CHAPTER 14: EXPLANATIONS
12 months, as is currently the case under DRIPA 2014 s1 and CTSA 2015 s21
(and was previously the case under the EU Data Retention Directive).
(b)
(c)
Communications Data Bill: whether (as originally proposed in a Bill of 2012,
dubbed by its opponents “the snoopers’ charter”) additional obligations should
be placed upon CSPs, in particular as regards the retention of:
records of subscribers’ internet interactions (loosely known as web logs:
see the Home Office definition of this term at 9.53 above); and
the entire content of third-party communications that passed over the
network of a UK CSP.
Bulk collection: whether GCHQ should be entitled to recover content and
related communications data in bulk from cables carrying overseas traffic, as is
currently permitted under RIPA s8(4), and to use it in specified ways for the
purposes of protecting national security.
In framing my recommendations on capabilities, I seek to give effect to my first
principle (minimise no go areas) as well as by the second (limited powers) and
third (rights compliance).
Compulsory data retention
14.14. Recommendation 14 states that the data retention power now contained in DRIPA
2014 s1, as supplemented by the additional category of information whose retention
is required by CTSA 2015 s21 (6.60-6.63 and 7.38 above) should remain in force after
December 2016.
14.15. A comparative survey of compulsory data retention laws in Europe and the Five Eyes
countries is at 8.55-8.59 above. Laws in Canada and Australia dating from 2014 and
2015 have made provision for compulsory data retention.
14.16. The utility of communications data to law enforcement across the board is explained
at 7.43-7.51 and accompanying annexes. The experience of the police, NCA, CPS,
Europol and European Commission in relation to the particular utility of retained data
in criminal and missing persons investigations is at 7.49-7.51 and 9.43-9.47 above.
The points made at 9.45 are of particular significance: older data may be the only way
to catch the ringleader in a conspiracy, or to investigate a crime when months have
elapsed between the incident and the identification of a suspect.
14.17. In order to test the utility of retained communications data, I decided to visit a country
where data retention is not required, and to take evidence from law enforcement and
from others. The obvious choice was Germany, where EU data protection rules apply
as they do in the UK, but where the rules implementing the EU Data Retention
Directive were struck down in March 2010 by the Federal Constitutional Court.
14.18. On a visit to Berlin in December 2014, I was able to question the Interior Ministry and
internal security service (BfV) on the issue of data retention, together with the Federal
Chancellery, the Justice Ministry, the Federal Data Protection Authority, Bitkom (an
organisation representing CSPs) and academics who have reported on data retention.
261