Previous Section Back to Table of Contents Lords Hansard Home Page

Data Retention (EC Directive) Regulations 2009

Motion to Approve

7.37 pm

Moved By Lord West of Spithead

The Parliamentary Under-Secretary of State, Home Office (Lord West of Spithead): My Lords, these regulations are made under Section 2(2) of the European Communities Act 1972. They will complete the transposition of the European data retention directive or, to give it its full name, the directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending directive 2002/58/EC. I hope noble Lords will allow me to refer to it simply as “the directive”.

The European directive was formally adopted on 15 March 2006, three years ago, and related to fixed-line, mobile and internet communications. It requires the retention of data about the communication, covering details such as who contacted whom and where and when the communication took place. It does not relate to the content of a communication, nor to what was said or written.

The directive was adopted after discussions at a European level involving the communications industry, law enforcement and member states. The need for this measure was demonstrated by the shared experiences across many jurisdictions detailing how important communications data have been to law enforcement.

Let me outline some examples of where these data have played an important part. In the Soham murders, they placed Ian Huntley at the scene of his most grievous crime; in the desecration of Gladys Hammond's grave by animal rights extremists in 2004, communications data helped lead detectives to make those important arrests; and Levi Bellfield, who was found guilty of the murder of two women in south-west London, was caught thanks in part to historic communications data.

I could continue with example after example. In the United Kingdom, communications data form an important part of prosecution evidence in 95 per cent of serious crime cases. The directive rightly refers to the experiences already gained in this country and elsewhere in Europe in exploiting communications. The police, security and intelligence agencies in the UK have been utilising communications data for some time. It is unfortunate that they have had to do so, but the role of communications data in the reducing crime is undeniable. On this point I have the agreement of the important human rights campaigners of Liberty, who agree that communications data records can prove a valuable crime detection and prevention tool.

The benefits that law enforcement derives from retained communications data are clear. The directive as implemented in the UK has already saved many

24 Mar 2009 : Column 621

innocent lives—that is not an exaggeration. The regulations relating to telephony have regularly been used to place murderers at the scenes of their crimes, to prevent murders and kidnaps taking place and to identify serious sexual offenders who may not have been caught, and who would certainly not otherwise have been caught as quickly. Internet-related communications data are just as vital. Other member states offered similar examples of how they used communications data to deal with national security and crime problems. Communications data provide one part of the solution, one important tool that law enforcement has relied upon to help protect us. This is why the directive on retaining data was passed across Europe.

Many of our European partners are ahead of us in transposing this directive. France, Germany, Italy and Denmark are just four of the 17 member states that have transposed this directive so far. This directive represents a positive step forward—European member states taking the lead on these important matters. Other countries outside Europe are looking at this directive and are seeking to implement similar legislation.

The directive reflects the international nature of crime, particularly organised crime. It is all too common for crime perpetrated in one country to have been commissioned in another. This directive aims to assist law enforcement by ensuring that wherever in Europe national or cross-border crimes are commissioned, communications data are retained to enable law enforcement to help prevent and detect crime and increase public safety.

Already, as a result of this directive, the communications industry is making changes. The European Telecommunications Standards Institute has produced a technical specification to help the communications industry in its dealings with law enforcement. This European standard has already reduced the cost and complexity of implementing the directive. I commend to the House this excellent example of co-operation.

I now draw attention to the confusion that occurred in the debate in the other place. The published impact assessment that accompanies these regulations states that it is not the Government’s intention to change how communications data are accessed. This is indeed the case, because we believe that the framework in which communications data are accessed is appropriate. The framework is set out in RIPA. However, separate from these regulations, as the Home Secretary announced in December, we are shortly going to hold a consultation exercise on the public authorities able to access communications data under RIPA. The consultation will list the public authorities and set out the rank at which they can authorise the acquisition of communications data and the statutory purposes for which they can use communications data. In due course, this consultation will result in a statutory instrument subject to the affirmative resolution procedure. There will therefore be an opportunity to revise the list of public authorities able to access communications data which is currently contained in the Regulation of Investigatory Powers (Communications Data) Order 2003 and other places.

