The Global Network Initiative (GNI) submitted the following written evidence to the Joint Committee of Parliament currently considering the UK Government's proposed Draft Communications Data Bill (C8359). Our submission has been published on the Committee website alongside other submissions.
Global Network Initiative
Written Evidence to the Communications Data Bill Joint Scrutiny Committee
Author: Susan Morgan, Executive Director, Global Network Initiative
Date: 23 August 2012
1. The Global Network Initiative (GNI) welcomes the opportunity to provide written evidence to the Communications Data Bill Joint Scrutiny Committee. We have three specific concerns that we detail in our submission:
a) Broadening the collection and retention of new data on anyone in the UK using communications services;
b) The assertion of jurisdiction over non-UK based communications service providers when services are accessed in the UK;
c) A reserve power that would empower the Home Secretary to require UK providers to capture and retain data (specifically and only for law enforcement purposes) if requirements to capture and retain data cannot be directly imposed on a non-UK provider.
2. GNI is a multi-stakeholder group of companies, civil society organizations (including human rights and press freedom groups), investors and academics, who have created a collaborative approach to protect and advance freedom of expression and privacy in the Information Communications and Technology (ICT) sector. GNI has developed a set of Principles and Implementation Guidelines to guide responsible company action when facing requests from governments around the world that could impact on the freedom of expression and privacy rights of users. These Principles and Implementation Guidelines are based on international human rights standards and are attached to this written evidence in Appendix A. Appendix B has a full list of participants and observers of GNI.
3. It is the duty of governments to respect, protect, promote and fulfil human rights, including to ensure that national laws, regulations and policies are consistent with international human rights laws standards. GNI acknowledges the duty of a government to protect its citizens and public safety. It is right that governments consider how the changing communications landscape impacts policing operations and efforts to protect national security. However, the approach taken must reflect the few and limited circumstances within the Universal Declaration of Human Rights that provide for the limitation of these rights. Finding the right approach is not easy, particularly in the global, complex, and constantly evolving ICT sector.
4. No other democratic nation has proposed the approach set out in this Bill. The UK plays an important leadership role in the development of international legal standards and has far reaching influences on policy thinking generally. This includes the development of policy and legal frameworks relating to communications technology and the protection of human rights. For example, the UK used its convening power to assemble government, industry and civil society representatives to the London Conference on Cyberspace in October 2011, the first gathering of its kind that brought together the cyber-security community with the human rights community. The UK also engaged early to help form an international coalition of governments now working together on freedom of expression on the Internet.
5. There are very active debates internationally on the future of Internet governance. Several proposals, including one at the UN General Assembly for a code of conduct on information security are indicative of efforts by repressive regimes to exert a greater degree of control over the Internet. This could include placing greater requirements on companies.
6. Whilst these broader issues are outside the direct scope of the UK Communications Data Bill, they demonstrate the wider international context within which the draft Bill sits. We urge the Committee to consider the global context in its scrutiny of the draft Bill and be mindful of possible unintended consequences that could undermine the UK’s ability to support and further freedom of expression and privacy rights internationally. We would suggest it is not in the broader interests of the UK to initiate legislation that could give authoritarian regimes justification for their approach.
Specific comments on the Communications Data Bill
7. The Bill broadens the collection and retention of new data on anyone in the UK using communications services. This includes requirements to generate data—not required for business purposes and not routinely collected by providers—specifically and only for the purpose of law enforcement access. This provision goes beyond the existing requirements under the Regulatory and Investigatory Powers Act (RIPA) and the EU’s Data Retention Directive.
8. This aspect of the Bill could set a powerful precedent for repressive regimes to follow when seeking to justify surveillance on their own populations. Regimes attempt to claim legitimacy for their actions when they are able to point to similar requirements, even if only in the form of policy statements or draft legislation, in leading democratic nations. An example of exactly this type of reaction came from China in response to statements made in Parliament by the Prime Minister David Cameron in the days following the riots in 2011 around the need to consider placing limits on social networks and allowing greater government access to user communications in certain circumstances.
9. This is an enabling Bill that would require secondary legislation or Notices/Orders to be fully implemented. It is not clear whether secondary legislation or Orders, including those that would specify the data sets to be collected, would be made public. These details should be made available so that stakeholders and Parliament can make proper assessments about proportionality and the impact of the Government’s proposals.
