communications data.

17.103  Unauthorised disclosures. Telecommunications operators owe a duty not to make an unauthorised disclosure of intercepted material or related communications data obtained pursuant to a warrant, including a disclosure of the existence of the warrant.118

17.104  Definition of ‘internet connection record’. The 2016 Bill provides for a mechanism to authorise access to internet connection records held by communications service providers (primarily ISPs). An ‘internet connection record’ is defined to mean data which:

(a) may be used to identify a telecommunications service to which a communication is transmitted through a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program; and

(b) is generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person).119

17.105 This definition is very broad. It would appear to extend to web browsing history, server access logs, system logs, user activity logs, and almost any other record of remote computer activity. However, the data must be ‘generated or processed’ by the service provider while providing the relevant service. Accordingly, if an ISP does not create or process data relating to its subscribers’ web activity, there will not be any ‘internet connection record’ capable of retention.

17.106  Purposes of access. Access to an internet connection record may only be obtained for the purposes of (1) identifying a user of an internet service where the service and time of use are already known, (2) identifying when and how a service has been used by a known person or apparatus, or (3) identifying where and when a known person or apparatus has dealt in material whose possession is a crime.120 These purposes are broadly similar to the most common reasons why Norwich Pharmacal disclosure is sought against network-layer intermediaries, albeit that their focus is criminal rather than civil wrongdoing.

17.107  Scope of access. It is presently unclear to what degree of precision an applicant for disclosure of an internet connection record will need to specify the time period, apparatus or person in relation to which or whom access is sought. There are obvious reasons to avoid giving effect to overly broad requests for disclosure, especially if internet connection records are retained for the full 12-month period.

17.108  Scope of recorded information. An internet connection record will enable the accessing party to see which internet services a particular subscriber or device has accessed within the monitored period (eg a search engine, website, or instant messaging software). However, it will not allow the content of communications or a full browsing history to be obtained.121 It is not yet clear precisely which parts of an internet connection record would be disclosable by an ISP (eg HTTP requests and DNS server requests). HTTP requests would include the domain name, remote path (subpage) and any GET or POST query string (such as the content of form submissions); however, it appears that only details of the remote host are intended to be obtainable. A more detailed query string (such as <http://www.google.co.uk/?q=hello+world>) would involve disclosure of the content of the communication.

17.109  Limitations. If a subscriber or remote host encrypts web communications, the transmitting ISP would normally be unable to store more than the IP address of the remote host to which encrypted HTTPS requests were sent by the subscriber. In practice, this may yield a similar level of information as the full domain name, since the IP address may be correlated with other information to identify the service.122 Similarly, if a subscriber routes his or her requests through a Virtual Private Network (‘VPN’) or onion router (eg Tor), then only the IP address of the VPN server or entry point would be known to the ISP. Finally, in multi-user households which rely on Network Address Translation to route requests through a single gateway, a connection record will not reveal which person was using a device or accessing a particular website.
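The line drawn in paragraphs 17.108 and 17.109 between the remote host and the content of a request can be shown as a minimisation step applied before anything is stored. The following is an added example, not taken from the 2016 Bill or from any operator's system; the record schema, function names, and sample addresses are assumptions made for illustration.

```python
"""Added example: reduce constructed flow observations to host-only records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    """One flow as seen at the ISP edge (hypothetical schema)."""
    when: datetime
    gateway_ip: str                 # subscriber's public, post-NAT address
    remote_ip: str
    remote_port: int
    http_url: Optional[str] = None  # visible only for cleartext HTTP


@dataclass(frozen=True)
class ConnectionRecord:
    """Host-level record: no path, no query string, no body."""
    when: datetime
    gateway_ip: str
    remote_ip: str
    remote_port: int
    service_host: Optional[str]     # None when only the IP address was visible


def host_only(url: Optional[str]) -> Optional[str]:
    """Return the lower-cased host of a cleartext HTTP URL, else None."""
    if not url:
        return None
    try:
        parts = urlsplit(url.strip())
        if parts.scheme != "http":
            return None             # HTTPS: the URL is not visible in transit
        return parts.hostname       # drops userinfo, port, path, query, fragment
    except ValueError:
        return None                 # malformed URL: keep nothing from it


def to_connection_record(obs: Observation) -> ConnectionRecord:
    """Validate the addresses and keep only host-level detail."""
    gateway = str(ip_address(obs.gateway_ip))   # raises ValueError if malformed
    remote = str(ip_address(obs.remote_ip))
    if not 0 < obs.remote_port < 65536:
        raise ValueError("remote_port out of range")
    return ConnectionRecord(obs.when, gateway, remote, obs.remote_port,
                            host_only(obs.http_url))


def services_used(records: Iterable[ConnectionRecord], gateway_ip: str,
                  start: datetime, end: datetime) -> Dict[str, List[datetime]]:
    """Purpose (2) in 17.106: which services a known gateway reached, and when.

    Records are keyed by the gateway address, so devices and people behind
    one NAT gateway cannot be told apart (the limitation noted in 17.109).
    """
    seen: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        if rec.gateway_ip == gateway_ip and start <= rec.when < end:
            seen[rec.service_host or rec.remote_ip].append(rec.when)
    return {service: sorted(times) for service, times in seen.items()}


def at(hour: int, minute: int) -> datetime:
    """Constructed timestamp on an arbitrary sample day."""
    return datetime(2016, 1, 4, hour, minute, tzinfo=timezone.utc)


# Constructed sample data; all addresses are from documentation ranges.
SAMPLE = [
    # Cleartext HTTP: the query string is content and must not be kept.
    Observation(at(9, 0), "203.0.113.7", "198.51.100.10", 80,
                "http://www.google.co.uk/?q=hello+world"),
    # HTTPS: only the remote IP address and port are visible.
    Observation(at(9, 5), "203.0.113.7", "198.51.100.20", 443),
    # A second device in the same household, same gateway address.
    Observation(at(9, 6), "203.0.113.7", "198.51.100.20", 443),
    # Credentials, port and path in the URL are all discarded.
    Observation(at(9, 7), "203.0.113.99", "198.51.100.10", 80,
                "http://User:pw@WWW.Example.com:8080/account?id=1"),
]

RECORDS = [to_connection_record(obs) for obs in SAMPLE]

if __name__ == "__main__":
    for record in RECORDS:
        print(record)
    print(services_used(RECORDS, "203.0.113.7", at(9, 0), at(10, 0)))
```
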

17.110  Directions to provide assistance. The British intelligence services—namely, the Security Service (‘MI5’), the Secret Intelligence Service (‘MI6’), and the Government Communications Headquarters (‘GCHQ’)—have statutory powers to compel access to communications data. Under section 94(1) of the Telecommunications Act 1984, the Secretary of State may compel any communications service provider to provide assistance to the intelligence services and other government departments under a formal ‘Direction’. Such a Direction may be issued provided that it is considered necessary and proportionate in the interests of national security or international relations.

17.111  Volume of Directions. The existence and extent of any Directions are unknown. In a report published in early 2015, the intelligence and security agencies stated that to provide detailed information about their capabilities under Directions ‘would be significantly damaging to national security’.123 Directions have no time limit, though the policy of the agencies is to conduct six-monthly reviews to reassess their necessity and proportionality in light of operational requirements.

17.112  Repeal. If enacted, the 2016 Bill would repeal section 94 of the Telecommunications Act 1984, the intention being to consolidate the powers of the intelligence services in a more transparent manner.124

17.113  Disclosure for other public purposes. The Telecommunications Act 1984 also permits disclosure of communications data to a range of public authorities for public purposes, such as national security, preventing or detecting crime,125 enforcing trade practices legislation,126 or ‘in pursuance of an EU obligation’.127 These powers appear to survive the 2016 Bill.

17.114  Norwich Pharmacal disclosure. One potentially unintended effect of the 2016 Bill is to ensure that many internet services will hold a full complement of useful data which might be made available to private litigants. However useful the retained information may be to law enforcement authorities in specific cases, it represents a treasure trove to potential claimants. A timely application for pre-action or Norwich Pharmacal disclosure may lead to information being disclosed which would not have been retained were it not for the respondent’s data retention obligations, but which is not subject to any more stringent standards of disclosure than other information that may be disclosed pursuant to a court order.

17.115  Restrictions on use in civil proceedings. Although the use of retained data by public authorities is restricted in the various ways discussed in section 3.1,128 relatively little attention has been paid to the potential disclosure of retained data for private purposes in civil proceedings. When assessing applications for disclosure by private litigants, courts do not appear to inquire as to the reason why the information was retained or whether disclosure is permitted under any enactment.129 Indeed, the contrary assumption is reflected in paragraph 28 of the Voluntary Code, which states that access requests ‘can also be received’ from civil litigants and data subjects.130

17.116  Non-disclosure of interception-related conduct. The 2016 Bill would, if enacted, prevent evidence from being adduced, questions asked, assertions or disclosure made in proceedings, if they would reveal the existence of interception-related conduct, either by inference or suggestion.131 However, while this may prevent the origin of certain communications metadata from being disclosed, it seems unlikely that merely giving disclosure of retained communications data pursuant to a court order would permit such an inference to be drawn. As such, this provision seems unlikely to prohibit the giving of Norwich Pharmacal disclosure in relation to retained communications data.

17.117  Period for disclosure. The limited period of data retention means that a potential claimant may have a finite window within which to seek disclosure and thereby be in a position to commence or prosecute proceedings. That may operate as a de facto limitation period that can be oppressive to claimants who do not discover tortious material or wrongful activity until long after it has occurred. Some data (particularly emails and social media postings) may be stored over longer periods for commercial or technical reasons.

17.118  Consequences of private disclosure. Private leakage of retained data represents a substantial increase in the scope and practical effects of retention. However, it appears to be lawful. The CJEU validated the practice in Bonnier Audio AB v Perfect Communication Sweden AB,132 where it concluded that national laws permitting disclosure of retained communications data were compatible with the Data Retention Directive provided that they enabled a ‘fair balance’ to be struck between the competing fundamental rights. This would be so where a national court could weigh the ‘conflicting interests’ and consider the costs and benefits of disclosure in a given case.133 Judicial assessments of proportionality in Norwich Pharmacal proceedings arguably satisfy this requirement.

17.119  Subject access requests. Section 27(5) of the Data Protection Act 1998 provides that subject access rights ‘shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.’ As such, subject access rights are not affected by the 2016 Bill,134 and service providers must continue to respond to any valid subject access requests even if the response includes data retained pursuant to a retention notice.

17.120  Restrictions on subject disclosure. However, when complying with such requests, the operator would need to have regard to any duty of confidentiality owed to another individual (such as a law enforcement officer who has lawfully requested access to the data subject’s personal data), to its statutory non-disclosure obligations under the 2016 Bill, and to the exemption of personal data processed for the purposes of preventing or detecting crime.135 In such circumstances, it appears arguable that it would be reasonable not to comply with the request insofar as it would involve disclosing information relating to law enforcement officers or a criminal investigation, or if doing so would contravene the non-disclosure obligations imposed by the 2016 Bill.136

17.121  Billing, monitoring, and security. Finally, internet intermediaries are not prohibited from making use of retained data themselves, provided that it is not disclosed to a third party. Consequently, internal use of retained communications data for billing, monitoring, and security purposes is likely to be permissible (provided such a purpose was identified before retention began), but external disclosure of such data for purposes such as data mining or commercialisation would probably be contrary to the 2016 Bill.

17.122  Marketing. A late amendment to the 2014 Retention Code specifically prohibited the use of retained data for marketing purposes, if those purposes did not reflect ‘existing business purposes’ of the operator before the notice was issued.137 A similar requirement is foreseeable under the new regime.

17.123  The general duty of non-interception. Internet intermediaries owe a general duty not to intercept communications made by third parties on public or private telecommunications networks without lawful authority. Members of the public, governments, and public authorities owe the same obligation. The meaning and scope of this prohibition are explored in section 4.1. It is subject to a range of exceptions which determine when the intercepting party has ‘lawful authority’ to intercept a communication. These exceptions, which enable intelligence services and law enforcement bodies to monitor many digital communications, are discussed in section 4.2.

17.124  Interception warrants. The general interception regime is governed by RIPA (as amended or replaced by the 2016 Bill), which recognises two distinct classes of data that may be intercepted: communications data, and the content of communications. Different conditions apply to interception of each class of data. In general, more stringent conditions apply to contents, while less stringent conditions apply to metadata.

17.125 Clause 2(1) of the 2016 Bill makes it an offence for a person to intercept communications in the course of their transmission on a public network.138 That provision states:

A person commits an offence if —

(a) the person intentionally intercepts any communication in the course of its transmission by means of—

(i) a public telecommunication system; [or]

(ii) a private telecommunication system;...

(b) the interception is carried out in the United Kingdom; and

(c) the person does not have lawful authority to carry out the interception.

17.126  Elements of the offence. The actus reus of this offence is composed of four elements. First, there must be an act of interception. ‘Interception’ is defined in clause 3 of the 2016 Bill to mean the modification of or interfering with a system, or the monitoring of transmissions made by means of the system (or wirelessly to or from the system), so as to make available ‘some or all of the content of the communication’ to a person who is not its sender or intended recipient.139 Examples may be eavesdropping electronically on a mobile telephone conversation or voicemail message, or a man-in-the-middle attack to redirect or access web traffic. Capturing packet streams transmitted on a wireless network may also amount to interception if it results in at least some of the contents of messages being rendered intelligible. Given the breadth of the definition, almost any form of unauthorised monitoring of digital transmissions could involve an ‘interception’.

17.127  Scope of ‘interception’. In Liberty v Government Communications Headquarters, it was common ground that

interception can simply comprise the obtaining and recording of a communication (as it is being transmitted), so as to make it available subsequently to be read, looked at or listened to by a person: no one in fact needs actually to have read, looked at or listened to the communication for interception to occur.140

17.128  Private networks. The offence of unlawful interception can be committed in respect of communications transmitted by means of private telecommunications systems. However, it will not be an offence to intercept a communication on such a system if the intercepting party has the ‘right to control the operation or use of the system’ or has the ‘express or implied consent of such a person’ to carry out the interception. This ensures that Local Area Networks operated by employers, private educational or healthcare institutions, and other private infrastructure may be monitored by, or under the direction of, the network operator. The exception for express or implied consent also appears to deal with the need for security or penetration testing.

17.129  The ‘course of transmission’. Second, the interception must be of a communication while it is in the course of transmission. The concept of a ‘communication’ appears to be very wide, and may contain almost any kind of information provided it is structured into a message unit in some way. However, the time when interception occurs is important: it must occur during the period while the communication is being sent from the sender to its intended recipient, and while being sent on a network in the United Kingdom (which may be a subset of the overall transmission path). No offence would be committed if a transmission were intercepted while it was abroad or once it had entered a private network under the control of the intercepting party.

17.130  Accessing stored communications. Although one might expect that there would be no offence under section 2(1) if previously transmitted information were accessed from a passive storage medium while no transmission was taking place,141 clause 3(4) of the 2016 Bill extends the times while a communication is being transmitted to include any time when the communication is stored in or by the telecommunication system. It is ‘readily apparent from the plain words’ of section 2(7) of RIPA (the predecessor of clause 3(4) of the 2016 Bill) that there may be an unlawful interception even where a message has been initially heard or read by the recipient but left on a storage medium such as a voicemail system.142 In a passage approved by the Court of Appeal in Coulson, Fulford LJ explained that:

the period of storage covered by [sections 1(1) and 2(7)] does not come to an end on first access or collection by the intended recipient, but it continues for so long as the system is used to store the communication, and whilst the intended recipient has access to it in this way. In a comprehensive fashion, this covers the vice that in my view the provision was intended to address, namely unauthorised access to communications, whether oral or text, whilst they remain on the system by which they were transmitted.143

17.131  Transmission by means of a telecommunications system. Third, the transmission must occur by means of (inter alia) a public or private telecommunications system.144 A question arises about communications sent by means of networks which are partly public and partly private: if interception occurs while such communications are being transmitted in a public telecommunication system, it seems arguable that such an interception could not be authorised by the operator or controller of the private system.

17.132  Absence of lawful authority. Finally, the interception must be without lawful authority. The meaning of ‘lawful authority’ is discussed in section 4.2. Clauses 37 to 45 of the 2016 Bill set out a number of circumstances in which interception will always be authorised. These include acts of interception carried out by a telecommunications provider: (1) for the purpose of operating or providing its service (including combating or preventing threats to the service or network equipment); (2) to enforce any enactment relating to the content of transmitted communications; and (3) for ‘preventing or restricting the viewing or publication of the content of communications’. An example of the latter kind of interception may be website blocking.

17.133  Public interest. It is notable that there is no public interest defence to the offence defined in clause 2(1). As the Court of Appeal noted in R v Coulson,145 this is quite unlike the computer hacking offences defined in the Computer Misuse Act 1990 and data processing offences under the Data Protection Act 1998.146 This reflects a legislative intention to protect transmissions from unauthorised access to a greater extent than stored personal data and computer systems.

17.134  Mens rea. The mens rea of the interception offence is intention. That is, the person carrying out the act of interception must specifically intend to intercept the communication. Whether they must intend to intercept that communication (as distinct from any other communication) seems doubtful, since the mischief addressed by the section is plainly not limited to the interception of communications whose identity or contents are already known. It therefore appears sufficient to intend the act of interception.

17.135  Overview. There are a number of circumstances in which an interception will occur ‘with lawful authority’ for the purposes of clause 2(1). The most obvious case is that of a warrant issued by the Secretary of State which authorises the conduct in question pursuant to a targeted interception warrant, mutual assistance warrant, targeted interference warrant, a bulk interception warrant, or a bulk equipment interference warrant.147

17.136  Targeted interception. Statutory warrants may only be issued in specified circumstances—in the case of targeted interception warrants, if the Secretary of State believes that the warrant is necessary for a relevant purpose, and proportionate to what is sought to be achieved by the interception.148 Such warrants must be ‘necessary’ in the interests of national security, for the purpose of preventing or detecting serious crime, for the purpose of safeguarding the economic wellbeing of the United Kingdom, or for giving effect to a relevant international mutual assistance agreement. Additionally, the warrant must have been approved by a relevant judicial officer (known as a ‘Judicial Commissioner’), who must independently review the necessity and proportionality of the warrant.149 Warrants must normally relate to a particular person or organisation, or a single set of premises, and must contain certain other details. Targeted interception warrants may be broader, and relate to a group of persons with a common purpose of activity, or to multiple persons or organisations if the authorised conduct is for the same investigation or operation.150

17.137  Development of new capabilities. Additionally, a targeted interception warrant may relate to ‘the testing, maintenance or development of apparatus, systems or other capabilities relating to the interception of communications in the course of their transmission by means of a telecommunication system or to the obtaining of related communications data’, or to training persons to carry out interception.151 This is an extremely broad power, which appears to be capable of requiring a telecommunications operator to develop new technology for the purpose of intercepting communications.

17.138  Maintenance of capabilities. Under clause 217 of the 2016 Bill, providers of telecommunications services may be ordered by the Secretary of State to develop or maintain technical capabilities to provide assistance in relation to matters including interception warrants. Before such an obligation may be imposed, the Secretary of State must consider it reasonable to do so, and practicable to comply, and must consult with affected service providers and technical advisors. Most significantly, these obligations can relate to ‘the removal of electronic protection applied by a relevant operator to any communications or data’. The drafting is regrettably Delphic, but seems designed to encompass the removal of encryption, passwords, and other devices which inhibit access to intercepted material—but only to the extent that those protections are ‘applied by a relevant operator’ upon whom the obligation has been imposed. It would, of course, be wholly impracticable and unreasonable for a network-layer intermediary (eg an ISP) to be required to remove encryption applied by a third party (eg WhatsApp).

17.139  Proportionality considerations. When considering the proportionality of an interception warrant, it will normally be appropriate to balance the likely nature and degree of intrusion it represents against the necessity of doing so. This will involve considering the nature of the information being sought, the seriousness of the potential harm to the public of not obtaining the information, and the existence or absence of alternative means of acquiring it.

17.140  Safeguards. Interception of communications and related communications data obtained pursuant to an interception warrant are subject to a number of safeguards. Their details are often left to delegated legislative powers and details of how the safeguards are applied in practice are not publicly available. However, the intercepted material must not be accessed, disclosed, copied, or retained beyond the minimum that is ‘necessary’ for the authorised purposes.152 Necessity is given a broad statutory meaning, which includes ‘facilitating the carrying out’ of functions by the intercepting public authority, the Secretary of State, external regulators, or for certain record-keeping activities.153

17.141  Statutory rules. Lawful authority may also be conferred by another statutory provision. For example, in R v Mahmood (Asad), the issue was whether ‘blanket’ interception of the telephone calls of inmates in two prisons was a breach of section 1(1) of RIPA. The prosecution successfully argued that interception was lawful because it was carried out pursuant to a power conferred by rules made under a statutory provision.154 The Court concluded that the relevant prison rules created a regime that was intended to permit conditions to be imposed upon the telephone calls made by prisoners both generally and in particular cases. Those conditions included an ability to intercept the communications lawfully.

17.142  GCHQ operations. Another potential source of lawful authority is section 3 of the Intelligence Services Act 1989, which sets out the statutory functions and powers of GCHQ.155 Those functions include the monitoring or interference with ‘electromagnetic, acoustic and other emissions and any equipment producing such emissions’ and obtaining and providing ‘information derived from or related to such emissions or equipment and from encrypted material’.156 Such functions must be exercised only in the interests of specified purposes, such as national security and in support of the prevention or detection of serious crime.157 This suggests that lawful interception may include the decryption of communications data and their content in the course of relevant intelligence-gathering activity. The exercise of such powers is subject to external scrutiny by the Intelligence and Security Committee of Parliament and by the Interception of Communications Commissioner.158 Further, to be exempt from civil liability, the exercise of the power must involve conduct which might reasonably have been expected in the case in question.159

17.143  Functions of the intelligence services. Similarly, section 19(2) of the Counter-terrorism Act 2008 confirms that any information obtained by one of the intelligence services when exercising their functions ‘may be used by that service in connection with the exercise of any of its other functions’. In other words, intercepted communications may be combined with other data and used for other purposes, provided those purposes fall within the statutory authority of the relevant organisation. In some instances, this will permit disclosure of intercepted information by MI5 and MI6, who possess a limited statutory authority to do so for specified purposes (including ‘national security’ and the prevention or detection of serious crime) under sections 19(3) and (4) of the 2008 Act.

17.144 Most large British internet intermediaries (and other communication service providers) have disclosure departments dedicated to handling requests under interception warrants. Best practice dictates that a service provider’s disclosure systems should be secure and include audit trails containing details of law enforcement requests and the service provider’s responses to them. Those details would typically include the name of the public authority acquiring data, the data description, and the statutory purpose of disclosure. That information is periodically used for auditing and scrutiny by external regulators,160 but is not normally disclosed to the public.
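One way to build the audit trail described in paragraph 17.144 so that later alteration or removal of an entry is detectable, shown as an added example rather than any provider's or regulator's actual system. The chapter says only that the trail should be secure; hash chaining, the class and field names, and the sample entries are assumptions of this example.

```python
"""Added example: hash-chained audit trail for disclosure requests."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Sequence

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class DisclosureEntry:
    received: str            # ISO 8601 time the request was received
    public_authority: str    # name of the authority acquiring the data
    data_description: str    # what was asked for
    statutory_purpose: str   # purpose stated in the request
    response: str            # what the provider did
    prev_hash: str           # entry_hash of the preceding entry
    entry_hash: str          # SHA-256 over all fields above


def digest(fields: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DisclosureAuditTrail:
    """Append-only log; each entry commits to the one before it."""

    def __init__(self) -> None:
        self._entries: List[DisclosureEntry] = []

    def append(self, received: str, public_authority: str,
               data_description: str, statutory_purpose: str,
               response: str) -> DisclosureEntry:
        body = {
            "received": received,
            "public_authority": public_authority,
            "data_description": data_description,
            "statutory_purpose": statutory_purpose,
            "response": response,
        }
        for name, value in body.items():
            if not value.strip():
                raise ValueError(f"{name} must not be blank")
        body["prev_hash"] = self.head()
        entry = DisclosureEntry(**body, entry_hash=digest(body))
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; lodge it outside the system (eg with the auditor)."""
        return self._entries[-1].entry_hash if self._entries else GENESIS

    def entries(self) -> List[DisclosureEntry]:
        return list(self._entries)


def first_invalid(entries: Sequence[DisclosureEntry],
                  expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that fails verification.

    Returns len(entries) when the chain is internally consistent but does
    not end at expected_head (entries were dropped from the tail), and
    None when everything checks out.
    """
    prev = GENESIS
    for index, entry in enumerate(entries):
        body = asdict(entry)
        claimed = body.pop("entry_hash")
        if body["prev_hash"] != prev or digest(body) != claimed:
            return index
        prev = claimed
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def build_sample_trail() -> DisclosureAuditTrail:
    """Three constructed entries; authorities and requests are invented."""
    trail = DisclosureAuditTrail()
    trail.append("2016-01-04T09:00:00Z", "Example Police Force (constructed)",
                 "subscriber details for one IP address at a stated time",
                 "preventing or detecting crime", "disclosed")
    trail.append("2016-01-05T14:30:00Z", "Example Agency (constructed)",
                 "connection records for one account, 7 days",
                 "national security", "disclosed in part")
    trail.append("2016-01-06T11:15:00Z", "Example Police Force (constructed)",
                 "connection records for one device, 30 days",
                 "preventing or detecting crime",
                 "not reasonably practicable: data not held")
    return trail


if __name__ == "__main__":
    sample = build_sample_trail()
    print(first_invalid(sample.entries(), sample.head()))
```

A plain hash chain can be recomputed wholesale by anyone able to rewrite the entire log, which is why the head value is compared against a copy held outside the disclosure system.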

17.145  Overview. Equipment interference is the obtaining of access to electronic equipment (such as a computer or smartphone) without the authorisation of its owner—in essence, state-sanctioned hacking. This conduct would otherwise be unlawful if performed by a private citizen or the government without lawful authority, since it would involve offences under the Computer Misuse Act 1990 or acts of unauthorised interception. The 2016 Bill provides for the grant of equipment interference warrants to members of the security and intelligence agencies, law enforcement, and the armed forces. The following paragraphs provide an overview of these powers.

17.146 The Bill draws a distinction between three kinds of interference warrants. Each authorises different conduct and may be sought in different circumstances. In general terms, these warrants allow the authorised person to gain access to, and interfere with, computing devices, mobile phones and their radio signals, and other electronic equipment. They will replace the existing (and somewhat opaque) general property interference powers under the Intelligence Services Act 1994 and Police Act 1997.

17.147  Targeted interference. First, ‘targeted equipment interference warrants’ authorise a person to secure interference with particular equipment in order to obtain communications, private information, or equipment data.161 These warrants can relate to equipment associated with a particular person, organisation, or group; equipment in a particular location; equipment used for described activity; or for testing.

17.148  Bulk interference. Second, ‘bulk equipment interference warrants’ authorise a person to intercept overseas-related communications and obtain related communications metadata.162 The main purpose of these warrants is to enable the addressee to obtain overseas-related communications, private information, and equipment data. The concept of an ‘overseas-related’ communication is discussed in section 4.4.

17.149  Targeted examination. Third, ‘targeted examination warrants’ permit a person to examine material previously obtained and selected under a bulk equipment interference warrant.

17.150  The concept of ‘interference’. The 2016 Bill does not give a general definition of the kinds of interference able to be rendered permissible under an equipment interference warrant. However, it appears that the concept of ‘interference’ is at least as wide as the conduct proscribed by sections 1 to 3A of the Computer Misuse Act 1990. The examples given include the following: (1) monitoring, observing, or listening to a person’s communications or other activities; and (2) recording anything that is monitored, observed, or listened to.163 It is apparent that the concept of interference is much wider than that of ‘interception’ because, in addition to communications and metadata, interference may relate to private information and equipment data that have not been communicated.

17.151  Particular kinds of interference. For obvious reasons, detailed information about the kinds of interference techniques employed by the security services is not publicly available. However, one may speculate that the likely techniques include: installing ‘rootkits’, Trojans and other kinds of spyware on a target device; monitoring keystrokes and other activity using a keylogger; obtaining access to files on a remote system; damaging or disabling a computer system; transcribing, listening to, or matching voice and text communications; impairing or disabling access to a network or remote host; defeating cryptography; and impersonating other equipment or users in order to gain access to information.

17.152  Wireless interference. Where ‘interference’ is considered in the context of wireless telegraphy (eg mobile phone communications) the definition from the Wireless Telegraphy Act 2006 applies.164 According to section 115(3) of that Act, interference with wireless telegraphy requires some prejudice to the purposes of the telegraphy caused by an emission or reflection of electromagnetic energy. This appears to encompass conduct blocking or jamming the reception of wireless signals in a manner that impairs their ability to be received by their intended recipients.

17.153  Equipment data. The concept of interference includes obtaining access to ‘equipment data’, which is defined to mean data or metadata facilitating the functioning of the system or apparatus (or associated service) on which the data are held.165 The data must be separate to, or capable of being logically separated from, the content of a communication or item of private information. Examples of equipment data include data identifying the user of an apparatus, data identifying an event, and data identifying the location of any person, event or thing. This might provide an indirect basis for compelling an intermediary or hardware manufacturer to provide access to encrypted data stored on a user’s device (eg a smartphone or laptop).

17.154  Prohibition of unauthorised interference. The starting point is that, without authorisation, an intelligence service (defined to mean the Security Service, Secret Intelligence Service, GCHQ, or Ministry of Defence)166 may not engage in conduct that could be authorised by an equipment interference warrant if it considers that (1) the conduct would fall within sections 1 to 3A of the Computer Misuse Act 1990 if done without lawful authority, and (2) the conduct has a connection to the British Islands (eg because the conduct would take place there, would affect equipment there, or would aim to obtain information about a person located there).167

17.155  Procedure for grant. Obtaining an equipment interference warrant will require the intelligence services to obtain the approval of the Secretary of State, while law enforcement bodies must obtain approval from the Chief Constable. In either case, the granter must determine that the warrant is necessary and proportionate to what is sought to be achieved by the authorised conduct. The warrant must also be approved by the Judicial Commissioner and, if the warrant will relate to communications sent by or to a Member of Parliament, the Secretary of State must first consult the Prime Minister.168

17.156  Relevant purposes. Equipment interference is reserved for the most serious cases of actual or threatened wrongdoing. The equipment interference applied for must be necessary in the interests of national security, for the purpose of preventing or detecting serious crime, or to preserve the economic wellbeing of the United Kingdom insofar as relevant to national security. At the time of writing, it remains to be seen whether these powers will be enacted in the 2016 Bill and, if they are, how they will be regulated and applied.

17.157  Bulk interception warrants. Chapter 1 of Part 6 of the 2016 Bill establishes a regime for the grant of authorisations to intercept, obtain, and search unspecified communications which are overseas-related. This is a much broader power than targeted interception, which ordinarily requires that a warrant relate to specified persons or premises.

17.158  Overseas-related communications. Where the act of interception takes place inside the United Kingdom, bulk interception warrants may only relate to overseas-related communications. Clause 119(3) defines this to refer to communications which are either sent or received by individuals who are outside the British Islands.169 Because a communication may fall within the definition if either its sender or receiver is located outside the British Islands, it is apparent that many such communications may also have a local character.

17.159  External interception. An act of interception only falls within the scope of the statutory interception offence if it takes place in the United Kingdom.170 Accordingly, acts of interception undertaken by foreign intelligence services, or by local intelligence services acting abroad, would not be covered if the relevant modification, interference, or monitoring of communications was not effected by conduct within the United Kingdom, and the communication was not intercepted in the course of its transmission in a British telecommunication system. This would mean that no bulk interception warrant would be required.

17.160  Authorised conduct. A bulk interception warrant may only authorise four activities: (1) interception of overseas-related communications; (2) obtaining related communications data, insofar as it is logically associated with the communications but can be logically separated from their contents; (3) selecting intercepted material or its metadata for examination using ‘selectors’ (eg search terms or other filtering criteria) in order to identify specific communications of interest; and (4) disclosure of anything obtained under the warrant to the addressee.171 Importantly, selectors may be applied to both communications metadata and the communications themselves. However, examination of specific communications requires a separate authorisation called a ‘targeted examination warrant’.

17.161  Conditions for grant. A bulk interception warrant may only be granted by the Secretary of State if it is considered necessary and proportionate for a specified operational purpose. The relevant purposes are preventing or detecting serious crime and preserving the economic wellbeing of the United Kingdom insofar as related to national security and an overseas person.172 Such a warrant must also be approved by a Judicial Commissioner.173 Its duration may not exceed 6 months, subject to the possibility of renewal.174

17.162  Effect on telecommunications operators. If a warrant is likely to affect a telecommunications operator outside the United Kingdom, then the Secretary of State must consult the operator before issuing the warrant. He or she must also take into account the likely benefits of the warrant, the number of affected users, and the technical feasibility, costs, and other effects of the warrant on the operator.175

17.163  Effect of bulk interception warrants. Once a bulk interception warrant has been issued, it is likely to permit a similar range of conduct to the warrants previously issued under section 8(4) of RIPA. Such warrants authorised the intercepting party (such as GCHQ) to identify and select overseas-related communications matching the specified descriptions, which were usually given by reference to specific criteria, called ‘selectors’, such as email addresses, IP addresses, or usernames. Selectors can be extremely versatile, allowing communications to be targeted on the basis of keywords in their content, identification of their subject matter, their relation to any number of persons or groups of interest, or their transmission by means of a particular service. Such a description might encompass a vast number of communications that involve millions of individuals.

17.164  Overview. Following the disclosures made by the former National Security Agency contractor, Edward Snowden, it became public that the United States government was operating intelligence programmes known as ‘PRISM’ and ‘Upstream’. The existence of those programmes has now been publicly acknowledged. In broad terms, they involve the interception of communications from a range of application- and network-layer internet intermediaries, including ISPs, social networks, hosts, network backbones, and issuers of cryptographic certificates.176 According to leaked documents, the programmes’ stated aim is to target foreign intelligence targets rather than domestic communications.

17.165  Types of interception. PRISM operates by copying data stored by internet services pursuant to judicial supervision, while the Upstream programme intercepts internet communications ‘as they transit the internet’.177 Because many England-to-England communications will transit through American infrastructure, PRISM will inevitably involve the interception of a significant proportion of communications which are otherwise of a domestic or British character. For example, messages sent via Gmail, Facebook, or almost any other application-layer internet intermediary may be intercepted.

17.166  Legislative basis under United States law. In Liberty v GCHQ, it was assumed that PRISM and Upstream were lawful under United States law, which authorised ‘the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information’.178 Access to intercepted data is by judicial authorisation from the Foreign Intelligence Surveillance Act Court and must relate to specific cases. Except as publicly acknowledged by the United States government, the programme falls under the ‘Neither Confirm Nor Deny’ policy of the British intelligence services. Accordingly, this section assumes that the publicly available materials are accurate.

17.167 According to the Intelligence and Security Committee, in each case where GCHQ sought information from the American intelligence services, an interception warrant (presumably under section 8(4)) was in place in accordance with RIPA.179

17.168  Circumstances of review. In Liberty v GCHQ, the Investigatory Powers Tribunal was asked to consider whether the retention, use, and disclosure of communications obtained from the American authorities via the PRISM programme satisfies the requirement in article 8(2) of the Convention that interferences with the right to private and family life be prescribed ‘in accordance with the law’.

17.169  Interference with the right to private life. The Tribunal agreed that article 8 rights were clearly engaged by bulk interception. To be in accordance with the law, such an interference must satisfy two requirements. First, it must not ‘be an unfettered discretion for executive action’; that is to say, there must be adequate safeguards. Second, the constraining rules must be clear; that is to say, an ‘adequate indication’ of their ambit must be in the public domain, ‘so that the existence of interference with privacy may in general terms be foreseeable.’180

However, the Tribunal accepted that the degree of foreseeability required of a national security measure is lower than in other fields.181

17.170  Internal safeguards and procedures. The Tribunal conducted closed hearings to examine the ambit of the safeguards governing the retention and use of PRISM data. It considered that the requirements under RIPA for section 8(1) or 8(4) warrants were sufficiently clear signposts of the rules for intercepting communications. Because GCHQ treated all intercepted data ‘as if it were obtained under RIPA’, those rules and procedures, although ‘below the waterline’ of public scrutiny, were adequate to ensure compliance with the statutory framework and the Convention.

17.171  The impact of public disclosure. Insofar as discretion existed, it was sufficiently circumscribed to protect against arbitrary interference with article 8 rights.182 The Tribunal placed significant weight on the external oversight arrangements, including by the Intelligence and Security Committee, the Interception of Communications Commissioner, and the Tribunal itself. Further, the rules governing bulk interception were sufficiently accessible to the public by virtue of recent statements by the Intelligence and Security Committee, the evidence tendered in the proceedings, and the Tribunal’s judgment itself. In this regard, the Tribunal left open the possibility that there may have been a breach of article 8 prior to the extent of public disclosure that was given during the proceedings.183

17.172  Contraventions occurring before public disclosure. In a subsequent decision, the Tribunal held that, at the relevant time, the scope of the discretion available to the intelligence services in respect of communications intercepted via PRISM or Upstream was not indicated with sufficient clarity.184 This reflects the approach adopted by the European Court of Human Rights in Liberty v United Kingdom, which proceeded on the basis of the facts concerning domestic law at the time when the complaint was made.185 Accordingly, the Tribunal made a declaration that (prior to the disclosures in the first and second Tribunal judgments), the regime applicable to communications obtained via PRISM or Upstream contravened articles 8 and 10 of the Convention, but now complies.186

17.173 Limited public information exists surrounding the alleged capability of the British intelligence services which is known as ‘Tempora’. No explanation was given to the Tribunal in Liberty, other than that warrants are obtained by GCHQ under section 8(4) of RIPA. According to the claimants’ submissions, the programme involves bulk data interception by means of apparatus attached to fibre optic cables, pursuant to which communications and communications data may be retained for an indefinite period, rendered searchable according to search terms, analysed, and shared with public authorities and foreign governments.187

17.174 One might question, as the Tribunal did in Liberty, whether the distinction between ‘overseas-related’ and ‘internal’ communications makes sense in a cloud-based transmission environment. Communications by and between British subjects will routinely be stored externally, and many communications whose content is of a purely domestic character will be transmitted across external links before being received and stored internally. Most large internet intermediaries maintain distributed infrastructure in which both internal and external systems are used to transmit and store digital communications, and it may be a matter of chance (or perhaps network congestion) which link or system is used for any given communication. In short, almost all internet traffic could potentially involve an ‘overseas-related’ element, which makes the distinction largely meaningless.

17.175 In Liberty v GCHQ, the Tribunal concluded that the practice of granting section 8(4) warrants was in accordance with law and subject to sufficiently accessible safeguards. In particular, the examination of intercepted material was subject to safeguards under section 16 of RIPA, which meant that it could only be lawfully accessed, used, and retained for the permitted statutory purposes. As a result, warranted interception was proportionate. Further, it was subject to the same safeguards and scrutiny as PRISM data, which was, at least in light of the disclosure which was made in that case, adequate and accessible.

17.176  Scale of intrusion. Following Edward Snowden’s publication of information about American and British bulk interception programmes in 2013, public criticism was levelled at the scale and intrusiveness of those programmes, and at their lack of transparency and oversight. It now seems likely that bulk interception is both lawful and has resulted in comparatively few citizens’ private communications being examined (at least relative to the total number of internet communications).

17.177  Independent review. In its 2015 special report to Parliament, the Intelligence and Security Committee concluded that such interception was designed to be targeted and focused on the communications likely to be most relevant to national security:

Our scrutiny of GCHQ’s bulk interception via different methods has shown that while they collect large numbers of items, these have all been targeted in some way. Nevertheless, it is unavoidable that some innocent communications may have been incidentally collected. The next stage of the process—to decide which of the items collected should be examined—is therefore critical. For one major method, a ‘triage’ process means that the vast majority (***%) of the items collected are never looked at by an analyst. For another major method, the analysts use the search results to decide which of the communications appear most relevant and examine only a tiny fraction (***%) of the items that are collected. In practice this means that fewer than *** of ***% of the items that transit the internet in one day are ever selected to be read by a GCHQ analyst. These communications—which only amount to around *** thousand items a day—are only the ones considered to be of the highest intelligence value. Only the communications of suspected criminals or national security targets are deliberately selected for examination.188

17.178 The Committee concluded that bulk interception was a ‘valuable capability’ that enabled the intelligence agencies to identify unknown threats. They did not consider that it was acceptable to allow terrorist attacks to happen in order to uphold individual rights of privacy. Instead, they recommended that the capability be maintained subject to appropriate controls and safeguards.189

Notes
1

Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources, EU:C:2013:845, EU:C:2014:238 [2015] QB 127 (‘Digital Rights Ireland’).

2

The term derives from Philip Bagley, ‘Extension of Programming Language Concepts’ (1968) 26.

3

See American Civil Liberties Union v Clapper, Case No 13-cv-03994 (SDNY, 2013) (Declaration of Professor Edward Felten) [46].

4

An entity is any ‘person or thing’: Investigatory Powers Bill 2016 cl 223(7).

5

Cf Regulation of Investigatory Powers Act 2000 s 21(4); Data Retention Regulations 2014 regs 2–3; Data Retention (EC Directive) Regulations 2009 reg 2(b) (which are to be replaced by 2016 Bill cl 223(3)–(5)).

6

See chapter 14, section 2.1 for an explanation of IP addresses.

7

See 2016 Bill cl 78(9). The expression also includes internet connection records: see paragraph 17.104.

8

Investigatory Powers Bill 2016 cl 223(5)(a)–(c).

9

Investigatory Powers Bill 2016 cl 223(5)–(6).

10

Eg the header of a HTTP GET request would be traffic data, but only insofar as it discloses the destination of the remote host (such as a domain name, server, or IP address). The remote URL, and any details of a form query submitted by the user, would not be communications data but rather the content of the communication. Thus, in the request ‘https://www.google.co.uk/?q=how+to+change+a+tyre’, only the target host (google.co.uk) would be retainable communications data: see Acquisition and Disclosure Code [2.25].

11

Regulation of Investigatory Powers Act 2000 s 21(7). See also 2016 Bill cl 224(4).

12

PEC Directive arts 5, 6, 9. See chapter 10, section 2.3 for further discussion of the PEC Directive.

13

PEC Directive arts 6, 9.

14

See, eg, PEC Directive art 15(1). See also Data Protection Directive art 13(1).

15

See European Commission, Evaluation Report on the Data Retention Directive (18 April 2011), COM(2011) 225 final, 3–4 (‘Evaluation Report’).

16

Case C-275/06 [2008] ECR I-271, [53].

17

[2012] EWCA Civ 232, [80]–[81] (Richards LJ) (Arden and Patten LJJ agreeing).

18

See chapter 10, section 1 for further discussion of the Data Protection Directive.

19

Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105/54. It appears that the United Kingdom government was one of the primary proponents of the Directive.

20

Franziska Boehm and Mark Cole, ‘Data Retention after the Judgement of the Court of Justice of the European Union’ (30 June 2014) 12.

21

See Intelligence and Security Committee of Parliament, Privacy and Security: A Modern and Transparent Legal Framework (2015) 1.

22

See chapter 4, section 2 for further discussion.

23

See European Commission, ‘Evidence for Necessity of Data Retention in the EU’ (March 2013) 4. The Commission reports that 15 threats to carry out massacres in schools were investigated by Swedish police in just one year using ISP data.

24

Even then, the reality is that many criminals are likely to take steps to obscure their identities using a range of tools such as those discussed in chapter 14, section 2.6.

25

European Commission, n 23, 10.

26

See Decision of 2 March 2010, Joined Cases 1 BvR 256/08, 1 BvR 263/08, and 1 BvR 586/08, Bundesverfassungsgericht (German Constitutional Court) 833. See also Eleni Kosta, ‘The Way to Luxemburg: National Court Decisions on the Compatibility of the Data Retention Directive with the Rights to Privacy and Data Protection’ (2013) 10 SCRIPTed 339, 350–2.

27

European Commission, n 23, 6.

28

See Telecommunications Act 1984; Security Service Act 1989; Intelligence Services Act 1994; Regulation of Investigatory Powers Act 2000; Wireless Telegraphy Act 2006; Counter-terrorism Act 2008.

29

The assistance of service providers could also be sought otherwise than by agreement, by means of a warrant authorising the interference with wireless telegraphy or property by the Intelligence Service, the Security Service, or GCHQ: see Intelligence Services Act 1994 s 5(2).

30

See Code [20], [23]–[24]. The costs of data retention are considered further in chapter 18.

31

Anti-terrorism, Crime and Security Act 2001 s 102(3).

32

The Retention of Communications Data (Code of Practice) Order 2003 (SI 2003/3175).

33

Until 2016, the Code was largely subsumed within the Retention of Communications Data Code of Practice issued under s 71 of RIPA: see para 17.50. However, the Investigatory Powers Bill 2016 would, if enacted, repeal the statutory basis of the Code: see paragraph 17.36.

34

See Code [19].

35

These logs exclude the content of communications, but may include details of URLs visited and IP addresses used and accessed (from which some details of content may be inferred): Code appendix A.

36

Anti-terrorism, Crime and Security Act 2001 s 102(4), (5).

37

See Data Protection Act 1998 ss 28(1), 29(1), 35(1).

38

See RIPA s 65(2)–(4).

39

Anti-terrorism, Crime and Security Act 2001 s 104(2).

40

Anti-terrorism, Crime and Security Act 2001 s 104(6), (7).

41

The Retention of Communications Data (Further Extension of Initial Period) Order 2005 (SI 2005/3335).

42

See Investigatory Powers Bill 2016, sch 10, para 58.

43

Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105/54 (‘Data Retention Directive’).

44

Ireland v European Parliament [2009] ECR I-593, [64], [70]; Digital Rights Ireland, [24].

45

See Data Retention Directive recital (21), art 1(1).

46

See chapter 10, section 2.3 for further discussion.

47

See Data Protection Directive art 13(1); PEC Directive art 15(1).

48

See Digital Rights Ireland, [36] (Advocate General), [32]. See Data Retention Directive art 11 (exempting data retained under the Directive from art 15(1) of the PEC Directive).

49

Data Retention Directive arts 5(1), 5(2).

50

Data Retention Directive art 6.

51

Data Retention Directive arts 7, 8.

52

Digital Rights Ireland, [37].

53

Digital Rights Ireland, [56].

54

Digital Rights Ireland, [58]–[59].

55

Digital Rights Ireland, [60]–[62].

56

Digital Rights Ireland, [63]–[64].

57

Digital Rights Ireland, [66].

58

Digital Rights Ireland, [67].

59

This aspect of the reasoning is puzzling, given that art 7(1) of the Directive largely mirrored the seventh data protection principle. If service providers were not permitted to take account of costs, it is difficult to see how that would strike a fair balance between data protection and freedom of business.

60

See Data Retention (EC Directive) Regulations 2009 (SI 2009/859) (now repealed).

61

Explanatory Notes, Data Retention and Investigatory Powers Bill (House of Commons, 14 July 2014) [3].

62

The 2014 Act extended the 2003 Code in a number of ways, by providing for mandatory retention, longer retention periods, and wider classes of retainable data: see 2014 Act s 1(7).

63

Retention of Communications Data (Code of Practice) Order 2015. See generally Judith Rauhofer, Wiebke Abel, and Ian Brown, ‘A First Look at the Constitutional and Legal Implications of the Data Retention and Investigatory Powers Act 2014’ (2014) 11 SCRIPTed 320 for commentary.

64

[2015] EWHC 2092 (Admin) (‘Davis’).

65

Davis, [89] (Bean LJ and Collins J).

66

Davis, [91], [98], [114] (Bean LJ and Collins J).

67

Secretary of State for the Home Department v Davis [2015] EWCA Civ 1185, [76], [80].

68

See Decision G47/2012 (Federal Constitutional Court, 27 June 2014) (Austria); Decision 84/2015 (Constitutional Court, 11 June 2015) (Belgium); Case No C/09/480009/KG ZA 14/1575 (District Court of The Hague, 11 March 2015) (The Netherlands); Decision No 440 (Constitutional Court, 8 July 2015) (Romania); Decision PL US 10/2014 (Constitutional Court, 29 April 2015) (Slovakia); Decision U-I-65/13-19 (Constitutional Court, 3 July 2014) (Slovenia).

69

Case C-203/15, Tele2 Sverige AB v Post-och telestyrelsen (reference dated 4 May 2015).

70

2016 Bill cl 78(7). The requirements are broadly similar to ss 1 and 2 of the 2014 Act.

71

2016 Bill cl 84(2).

72

2016 Bill cl 78(2)(a), (b).

73

2016 Bill cl 78(2)(c), (f).

74

2016 Bill cl 78(1).

75

Providing ‘access to’ or ‘facilities for making use of’ a telecommunications service include ‘facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system’: 2016 Bill cl 223(11)–(13) (in identical terms to RIPA s 2(8A)).

76

2016 Bill cls 84(5), 86(2).

77

This is likely to operate in a similar manner to Retention Code para [2.6].

78

See para 17.44.

79

See The Rugby Football Union v Viagogo Ltd [2011] EWCA Civ 1585, [10], [29] (Longmore LJ); aff’d [2012] 1 WLR 1333. Cf Case C-73/07, Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy [2008] ECR I-9831, [56].

80

See 2016 Bill cl 79(1).

81

2016 Bill cl 79(2).

82

Cf Retention Code [3.8].

83

These are communications data which are generated or processed by a telecommunications operator and which may be used to identify a telecommunications service to which a communication is transmitted. 2016 Bill cl 54(6). Besides an IP address, it may include a cryptographic key, email address, username, hostname, port numbers, MAC addresses, IMSI codes, or conceivably any other way of identifying a computer system, network host, or device.

84

2016 Bill cl 78(9).

85

2016 Bill cl 78(7)(b).

86

The ‘apparatus’ includes ‘any equipment, machinery or device (whether physical or logical) and any wire or cable’: 2016 Bill cl 225(1) (definition of ‘apparatus’).

87

See Home Office, Acquisition and Disclosure of Communications Data: Code of Practice (4 March 2015) [2.26] (‘Acquisition and Disclosure Code’). Note that this Code does not apply to data retention, but provides relevant guidance on the definitions.

88

This requirement reflects Counter-terrorism and Security Act 2015 s 15, which amended the definition of ‘communications data’ in the 2014 Act to include a new category of retainable data, known as ‘relevant internet data’.

89

Explanatory Note, Counter-terrorism and Security Act 2015, [96].

90

See Counter-terrorism and Security Act 2015 s 21(3) (specifically sub-para (c)).

91

2016 Bill cl 78(3).

92

2016 Bill cl 78(5).

93

2016 Bill cl 78(4).

94

2016 Bill cl 81(1)(a).

95

See also Retention Code [6.13]–[6.15].

96

2016 Bill cl 81(1)(b).

97

See also Retention Code [6.9]. The requirements under the 2016 Bill have not yet been confirmed.

98

2016 Bill cl 81(1)(c).

99

See also Retention Code [6.16].

100

See chapter 10, section 2.1.

101

2016 Bill cl 225(1) (definition of ‘destroy’).

102

2016 Bill cl 81(3).

103

2016 Bill cl 81(2).

104

2016 Bill cl 78(8)(a).

105

2016 Bill cls 78(7)(e), 213(7).

106

See chapter 18, section 3.7.

107

2016 Bill cl 84(1).

108

2016 Bill cl 84(5).

109

2016 Bill cl 9(1).

110

Opinion of the European Data Protection Supervisor [2005] OJ/C 298/01, [34].

111

[2014] IPT 13_77-h, [158].

112

2016 Bill cl 53(2)–(4).

113

2016 Bill cl 53(1). See section 2.2 for a list of the relevant purposes.