24 Mar 2009 : Column 622

7.45 pm

However, let us be clear, as I am afraid that the other place got very confused about this. The subject of today’s debate is retention of communications data and not access to it. There will be other good opportunities to debate access to communications data under RIPA, both in the affirmative resolution referred to previously and in the ongoing IMP work. So, before turning to the regulations themselves, I pause briefly to mention the interception modernisation programme. There has been a good deal of interest in this programme from those within this House. I know; I have given many briefings to noble Lords and I stand ready to give more if asked for. In addition, I have bent over backwards to ensure that the Opposition get briefings from Ministers and officials. There has been a great deal of media speculation about the Government’s plans. There will shortly be a full consultation exercise on options relating to maintaining our communications data capability in the longer term as methods of transferring data change. But that is not today’s issue. For now, we are considering a very specific set of proposals relating to retention, contained in the draft regulations before the House.

The directive and the regulations apply only to communications data. As I have said, this is best described as the who, where and when of communications. It may include, for example, the time at which a communication is made or the location of a piece of mobile communications equipment. To explain this in old-fashioned terms, it is effectively the information on the outside of an envelope, which includes the name, address and postmark. It is not the content. The specific data covered by the directive is information that is generated or processed by communications providers for their own business purposes, such as billing, network management and prevention of fraud. Neither the directive nor the regulations apply to any of the contents of a communication. The key effect of the directive and these regulations is to make the retention of communications data by communications service providers mandatory. Note, however, that it does not apply to social networking sites.

Before turning to the details of the regulations, it may assist noble Lords if I explain a little about the history of data retention in the UK in the past few years. The voluntary basis for retaining communications data started in 2003 with the introduction of the voluntary code. This was replaced when the first part of the data retention directive made traditional fixed-line and mobile telephony retention mandatory in October 2007. We have worked with those fixed-line and mobile companies and they have a good understanding of their responsibilities and perform them well. The Government remain grateful for the industry’s continued co-operation.

That was when the first part of the transposition of the directive, relating to traditional telephony, was completed. Since then, law enforcement agencies have been working closely with industry to develop expertise in using internet-related data and to understand which types of internet-related data should be retained by which service providers to provide most help to the law enforcement and intelligence agencies. A great deal of work has also been done on how internet-related

24 Mar 2009 : Column 623

data should be stored in order to ensure that they can be accessed efficiently when necessary. We are now in a position to complete the transposition of the directive and make the retention of data relating to internet communications mandatory. Those business data contain information about the subscriber to the services, details of the bills the subscriber receives and information about how those services are used—in other words, traffic data.

In line with the requirements of the directive and with comments made by communications service providers during our consultation exercise, we are determined to minimise any possible duplication of data retention. To do this, we have decided to introduce a notice system so that service providers can be absolutely confident about what they are required to do under the regulations. The Government will issue notices to those providers required to retain data. They will also explain precisely which data sets they would like the service providers to retain. The Government will use the notice system to minimise the burdens imposed upon industry while ensuring that relevant communications data are retained.

The consultation exercise highlighted the complexity of this area. We have therefore undertaken to establish an implementation group which will oversee the implementation of the directive and regulations. It will include experts drawn from industry and from the law enforcement and intelligence agencies. It will provide guidance to communications service providers so that they understand precisely what is required of them. We will also continue to ensure that service providers are not penalised financially as a result of complying with the regulations. This is compatible with previous practice and is a fair way of ensuring both that data are retained effectively and that there is no distortion of the communications market. In light of the approach that I have outlined, I hope that noble Lords will agree that the regulations will provide a suitable basis for the transposition of the directive.

Before I conclude, I remind your Lordships of the importance of communications data. I suggested at the beginning of this speech that the co-operation of industry in respect of communications data has saved lives. This is correct. This final transposition of the directive, as agreed across Europe, will ensure that communications data from all major types of communications, most of which are already held by the communication service providers from billing, are retained consistently and made available efficiently if required. The laws and safeguards covering access to that material are the subject of another, maybe more than one, debate. For these reasons, I commend the draft regulations to the House.

