foundation for information policy research
FIPR response to the retention of communications data consultation
The Foundation for Information Policy Research [http://www.fipr.org/] is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers.
Much debate has taken place over the subject of data retention. However, as far as this consultation is concerned, we believe there are only three pertinent facts:
The European Data Protection Commissioners have repeatedly emphasized that mandatory blanket data retention would be an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights (ECHR), as further elaborated by the European Court of Human Rights (see Opinion 4/2001 of the Article 29 Working Party established by Directive 95/46/EC; the Declaration of Stockholm of April 2000; and most recently, the Statement issued in Cardiff in September 2002). Law enforcement authorities should only be permitted to require Communications Service Providers to retain ("preserve") data beyond the normal time needed for contractual (billing) and other business purposes in specific cases, in which the need for such data preservation was clearly demonstrated, subject to adequate legal safeguards.
The suggestion that blanket data retention, beyond the time for which the data are needed by the service provider, could be permitted on the basis of a voluntary code is absurd: such a rule would blatantly breach the most fundamental data protection principle, that personal data be retained only for legitimate, specified purposes and for no longer than necessary to achieve those purposes. However, even a law requiring such compulsory blanket retention would be contrary to the ECHR and incompatible with the Human Rights Act.
As the European Data Protection Commissioners make clear, data preservation in an individual case can only be allowed if there is a "demonstrable need" in that particular case (i.e. the authorities cannot require preservation of traffic data relating to a particular subscriber "just in case" the data may be useful later). Even in such individual cases, the period of retention must be as short as possible. Most importantly, under both the ECHR (and thus the Human Rights Act) and the EU data protection directives, "the practice must be clearly regulated by law, in a way that provides sufficient safeguards against unlawful access and any other abuse. Systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case."
Legal opinions given to the Office of the Information Commissioner and elsewhere have concluded that retention would be unlawful given the disparity of purpose between access to traffic data under the Regulation of Investigatory Powers Act and retention only for national security related purposes under the Anti-Terrorism Crime and Security Act (ATCS). This is a barrier to both voluntary and mandatory retention that could only be addressed through new primary legislation.
Internet Service Providers have repeatedly made clear, individually and through their trade association ISPA, that the Home Office has not provided a justification for retention. The examples given in the consultation document concerning the use of communications data are entirely unconvincing. They largely concern time periods that are longer than those proposed for retention in Appendix A. They do not attempt any cost/benefit analysis based on cases lost due to missing communications data. They certainly do not justify the very high cost that larger ISPs have estimated for retention mechanisms. ISPs are therefore not willing to implement retention voluntarily.
We therefore strongly urge that the Home Office drop all plans for retention and allow the powers to require it to lapse on 13 December 2003 under s.105 of ATCS. They should follow the lead of the US Federal Bureau of Investigation and rely instead on data preservation powers.
The failure of the Government to address preservation issues over the past two years has been a lost opportunity. We feel sure that the issues involved could even now be addressed by relatively brief discussions. No further time should be wasted on inevitably doomed attempts to implement data retention.