The new law gives UK intelligence and law enforcement bodies sweeping surveillance powers.

The IPA was introduced in response to recommendations that David Anderson QC made, in his capacity as the Independent Reviewer of Terrorism Legislation, to conduct a review of existing laws relating to regulatory powers. The UK government contends that the new legislation is needed to respond to evolving threats within a changing communications environment, especially regarding cybersecurity and terrorist threats.

In broad terms, the IPA permits intelligence and law enforcement bodies to require internet service providers to collect, retain, and disclose broad categories of communications data in certain circumstances.

The IPA allows the secretary of state to require communications companies to retain communications data. The power is exercised by giving a retention notice to the company. A retention notice, which may relate to more than one company, will require the retention of specified data for the period of the notice, which must not exceed 12 months. This means that companies could be ordered to retain, for a limited period, records of every website and messaging service accessed from any device used by citizens based in the United Kingdom. Provided that a warrant has been obtained by the secretary of state, companies could also be ordered to submit bulk data sets to government bodies or to allow mass surveillance of their customers’ data, such as by allowing the government to see messages sent or received on smartphones.

The government states that the IPA adequately protects UK citizens’ personal data because the legislation creates

  • a “double-lock” for the most intrusive mass surveillance powers, so that warrants issued by a secretary of state also require a senior judge’s approval;
  • a powerful new Investigatory Powers Commissioner, who will oversee how the powers are used;
  • new protections for journalistic and legally privileged material, and a requirement for judicial authorisation for acquiring communications data that identify journalists’ sources; and
  • tough sanctions for those who abuse the powers, including criminal offences.

Implications

In the seminal decision of Maximillian Schrems v. Data Protection Commissioner, the European Court of Justice (ECJ) struck down the so-called “Safe Harbor” framework governing the transfer of personal data exported from the European Economic Area to the United States. In doing so, the ECJ was heavily influenced by Edward Snowden’s revelations relating to US law facilitating the mass surveillance of personal data relating to citizens of the European Union (EU). For as long as the United Kingdom remains in the EU, concerned citizens may bring a legal challenge regarding the United Kingdom’s compatibility with EU data protection law, particularly in light of the forthcoming General Data Protection Regulation, which will take effect in May 2018. Once the United Kingdom triggers notice to leave the EU, any future data transfer framework agreed on between the two is likely to consider the scope of the powers granted to the UK government under the IPA. Finally, some have expressed concern that by requiring communications companies to collect this data in the first place, the government is increasing rather than decreasing the data protection and security risks for UK businesses and citizens. Such data sets will likely be highly valuable and sought after by cyber criminals. This may therefore encourage them to try to find ways to access such data.