Legal Update

Journal of Database Marketing & Customer Strategy Management (2007) 15, 56–59. doi:10.1057/palgrave.dbm.3250067; published online 3 December 2007

Assessing the costs of data retention in the UK

Ewan Nettleton¹ and Mark Watts²

Correspondence: Ewan Nettleton, Bristows, 3 Lincoln's Inn Fields, London WC2A 3AA, UK. Tel: +44 0 20 7400 8000; Fax: +44 0 20 7400 8050; e-mail: ewan.nettleton@bristows.com

¹ Ewan Nettleton is a solicitor in the Intellectual Property Department at Bristows. He specialises in Intellectual Property Law. He has an MA in Chemistry and a DPhil in Protein Chemistry and is particularly interested in matters relating to the IT and pharmaceutical industries.

² Mark Watts is a partner in the Intellectual Property Department at Bristows. He has a BSc in Physics and a DPhil in Semiconductor Physics. He specialises in noncontentious IT matters, particularly transactional matters, such as negotiating software development, system integration and outsourcing agreements. He also has particular expertise in relation to e-commerce and data protection.

Abstract

The deadline for the implementation of the Data Retention Directive, which requires data to be retained by communications service providers, has recently passed. Although, like many Member States, the UK has opted to defer implementation of the provisions relating to internet data until March 2009, it has enacted legislation dealing with many of the Directive's requirements. This paper examines the new UK regulations and considers the obligations that will be placed on service providers when they come into effect in October 2007, and the potential ramifications for those, like database marketers, who use electronic communications services extensively.

INTRODUCTION

Regular readers will already be aware of the still relatively recent Data Retention Directive¹ and the fact that it is going to bring about significant change to the European Union (EU) legislation governing telemarketing and e-mail marketing with regard to retention of data.² Whereas previously limits were set on how long communications providers are entitled to retain communications data in the UK, the changes brought about by the Data Retention Directive will require enormous quantities of electronic communications data to be retained for specified periods across the EU, to assist law enforcement authorities in combating terrorism and serious crime.

In March 2007, the government published a consultation paper inviting public comment on its proposals for implementation of the Directive in the UK, and this concluded in June with the responses described by the Home Office as generally positive. While implementation of the more difficult internet aspects of the Directive has been postponed, the government has enacted legislation, The Data Retention (EC Directive) Regulations 2007 (SI 2007 No. 2199)³, which comes into effect on 1st October, 2007 and seeks to transpose the remaining provisions into UK law. The stance taken by the UK in its implementation is analysed below, with particular attention paid to aspects such as reimbursement of the costs to service providers that could impact upon database marketers and other heavy users of communications services.

THE DATA RETENTION DIRECTIVE – A BRIEF REMINDER

As described in our earlier paper⁴, the Data Retention Directive came into existence in the wake of heightened threats to national security, to harmonise the retention of data across the EU, which, as things stand, varies dramatically, with a variety of mandatory data retention schemes, voluntary schemes (as has been the case in the UK) and, in some instances, no retention requirements at all. The Directive applies to providers of 'publicly available' electronic communications services and requires communications providers to store (among other things) details of the senders and recipients of e-mails and text messages, but not the actual content of those messages. The data to be retained include data necessary to trace and identify the communication type, source, destination, date, time and duration of a communication, as well as data necessary to identify users' communication equipment (including the location of mobile equipment), and data on unsuccessful call attempts.

Perhaps surprisingly given the aim of harmonisation, the Directive gives some leeway as regards time of retention, with Member States having to ensure the data be retained for no less than six months and no more than two years from the date of the communication, with possible extensions in exceptional circumstances. Another critical issue of transposition left to the individual Member States is whether and how to reimburse service providers' costs, as discussed further in the context of the UK below.

THE UK'S VOLUNTARY REGIME AND THE HOME OFFICE CONSULTATION

The voluntary Code of Practice in operation in the UK at the time of writing came into force in December 2003 pursuant to secondary legislation.⁵ It allows communications providers to retain data that would otherwise have to be deleted or rendered anonymous under the UK's data protection legislation and provides for various retention periods depending on the type of data, for example:

  • 12 months for subscriber information (including subscriber information relating to the subscribing person such as their name, date of birth, contact information and details of the services subscribed to), telephony data (such as call date, time and duration, location data and all numbers associated with the call); and
  • Six months for SMS, EMS and MMS data (such as sending number, receiving number, date and time of sending and delivery receipt if available), e-mail data (including from/to email addresses, and date and time sent) and ISP data (including authentication user name, date and time of log-in/log-off, and IP assigned).

Significantly, the Code includes provisions whereby communications service providers can enter agreements with the authorities for reimbursement of their costs, and many consider that this aspect of the Code has been instrumental in persuading them to comply voluntarily. Another important aspect making it easier for service providers to follow the Code is the fact that it permits information to be stored in the same way for business purposes and for retention for the purposes of safeguarding national security and preventing/detecting crime, rather than requiring more expensive measures whereby the latter categories are treated in a different manner.

