Statewatch News Online: Mandatory retention of telecommunications traffic to be "nodded" through in UK

Mandatory retention of telecommunications traffic to be "nodded" through in UK

- it will be adopted without any meaningful debate by a simple "affirmative" vote in parliament

- the government is saying that an EC Directive on the mandatory retention of telecommunications data for use in tackling serious crime can be used for any crime however minor

- the government is saying that there is no need for public or parliamentary discussion on privacy, civil liberties or human rights issues as these have already been discussed at the EU level

- in 2005/2006 there were a staggering 439,054 requests to service providers for communication data by the agencies

The UK government is intending that the mandatory retention of telecommunications data by service providers - all phone-calls, faxes, mobile phone-calls (and location) and later all internet usage (sites visited, e-mails, telephony via net) - be introduced by Regulation. The procedure for the adoption of a "Regulation" is simply that the measure is "laid" before parliament and passed by an "affirmative vote" in the Commons and Lords - unless a large number of MPs and/or peers insist on a debate there will not be one.

The measure will put into national law the highly-contentious EC Directive on mandatory data retention adopted in 2005.

The Consultation paper (full-text including the EC Directive and the draft Regulation, pdf), put out on 28 March 2008, assumes there is no need to consider privacy or civil liberties issues as it says these were discussed when the government put in place a "voluntary" code in XXXX. This was contentious because the power to collect traffic data under the Anti-Terrorism, Crime and Security Act (ATCS) 2001 was for "national security" (and related offences) while the Code allowed the collected data to be used for all crimes. If passed the Regulation will regularise the current dubious use of the data by law enforcement agencies.

The political argument against having a debate on the human rights issues (ie: the 7 questions do not relate to human rights) is weak however -- since transposition of the Directive would replace a voluntary code by a binding law, I think a debate is called for.


The purpose is stated as being to "investigate, detect and prosecute crime and protect the public" (p3)

The Regulation is due to come into effect by 15 September 2007. Along with other governments the UK is putting off the date for communications data "relating to internet access, internet telephony and internet e-mail" until 15 March 2008 - because this is more "complex an issue involving much larger volumes of data" (p5).


"The Directive rightly references terrorist atrocities in Madrid and London in making the case for adopting measures for retention of communications data across Europe" - but this measure does not just cover terrorism but all crime however minor.

Since 2003 there has been a voluntary code...

"The proposed Regulation will not prevent businesses from keeping data for longer than our proposed retention period..." (p4) which is 12 months. But why should they, as it is only needed for a few days in relation to the provision of services - is this a "back-door" for providers keeping data for longer with the tacit agreement of the government?

The paper argues that the "majority of issues" relating to retention, eg: proportionality, the Human Rights Act and "the disparity that can exist between purposes for which data may be lawfully retained and lawfully obtained" (p4) were discussed during the consultation concerning the voluntary code (2003). Thus Human Rights considerations do not need to be considered now, for this reason and because of the debates that took place in the Council of the European Union and the European Parliament (where the two big parties steam-rollered it through against highly vocal opposition).

Thus the government argues:

"these measures are a proportionate interference with individual's right to privacy to ensure the protection of the public"

So as it has been decided in the EU there is no need to debate it and there is no need to ask any questions at all about these issues in this paper!

The paper says that the "majority" of service providers were happy to take part in the voluntary code and proactively "assist law enforcement and intelligence agencies" (p5). Others were not because of the uncertain legal basis of the voluntary code (pXXX).

The EC Directive and Regulation:

"represents a transition from a voluntary regime for retention of communications data in the UK, to a framework which mandates minimum requirements..."

In support of its argument for retention the paper cites a "two week survey" by ACPO (Association of Chief Police Officers) with headline figures concerning 231 requests for data of which 60% concerned murder and terrorism. However, the figures published in the annual report from the Interception of Communications Commissioner, published last month, said that there were a staggering 439,054 requests lodged for communications data - the Commissioner says that it is the law enforcement agencies:

"who are the principal users of communications data [who] have acquired fully automated systems"

Proposal to transpose the Directive into a Regulation

As noted above the Regulation will only be subject to an "affirmative vote" in the House of Commons and House of Lords.

