Government Affairs Blog

December 12, 2016


On November 29th the United Kingdom adopted a surveillance law that raised a novel issue of law enforcement assistance and privacy. How does the new law impact U.S.-based communication service providers?

The UK’s new Investigatory Powers Act

The UK’s existing Data Retention and Investigatory Powers Act of 2014, or “DRIPA,” already requires UK communication service providers to facilitate lawful surveillance and retain data on their subscribers’ past communications. To meet the data retention mandate, a service provider must store records on every subscriber’s past voice communications, emails, and text messages, and disclose them to the government upon lawful request.

The new UK Investigative Powers Act of 2016, known as the “IP Act,” extends DRIPA’s data retention mandate by covering records of Internet web site browsing. Accordingly, UK communication service providers that provide Internet access must now store each user’s “Internet connection records,” or “ICRs.” ICRs include metadata but not content. At any given time, law enforcement officials may collect up to 12 months of a suspect’s past ICRs.  The IP Act takes effect when DRIPA expires at the end of this month.

Many other EU member states have data retention laws, but so far Great Britain is the only one where data retention covers ICRs.

How does the IP Act affect US-based service providers?

The US Congress never adopted a data retention mandate, although the Federal Communications Commission has long required telephone companies to retain 18 months of all phone calling records. If a US communications provider wants to serve the British market, it will need a data retention program to comply with the IP Act. And if the provider offers Internet access, the program must include ICRs.

To develop a data retention program, the service provider must answer many questions. What data elements are covered by the law? In what type of database should the information be stored? Under what circumstances should the records be disclosed? To which government agencies? By what deadlines? With what potential liability for an inadequate disclosure? How should the data be stored to prevent unauthorized access? Should the provider keep records of data disclosures in case a subscriber later complains of an over-disclosure? Are any special privacy sensitivities raised by the storage of ICRs? How should the data retention program be explained in the privacy statement posted on the provider’s web site? Will the compliance effort entitle the provider to government cost recovery?

To be sure, complying with a data retention mandate is a complex and legally sensitive task. The addition of ICRs adds a new complication.

Will other nations adopt data retention mandates that cover Internet records?

Now that Great Britain has adopted a data retention mandate covering Internet access records, will other nations follow suit? Law enforcement agencies have reported that terrorists and criminals exploit Internet access for a variety of purposes, including not only communications but propaganda, incitement, recruiting, training, fundraising, unauthorized surveillance, and a growing volume of cyber-crime. Saving the Internet records of these activities would presumably help catch the perpetrators.

On the other hand, the European Court of Justice may soon limit the scope of EU data retention mandates. The Court’s Advocate General issued a “preliminary finding” on the data retention issue in July. In his opinion, he said data retention should be used only for investigations of “serious crimes.” The Court itself is expected to issue a binding decision on the subject very soon.

If the Court limits EU data retention mandates to serious crimes, the IP Act will suddenly fall out of compliance. At that point the UK will be forced to amend the IP Act. It would not need to drop the ICR part of the mandate.

Another unknown is the timing of Great Britain’s plan to withdraw from the European Union (the so-called “Brexit”). Once the separation is complete, the British will no longer be subject to the European Court of Justice or any other EU authority. The nation could then restore any components of the IP Act that are temporarily suspended for purposes of EU compliance.

November 2, 2016

The Impact of the 2016 Presidential Election on Lawful Surveillance and Customer Records Disclosures

Author: Trevor Gray, Legal Services Manager

With every presidential election comes some uncertainty. How will policy be impacted by a newly elected chief executive? It is vital that industry players be forward thinking to try and anticipate some of the change and be better prepared to take advantage of it. One critical area of discussion during this election cycle has been that of national security and more specifically cybersecurity and privacy. Electronic communication providers will need to be ready to act, so here is a look at how the candidates stand on issues related to lawful surveillance and records collection.


September 6, 2016


Communication service providers are sometimes served with court orders to implement lawful electronic surveillance – known as lawful intercepts or “LI” — on criminal suspects using their networks. These CSPs typically prepare for the judicial demands by equipping their networks with LI solutions, as required by the CALEA lawful surveillance statute. But are those solutions secure?


July 19, 2016


On July 14th the Second Circuit Court of Appeals issued a ruling in the case of Microsoft v. US that could impact all communication service providers (CSPs) that store communications content (e.g. email or voice mail). The ruling held that if a U.S. law enforcement agency (LEA) serves a valid warrant on a CSP to obtain a criminal suspect’s email content, and the CSP stores the content on a server outside the U.S., the CSP must not disclose the information.


June 22, 2016


Earlier this month the D.C. Court of Appeals upheld the Open Internet Order, a rulemaking by the Federal Communications Commission that imposed non-discrimination standards on broadband Internet access providers (“ISPs”). Some of the more prominent ISPs are Comcast, Earthlink, and Verizon. The Court’s ruling did not address the CALEA lawful surveillance statute, but indirectly it made CALEA’s legal coverage of ISPs more secure.