RECONCILING RIPA AND ATCSA
The position under the voluntary code of practice is most unsatisfactory, for two reasons. First, the code is voluntary, meaning that it is shrouded by legal uncertainty. Second, although ATCSA allows the Secretary of State to issue a code where that is necessary for the purpose of safeguarding national security or for the prevention or detection of crime impacting upon national security, RIPA allows access to retained communications data for considerably more purposes. Thus, there is an inherent conflict between ATCSA and RIPA. This conflict, while recognized by the Secretary of State, has been very much skirted over by the Voluntary Code of Practice. The foreward to the code says:
|
Communications data may be obtained by security, intelligence and law enforcement agencies under the Regulation of Investigatory Powers Act 2000 and other statutory powers. This Code does not deal with these provisions. The Data Protection Act 1998 requires that personal data are processed lawfully. In retaining communications data for longer than needed for their own business purposes and for the purposes identified in the Act communication service providers will process personal data. The Information Commissioner’s Office (ICO) has accepted that such processing will not, on human rights grounds, contravene this requirement of the Act. However, individual communication service providers must satisfy themselves that the processing is ‘necessary’ for one of a range of functions. In doing so they are entitled to rely heavily on the Secretary of State’s assurance that the retention of communications data for the periods as specified in this Code is necessary for the government’s function of safeguarding national security, and on the fact that the Code has been approved by Parliament. The ICO has though expressed concern about such retained data being acquired for purposes that do not relate to national security. Acquisition of communications data is not addressed in the Act and therefore is not within the proper ambit of this Code. |
It may be considered that communications providers are entitled to feel confused by the current state of the law. However, as discussed earlier, in 2005 considerable progress was made towards a harmonized regime for retention and disclosure of communications data as evidenced, which has resulted in the Communications Data Retention Directive.165 This directive amends the DPEC so as to allow lengthy retention periods for internet and telecommunications data.