This article was first published on Lexis®PSL IP & IT on 15 March 2016.

Where are we now with the Investigatory Powers Bill? Bathilde Waquet provides an update on the progress of the Investigatory Powers Bill and the changes in the most recent draft.

What are the substantial changes in this draft?

Following consultation on the initial proposal released last November (the “draft Bill”), a number of changes have been introduced in the revised version of the draft Bill published by the Government on 1 March (the “Bill”). Key changes include:

Equipment interference – The scope of law enforcement agencies’ powers to interfere with electronic equipment such as computers and smart phones has been extended. Under the Bill, these powers are no longer limited to the prevention and detection of serious crimes and may also be used to prevent death or any damage to a person’s physical or mental health. For instance, this would include cases involving a threat to life or the location of a vulnerable person such as a missing child. The Bill also ensures that these powers are made available to a broader range of public authorities, including certain categories of law enforcement officers.

Internet Connection Records (“ICR”) – The purposes for which ICRs may be acquired have been expanded. Under the draft Bill, ICRs could only be acquired to identify online services to which a device has connected and that contain illegal material or are related to communications services. As a result, access to details of other online activities which could be relevant to an investigation (e.g. booking travel tickets, making an online payment) was not permitted. The Bill intends to provide for this where it is necessary and proportionate for a specific investigation.

Encryption – The language on encryption has been amended to clarify that the obligation for communication service providers to remove encryption from communications will only apply to encryption that they have applied themselves and where it is technically “practicable” for them to do so. Likely costs involved will also be taken into account.

Bulk powers – The Bill includes new provisions for the Secretary of State to authorise bulk equipment interference warrants in urgent circumstances. This is intended to enable intelligence and security agencies to use equipment interference powers swiftly in response to fast-moving situations, such as kidnaps, a foreign cyber-attack on UK infrastructure or a terrorist attack overseas. In addition, the Bill permits the Secretary of State to modify the conduct authorised under a bulk equipment interference warrant, including urgent modifications, subject to further approval of a Judicial Commissioner.

Specific protection for sensitive professions – The Bill includes clearer safeguards around legally privileged communications in relation to interception and equipment interference. It also offers additional protection to journalists, for instance by requiring security and intelligence agencies to seek judicial authorisation in order to acquire communications data to identify a journalistic source.

Intelligence sharing – The Bill clarifies that UK security and intelligence agencies are prohibited from requesting foreign intelligence services to undertake activities on their behalf unless they have a warrant approved by a Judicial Commissioner and the Secretary of State.

Will these changes satisfy critics of the Bill?

A number of concerns have been raised around the scope and substantive elements of the draft Bill, for instance by the tech industry, privacy advocates and the Information Commissioner’s Office. In addition, various recommendations have been issued by three Parliamentary committees (the Joint Committee, the Intelligence and Security Committee, and the Science and Technology Committee).

One of the main issues that has been highlighted about the draft Bill relates to its clarity and predictability. It has been argued that the draft proposal was not clear enough for communications service providers to effectively understand the scope of their obligations and to be able to assess the practical implications of each requirement on their business and customers. Steps have therefore been taken with a view to addressing this point. For instance, some of the technical definitions have been refined (e.g. single definition of ‘ICRs’, ‘systems data’, ‘secondary data’, ‘identifying data’). As another example, further guidance on the implementation of the Bill has been published in the form of codes of practice (please see question 6). Whilst these steps are certainly welcome, it remains to be seen whether they will be regarded as sufficient to ensure full transparency. For instance, the new encryption wording could be viewed as unconvincing if there is uncertainty over what is “practicable”.

Another key challenge for the Government is to ensure that the principles of necessity and proportionality are satisfied in light of the Court of Justice of the European Union’s (“CJEU”) jurisprudence. Given the potential intrusiveness of some of the powers (particularly equipment interference, bulk powers and ICRs), there is a question as to whether the Bill strikes the right balance between the need for security and the fundamental right to privacy, and whether the compensatory safeguards implemented around the Bill are appropriate. In this regard, the Government has released two operational cases on bulk powers and ICRs retention which set out justifications for these measures. Whether these documents and the safeguards provided in the Bill are adequate will be left to detailed scrutiny by Parliament.

