Data Retention and Investigatory Powers Bill CONTENTS Retention of relevant communications data 1 2 Powers for retention of relevant communications data subject to safeguards Section 1: supplementary Investigatory powers 3 4 5 Grounds for issuing warrants and obtaining data Extra-territoriality in Part 1 of RIPA Meaning of “telecommunications service” Final provisions 6 Commencement, duration, extent and short title 55/4 Draft Bill 1 Data Retention and Investigatory Powers Bill A BILL TO Make provision, in consequence of a declaration of invalidity made by the Court of Justice of the European Union in relation to Directive 2006/24/EC, about the retention of certain communications data; to amend the grounds for issuing interception warrants, or granting or giving certain authorisations or notices, under Part 1 of the Regulation of Investigatory Powers Act 2000; to make provision about the extra-territorial application of that Part and about the meaning of “telecommunications service” for the purposes of that Act; and for connected purposes. B by the Queen’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:— E IT ENACTED Retention of relevant communications data 1 Powers for retention of relevant communications data subject to safeguards (1) (2) The Secretary of State may by notice (a “retention notice”) require a public telecommunications operator to retain relevant communications data if the Secretary of State considers that the requirement is necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (h) of section 22(2) of the Regulation of Investigatory Powers Act 2000 (purposes for which communications data may be obtained). A retention notice may— (a) relate to a particular operator or any description of operators, (b) require the retention of all data or any description of data, (c) specify the period or periods for which data is to be retained, (d) contain other requirements, or restrictions, in relation to the retention of data, (e) make different provision for different purposes, (f) relate to data whether or not in existence at the time of the giving, or coming into force, of the notice. 55/4 Draft Bill 5 10 15 2 Data Retention and Investigatory Powers Bill (3) The Secretary of State may by regulations make further provision about the retention of relevant communications data. (4) Such provision may, in particular, include provision about— (a) requirements before giving a retention notice, (b) the maximum period for which data is to be retained under a retention notice, (c) the content, giving, coming into force, review, variation or revocation of a retention notice, (d) the integrity, security or protection of, access to, or the disclosure or destruction of, data retained by virtue of this section, (e) the enforcement of, or auditing compliance with, relevant requirements or restrictions, (f) a code of practice in relation to relevant requirements or restrictions or relevant powers, (g) the reimbursement by the Secretary of State (with or without conditions) of expenses incurred by public telecommunications operators in complying with relevant requirements or restrictions, (h) the 2009 Regulations ceasing to have effect and the transition to the retention of data by virtue of this section. (5) The maximum period provided for by virtue of subsection (4)(b) must not exceed 12 months beginning with such day as is specified in relation to the data concerned by regulations under subsection (3). (6) A public telecommunications operator who retains relevant communications data by virtue of this section must not disclose the data except— (a) in accordance with— (i) Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act 2000 (acquisition and disclosure of communications data), or (ii) a court order or other judicial authorisation or warrant, or (b) as provided by regulations under subsection (3). (7) 2 The Secretary of State may by regulations make provision, which corresponds to any provision made (or capable of being made) by virtue of subsection (4)(d) to (g) or (6), in relation to communications data which is retained by telecommunications service providers by virtue of a code of practice under section 102 of the Anti-terrorism, Crime and Security Act 2001. 5 10 15 20 25 30 35 Section 1: supplementary (1) In this section and section 1— “communications data” has the meaning given by section 21(4) of the Regulation of Investigatory Powers Act 2000 so far as that meaning applies in relation to telecommunications services and telecommunication systems; “functions” includes powers and duties; “notice” means notice in writing; “public telecommunications operator” means a person who— (a) controls or provides a public telecommunication system, or (b) provides a public telecommunications service; Draft Bill 40 45 3 Data Retention and Investigatory Powers Bill “public telecommunications service” and “public telecommunication system” have the meanings given by section 2(1) of the Regulation of Investigatory Powers Act 2000; “relevant communications data” means communications data of the kind mentioned in the Schedule to the 2009 Regulations so far as such data is generated or processed in the United