Communications Data Bill/Draft/Commentary


Part 1 of the bill creates a new power to order companies to collect specific datasets, creating them if necessary, and deploying any technical or policy changes needed to do so. It also requires this data to be retained in a secure and confidential manner for 12 months, and destroyed after this period elapses. This power can be used by any principal secretary of state (which means most cabinet ministers), but in practice would be the Home Secretary. Use of this power must be ratified by a vote in Parliament.

Part 2 of the bill creates a system for assorted public bodies to get access to this data.

Part 3 makes some changes to RIPA, repeals all other existing powers that involve retaining and disclosing "communications data", and makes the Information Commissioner, the Interception of Communications Commissioner, and the Investigatory Powers Tribunal responsible for scrutiny and oversight of the implementation of these powers.

Part 1: Ensuring or Facilitating Availability of Data

Ensuring or facilitating availability

Section 1 Power to ensure or facilitate availability of data

This section allows the Secretary of State to make one or more orders whose purpose is to ensure that "communications data" is available from "telecommunication operators". It does not create any powers to obtain that information, which are to be found elsewhere (eg in clauses 9 to 19). Rather, the section allows the creation of a framework of collecting and storing that will mean anyone exercising a statutory power to obtain communications data will find it easier to use.

It sets out that the Secretary of State can specify the techniques used, and gain this information from third parties ("are in respect of communications data relating to the use of telecommunications services provided by another telecommunications operator in telecommunication system").

It states that the new powers and duties do not authorise interception of communications.

Is there a definition of interception? If deep packet inspection is used you are in effect intercepting and delaying the transfer of data [if only for a few microseconds?].

  • Interception is, under Section 28, given the same meaning as in s2 RIPA. Under the definition of 2(2), yes, it is arguably interception. However, under 2(5), interception does not include conduct that examines information "as consists in any traffic data comprised in or attached to a communication for the purposes of any postal service or telecommunication system". In other words, "communications data" under the Communications Data Bill does not appear to be capable of interception under the definition given in RIPA 2000.

The powers can apply to public postal operators and public postal services, and these meanings are found in section 25.

The definitions of “communications data” and “telecommunications operator” are found later, in section 28. Note this could include private networks, which most large companies operate [banks etc.].

Safeguards

2 Consultation requirements

Before ordering new collection and retention duties, Ofcom must be consulted, alongside the people who will do the collection and their representatives, and anyone with statutory duties related to these duties. There is no requirement to consult the people that are the subject of the data being collected, if they are not in any of those groups. Note there is no requirement to consult Joe Public.

3 Data security and integrity

Companies who hold the data must do so accurately and securely, or "the data is of the same quality and subject to the same security and protection as the data on any system from which it is derived".

They must protect against wrongful access, alteration or destruction ("accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access or disclosure").

4 Period for which data is to be retained

Data is retained by default for 12 months, or less if the Secretary of State's order says less.

If the data may be used in "legal proceedings" (defined in section 28), the operator will be notified and must keep the data until the public authority says it is no longer needed. All the notifications are in writing.

5 Access to data

The data can only be disclosed under the terms of Part 2 or "otherwise as authorised by law". The operator must implement adequate checks and controls to ensure that this is the case.

6 Destruction of data

The data has to be destroyed by the operator after the retention period in section 4 has expired, and must be irretrievable. This may be done in batches by the operator, but those batches must be destroyed no less frequently than once per month. There appears to be nothing to require authorised data to be destroyed when given to “others”? There appears to be the possibility of confusion over data that is normally collected and that which is required under any order?

7 Other safeguards

Notices given by the Secretary of State to a telecoms operator to start collecting data must be in writing, must say who it is addressed to, and must be done in an appropriate manner, which might include "publication".

Notices made in section 1 can be referred to the Home Office Technical Advisory Board. The notices will give a time frame for these referrals to the TAB, who can then delay the start of the collection duties while they consider if they are feasible or need to be adjusted. The Board can refer the Order back to the Secretary of State if it is in their view unworkable. The Secretary of State is free to ignore them. Only the recipient of the order made in section 1 can appeal, and not other interested parties.

