WHAT YOU NEED TO KNOW
- UK law enforcement will get new powers regarding third party bulk personal data sets to make better use of machine learning and AI-powered investigatory techniques.
- General detection surveillance will be facilitated by streamlined access to Internet connection records subject to an internal approval but without a warrant.
- End-to-end encryption (E2EE) may be affected by a new duty to report technical system changes or to maintain the technological status quo.
- What, when and how will depend on how the new Secretary of State (following recent election victory by the UK’s Labour Party) decides to implement the new law.
- In Australia, law enforcement authorities have access without a warrant to communications data (as opposed to “content data’) retained by telecommunications operators under the mandatory Data Retention Scheme. The Scheme was implemented by an amendment bill in 2015 to the Telecommunications (Interception and Access) Act 1979. Under the Scheme, subscriber details, sender and recipient details, date, time and duration of a call or use of an online service, email subscriber, recipient records and other communications metadata (but not the content or subject line of an email), WiFi connection records and location data must be retained for two years.
- Both Australia and the UK are signatories to the International Statement: End-to-end Encryption and Public Safety of 2020 in which they challenged the assertion that public safety cannot be protected without compromising privacy or cyber security and agreed that tech companies should “include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format.”
________________________________________________________________________________________________________
Provisions regarding third party bulk personal data sets and Internet connection records give the UK government new powers and obligations.
The Investigatory Powers (Amendment) Act 2024 amending the Investigatory Powers Act 2016 (IPA) received royal assent on 25 April 2024 and it will take effect in accordance with the Secretary of State’s future statutory instrument.
Some of the main changes include:
- Establishing new legal gateways for accessing and sharing of communications data and Internet connection records.
- Introducing a separate regime for the use of publicly or commercially available bulk personal datasets.
- Imposing a duty on operators of telecommunications services to report proposed technical system changes which could affect lawful access by authorities and a duty to maintain the status quo while any objections by the operator are being investigated.
- Bringing more authorities under the Investigatory Powers Commissioner’s (IPC’s) regulatory oversight.
The amendments come following a statutory review of the IPA published in February 2023 and Lord Anderson’s independent review of the bulk data regime published in June 2023. They are hoped to enable authorities “to rapidly identify intelligence insights from vast quantities of data” aiming to “reflect the reality of the current threat and technology landscape”.[1]
ABOUT THE IPA
The IPA governs the use of powers relating to the interception of communications, acquisition, retention and use of communications data, equipment interference and bulk data powers by UK’s intelligence agencies, law enforcement agencies, police, councils, local authorities and prisons. Such activities are unlawful unless carried out with the “lawful authority” which may be granted under the IPA.
This may involve a warrant, authorisation or notice to an operator under the IPA, provided the public authority holds the requisite investigatory powers at law, such as the Police common law powers and statutory powers under the Police and Criminal Evidence Act 1984. If the interception of communications or equipment interference is necessary for investigating a crime, the warrant and authorisation regime under the IPA will apply. However, the amendment will also enable authorities to exercise their powers to gather communications data outside of the IPA regime.
The authorisation process depends on the level of intrusiveness. For example, under the amendment, the acquisition of basic subscriber details by authorities will now be subject to an internal authorisation. Whereas, the “double-lock” (approval by Secretary of State (SoS) and Judicial Commissioner (JC)) or, now under the amendment, the “triple-lock” mechanism (approval by SoS, JC and prime minister (PM)) applies to targeted and bulk data collection warrants or the interception or equipment interference directed at a member of Parliament.
TELECOMMUNICATIONS OPERATOR
The IPA applies to each telecommunications operator (TO) who “offers or provides” or “controls or provides” a telecommunications service to persons in the UK or service controlled from the UK. This broad definition covers, for example, government departments which offer digital services to citizens, such as tax return portals.
Under the amendment, the definition of a TO also captures services used by another person to provide the service to individuals in the UK, even if not controlled from or based in the UK. The purpose of this amendment is to defeat any jurisdictional challenge to lawful access where some services are provided by foreign subsidiaries of the TO.
E2EE
According to the consultation report,[2] many respondents were concerned about the implications of the amendments on end-to-end-encryption (E2EE). Currently, E2EE is neither mandated nor prohibited by law. Besides, E2EE applied to communication content does not stop authorities from obtaining useful metadata, such as time, date and recipient details, which can still be obtained with a warrant.
Despite the claim that “these changes do not directly relate to end-to-end encryption“, E2EE will be directly affected, for example, by the new duty to report technical system changes or to maintain the technological status quo during any review period, if the TO challenges a request from the authorities.
Citing an international statement,[3] the Government is stressing that its purpose is “holding private companies to a common-sense set of legal standards that puts the interests of our citizens ahead of shareholders“. However, “The intention is not to introduce a consent or veto mechanism or any other kind of barrier to market“. The Government points out that “much of the data sought is already generated and retained by the operators for either their own purposes or to support user experience“.
