Commercial and Chancery Bar: Big brother, big bother?
On 15 July this year, the Information Commissioner, Richard Thomas, published his annual report. At the launch of the report he commented on the Government's proposed Communications Data Bill. Referring to media suggestions that the Bill would make provision for a massive government database holding details of everyone's telephone and internet communications, he stated that any such proposal would be "a step too far for the British way of life".
September 03, 2008 at 10:31 PM
7 minute read
Is the proposed Communications Data Bill a step too far for the British way of life? Timothy Pitt-Payne reports
On 15 July this year, the Information Commissioner, Richard Thomas, published his annual report. At the launch of the report he commented on the Government's proposed Communications Data Bill. Referring to media suggestions that the Bill would make provision for a massive government database holding details of everyone's telephone and internet communications, he stated that any such proposal would be "a step too far for the British way of life".
The way in which personal information is held by the Government is a subject of increasing public debate in the UK. There are concerns about the nature and the volume of information that is acquired and retained – this is one of the reasons why the Government's identity card proposals are so controversial. There are also concerns about security. Public confidence was severely damaged in November 2007, when CDs containing child benefit information about some 25 million individuals were lost by HM Revenue & Customs (HMRC). Since then there has been a series of further security breaches; most recently on 19 August, when a private contractor informed the Home Office that it had lost a computer memory stick containing personal details of tens of thousands of criminals.
The legal background to the Communications Data Bill is complex, but needs to be set out in a little detail in order to make sense of the Commissioner's concerns. The story begins with a European Union (EU) Directive of 2006 imposing requirements for the retention of "communications data" by telecoms providers and internet service providers (ISPs) across member states. Communications data in this context essentially means information about who is communicating with whom, when and where they are communicating, and what means of communication they are using. It does not include information about the actual content of the communication.
So in relation to telephone usage, communications data would include the timing and destination of phone calls, but not what was said. In relation to internet usage, communications data would not include details of the actual websites visited from a particular computer, though it would include information about when and for how long that computer had been used to access the internet. Even with these limitations, the information covered by the directive can potentially tell you a great deal about ordinary individuals. This kind of information could be used, for example, in order to try and ascertain the whereabouts of a particular individual at a specific time.
Implementation of the Directive in the UK has proceeded in two stages. The first stage was the Data Retention Regulations 2007, which implemented the directive in relation to landlines and mobile phones (but not ISPs). The regulations require telecoms providers to retain communications information for a minimum of 12 months. The regulations do not themselves confer any right for Government to obtain access to the retained information. Instead, access is governed by the Regulation of Investigatory Powers Act 2000 (RIPA 2000) and related regulations, under which various public bodies can access the retained information on request. The potential bases for access are wide-ranging, and are not confined to national security or the prevention of crime. For example, there is a right of access in the interests of the UK's economic well-being, and another for the protection of public health. A court order is not required, though an order can be sought if access is refused by the telecoms provider.
The Government's draft legislative programme for 2008-09 was published in May. This contained the first reference to a Communications Data Bill, intended to complete the implementation of the Directive. The draft programme
is uninformative about the detailed content of the proposed Bill, though it is envisaged that the Bill will extend to ISPs – since these were not covered by the 2007 regulations.
Media concern about the implications of the Bill began with a story in The Times on 20 May, suggesting that the Bill will adopt a radically different approach from the 2007 Regulations. According to the story, what is being contemplated is the creation of a central database under government control, containing all the retained records. Instead of merely retaining communications data and providing it on request, providers would automatically pass all of their communications data to the database.
Any proposal of this nature would prompt a number of important questions. One is whether the database would be confined to ISP records, or whether it would also cover telecoms records (the story suggested that both would be covered). A second question is what kind of information would be held. Would the database be confined to communications data, as defined in the Directive? Or would it include information about the actual content of telephone calls, emails and internet usage? And the third and most important question is who would be entitled to use the database, and in what way?
On any view a proposal of this nature would also raise some serious concerns, fully justifying the Information Commissioner's comments. There is the obvious risk of further security breaches. The possibilities range from accidental large-scale disclosure (as in the HMRC case) to isolated instances of unauthorised access by individual employees. Imagine, for instance, an individual with access to the database who wants to know if his new partner still speaks to her ex-boyfriend on the phone. A second and even more serious risk is that, once the database has been created, more and more ways of using it will be found. Under RIPA 2000, both the range of authorities entitled to access communications data and the purposes for which they are permitted to have access can be amended without the need for primary legislation. If the Bill adopts a similar approach, then there would be the risk of incremental extensions, with limited parliamentary scrutiny. Interest in the database's contents would not necessarily be confined to the UK. For instance, how would the UK Government respond if the US authorities asked for access to any information held on the new database about passengers intending to travel to the US?
The Information Commissioner has repeatedly warned about the danger of developing a 'surveillance society'. The danger comes from a combination of legal and technological developments: legal developments that facilitate the collection of personal information on a wide scale, and technological developments that allow that information to be exploited in ever more sophisticated ways. In real life, the quintessentially British double-decker bus that played a starring role in the Olympic closing ceremony would undoubtedly have been monitored by CCTV cameras. Facial recognition software now allows CCTV images to be linked to databases of information about identifiable individuals. The more information about us is held on centralised databases, the greater the potential risk posed by this kind of linkage. For a description of what a surveillance society of the future might look like in practice, Cory Doctorow's recent dystopian novel, Little Brother, is highly recommended.
Meanwhile, we wait to see the detail of the Communications Data Bill. It is hoped that the fears expressed by The Times and the Information Commissioner will not be borne out when the Bill is published. Public trust in the way in which personal information is held by Government is at a very low ebb. Proposals for massive new databases are not the right way to win it back.
Timothy Pitt-Payne is a barrister at 11KBW and visiting professor of information law at Northumbria University.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Almost Impossible'?: Squire Challenge to Sanctions Spotlights Difficulty of Getting Off Administration's List
4 minute read'Never Been More Dynamic': US Law Firm Leaders Reflect on 2024 and Expectations Next Year
7 minute readTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250