Sections 22-23 have additional roles for the Interception of Communications Commissioner, the Information Commissioner and the Investigatory Powers Tribunal in relation to Part One. Section 24 creates new limits to the ability of some parts of government to gain access to data retained under RIPA.

Questions

Who would be likely to be consulted other than Ofcom? And what does it mean to consult Ofcom? Will the result of Ofcom's deliberations be made public?

What would happen if the data security requirements weren't met? How would this be balanced / met by the operators without spiralling costs or liabilities?

What are "legal proceedings"?

  • See commentary on section 28, this term is defined within the bill

What is "otherwise as authorised by law"? How broad could that be: could it be substantially widened by the courts?

How does "publication" of notices to collect data take place? Is this for disclosure?

  • Since the orders have to be made by Statutory Instrument and voted on by both Houses, they are a matter of public record and are published in Hansard, and will also be cataloged on parliament.uk
  • Probably also in some other ways, it's not immediately clear what 7(1)(c) means here.

Enforcement and protection for compliance

8 Enforcement and protection for compliance

Telecoms Operators have to comply with duties imposed upon them under Part 1. The duty is enforceable by the Secretary of State through civil proceedings.

Because much of the conduct in collecting data could otherwise be considered illegal interception, subsections 3 and 4 clarify that anything the operators do in order to fulfil any orders to collect and retain data is lawful, provided that it is done exclusively in relation to that duty, and not for something that would otherwise require a separate authorisation.

Part 2: Regulatory Regime for Obtaining Data

Authorisations for obtaining data

9 Authorisations by police and other relevant public authorities

The Bill refers to communications data as "Part 2 data".

A "designated senior officer of a relevant public authority" can grant access to data if it is "necessary" for a "specific investigation or a specific operation" or for testing purposes. The access must be "proportionate to what is sought to be achieved".

The designated senior officer can grant access or "section 9(2) conduct" for themselves or others within their organisation. That is, they can authorise others in their organisation to engage with telecommunications operators to get what they need - provided that they consider the authorisation necessary and a proportionate measure. This is rather a blank sheet!

The responsibility under 9(1)(b)(ii), for testing systems necessary for obtaining Part 2 data, seems out of place and should be the responsibility of TAB?

Telecoms operators can be required to get data if they are capable of getting it, but do not have it, under 9(3)(d)(ii).

Any request cannot require (additional) interception of communications and cannot authorise anyone outside the senior officer's organisation, under 9(5). However, there are powers for senior officers in one force to authorise officers in another under Clause 19, Collaborating police forces in England and Wales. This seems to be to enable a single senior officer to authorise officers in other organisations where those organisations are cooperating (so that multiple senior officers are not required to assent to an authorisation).

Francis Davey comments:

In other words the power to force telecommunications operators to obtain and cough up communications data appears to be delegated further down the tree. I do not know enough about how RIPA is operated within police forces to know whether this will make any practical difference.[1]


The list of purposes is outlined in 9(6). The terms need definition, otherwise they become catch-all opportunities?

  • These are lifted straight from Article 8(2) ECHR. The interpretations of the terms are complex and arise from European case law. It is unlikely that even a senior officer would have a sufficient grasp of this to objectively weigh the individual's rights against the requirements of the police.

It must be "necessary" to gain the data for at least one of these purposes:

(a) national security,

(b) preventing or detecting crime or of preventing disorder,

(c) in relation to financial misconduct under section 123 or 129 of the Financial Services and Markets Act 2000 (civil penalties for market abuse),

(d) in the interests of the economic well-being of the United Kingdom,

(e) in the interests of public safety,

(f) protecting public health,

(g) for tax reasons

(h) for emergency health reasons

(i) to assist investigations into alleged miscarriages of justice, or

(j) to identify people who are incapacitated or dead, in order to identify them, their relatives, people connected with them, or to understand what has happened to them


10 Form of authorisations and authorised notices

This covers notices that authorise junior officers, and notices that require telecoms operators to supply information.

Authorisations

The authorisations must say what "Part 2 data" the request relates to and for what general categories of concern it is needed, from the list in 9(6), plus who is making the authorisation, including their name and rank or position.

