UK Data Retention Bill Promises More Online Privacy Issues

Christopher Sewerd Policy

In March 2006 a directive was introduced which aimed to help law enforcement agencies within the European Union investigate crimes related to the internet and communications systems. This was known as the Data Retention Directive. The gist of the directive was to require EU member states to force data retention upon communications providers such as ISPs. The bulk of the record keeping related to the source and destination of communications, as well as further details such as the location of mobile devices, the times and dates, and other such connection data.

Many discussions have ensued in recent years on various VPN forums and sites such as Reddit because of the apparent requirement for European VPN providers to record such data. That requirement is actually an untruth, but the issue has always been raised regardless. After 8 years in operation the directive was finally overturned in April 2014 by the European Union Court of Justice, which ruled that Directive 2006/24/EC was invalid.

While the directive was said to invade the privacy of users, it continued to be unofficially in use in countries such as the United Kingdom, where, following Government advice and confusion surrounding the requirements of the UK’s own Data Retention Regulations, the major ISPs continued to log and store such connection data even without the requirement to do so. One of the nuances of the European Union is that, while overall law is passed affecting all member countries, each individual country is also responsible for passing its own laws. This can and has become messy at times, with various laws from the EU contradicting each individual country’s own stance. This has been recently noted in countries such as Romania, which blatantly refuses to implement such logging regulations because they do not fit with the ethos of the country as a whole and what it stands for individually.

While the EU directive was annulled, each country which had implemented the directive was left in a limbo-like state. Swedish ISP Bahnhof opted to delete all currently stored logs and ceased logging with immediate effect, which caused furious responses from Swedish ministers, who proclaimed that Swedish law was still applicable.

The story of the directive has taken a rather peculiar twist and kicked up a stink in the United Kingdom recently. Faced with the uncertain future of data retention for communications providers, the UK has rushed through an amended bill known as the Data Retention and Investigatory Powers Bill, which aims to plug the hole that the removed European directive has created. Without going into too much detail about how bills and directives are passed in the UK, the speed at which it has been processed is rather alarming and has raised a few eyebrows. This is dubbed emergency legislation.

The crux of any issue with regard to data retention is the fine line between user privacy, of which awareness has heightened since the likes of the Snowden revelations, and the ability of law enforcement to investigate crimes committed over communications networks. While there are opinions on either side of the fence, it is quite clear that not every user makes use of the internet and communications systems for entirely legitimate purposes, but where the line is drawn with regard to what should be monitored and stored and what shouldn’t is a tricky question that has no clear answer.

Since the aftermath of the tragic events of September 11th 2001, the world has been more aware of the risks of terrorist attacks, and while user privacy is of utmost concern, it needs to be balanced carefully with the ability of law enforcement agencies to protect citizens from further atrocities.

The EU and UK have some of the strongest data protection laws in the world, which ensure that personal user data is not passed to those who should not have it or have no requirement to access it. The difficult question now is how the new data retention bill can run concurrently with such strong data protection laws.

Further confusion is caused by what falls under the umbrella term of telecommunications service. When this is clarified it may have implications for VPN providers and those who operate servers inside the United Kingdom, or at the very least for the data centres that are used to house the servers of the VPN business. Regardless, at some juncture user connection data may be required to be logged, although, with the privacy that a VPN provides aside from actual connection data, there may be very little use to such data.

The hard reality of the rushed-through bill is that it not only requires UK companies to log such data but also extends to those who offer services available to the UK, even though they may not be physically present as an entity on UK soil.

While the news has been widely reported and organisations such as the Open Rights Group have strongly criticised the moves, it seems interest in the United Kingdom is rather muted compared to reactions seen in similar situations in countries such as the United States, where freedom of speech is much more widely campaigned for.

The situation makes for interesting times not only for communications providers in the UK & EU but also for those worldwide who provide services to such destinations. How this will affect VPN signups remains to be seen, and the requirement to record such data could be felt worldwide by the VPN industry as a whole.