The contentious Data Retention (EC Directive) Regulations 2009 came into force on 6 April, in the face of opposition from privacy campaigners and serious questions from lawyers. Billed as a vital tool in the fight against terrorism and other crime, the regulations stand accused of being yet another snoopers’ charter.

The regulations oblige notified communication service providers (CSPs) to retain communications data for 12 months from the date of communication. The regulations cover fixed, mobile and e-mail telephony, communications over the internet and email data. CSPs must retain electronic and traffic data that might identify the sender and recipient of the communication, the date and time of the call or e-mail, and the geographical location (and direction of travel) of users.

The regulations do not require CSPs to retain the content of communications. But notified CSPs must retain data that shows when you made (or received) a call or email, the number you were calling or address you were emailing, the length of the call and where you were when you made the call. Data to be retained includes voicemail, call forwarding and transfer, and unsuccessful call attempts.

The regulations complete the transposition into UK law of the EC Data Retention Directive 2006/24/EC, and supersede the narrower Data Retention (EC Directive) Regulations 2007. The regulations also make mandatory a voluntary code arising from the Anti-Terrorism Crime and Security Act 2003.

The Home Office’s Explanatory Memorandum emphasises the importance of the regulations in tackling serious crime: identifying suspects, tracing their contacts and relationships, placing them in a specific location at a specific time, and confirming or disproving alibis. Terrorism is an obvious target, and the Home Office also explains the regulations in the context of murder investigations, sexual assault, and protecting children from sexual offenders online.

So far, so justifiable. But the circumstances in which data may be retained and accessed are not restricted to such serious cases. The regulations simply provide that retained data may be accessed ‘only in specific cases and in circumstances in which disclosure of the data is permitted or required by law’ (section 7).

One area of concern is the capacity of the regulations to aid creeping snooperism, as seen under the Regulation of Investigatory Powers Act 2000 (RIPA). When RIPA was introduced it too was billed as an aid to investigate serious crime. But since its introduction, RIPA-governed surveillance has also covered less serious activity such as alleged benefit cheating, and has even been used by local authorities to monitor dog fouling and putting out bins (as last week’s Legal Update recalled).

Nor is there any restriction in the regulations on third parties who are seeking to access the data in civil proceedings. The time, location and recipient of a telephone call could easily be relevant in a civil case, in which case a claimant might seek an order against the CSP to disclose the relevant data under Civil Procedure Rule 31.17 or on Norwich Pharmacal principles (Norwich Pharmacal v CCE [1974] AC 133). Practitioners making or defending claims against errant spouses, absconding employees or wayward business partners should take note.

Only those CSPs that have been notified by the secretary of state are required to retain data under the regulations. It is unclear what this will mean in practice. The government intends to convene a group to advise on the implementation of the proposals but, in a move that could almost have been designed to excite conspiracy theorists, has stated that guidance from the group will not be published. The best one can say is that it seems likely that notifications will be issued, at least to the larger CSPs. Meanwhile, the government is considering whether to extend the rules to communications sent via social networking sites, such as Facebook and Twitter.

Some EC governments are less enthusiastic than the UK about monitoring their citizens, and challenges to the underlying EC Directive have been filed in Ireland and Germany (the latter being the largest constitutional case in German history). One school of thought, though, is that the regulations may not make a huge difference to the current state of play. Many CSPs routinely retain communications data, albeit to varying degrees and for varying periods, and the regulations arguably do no more than provide a framework for that retention. Still, the potential for abuse of retained data means that the legal community should keep the regulations under careful watch.

Richard Taylor, DLA Piper, Yorkshire