Here is what we're working on and thinking at Hedgehog Security.

The Data Retention and Investigatory Powers Bill has passed its final reading in the House of Commons

Background to the Data Retention and Investigatory Powers Bill

The UK government is rushing through new legislation in response to the European Court of Justice (ECJ) overturning the EU Data Retention Directive in April. The EU Data Retention Directive was overturned because it was deemed inconsistent with the European Convention on Human Rights, owing to a lack of safeguards on how data is accessed and for what purpose. In overturning this directive, certain powers have been removed from the UK government. The existing 2009 Data Retention Regulations, which were based on definitions set out in the EU Communications Framework Directive and were implemented in UK law in the 2003 Communications Act, presently remain in force, although they could be reviewed at any point, as there is no longer a data-retention directive in place. The new Data Retention and Investigatory Powers Bill will become law in the next few weeks after passing through the House of Commons with relative ease.

What is the Data Retention and Investigatory Powers Bill?

The bill is currently just a draft bill. The bill as it stands presently contains a number of problems that may be ironed out. However, some of the changes from the 2009 Data Retention Regulations potentially give the UK government more powers for monitoring data. These powers include:

Warrants served to non-UK companies: Section 4 of the new bill proposes amendments to RIPA that would mean that the UK government would be able to serve warrants to non-UK companies providing telecommunication services to the UK.

Warrants served to forum owners, online storage and webmail providers: Clauses in section 5 and an accompanying note amend how "telecommunication service" is defined in RIPA: "For the purposes of the definition of 'telecommunications service' in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system." This means that the UK government would be able to serve a warrant on someone who owned an online forum or message board, in order to gain access to the contact details of users of the board. The way the explanatory note is worded means that webmail providers, and in fact any type of online storage service (Dropbox, for example), would be included in this too.

Data retention periods: The 2009 Data Retention Regulations mandated that data be retained for 12 months, whereas the new bill says that there is a maximum period of 12 months, meaning that data can be retained for shorter periods. Sections 3 and 4 say that the Secretary of State will be allowed to make "further provision about the retention of relevant communications data". That means the Secretary of State could potentially issue a notice under Section 1(2) that would enable data to be retained for even longer.

Who is affected?

This bill has a very wide reach, and there are numerous technologies that are likely to be impacted:
  • Webmail and Email providers
  • Virtual Private Network (VPN) providers
  • Applications/Games with Peer to Peer communication
  • File Sharing Sites
  • Social Media Platforms
  • Collaboration Platforms
Anywhere a form of communication occurs online, the bill can be applied to that platform.