Data Retention and Investigatory Powers Bill (HL Bill 37)

A

BILL

TO

Make provision, in consequence of a declaration of invalidity made by the
Court of Justice of the European Union in relation to Directive 2006/24/EC,
about the retention of certain communications data; to amend the grounds for
issuing interception warrants, or granting or giving certain authorisations or
notices, under Part 1 of the Regulation of Investigatory Powers Act 2000; to
make provision about the extra-territorial application of that Part and about
the meaning of “telecommunications service” for the purposes of that Act; to
make provision about additional reports by the Interception of
Communications Commissioner; to make provision about a review of the
operation and regulation of investigatory powers; and for connected
purposes.

Be it enacted by the Queen’s most Excellent Majesty, by and with the advice and
consent of the Lords Spiritual and Temporal, and Commons, in this present
Parliament assembled, and by the authority of the same, as follows:—

Retention of relevant communications data

1 Powers for retention of relevant communications data subject to safeguards

(1) The Secretary of State may by notice (a “retention notice”) require a public
telecommunications operator to retain relevant communications data if the
5Secretary of State considers that the requirement is necessary and
proportionate for one or more of the purposes falling within paragraphs (a) to
(h) of section 22(2) of the Regulation of Investigatory Powers Act 2000
(purposes for which communications data may be obtained).

(2) A retention notice may—

(a) 10relate to a particular operator or any description of operators,

(b) require the retention of all data or any description of data,

(c) specify the period or periods for which data is to be retained,

(d) contain other requirements, or restrictions, in relation to the retention
of data,

(e) 15make different provision for different purposes,

Data Retention and Investigatory Powers BillPage 2

(f) relate to data whether or not in existence at the time of the giving, or
coming into force, of the notice.

(3) The Secretary of State may by regulations make further provision about the
retention of relevant communications data.

(4) 5Such provision may, in particular, include provision about—

(a) requirements before giving a retention notice,

(b) the maximum period for which data is to be retained under a retention
notice,

(c) the content, giving, coming into force, review, variation or revocation
10of a retention notice,

(d) the integrity, security or protection of, access to, or the disclosure or
destruction of, data retained by virtue of this section,

(e) the enforcement of, or auditing compliance with, relevant requirements
or restrictions,

(f) 15a code of practice in relation to relevant requirements or restrictions or
relevant powers,

(g) the reimbursement by the Secretary of State (with or without
conditions) of expenses incurred by public telecommunications
operators in complying with relevant requirements or restrictions,

(h) 20the 2009 Regulations ceasing to have effect and the transition to the
retention of data by virtue of this section.

(5) The maximum period provided for by virtue of subsection (4)(b) must not
exceed 12 months beginning with such day as is specified in relation to the data
concerned by regulations under subsection (3).

(6) 25A public telecommunications operator who retains relevant communications
data by virtue of this section must not disclose the data except—

(a) in accordance with—

(i) Chapter 2 of Part 1 of the Regulation of Investigatory Powers
Act 2000 (acquisition and disclosure of communications data),
30or

(ii) a court order or other judicial authorisation or warrant, or

(b) as provided by regulations under subsection (3).

(7) The Secretary of State may by regulations make provision, which corresponds
to any provision made (or capable of being made) by virtue of subsection (4)(d)
35to (g) or (6), in relation to communications data which is retained by
telecommunications service providers by virtue of a code of practice under
section 102 of the Anti-terrorism, Crime and Security Act 2001.

