Public Wi-Fi and Data Retention

In 2006 the EU passed the Data Retention Directive, which the UK implemented as the Data Retention (EC Directive) Regulations 2009. These regulations required a ‘Public Communications Provider’, as defined by the Communications Act 2003, to retain certain information about their user’s usage of the networks.

Whilst it was clearly aimed at ISP’s and phone companies, businesses who offered Wi-Fi to their customers seemed to fall loosely in the definition of a Public Communications Provider. However, given the definition was taken from the Communications Act 2003, which was passed to set up the Office of Communications (Ofcom) it’s reasonable to say that the definition was not intended to cover businesses who offer Wi-Fi access to their clients.

The Information Commissioners Office has stated that:

‘In our view, businesses offering Wi-Fi access to customers as a supplementary service are not service providers. A service provider would generally have a formal and ongoing contract with the customer subscribing to the service. By contrast, a coffee shop or hotel that provides Wi-Fi will itself be a subscriber to a service, and is simply permitting passing customers to use its connection.’

This is only an opinion of the ICO and not legally binding, but in any event the obligation was only triggered when a notice was given to the Communications Provider by the Secretary of State. Notice wasn’t supposed to be given if the data was already being retained by another provider. Consequently it was simpler to serve notice on the ISPs rather than individual businesses as the data would be caught by the ISP anyway.

However in April 2014, the European Court of Justice ruled that the Data Retention Directive was void, as the mass retention of customer’s data constituted a breach of their right to privacy (regardless of whether the data was ever actually accessed and seen by anybody).

As this undermined the legal basis for the UK’s Data Retention (EC Directive) Regulations 2009, the Government rushed through the Data Retention and Investigatory Powers Act 2014 (DRIPA), which came into force on 17 July 2014, just three months after the previous legislation had been declared void.

The new legislation limits the Secretary of State to issuing retention notices only in certain circumstances, relating to national security, public safety and any other reason specified by the Secretary. However it alters the scope of ‘Public Communications Provider’ to a ‘Public Telecommunications Operator’ as defined by the Regulation of Investigatory Powers Act 2000 (RIPA).

However the DRIPA also amends that same definition of a ‘Public Telecommunications Operator’ and expands the definition:

‘For the purposes of the definition of “telecommunications service” in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.’

Again this is a very wide definition, and this time it is taken from an Act which was designed to facilitate and regulate the interception of communications for investigation and intelligence gathering, in which case we have to assume that the widest possible definition was intended.

The Secretary of State still has to issue a retention notice in the first place before the requirements apply. Given the nature of the retention notices and the intended purpose, there isn’t much information available about how the Secretary of State has been using them so far.

The issue now is that the DRIPA was only ever intended as a temporary measure, designed to last until 31 December 2016. In fact earlier this year it was also challenged in the High Court by several interested parties including the now Deputy Leader of the Labour party, Tom Watson MP.

The court ordered that the operative part of the Act be disapplied, as inconsistent with EU law. However it has delayed the effect of its Judgment until 31 March 2016, to allow time for the government to introduce new legislation. The full Judgment is available here,

On 4 November 2015 the Government published its Draft Investigatory Powers Bill. This is the legislation it is proposing to replace both DRIPA and RIPA, and it will now go through the consultation process.

Currently the data retention measures in the new Bill are similar to the current measures, but with the level of criticism they have received to date, and the recent publicity surrounding the activities of the intelligence community, it seems likely that it will not have an easy ride through Parliament.

So what does this mean for businesses who offer Wi-Fi to their customers? Whilst it is unclear whether this data retention scheme does apply to you, unless you actually receive a Retention Notice you don’t have to worry about it. In fact retaining such data may be a breach of the Data Protection laws, given the ECJ’s stance on the Data Retention Directive.

On the other hand if you do receive a Retention Notice, then you can be sure the Secretary of State believes this law covers you and, unless you are willing to challenge it, the safest option would be to retain the relevant data.

Of course this position may all change again in the coming months, and we will be watching with interest to see how the new law develops, and what form it finally takes!