Have any additional oversight mechanisms been introduced?

The Bill includes additional oversight mechanisms which have been recommended by Parliamentary committees. Examples of new or enhanced safeguards include:

Double lock – Under the draft Bill, the ‘double lock’ safeguard of ministerial and judicial approval was only required for renewal of urgent warrants. This means that the initial decision to issue an urgent warrant was not subject to judicial review. The Bill intends to plug this gap by clarifying that warrants are subject to a ‘double lock’ authorisation in all circumstances, including with respect to the most intrusive surveillance measures such as urgent warrants.

Urgent warrants – The Bill reduces the period of time within which urgent warrants must be reviewed by a Judicial Commissioner from five working days to three. As a result, where a warrant relating to interception or equipment interference has been issued in an urgent case and has not been endorsed by a Judicial Commissioner within three days, law enforcement agencies will have to reapply for this warrant.

Error reporting – The Bill clarifies that the Investigatory Powers Tribunal need not be involved where the Investigatory Powers Commissioner decides to inform individuals who have been the subject of a serious error made by a public authority as a result of the inappropriate use of surveillance powers. The former approach under the draft Bill was regarded as being too cumbersome and unnecessary to ensure that individuals have an effective right of redress.

Whistle blowing – The Bill provides the possibility for communications service providers and staff in public authorities using surveillance powers to refer concerns over the misuse of surveillance powers directly to the Investigatory Powers Commissioner without being at risk of prosecution for breaching the Official Secrets Act.

Where does this leave us on communications data retention?

Under the Bill and in line with the UK’s current data retention legislation, communications service providers are only required to collect and retain communications data when served with a notice requiring them to do so. The retention notice must be issued by the Secretary of State and must specify which data categories need to be obtained as well as the associated retention period, of up to 12 months. Before issuing the retention notice, the Secretary of State must consult the communication service provider concerned and, in making a decision, balance the expected operational benefit against the cost, feasibility and potential impact on the provider. Where communications data is retained by virtue of a retention notice, communications service providers are required to implement a number of safeguards to ensure data security and integrity.

The key change introduced by the Bill to existing legislation is that ICRs – which are themselves communications data – may be subject to a retention notice. Moreover, the Bill includes a new provision to ensure that communications service providers are permitted to disclose the existence and contents of a data retention notice in specific circumstances with the permission of the Secretary of State. This, for instance, would allow communications service providers to share their views on how best to comply with data retention notices.

It has been emphasised that ICRs may reveal a great deal about the online activities and interests of an individual. In this regard, the retention of ICRs by communications service providers increases the risk of such information falling into the wrong hands following a security breach. Accordingly, it has been argued that there need to be strong justifications around the need to retain ICRs and their retention period. In response, the Government has published an Operational Case for the Retention of Internet Connection Records alongside the Bill. This document is intended to provide evidence around the necessity to retain ICRs. However, it is uncertain whether it will be regarded as providing sufficient explanation for a twelve-month retention period.

Does this latest version address the concerns of the Intelligence and Security Committee around bulk equipment interference?

In its report on the draft Bill, the Intelligence and Security Committee (the “ISC”) expressed concerns that the scope of targeted equipment interference warrants could be broad enough to cover anything obtained through bulk equipment interference powers. In this regard, the ISC found the draft Bill to be unclear as to what bulk equipment interference warrants are intended to cover and how they differ from targeted equipment interference warrants. In addition, the ISC report underlined that no specific examples have been provided by the Government as to what bulk equipment interference warrants might cover. As a result, the ISC recommended that bulk equipment interference warrants be removed from the Bill.