2 Section 1: supplementary

(1) In this section and section 1—

  • 40“communications data” has the meaning given by section 21(4) of the
    Regulation of Investigatory Powers Act 2000 so far as that meaning
    applies in relation to telecommunications services and
    telecommunication systems;

  • “functions” includes powers and duties;

  • 45“notice” means notice in writing;

  • “public telecommunications operator” means a person who—

    (a)

    controls or provides a public telecommunication system, or

    Data Retention and Investigatory Powers BillPage 3

    (b)

    provides a public telecommunications service;

  • “public telecommunications service” and “public telecommunication
    system” have the meanings given by section 2(1) of the Regulation of
    Investigatory Powers Act 2000;

  • 5“relevant communications data” means communications data of the kind
    mentioned in the Schedule to the 2009 Regulations so far as such data
    is generated or processed in the United Kingdom by public
    telecommunications operators in the process of supplying the
    telecommunications services concerned;

  • 10“relevant powers” means any powers conferred by virtue of section 1(1)
    to (6);

  • “relevant requirements or restrictions” means any requirements or
    restrictions imposed by virtue of section 1(1) to (6);

  • “retention notice” has the meaning given by section 1(1);

  • 15“specify” means specify or describe (and “specified” is to be read
    accordingly);

  • “telecommunications service” and “telecommunication system” have the
    meanings given by section 2(1) of the Regulation of Investigatory
    Powers Act 2000;

  • 20“telecommunications service provider” means a person who provides a
    telecommunications service;

  • “unsuccessful call attempt” means a communication where a telephone
    call has been successfully connected but not answered or there has been
    a network management intervention;

  • 25“the 2009 Regulations” means the provisions known as the Data Retention
    (EC Directive) Regulations 2009 (S.I. 2009/859S.I. 2009/859).

(2) “Relevant communications data” includes (so far as it otherwise falls within
the definition) communications data relating to unsuccessful call attempts
that—

(a) 30in the case of telephony data, is stored in the United Kingdom, or

(b) in the case of internet data, is logged in the United Kingdom,

but does not include data relating to unconnected calls or data revealing the
content of a communication.

(3) Regulations under section 1(3) may specify the communications data that is of
35the kind mentioned in the Schedule to the 2009 Regulations and, where they do
so, the reference in the definition of “relevant communications data” to
communications data of that kind is to be read as a reference to
communications data so specified.

(4) Any power to make regulations under section 1—

(a) 40is exercisable by statutory instrument,

(b) includes power to—

(i) confer or impose functions (including those involving the
exercise of a discretion) on any person (including the Secretary
of State),

(ii) 45make supplementary, incidental, consequential, transitional,
transitory or saving provision,

(iii) make different provision for different purposes,

(c) may, so far as relating to provision about codes of practice, be exercised
in particular by modifying the effect of sections 71 and 72 of the

Data Retention and Investigatory Powers BillPage 4

Regulation of Investigatory Powers Act 2000 (codes of practice in
relation to certain powers and duties).

(5) A statutory instrument containing regulations under section 1 is not to be
made unless a draft of the instrument has been laid before, and approved by a
5resolution of, each House of Parliament.

Investigatory powers

3 Grounds for issuing warrants and obtaining data

(1) Section 5 of the Regulation of Investigatory Powers Act 2000 (power to issue
necessary and proportionate interception warrants in interests of national
10security, to prevent or detect serious crime or to safeguard the UK’s economic
well-being) is amended as set out in subsection (2).

(2) In subsection (3)(c) (economic well-being of the UK), after “purpose” insert “,
in circumstances appearing to the Secretary of State to be relevant to the
interests of national security,”.

(3) 15Section 22 of that Act (power to obtain communications data in interests of
national security, to prevent or detect serious crime, in interests of the UK’s
economic well-being and for other specified purposes) is amended as set out in
subsection (4).

(4) In subsection (2)(c) (economic well-being of the UK), after “United Kingdom”
20insert “so far as those interests are also relevant to the interests of national
security”.

4 Extra-territoriality in Part 1 of RIPA

(1) Part 1 of the Regulation of Investigatory Powers Act 2000 (communications) is
amended as follows.

(2) 25In section 11 (implementation of interception warrants), after subsection (2)
insert—

(2A) A copy of a warrant may be served under subsection (2) on a person
outside the United Kingdom (and may relate to conduct outside the
United Kingdom).

