Internet service providers will have to store details of web and email traffic and details of internet phone calls for 12 months from today as expanded European legislation comes into effect.
The European Parliament passed the Data Retention Directive in 2006 in response to terrorist bombings in London in 2005. It required phone companies to store records of where and when phone calls were made. Those rules have now been expanded to include logs of internet communications.
The content of emails and phone calls will not be recorded or kept, but the details of the communications, such as who was in touch with whom, when and for how long, will be stored.
The rules replace and extend Regulations of 2007 that applied to non-internet data only. The new rules only apply to telcos and ISPs that receive a notice to retain data from the Secretary of State. In contrast, the 2007 Regulations applied to all telcos unless they were notified that they did not need to retain the data.
The EU legislation allowed countries to choose a retention period of between six and 24 months. The UK has chosen a period of 12 months.
Bodies which are covered by phone tap law, the Regulation of Investigatory Powers Act (RIPA), will be able to serve a notice under that Act for the release of the data, without having to seek a court's approval.
ISPs will be forced to retain data on what communications were made from which internet protocol (IP) address or phone number, what the destination of that communication was, and its duration.
In the case of mobile phone calls, the data to be retained will also include information on which cell within a network a call was made from. This will give authorities an indication of the user's location at the time of the call.
The addresses of web pages visited do not need to be stored under the new rules. For internet access, ISPs only need to store the dates and times of a user connecting to the internet and disconnecting; the internet protocol (IP) address allocated to the user; and the user ID of the customer.
In March, Home Office security minister Vernon Coaker told a Parliamentary committee that the Government is considering an extension to the rules to include communications sent via social networking sites like Facebook and Bebo. The Government will consult before introducing any new law, according to Coaker, and that consultation could address the retention of URLs visited by web users.
The extension of existing data retention laws has been controversial, and faced an unsuccessful court challenge by digital rights pressure group the Open Rights Group (ORG).
"This requirement, imposed on all EU states, is a serious erosion of our fundamental human right to privacy," said ORG executive director Jim Killock. "Privacy is recognised by European and British courts as a matter of right. The European Human Rights Convention states quite clearly that we have a right to a private life and correspondence, and the European Court of Human Rights has stated that traffic data is ‘an integral element in the communications made’."
The Home Office previously calculated that retaining all the required records, including the newly added internet records, would cost £30 million in capital costs and £16 million in operating costs over an eight-year period.
The Government is allowed but not required to repay communications companies the costs associated with data retention.