Emergency UK Legislation Expands Government Powers to Retain and Intercept Data

by Latham & Watkins LLP
Contact

On July 17th, the Data Retention and Investigatory Powers Act (“DRIP”) came into effect in the United Kingdom reinstating the Government’s powers to require communication providers to retain traffic data (also known as metadata) and enabling the Government to serve warrants to intercept communications data on companies outside of the United Kingdom to the extent they were providing services to UK users.  DRIP became law following emergency “fast-tracked” procedures on the basis that its enactment was essential to ensure continued national security. This meant it passed through all of the stages of Parliament in four days (a process that often takes months or even years), allowing no time for meaningful debate.

Civil liberties groups have been vocally opposed to the Act, criticising both its powers and the use of the fast-tracked process that limited Parliamentary discussion. The bill received the backing of all three major political parties on the grounds that it was required to protect the public against “criminals and terrorists”.

The Act addresses two key issues:

  • the obligation to retain communications traffic data by communications providers; and
  • the extraterritorial expansion of powers under the Regulation of Investigatory Powers Act 2000 (“RIPA”) enabling warrants for intercept communications data to be served on companies outside of the United Kingdom.

Part I: Data Retention

The first part of DRIP allows the Secretary of State to issue notices to telecommunications operators requiring them to retain communications traffic data (also called metadata) (e.g. time of call and who the call was made to, but not the content of communications) for a period of up to twelve months. This is to ensure that the data is retained in the event law enforcement bodies need to access it to investigate crime or issues of national security.

DRIP allows for the retention of “relevant communications data” which in the case of internet data, is “generated or processed in the United Kingdom” and includes the following information:

  • data necessary to trace and identify a source of communication such as user IDs and IP addresses;
  • data necessary to identify the destination of a communication such as the user ID or telephone number of the intended recipient of a call through the internet;
  • data necessary to identify the date, time and duration of a communication, such as the date and time of log-on and log-off from the internet or an email service;
  • data necessary to identify the type of communication, such as the email service provider or internet telephony provider used; and
  • data necessary to identify users’ communication equipment, such as the calling telephone number for dial-up internet.

The data retention provisions under Part I of DRIP are likely to apply extraterritorially given that the onus on compliance relates to where the data is generated or processed in the UK, but that is not clear.

Tom Watson, a Labour MP, and David Davis, a Conservative MP, have joined forces with Liberty, a leading civil liberties group, to challenge the data retention provisions of the Act by applying for a judicial review, a process in the United Kingdom where a judge reviews the lawfulness of a decision or action taken by a public body. In this instance, a judge will consider whether the blanket retention of data is a breach of an individual’s fundamental right to privacy.

The new provisions in DRIP reinstate the requirements that existed in the United Kingdom under the Data Retention (EC Directive) Regulations 2009 which had to be replaced after the European Court of Justice declared the data retention provisions of the Data Retention Directive (2006/24/EC) (which the 2009 Regulations implemented) invalid. The actions of the UK Government in re-introducing data retention requirements is in stark contrast to the rest of Europe where Germany, Czech Republic, Romania, Austria, Cyprus, Belgium, Ireland and Bulgaria have already deemed similar provisions as unlawful.

Part II: Interception of communications

The second element of DRIP expands the Home Secretary’s power to obtain communications content (both stored data and interception data) and communications traffic data under RIPA to have extraterritorial effect. Authorisations for interception of traffic data can also now be served on companies that are outside the United Kingdom if they provide services to users in the UK. The definition of “telecommunications service” has also been amended to clarify that internet services providers are captured under RIPA.

Under RIPA prior to the amendment, the Home Secretary had the power to issue warrants requiring such providers in the UK to give effect to interception of communications where necessary on national security or crime-prevention grounds. DRIP makes clear that such warrants can now be served on telecommunications providers based outside the UK if they provide services to or to “a substantial section of the public in any one or more parts of the United Kingdom”. This change will impact many popular online communications and social media sites that are located outside of the United Kingdom. DRIP will require overseas companies to provide data to the UK government or risk civil sanctions or criminal prosecution under RIPA, which would result in directors facing up to two years in prison for non-compliance.

A copy of a RIPA warrant (the original warrant is served on the organisation that requested it) can be served on companies outside of the UK (including electronically or by other means) in any of the following ways:

(a) by serving it at the person’s principal office within the United Kingdom or, if the person has no such office in the United Kingdom, at any place in the United Kingdom where the person carries on business or conducts activities;

(b) if the person has specified an address in the United Kingdom as one at which the person, or someone on the person’s behalf, will accept service of documents of the same description as a copy of a warrant, by serving it at that address; and

(c) by making it available for inspection (whether to the person or to someone acting on the person’s behalf) at a place in the United Kingdom.

Service under (c) above is only available if service is not reasonably practicable by other means, the authority requesting the warrant thinks it is appropriate and a copy of the warrant is brought to attention of the person outside the United Kingdom as soon as reasonably practicable.

There is a defence, however, in the text of DRIP that a non-UK communications provider will only have to give effect to a RIPA warrant so far as to do so is “reasonably practicable”. In order to determine what steps are “reasonably practicable”, “regard is to be had (amongst other things) to (a) any requirements or restrictions under law of that country or territory relevant to the taking of those steps, and (b) the extent to which it is reasonably practicable to give effect to the warrant in a way that does not breach any such requirements or restrictions”. In other words, the intent seems to be that compliance with an extra-territorial warrant is only required where it does not breach the laws of the other country.

Prior to amendment, RIPA provided the Secretary of State powers to issue a notice on telecommunications providers offering a service to the UK public to maintain intercept capability. Under such notice, the service provider is required to intercept in real-time the content of communications (which extends to stored data such as emails in an inbox) as authorised by the relevant public authority. Following DRIP, these interception capability notices may be served on companies outside the United Kingdom and given in relation to conduct outside the United Kingdom. DRIP does not provide a “reasonably practicable” defence for non-compliance; however, failure to maintain intercept capability will not result in criminal liability. The Secretary of State may issue civil proceedings for an injunction or application for specific performance, regardless of whether the company served is based inside or outside of the United Kingdom

More guidance is due regarding how the UK plans to implement the legislation set out in DRIP. The UK government has announced it will appoint a senior former diplomat to lead discussions with the US government and internet firms to establish a new international agreement for sharing data between legal jurisdictions. Under US law, compliance with an extra-territorial RIPA warrant would generally be prohibited unless it is properly domesticated to a US court of law in order to avoid violating the Wiretap Act. These discussions are likely to set a precedent and a framework for how the UK government intends to manage the process of intercepting data extraterritorially. It remains to be seen how this new law will affect major internet service providers located outside of the United Kingdom and what discussions will ensue in the battle over rights to data in an increasingly complicated web of domestic laws targeting an international industry.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising

Written by:

Latham & Watkins LLP
Contact
more
less

Latham & Watkins LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.