The government's new proposed Data Retention and Investigatory Powers Bill was published on Thursday last week and passed through the House of Commons yesterday.
It is an emergency measure to address the invalidity of the European Union's Data Retention Directive, which was found by the European Court of Justice to be invalid. The government is concerned that the UK's Data Retention (EC Directive) Regulations 2009 will suffer a similar fate in the UK courts, and therefore new laws are required to provide for telecoms providers to retain communications data for law enforcement purposes.
A timetable of one week was set for the Bill to be passed by Parliament and a decision is due imminently.
But what are the commercial implications of the proposed bill for UK businesses? And has the government allowed sufficient time for the debate over the bill?
Uncertainty on relationship with data protection laws
One of the most important questions about the proposed new laws is whether or not they strike the right balance between the privacy of individuals who make use of telecommunications services (i.e. all of us) and the need for law enforcement authorities to obtain access to communications data to facilitate their investigations.
The original EU Data Retention Directive was passed in order to safeguard national security in light of terrorist attacks in Europe. However, the European Court of Justice recently found that the Directive disproportionately interfered with the fundamental EU rights to a private life and to protection of personal data and declared the Directive invalid.
The new Bill fails to answer the same fundamental question on how telecoms providers will be able to comply simultaneously with the new Bill and our EU based data protection laws. Telecoms providers will be concerned about how they can demonstrate to the Information Commissioner and their customers that they have adequate procedures in place to safeguard their end users' personal data, whilst compelled to retain communications data for potential disclosure to law enforcement authorities.
The uncertainty is likely to result in additional costs for compliance and increased risks of claims or fines until clearer guidance is available from the government, the Information Commissioner or courts as to how the balance should be maintained. It is unlikely that regulations pursuant to the Act will clarify the position sufficiently.
Potential for broader application to businesses
Not only will telecoms providers face a difficult task in complying with the new Bill and data protection laws, some telecoms and technology businesses may be caught by surprise. Under the existing UK laws, communications providers are not usually required to retain data if another public communications provider is already retaining the relevant communications data. As the UK has a very successful telecoms resale market, a large number of public telecommunications providers are not actually required to retain communications data generated or processed in their service provision. Their upstream providers, like BT or the major public mobile network operators, tend to retain the communications data required by law.
Under the new Bill, there is no immunity for resellers or communications providers who are not best placed to retain communications data. This could result in duplication of effort and cost by multiple telecommunications providers in the value chain retaining the same communications data, or indeed non-compliance where downstream providers do not have access to communications data that the Secretary of State may require them to retain.
In addition, other technology suppliers may find themselves subject to the new Bill. The definition of "telecommunications service" is being clarified to cover services that consist in or include facilitating the creation, management or storage of communications. The breadth of this provision has concerned some commentators and it is likely to extend to over-the-top players, internet mail providers and social media businesses who may not currently be required to retain communications data. Once again, this could have significant commercial implications for those businesses and raise concerns among their communities of users.
As if that is not enough, the proposed extra-territorial effect of the new Bill will purportedly give the government quite draconian powers to require providers to retain communications data even if they, and their telecommunications systems, are located outside of the UK. While this is likely to be required to deal effectively with international over-the-top players and social media businesses whose services are accessible from the UK, it may make the UK appear an undesirable location for overseas providers to make their services available.
Not enough time for proper debate
Perhaps the main attention of the new Bill has been the timescale in which the government is seeking to pass it. There is no doubt that the majority of Parliament considers new laws necessary to enable law enforcement authorities to carry out their functions effectively. However, the new Bill does not simply "maintain the status quo" of the existing laws; nor does it correct the issues raised by the recent findings of the European Court of Justice. The reality is that the new Bill touches on issues that are of major concern to technology users and businesses and they have been denied the opportunity to engage in any proper debate as part of the emergency process being run by Parliament.
Liz Fitzsimmons is a data protection specialist and James Walsh is head of telecoms, both at Eversheds LLP.
This paper seeks to provide education and technical insight to beacons, in addition to providing insight to Apple's iBeacon specification
Focus on cost efficiency, simplicity, performance, scalability and future-readiness when architecting your data protection strategy