On July 17th, the Data Retention and Investigatory Powers Act (DRIPA) came into effect in the United Kingdom reinstating the Government’s powers to require communication providers to retain traffic data (also known as metadata) and enabling the Government to serve warrants to intercept communications data on companies outside of the United Kingdom to the extent they were providing services to UK users. DRIPA became law following emergency “fast-tracked” procedures on the basis that its enactment was essential to ensure continued national security. This meant it passed through all of the stages of Parliament in four days (a process that often takes months or even years), allowing no time for meaningful debate.
Civil liberties groups have been vocally opposed to the Act, criticising both its powers and the use of the fast-tracked process that limited Parliamentary discussion. The bill received the backing of all three major political parties on the grounds that it was required to protect the public against “criminals and terrorists”.
The Act addresses two key issues:
- the obligation to retain communications traffic data by communications providers; and
- the extraterritorial expansion of powers under the Regulation of Investigatory Powers Act 2000 (RIPA) enabling warrants for intercept communications data to be served on companies outside of the United Kingdom.
Part I: Data Retention
The first part of DRIPA allows the Secretary of State to issue notices to telecommunications operators requiring them to retain communications traffic data (also called metadata) (e.g. time of call and who the call was made to, but not the content of communications) for a period of up to twelve months. This is to ensure that the data is retained in the event law enforcement bodies need to access it to investigate crime or issues of national security.
DRIPA allows for the retention of “relevant communications data” which in the case of internet data, is “generated or processed in the United Kingdom” and includes the following information:
- data necessary to trace and identify a source of communication such as user IDs and IP addresses;
- data necessary to identify the destination of a communication such as the user ID or telephone number of the intended recipient of a call through the internet;
- data necessary to identify the date, time and duration of a communication, such as the date and time of log-on and log-off from the internet or an email service;
- data necessary to identify the type of communication, such as the email service provider or internet telephony provider used; and
- data necessary to identify users’ communication equipment, such as the calling telephone number for dial-up internet.
The data retention provisions under Part I of DRIPA are likely to apply extraterritorially given that the onus on compliance relates to where the data is generated or processed in the UK, but that is not clear.
Tom Watson, a Labour MP, and David Davis, a Conservative MP, have joined forces with Liberty, a leading civil liberties group, to challenge the data retention provisions of the Act by applying for a judicial review, a process in the United Kingdom where a judge reviews the lawfulness of a decision or action taken by a public body. In this instance, a judge will consider whether the blanket retention of data is a breach of an individual’s fundamental right to privacy.
The new provisions in DRIPA reinstate the requirements that existed in the United Kingdom under the Data Retention (EC Directive) Regulations 2009 which had to be replaced after the European Court of Justice declared the data retention provisions of the Data Retention Directive(2006/24/EC) (which the 2009 Regulations implemented) invalid. The actions of the UK Government in re-introducing data retention requirements is in stark contrast to the rest of Europe where Germany, Czech Republic, Romania, Austria, Cyprus, Belgium, Ireland and Bulgaria have already deemed similar provisions as unlawful.
Part II: Interception of communications
The second element of DRIP expands the Home Secretary’s power to obtain communications content (both stored data and interception data) and communications traffic data under RIPA to have extraterritorial effect. Authorisations for interception of traffic data can also now be served on companies that are outside the United Kingdom if they provide services to users in the UK. The definition of “telecommunications service” has also been amended to clarify that internet services providers are captured under RIPA.
Under RIPA prior to the amendment, the Home Secretary had the power to issue warrants requiring such providers in the UK to give effect to interception of communications where necessary on national security or crime-prevention grounds. DRIPA makes clear that such warrants can now be served on telecommunications providers based outside the UK if they provide services to or to “a substantial section of the public in any one or more parts of the United Kingdom”. This change will impact many popular online communications and social media sites that are located outside of the United Kingdom. DRIPA will require overseas companies to provide data to the UK government or risk civil sanctions or criminal prosecution under RIPA, which would result in directors facing up to two years in prison for non-compliance.
A copy of a RIPA warrant (the original warrant is served on the organisation that requested it) can be served on companies outside of the UK (including electronically or by other means) in any of the following ways:
(a) by serving it at the person’s principal office within the United Kingdom or, if the person has no such office in the United Kingdom, at any place in the United Kingdom where the person carries on business or conducts activities;
(b) if the person has specified an address in the United Kingdom as one at which the person, or someone on the person’s behalf, will accept service of documents of the same description as a copy of a warrant, by serving it at that address; and
(c) by making it available for inspection (whether to the person or to someone acting on the person’s behalf) at a place in the United Kingdom.
Service under (c) above is only available if service is not reasonably practicable by other means, the authority requesting the warrant thinks it is appropriate and a copy of the warrant is brought to attention of the person outside the United Kingdom as soon as reasonably practicable.
There is a defence, however, in the text of DRIPA that a non-UK communications provider will only have to give effect to a RIPA warrant so far as to do so is “reasonably practicable”. In order to determine what steps are “reasonably practicable”, “regard is to be had (amongst other things) to (a) any requirements or restrictions under law of that country or territory relevant to the taking of those steps, and (b) the extent to which it is reasonably practicable to give effect to the warrant in a way that does not breach any such requirements or restrictions”. In other words, the intent seems to be that compliance with an extra-territorial warrant is only required where it does not breach the laws of the other country.
Prior to amendment, RIPA provided the Secretary of State powers to issue a notice on telecommunications providers offering a service to the UK public to maintain intercept capability. Under such notice, the service provider is required to intercept in real-time the content of communications (which extends to stored data such as emails in an inbox) as authorised by the relevant public authority. Following DRIPA, these interception capability notices may be served on companies outside the United Kingdom and given in relation to conduct outside the United Kingdom. DRIPA does not provide a “reasonably practicable” defence for non-compliance; however, failure to maintain intercept capability will not result in criminal liability. The Secretary of State may issue civil proceedings for an injunction or application for specific performance, regardless of whether the company served is based inside or outside of the United Kingdom
More guidance is due regarding how the UK plans to implement the legislation set out in DRIPA. The UK government has announced it will appoint a senior former diplomat to lead discussions with the US government and internet firms to establish a new international agreement for sharing data between legal jurisdictions. Under US law, compliance with an extra-territorial RIPA warrant would generally be prohibited unless it is properly domesticated to a US court of law in order to avoid violating the Wiretap Act. These discussions are likely to set a precedent and a framework for how the UK government intends to manage the process of intercepting data extraterritorially. It remains to be seen how this new law will affect major internet service providers located outside of the United Kingdom and what discussions will ensue in the battle over rights to data in an increasingly complicated web of domestic laws targeting an international industry.