The UK Investigatory Powers Bill has received royal assent and passed into law as the Investigatory Powers Act 2016. The Act will have a significant and far-reaching impact on data, technology and communications businesses, and not just those in the UK.
On 29 November 2016, the UK Investigatory Powers Bill (the "Bill") received royal assent and passed into law as the Investigatory Powers Act 2016 (the "Act"). Published as a bill on 4 November 2015, the Act will govern the use and oversight of investigatory powers by UK law enforcement, security and intelligence agencies, strengthen safeguards, as well as introduce new oversight arrangements.
The Act builds on the work of three independent reviews undertaken during 2015 and aims to do three things:
- consolidate the powers already available to UK law enforcement, security and intelligence agencies to obtain the content of, and data about, communications;
- overhaul the mechanism for authorising and overseeing these powers; and
- ensure that the powers afforded in existing legislation are fit for the digital age.
The Act has been controversial throughout its passage through Parliament due to the far-reaching powers it hands to government agencies to require technology and communications businesses, based both inside and outside the UK, to retain personal data of their customers. Such businesses should take note, as the Act's extraterritorial reach could potentially require non-UK entities to assist UK law enforcement agencies, or even result in them becoming subject to "bulk equipment interference" (i.e., interception) warrants.
In a press release, the Home Office has stated that some provisions of the Act will not be in place for some time as they require "extensive testing". The Home Office is reportedly developing plans for implementing these provisions and will set out a timetable in due course. It further stated that such a timetable will be subject to detailed consultation with industry and operational partners, without indicating who such partners might be.
The Act imposes data retention and access obligations on providers of "over-the-top services", such as providers of messaging and other apps, and expands the current obligations that affect traditional telecoms companies under existing legislation. Some of its more significant provisions include:
- Retention of Internet Connection Records ("ICRs") and communications data: Communications Service Providers ("CSPs") will be required to keep ICRs (a record of the internet services to which devices have been connected) and, when issued with a retention notice, communications data, for a maximum period of 12 months for access by law enforcement agencies, and other public bodies, without a warrant.
- Bulk powers and encryption removal: The Act has provisions that give certain government agencies the power to access large volumes of data. However, it requires that bulk interception and bulk equipment interference warrants may only be issued where the main purpose of the interception is to acquire intelligence relating to individuals outside the UK, even where the conduct occurs within the UK. Similarly, interference with the privacy of persons in the UK will be permitted only to the extent that it is necessary for that purpose. CSPs may also, when served with a notice, be required to remove any applied encryption to assist in giving effect to interception warrants. The Act also provides for the possibility of regulations being passed which impose obligations relating to the removal of electronic protection (i.e., encryption) applied by technology providers.
- Overseas enforcement: The Act allows certain obligations and powers to be enforced against overseas companies through proceedings for an injunction or specific performance, together with local enforcement in the applicable overseas country using appropriate bi- or multi-jurisdictional enforcement agreements.
The Act also contains new safeguards, including:
- A "double-lock": the decision of whether to issue a warrant in a particular case will be taken by the newly created Investigatory Powers Commissioner ("IPC") together with one of a number of appointed judicial commissioners, who determine whether the warrant is necessary and whether the conduct authorised under the warrant is proportionate. In urgent cases, a warrant can be issued without judicial approval, subject to review by a judicial commissioner within five working days. There is, however, a legitimate question as to whether review by a judicial commissioner, either before or, in urgent cases, after the grant of a warrant, is sufficient.
- The IPC will have an expanded role in authorising the use of investigatory powers, and a wide-ranging and self-determined remit to oversee the use of these powers and capabilities by the security and intelligence agencies in the UK, as compared to the oversight granted to the Information Commissioner's Office under the previous regime.
- The Act also strengthens the right of redress for individuals by allowing a domestic right of appeal from the Investigatory Powers Tribunal.
Impact on legal professional privilege
Initially, the Bar Council raised concerns that the Bill would erode legal professional privilege through: (i) its failure to distinguish between privileged and non-privileged communications; and (ii) the power given to authorities to monitor "sensitive, highly confidential communications that have nothing to do with criminality, national security or threats to individuals". The government subsequently added a number of further protections for legal professional privilege. Under the Act as passed, a warrant may still be issued for the interception and review of information that is subject to legal privilege, but the authority issuing the warrant must have regard to the "public interest in the confidentiality of items that are subject to legal privilege". Further, the Act requires conditions relating to the public interest, necessity and the prevention of death or serious injury to be satisfied before such a warrant can be issued.
The Bill, as originally drafted, only imposed an obligation to inform the IPC as soon as reasonably practicable of the retention of privileged information. The Act as passed requires the IPC to either: (a) direct that the information be destroyed; or (b) impose one or more conditions as to the use or retention of that information, unless there are strong public interest, safety or national security reasons justifying continued retention without restrictions. Even if these reasons exist, the IPC can impose conditions on retention which it considers necessary to protect the public interest in the confidentiality of privileged information.
Effect on the Data Retention and Investigatory Powers Act 2014
The UK's law on data retention had previously been set out in the Data Retention and Investigatory Powers Act 2014 ("DRIPA") which is set to expire on 31 December 2016, after the High Court ruled that section 1 of DRIPA was incompatible with EU law, following the Digital Rights Ireland case. The High Court ruling was confirmed by the Court of Appeal, but a subsequent referral was made to the Court of Justice of the European Union ("CJEU").
Although the CJEU heard the case in April 2016, the Advocate General Henrik Saugmandsgaard Øe (the "AG") only issued his Opinion on 19 July 2016 and the CJEU has yet to rule on the matter. In his Opinion (which is not binding on the CJEU, although AG Opinions are often followed), the AG indicated that a general obligation to retain data imposed on providers of electronic communication services may be compatible with EU law, provided that: (i) any interference with fundamental rights is in the pursuit of "an objective in the general interest", such as the fight against serious crime; (ii) the general obligation is strictly necessary (i.e., no other measures could be as effective in pursuing this objective); and (iii) the general obligation is proportionate. However, the AG also indicated that it would be up to national courts to determine whether these requirements are met.
It is unclear how the AG's Opinion, and the forthcoming CJEU decision, will impact the obligations imposed by the Act, which are more expansive than those under DRIPA. It may be the case that, following the CJEU's ruling on DRIPA, there will be a further court challenge against the Act.
Impact of the Act on businesses
The Act will impact businesses in three important ways:
- Businesses in the online communications sector (whether traditional ISPs, or providers of over-the-top services) are likely to be classified as CSPs, and are therefore likely to face retention obligations in relation to customer data under the Act.
- Businesses that use online communications services need to be aware that their data may be subject to interception and decryption under the Act.
- Businesses should be mindful of the fact that, in certain limited circumstances, online communications with their legal counsel could be the subject of interception, examination and retention under the Act, even if those communications are privileged.
Consequently, businesses in all sectors should keep a close eye on developments under the Act.
Chris Ewing, a Trainee Solicitor at White & Case, assisted in the development of this publication.