Under 10 (3), authorisations for officers to require telecoms operators to supply information "must specify the nature of the requirements" but don't have to be any more specific.

Notices

The requests to telecoms operators must say who is sending the request, and their position. They must state what is being required, and of whom. The requests from policing authorities do not have to be in writing, but must leave a record. On the other hand, requests from people like local authorities, who have to use a judicial process to get the information, have to be made in writing. Would have thought all requests would have to be in writing?

11 Judicial approval for certain authorisations

The Bill separates off officers of local authorities and the like (known as "relevant person"s) who have been criticised for having too easy access to these types of data. They can be given an authorisation to obtain data but it has no effect until it has been given judicial approval. They don't have to notify their intended target (the company or companies holding the data) or any data subject before making the application. Armed with an authorisation they can then give notice to a telecommunications operator without further judicial oversight.

The judicial authority applies the same tests as above, i.e. that the data is needed for an investigation and access is proportionate.

The list of relevant persons is given in clause 11 and is essentially local authority officers, but the list can be extended by the Secretary of State.

Oddly, local authorities are not "relevant public authorities". So, until an order is made by the Secretary of State to include them, local authority officers will not be able to use the powers under this bill. If, and when, they do, then clause 11 will have application. This non inclusion from the start happened in RIPA where local authority officers were designated soon after it was passed.

Question

What does 11(4)(c), "in relation to any other grant by a relevant person, that any conditions that may be provided for by an order made by the Secretary of State were satisfied", mean?

  • 11(4)(c) covers the eventuality whereby the Secretary of State has added to the list of what may be considered a 'relevant person' (as permitted under 11(6)(c)). 11(4)(a) and (b) apply set conditions to specific 'relevant persons' - i.e. local authorities and district councils in Northern Ireland. If the Secretary of State, by order, adds to the 'relevant person' list, they may also define conditions against which the relevant judicial authority may assess whether the grant of an authorisation was reasonable as required under 11(3)(a)(ii).

12 Duration and cancellation of authorisations

Authorisations last a month but can be continually renewed. Authorisations must be cancelled if there is no longer a justification for them, and the Secretary of State is given a power "by order" to create a 'fall back' person to cancel authorisations. It doesn't specify how renewal is achieved?

13 Duties of telecommunications operators in relation to authorisations

Telecoms Operators are asked to minimise the data they obtain and disclose for an authorised request. They are obliged to comply, but do not have to do anything that is not "reasonably practicable".

This is enforceable through the civil courts via injunctions, or other equivalent routes.

Filtering arrangements for acquisition of data

14 Filtering arrangements for obtaining data

14 (1) (a) is the mechanism by which the data is authorised and maintained. The Secretary of State may create procedures to help senior officers decide if data is really needed, and secondly, to make it easy to get hold of Part 2 (communications) data from the data holders once an authorisation is granted. Note that the actual description of the authorisations (one month, in relation to a particular problem (can be extended by further authorisations - see 12(2))) is outlined in 9(1)(a), (b) and (c).

The Secretary of State may make arrangements for the "generation" or use of information for "support, maintenance, oversight, operation or administration of the arrangements" plus the oversight functions of the Interception of Communications Commissioner in this Bill and also under RIPA 57(2)(e).

Question

Can someone clarify if this description of section 14 is accurate?

15 Use of filtering arrangements in pursuance of an authorisation

This describes the same requirements as the clause about the form of authorisation notices.

Filtering arrangements can be used to disclose "Part 2 Data" (communications data) as the result of an authorisation specifically asking to use them. The authorisation must say that permission has been granted for that specific type of data. The authorisation must include the senior officer's decision to allow access to Part 2 data, via filtering arrangements, and a description of the data that may be processed.

The designated senior officer also has to be satisfied that this would be proportionate.

This should be an independent person not the person requiring the data?

I get the feeling that all authorised data could be passed to an outsourced body [like a Serco] who would then do the filtering as required by “others”: just a feeling?

  • This is possible - see commentary on clause 20, below.

16 Duties in connection with operation of filtering arrangements

This clause describes the functioning of the "filtering" equipment and requests made to the holders of filtered information.