The consultation paper notes that Ireland and Slovakia are challenging the legal basis of the Directive in the European Court of Justice and then says (point 6.5):

"Regulations passed by parliament under the European Communities Act 1972 will be unaffected if the Directive is subsequently annulled"

This assertion is clearly wrong legally - Regulations passed under the ECA would be undoubtedly invalid if the Directive is annulled - that is the whole point of a number of judicial review proceedings against ECA Regulations or intended ECA Regulations that have been brought in the past (ie the argument is that the ECA Regulations are invalid precisely because the Directive is invalid). This would be true, I think, if the Directive were annulled on any ground -- and in particular if it were annulled for the reasons that the Irish and Slovaks argue, that the EC has no power at all to adopt the Directive. If that is correct, then the ECA could not possibly be used to implement the "Directive".

Although the government intends to put off until March 2008 the mandatory retention of data from the internet (internet access, e-mail and telephony) they intend to continue with the "voluntary arrangements" in operation at present - in other words the majority of service providers are already making this data available. For this reason they intend to extend the "sunset clause" in Section 106 of the ATCS Act 2001.

The proposed Regulation

The scope of the draft Regulation is open to serious question. The EC Directive that is being transposed says that the purpose is:

"the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law" (emphasis added)




FROM 2003 Code:

"This Code of Practice relates specifically to the need for communications service
providers to retain data for extended periods of time in order to assist the
security, intelligence and law enforcement agencies in carrying out their work of
safeguarding national security or in the prevention or detection of crime or the
prosecution of offences which relate directly or indirectly to national security." and

"Communications data may be obtained by security, intelligence and law
enforcement agencies under the Regulation of Investigatory Powers Act 2000
and other statutory powers. This Code does not deal with these provisions." and

"The Code does not relate to the powers of public authorities to obtain
communications data retained in accordance with the Appendix to the Code.
Acquisition of communications data is provided for by Chapter II of Part I of the
Regulation of Investigatory Powers Act 2000, as well as other relevant statutory
powers." and

"In particular, this Code cannot place any restrictions on the ability of the public
authorities listed in Chapter II of Part I of the Regulation of Investigatory Powers Act
2000 to acquire data retained under this Code for any of the purposes set out in
section 22 of that Act which do not relate to national security."

Under Chapter II of Part I, Section 22.2 of RIPA 2000 communications data can be obtained in relation to "crime", that is all crime.

Whereas the scope of the EC Directive being transposed is "serious crime", the government is seeking to allow data retained by all service providers to be obtained and used by all law enforcement agencies (and other public authorities) to tackle crime in general.

Thus nothing in the Regs transposes Art 1.1 of the EC Directive, ie the limitation of use of the data to investigate, etc. serious crimes as defined by national law - this surely requires a definition of serious crimes in the Regulation (if only by reference to some other national measure) as a requirement both of transposition of the directive and as a matter of human rights/data protection law (ie the requirement that the circumstances in which the data will be processed must be foreseeable in legislation, otherwise the interference with private life is not "prescribed by law" as ruled by the courts).

Also there is nothing in the Regulation transposing Art 13 of the Directive, ie: sanctions and remedies relating to unauthorized use of the data, etc. It may be that there is adequate provision in the Data Protection Act and/or other regs transposing EC data protection legislation but this should have been explained at least in the impact assessment and summary and referred to in the Regulation itself. There is an obligation when transposing directives to make a clear reference to the national legal rules which transpose the directive so that individuals can identify their rights - arguably since there is not even a cross-reference in this draft Regulation to the rules elsewhere which transpose Art 13 already (assuming there are such rules) this obligation has not been met.


The Home Office Consultation paper on mandatory data retention of telecommunications (full-text, pdf),

The full background is on: Statewatch's Observatory: The surveillance of telecommunications in the EU

See also from Statewatch:

EU: Data Retention proposal partly illegal, say Council and Commission lawyers
Data retention and police access in the UK - a warning for Europe
UK-EU: Call for mandatory data retention of all telecommunications
Annotated guide to the issues and documentation on mandatory data retention in the EU
