The government's Anti-Terrorism Bill faces serious questions over data protection laws and storage costs, warned industry bodies and the Information Commission.
Internet service providers (ISPs) are concerned that the Bill, published earlier this week, will leave them in breach of the 1998 Data Protection Act (DPA).
The DPA states that companies must not keep personal data, such as email and traffic logs for billing purposes, longer than it is needed.
"This bill allows us to keep data that we wouldn't otherwise be able to, so what are our liabilities? What parts of the DPA apply and what parts don't, and under what circumstances? The words are very vague and woolly," said Tim Snape, ISPA member and managing director of West Dorset Internet.
This could lead to ISPs being fined or prosecuted for misusing customer data, said Roland Perry, director of public policy at LINX.
"If someone takes civil action against you under the Data Protection or Human Rights Act, for keeping their data too long or for misuse of data, how watertight is this exemption in the Bill?"
The Information Commission has already written to the Home Office expressing concern about the voluntary retention of data for longer than is necessary.
"The Bill may not hold water in data protection terms, and if it contravenes the Act, then we do have enforcement powers," said Jonathan Bamford, assistant Information Commissioner.
The recovery of extra costs for storage of the information has also not been clarified sufficiently, said Perry.
He added that under current proposals ISPs would only be paid a fee for each access request by law enforcement agencies. For many ISPs this could lead to huge storage costs with no guarantee of recompense.
Yet the industry is generally supportive of the measures included in the Bill and Snape said refusal to co-operate with the government "is not an issue."
But the government has included reserve powers in the Bill to allow the Home Secretary to force ISPs to retain the necessary data if he faces opposition to the voluntary code of practice.
"The current proposals are for voluntary retention of data, and there is real commitment and goodwill within the industry. But in case it seems not everyone is signing up, then there are provisions to make it mandatory," said a Home Office spokeswoman.
Further meetings between the Home Office and industry bodies are planned for later this month. The government hopes to push the bill through by Christmas.
HP and Centrica are the first industry partners to sign up to the government's new Code
New ice grows faster but is also more vulnerable to weather and wind
With a crackdown on cheats is coming in November, PUBG rushes to fix matchmaking problems introduced in Update #22
New material uses carbon dioxide from the air to repair and reinforce itself