Disclosures must only be made to the person authorised. The data disclosed ("authorisation data") must only be given to the person authorised and must be destroyed once practical to do so.

Under (2), the Secretary of State is given a duty to ensure that retained data must only be used for the legal purposes set out in 14(1)(a); plus support functions and oversight functions. Under (3), the SoS is given a duty to ensure that only authorised persons are allowed to process and obtain data, either as the system administrators, or as officers obtaining data. (4) gives the SoS a duty to ensure "adequate" security and impose measures to stop "unauthorised or unlawful data retention, processing, access or disclosure".

Finally, (5) makes the SoS responsible for creating systems to test the filtering and to report to the Interception of Communications Commissioner regarding the functioning of the systems at the end of the calendar year. (6) states that the report must explain how the data was destroyed. (7) states that any significant errors must be reported to the Commissioner.

Supplementary provisions

17 Restrictions on exercise of powers

17 (1) restricts the ability of local authorities to access "traffic data" and data collected through Part 1. This leaves them with subscriber information.

The section also gives the SoS the ability to further restrict access to data sets by order (statutory instrument). The authorities, the purposes and the data that may be processed may all be limited by order.

18 Lawfulness of conduct authorised by this Part

This sets out that anyone who is authorised to obtain data or is authorised to handle the authorisation requests does not have civil liability for their actions in relation to the authorisations.

The clause places a limit. It is not lawful to do anything for which the officer "might reasonably have been expected" to seek a warrant, or which normally should be done under powers in other Acts. These are set out in (3): Regulation of Investigatory Powers Act 2000, Part 3 of the Police Act 1997 (powers of the police and of customs officers), or section 5 of the Intelligence Services Act 1994 (warrants for the intelligence services).

19 Collaborating police forces in England and Wales

This clause allows a senior officer in one force to authorise officers in another force, where they are collaborating under an agreement made under section 22A of the Police Act 1996.

20 Certain transfer and agency arrangements with public authorities

Clause 20 outlines that the powers in clauses 14-16 (filtering arrangements) can be delegated by a "designated public authority" by order (Statutory Instrument). This does not apply to the powers to make orders itself, nor does it remove responsibility from the SoS. The clause also provides for modifications to and revocations of delegated duties.

Does this allow for outsourcing?

  • Possibly. A "public authority" is defined by 28 of the Bill as having the same meaning as 6(3)(b) of the Human Rights Act 1998 - "any person certain of whose functions are functions of a public nature". This seems to be self-fulfilling: any person who is delegated powers in clauses 14-16 will, of course, be exercising functions of a public nature. It would appear that outsourcing to private companies would fall under this remit - see paragraph 6 of the Parliamentary Joint Committee document "The Meaning of Public Authority under the Human Rights Act".[2] The meaning of "public authority" is still not entirely clear - it is subject to constant judicial interpretation and has led to some surprising outcomes, e.g. YL v Birmingham City Council [2007] UKHL 27 [3].

21 Interpretation of Part 2

This clause provides definitions of key terms used in Part 2. Other definitions are made in clause 28 and apply throughout the Bill.

The term "relevant public authority" includes (a) a police force, (b) the Serious Organised Crime Agency, (c) Her Majesty’s Revenue and Customs, (d) any of the intelligence services, and can be widened and contracted by order under Clause 21(8).

Part 3: Scrutiny and Other Provisions

Scrutiny of functions relating to communications data

22 Scrutiny by Commissioners

This relates to powers given to the Interception of Communications Commissioner and the Information Commissioner. The ICC's duties are mainly outlined in this Bill in clauses 14 and 16, so the clause tidies up RIPA to add references there. It also adds in RIPA duties for people and authorities who are authorised in the Comms Data Bill to co-operate with the ICC.

The Information Commissioner gets duties to review the "security of communications data" held by "telecommunications operators", and activities under Section 3 Data security and integrity and Section 6, Destruction of data.

Telecommunications operators have to keep records of what they do so that both commissioners can check what they are doing.

23 Scrutiny by the Investigatory Powers Tribunal

This clause amends RIPA to add the ability to challenge orders to collect data (under section 1), judicial authorisations for data and police authorisations or requests for data (section 9 or 19, or notices under section 9(3)(d)).

