CHAPTER 9: LAW ENFORCEMENT
(d) the Digital Rights Ireland judgment, which appears to place limits on the
powers of EU Member States to practise data retention, and even to revive the
debate over whether a data preservation model (as used in Germany, and
under which data are retained only on limited categories of person) should be
used instead.
Legislative solution
9.39. The policy debate is thus a particularly difficult and delicate one. Existing powers are
perceived as being under technological and legal threat, just as the law enforcement
case for adding to them (running, they would say, to stay still) is growing in force. But
it is fair to say that whilst both police and NCA see the need for change, neither has
expressed to me a clear view on the form that any new powers should take. They say
that it is their role to outline operational requirements against which Parliament should
consider what powers are needed.
9.40. Limited consultation leading up to the Communications Data Bill 2012, and a further
two years since early 2013 in which political disagreements made it impossible to take
things farther, leave an uncertain position which I attempt to describe but which can
only be resolved by further intensive consultations between Government, law
enforcement and service providers.
9.41. The debate concerning communications data capabilities may be organised under
five overlapping heads: data retention, IP resolution, web logs/destination IP
addresses, third party data and the search filter. I summarise the position of law
enforcement on each of these, before addressing some further capability matters that
the NCA raised with me during the course of the Review.
9.42. Both police and the NCA were keen to emphasise that they want to work with industry
to identify solutions that would meet their investigatory requirements in a way that
could inform legislation. Those requirements are very likely to include data retention
and IP resolution, but in other respects may or may not fall under the same headings
as the 2012 Bill. As the MPS put it to me:
“a less ‘technology-centric’ approach may assist in ensuring flexibility and
agility in meeting our future capability requirements.”21
Data retention
9.43. Successive UK Governments have supported the compulsory retention of
communications data by service providers.22 The principle that communications data
generated by service providers should be required to be retained by UK service
providers for a certain period, as provided for in DRIPA 2014 s1, (and previously by
the EU Data Retention Directive of 2006), passed through Parliament with few

21 Evidence to the Review, April 2015.
22 The UK was one of four Member States that put forward the original proposal for the mandatory
retention of data in 2004, and used its Presidency of the EU to prioritise the draft EU Data Retention
Directive in the months after the London bombings of July 2005: JCDCDB Report, para 4.