RETENTION OF COMMUNICATIONS DATA

Developments in the Online Space

Regulations have been introduced which require certain public communications providers (read ISPs, mobile
phone providers, VOIP operators…and, potentially, social networking sites such as Twitter) to retain certain data
about the communications made over their networks (and the people making those communications) for 12
months. This move may be seen by some as a threat to privacy as well as an extra compliance burden for the
affected service providers. Others would counter that it is a welcome and necessary weapon in the fight against
terrorism and other serious crime which can be incited, orchestrated or even conducted online, such as child
abuse.
Landline and mobile phone providers have been required to retain certain communications data (e.g. time/length
of call, name/address of caller) since 2007. The Data Retention (EC Directive) Regulations 2009 “New
Regulations”) came into force on 6th April, implementing the corresponding EU Directive into UK law. These New
Regulations replace the 2007 Regulations, which referred only to telephone services and expressly excluded
internet services. The New Regulations capture communications made by internet, email and internet telephony
(such as VOIP and efax), and require certain providers of these services to retain communications data for a
year. This ‘communications data’ relates to the who/when/where of a communication (but not the content) and
ranges from log on/call times and durations to the names and addresses of people sending and receiving
communications.
Only public communications providers who are notified by the Secretary of State are required to comply with the
New Regulations. These will be companies who make available “electronic communications services” to members
of the public by providing an “electronic communications network”, defined in the Communications Act 2003 as
“a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of
signals of any description; and (b) such of the [apparatus comprised in the system and/or used for the switching
or routing of the signals; and software and stored data] as are used, by the person providing the system and in
association with it, for the conveyance of the signals.” It remains to be seen which companies will receive
notification under the New Regulations from the Secretary of State, but ISPs (e.g. BT Internet) will certainly be
notified, as will mobile phone providers (if they haven't already, e.g. O2) and VOIP operators (e.g. Skype). It will
be interesting to see whether the Government will extend such notification to search engines and website
operators – particularly social networking sites, where mass communication is key with the crowds twittering,
posting and poking.
Advantages of the New Regulations
The Home Office points out in its Explanatory Memorandum that communications data has proved valuable for
law enforcement purposes over many years, in detecting crimes, investigating suspects and prosecuting
offenders. Although many communications providers retain such information in any event, they delete it as soon
as their business purposes have been met (whether because of data protection legislation or the costs of
storage). The Home Office argues that long running investigations, which may require communications data
some time after a crime has been detected, tend to relate to the most serious crimes and as such there is a
strong public interest in obliging relevant companies to preserve such evidence.
If every email, IM, tweet and post is logged along with the sender’s name, address and geographical location at
the time, then law enforcers will find it easier to verify alibis, trace contacts and track movements. Criminals will
be unable to rely on the perceived anonymity of the Web to disguise their activities. The New Regulations send a
clear message that people cannot hide behind online personalities to conduct criminal behaviour.
Page 2
19 June 2009

Disadvantages of the New Regulations

However, despite the stated benefits of the New Regulations as a crime fighting tool, legitimate data protection
concerns have been raised by privacy groups, who object to being monitored and criticise the measure as a step
towards a ‘Big Brother’ state. As the Government has not had a good track record recently with safeguarding
data, concerns over the generation and retention of increasing amounts of data is perhaps justified.
Perhaps the biggest concern is the fact that the New Regulations do not limit the disclosure and use of the data
to investigation of the serious crimes on the basis of which the New Regulations are justified. The New
Regulations blandly state that “Access to data retained in accordance with these New Regulations may be
obtained only (a) in specific cases, and (b) in circumstances in which disclosure of the data is permitted or
required by law.” It is not difficult to envisage courts interpreting this provision widely and ordering disclosure in
civil cases where this information would be useful – for example, defamation claims (to discover the details of a
big-mouth blogger), divorce cases (to check a cheating spouse’s phone calls), and employment tribunals (to
ascertain a sick employee’s whereabouts). As in the ‘Owlstalk’ case, which we have previously blogged about,
Norwich Pharmacal orders can be made to disclose the contact details of libellous online commentators. We may
see increasing similar instances of this as more companies are required to hold more data for longer. In order for
disclosure of an individual’s details under a Norwich Pharmacal order, the following 3 conditions must be met:
1. a wrong must have been arguably carried out;
2. the order must be necessary in order to enable the claimant to bring an action against the wrongdoer;
and
3. the intermediary against whom the order is sought must (a) have facilitated the wrongdoing; and (b) be
likely to be able to provide the necessary information about the wrongdoer.
Indeed, if the New Regulations are extended so that online hosts of the defamatory forums are required to keep
the communications data relating to their users for a year, the third test will become more likely to be satisfied.
We should not forget that the New Regulations will impose an additional compliance burden on the notified
public communications providers. The extent to which this is an issue depends on the amount of companies
notified under the New Regulations and the additional measures they will have to take to understand and
implement their obligations under the New Regulations. The New Regulations have gone some way to addressing
this by stating that the Secretary of State “may reimburse any expenses incurred by a public communications
provider in complying with the provisions of these New Regulations.” However, this subsidy ultimately comes
from credit-crunched UK taxpayers, who may query the efficacy and efficiency of setting up the systems required
to implement the New Regulations.

Yasmin Joomraty
Laurence Kaye Solicitors
© Laurence Kaye 2009
T: 01923 352 117
E: laurie@laurencekaye.com
www.laurencekaye.com
http://laurencekaye.typepad.com/
Page 3
19 June 2009

This article is not intended to be exhaustive and it does not constitute or substitute legal advice,
which should be sought on a case by case basis.
Please feel free to copy or make available this article without modification in print or electronic form for non-
commercial purposes. If you do so, please include this disclaimer and copyright wording with attribution. If you
want to re-publish or make the whole or part of this article available in a commercial service or publication,
please contact the author at laurie@laurencekaye.com.