It adds a duty for people operating under the Communications Data Act to co-operate with the Tribunal.

Questions

  • What sort of challenges could be made?
    • Any conduct in violation of ECHR rights, the most likely culprit being disproportionate interference with qualified Article 8 rights. Conceivable examples include someone exceeding the scope of their authorisation, or the unwarranted/disproportionate grant of that authorisation, disproportionate extensions of authorisations, or a failure to securely keep or dispose of data by the Secretary of State when operating Request Filters.
  • Presumably the challenges would have to be made by the data holders?
    • It doesn't appear so. s65 RIPA sets out the jurisdiction of the Tribunal. Under 65(4), "The Tribunal is the appropriate forum for any complaint if it is a complaint by a person who is aggrieved by any conduct falling within subsection (5)". Subsection 5 is amended by 23(1)(a) CDB to include (g) - "conduct required or permitted by virtue of an order under section 1 of the CDA 2012" and (h) - "conduct to which Part 2 of the Act of 2012 applies". Challenges may thus be brought by individuals. However, obligations of data holders can only be enforced in the civil courts by the Secretary of State.
  • How does this differ from RIPA?
    • It doesn't appear to differ - it uses the same mechanisms as RIPA.

Abolition of powers to secure disclosure of communications data

24 Abolition of powers to secure disclosure of communications data

This outlines that Schedule 2 revokes some powers of access for some authorities. The SoS is given a tidy-up power, to "by order amend, repeal or revoke any enactment in consequence of subsection (2)".

General provisions

25 Application of Parts 1 and 2 to postal operators and postal services

Everything in Parts 1 and 2 that talks about telecoms operators also applies to postal services, with the specific exception that no change is made to any existing rules about opening, delaying, or redirecting a postal packet.

26 Operators’ costs of compliance with Parts 1 and 2

The Secretary of State must somehow make arrangements for operators to receive whatever financial contributions the Secretary feels are appropriate towards the cost of compliance.

27 Codes of practice in relation to Part 1 and 2 functions

This section merely says that Schedule 3 is part of the bill.

28 Interpretation general

This section defines terms used.

Important terms:

Public authority
Has the same meaning as in section 6 of the Human Rights Act 1998, excluding courts and tribunals. This means any person exercising public functions may be considered a public authority.
telecoms
any communication system using electrical or electro-magnetic energy
communications data
For telecoms operators: traffic data, use data, or subscriber data
For postal operators: anything the postal service uses to transmit the communication, anything about how people are using the postal service, and any other data that the postal service has about people who use the service
traffic data
anything associated with a communication for the purpose of facilitating transmission, which also satisfies at least one of these criteria:
  • Identifies any person, apparatus, or location which the communication is being sent to or from
  • Identifies apparatus involved in sending the communication
  • Controls apparatus involved in sending the communication
  • Identifies the time when something relating to the communication occurs
  • Identifies data that is associated with the communication
  • Identification of a computer file or program which is accessed or run by the communication is not traffic data (although identification of the apparatus where the file or program is stored is traffic data)

Not sure what this means - for example Skype encodes the voice; is this a programme?

  • It seems to mean that traffic data is not information that details what files/programs on Machine A were remotely accessed/run by Machine B. However, it does include any identification of that file/program that arises from reference to the equipment on which it is stored.
use data
Information about how the service is used by people, except for the contents of communications
subscriber data
Any information that a telecoms operator has about people who use their service
legal proceedings
Any of the following:
  • Civil or criminal proceedings before a court or tribunal
  • Proceedings before an officer within the armed forces


Questions

  • Telecoms operator is proposed to include anyone who "controls" a "telecommunications system" whether in the UK or not (telecoms "system" is identical to RIPA 2(1), operator is a new definition). Telecommunications includes any electronic signalling system, but "system" is not defined within the bill except the implication that it includes apparatus. Is an individual server a "system"? Is an email program? Is "operator" intended to cover content providers like Facebook (probably)? Does it cover web hosts? Domain registrars? Anyone with a phone?
    • As written the answer would appear to be "yes" to all of these - but since it still has to be put before parliament for approval in each case, extremes that don't pass the giggle test wouldn't be possible, like personal telephones. Individual email servers and web hosts seem plausible; domain registrars could be possible on grounds of "facilitating transmission".
  • Does "subscriber data" include lists of social network contacts (equiv RIPA 21(4))?
  • Does 28(3) restrict web request data to hostname or IP address rather than full URI (equivalent to concession RIPA 21(6))?
  • Does c26 limit cost recovery compared to RIPA's "fair" contributions?