10. Technological advances are also blurring the distinction between communications data and content that is at the heart of this Bill. For example, the URL for a web address can provide considerable access to information about the type of content the user is viewing. Stakeholders must be reassured that communications data could be reliably extracted without also disclosing content. Taken alongside the expanded scope of data collection for anyone using communications services in the UK this must be considered when assessing the proportionality of the proposals.
11. The assertion of jurisdiction over non-UK-based communications service providers when services are accessed in the UK is problematic. Companies considering the provision of services in markets where free expression and privacy rights may be at risk may consider ways to manage and operate their services to mitigate human rights risks. This is one of the requirements in GNI’s Principles. It is also consistent within the UN Protect, Respect and Remedy framework and Guiding Principles. We have seen worrying trends in legislative proposals in a range of countries that hold intermediaries liable for the activities of their users in ways that could have serious implications for free speech. One example is the draft Internet decree by the Government of Vietnam that places requirements on foreign providers not located in Vietnam to collaborate with the government in the filtering of a wide variety of information such as that which could “undermine the fine customs and traditions of the nation”. Whilst filtering requirements and retention of communications data are not analogous, assertions of jurisdiction are. The draft Bill could provide unintended justification for actions by other governments. The UK Government should consider these consequences, including the impact of laws enacted in other jurisdictions on the privacy rights of UK citizens as it prepares this legislation.
12. Even if other jurisdictions do not enact similar or contrary laws, UK citizens’ data could still be at jeopardy. Once other governments become aware of the storage of this additional communications data, law enforcement entities in other jurisdictions will seek to obtain it as well. If ICT companies are required to obtain and retain communications data for UK residents law enforcement entities in other jurisdictions could have a legitimate claim to seek access to it. Non-UK law enforcement entities may either try to obtain it through UK law enforcement or by exerting pressure on companies to release the data without UK cooperation.
13. A reserve power proposed in the Bill would empower the Home Secretary to require UK providers to capture and retain data (again, specifically and only for law enforcement purposes) if requirements cannot be directly imposed on a non-UK provider. Setting aside the technical challenges of whether this can be done, there are two specific problems. First, this requirement could have the effect of increasing pressure on non-UK providers to cooperate with law enforcement in informal, voluntary agreements. In contrast, GNI’s Implementation Guidelines commit companies to encourage governments to be “specific, transparent and consistent in the demands, laws, and regulations” they issue. Secondly, although we understand the challenge that law enforcement faces in regard to accessing communications data in a timely fashion, proposals to address this issue should begin with existing processes. If processes such as mutual legal assistance treaties (MLATs) are insufficiently fleet of foot, then government should initiate a concerted effort to review and improve them. This would be a far more proportionate response to the legitimate concern that data may not be available by the time a lawful request is served on a provider. In June 2012 a GNI commissioned report recommended that access to data through the MLAT process needs to be made more efficient, with safeguards in place.
14. As it considers this legislation, the committee has an opportunity to guide government on how the legitimate needs of law enforcement can be consistent with international human rights standards. It has the opportunity to develop an approach that would serve as a worthy model for other countries. The draft Bill does not succeed in this respect. We recommend that more time be taken and revisions considered to ensure that the rights of individuals are respected, so as to shape a regime that the UK would be comfortable having copied by other governments.
 For more information see http://www.fco.gov.uk/en/global-issues/london-conference-cyberspace/.
 See “Freedom Online: Joint Action for Free Expression on the Internet”, The Hague, 9 December 2011, available at http://www.minbuza.nl/binaries/content/assets/minbuza/en/the_ministry/declaration-final-v-14dec.pdf.
 “International Code of Conduct for Information Security” presented to UN General Assembly 12 September 2011, http://news.dot-nxt.com/2011/09/13/china-russia-security-code-of-conduct.
 Global Times, “Riots lead to rethink of Internet freedom”, 13 August 2011, available at http://www.globaltimes.cn/NEWS/tabid/99/articleType/ArticleView/articleId/670718/Riots-lead-to-rethink-of-Internet-freedom.aspx.
5 UN Guiding Principles on Business and Human Rights: Implementing the United Nations 'Protect, Respect and Remedy' Framework", available at http://www.business-humanrights.org/SpecialRepPortal/Home/Protect-Respect-Remedy-Framework/GuidingPrinciples.
 Ian Brown and Douwe Korff, “Digital Freedoms in International Law: Practical Steps to Protect Human Rights Online”, June 2012, available at http://www.globalnetworkinitiative.org/news/new-report-outlines-recommendations-governments-companies-and-others-how-protect-free.