“.. such directions of a general character as appear to the Secretary of State
to be necessary in the interests of national security or relations with the
government of a country or territory outside the United Kingdom”.
The generality of that provision is further underlined by the fact that there is (and
is proposed to be) no statutory definition of national security.
2.31.
Part 6 Chapter 2 of the Bill provides a more precise statutory basis for the
capability. It gives the Secretary of State, on the application of the Head of an
Agency and after approval by a Judicial Commissioner, the power to issue a bulk
acquisition warrant. Such a warrant cannot apply to the content of
communications, but may require a telecommunications operator to retain
communications data and to disclose it to a person specified in the warrant.
2.32.
In contrast to bulk interception and bulk EI (but like BPDs), there is no
requirement for bulk acquisition to be foreign-focused. The “who, when and
where” of domestic communications such as phone calls and emails (though not
their content) may therefore legitimately be the intended focus for collection
under the power.
2.33.
Another important and distinctive feature of the current capability is that data
obtained pursuant to it can be aggregated in one place. That distinguishes it
from the data retention powers that have been provided for successively by
Regulations under the Data Retention Directive,80 by the DRIPA power,81 and
now by Part 4 of the Bill. The existence of an aggregated database (as opposed
to the federated databases kept by each CSP subject to standard data retention
obligations) is said to be a key element in the added value of the bulk acquisition
power.
2.34.
I was told that the aggregated database which is enabled through the bulk
acquisition power is likely to retain advantages even after such time as the
filtering arrangements provided for in the Bill for interrogating multiple databases
(clauses 63-65) may have been designed and developed.82 This will plainly have
to be kept under review, since it is at least notionally possible that a search filter
applicable to numerous databases could achieve similar results in a less
intrusive manner.
80 Directive 2006/24/EC, which required service providers to retain data generated for billing
purposes concerning the use of telephone, internet and email services for between six and 24
months, was declared invalid by the CJEU in Joined Cases C-293/12 and C-594/12 Digital
Rights Ireland ECLI:EU:C:2014:238. The UK implementing Regulations were replaced by the
DRIPA power later in 2014.
81 See AQOT 6.60-6.70 and 2.5(a) above.
82 See 6.26-6.28 below.