REGULATORY OVERSIGHT
The IPC independently oversees the use of covert investigatory powers under the IPA in the public interest by more than 600 public authorities. The Commissioner is supported by the Investigatory Powers Commissioner’s Office (IPCO), Office for Communications Data Authorisations (OCDA), currently 13 Judicial Commissioners and the Technology Advisory Panel (TAP) advising on changing technology and investigatory techniques. The IPC makes an annual report to the PM which is also laid before Parliament.
The IPC’s oversight has been extended in the past to include Government Communications Headquarters’ (GCHQ) software vulnerability reporting, the foreign detainee regime[4] and oversees communications data production orders.[5] Under the amendment, the IPC will also oversee the Ministry of Defence and additional public authorities on the PM’s instruction carrying on intelligence activities. Public authorities will now have a statutory duty to report to the IPC errors made under surveillance laws and codes of practice.
The amendment also establishes deputy Commissioners, NCA deputy Directors General and enables JC’s to authorise certain communications data requests. It also exempts JC’s from the scope of the Freedom of Information Act 2000 (FOIA) as bodies dealing with security matters.
By repealing a previous exemption under the Privacy and Electronic Communications Regulations (PECR), the amendment also introduces a new duty to report personal data breaches in relation to authorisations or notices for communications data to the Information Commissioner’s Office (ICO).
COMMUNICATIONS DATA
Naturally, the content of private communications (“content data”) enjoys stricter protection under the IPA than communications data (CD). Essentially, CD is information about the circumstances of the communication. It includes “entity data” such as phone numbers or user name and “events data” such as the date and time of sending or receiving a message, but not what was written or said.
CD has great potential for revealing important facts about a crime being committed or to corroborate other evidence. It is used to investigate crime, keep children safe, support or disprove alibis and tie a suspect to a particular crime scene. In the context of a criminal investigation, the Part 3 authorisation process under IPA applies to access CD, subject to approval by OCDA.
However, the following changes are being introduced:
- Clarification that subscriber details under section 261 of the IPA, including “all content of a communication made for the purpose of initiating or maintaining an entity’s access to a telecommunications service” about the subscriber, constitute CD. This is to remove any suggestion that such subscriber details could fall under the “content data” regime.
- Authorities will be able to request CD not just in the context of a criminal investigation but also to exercise their regulatory powers in performing their lawful functions outside of the scope of the IPA. The definition of “regulatory power” is replaced with a broader definition of “regulatory or supervisory power”, and the previous abolition of information gathering powers under section 12 of IPA is reversed.
- General detection surveillance is introduced by way of accessing Internet connection records (ICR) under section 62 of the IPA. ICR include, websites visited or service accessed but excluding search terms, content viewed, actions taken within service. Authorities will now be able to monitor all users accessing a suspicious Internet domain, subject to appropriate authorisation by the IPC or the relevant senior officer. Authorities will no longer have to unequivocally know the perpetrator’s specific time of access, and service in use, and instead these factors can be ‘specified’ within the application for detection of high-impact offenders such as paedophiles or terrorists.
- The amendment removes the risk of government departments committing the offence under section 11 of the IPA when sharing CD among each other. The offence of unlawful collection of CD will not be committed if the CD is obtained from a publicly funded TO. The Government explains that sharing among authorities is often required when authenticating individuals’ applications and claims made to the Government, and to detect fraud.
ACQUISITION AND USE OF BPDS AND 3PDS
The interpretation under section 199 of IPA suggests that publicly and commercially available datasets constitute bulk personal datasets (BPD). The requirement for a “class” or “specific” warrant applies to the use of all BPDs, regardless of the sensitivity, public availability or the level of intrusion associated with their examination by the authorities.
The amendment introduces a new Part 7A of the IPA relating to authorisation in relation to BPDs with low or no reasonable expectation of privacy, with reference to the nature of the data, prior publication with or without the individual’s consent, and likely previous dissemination by the public.
The use of such BPDs will be subject to an “individual authorisation” given by the head of an intelligence service or their deputy, considering expectation of privacy, necessity in the context of a public function, proportionality and safeguards in place. Approval by a JC is required unless prevented by urgent need.
A new “category authorisation” is introduced in respect of low privacy BPDs which “may describe a category of bulk personal datasets by reference to (among other things) the use to which the datasets will be put“. Such authorisation will be subject to approval by a JC who must comply with general duties in relation to privacy.
The Government explains, “the intelligence services need to be able to process that data at a greater pace and greater scale to reflect this societal shift. … not something that can be done without the help of modern technology, such as machine learning.” The existing regime allegedly “limits opportunities to collaborate with partners, particularly on developing shared technical solutions or capabilities“.[6]
A new Part 7B is introduced in relation to third party bulk personal datasets (3PD) the access to which is granted by commercial or non-commercial third parties and which are typically examined by the authorities in situ. 3PDs can include datasets held by wider UK government bodies and commercial entities and they are considered ‘building block’ intelligence, such as names of subjects of interests, details of travel, and their associates.