Will operators be able to pass excess costs onto the service user?

Final provisions

29 Orders

(Note: come back and fill in what these section numbers refer to, once we've figured out what those sections do)

All orders in this bill must be made by statutory instrument.

The following set of orders are subject to the affirmative resolution procedure before both Houses before they are made - so both the Lords and Commons must vote "yes" before these orders can be made:

  • Anything under section 1
  • Anything under section 9(7)
  • Anything under section 11(6)
  • Anything under section 17
  • Anything under section 20
  • Anything under section 21 that changes primary legislation, or designates a public authority that is not in the following list:
    • A police force
    • SOCA
    • HMRC
    • An intelligence service
  • Anything under section 24(3) that changes primary legislation
  • Anything under section 31 that changes primary legislation

The following set of orders are subject to the negative resolution procedure before both Houses after they are made - so the order is immediately effective, but either House can vote "no" within 40 days to annul the order:

  • Anything under section 11(4)
  • Anything under section 12
  • Anything under 3(1)(b) of Schedule 1
  • Anything under section 21 that does not meet the conditions for affirmative resolution above
  • Anything under section 24(3) that does not change primary legislation
  • Anything under section 31 that does not change primary legislation

The following set of orders are subject to the negative resolution procedure before the House of Commons after they are made, but not the Lords:

  • Anything under paragraph 5 of Schedule 1

30 Financial provisions

The bill will be funded by the Treasury. This is uninteresting.

31 Consequential provision

32 Transitional, transitory or saving provision

33 Short title, commencement and extent

The bill applies to all areas of the UK and the Secretary of State can decide when the bill will come into force after it has passed.

Schedules

Schedule 1: Transfer and Agency Arrangements with Public Authorities: Further Provisions

Paragraph 1 establishes the criteria that must be satisfied for the Secretary of State to delegate functions, by order, under section 20. The designated public body must be willing to exercise the function, and must have arrangements in place to allow the function to be performed effectively and in accordance with any requirements or provisions made by the order.

Paragraph 2 requires that, where filtering arrangements are delegated, the measures adopted by the designated public body must be approved by the Secretary of State, and reports must be sent to the Secretary of State as well as the Interception of Communications Commissioner.

Paragraph 3 requires designated public authorities exercising delegated functions to send a report back to the Secretary of State.

Paragraph 4 allows the Secretary of State to “make a scheme for the transfer of property, rights or liabilities” in connection with a delegated function. In particular, this would enable the SoS to, e.g., cause a member of the civil service to become an employee of the transferee, or to compensate a designated public authority should the SoS later reclaim delegated functions.

  • Arguably, the fact that the explanatory notes detail how the Secretary of State may compensate a designated public authority (141) is an indication that such public authorities would be for-profit private companies.

Paragraph 5 allows the Treasury to make consequential tax orders where necessitated by a transfer scheme made under Paragraph 4.

Schedule 2: Abolition of Disclosure Powers

A number of Acts are amended:

  • Trade Descriptions Act 1968 (c. 29)
  • Health and Safety at Work etc. Act 1974 (c. 37)
  • Criminal Justice Act 1987 (c. 38)
  • Consumer Protection Act 1987 (c. 43)
  • Environmental Protection Act 1990 (c. 43)
  • Social Security Administration Act 1992 (c. 5)
  • Competition Act 1998 (c. 41)
  • Financial Services and Markets Act 2000 (c. 8)
  • Enterprise Act 2002 (c. 40)
  • Finance Act 2008 (c. 9)

In each case, amendments are provided to make clear that seizure or data powers do not compel the release of data collected under the Communications Data Act.

