One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Disentangling DRIP

Friday, July 25, 2014 - 09:57

Earlier this week Parliament passed the Data Retention and Investigatory Powers Act 2014 (DRIP), in response to the European Court of Justice's April 2014 declaration of the invalidity of the 2006 European Data Retention Directive on which the UK data retention law depended. For an Act with only eight sections, DRIP is remarkably hard to follow – partly because it leaves a lot to subsequent actions by the Home Secretary and partly because it includes significant circular references. So here's an attempt to tease out those circles.

For historical reasons, UK law has two very similar definitions: "telecommunications service" in s.2 of the Regulation of Investigatory Powers Act 2000 (RIPA) and "electronic communications service/network", derived from European Telecommunications Directives, in s.31 of the Communications Act 2003. The wordings of the two definitions aren’t quite the same. Before DRIP, the UK laws on internet investigations used both:

  • warrants to intercept networks or orders to disclose communications data about their use, in sections 5 and 21 of RIPA respectively, can be made against any telecommunications service operator, according to the RIPA definition;
  • orders to retain communications data, under regulation 3 of the Data Retention (EC Directive) Regulations 2009, can be made against any public communications provider, according to the Communications Act definition.

DRIP changes that in two ways. First, according to DRIP s.2(1), orders to retain communications data are now available against public telecommunications service operators under the RIPA definition, not the Communications Act one. And second, DRIP s.5 adds a new s.2(8) to the RIPA definition, which makes it clear that this definition is significantly wider than the Communications Act one.

The Communications Act, following its European parent legislation, applies to Electronic Communications Networks and Electronic Communications Services – things that "convey" communications from one place to another. Those places, under European law, will often be Information Society Services, which have their own separate laws. However, according to s.2(8), the RIPA definition of "telecommunications service" isn’t limited to services that "convey" messages but also includes those "facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system" (DRIP s.5). The explanatory notes that accompanied the Bill confirm that this includes "internet-based services, such as webmail", but the definition does not appear limited to any particular application. In future this broad definition will apply wherever the term "telecommunications service" appears in RIPA.

Section 4 of DRIP states that an interception warrant (but not, so far as I can see, an order to retain or disclose communications data) can be served on an operator outside the UK.

So far as I can see, none of this should change the position of Janet. We are already a telecommunications service under the RIPA definition, so s.5 warrants and s.21 orders could be served on us (though we have little or no information about individual users that we could provide). But we are, and intend to remain, outside the RIPA definition of a "public" service that is "offered or provided to, or to a substantial section of, the public in any one or more parts of the United Kingdom" (RIPA s.2(1)), so we should not be eligible to receive orders to retain communications data.

Provided Janet customers similarly remain outside the definition of "public telecommunication service", the same should apply to them. Our recommendation that, to comply with the Janet policy requirement to deal effectively with complaints of misuse, you retain logs about your use of Janet for between three and six months remains unchanged.