Interception and data retention for telecoms in the UK

NOT CURRENT – TO BE UPDATED

Interception

In the UK, the rules relating to interception of communications are contained within the Regulation of Investigatory Powers Act 2000 (“RIPA”), and various subsidiary orders such as the The Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002 (SI 2002/1931).

RIPA sets out the circumstances in which certain service providers are required to intercept communications. RIPA was put in place to balance the rights of the state and individuals, and pre-dates the European harmonised electronic communications (or telecoms) regulatory framework. It uses different definitions to that framework and is wider in scope so that services which are not regulated as electronic communications services may nevertheless fall within the scope of RIPA for interception purposes.

Under RIPA the Secretary of State has the power to require “public telecommunications service” providers to put in place and maintain certain interception capabilities. The Secretary of State may also serve warrants on “telecommunications service” providers to require interception of communications.

RIPA definitions

RIPA uses broader definitions that the Communications Act 2003:

  • “telecommunication system” – any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy;
  • “telecommunications service” – any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service);
  • “public telecommunications system” – any such parts of a telecommunication system by means of which any public telecommunications service is provided as are located in the United Kingdom; and
  • “public telecommunications service” – any telecommunications service which is offered or provided to, or to a substantial section of the public in any one or more parts of the United Kingdom.

Establishing interception capability

Under RIPA the Secretary of State may impose obligations on particular public telecommunications service providers by the service of individual “notices” describing in much greater detail than the order the precise steps they are required to take to establish interception capability. Such a notice must specify a period which appears to the Secretary of State to be a reasonable. The specified or described steps are those steps appearing to the Secretary of State to be necessary for securing that the service provider has the practical capability of meeting its obligations in relation to relevant interception warrants. Failure to comply with a RIPA maintenance of interception capability notice is breach of a statutory duty enforceable by civil proceedings including mandatory injunction.

Interception warrants

In addition to the ongoing maintenance of interception capability requirement described above, RIPA permits the Secretary of State on defined grounds to serve a “warrant” on a telecommunications service provider to oblige it to secure (amongst other things) the interception of particular communications in the course of their transmission by means of a telecommunication system.

The Secretary of State may not issue an interception warrant unless he believes that that the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct and that the warrant is necessary on one of the following grounds:

  • in the interests of national security;
  • for the purpose of preventing or detecting serious crime;
  • for the purpose of safeguarding the economic well-being of the UK; or
  • for the purpose, in specified circumstances, of giving effect to the provisions of any international mutual assistance agreement.

Effect may be given to an interception warrant either by the company to which it is addressed, or by that company acting through, or together with, such other company as may be required to provide assistance with giving effect to the warrant. Where a copy of an interception warrant has been served on behalf of the company to which it is addressed on a company which provides a public telecommunications service (or a company which does not provide a public telecommunications service but which has control of the whole or any part of a telecommunication system located wholly or partly in the UK), that company must take all such steps for giving effect to the warrant as are notified to it by or on behalf of the company to which the warrant is addressed. A company which is obliged to take such steps cannot be required to take any steps which it is not reasonably practicable for it to take. The steps which it is reasonably practicable for a company to take where obligations have been imposed on that company include every step which it would have been reasonably practicable for it to take had it complied with all the obligations imposed on it. Failure to comply with a RIPA warrant is a criminal offence punishable by imprisonment or fine.

Data retention

Data Retention and Investigatory Powers Act 2014 and the Data Retention Regulations 2014 set out the requirements for notified communications providers to retain call data records and/or other information showing the extent of the network or service actually provided to a customer for a period up to 12 months from when they were created. This requirement only applies if a communications provider receives a notice from the Secretary of State.

Note: These provisions have been challenged and the UK is in the process of proposing new legislation.