The Investigatory Powers Bill (the “Bill”) was recently passed by the House of Commons and introduced to the House of Lords. The second reading was held on 27 June 2016 and it is likely that the Bill will be passed shortly.
For some time there has been criticism that the legislative regime which deals with the UK Government’s ability to intercept and acquire data is piecemeal, outdated and difficult to apply. The Investigatory Powers Bill is the Government’s attempt to deal with those criticisms, but the various versions of the Bill put forward in recent years have been the subject of significant criticism and objection. It looks as though many of those criticisms have now been overcome.
As an overview, the Bill provides for the targeted interception of communications, acquisition and retention of communications data, equipment interference, bulk interception and acquisition of communications data and bulk equipment interference, bulk personal datasets and a new oversight regime. The current version of the Bill is broadly similar to earlier versions of the Bill that were presented to the House of Commons, which we covered previously although there have been some interesting amendments.
The Bill abolishes or restricts other legislative powers that enable public authorities to obtain communications data. “Communications data” is data about the author, recipient, time and method of a communication, and not the content of the communication. As is currently the case under existing legislation, “communications” and “communications data” continue to be treated separately under the Bill. Numerous pieces of legislation currently enable authorities to obtain communications data and the purpose of abolishing those provisions is to ensure that the Bill provides the only route for acquiring communications data.
Part 2 of the Bill provides for the interception of communications. The process for intercepting communications is more stringent and subject to greater safeguards than that for obtaining communications data. Applications for interception warrants can be made by the Security Service, Secret Intelligence Service, GCHQ, National Crime Agency, Police of the Metropolis, Police Services of Northern Ireland and Scotland, Revenue and Customs, and Defence Intelligence. Warrants are to be issued by the Secretary of State and must be approved by a judicial commissioner. At present, under current law, interception warrants issued under the Regulation of Investigatory Powers Act (RIPA) only require the authorisation of the Secretary of State (or a Scottish Minister where applicable). For a warrant to be issued, it must be in the interests of national security, to prevent or detect serious crime or be in the interests of the economic wellbeing of the UK as it relates to national security.
Operators who receive interception warrants are under a duty to assist with implementing the warrant, although they are not required to take any steps which are not reasonably practicable. The Bill provides no guidance for domestic operators as to what may or may not be reasonably practicable, so this is an area which may develop in case law. Failure to comply with the duty to assist with implementing a warrant is a criminal offence and may also be enforced by civil proceedings.
One of the new provisions in this version of the Bill states that the fact that the information which would be obtained under a warrant relates to the activities of a trade union will not be sufficient to establish that the warrant is necessary. Another change is that the Bill now explicitly provides that warrants must be served in such a way as to bring their contents to the attention of the recipient; there had been criticism that this was not previously the case, with communications providers concerned that they could inadvertently breach a warrant. Third, an amendment – which also features in other parts of the Bill – now allows senior officials designated by the Secretary of State to sign off on major modifications to a warrant where it is not reasonably practicable for the Secretary of State to sign the modification and the Secretary has personally and expressly authorised the modification.
Part 3 of the Bill provides for the acquisition of communications data. Unlike interception warrants, judicial approval is not generally needed to obtain authorisation to obtain communications data, and a much larger group of public authorities, including local authorities, can apply for authorisations. Authorisations can be granted by senior officers of public authorities and the grounds for obtaining an authorisation are much broader than the grounds for obtaining an interception warrant.
Part 4 of the Bill provides for the retention of communications data, which is currently provided for by the Data Retention and Investigatory Powers Act 2014 (DRIPA). One reason the Bill was introduced was to replace DRIPA, which will be repealed at the end of this year following challenges to the legislation on the basis that it was incompatible with EU law. On 19 July, the Advocate General of the European Court of Justice issued an opinion which indicated that a general obligation to retain data (as currently provided by DRIPA) may be compatible with EU law if that obligation is subject to strict safeguards, including (among other factors):
- The obligation must respect the essence of the right to respect for private life and the protection of personal data;
- The general obligation to retain data must be strictly necessary to combat serious crime;
- The general obligation to retain data must be proportionate to the objective of the fight against serious crime.
