Government data requests: what data powers does the British government have?

The tech community is worried…

Recently, big tech companies have started to reveal government requests for user information. Last month, Yahoo announced that over the last six years the multinational internet company and the US government had become embroiled in a secret legal battle over customer data, with the latter threatening to fine Yahoo $250,000 a day (around £155,000, AU$285,000) if it refused to surrender that data. Traditionally, legal battles that occur at the Foreign Intelligence Surveillance court are kept confidential.

Yahoo made the US government's 2008 threat public after a special federal court released 1,500 pages extracted from legal documents from what was once classified court proceedings over the scope of the National Security Agency surveillance programmes. During these proceedings, documents were uncovered which shed light on growing tensions between American tech companies and the intelligence services, long before former NSA contractor Edward Snowden leaked classified information starting in June 2013.

Concerns of the tech community

However, Yahoo is not alone as other tech behemoths such as Microsoft and Dropbox are also challenging government requests for user data, echoing concerns of the wider tech community about the impact this might have on businesses.

Dropbox revealed in its transparency report last month that it has received 268 requests for user information from law enforcement agencies in the first half of 2014, with 37 requests for information coming from outside the US.

This series of data requests from governments raises important questions about government surveillance and the legality of retaining confidential user data. What is the situation like in the United Kingdom with the new Data Retention and Investigatory Powers Act 2014 (DRIP)?

Fast-tracked DRIP

DRIP was rushed through Parliament three months ago with the same aim of giving the government more data powers. At the time of fast-tracking the law through the House of Commons, Home Secretary Theresa May said the new laws would provide the UK's intelligence services with the "powers and capabilities" needed to combat terrorism and organised crime.

It is important to understand that the new data retention laws relate to traffic data about mobile and internet communications such as the source of a communication, its destination, date, time, duration and type. They do not relate to the content of communications, which is protected by other laws.

Under the DRIP Act, public telecommunications operators can be required to store 'communications data' if the Secretary of State considers data retention "necessary and proportionate" to help law enforcement agencies detect and prevent terrorism and other serious crimes, or for serving other limited purposes specified under the existing Regulation of Investigatory Powers Act.

Telecoms companies could be asked to store the data for up to a year under the Act. Operators based outside of the UK may be forced to comply with data retention orders made in accordance with the new legislation.

Expansion of state surveillance?

Whether DRIP equals a significant expansion of state surveillance in the UK is debatable, and it remains to be seen whether the UK government will be challenged under European privacy or human rights law, which is a possibility.

The European Court of Justice has said that there needs to be a balance between the right to privacy of individuals and the government's responsibility to detect and prevent criminal activities. There is a fine line between the two and to err on the side of caution, the DRIP has left it at the discretion of the Secretary of State to make these data retention orders.

Whether we want it or not, the state can retain our data and its interception powers have serious implications for big tech companies like Yahoo and Dropbox, which have to balance their users' privacy with government requests for more data. In an ideal scenario there's a balance between privacy and protection, a demanding brief as legislation tries to keep pace with rapid technological change.

  • Marc Dautlich is a partner and Head of the Information Law team at Pinsent Masons.