2012 - Joint Committee on Human Rights evidence on draft Communications Data Bill
- This is the response of the JNT Association, trading as Janet, to the Joint Committee on Human Rights’ call for evidence on the draft Communications Data Bill. Janet is the non-profit company that operates the UK’s national research and education network, connecting universities, colleges, schools and research organisations to each other and to the global Internet. That national network and most of its customers’ networks are currently classed as Private Electronic Communications Services or Networks under the Communications Act 2003. We are concerned that the draft Bill would greatly increase the number of individuals and organisations that could be compelled to take action under the Bill, and that the Bill contains no check that such compulsion is proportionate to the rights of those individuals and organisations and those others who may be affected by their actions.
- Clause 1 of the draft Bill would allow the Home Secretary to make orders requiring specified behaviour by any “telecommunications operator”. Under Regulation 3 of the present Data Retention (EC Directive) Regulations 2009 only “public communications providers” can be required to retain communications data. However the definition of “telecommunications operator” in clause 28 of the draft Bill will include not just public networks but anyone who “provides or controls” a computer or telephone network, in other words virtually every business and other organisation in the UK as well as many homeowners. Rather than a few hundred organisations being subject to the current Regulations, this proposal could affect millions of organisations and individuals. We are not aware of any evidence that such an increase in the scope of legislation is required, and therefore recommend that the clause 1 power be restricted to public communications providers as at present.
- Furthermore, there appears to be no statutory limit to the behaviour that a Clause 1 Order can require, other than that it must “facilitate the availability of communications data” (c.1(1)(b)). As discussed in the following sections, an order could impinge on all the fundamental rights of network operators and users that were identified by the European Court of Justice in SABAM v Netlog (Case 360/10) – the rights to privacy, to freely impart and receive information, and to conduct a business. The draft Bill does not require any consideration of whether the exercise of powers will interfere with these rights, or whether such interference is proportionate.
- Privacy. The purpose of the legislation is stated to be to increase the amount of communications data (all of it likely to be personal data within the meaning of the Data Protection Act 1998) that is processed and retained by public communications providers and other telecommunications providers. Clause 3 requires that stored data be given the same protection as on the system from which it originated; however much of this data would previously have been ephemeral – stored only while the communication was in progress – so storing it for up to 12 months inevitably increases the risk that security will be breached and privacy harmed. Many authorities would regard the mere additional storage of the information, even if it is kept secure, as a breach of privacy in itself.
- Free exchange of information. As business and society become increasingly dependent on networks, there has been a move to design them to be highly resilient to faults. This normally includes ensuring that individual network components are as reliable as possible and identifying and removing single points of failure. For example there are at least two possible paths that a communication can follow between any pair of points on the Janet backbone so a failure on either path will not break the connection. However this inevitably makes it more difficult to collect communications data, since the network no longer has choke points that all communications must pass. The Bill would allow the Secretary of State to order the addition of new information collection apparatus, whose reliability is unknown, and the re-creation of choke points to ensure that apparatus has access to all traffic. Both would clearly “facilitate the availability of communications data” but at a significant cost to the reliability with which networks carry communications between their users.
- Conduct of Business. An Order to retain or collect communications data, or to modify a network to facilitate such collection, will override an organisation’s normal priorities. It will also require it to spend money and staff time to implement the Order. While Clause 26 requires that the organisation will “receive an appropriate contribution in respect of such of their relevant costs as the Secretary of State considers appropriate”, even full recovery of the financial costs cannot remedy the lost opportunity costs that will result from an Order. Satisfying the requirements of an Order and the Bill will require continuing effort from staff with rare skills in technical, security and privacy fields. Organisations that already have such staff will forgo part of their contribution to development and operation of products and services: organisations that do not currently have such staff will need to recruit them if they are to comply with the law.
- Since the power contained in clause 1 of the draft Bill could represent potentially serious infringements of fundamental rights, we believe that there should be a statutory requirement that the power should only be exercised in ways that are proportionate. Furthermore, since the power itself contains a very wide discretion, we do not believe it will be possible to assess proportionality at the level of the Act itself, but that this test must apply separately to each exercise of the power.
We therefore recommend:
- That the scope of Clause 1 Orders be limited to “Public Communications Providers” as in the current Data Retention (EC Directive) Regulations 2009, rather than all “telecommunications operators” (paragraph 2);
- That the potential harm to the fundamental rights to privacy, free exchange of information and conduct of a business be recognised in the Bill, and that there be a statutory duty to ensure that each exercise of the Clause 1 powers is proportionate to the protection of those rights (paragraph 7).