There is a lot of discussion following a piece in the Telegraph this weekend about the UK government's proposed upgrade to its current data retention / interception system, nominally to enable continued capability in a changing communications environment — in other words, retention of data and interception relating to over the top services, such as Facebook chat sessions, private tweets and Skype conversations.
The Telegraph article is here, and the official CCDP webpage is here.
I gave a paper on this subject (critiquing the current system, and discussing the reform proposals) at a conference last year; my slides are rather basic, but I shall dig out what I have in case anyone is interested. (The presentation attracted quite a lot of interest, because of the rather invasive nature of the proposals...)
How would this comply with the new data protection regulation allowing the right to be forgotten? :-)
It is true that the storage media is becoming lower in cost, however here we are talking about a huge volume of data... who will pay the bill?
How would this comply with the new data protection regulation allowing the right to be forgotten? :-)
Article 2(2) of the draft regulation :)
This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;
...
(e) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
who will pay the bill?
A big question indeed.
For the retention, the UK regulations implementing directive 2006/24/EC provide that:
"11.—(1) The Secretary of State may reimburse any expenses incurred by a public communications provider in complying with the provisions of these Regulations."
In terms of accessing retained data, in the UK, the Secretary of State is required "to ensure that such arrangements are in force as he thinks appropriate for requiring or authorising, in such cases as he thinks fit, the making to postal and telecommunications operators of appropriate contributions towards the costs incurred by them in complying" with access requests. (s24(1), RIPA 2000)
This move raises issues of civil liberties and security of information concerns. Under what conditions will security services be allowed to access such personal records, is it through a court process based on some degree of evidence? What steps will be taken to ensure the security of the information stored by service providers and that other public organizations will not be given access to such records and that the service providers themselves do not use the information for their own purposes?
Both good questions, Zizi.
Currently, it looks as if access will be under Part 1, Chapter 2, of RIPA 2000: here. It's the procedure in the UK currently used by law enforcement to access data retained under the data retention directive, for example. It's not a judicial process, but instead one which is authorised by senior officers within relevant public authorities — of concern, quite a range of public authorities have access to the information, and the review is not always independent, with these senior officers sometimes approving access for their own investigations (as evidenced by the most recent report of the Interception Commissioner).
In terms of security of the information, if it's to be held by the access providers (which is not necessarily what access providers want), it would be covered by the Data Protection Act 1998, which requires, as you may know, "appropriate" security, but I would be surprised if there was anything more than this — at least, under the current arrangements, the only obligations set out legislatively are those under data protection legislation.
As for use by service providers for their own purposes, the provisions of the ePrivacy regulations and the Data Protection Act 1998 would apply here.
In case it is of interest, I have uploaded my slides and notes from a conference paper I gave on this topic at the most recent Cyberspace conference (at Brno, in the Czech Republic) — they are the notes I used for my presentation, rather than an article, but they give a fair gist of the legislation, and the potential impact of CCDP. The notes are here.