Is the proposed Communications Data Bill a step too far for the British way of life? Timothy Pitt-Payne reports
By Timothy Pitt-Payne | On 15 July this year, the Information Commissioner, Richard Thomas, published his annual report. At the launch of the report he commented on the Government’s proposed Communications Data Bill. Referring to media suggestions that the Bill would make provision for a massive government database holding details of everyone’s telephone and internet communications, he stated that any such proposal would be “a step too far for the British way of life”.
The way in which personal information is held by the Government is a subject of increasing public debate in the UK. There are concerns about the nature and the volume of information that is acquired and retained – this is one of the reasons why the Government’s identity card proposals are so controversial. There are also concerns about security. Public confidence was severely damaged in November 2007, when CDs containing child benefit information about some 25 million individuals were lost by HM Revenue & Customs (HMRC). Since then there has been a series of further security breaches; most recently on 19 August, when a private contractor informed the Home Office that it had lost a computer memory stick containing personal details of tens of thousands of criminals.
The legal background to the Communications Data Bill is complex, but needs to be set out in a little detail in order to make sense of the Commissioner’s concerns. The story begins with a European Union (EU) Directive of 2006 imposing requirements for the retention of “communications data” by telecoms providers and internet service providers (ISPs) across member states. Communications data in this context essentially means information about who is communicating with whom, when and where they are communicating, and what means of communication they are using. It does not include information about the actual content of the communication.
So in relation to telephone usage, communications data would include the timing and destination of phone calls, but not what was said. In relation to internet usage, communications data would not include details of the actual websites visited from a particular computer, though it would include information about when and for how long that computer had been used to access the internet. Even with these limitations, the information covered by the directive can potentially tell you a great deal about ordinary individuals. This kind of information could be used, for example, in order to try and ascertain the whereabouts of a particular individual at a specific time.
Implementation of the Directive in the UK has proceeded in two stages. The first stage was the Data Retention Regulations 2007, which implemented the directive in relation to landlines and mobile phones (but not ISPs). The regulations require telecoms providers to retain communications information for a minimum of 12 months. The regulations do not themselves confer any right for Government to obtain access to the retained information. Instead, access is governed by the Regulation of Investigatory Powers Act 2000 (RIPA 2000) and related regulations, under which various public bodies can access the retained information on request. The potential bases for access are wide-ranging, and are not confined to national security or the prevention of crime. For example, there is a right of access in the interests of the UK’s economic well-being, and another for the protection of public health. A court order is not required, though an order can be sought if access is refused by the telecoms provider.
The Government’s draft legislative programme for 2008-09 was published in May. This contained the first reference to a Communications Data Bill, intended to complete the implementation of the Directive. The draft programme
is uninformative about the detailed content of the proposed Bill, though it is envisaged that the Bill will extend to ISPs – since these were not covered by the 2007 regulations.
Media concern about the implications of the Bill began with a story in The Times on 20 May, suggesting that the Bill will adopt a radically different approach from the 2007 Regulations. According to the story, what is being contemplated is the creation of a central database under government control, containing all the retained records. Instead of merely retaining communications data and providing it on request, providers would automatically pass all of their communications data to the database.
Any proposal of this nature would prompt a number of important questions. One is whether the database would be confined to ISP records, or whether it would also cover telecoms records (the story suggested that both would be covered). A second question is what kind of information would be held. Would the database be confined to communications data, as defined in the Directive? Or would it include information about the actual content of telephone calls, emails and internet usage? And the third and most important question is who would be entitled to use the database, and in what way?
On any view a proposal of this nature would also raise some serious concerns, fully justifying the Information Commissioner’s comments. There is the obvious risk of further security breaches. The possibilities range from accidental large-scale disclosure (as in the HMRC case) to isolated instances of unauthorised access by individual employees. Imagine, for instance, an individual with access to the database who wants to know if his new partner still speaks to her ex-boyfriend on the phone. A second and even more serious risk is that, once the database has been created, more and more ways of using it will be found. Under RIPA 2000, both the range of authorities entitled to access communications data and the purposes for which they are permitted to have access can be amended without the need for primary legislation. If the Bill adopts a similar approach, then there would be the risk of incremental extensions, with limited parliamentary scrutiny. Interest in the database’s contents would not necessarily be confined to the UK. For instance, how would the UK Government respond if the US authorities asked for access to any information held on the new database about passengers intending to travel to the US?
The Information Commissioner has repeatedly warned about the danger of developing a ‘surveillance society’. The danger comes from a combination of legal and technological developments: legal developments that facilitate the collection of personal information on a wide scale, and technological developments that allow that information to be exploited in ever more sophisticated ways. In real life, the quintessentially British double-decker bus that played a starring role in the Olympic closing ceremony would undoubtedly have been monitored by CCTV cameras. Facial recognition software now allows CCTV images to be linked to databases of information about identifiable individuals. The more information about us is held on centralised databases, the greater the potential risk posed by this kind of linkage. For a description of what a surveillance society of the future might look like in practice, Cory Doctorow’s recent dystopian novel, Little Brother, is highly recommended.
Meanwhile, we wait to see the detail of the Communications Data Bill. It is hoped that the fears expressed by The Times and the Information Commissioner will not be borne out when the Bill is published. Public trust in the way in which personal information is held by Government is at a very low ebb. Proposals for massive new databases are not the right way to win it back.
Timothy Pitt-Payne is a barrister at 11KBW and visiting professor of information law at Northumbria University.