Question

  • In each case, is there much or any evidence that communications data has been handed over?

The amended provisions within each Act relate even more broadly, to obtaining generic data. The amendments ensure that communications data is explicitly excluded - the only way to access communications data would be through the Communications Data Bill. The provisions in the amended Acts have certainly been used to gain, or attempt to gain, access to data in the past, e.g.:

  • Trade Descriptions Act 1968, section 28: e.g. Barge v British Gas Corporation & Another 81 LGR 53, CO/87/82
  • Health and Safety at Work Act 1974, section 20: e.g. R (on the application of London Borough of Wandsworth) v South Western Magistrates Court [2003] EWHC 1158
  • Criminal Justice Act 1987, section 2: e.g. R v Smith [1996] 2 BCLC 109
  • Consumer Protection Act 1987, section 29: e.g. Regina v Liverpool County Council, ex parte Baby Products Association and another [2000] LGR 171

Schedule 3: Codes of Practice in Relation to Part 1 and 2 Functions

Schedule 4: Consequential Provision

Paragraphs 2-11 amend the Regulation of Investigatory Powers Act 2000 (c. 23) mainly aiming at replacing Part II of Chapter I in RIPA (the provisions allowing public authorities to obtain data).

Question

What is left in and out of RIPA?

  • The role of the Interception of Communications Commissioner (ICC) is retained (and modified) for use under the Communications Data Bill (CDB) (Section 22 CDB), as well as that of the Investigatory Powers Tribunal (IPT) (Section 23 CDB). However, RIPA will no longer govern the acquisition and disclosure of data if the CDB becomes law. See below for details.

Where/how do the EU data retention directive and e-commerce directive fit in relation to this Bill, and so what has precedence over what?

  • Directives do not have direct effect in UK law - they must be implemented, or be given indirect effect through interpreting domestic legislation in a manner that fulfils the obligations in the Directive without distorting domestic law too greatly. The period that data must be retained under the 2006 Directive is between 6 months and 2 years. The period in the Bill (12 months) is thus compliant with this requirement. The type of data that must be retained is similar between the two (header information but not content of communication). There is no requirement within the 2006 Directive that the "supervisory authorities" that prevent unauthorised access to the data are to be judicial in nature. Thus, the provisions of the 2012 Bill do not seem to be incompatible with the 2006 Directive. Could you specify what parts of the e-commerce directive are potential conflicts?

Definitions amended by CDB Schedule 4, Part 1

Section 3(a) amends Section 2(9) of RIPA - the definition of "traffic data" is amended to include "(ca) any data identifying, or purporting to identify, the time at which an event relating to the communication occurs".

Section 3(b) amends the end of Section 2(10) of RIPA to read "“data”, in relation to a postal item, includes anything written on the outside of the item".

Section 4 amends Section 20 of RIPA to use the definition of "related communications data" provided in Section 28 of the Communications Data Bill.

Provisions repealed/amended by CDB Schedule 4, Part 1

Section 5 repeals the entirety of Chapter II of Part 1 of RIPA (i.e. Sections 21 to 25).

Consequentially, the following sections of RIPA are also repealed/amended, by Section 6 of the CDB:

  • 57(2)(b) - repealed (regarding the duty of the ICC to review conduct under Chapter II of RIPA)
  • 58(1)(g) - repealed (regarding the duty of those acting under provisions within Chapter II to disclose all information to the ICC)
  • 58(1)(h) - repealed (regarding the duty of those given a notice under provisions within Chapter II to disclose all information to the ICC)
  • 58(1)(j) - amended (removes reference to 58(1)(h))
  • 65(5)(c) - repealed (the definition of 'conduct', to which proceedings should be brought to Tribunal, includes conduct under Chapter II)
  • 65(8)(b) - repealed (granting of a notice under Chapter II is a matter which may be brought to Tribunal)
  • 68(7)(g) - repealed (regarding the duty of those acting under provisions within Chapter II to disclose all information to the Tribunal)
  • 68(7)(h) - repealed (regarding the duty of those given a notice under provisions within Chapter II to disclose all information to the Tribunal)
  • 68(7)(n) - amended (removes reference to 68(7)(h))

References