The effect of anti-terrorism laws on ISPs
This article first appeared in the Spring 2003 issue of the
OUT-LAW magazine. There is a chance that the law has changed, or
the facts of this article may have been superseded.
If you think you're making a private call, or sending a discreet
message, think again. Under an anti-terrorism law passed in late
2001 in the wake of September 11, details of every web site visited
and the transmission of every email sent and every phone call made
in the UK can be retained and made available to authorities.
Compulsory retention is viewed as a last resort by the government
but it will almost certainly happen. It may give individuals
privacy concerns but for telcos and internet service providers
faced with the consequent storage and retrieval requirements, it is
cause for financial concern. The Anti-terrorism, Crime and Security
Act (the 'ATCSA') was a hurried piece of
legislation which extends some powers introduced in the Regulation
of Investigatory Powers Act of 2000 – better known as 'RIPA'. The
combination gives the communications industry the challenge of
tiptoeing a difficult path between privacy and security.
Do ISPs have to retain data?
Not yet, except for certain business purposes, such as billing.
The legislation does not oblige the communications providers to
retain data. However, the legislation is worded such that if the
industry doesn't accept a voluntary code of practice, the
Government can make the retention requirement mandatory.
What data would they have to retain?
The law considers only "communications data" – meaning data
which is not part of actual communications themselves, such as
billing data, subscriber data, details of numbers dialled, web
sites visited or email addresses used, but not the actual content
of voice calls or email messages.
For how long must data be kept?
The duration of data retention is still undecided and the ATCSA
does not mention a period. The Home Office's Regulatory Impact
Assessment, published when the ATCSA was going through Parliament,
indicated a period of 12 months.
However, other countries are proposing their own data retention
provisions. Consistency, at least across the EU, is very important
for service providers.
What about access?
Rules on interception of communications are set out in RIPA, but
it doesn't yet control access to the data. The Anti-terrorism, Crime
and Security Act ensures that data is retained only for purposes of
national security, but once the data has been retained, a variety
of parties will have access to it under a range of laws.
ISPs and telcos fear an increase in requests for data.
Communications industry problems
ISPs and telcos must comply with a provision of the
Data Protection Act which forbids them holding personal data for
longer than is necessary for purposes such as billing.
Compliance with the Act can be achieved if the continued
retention is done to satisfy another legal obligation; but by
definition, a voluntary scheme falls short of a legal obligation.
The Telecommunications (Data Protection and Privacy) Regulations of
1999 present another quandary. They permit data retention for the
purposes of billing, network security or dispute resolution;
otherwise it must be erased or made anonymous
immediately after the telecommunications service has been provided.
Without further laws, an ISP that retains data as the ATCSA
proposes will run the risk of a lawsuit. The
provisions of the Human Rights Act relating to the right to respect
for private and family life, home and correspondence also pose a
problem.
Financial problems for the industry
In December 2002, AOL told a parliamentary group that under the
ATCSA, it expects to have to spend about $14 million
annually to store email and IP traffic, in addition to a one-off
$40 million for set-up. These figures do not include the cost of
the indexing that is necessary to retrieve the data. Compare this
to the Government's own estimate: £20 million a year for the entire
ISP industry. The chasm between estimates can partly be blamed on
the ambiguity over what is required of ISPs. Legislation provides
that the Secretary of State
may contribute to some compliance costs but there is no word of
help with the cost of accessing the data.
ISPs and telcos are caught between the interests of the individual and of
the state – while still making a profit. Insiders suggest that the
Home Office will consult again in early 2003, with a view to
introducing a revised voluntary code of practice on what types of
data to store and make accessible and how long the data should be
retained. If that Code fails – and the word is that even the Home
Office expects it to fail – a mandatory Code is sure to follow.
However, the biggest industry concern is over who will pay the
bills, and there are still no indications that the Home Office will
volunteer.
For more information contact: louise.townsend@pinsentmasons.com