It would appear that the Government's war on terrorism is losing its edge, at least in the telecommunications sector, writes Alex Lundie.
The heralded code of practice for the retention of communications data under the Anti-Terrorism, Crime and Security Act has yet to appear, despite plans to produce a working draft by Easter. The proposed code has been criticised as contrary to the principles of privacy legislation and its delayed introduction may be down to the difficulties of reconciling two conflicting areas of law.
On one hand, anti-terrorism legislation seeks to encourage the retention of data to help track down terrorists, while on the other, the Data Protection Act tells companies to destroy such data as soon as possible to protect the individual's right to privacy.
A review of the legislation shows that communications companies that decide to co-operate with the security forces could face the prospect of civil and even criminal liability for breaches of the Data Protection Act. Therefore it would seem prudent for those involved in the communications sector, whether they are telcos, ISPs or even postal services, to avoid collecting and retaining this sort of data. Such a conclusion will, no doubt, be welcomed by a communications industry anxious to avoid further increased costs in already expensive regulatory compliance.
Which way to turn?
Communications data is generated by and used within communications networks to route calls, e-mails or Web page requests, for example telephone numbers and IP addresses. A prime example when tracing terrorists is the tracking of mobile phones within and across different cell sites to determine where the phone was at a particular time.
Communications data details where calls or e-mails were made and received and is distinct from interception, which deals with the actual content of a message or what was said.
Interception and disclosure of communications data are both placed on a legal footing in the Regulation of Investigatory Powers (RIP) Act 2000. There are differences in procedure between interception and access of communications data and the Government's latest moves under the anti-terrorism code of practice, focused on increasing its ability to access communications data.
Data that consists of information that identifies an individual, such as a telephone or e-mail subscriber, is also personal data protected by the Data Protection Act. Consequently, this requires operators processing or storing such information to observe specified principles.
The first requires operators to process the data fairly and lawfully, meaning it must be obtained and processed with the knowledge of the individual, unless such processing is necessary for a legal obligation. The data must be obtained for specified purposes and not be processed for any other uses or held for longer than is necessary.
Finally, the Telecommunications Data Protection Directive requires that the data be erased or made anonymous as soon as the transmission is finished subject to limited exemptions, such as for billing.
Immunity from liability
The powers for the security services to access communications data were already available under the RIP Act but there was a lack of data held by communications providers. The Government wants to use the new code of practice to increase the rate of data retention by granting immunity from civil liability arising under the data protection regulation. This in turn will provide the security services with a larger pool of data.
Unfortunately the provisions in the anti-terrorism code of practice conflict with the data protection principles. Meanwhile, the first data protection principle still requires that processing is lawful unless there is a legal obligation.
According to the Anti-terrorism Act, failure to observe the code of practice is not to render any person liable to any criminal or civil proceedings but is admissible in evidence in certain legal proceedings. If this does not amount to a legal obligation, then it seems that operators may breach the data protection principles by retaining communications data under the code of practice.
With the prospect of civil or possibly criminal liability for breaches of the Data Protection Act it would seem that the safer, and cheaper course would be to not observe the anti-terrorism code of practice, as there is purported to be no liability.
But while the anti-terrorism code of practice seems to have failed due to the absence of a binding legal obligation, there are additional powers available to the Government to rectify this and ensure that stored data is exempt from the data protection and privacy regime.
It might only be a matter of time, therefore, before the security services triumph over the right to privacy.
Alex Lundie is a solicitor at Tite & Lewis