Data Preservation under the Convention on Cybercrime of the Council of Europe

November 18, 2011

The Council of Europe’s Convention on Cybercrime dates from 2001 but was ratified in the UK much more recently, coming into force only in September 2011.

The Convention endeavours to protect society from attack and criminal activity. Inter alia it provides for ‘data preservation’ rules, which are distinct from the data retention rules which exist in EU Member States by virtue of the Data Retention Directive (Directive 2006/24/EC).

This article sets out how the UK has implemented the data preservation rules in the Convention (Articles 16 and 29). It explains the relationship between these rules and the data retention rules and also discusses how and to what extent any consideration was (and is) given to the costs of compliance borne by service providers in the UK.

In summary, the UK has not specifically implemented the data preservation rules from the Convention. The authorities have taken the view (arguably wrongly) that existing police and other powers in the UK are sufficient.

Data Retention

It is essential to note the distinction between data retention and data preservation. All service providers in EU Member States are required to retain data by virtue of the Data Retention Directive (Directive 2006/24/EC), as implemented in the UK by the Data Retention (EC Directive) Regulations 2009.

The Directive imposes an obligation on service providers to retain all communications data (i.e. ‘traffic data’ and ‘location data’ – terms which refer to information about a message such as the sender and the recipient, but do not include the content of the message) in order to ensure that the information is available if needed for the purpose of the investigation, detection and prosecution of serious crime. In the UK the obligation is to retain this data for 12 months from the date on which the information is generated.

Data Preservation

Data preservation under the Convention (also referred to as ‘quick freeze’) is distinct from data retention in that it requires recipients of an order (a category which under the Convention could include anybody, not just a service provider) to preserve specific ‘computer data’ which they control and which might be relevant to a criminal investigation. The definition of ‘computer data’ could include the content of messages. Under Article 16 of the Convention recipients of such orders should be obliged to preserve this information for 90 days from the date of the preservation order.

UK Implementation of the Convention

The UK ratified the Convention in May 2011 and it came into force on 1 September 2011. It appears that the UK government took the view that the UK is compliant with data preservation requirements by virtue of the following pieces of current legislation:

• Police and Criminal Evidence Act 1984, s 9, sch 1, giving the police in England and Wales the power (with a court warrant) to obtain access to certain material and seize it if necessary.

• Regulation of Investigatory Powers 2000, s 22, giving a police officer of sufficient rank authority to request a service provider to obtain specific communication data (if not already in its possession) and to disclose it.

• Part 11 of the Anti-Terrorism, Crime and Security Act 2001, providing for voluntary codes of practice and agreements between the Secretary of State and service providers in relation to data retention.

Interestingly, none of the above provides for a ‘quick freeze’ order. Instead the government appears to be relying on the fact that the purpose of the ‘freeze’ order is to preserve information so that the authorities can obtain it – and since the above powers appear to give the authorities an ability to obtain the required information very quickly anyway, it may be that the view was taken that ‘quick freeze’ orders are not needed in the UK.

Service Providers’ Compliance

Our information suggests that all service providers in the UK have so far co-operated with requests for data from the authorities and they have not raised any claims that it is difficult or expensive for them to comply. This seems likely to be because the systems they have put in place to implement data retention rules mean that it is now quite easy for them to comply with these requests. This point of course seems to ignore the fact that data preservation, unlike data retention, could apply to the content of messages. 

Mike Conradi is one of DLA Piper’s lead telecoms partners, and is based in London.

Ani Grigorian is a trainee solicitor in the Technology, Sourcing and Commercial Group of DLA Piper (London).