The UK government has announced a seven-week consultation on proposed changes to the controversial Investigatory Powers Act in response to a ruling by the Court of Justice of the European Union (CJEU).
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
In December 2016, the CJEU ruled that the UK government was breaking the law by indiscriminately collecting the nation’s internet activity and phone records and letting hundreds of public bodies grant themselves access to these personal details with no suspicion of serious crime and no independent sign-off – effectively rendering significant parts of the Investigatory Powers Act unlawful.
The historic judgment was issued in a case brought by Labour MP Tom Watson and current Brexit secretary David Davis against the Data Retention and Investigatory Powers Act (Dripa) – although Davis withdrew his name from the action after his elevation to the Cabinet in July 2016.
The government said its proposed changes will introduce additional safeguards to ensure communications data can continue to be used to keep people safe from crime and terrorism, while complying with the judgment.
Security minister Ben Wallace said communications data is used in the vast majority of serious and organised crime prosecutions and has been used in every major security service counter-terrorism investigation over the past decade.
“Its importance cannot be overstated,” he said. “For example, it is often the only way to identify paedophiles involved in online child abuse and can be used to identify where and when these horrendous crimes have taken place.
“As this is an issue of public importance, we consider it important to consult on our proposed changes to inform our legislative response and subsequent parliamentary debate. All responses will be welcomed and carefully considered.”
The proposed provisions include:
- The introduction of independent authorisation of communications data requests by a new body, known as the Office for Communications Data Authorisations, under the investigatory powers commissioner, Lord Justice Fulford.
- Restricting the use of communications data to investigations into serious crime.
- Additional safeguards which must be taken into account before a data retention notice can be given to a telecommunications or postal operator.
- Clarification of the circumstances in which notification of those whose communications data has been accessed can occur.
- Mandatory guidance on the protection of retained data in line with European data protection standards.
The government has also published for consultation the communications data code of practice, which sets out how the safeguards governing the retention of communications data by telecommunications operators and its acquisition by public authorities will operate.
According to the government, the December 2016 judgment does not apply to the retention or acquisition of data for national security purposes because national security is outside the scope of EU law. “Nevertheless, a number of the proposed changes will apply to certain national security applications for communications data to create a simpler, more practical regime,” the government said in a statement.
Responding to the proposed changes, the Open Rights Group welcomed the addition of independent authorisation for communications data requests, but said the government has missed the main point of the December 2016 CJEU ruling.
Adding independent authorisation for communications data requests will make the police more effective, as corruption and abuse will be harder, said Jim Killock, executive director of the Open Rights Group.
But he said the government has evaded the main point of the Watson judgment, which is that it cannot keep data on a blanket basis.
“Without narrowing what they keep to specific places, incidents or investigations, these changes will not meet the standards set by the courts,” said Killock.
“Combined with the so-called Request Filter [covered in the code of practice], which could be a power for a police search engine for retained data, this will remain an incredibly intrusive surveillance power, unparalleled in democratic countries.”
Commenting further on the Request Filter in a blog post, Killock said: “Yet again we are told that this police search engine is a privacy safeguard. We will now run through the code in fine detail to see if any such safeguards are there. At first glance, there are not.”
The digital rights group believes the changes do not go far enough because they do not reduce the amount of data to be retained, they do not commit the government to notify people whose data is used during investigations, and they do not require data to be kept within the EU.
Killock also criticised the fact that the Home Office has opted for a “six-month sentence” definition of “serious crime” rather than the Lords’ definition of crimes capable of sentences of at least one year.
“These are clear evasions and abrogations of the judgment,” he wrote. “The mission of the Home Office is to uphold the rule of law. By failing to do what the courts tell it, the Home Office is undermining the very essence of the rule of law.
“The Home Office thinks it is playing a long game, hoping that courts will adjust their views over time, and that we will all get used to privacy being an increasingly theoretical idea. The truth is that privacy becomes a more necessary principle every day, in the surveillance economy. We are all in need of greater privacy, so will find ourselves valuing it more.”
Killock also highlighted the fact that the Home Office has ignored the need to notify people whose data has been accessed.
“The Home Office claimed that this is done in limited circumstances, so no change is needed,” he wrote. “This is another missed opportunity to improve police performance. Notification has the potential to reduce police abuse, and help people spot rotten apples, as the victim will find out when someone is pursuing a campaign of harassment against them or their community. Independent authorisation will help, of course, but may not always spot the abuse that an individual will understand to be unfair.”
Killock added: “Safeguards are not simply a nicety to satisfy civil liberties campaigners. They are needed to avoid abuse and thereby make the police a better, more trusted, less corruptible and more effective organisation.”
Rights group Liberty also considers the changes inadequate. “It is encouraging to see the government acknowledge the need to fix a law that breaches people’s rights – but these plans are a cop-out,” said Martha Spurrier, director of Liberty.
“The government has defined the ‘serious crime’ exception absurdly broadly – to include crimes punishable by only a few months in prison. It fails to propose the robust system of independent oversight that is so vital to protect our rights and ignores other critical changes demanded by the court.
“People in the UK deserve a surveillance law that keeps our country free and democratic – that protects our privacy, our freedom of speech, our right to protest and our free press. This is window dressing for indiscriminate surveillance of the public, when ministers should be getting on with making the law fit for purpose.”
Tom Watson MP said: “The current legislation fails to protect people’s fundamental rights or respect the rule of law. That is what my legal challenge proved, and I am glad [home secretary] Amber Rudd is making significant concessions. But I will be asking the court to go further, because today’s proposals from the Home Office are still flawed.
“Ministers aren’t above the law – they don’t get to pick and choose which rights violations they address and they can’t haggle with the courts to avoid properly protecting people’s freedom. All the fundamental safeguards demanded by the court must now be implemented.”