The new Draft Investigatory Powers Bill will result in telecommunications operators being ordered to retain certain data about all customers’ internet activity. It faces criticism from both the tech industry and rights groups.
The Home Office has published its proposed Draft Investigatory Powers Bill (“Bill”), bringing together a number of previously existing powers in relation to interception of communications under a single regime. The most controversial aspect of the Bill is the ability of the Secretary of State to order telecommunications operators to retain customer data for an extended period so that it is available for public authorities to access it, subject to certain safeguards.
The Regulation of Investigatory Powers Act 2000 (“RIPA”) and related existing legislation provided a framework for the interception of communications by law enforcement agencies but did not require telecommunications operators to retain certain data for that purpose.
The Data Retention Directive (2006/24/EC) imposed an obligation on each Member State to ensure that certain categories of communications data was retained by public telecommunications providers for periods of not less than six months and not more than two years. It was implemented into UK law by the Data Retention (EC Directive) Regulations 2007 and 2009, the latter of which obliged public communication service providers to retain data about fixed and mobile telephone calls, internet access, email or internet telephony activity for 12 months.
However, in the Digital Rights Ireland decision (C‑293/12 and C‑594/12), the Court of Justice of the European Union (“CJEU”) held that the Data Retention Directive was invalid for failing to comply with requirements of proportionality in its interference with the rights to private and family life and data protection under the European Convention on Human Rights and the EU Charter of Fundamental Rights.
In the aftermath of that judgment (and following a number of failed attempts by the UK government to legislate in the area since 2008 including the 2012 Draft Communications Data Bill, nicknamed the “Snooper’s Charter”), the UK government rushed through the Data Retention and Investigatory Powers Act 2014 (“DRIPA”). DRIPA is a time-limited statute intended to ensure that the Secretary of State could issue retention orders to require telecommunications operators to retain data for up to 12 months despite the Digital Rights Ireland decision.
Following a challenge brought by (amongst others) Conservative David Davis MP and Labour’s Tom Watson MP (EWHC 2092), in July 2015 the High Court made an order (to take effect from 31 March 2016) disapplying section 1 of DRIPA as inconsistent with EU law: it lacked clarity, it did not restrict access to serious offences, and it did not make access to data dependent on prior review by a court or independent administrative body. That decision is currently subject to appeal, and on 20 November 2015 the Court of Appeal referred questions as to the effect of the Digital Rights Ireland decision to the CJEU (EWCA Civ 1185).
The Draft Investigatory Powers Bill published on 4 November 2015 is intended to repeal and replace various pieces of existing legislation in this area, including Part 1 of RIPA and all of DRIPA. The Home Secretary explained to Parliament that the Bill was considerably different from the much-criticised Draft Communications Data Bill:
“It will not include powers to force UK companies to capture and retain third party internet traffic from companies based overseas; it will not compel overseas communications service providers to meet our domestic retention obligations for communications data; and it will not ban encryption or do anything to undermine the security of people’s data.”
A key provision of the Bill provides that the Secretary of State may issue retention notices requiring a telecommunications operator to retain relevant communications data for 12 months. A telecommunications operator is any person who controls or provides a telecommunication system or provides a telecommunications service.
Such retained data must be securely stored, protected against disclosure and destroyed following the end of the retention period. A recipient may refer a notice back to the Secretary of State if they consider it unreasonable, following which the Secretary of State must review it in consultation with the Technical Advisory Board and the Investigatory Powers Tribunal.
The definition of relevant communications data is intended to exclude the “content” of the communication, but includes data which may be used to identify, or assist in identifying, any of the following:
- The sender or recipient of a communication,
- The type, method or pattern of a communication,
- The type, method or pattern, or fact, of communication,
- The telecommunications system from, to or through which, or by means of which, a communication is or may be transmitted,
- The location of any such system, or
- The internet protocol address, or other identifier, or any apparatus to which a communication is transmitted for the purpose of obtaining access to, or running, a computer file or computer program.