Kingdom by public telecommunications operators in the process of supplying the telecommunications services concerned; “relevant powers” means any powers conferred by virtue of section 1(1) to (6); “relevant requirements or restrictions” means any requirements or restrictions imposed by virtue of section 1(1) to (6); “retention notice” has the meaning given by section 1(1); “specify” means specify or describe (and “specified” is to be read accordingly); “telecommunications service” and “telecommunication system” have the meanings given by section 2(1) of the Regulation of Investigatory Powers Act 2000; “telecommunications service provider” means a person who provides a telecommunications service; “unsuccessful call attempt” means a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention; “the 2009 Regulations” means the provisions known as the Data Retention (EC Directive) Regulations 2009 (S.I. 2009/859). (2) (3) (4) “Relevant communications data” includes (so far as it otherwise falls within the definition) communications data relating to unsuccessful call attempts that— (a) in the case of telephony data, is stored in the United Kingdom, or (b) in the case of internet data, is logged in the United Kingdom, but does not include data relating to unconnected calls or data revealing the content of a communication. Regulations under section 1(3) may specify the communications data that is of the kind mentioned in the Schedule to the 2009 Regulations and, where they do so, the reference in the definition of “relevant communications data” to communications data of that kind is to be read as a reference to communications data so specified. Any power to make regulations under section 1— (a) is exercisable by statutory instrument, (b) includes power to— (i) confer or impose functions (including those involving the exercise of a discretion) on any person (including the Secretary of State), (ii) make supplementary, incidental, consequential, transitional, transitory or saving provision, (iii) make different provision for different purposes, (c) may, so far as relating to provision about codes of practice, be exercised in particular by modifying the effect of sections 71 and 72 of the Regulation of Investigatory Powers Act 2000 (codes of practice in relation to certain powers and duties). Draft Bill 5 10 15 20 25 30 35 40 45 50 4 Data Retention and Investigatory Powers Bill (5) A statutory instrument containing regulations under section 1 is not to be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament. Investigatory powers 3 Grounds for issuing warrants and obtaining data (1) Section 5 of the Regulation of Investigatory Powers Act 2000 (power to issue necessary and proportionate interception warrants in interests of national security, to prevent or detect serious crime or to safeguard the UK’s economic well-being) is amended as set out in subsection (2). (2) In subsection (3)(c) (economic well-being of the UK), after “purpose” insert “, in circumstances appearing to the Secretary of State to be relevant to the interests of national security,”. (3) Section 22 of that Act (power to obtain communications data in interests of national security, to prevent or detect serious crime, in interests of the UK’s economic well-being and for other specified purposes) is amended as set out in subsection (4). (4) 4 5 10 15 In subsection (2)(c) (economic well-being of the UK), after “United Kingdom” insert “so far as those interests are also relevant to the interests of national security”. Extra-territoriality in Part 1 of RIPA (1) Part 1 of the Regulation of Investigatory Powers Act 2000 (communications) is amended as follows. (2) In section 11 (implementation of interception warrants), after subsection (2) insert— “(2A) A copy of a warrant may be served under subsection (2) on a person outside the United Kingdom (and may relate to conduct outside the United Kingdom). (2B) Service under subsection (2) of a copy of a warrant on a person outside the United Kingdom may (in addition to electronic or other means of service) be effected in any of the following ways— (a) by serving it at the person’s principal office within the United Kingdom or, if the person has no such office in the United Kingdom, at any place in the United Kingdom where the person carries on business or conducts activities; (b) if the person has specified an address in the United Kingdom as one at which the person, or someone on the person’s behalf, will accept service of documents of the same description as a copy of a warrant, by serving it at that address; (c) by making it available for inspection (whether to the person or to someone acting on the person’s behalf) at a place in the United Kingdom (but this is subject to subsection (2C)). (2C) Service under subsection (2) of a copy of a warrant on a person outside the United Kingdom may be effected in the way mentioned in paragraph (c) of subsection (2B) only if— Draft Bill 20 25 30 35 40 5 Data Retention and Investigatory Powers Bill (a) it is not reasonably practicable for service to be effected by any other means (whether as mentioned in subsection (2B)(a) or (b) or otherwise), and (b) the person to