The opinion is not binding but provides a helpful indication of what may be expected from the European Court of Justice when it delivers a full ruling. It remains to be seen whether Part 4 of the Bill in its current form will be further amended as a result of the Advocate General’s opinion.
The existing provisions in Part 4 are broadly similar to those contained in DRIPA, with the main difference being the definition of “relevant communications data” that telecommunications operators may be required to retain. At present, DRIPA does not provide for the retention of internet connection records, i.e. records of the internet services that have been accessed such as for example, that a particular phone accessed a particular website at a particular time. This includes the service name and address of a website (such as, for example, Google or www.google.com) but not the full website address or the pages visited within that website. The Secretary of State is authorised to issue retention notices which may require retention of data for up to 12 months. Operators are under a duty to comply with a retention notice although there is no criminal penalty for non-compliance.
Part 5 of the Bill relates to “equipment interference”, which is the term used in the Bill for what critics say is in reality hacking. Warrants for equipment interference can be issued by the Secretary of State and must be approved by a judicial commissioner. This part of the Bill removes a provision contained in earlier versions which required consideration as to whether what is sought by the warrant could reasonably be obtained by other means when deciding whether to issue the warrant.
Part 6 of the Bill provides for bulk warrants. There are three forms of bulk warrants: interception, acquisition and equipment interference warrants, and they must be approved by a judicial commissioner. As with the amendment to the equipment interference provisions, this version of the Bill removes a requirement that the Secretary of State must consider whether what is sought under the warrant could reasonably be obtained by other means. Bulk interception is currently provided for under RIPA while bulk acquisition is carried out pursuant to a broadly worded provision in the Telecommunications Act 1984 and bulk equipment interference is provided for under the Intelligence Services Act 1994.
Part 7 relates to bulk personal dataset warrants. Bulk personal datasets are sets of information about a large number of individuals, the majority of whom will not be of any interest to investigating authorities. Examples include the electoral roll and telephone directories. At present, the security and intelligence services have broad powers under the Security Service Act 1989 and the Intelligence Services Act 1994 to acquire and use information to help them to fulfil their statutory functions. The Bill provides for class and specific bulk personal dataset warrants, which may be issued by the Secretary of State and must be approved by a judicial commissioner. This version of the Bill introduces a new provision which creates additional safeguards for bulk personal datasets containing health records: there must be exceptional and compelling reasons to authorise the retention and examination of such records.
Part 8 of the Bill sets out the new oversight arrangements. A number of existing offices, including the Interception of Communications Commissioner, the Intelligence Services Commissioner, the Investigatory Powers Commissioner for Northern Ireland, the Chief Surveillance Commissioner, the Scottish Chief Surveillance Commissioner, and other Surveillance Commissioners are abolished. A new office – the Investigatory Powers Commissioner (IPC) – is established by the Bill. The IPC is given a broad remit to review the use of investigatory powers as they relate to interception, acquisition and retention of communications data and equipment interference. An amendment to this version of the Bill creates a new requirement that the IPC must have regard to safeguards to protect privacy when reviewing the exercise of investigatory powers, which is a concession aimed at concerns that previous drafts of the Bill were not explicit enough in protecting privacy rights. It remains to be seen how the IPC will interpret the protection of privacy in practice, but we expect that this will be an area which keeps the new IPC busy.
The IPC is not required to keep under review the exercise of functions under part 3 of RIPA (relating to the provision of encryption keys) where those functions require judicial authority in order to be exercised. The rationale is to avoid duplication of oversight, although it is interesting to note that the IPC will review the exercise of other powers that require the authorisation of a judicial commissioner.
The main amendments to this version of the Bill therefore generally concern the removal of provisions requiring the Secretary of State or other officials to have regard in certain circumstances to whether the data sought under a warrant could be obtained by other means, some new specific provisions relating to the protection of privacy (such as in relation to health records) and amendments enabling senior public officials to sign off on major modifications to warrants where it is not reasonably practicable for the Secretary of State or Scottish Minister to do so. It is anticipated that the Bill will be finalised shortly, as it must take effect by 31 December 2016. It remains to be seen whether there will be further significant amendments to the Bill, particularly in relation to the retention of data following the recent Advocate General’s opinion. What is clear is that the Bill remains highly controversial, and we expect that even if there are further significant amendments, this is an area which is likely to attract significant legal challenge for some time.