Included in relevant communications data is what is defined elsewhere as “internet connection records” (“ICRs”). These are described by the Home Office as “the internet equivalent of a phone bill,” which “…would let the police see a person has visited google.co.uk or facebook.com but not what searches have been made on Google or whose profiles had been viewed”. The Home Office’s case for retaining such connection records focuses on the use of instant messaging and internet telephony services by criminals.
ICRs may only be obtained for three purposes: to identify the sender of an online communication; to identify which communication services a person has been using; or to identify where a person has accessed illegal content.
Designated public authorities are authorised to access ICRs, including police and intelligence services, government departments, regulatory bodies and the NHS. Access will be dependent on authorisation from a designated senior officer at the public authority in question, who will need to be satisfied that the request is necessary and proportionate for one of 10 functions, ranging from national security and preventing crime to identifying dead bodies and assessing tax. The senior officer may not be working on the operation or investigation in question, except in urgent cases.
Local authorities will not be permitted to access ICRs, following concerns about their misuse of existing surveillance powers for minor or administrative matters.
The Bill also includes a new independent Investigatory Powers Commissioner and a role for Judicial Commissioners who answer to them. A “double-lock” is required for some warrants, whereby a Judicial Commissioner (a serving or former High Court judge) will have to approve each warrant granted by the Secretary of State or other authorised person before it takes effect. The Judicial Commissioners are required to apply the same principles as a court would apply on an application for judicial review.
There is also provision for targeted interception warrants or mutual assistance warrants to be issued without Judicial Commissioner approval where the person issuing the warrant considers there to be an urgent need to do so. A limited period then follows within which the Judicial Commissioner must approve the warrant; if it is not approved within that period, it ceases to have effect.
Previous criticisms are also addressed through measures including:
- Making requests in respect of “sensitive professions” (e.g. journalists, lawyers and doctors) subject to statutory Codes of Practice.
- Making requests to examine MPs’ communications subject to sign-off by the Prime Minister.
- Making requests for the purpose of identifying journalists’ sources subject to approval by Judicial Commissioners.
Rights-based criticisms state that, as with the Data Retention Directive, the Bill results in requirements for the generalised, indiscriminate retention of personal data of all subjects, whether under investigation or not, and the proposed safeguards either do not or cannot ensure such interference is proportionate.
Criticisms have included the breadth of the purposes for accessing ICRs, the inability of senior officers within the same public authority to provide independent oversight of an access request, and the potential for abuse of the exceptions provided for urgent cases.
It has also been observed that Judicial Commissioners do not assess and grant warrants themselves, but rather assess the decision to do so on judicial review principles. “In other words”, David Davis MP has said, “the Home Secretary would have to behave in an extraordinary manner not to get his or her warrant approved”.
The response from the industry has been critical for a number of other reasons. Representatives of the Internet Service Providers Association, Gigaclear and Sophos spoke to the House of Commons Science and Technology Committee on 11 November 2015 and expressed various concerns with the Bill including:
- The lack of clear definitions of various key terms including “internet connection records”.
- The fact that ISPs do not currently retain the set of information that would make up ICRs, and would need to process records further in order to do so whilst excluding “content”.
- The massive amount of data per customer that a retention notice would require ISPs to gather and retain.
- The cost of gathering and retaining such a volume of data, which is likely to exceed the limited budget from the government for cost recovery and will therefore result in price rises.
- The limited utility of the data actually retained for stated purposes, such as the prevention of terrorism.
- The ability to keep such records safe, given their sensitive personal nature and potential usefulness to criminals, for example by disclosing with which bank an individual has an account.
- The possibility of UK technology companies losing international competitiveness due to the resulting perceived lack of security.
The decision in Digital Rights Ireland emphasised the need for proportionality of any interference in privacy and data rights, partly through establishing clear and precise rules. The Bill’s limits on the access to retained data, in terms of purpose and designated senior officer approval, are intended to ensure such proportionality in general and in individual cases. However, it is clear from academic and industry concerns that there are at least clarity issues regarding various key definitions.
The volume of data required to be retained, and the method of separating out such data, are not only concerns from a rights perspective but also present cost and security issues. It is not yet obvious that the effect of the Bill in interfering with the privacy of individuals and increasing the burden placed on UK tech businesses will be justified by its likely effectiveness.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.