The Government resisted the ISC’s demand on the basis that bulk equipment interference warrants are a key operational provision. In its response to the ISC report, the Government explained that a bulk equipment interference warrant would be a more appropriate instrument for situations where additional access controls are required at the examination stage. This is because it is difficult to assess at the time of issuance of the warrant the necessity and proportionality of each interference.

Consequently, the provisions on bulk equipment interference have been kept in the Bill. However, in order to address the ISC’s concerns, the Government has published an Operational Case for Bulk Powers. The purpose of this document is to clarify the necessity of bulk powers and describe how they differ from targeted equipment interference powers. According to the Government, additional classified information on the necessity of bulk powers has also been made available by the security and intelligence services to the ISC. Moreover, further explanations on the differences between targeted and bulk warrants and the circumstances where it is appropriate to use each have been set out in Chapters 4 and 5 of the draft Equipment Interference code of practice (please see question 6).

Do the codes of practice offer any insight into the operation of the Bill?

In response to calls for greater clarity, six draft statutory codes of practice have been published by the Government alongside the Bill. These codes are intended to provide further guidance on the implementation of surveillance powers contained in the Bill. They notably include greater detail on the operation of these powers and the oversight arrangements that will govern them. Similar to the Bill, the codes will be submitted to Parliament for approval before they have statutory force.

The following areas are covered by these codes of practice:

  • National security notices
  • Interception of communications
  • Security and intelligence agencies’ retention and use of bulk personal datasets
  • Equipment interference
  • Communications data
  • Bulk acquisition

According to the Government, these codes of practice have been drafted to address the Parliamentary committees’ various recommendations. It remains to be seen whether the codes are regarded as providing sufficient clarifications and justifications around the Bill’s intrusive provisions (please see question 2).

Have these latest changes introduced any review or sunset clause?

The Government’s aspiration for the Bill is to provide a period of stability and certainty, which would make any form of sunset provision undesirable. Nonetheless, it was conceded that it would be necessary to revisit the legislative framework and the safeguards available under the Act, notably to take into account advances in technology.

Accordingly – and unlike the draft Bill – the Bill includes a ‘review provision’ requiring the Secretary of State to prepare a report on the operation of the Act following a period of 5 years and 6 months from its enactment. The report will be based on a review of the Act to be carried out by a specially constituted committee of either House of Parliament (whether acting alone or jointly).

Such a form of review is welcome and endorses recommendations made by the Parliamentary committees and the Information Commissioner’s Office. It should provide assurance to those who have expressed concerns over some of the powers set out in the Bill that these will be reconsidered. According to the Information Commissioner’s Office, post-legislative Parliamentary scrutiny is an essential component to fulfil the aspirations of greater transparency and legitimacy which underpin the Bill. In particular, it will allow for the review of whether threats that the legislation is intended to address still exist and whether surveillance powers are still effective in practice. In doing so, it will allow the continued need and proportionality of these measures to be assessed, most likely in light of the latest jurisprudence from the Court of Justice of the European Union and the European Court of Human Rights.

What’s next for the Bill? Will there be any further scrutiny?

The Bill needs to be examined in detail by both Houses of Parliament before a final draft is produced. With the current UK data retention legislation (“DRIPA”) set to expire at the end of 2016, the Government has made clear that the new legislation needs to be in force by 31 December 2016.

However, it is worth noting that last summer the High Court[1] found a section of DRIPA to be incompatible with EU law in light of the CJEU’s data retention ruling in Digital Rights Ireland[2]. The case is currently pending before the Court of Appeal which referred two questions to the CJEU back in November. The questions are essentially aimed at clarifying whether the CJEU’s data retention ruling lays down mandatory requirements of EU law and whether such ruling is intended to expand the effects of articles 7 and 8 of the EU Charter of Fundamental Rights beyond the effect of article 8 as established in the jurisprudence of the European Court of Human Rights. If the CJEU is able to deliver its preliminary ruling before the passing of the Bill[3], then it will be interesting to see the extent to which the outcome of such ruling (depending on the CJEU’s position) will be taken into account by the Government and whether it could potentially be used to challenge the enacted Bill before the CJEU.