Amendment to the Motion

Moved by Baroness Neville-Jones

Baroness Neville-Jones: My Lords, I thank the Minister for introducing this statutory instrument. He outlined how it implements a requirement under EU law for service providers to collect and retain communications data relating to our internet access, e-mail and telephony. He also made the argument for the importance of these data in tackling the threats we face from terrorism and organised crime. I say straightaway that these Benches understand the need for communications data to be made available to the police, the security services and certain other agencies in the fight against serious crime and to protect our national security. There is nothing between us on this issue. Indeed, it is not that matter but other issues that lie between us. Despite what he has just said about the intention to amend RIPA, that remains a problem. We are not able to support an instrument where there is such uncertainty over what it will do, how it will work in practice and how it relates to the evolving set of policies and technical solutions under the interception modernisation programme. I shall explain why I have these reservations. It is for these reasons that we are calling on the Government to withdraw the instrument and bring forward primary legislation on communications data.

I want to look at three matters, each of which has significance. First, on the specifics of the statutory instrument before us, the instrument could very well be extended to cover a much wider range of communications than those outlined by the Minister. While it is claimed that the content of the internet communications will not be retained—the Minister underlined this—the truth is that it is very difficult with internet communications to separate the content from the who, what, where, when and how; that is to say, the transmission of data. Secondly, on the instrument’s relationship with RIPA, as it stands that Act has abusively wide scope which will certainly extend the use of communications data of this kind to many other different bodies for many reasons, some of them very trivial. Thirdly, setting all this in the context of the interception modernisation programme that the Minister mentioned, it is not at all clear to this side of the House how this regulation fits into this programme. We fear that we are moving on auto pilot to a stage where there is no longer a meaningful distinction between content and communications data, and one which may well involve a huge centralisation of data by the Government. Let me look at these specifics.

Reading the statutory instrument makes me very uneasy. The definitions that it uses are very broad, perhaps deliberately so. We are told that the service providers will retain only the data they “own”; in other words, data which they generate in the process of supplying their services to a customer, and not data generated by third parties or instant messaging. But “communications data” are defined as data generated and processed by service providers. And “internet e-mail” is defined as,

24 Mar 2009 : Column 625

Therefore, the problem does not end with the Minister telling us that social networking is to be excluded. Other categories of instant messaging would not necessarily be excluded in that way. These categories and definitions are very broad and they make me very uneasy.

It is not inconceivable that this definition of “internet e-mail” could cover third parties. Is it also not the case that service providers could be required to retain data relating to this third-party layer because they would process their communications? There is a real difficulty about what we are to understand by “process” and how far it really extends. We are very uneasy that that word could be interpreted as meaning a range of internet communications much wider than those discussed by the Minister. Will he clarify that?

We are also told that the guidance will specify what these definitions mean in practice. But this guidance will be written only after the regulations come into force. This is pretty strange. Does the Minister think this is good practice because it puts the horse before the cart and your Lordships' House is not in a position to be sure what it is being asked to agree to. Quite apart from the broad scope of the instrument, there are other practical and technical questions that need to be answered. Will service providers have to record every attempt to access an e-mail server, even if no e-mail is sent or received, and will they have to retain data in respect of spam e-mail? Some estimates say that 90 to 95 per cent of all e-mail traffic transmitted is spam. If so, what are the cost implications? If it is not to be included, how are ISPs to distinguish between proper e-mails and spam? Most importantly, it is claimed that the content of internet communications will not be collected. I come back to the point that the Minister made.

Regulation 4(5) states:

“No data revealing the content of a communication is to be retained in pursuance of these Regulations”.

But—and here is the problem—collecting “communications data” for phone calls is relatively straightforward. Technically, the details on who called whom, when and for how long are completely distinct from the content of that call. But for internet communications there is only one data stream, and this data stream includes both the fact of the communication and its content. How do you separate the two? Where do you draw the line? Can the Minister please clarify the Government's understanding of this? Take an e-mail as an example. The body of an e-mail is obviously content, but what about the subject? The subject is included in the e-mail header, which says when the e-mail was sent, to whom it was sent and who received it. Is this subject classed as communications data because it clearly gives content?

