(Dec. 8, 2016) The Investigatory Powers Act, which has been under consideration for the past year and in various forms for the past few years, was recently enacted into law when it received Royal Assent. It was introduced in draft form in autumn of 2015 (Draft Investigatory Powers Bill 2015, 2015-16 Cm. 9152, GOV.UK), as a 192-page bill; it has now been enacted as a 304-page Act (Investigatory Powers Act 2016, c. 25, LEGISLATION.GOV.UK).
Drafted in the wake of the disclosures by Edward Snowden, including that the government was conducting mass surveillance on United Kingdom citizens, the Act is expansive and covers a wide range of surveillance activities, including acquisition of communications data, equipment interference, and requirements for retaining and accessing bulk information. It aims to clearly define the powers of the intelligence services and police, some of which have been used for a number of years without lawful authority.
Overview of Surveillance Powers
The Act introduces procedures for law enforcement and intelligence services to undertake equipment interference to access individuals’ electronic devices, including their computers, to obtain data such as communications via texts and email and geolocation. (House of Commons Library, Investigatory Powers Bill, Briefing Paper No. 7518, Mar. 11 2016, Parliament website.) Bulk data may now be collected and examined with a warrant authorized by a senior law enforcement officer and approved by a Judicial Commissioner, if it is necessary and proportionate on the grounds of national security, to prevent or detect serious crime, or in the interests of the economic well-being of the UK. Permitting the government to collect and retain bulk data by communications providers for up to a year and the requirement to provide this data to the securities services if issued with a notice and to remove encryption if requested are among the most contentious aspects of the Act. (Id.; ‘Extreme Surveillance’ Becomes UK Law with Barely a Whimper, GUARDIAN (Nov. 19, 2016).)
Section 253 enables the Secretary of State to impose obligations on communications service providers in the form of technical capability notices, to facilitate assistance to warrants issued under specified parts of the Investigatory Powers Act. It further provides that such obligations may include the removal of electronic protection applied by an operator, or any third party acting on their behalf, to any data or communications. When making these notices, the Secretary of State is required to take into account the technical feasibility and cost of compliance, and section 249 provides that communications service providers would receive a contribution towards any costs they incurred to comply with the measure. (Investigatory Powers Act 2016.)
Given the intrusive nature of the powers included in this Act, privacy advocates have been highly critical of it. These concerns were addressed in part in amendments to the Act, notably one from the Lords that inserted a statement in section 1 of the Act that reads “[t]his Act sets out the extent to which certain investigatory powers may be used to interfere with privacy.” (Id.; Investigatory Powers Bill Published: Minimal Changes Are Not Even Cosmetic, Privacy International website (Mar. 1, 2016).) Amid arguments that the Act did not sufficiently address privacy concerns, Lord Janvrin, who introduced this amendment in an attempt to place privacy at the forefront of the Act, noted “[t]hat there is merit in placing a simple statement right at the forefront of the legislation to provide additional clarity that there should be no doubt that privacy protection remains a fundamental priority.” (774 Parl. Deb. H.L (5th ser.) (2016) 1789, Parliament website.) Further provisions were included in the Act that require public authorities to have regard to a number of factors relating to privacy, including whether the objectives could be achieved by other, less intrusive means, prior to requesting a warrant, authorization, or notice. (Investigatory Powers Act 2016, section 2.)
The Executive Director of Open Rights Group has stated that the Act provides for “a surveillance law that is more suited to a dictatorship than a democracy. The state has unprecedented powers to monitor and analyse UK citizens’ communications regardless of whether we are suspected of any criminal activity.” (‘Extreme Surveillance’ Becomes UK Law with Barely a Whimper, supra.) The Act met considerable resistance both within the government and in private industry, representatives of which are concerned not only about the Act’s requirement that law enforcement and intelligence services be able to access an unprecedented number of communications, but also about the negative impact it could have on the UK’s technology industry. (Id.)
Recommendations from the committee reviewing the Act note that the government should make it explicit that providers of “end-to-end encrypted communication or other un-decryptable communication services will not be expected to provide copies of those communications if it is not practicable for them to do so.” (House of Commons Library, supra, at 71.) Concerns were also raised that the language used in this would result in the prohibition of end-to-end encryption in the UK and the government was urged to clarify the nature of the obligations that would be imposed by the Act. The government responded that a Code of Practice will contain further details as to the necessity and proportionality of imposing these requirements on communications service providers. (Id. at 42.)