Service providers would have been pleased to see that these aspects were maintained in the draft regulations released by the Home Office in conjunction with its March 2007 consultation on the Directive's implementation.⁶ Indeed, the consultation paper, while acknowledging that there were no provisions in the Directive to reimburse service providers' costs, noted that the EU Commission had made a declaration to the EU Council in February 2006 to the effect that reimbursement may be necessary. In relation to the UK's implementation, it said that it intended to make provision for the payment of such additional costs, and included in the draft regulations the following provisions: '(1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with these Regulations. (2) Such reimbursement may be conditional on the expenses having been notified to the Secretary of State and agreed in advance. (3) The Secretary of State may require any public communications provider to comply with any audit that may be reasonably required to monitor any claim for reimbursement [expenses provided]⁷ pursuant to this regulation.' (emphasis added)

Nevertheless, there was some concern over the discretionary nature of these provisions. This was evident from the responses received in relation to question three of the Consultation, which asked: 'Do you agree with the Government's approach to meet additional costs to reduce burden and meet requirements?'

While, in the summary of the responses received, published in June 2007⁸, the Home Office suggested that the vast majority of respondents agreed with the government's general approach to meeting additional costs, it acknowledged that those who did not agree shared a presentiment that the government would somehow use the drafting of the Regulations to avoid paying costs. The summary categorically states that this is not the case, and that the drafting of the costs provision is intended to ensure that the government retains flexibility to arrange communications data to be retained in the most efficient manner and to ensure that the government is able to demonstrate that the arrangements are cost neutral.

THE NEW REGULATIONS

There were few amendments between the publication of the draft Regulations in the Home Office Consultation document and the Regulations in the form enacted, which will come into force in October 2007. The principal aspects of the Regulations may be summarised as follows:

  • Which providers? – The regulations apply to all public communications providers, but this is subject to the exception that the data need not be retained if the provider is given notice by the authorities that the information is already retained by another provider (the aim being to avoid duplication).
  • What sort of data? – The data to be retained relate exclusively to fixed-line and mobile telephony and differ for each. They are broadly similar to the subscriber and telephony data set out in the Code described above. This includes data on unsuccessful call attempts in some instances but not data on unconnected calls or data derived from internet access, internet e-mail or internet telephony.⁹
  • What obligations? – Data are to be retained for a period of 12 months, which is the same as the retention period under the Code for this sort of data. There are also obligations on communications service providers with regard to security and accessibility of the data. On the latter point, the Regulations require providers to retain the data in such a way that it can be transmitted 'promptly' in response to requests from the authorities.
  • Cost reimbursement? – This issue was dealt with in substantively the same way as in the draft regulations; service providers are to enter agreements with the authorities in advance for reimbursement of their costs.

Further explanation of how the Regulations are expected to work is provided in the accompanying explanatory memorandum.¹⁰ Unsurprisingly, this includes once again a substantive section seeking to assuage fears over service providers' costs. Notably, it states that, given the majority of other Member States indicating that they do not intend to reimburse the provider's additional costs, the government must also consider whether or not the UK should change its position on this. It goes on, however, to state the belief that a cooperative approach will be most effective and, although thought had been given to half-way house options such as requiring industry to bear the costs of retention but reimbursing additional costs associated with retrieval solutions for providers who receive the highest volumes of requests, the government proposes to continue the approach of reimbursing additional costs for both the retention and disclosure of communications data.

CONCLUSIONS AND COMMENTS

The provisions of the Data Retention Directive relating to telephony data have now been implemented into UK law. Overall, the government seems to have maintained the cooperative approach developed under the Voluntary Code, and service providers will for the most part not be overly alarmed by the provisions enacted. Notably, the UK Government, in contrast to some other Member States, has made efforts to assuage fears over the reimbursement of service providers' additional costs, and, if this position is maintained, it should help continuity, with all service providers being in a similar position to those who follow the voluntary UK Code. This should, in turn, help reduce the impact of the Regulations on the prices communications providers charge to extensive users of their service such as database marketers. Given the discretionary nature of the reimbursement wording used in the Regulations, however, some concerns still remain. Furthermore, although one might expect a similar line to be followed when the Directive's more tricky provisions on internet data are implemented in the next couple of years, this is by no means certain and the full impact of the Directive may be yet to come.
© Bristows

References

Notes

  1. Directive 2006/24/EC of the European Parliament and of the Council of 15th March, 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
  2. Directive 2002/58/EC of the European Parliament and of the Council of 12th July, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
  3. Available at http://www.opsi.gov.uk/si/si2007/20072199.htm.
  4. See the article entitled 'The Data Retention Directive', Journal of Database Marketing and Consumer Strategy Management: Vol. 14, No. 1, pp. 74–77 (October 2006).
  5. Code of Practice entitled 'Retention of Communications Data under Part 11: Anti-Terrorism, Crime & Security Act 2001 — Voluntary Code of Practice', which came into force on 5th December, 2003 pursuant to the Retention of Communications Data (Code of Practice) Order 2003 (SI 2003/3175).
  6. Home Office Consultation entitled 'Access to Communications Data – Respecting Privacy and Protecting the Public from Crime', dated March 2007. The draft regulations were included in Annex B of the consultation document.
  7. The wording in square brackets was present in the draft regulations as set out in the consultation document published in March 2007, but was removed in the Regulations as enacted. With the exception of this amendment, Regulation 10 remains unchanged.
  8. Home Office summary entitled 'The Initial Transposition of Directive 2006/24/EC – Government Responses to the Consultation', dated June 2007, available at http://www.homeoffice.gov.uk/documents/euro-directive-retention-data/cons-responses-07-euro-directive?view=Binary.
  9. Provisions relating to Internet data are of course to follow as explained above.
  10. 'Explanatory Memorandum to The Data Retention (EC Directive) Regulations 2007 – 2007 No. 2199', available at http://www.opsi.gov.uk/si/em2007/uksiem_20072199_en.pdf.