CHAPTER 14: EXPLANATIONS

destroying the benevolent culture of voluntarily confessing to error that successive
IOCCs have remarked upon with approval.
14.10. Recommendation 12 (definitions of content and communications data) is of
central significance for the construction of any new law.
14.11. As to the distinction between content and communications data:
(a) The borderline is neither as clear nor as simple as when it could be explained
in terms of the content of the letter versus the writing on the envelope.

Communications data currently comprises some types of data (location
data, and even some subscriber data) that can be quite revealing of
personal habits and characteristics.[5]

As is less often remarked, content (an undefined, residual category which
includes anything not classified as communications data) comprises some
material which is not particularly intrusive (e.g. a cookie, the date of a
letter or the title of a file attached to an email: 10.28 above).

There may be difficult cases at the margins, particularly in the esoteric
technical sphere in which GCHQ operates.

(b) I do not recommend removing the distinction, despite the submissions referred
to at 12.27-12.28 above. A difference in terms of intrusiveness between “what
is said or written” on the one hand and “the who, when, where and how of a
communication” on the other[6] is generally recognised, including in the practice
of other States and in the case law of international courts.[7]

(c) But there is a case for (a) defining content in the new law[8] and (b) reviewing the
borderline between content and communications data (in the new law or its
Codes of Practice) so as to ensure that it reflects the reality of modern
technology. CSPs pointed to web logs, cloud services and social media as
areas of ambiguity: 11.36 above. Thought has undoubtedly been given to these
matters within the security and intelligence agencies, but no proposal was
ready to be put before me. Accordingly I recommend a review which should be
as open and inclusive as possible.

[5] The ISC coined the concept of “Communications Data Plus”: Privacy and Security Report, March
2015, Recommendation W.

[6] These helpful shorthand terms are used in the Acquisition and Disclosure of Communications Data
Code of Practice, 2.12; cf. the 2013 Annual Report of the Interception of Communications
Commissioner, April 2014, 4.2.

[7] See, e.g., Joined Cases C-293/12 and C-594/12 Digital Rights Ireland, CJEU 8 April 2014, para 39:
knowledge of content affects the essence of privacy rights in a way that knowledge of other data does
not.

[8] As recommended in IOCCO’s submission to the Review, December 2014, 3.2.6-3.2.7.
