TL;DR

This newsletter is about the retention notices that can be served on telecommunications operators by the UK government under the Investigatory Powers Act 2016. It looks at what these notices are, when they can be served, what data can be retained under these notices and other relevant requirements around this power.

Here are the key takeaways:

• Under the Investigatory Powers Act 2016, the UK government can require telecommunications operators to retain relevant communications data by providing operators with a retention notice. The Home Office, liaising with various public authorities, including the security and intelligence agencies, is responsible for issuing and serving retention notices.

• These notices can be served on a wide range of entities, including email providers, messaging application providers and cloud service providers. Even businesses for which telecommunication services form only part of their operations can be served with a retention notice.

• The type of information that must be retained under a retention notice is communications data. This is essentially the metadata of communications, rather than their content, and also includes internet connection records.

• Retention notices can be served on various different grounds under the Investigatory Powers Act 2016. This includes national security and crime purposes.

• The main purpose of retention notices is to require telecommunications operators to retain data which may then be accessed via an authorisation for the acquisition of communications data under the 2016 Act. By requiring telecommunications operators to retain communications data over a certain period of time, public authorities can avert the problem of attempting to acquire data for an investigation of an event which took place before the acquisition and therefore such data not actually being in existence.

What are retention notices?

Under the Investigatory Powers Act 2016 (IPA 2016), the UK government can require telecommunications operators to retain relevant communications data by providing operators with a retention notice.1 These notices may require an operator to retain data for up to 12 months.2 The Home Office, liaising with various public authorities, including the security and intelligence agencies (SIAs), is responsible for issuing and serving retention notices.3

Who can be served with a retention notice?

The definition of 'telecommunications operator' under the IPA 2016 consists of three building blocks:

• A 'telecommunication system', which is a system for the purposes of facilitating the transmission of communications by means involving the use of electrical or electromagnetic energy.4

• A 'telecommunication service', which is any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system.5

• A 'telecommunications operator', which is a person who offers or provides a telecommunications service or controls or provides a telecommunication system whether that system is in the UK or controlled from the UK (either wholly or party).6

In aggregate, the definitions cover a wide range of entities, and it is not just limited to public networks or carriers. Private networks and online storage providers may also fall within the scope of entities who could be subject to a retention notice. So overall, "numerous businesses will be considered telecommunications operators in respect of some of their operations, even where the majority of their work is unrelated to telecommunications services or telecommunications systems."7 This means that the following could be subject to retention notices under the IPA 2016:

• Email providers

• Messaging application providers

• Cloud service providers

• Commercial entities providing communication services that are ancillary to the provision of another service, such as hotels, airport lounges and public transport operators

What data can be retained under a retention notice?

Communications data

Retention notices can be used to obtain 'relevant communications data' from telecommunications operators.

"Communications data" effectively means the metadata of a communication. This includes information about things like the recipient, sender and timing of the communication. The IPA 2016 itself defines the specific pieces of metadata within the scope of communications data, namely entity data and events data:

• 'Entity data' means data about an entity8 which could be a person or a thing.9

• 'Events data' means any data identifying or describing an event on, in or by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time.10

Together, communications data means any data "generated, held or obtained in the provision, delivery and maintenance of communication services."11 This could include:12

• Those involved in the communication (i.e., the sender and recipient)

• When the communication was made

• The duration of the communication

• The type and method of communication

• The telecommunication system used for the communication

• The location of the telecommunication system

Internet connection records

Retention notices can also instruct telecommunications operators to retain what the IPA 2016 calls 'internet connection records' (ICR).13

An internet connection record is a type of communications data that satisfies the following two conditions:14

• It can be used to identify a communication that has been transmitted to a telecommunications service via a telecommunication system to obtain access to or run a computer file or program

• It comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)

ICRs therefore consist of information that identifies an internet service that a person has been using.15 This could include a wide range of data, such as IP addresses or a customer account reference like an account number.16

The websites a person has visited can also constitute an ICR. However, the definition of an ICR excludes certain elements of a person's web browsing history. For example, if a person visits 'https://www.thecybersolicitor.com/s/state-surveillance', the only part of this URL that would constitute 'communications data' for the purposes of the IPA 2016 includes the host name ('www.thecybersolicitor.com). The remainder of the URL, namely the resource ('/s/state-surveillance') would be classed as the content of a communication under the Act and therefore not fall within the definition of an ICR.17

What must be included in a retention notice?

