The UK government has rowed back on proposals that would allow it to suck up communications data for investigations of crimes that could see someone put away for just six months – but not by much.
The move was revealed in the Home Office's response to a consultation on changes to regulations relating to retention of and access to communications data held by telcos and internet companies under the Investigatory Powers Act.
These changes were drafted in a bid to bring the so-called Snooper's Charter in line with European laws after the bloc's top court ruled the UK's regime unlawful.
In 2016, the Court of Justice of the European Union ruled indiscriminate data retention illegal. It said that access to retained data must only be granted for cases of serious crime, and that authorisation should come from an independent body, not public authorities. This was followed by similar decisions in the Court of Appeal and High Court.
Having accepted that the IPA couldn't continue in its current form, the government made a series of amendments and has today issued its summary (PDF) of the 800 or so responses it garnered.
Among the proposals aimed at bringing the law in line were provisions for data to be collected only in cases of serious crime – but these defined serious crime as an offence for which an adult is capable of being imprisoned for six months.
Some compromise in evidence
However, opponents said that the government had set the bar too low. In its response, the government acknowledged this concern and agreed to raise the threshold to 12 months.
"We have increased the crime threshold for which events data can be acquired to crimes for which a person is capable of receiving 12 months in prison.
"This will mean data cannot be acquired for the investigation of crimes where a person is not capable of being sentenced to 12 months imprisonment."
Addressing concerns that the regulation would catch a broad spectrum of crimes – theft has a maximum sentence of 14 years but also covers low-level crimes like shoplifting – it said it would ensure the code of practice explicitly required authorities to consider other factors, such as the circumstances of the case, the impact on the victim, the harm suffered and the motive of the crime.
The government also said it had amended the code of practice to make it clear that there are limitations on the authorisations that are handed out in urgent cases.
These "emergency" authorisations would allow public authorities to rubberstamp their own requests and bypass the newly proposed independent body, the Office for Communications Data Authorisation, in situations where there is "an urgent need to obtain the data".
However, respondents countered that this move would effectively circumvent the terms of the 2016 judgment.
The government said that this emergency authorisation terminates after three days, meaning any continued slurping would have to go via the OCDA – but agreed to make this restriction clear.
In other areas, the government asserts that its proposed changes are consistent with the 2016 CJEU ruling – for instance, on the security of retained data.
It also stands firm in its interpretation of the judgment as applying to traffic (or events) data, not subscriber (or entity) data – something a number of respondents disagreed with.
And, although it didn't offer up any changes, it tried to downplay the disagreement by saying the distinction doesn't have "significant material impact" on the regime.
For the purposes of authorisation, entity and events data will be treated in the same way, it argued, and although entity data can be retained for non-serious crime, this comes with requirements on necessity and proportionality.
Elsewhere, the government noted that other issues on which there are disagreements between itself and opponents are still awaiting rulings from the CJEU, including on whether the 2016 judgment should apply to national security, and on notification of people affected by data retention.
The revised regulations and code of practice on communications data have been laid before parliament to debate and approve. ®