A 3PD warrant may authorise the examination of a bulk personal dataset even in respect of changing or future data. The head of an intelligence service or their deputy may apply to the SoS for a 3PD warrant which must be approved by a JC, unless prevented by urgent need.
The amendment increases the duration of BPD warrants from six to twelve months with the justification that necessity and proportionality of retaining and examining the data can be better demonstrated over such a longer time-period.
NOTICES
Currently, data retention, technical capability and national security notices are served on TOs to request access to data. TOs will often have to make changes to their services or systems in order to comply. A notice could request a longer retention of CD or building a technical capability to access it in future.
The amendment introduces a renewal process for notices under new sections 94A and 256A of the IPA. After two years, each notice must go through the ‘double lock’ process, which includes the full case for necessity and proportionality being made by the SoS and the decision subject to the approval of a JC.
SECTION 258A NOTIFICATION OF PROPOSED SYSTEM CHANGES
Under section 258A of the IPA, TOs must report to the SoS any upcoming technical system changes which could affect lawful access capabilities. Currently, such notification only exists[7] for TOs which are under a technical capability notice. Under the amendment, the SoS can impose the duty on any TO capable of providing access of significant operational value where the SoS considers it necessary and proportionate.
A change might include a new data retention period, technical changes or the decommissioning of a service. The TO will have to judge when a proposed change could affect lawful access. Security patches are not covered, and it is not foreseen that a security patch would have a “sweeping effect on lawful access capabilities“.
Once the TO is notified, the SoS does not have the power to intervene in the rollout of the TO’s changes, except by using the notices regime. It is said that the primary motivation of introducing the change notification obligation is to create an opportunity for collaborative working in order to protect capabilities and keep people safe.
CONCLUSION
One could argue that the amendments take UK citizens one step closer toward general online surveillance by the state rather than targeted surveillance. Another would recognise the need of improving operational processes in the complex and critical area of law enforcement and intelligence services amidst rapid technological changes and constantly evolving security threats.
However, the underlying principles for interception, investigations and information gathering remain the same. A recent CJEU case C‑175/20,[8] concerning the Latvian tax authority’s indiscriminate request for the details of tax payers who advertised goods for sale on a website reminds us that “…….[a] data controller … acting within the framework of the public interest mission with which he has been entrusted, cannot proceed, in a generalized and undifferentiated manner, to the collection of data of a personal nature and that he must refrain from collecting data which is not strictly necessary for the purposes of the processing.” Similarly, UK authorities must comply with the data protection principles under section 34 of the Data Protection Act 2018.
Ultimately, laws are only as good as the underlying legal practice. There is little doubt that the IPC and the current 13 JCs represent a strong culture of the rule of law. As the Government puts it, “We must ensure that the fundamental safeguards that underpin these investigatory powers – ensuring that any usage is strictly necessary, proportionate, authorised, and accountable – remain at the core of any changes that are made to the regime“.[9]
This article was first published in the “Privacy Laws & Business United Kingdom Report”, Issue 134, July 2024.
Want Data Privacy, Cyber & Digital updates delivered straight to your inbox? Click here to subscribe.
[1] Policy paper Investigatory Powers (Amendment) Bill: factsheets, Last updated 26 April 2024 https://www.gov.uk/government/publications/investigatory-powers-amendment-bill-factsheets/investigatory-powers-amendment-bill-bulk-personal-datasets-and-third-party-bulk-personal-datasets
[2] Consultation outcome Government response to the Home Office consultation on revised notices regimes Updated 8 November 2023, https://www.gov.uk/government/consultations/revised-investigatory-powers-act-notices-regimes-consultation/outcome/government-response-to-the-home-office-consultation-on-revised-notices-regimes
[3] International statement: End-to-end encryption and public safety, https://www.gov.uk/government/publications/international-statement-end-to-end-encryption-and-public-safety
[4] The Investigatory Powers Commissioner (Oversight Functions) Regulations 2022 https://www.legislation.gov.uk/uksi/2022/1299/contents/made .
[5] The Functions of the Investigatory Powers Commissioner (Oversight of the Data Access Agreement between the United Kingdom and the United States of America and of functions exercisable under the Crime (Overseas Production Orders) Act 2019) Regulations 2020 https://www.legislation.gov.uk/uksi/2020/1009/regulation/2/made#regulation-2-a
[6] Policy paper Investigatory Powers (Amendment) Bill: factsheets, Last updated 26 April 2024, https://www.gov.uk/government/publications/investigatory-powers-amendment-bill-factsheets/investigatory-powers-amendment-bill-bulk-personal-datasets-and-third-party-bulk-personal-datasets
[7] Investigatory Powers (Technical Capability) Regulations 2018
[8] “SS” SIA v Valsts ieņēmumu dienests, https://curia.europa.eu/juris/document/document.jsf?text=&docid=254583&pageIndex=0&doclang=FR&mode=lst&dir=&occ=first&part=1&cid=1851098 (in French)
[9] Consultation outcome Government response to the Home Office consultation on revised notices regimes Updated 8 November 2023