On November 29th the United Kingdom adopted a surveillance law that raised a novel issue of law enforcement assistance and privacy. How does the new law impact U.S.-based communication service providers?

The UK’s new Investigatory Powers Act

The UK’s existing Data Retention and Investigatory Powers Act of 2014, or “DRIPA,” already requires UK communication service providers to facilitate lawful surveillance and retain data on their subscribers’ past communications. To meet the data retention mandate, a service provider must store records on every subscriber’s past voice communications, emails, and text messages, and disclose them to the government upon lawful request.

The new UK Investigative Powers Act of 2016, known as the “IP Act,” extends DRIPA’s data retention mandate by covering records of Internet web site browsing. Accordingly, UK communication service providers that provide Internet access must now store each user’s “Internet connection records,” or “ICRs.” ICRs include metadata but not content. At any given time, law enforcement officials may collect up to 12 months of a suspect’s past ICRs.  The IP Act takes effect when DRIPA expires at the end of this month.

Many other EU member states have data retention laws, but so far Great Britain is the only one where data retention covers ICRs.

How does the IP Act affect US-based service providers?

The US Congress never adopted a data retention mandate, although the Federal Communications Commission has long required telephone companies to retain 18 months of all phone calling records. If a US communications provider wants to serve the British market, it will need a data retention program to comply with the IP Act. And if the provider offers Internet access, the program must include ICRs.

To develop a data retention program, the service provider must answer many questions. What data elements are covered by the law? In what type of database should the information be stored? Under what circumstances should the records be disclosed? To which government agencies? By what deadlines? With what potential liability for an inadequate disclosure? How should the data be stored to prevent unauthorized access? Should the provider keep records of data disclosures in case a subscriber later complains of an over-disclosure? Are any special privacy sensitivities raised by the storage of ICRs? How should the data retention program be explained in the privacy statement posted on the provider’s web site? Will the compliance effort entitle the provider to government cost recovery?

To be sure, complying with a data retention mandate is a complex and legally sensitive task. The addition of ICRs adds a new complication.

Will other nations adopt data retention mandates that cover Internet records?

Now that Great Britain has adopted a data retention mandate covering Internet access records, will other nations follow suit? Law enforcement agencies have reported that terrorists and criminals exploit Internet access for a variety of purposes, including not only communications but propaganda, incitement, recruiting, training, fundraising, unauthorized surveillance, and a growing volume of cyber-crime. Saving the Internet records of these activities would presumably help catch the perpetrators.

On the other hand, the European Court of Justice may soon limit the scope of EU data retention mandates. The Court’s Advocate General issued a “preliminary finding” on the data retention issue in July. In his opinion, he said data retention should be used only for investigations of “serious crimes.” The Court itself is expected to issue a binding decision on the subject very soon.

If the Court limits EU data retention mandates to serious crimes, the IP Act will suddenly fall out of compliance. At that point the UK will be forced to amend the IP Act. It would not need to drop the ICR part of the mandate.

Another unknown is the timing of Great Britain’s plan to withdraw from the European Union (the so-called “Brexit”). Once the separation is complete, the British will no longer be subject to the European Court of Justice or any other EU authority. The nation could then restore any components of the IP Act that are temporarily suspended for purposes of EU compliance.