One of the key issues in the just completed federal public consultation on an updated national security strategy is whether communications service providers should have to keep subscriber metadata for a set period of time in case Canadian law enforcement and intelligence agencies want to go back and look at a suspect’s online history.
There are several hurdles any proposal would have to clear, including operator demands for compensation for storage they’d have to buy to hold the data.
This week the European Court of Justice weighed in with its opinion: The Charter of Fundamental Rights of the European Union forbids legislation from member countries which — even for the purpose of fighting crime — orders the “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.”
Our Charter of Rights may not have the same wording as the the EU’s Charter and associated directives. However, it is likely that the government and courts here will at least consider the Court of Justice decision.
The Court of Justice noted European Parliament has passed a directive allowing EU countries to adopt “a measure that derogates from the principle of confidentiality of communications and related traffic data where it is a ‘necessary, appropriate and proportionate measure within a democratic society’.” But, it adds, that measure “must be ‘strictly’ proportionate to the intended purpose.” In addition, the directive specifies data should be retained ‘for a limited period’ and be ‘justified’ by reference to one of the objectives in the directive.
How long is a “limited period?” Think about this: According to one news site the United Kingdom’s new Investigatory Powers Bill gives the government the authority (In Part 4) to serve Internet service providers with a “data retention notice,” forcing them to record and store for up to 12 months. That apparently includes logs showing websites visited by all of their customers. Law enforcement agencies can obtain access to this data without any court order or warrant.
There are those who think the Court of Justice decision will strike down Part 4. That remains to be seen: It will be up to the U.K. Court of Appeal to interpret the ruling. Twelve months isn’t a “indiscriminate” period of time, I’m sure the government will argue.
In this country there are no data retention period rules communications service providers have to follow. Most would set a period of several months to keep data for business purposes. Rogers Communications says it keeps other data it police have traditionally asked for up to 13 months.
If holding subscriber metadata for that long would satisfy police in the U.K., it would likely satisfy police here, too. But would it be legal? And how much should providers keep?
If it decides to pass a law obliging providers to hold metadata for a specific period Ottawa won’t likely do it without another public consultation. That’s when it will be headline news.