(2B) 30Service under subsection (2) of a copy of a warrant on a person outside
the United Kingdom may (in addition to electronic or other means of
service) be effected in any of the following ways—

(a) by serving it at the person’s principal office within the United
Kingdom or, if the person has no such office in the United
35Kingdom, at any place in the United Kingdom where the person
carries on business or conducts activities;

(b) if the person has specified an address in the United Kingdom as
one at which the person, or someone on the person’s behalf, will
accept service of documents of the same description as a copy of
40a warrant, by serving it at that address;

(c) by making it available for inspection (whether to the person or
to someone acting on the person’s behalf) at a place in the
United Kingdom (but this is subject to subsection (2C)).

Data Retention and Investigatory Powers BillPage 5

(2C) Service under subsection (2) of a copy of a warrant on a person outside
the United Kingdom may be effected in the way mentioned in
paragraph (c) of subsection (2B) only if—

(a) it is not reasonably practicable for service to be effected by any
5other means (whether as mentioned in subsection (2B)(a) or (b)
or otherwise), and

(b) the person to whom the warrant is addressed takes such steps
as the person thinks appropriate for the purpose of bringing the
contents of the warrant, and the availability of a copy for
10inspection, to the attention of the person outside the United
Kingdom.

The steps mentioned in paragraph (b) must be taken as soon as
reasonably practicable after the copy of the warrant is made available
for inspection.

(3) 15In subsection (4) of that section, after “that person” insert “(whether or not the
person is in the United Kingdom)”.

(4) After subsection (5) of that section insert—

(5A) Where a person outside the United Kingdom is under a duty by virtue
of subsection (4) to take any steps in a country or territory outside the
20United Kingdom for giving effect to a warrant, in determining for the
purposes of subsection (5) whether the steps are reasonably practicable
for the person to take, regard is to be had (amongst other matters) to—

(a) any requirements or restrictions under the law of that country
or territory relevant to the taking of those steps, and

(b) 25the extent to which it is reasonably practicable to give effect to
the warrant in a way that does not breach any such
requirements or restrictions.

(5) In subsection (8) of that section, after “enforceable” insert “(including in the
case of a person outside the United Kingdom)”.

(6) 30In section 12 (maintenance of interception capability), after subsection (3)
insert—

(3A) An obligation may be imposed in accordance with an order under this
section on, and a notice under subsection (2) given to, persons outside
the United Kingdom (and may be so imposed or given in relation to
35conduct outside the United Kingdom).

(3B) Where a notice under subsection (2) is to be given to a person outside
the United Kingdom, the notice may (in addition to electronic or other
means of giving a notice) be given to the person—

(a) by delivering it to the person’s principal office within the
40United Kingdom or, if the person has no such office in the
United Kingdom, to any place in the United Kingdom where
the person carries on business or conducts activities, or

(b) if the person has specified an address in the United Kingdom as
one at which the person, or someone on the person’s behalf, will
45accept documents of the same description as a notice, by
delivering it to that address.

(7) In subsection (7) of that section—

Data Retention and Investigatory Powers BillPage 6

(a) after “person” insert “(whether or not the person is in the United
Kingdom)”, and

(b) after “enforceable” insert “(including in the case of a person outside the
United Kingdom)”.

(8) 5In section 22 (obtaining and disclosing communications data), after subsection
(5) insert—

(5A) An authorisation under subsection (3) or (3B), or a requirement
imposed in accordance with a notice under subsection (4), may relate to
conduct outside the United Kingdom (and any such notice may be
10given to a person outside the United Kingdom).

(5B) Where a notice under subsection (4) is to be given to a person outside
the United Kingdom, the notice may (in addition to electronic or other
means of giving a notice) be given to the person in any of the following
ways—

(a) 15by delivering it to the person’s principal office within the
United Kingdom or, if the person has no such office in the
United Kingdom, to any place in the United Kingdom where
the person carries on business or conducts activities;

(b) if the person has specified an address in the United Kingdom as
20one at which the person, or someone on the person’s behalf, will
accept documents of the same description as a notice, by
delivering it to that address;

(c) by notifying the person of the requirements imposed by the
notice by such other means as the person giving the notice
25thinks appropriate (which may include notifying the person
orally, except where the notice is one to which section 23A
applies).

