In a recent High Court case regarding the Data Retention and Investigatory Powers Act 2014 (DRIPA), judges ruled that the government’s surveillance regime is unlawful. Although this judgement pertains to legislation that is no longer in force, it could have major implications for its successor, the Investigatory Powers Act 2016.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
“The Court of Appeal issued its judgment in January ,” says a Home Office spokesperson. “That judgment relates to legislation which is no longer in force and, crucially, the judgement does not require any immediate changes to the way in which law enforcement agencies can detect and disrupt crimes.”
The Investigatory Powers Act is the government’s current surveillance legislation. It is designed to simplify the UK’s surveillance legislation and update it for the 21st century. Its three core elements are:
Interception: accessing communications (telephone, email and any type of messaging) during transmission.
Interference: accessing electronic equipment, such as computers and smartphones, to obtain communication data.
Retention: storing internet connection records for 12 months.
Despite the controversy surrounding the Investigatory Powers Act, as well as the issues raised in the science and technology select committee hearings on the technology issues of the act, it was passed within 12 months of going through parliament and came into force on 30 December 2016 (Royal assent was granted on 29 November to meet the sunset clause deadline in DRIPA of 31 December 2016).
The court case, brought by Labour MP Tom Watson, ultimately ruled that the DRIPA was unlawful.
Judge Lloyd Jones declared: “Section one of the Data Retention and Investigatory Powers Act 2014 was inconsistent with EU law to the extent that, for the purposes of the prevention, investigation, detection and prosecution of criminal offences, it permitted access to retained data: a) where the object pursued by that access was not restricted to solely fighting serious crime; or b) where access was not subject to prior review by a court or an independent administrative body.”
Although this judgement pertains to legislation that is no longer in force, part four of the Investigatory Powers Act, which allows various bodies access to retained customer data of communication service providers (such as internet service providers (ISP) and telecommunication companies), shares similar issues.
“The Investigatory Powers Act has adopted much of what was there in 2014 and therefore, by implication at least, some of that is also going to be deemed in breach of EU legislation,” says Kaspersky principal security researcher David Emm.
Given the similarity between the current Investigatory Powers Act and the previous DRIPA, as well as the ongoing legal challenge against the Investigatory Powers Act, it is expected that the Investigatory Powers Act 2016 could be revised in response to these judgements.
Liberty, in the arguments published on its website, sought to argue that the government should put in place new arrangements by July 2018. However, the government made clear, in documents also published on Liberty’s website, that it was working to bring the new arrangements into force by April 2019. The court has not yet ruled on this matter.
Due to the legal actions against these data-retention acts, the government started a consultation process regarding potential changes. This was open to comment between 30 November 2017 and 18 January 2018.
“Additional safeguards were added to address some of the concerns of the court,” says Andrew Kernahan, policy advisor for the Internet Service Providers Association. “Some of the key ones are around government bodies’ authorisation of information, access requests, a new definition of serious crime, and how to notify someone if they have been subject to data-retention measures.”
While the changes do not limit the extent of retention of communication data, what they do propose is limiting those who can access the data and the reasons for which they can access it.
The focus is on serious crimes, which – according to the EU – is any crime that has a prison sentence of more than three years. However, the consultation process states that to prevent serious crimes, law enforcement agencies may also be able to access this data for crimes that have a prison sentence of six months or more.
“I think where it is going to change is in terms of what needs to be in place to access that data,” says Emm. “They will have to have in place the same measures to make that data available when they are required to do so; it is just the requirements of when the government is legally required to do so that is going to change.”
Remain aware of obligations
Given the shifting nature of data-retention legislation, any company that is classified as a “communication service provider”, which can be a telecommunication company, an ISP or messaging application developers, will need to remain aware of the obligations that they are compelled to meet as part of the Investigatory Powers Act.
Despite the court ruling that accessing private communications data for reasons other than fighting serious crime was unlawful, until the law changes companies need to continue meeting their legal obligations, which are detailed in the technical capability notices sent to companies, when they are tasked to perform this function.
“If you have been served a notice, then until the government tells you otherwise, you are legally compelled to adhere to that notice,” says Kernahan.
Moving forward, the government needs to ensure that the revised Investigatory Powers Act meets the requirements of the security service, while also being in line with EU law.
Having to review the Investigatory Powers Act again wastes time and money for both the government and companies that are classified as communication service providers. However, given the issues of privacy and security being debated, it is possible that this will not be the final review.
“Some people will think that changes have not gone far enough,” says Gigaclear chief executive Matthew Hare. “It’s quite likely that providers – from both ends of the spectrum on this issue – will feel the need to challenge this in the courts.”
While it is true that from 2019 the UK will begin the process of leaving the EU, and will therefore no longer be beholden to EU courts, it is likely that many of our legal obligations will remain in line with the EU.
We have already witnessed this, as the forthcoming Data Protection Act effectively mirrors much of the EU’s General Data Protection Regulation (GDPR). Having two sets of legislation would present problems for companies wishing to operate in both the EU and the UK territories, especially if these conflict with each other. Thus, it is expected that the final version of this updated Investigatory Powers Act will likely remain in line with EU law.
“The government – from the way they are playing this – looks like they will try to keep in line with EU legislation on stuff like this anyway,” says Emm.
Review consultation documents
The first thing companies need to do is to review the Investigatory Power Act’s consultation documents that have so far been released by the government. While these are not definite proposals, a review will give companies an understanding of the general direction in which the legislation is being updated.
However, some companies will be more affected than others.
“There are three tiers of companies,” explains Hare. “At the top end, there are those under technical notices, who will continue what they are doing; in the middle are other communication providers, who will still need to maintain data sets of their customers’ activity; and then there are other companies that may fall under the interception regime, for example, such as app development firms who enable communications, but are not traditionally communication providers.
“It is unlikely the proposals will make much difference to the top end. It is more likely to impact those enabling communications, as there may be some new issues they will need to attend to.”
Those companies that have been served with technical capability notices will need to liaise with their points of contact within the government. These are often the people who reached out to companies prior to the technical capability notice being issued. Companies need to begin discussions about how their legal obligations, which are set out in the technical capability notice, will change and what technological impact this will have on their day-to-day operations.
“If [a company] has been served a notice to retain data, then they will have relationship with the authorities and a dialogue about the changes,” says Kernahan.
Once the technical impact has been determined, companies can subsequently conduct an assessment of the economic cost that these changes may bring. Nothing has yet been determined, but being forewarned can at least mitigate any detrimental impact by having necessary resources in reserve.
To maintain process flexibility, companies should prepare to meet the various possible shifting responsibilities. It is assumed this deadline will not be a fixed date, but the commencement of a transition period, by the end of which companies will be expected to meet their new legal obligations.
The UK’s data-retention legislation is currently in a state of flux, as conflicting statutory functions and existing legal rights seek some form of equilibrium in statutes. A consequence of this is that companies need to maintain legislative awareness of the legal requirements, as well as adequate contingency plans and resources in reserve, to remain responsive.