Interception and data retention for telecoms in the UK

Interception

In the UK, the rules relating to interception of communications are contained within the Regulation of Investigatory Powers Act 2000 (“RIPA”), and various subsidiary orders such as the The Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002 (SI 2002/1931).

RIPA sets out the circumstances in which certain service providers are required to intercept communications. RIPA was put in place to balance the rights of the state and individuals, and pre-dates the European harmonised electronic communications (or telecoms) regulatory framework. It uses different definitions to that framework and is wider in scope so that services which are not regulated as electronic communications services may nevertheless fall within the scope of RIPA for interception purposes.

Under RIPA the Secretary of State has the power to require “public telecommunications service” providers to put in place and maintain certain interception capabilities. The Secretary of State may also serve warrants on “telecommunications service” providers to require interception of communications.

RIPA definitions

RIPA uses broader definitions that the Communications Act 2003:

  • “telecommunication system” – any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy;
  • “telecommunications service” – any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service);
  • “public telecommunications system” – any such parts of a telecommunication system by means of which any public telecommunications service is provided as are located in the United Kingdom; and
  • “public telecommunications service” – any telecommunications service which is offered or provided to, or to a substantial section of the public in any one or more parts of the United Kingdom.

Establishing interception capability

Under RIPA the Secretary of State may impose obligations on particular public telecommunications service providers by the service of individual “notices” describing in much greater detail than the order the precise steps they are required to take to establish interception capability. Such a notice must specify a period which appears to the Secretary of State to be a reasonable. The specified or described steps are those steps appearing to the Secretary of State to be necessary for securing that the service provider has the practical capability of meeting its obligations in relation to relevant interception warrants. Failure to comply with a RIPA maintenance of interception capability notice is breach of a statutory duty enforceable by civil proceedings including mandatory injunction.

Interception warrants

In addition to the ongoing maintenance of interception capability requirement described above, RIPA permits the Secretary of State on defined grounds to serve a “warrant” on a telecommunications service provider to oblige it to secure (amongst other things) the interception of particular communications in the course of their transmission by means of a telecommunication system.

The Secretary of State may not issue an interception warrant unless he believes that that the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct and that the warrant is necessary on one of the following grounds:

  • in the interests of national security;
  • for the purpose of preventing or detecting serious crime;
  • for the purpose of safeguarding the economic well-being of the UK; or
  • for the purpose, in specified circumstances, of giving effect to the provisions of any international mutual assistance agreement.

Effect may be given to an interception warrant either by the company to which it is addressed, or by that company acting through, or together with, such other company as may be required to provide assistance with giving effect to the warrant. Where a copy of an interception warrant has been served on behalf of the company to which it is addressed on a company which provides a public telecommunications service (or a company which does not provide a public telecommunications service but which has control of the whole or any part of a telecommunication system located wholly or partly in the UK), that company must take all such steps for giving effect to the warrant as are notified to it by or on behalf of the company to which the warrant is addressed. A company which is obliged to take such steps cannot be required to take any steps which it is not reasonably practicable for it to take. The steps which it is reasonably practicable for a company to take where obligations have been imposed on that company include every step which it would have been reasonably practicable for it to take had it complied with all the obligations imposed on it. Failure to comply with a RIPA warrant is a criminal offence punishable by imprisonment or fine.

Data retention

The Data Retention (EC Directive) Regulations 2009 set out the requirements for notified communications providers to retain call data records and/or other information showing the extent of the network or service actually provided to a customer for a period of 12 months from when they were created.

This requirement only applies if a communications provider receives a notice from the Secretary of State. If a notice has been served, the records which should be retained include:

For fixed telephony

  • the telephone number from which the telephone call was made and the name and address of the subscriber and registered user of that telephone;
  • the telephone number dialed and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred;
  • the date and time of the start and end of the call; and
  • the service used to make the call.

For mobile telephony

  • the telephone number from which the telephone call was made and the name and address of the subscriber and registered user of that telephone;
  • the telephone number dialed and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred;
  • the date and time of the start and end of the call;
  • the service used to make the call;
  • details of the SIM and phone used to make and receive each call;
  • for pre-paid services the date, time and place of activation; and
  • the cell ID and location used for each call.

For email, internet and VoIP services

  • data necessary to trace and identify the source of a communication (e.g. the user ID allocated, the user ID and telephone number allocated to the communication entering the public telephone network, the name and address of the subscriber or registered user of an IP address/user ID/telephone number);
  • data necessary to identify the destination of a communication (e.g. the user ID or telephone number of the intended recipient, or the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication);
  • data necessary to identify the date, time and duration of a communication (e.g. the date and time of the log-in to and log-off from the service, IP address, and user ID);
  • data necessary to identify the type of communication; and
  • data necessary to identify users’ communication equipment (e.g. the calling telephone number for dial-up access, or DSL line).