(9) In subsection (6) of that section, after “operator” insert “(whether or not the
operator is in the United Kingdom)”.

(10) 30In subsection (8) of that section, after “enforceable” insert “(including in the
case of a person outside the United Kingdom)”.

5 Meaning of “telecommunications service”

In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning of
“interception” etc), after subsection (8) insert—

(8A) 35For the purposes of the definition of “telecommunications service” in
subsection (1), the cases in which a service is to be taken to consist in the
provision of access to, and of facilities for making use of, a
telecommunication system include any case where a service consists in
or includes facilitating the creation, management or storage of
40communications transmitted, or that may be transmitted, by means of
such a system.

6 Half-yearly reports by the Interception of Communications Commissioner

(1) Section 58 of the Regulation of Investigatory Powers Act 2000 (reports by the
Interception of Communications Commissioner) is amended as follows.

Data Retention and Investigatory Powers BillPage 7

(2) In subsection (4) (annual reports) after “calendar year” insert “and after the end
of the period of six months beginning with the end of each calendar year”.

(3) In subsection (6) (duty to lay annual reports before Parliament) after “annual
report” insert “, and every half-yearly report,”.

(4) 5In subsection (6A) (duty to send annual reports to the First Minister) after
“annual report” insert “, and every half-yearly report,”.

(5) In subsection (7) (power to exclude matter from annual reports) after “annual
report” insert “, or half-yearly report,”.

7 Review of investigatory powers and their regulation

(1) 10The Secretary of State must appoint the independent reviewer of terrorism
legislation to review the operation and regulation of investigatory powers.

(2) The independent reviewer must, in particular, consider—

(a) current and future threats to the United Kingdom,

(b) the capabilities needed to combat those threats,

(c) 15safeguards to protect privacy,

(d) the challenges of changing technologies,

(e) issues relating to transparency and oversight,

(f) the effectiveness of existing legislation (including its proportionality)
and the case for new or amending legislation.

(3) 20The independent reviewer must, so far as reasonably practicable, complete the
review before 1 May 2015.

(4) The independent reviewer must send to the Prime Minister a report on the
outcome of the review as soon as reasonably practicable after completing the
review.

(5) 25On receiving a report under subsection (4), the Prime Minister must lay a copy
of it before Parliament together with a statement as to whether any matter has
been excluded from that copy under subsection (6).

(6) If it appears to the Prime Minister that the publication of any matter in a report
under subsection (4) would be contrary to the public interest or prejudicial to
30national security, the Prime Minister may exclude the matter from the copy of
the report laid before Parliament.

(7) The Secretary of State may pay to the independent reviewer—

(a) expenses incurred in carrying out the functions of the independent
reviewer under this section, and

(b) 35such allowances as the Secretary of State determines.

(8) In this section “the independent reviewer of terrorism legislation” means the
person appointed under section 36(1) of the Terrorism Act 2006 (and
“independent reviewer” is to be read accordingly).

Data Retention and Investigatory Powers BillPage 8

Final provisions

8 Commencement, duration, extent and short title

(1) Subject to subsection (2), this Act comes into force on the day on which it is
passed.

(2) 5Section 1(6) comes into force on such day as the Secretary of State may by order
made by statutory instrument appoint; and different days may be appointed
for different purposes.

(3) Sections 1 to 7 (and the provisions inserted into the Regulation of Investigatory
Powers Act 2000 by sections 3 to 6) are repealed on 31 December 2016.

(4) 10This Act extends to England and Wales, Scotland and Northern Ireland.

(5) This Act may be cited as the Data Retention and Investigatory Powers Act 2014.