A retention notice under the IPA 2016 may:18

• Relate to a particular operator or any description of operators

• Require the retention of all data or any description of data

• Identify the period or periods for which data is to be retained

• Contain other requirements, or restrictions, in relation to the retention of data

• Make different provision for different purposes

• Relate to data whether or not in existence at the time of the giving, or coming into force, of the notice

Accordingly, a retention notice must specify the following:19

• The operator (or description of operators) to whom it relates

• The data which is to be retained

• The period or periods for which the data is to be retained (which is a maximum of 12 months)

• Any other requirements, or restrictions, in relation to the retention of the data

• The level of contribution in respect of costs incurred as a result of the notice

The Secretary of State can vary a retention notice served on a telecommunications operator.20 A variation is only subject to the double lock mechanism if it includes the retention of additional communications data.21 Other variations do not require the review of a Judicial Commissioner,22 but the Secretary of State must nevertheless ensure that the changes are necessary and proportionate to the aim being pursued (i.e., the grounds on which a retention notice can be served). A retention notice may be varied for a number of reasons:23

• An operator launches a new service or generates a new category of communications data that may be of interest to the relevant public authority

• Law enforcement demands or priorities change

• There is a recommendation following a review of a notice (see how retention notices can be challenged further below)

• To amend or enhance security requirements

The Secretary of State, prior to varying a notice, must consult the operator “to understand the impact of the change and must take into account the same factors as when deciding to give a notice, including cost and technical implications”.24 It is possible for the retention period to be extended in a variation, but the data cannot be retained for more than 12 months.25

Retention notices can also be renewed within 30 days of its expiry26 if the following conditions are met:27

• The notice remains necessary and proportionate to the aim being pursued (i.e., the grounds on which a retention notice can be served)

• The decision to renew has been approved by a Judicial Commissioner

On what grounds can a retention notice be served?

Subject to the double lock, a retention notice may be served on a telecommunications operator if the retention of communications data is necessary on any of the following grounds:28

• In the interests of national security

• For the applicable crime purposes. Where the notice relates to events data, it may be retained for the purpose of preventing or detecting serious crime,29 defined as a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose.30 Where the notice relates to entity data, it may be retained for the purpose of preventing or detecting crime or of preventing disorder.31

• In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security

• In the interests of public safety

• For the purpose of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health

• To assist investigations into alleged miscarriages of justice

What are the other requirements and restrictions of retention notices?

A retention notice may address issues relating to the generation and processing of the retained data. For example, there may be a requirement to retain data in such a way that it can be transmitted efficiently and effectively in response to requests for such data.32 There may also be a requirement to “filter data to remove records that are not of interest, including duplicate events or where aggregated records or summaries have been created”.33 In essence, telecommunication operators will need to aggregate, summarise and filter data appropriately to “ensure the volume of data retained is limited to that which is truly necessary”.34

If served with a retention notice, telecommunications operators will need to retain communications data that it already holds35 as well as communications data that may be generated in the future on its system.36 In addition, there may be some types of communications data that remain active for days or possibly months, in which case “the retention period commences on the day on which the communication ends”.37 Overall though, “the retention period will start from the moment the data comes into existence”.38

Operators will often retain data independently of a retention notice under the IPA 2016 for various purposes. However, such data can still be subject to the retention period under a retention notice in case the business needs for the data changes and the operator decides to delete such data.39 In other words, if an operator retains communications data for business purposes, and then is subsequently served with a retention notice under the IPA 2016, that data must be retained in accordance with the notice regardless of what might be required under the operator’s data retention schedule or data governance policy.

In terms of the storage of the retained data, the IPA 2016 specifies that telecommunication operators must:40

• Secure that the retained data is of the same integrity, and subject to at least the same security and protection as other data held on the same system

• Secure, by appropriate technical and organisational measures, that the data can be accessed only by specially authorised personnel

• Protect, by appropriate technical and organisational measures, the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful retention, processing, access or disclosure

In addition, operators must ensure that data are destroyed where the retention period no longer applies and there are no other legal obligations requiring the retention of the data.41 This can take place on a monthly basis or on shorter intervals if more practicable for the operator.42

To make compliance with the retention of communications data easier, operators ought to store the data in a dedicated system separate from the business system and protected by appropriate security measures, such as a firewall.43 Where data is retained for both business purposes and for the purpose of a retention notice, it is permissible to have duplicates of such data to maintain efficient and effective access.44 However, if this is not practical for the operator, then retained data can be stored in a business or shared system so long as the required security measures are applied.45 In addition, “any processes or systems that are involved in the transferring or copying of data retained under a retention notice into another system [must be] subject to these security controls”.46

If a telecommunications operator retains data under a notice that it would not retain on its own initiative, that operator cannot then use that retained data for other purposes without the permission of the Home Office.47 Permission may be given for uses considered to be in the public interest, such as to identify suspected criminal activity on a network.48 However, the Home Office would not give permission for purposes such as marketing.49 Any permission from the Home Office could relate to individual requests or categories of request.50

Telecommunications operators subject to a retention notice must keep the existence and indeed the content of such a notice confidential,51 unless permission is given by the Secretary of State for the disclosure of such information.52 This duty of confidentiality, and any other requirement or restriction under a retention notice, is enforceable by the Secretary of State by civil proceedings.53

Does the telecommunications operator need to be consulted before being served?

