Tuesday 7 April 2009

Data retention and open wifi

The Data Retention (EC Directive) Regulations 2009 came into force yesterday (6 April 2009). A frequently asked question is: "I run an open wifi network will I have to log user's data?"

Do I need to retain data?

At first sight you would appear to be quite safe because the regulations do not apply to everyone. Check out regulation 10(1):

10.—(1) These Regulations do not apply to a public communications provider unless the provider is given a notice in writing by the Secretary of State in accordance with this regulation.

So until you get that letter from the Secretary of State (or some nice minion working on her behalf) you need to do nothing. But hang on, the Secretary of State would appear to have given herself a rather bigger job than anticipated, still in regulation 10:

(2) The Secretary of State must give a written notice to a public communications provider under paragraph (1) unless the communications data concerned are retained in the United Kingdom in accordance with these Regulations by another public communications provider.

So she must give that notice. Notice in passing that there's no particular penalty on her for failing to do so, so the only way to make her would be to bring proceedings for judicial review. An unlikely eventuality.

But am I really a public communications provider?

Well the law on data retention is meant to be a paper chase for lawyers. "public communications provider" is defined in regulation 2(e):

(e) “public communications provider” means—

(i) a provider of a public electronic communications network, or

(ii) a provider of a public electronic communications service;

and “public electronic communications network” and “public electronic communications service” have the meaning given in section 151 of the Communications Act 2003

So, turning to s.151 of the Communications Act 2003 we find that

“public electronic communications network” means an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public;

If you noticed that the s.151 also has a definition of what a "public communications provider" is and that its not quite the same as in the regulations. Well spotted. You will not find transparency or consistency here.

So it looks from s.151 very much like an open wifi, or a wifi supplied to customers in a cafe or other site is a "public communications provider". The Secretary of State will be busy.

But hang on, does that mean I have to get ID from customers?

Well, if I'm right and if the Secretary of State did decide to comply with her statutory duty would that not make life really quite hard for (say) an internet cafe that does not check the identity of its customers?

Some comfort can be found in regulation 3:

  1. These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned.

Notice that the regulations only apply to data that has been generated or processed. There's no obligation to create any data you don't already have.

That is just as well, if you check out the schedule to the regulations you will see that some of the data that is covered by the regulations doesn't seem to quite fit with the operation of many cybercafes etc that I know.

But that won't quite work as an answer. Some of the cybercafe's kit probably does at least process data mentioned in paragraph 13(1) of the schedule.

(a) The date and time of the log-in to and log-off from the internet access service, based on a specified time zone,

So it appears that if the regulations mean what they appear to say and an open wifi provider gets a regulation 10 notification they are going to have to keep 12 months' of data which would be a real pain. I promise not to tell the Secretary of State where you live.

No comments: