
The Investigatory Powers Act 2016: Another point of discussion in the security vs privacy debate

Moore Law Data Protection, News

The UK’s new surveillance law, the Investigatory Powers Act 2016 (IPA), received Royal Assent on 29 November 2016 after numerous reviews and recommendations in its initial state as a Bill in the past year. The IPA followed the idea behind the Communications Data Bill, which was opposed in 2012 and thereafter abandoned, and was introduced in November 2015 by the Prime Minister Theresa May during her time as the UK’s Home Secretary.

New law for the digital era
The IPA puts into writing all the powers and techniques, some of them new, used by the intelligence and security services to police the digital realm and to investigate and prevent national and international threats. It follows a recommendation made on several occasions, most notably by David Anderson QC in his report A Question of Trust: before the IPA was passed, the legislative framework in this area was scattered among various pieces of law, for instance the often criticised Regulation of Investigatory Powers Act 2000 and the Data Retention and Investigatory Powers Act 2014. This is why one of the Government's main goals in passing the IPA is to consolidate the law in this area in one single instrument, which is fit for the digital age, and which adequately protects both the collective right to security and individual liberties, i.e. privacy.

The 2016 Act includes provisions on both interception of communication and data retention, requirements for access, in addition to a number of arguably new powers, such as equipment interference, bulk personal data sets, and importantly – oversight and warrant requirements. Legal professionals, academics, and technology experts have given evidence on different sections of the IPA. Some of the recommendations refer to equipment interference, criticised for being another phrase for authorised hacking of devices; to the newly-imposed duties on corporations and Internet Service Providers to retain their customers’ personal data and remove encryption when required; to bulk personal data sets, which might be seen to represent an encyclopaedia of citizens’ lives, an argument furthered by the creation of the so-called Internet Connection Records (ICRs) – a history of websites visited up to the first “slash” (/), which need to be retained for 12 months under the new law.

Food for thought
It is often the case that the law is trying to catch up with developments in technology. The IPA is a valuable tool in this regard, as it attempts to modernise a regime which could not have known the power of Google or instant messaging at the time. Nevertheless, there are still questions to be answered when considering, for example, ICRs and their classification as “metadata”, which automatically makes them more easily available (i.e., there is no warrant requirement to access them) when they are retained as they are created. The collection of such information over the period of a year can create a rather detailed description of an individual – interests, hobbies, social connections, habits – which equates to content.

What is more, there is an additional burden on organisations to start collecting ICRs as part of their normal operation, which they do not do at present. Even though financial support has been offered, the cost of this can be prohibitive and detrimental to the smaller business. Requiring the removal of encryption might prove helpful in investigations, but technology giants like Apple have stated that this would also be used by cyber criminals and harm the innocent anyway (see especially paras 15-20).

While the new oversight requirements aim to properly protect privacy and ensure compliance with the proportionality requirement, the “double-lock” allows judicial interference only on judicial review principles. As such, the courts could not in fact rule on the substance of a decision, but merely on the propriety of the procedure. Given the balancing act between two freedoms, it can be argued that the former is more appropriate – but this is not the case in the IPA. The situation is likely to become even more complicated during and after Brexit, despite which the UK is going to implement the General Data Protection Regulation (GDPR) that elevates privacy rights and requires national regimes to be compliant with these elevated standards. The pending decision of the European Court of Justice on the referral by the Court of Appeal in Secretary of State for the Home Department v David Davis et al [2015] EWCA Civ 1185 could make it even harder for the IPA to comply with European developments in data protection law. Maximillian Schrems v Data Protection Commissioner (Case C-362/14) can contribute to this because the definition of “adequate” protection in a non-EU country now means “equivalent” to that in Member States. The GDPR follows this definition and since it has an extraterritorial effect, the UK might find that a rethink of whole parts of the IPA will be needed, even after Brexit if not before.

Conclusion
The security vs privacy debate has become even more heated in recent years because of new technologies, Edward Snowden’s revelations, and ever more threats to states. The IPA will be a key player in the UK’s legal and security landscape, and the country might have to find its exact place in light of a divorce between English and European law, but also internationally. In the meantime, the need for investigative powers to protect society cannot be denied, but neither can the right to privacy be claimed to be an unnecessary luxury.

Researched and written by Sofia Parunova, Legal Assistant

The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. Internet subscribers and online readers should not act upon this information without seeking professional counsel.