As well as being subject to the double lock, the Secretary of State must also consider the following factors before issuing a retention notice:54

• The likely benefits of serving the notice

• The telecommunications services to which the notice relates

• The appropriateness of limiting the data to be retained by reference to location or descriptions of persons to whom telecommunications services are provided

• The likely number of users (if known) to which the notice relates

• The technical feasibility of complying with the notice

• The likely cost of complying with the notice

• Any other effect of the notice on the telecommunications operator (or description of operators) to whom it relates

In addition, other factors not specified in the IPA 2016 may also be taken into account:

• The size of the telecommunications operator (the larger the size the more likely a retention notice will be served)

• The speed of growth of a telecommunications operator (those growing quickly may receive a notice in anticipation of future operational requirements)

• The number of authorisations or notices that a telecommunications operator receives annually for communications data (this, and the operator’s ability to meet the volume of authorisations and notices received, will be key in determining whether there is a benefit in giving a notice to an operator)

• Whether the telecommunications operator operates a niche service (operators that are the sole or key provider of a service are more likely to receive a notice regardless of their size)

• Whether the telecommunications operator operates in a specific geographical area (an operator providing a key service in a limited geographical area is more likely to be served with a notice)

Finally, the Secretary of State must also have regard to the following:55

• Whether what is sought to be achieved by the notice could reasonably be achieved by other less intrusive means

• The public interest in the integrity and security of telecommunication systems

• Any other aspects of the public interest in the protection of privacy

Ultimately, the Secretary of State, as required under the double lock, will have to consider the necessity and proportionality of the retention notice before it is served on a telecommunications operator. Moreover, reasonable steps must be taken to consult with any operator on which a notice may be served.56 This involves an informal consultation “long before a notice is given in order that the operator(s) understands the requirements that may be imposed and can consider the impact”.57 The consultation also ensures that the notice “accurately reflects the services and data types processed by that telecommunications operator”.58

Can retention notices be challenged?

A telecommunications operator can refer back a retention notice to the Secretary of State for review.59 This right expires after 28 days starting on the day that the notice was given,60 and it may be exercised where the obligations required under a notice are unreasonable.61 Such a review can also be triggered for variations of a notice made by the Secretary of State.62

A request for review absolves the operator of the duty to comply with the notice until it has been reviewed in accordance with the IPA 2016.63 However, if the notice covers a number of services, and the referral only pertains to one of those services, the operator must comply with the notice in relation to those other services not subject to the referral.64

The process of review involves the Technical Advisory Board,65 which is a group comprising of persons from public authorities who may issue warrants or notices under the IPA 2016, persons who may be the subject of those warrants or notices,66 and a Judicial Commissioner.67 The Board must consider the technical requirements and financial consequences of the notice for the operator.68 The Commissioner must consider whether the notice is proportionate.69 Opportunities must be given for both the operator and the Secretary of State to give evidence and representations before the Board reaches their conclusions,70 of which must then be reported to the Secretary of State and the operator.71 At that point, the Secretary of State must consider the report and from this either vary or revoke the notice, or even draft a new notice.72 No matter which option is chosen, the approval of the Investigatory Powers Commissioner is required.73

What is the operational case for retention notices?

The main purpose of retention notices is to require telecommunications operators to retain data which may then be accessed via an authorisation for the acquisition of communications data under the IPA 2016.74

By requiring telecommunications operators to retain communications data over a certain period of time, public authorities can avert the problem of attempting to acquire data for an investigation of an event which took place before the acquisition and therefore such data not actually being in existence. Instead, with the retention provisions under the IPA 2016, if “a person detonates a bomb at some point in time, his or her communications data for some specified period leading up to the act are available for acquisition by the relevant authorities, and details of who he or she was in contact with, and when, can be retrieved”.75 The exact use of that communications data, and the value that it brings for public authorities in their work, can be explored further in the context of the acquisition of communications data.