Draft Communications Data Bill, The Second Coming?

As many will already know, the 2012 Queen’s Speech included mention of a Draft Communications Data Bill (would JISC folk class this as being all about paradata, I wonder?!;-)- here are the relevant briefing notes as published by the Home Office Press Office – Queen’s Speech Briefing Notes:

Draft Communications Data Bill
“My Government intends to bring forward measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses.”

The purpose of the draft Bill is to:

The draft Bill would protect the public by ensuring that law enforcement agencies and others continue to have access to communications data so that they can bring offenders to justice.

What is communications data:
– Communications data is information about a communication, not the communication itself. – Communication data is NOT the content of any communication – the text of an email, or conversation on a telephone.
– Communications data includes the time and duration of the communication, the telephone number or email address which has been contacted and sometimes the location of the originator of the communication.

The main benefits of the draft Bill would be:

– The ability of the police and intelligence agencies to continue to access communications data which is vital in supporting their work in protecting the public.
– An updated framework for the collection, retention and acquisition of communications data which enables a flexible response to technological change.

The main elements of the draft Bill are:

– Establishing an updated framework for the collection and retention of communications data by communication service providers (CSPs) to ensure communications data remains available to law enforcement and other authorised public authorities.
– Establishing an updated framework to facilitate the lawful, efficient and effective obtaining of communications data by authorised public authorities including law enforcement and intelligence agencies.
– Establishing strict safeguards including: a 12 month limit of the length of time for which communications data may be retained by CSPs and measures to protect the data from unauthorised access or disclosure. (It will continue to be the role of the Information Commissioner to keep under review the operation of the provisions relating to the security of retained communications data and their destruction at the end of the 12 month retention period).
– Providing for appropriate independent oversight including: extending the role of the Interception of Communications Commissioner to oversee the collection of communications data by communications service providers; providing a communications service provider with the ability to consult an independent Government / Industry body (the Technical Advisory Board) to consider the impact of obligations placed upon them; extending the role of the independent Investigatory Powers Tribunal (made up of senior judicial figures) to ensure that individuals have a proper avenue of complaint and independent investigation if they think the powers have been used unlawfully.
– Removing other statutory powers with weaker safeguards to acquire communications data.

Existing legislation in this area is:

Regulation of Investigatory Powers Act 2000
The Data Retention (EC Directive) Regulations 2009

It’s worth remembering that this is the second time in recent years that a draft communications data bill has been mooted. Here’s how it was described last time round, in the 2008/2009 draft legislative programme:

“A communications data bill would help ensure that crucial capabilities in the use of communications data for counter-terrorism and investigation of crime continue to be available. These powers would be subject to strict safeguards to ensure the right balance between privacy and protecting the public;”

The purpose of the Bill is to: allow communications data capabilities for the prevention and detection of crime and protection of national security to keep up with changing technology through providing for the collection and retention of such data, including data not required for the business purposes of communications service providers; and to ensure strict safeguards continue to strike the proper balance between privacy and protecting the public.

The main elements of the Bill are:
– Modify the procedures for acquiring communications data and allow this data to be retained
– Transpose EU Directive 2006/24/EC on the retention of communications data into UK law.

The main benefits of the Bill are:
– Communications data plays a key role in counter-terrorism investigations, the prevention and detection of crime and protecting the public. The Bill would bring the legislative framework on access to communications data up to date with changes taking place in the telecommunications industry and the move to using Internet Protocol (IP) core network
– Unless the legislation is updated to reflect these changes, the ability of authorities to carry out their counter-terror, crime prevention and public safety duties and to counter these threats will be undermined.

(See also some briefing notes from the time (January 2009).)

What strikes me immediately about the earlier statement was its use of anti-terrorism rhetoric to justify the introduction of the proposed bill, rhetoric which appears to have been dropped this time round.

It’s also worth noting that the 2008 proposals regarding EU Directive 2006/24/EC (retention of communications data) were passed in to law via a Statutory Instrument, The Data Retention (EC Directive) Regulations 2009, regulations that it appears will be up for review/revision via the new draft bill. In those regulations:

[2b] – “communications data” means traffic data and location data and the related data necessary to identify the subscriber or user;

[2d] – “location data” means data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to: (i) the latitude, longitude or altitude of the terminal equipment, (ii) the direction of travel of the user, or (iii) the time the location information was recorded;
[2e] – “public communications provider” means: (i) a provider of a public electronic communications network, or (ii) a provider of a public electronic communications service; and “public electronic communications network” and “public electronic communications service” have the meaning given in section 151 of the Communications Act 2003(1); [from that act: “public electronic communications network” means an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public; “public electronic communications service” means any electronic communications service that is provided so as to be available for use by members of the public;]

[2g] – “traffic data” means data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication;
[2h] – “user ID” means a unique identifier allocated to persons when they subscribe to or register with an internet access service or internet communications service.

[3] These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned.

As more and more online services start to look at what data they may be able to collect about their users, it’s maybe worth bearing in mind the extent to which they are a “public electronic communications service” and any proposed legislation they may have to conform to.

As and when this draft bill is announced formally, I think it could provide a good opportunity for a wider discussion about the ethics of communications/paradata collection and use.

PS Although it’s unlikely to get very far, I notice that a Private Member’s Bill on Online Safety was introduced last week with the intention to Make provision about the promotion of online safety; to require internet service providers and mobile phone operators to provide a service that excludes pornographic images; and to require electronic device manufacturers to provide a means of filtering content where “electronic device” means a device that is capable of connecting to an internet access service and downloading content.

Author: Tony Hirst

I'm a Senior Lecturer at The Open University, with an interest in #opendata policy and practice, as well as general web tinkering...