Not enough people realise that the authorities can order you to preserve data that’s potentially relevant to criminal investigations, says lawyer Mike Conradi.
Many people, even lawyers directly involved in the tech sector, will never have heard of data preservation as a legal concept.
In fact, it’s the ability of relevant authorities investigating criminal activity to require anybody holding information to preserve it – that is, store it – pending receipt of a lawful warrant or other authority requiring it to be handed over.
The costs associated with being able to do store this information could be high for ISP and telecoms operators, especially if they need to redesign their IT systems accordingly.
It could also be an onerous request for an individual to receive. So it is perhaps surprising that although the relevant treaty giving UK authorities these powers was ratified just a few months ago, it does not appear to have caused any concern from service providers. Very little has been written about it.
So here are four key points you need to know.
Point 1. The Convention on Cybercrime
The Council of Europe’s Convention on Cybercrime dates from 2001 but was only ratified in the UK much more recently, coming into force in September 2011.
The Convention endeavours to protect society from attack and criminal activity. Among other things, it provides for data-preservation rules, distinct from the data-retention rules that exist in EU member states by virtue of the Data Retention Directive.
Point 2. Data retention
All service providers in EU member states are required to retain data by virtue of the Directive – as implemented in the UK by the Data Retention (EC Directive) Regulations 2009.
The Directive imposes an obligation on service providers to retain all communications data. This term refers to information about a message, such as the sender and the recipient, but does not include the content of the message.
Service providers have to retain this data so that the information is available if needed for the purpose of the investigation, detection and prosecution of serious crime. In the UK, the obligation is to retain this data for 12 months from the date on which the information is generated.
Point 3. Data preservation
Data preservation under the Convention – also referred to as ‘quick freeze’ – is distinct from data retention, in that it requires recipients of an order to preserve specific computer data that they control and which might be relevant to a criminal investigation.
Under the Convention, anybody could be a recipient of this category of order, not just service providers.
The definition of computer data could include the content of messages. Under Article 16 of the Convention, recipients of such orders should be obliged to preserve this information for 90 days from the day of the preservation order.
Point 4. UK implementation of the Convention
It appears that on ratification, the government took the view that the UK is compliant with data preservation requirements by virtue of several pieces of existing legislation – such as the Police and Criminal Evidence Act 1984, the Regulation of Investigatory Powers 2000 and the Anti-Terrorism, Crime and Security Act 2001.
These laws give the police, and others, very wide powers to obtain access to material and to seize it if necessary.
Interestingly, none of this legislation provides for a quick-freeze order. Instead, the government appears to be relying on the fact that the purpose of the freeze order is to preserve information so that the authorities can obtain it.
Since the authorities already have an ability to obtain the required information very quickly anyway, quick-freeze orders are not needed in the UK.
Mike Conradi is one of the lead telecoms partners at law firm DLA Piper. Ani Grigorian, a trainee solicitor at DLA Piper, also contributed to this column.