Draft Investigatory Powers Bill: what do the Parliamentary committees say?
Published on 16th Feb 2016
The UK government’s draft Investigatory Powers Bill attracted an emotive response when it was published in November 2015. As summarised in our update at the time, the Bill seeks to:
- consolidate in one place existing powers in relation to the interception of communications and the acquisition of data about communications;
- set out a new oversight regime for these powers; and
- extend them to cover “internet connection records”.
What’s happening now?
In the last few weeks three Parliamentary committees have published their reports on the draft Bill, specifically the Joint Committee for the Draft Investigatory Powers Bill (the “Joint Committee”) published its report on the Bill on 11 February 2016, following those from the Science and Technology Committee (the “Technology Committee”) on 19 January 2016 and the Intelligence and Security Committee (the “Intelligence Committee”) on 9 February 2016.
The UK government will take the contents of these three reports into account in the next draft of the Bill, which is due to be published in March 2016.
What do the committees say?
All three Parliamentary reports suggest that the Bill requires significant further work. However, they contain few recommendations on how it should be amended in practice, and a number of areas of concern remain unresolved or simply highlighted for further consideration by the UK government.
Nonetheless, there are a number of areas where common themes and issues stand out across the three reports, particularly around privacy, “internet connection records” (ICRs) and encryption. The remainder of this update examines a number of these areas.
Overarching themes
- Definitions of key terms. All three reports highlighted the need for clearer definitions of a number of key concepts such as “communications data” and “internet communications records”. Indeed, the Joint Committee determined that the Home Office’s analogy of ICRs with an itemised phone bill was found to be “not a helpful one”.
- Privacy as the backbone. Interestingly, the Intelligence Committee report stated that “privacy protections should form the backbone of the draft legislation, around which the exceptional powers are then built”. It recommended that a new section is added to the Bill to address these concerns. If adopted, it would seem sensible for this to address the interaction with data protection legislation, including the EU General Data Protection Regulation.
- Codes of Practice. The Committees recommend that the government publish the proposed Codes of Practice alongside the Bill to allow property scrutiny of them. Hopefully these Codes will flesh out some of the detail currently lacking in the Bill, although these in turn will require close review to ensure the impact of the Bill is properly understood.
ICRs
- The obligation for telecommunications operators to acquire and retain ICRs (essentially the record of a communication service used rather than the content of such service) attracted scrutiny in all reports. The Home Office states that ICRs are required for effective law enforcement, but all three Committees stated that this must be balanced against their intrusive nature.
- A particular concern discussed was that telecommunications operators will have a duty to retain ICRs, yet they will contain personal data (including potentially sensitive personal data, e.g. websites visited may indicate political or religious affiliations). The Joint Committee therefore recommended that the government makes funding available to these operators to address the burden of retaining ICRs in compliance with data protection principles.
- The Joint Committee also highlighted that operators will receive subject access requests from data subjects for ICRs. As ICRs will be based on IP addresses, an ICR will include the sensitive personal data of those other than just the person making the request. Again this presents telecommunications operators with a dilemma of how to comply with both the Bill and their data protection obligations, which is highlighted but has not been resolved in the reports.
- The Technology Committee called for measures to ensure that the obligations in the Bill remain technically feasible for communications providers. All of the reports have questioned the practicality and cost of both collecting and storing ICRs.
Encryption and decryption
- The Bill imposes an obligation on telecommunication service providers to remove “electronic protection applied by a relevant operator to any communications or data”. This has, understandably, attracted considerable press attention.
- In particular, it is unclear how this will interact with end-to-end encryption as the service provider is unable to decrypt communications passing through its system. Questions have been raised on whether end-to-end encryption will effectively become unlawful in the UK. The Technology Committee especially stressed the need for business not to be subject to disproportionate burdens.
- The Home Office’s position is that companies should provide decrypted information if there is “necessity and proportionality”. However, how should “necessity and proportionality” be defined? The Joint Committee states that the Bill should ensure that it is not “requiring encryption keys to be compromised or backdoors installed on to systems”. In short, encryption is another area in need of considerable clarification in the next iteration of the Bill.
Bulk inception and equipment interference
- Equipment Interference and bulk interception. The Joint Committee concluded that the Home Office and intelligence agencies must make their case for these powers more strongly. Although they already largely exist, their inclusion in the Bill means that Parliament is now able to scrutinise and question their existence and use afresh.
- Openness. The Technology Committee has called for the government to provide the public with an indication of the extent to which these measures are used to allow for transparency.
As we say above, the next draft of this contentious Bill is expected from the government in March 2016, and we will continue to monitor the Bill’s passage through Parliament.
Our team has significant experience of advising in this area, both in respect of the extent and exercise of powers under the existing Regulation of Investigatory Powers Act, and in examining the position in over 40 other countries around the world. We would be happy to discuss the current position, and how we can assist, in more detail.