whom the warrant is addressed takes such steps as the person thinks appropriate for the purpose of bringing the contents of the warrant, and the availability of a copy for inspection, to the attention of the person outside the United Kingdom. The steps mentioned in paragraph (b) must be taken as soon as reasonably practicable after the copy of the warrant is made available for inspection.” (3) In subsection (4) of that section, after “that person” insert “(whether or not the person is in the United Kingdom)”. (4) After subsection (5) of that section insert— “(5A) 5 10 Where a person outside the United Kingdom is under a duty by virtue of subsection (4) to take any steps in a country or territory outside the United Kingdom for giving effect to a warrant, in determining for the purposes of subsection (5) whether the steps are reasonably practicable for the person to take, regard is to be had (amongst other matters) to— (a) any requirements or restrictions under the law of that country or territory relevant to the taking of those steps, and (b) the extent to which it is reasonably practicable to give effect to the warrant in a way that does not breach any such requirements or restrictions.” 15 (5) In subsection (8) of that section, after “enforceable” insert “(including in the case of a person outside the United Kingdom)”. 25 (6) In section 12 (maintenance of interception capability), after subsection (3) insert— (7) “(3A) An obligation may be imposed in accordance with an order under this section on, and a notice under subsection (2) given to, persons outside the United Kingdom (and may be so imposed or given in relation to conduct outside the United Kingdom). (3B) Where a notice under subsection (2) is to be given to a person outside the United Kingdom, the notice may (in addition to electronic or other means of giving a notice) be given to the person— (a) by delivering it to the person’s principal office within the United Kingdom or, if the person has no such office in the United Kingdom, to any place in the United Kingdom where the person carries on business or conducts activities, or (b) if the person has specified an address in the United Kingdom as one at which the person, or someone on the person’s behalf, will accept documents of the same description as a notice, by delivering it to that address.” In subsection (7) of that section— (a) after “person” insert “(whether or not the person is in the United Kingdom)”, and (b) after “enforceable” insert “(including in the case of a person outside the United Kingdom)”. Draft Bill 20 30 35 40 45 6 Data Retention and Investigatory Powers Bill (8) In section 22 (obtaining and disclosing communications data), after subsection (5) insert— “(5A) (5B) An authorisation under subsection (3) or (3B), or a requirement imposed in accordance with a notice under subsection (4), may relate to conduct outside the United Kingdom (and any such notice may be given to a person outside the United Kingdom). Where a notice under subsection (4) is to be given to a person outside the United Kingdom, the notice may (in addition to electronic or other means of giving a notice) be given to the person in any of the following ways— (a) by delivering it to the person’s principal office within the United Kingdom or, if the person has no such office in the United Kingdom, to any place in the United Kingdom where the person carries on business or conducts activities; (b) if the person has specified an address in the United Kingdom as one at which the person, or someone on the person’s behalf, will accept documents of the same description as a notice, by delivering it to that address; (c) by notifying the person of the requirements imposed by the notice by such other means as the person giving the notice thinks appropriate (which may include notifying the person orally, except where the notice is one to which section 23A applies).” (9) In subsection (6) of that section, after “operator” insert “(whether or not the operator is in the United Kingdom)”. (10) In subsection (8) of that section, after “enforceable” insert “(including in the case of a person outside the United Kingdom)”. 5 5 10 15 20 25 Meaning of “telecommunications service” In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of “interception” etc), after subsection (8) insert— “(8A) For the purposes of the definition of “telecommunications service” in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.” 30 35 Final provisions 6 Commencement, duration, extent and short title (1) Subject to subsection (2), this Act comes into force on the day on which it is passed. (2) Section 1(6) comes into force on such day as the Secretary of State may by order made by statutory instrument appoint; and different days may be appointed for different purposes. Draft Bill 40 7 Data Retention and Investigatory Powers Bill (3) Sections 1 to 5 (and the provisions inserted into the Regulation of Investigatory Powers Act 2000 by sections 3 to 5) are repealed on 31 December 2016. (4) This Act extends to England and Wales, Scotland and Northern Ireland. (5) This Act may be cited as the Data Retention and Investigatory Powers Act 2014. Draft Bill