The Explanatory Memorandum says that an implementation group will be set up to examine practical issues of this kind. That is a very good thing, but what is the composition of the implementation group, when will it report, and when will its work be published? Again we feel that this is putting the cart before the horse. We need to have this report before we are asked to agree to this legislation.

24 Mar 2009 : Column 626

We must know how these regulations are going to work in practice. The regulations themselves are, of course, only one half of the issue. Their significance is heightened when you examine who will potentially have access to the information proposed to be retained. The Minister mentioned the promise by the Home Secretary made relatively recently to review RIPA. Under the Act the number of people and bodies who have access to sensitive information is very extensive. It is not just the security and intelligence services and the police but all 474 local councils in England, every NHS trust and fire service, 139 prisons, the Environment Agency and even Royal Mail, and those are only some. In the view of these Benches, it will require an extraordinary narrowing of the number of bodies entitled to have access under RIPA for it to be a fit instrument for an authorisation process for access to information and data communications of this degree of sensitivity. We would wish to see the narrowing of the authorisation process before we were happy to agree that that could be the Act that enabled that authorisation to take place. We would like to see the amendment of RIPA taking place before we get to the processing of any Bill relating to data communications.

8 pm

There is no guidance on how these regulations relate to the interception modernisation programme. I have already outlined how broad the definitions in this instrument are, that they could potentially cover third parties—that is a very important point—and how the distinction between communications data and content is difficult, if not impossible, to make in the internet protocols such as e-mail, web browsing and instant messaging. Is it the intention, in fact, to move to a stage where we will not be able to separate the two? Does this mean in practice that everything will be collected and held in a centralised database? Does this indeed open the door for data mining and deep packet inspection?

It is hard to avoid the suspicion that this instrument could very well establish a legal construct around which the IMP could be allowed to proceed without further primary legislation. It is telling that in another recent speech the Home Secretary said:

“The changes we need to make may require legislation. The safeguards we will want to put in place certainly will. And we may need legislation to test what a solution will look like”.

We on these Benches are not clear whether further primary legislation is intended by the Government and regarded as needed by the Government to achieve the aims of the interception modernisation programme. Therefore, we are not clear whether this provision would enable the extension of the collection of data for the purposes outlined to take place without any further legislation. Which are we facing? Are we faced by this provision, or are we going to be able to have primary legislation in due course? If so, it seems a good idea to put the whole of this into the primary legislation.

At the time of the Queen’s Speech, the Government said that they were going to bring forward primary legislation and at the same time the incorporation of the statutory instrument. Indeed, the Joint Committee on Human Rights has recommended that the Government’s powers should be set out in primary

24 Mar 2009 : Column 627

legislation. Now, we are asked instead to adopt the SI by itself, without knowing or understanding the relationship that this may have to primary legislation, whether there will be any primary legislation, and how much RIPA—the authorising access legislation—will be narrowed.

This is a very unsatisfactory state of affairs. I beg the Government to withdraw the regulations, which are not necessary, and to introduce at the earliest opportunity primary legislation on communications data, from which we will have clarity about what constitutes data and what constitutes content. The Government cannot expect us to support an instrument where there is such uncertainty over what it will do and how it will work in practice. The Government promised—I am sure it was a promise that was seriously meant—a well informed debate, characterised by openness, reason and reasonableness. The Home Secretary wants us to achieve consensus, and we would like to be able to join that. I hope that the Government will withdraw the regulations today and enable us to have a proper debate on primary legislation.

The Earl of Northesk: My Lords, I rise to support my noble friend’s amendment. In so doing, I declare my various interests in this field, as an unpaid adviser to the Enterprise Privacy Group, Privacy International and 80/20 Thinking.

I do not have all that much to add to my noble friend’s excellent and devastating critique, but I should like to reinforce one or two of the issues to which she referred and probe the Minister on a few more.

Next Section Back to Table of Contents Lords Hansard Home Page