On Tuesday 1 March the UK government published the Investigatory Powers Bill and introduced it into Parliament.
The Bill is largely based on the draft Investigatory Powers Bill published in November 2015 (summarised in our November 2015 update) and reflects some, but not all, of the recommendations in the reports from the three Parliamentary Committees on that draft – the Joint Committee for the Draft Investigatory Powers Bill, the Science and Technology Committee and the Intelligence and Security Committee (summarised in our February 2016 update). Responses to each of those three reports and a guide to the Bill have also been published.
The main changes to the Bill are:
Codes of Practice
- Drafts of six statutory Codes of Practice have been published to give guidance on national security notices, interception of communications, security and intelligence agencies’ retention and use of bulk datasets, equipment interference, communications data and bulk acquisition.
- These codes are designed to address many of the Parliamentary Committees’ recommendations by providing details of how the powers and obligations will work in practice. The final versions of the codes will be approved by Parliament and will have statutory force.
Internet Connection Records (ICRs)
- ICRs are now defined more narrowly in the Bill so as to make clear that they can only consist of communications data (rather than any data as previously). This also means the content of a communication will clearly fall outside ICRs, although there may still be a debate as to where the delineation between “content” and “communications data” falls in this context.
- The Code of Practice for the Interception of Communications Data (the Interception Code) restates that ICRs will only identify the service used, rather than what the user has been doing on that service. However, the guidance retains flexibility by stating that there is no single set of data making up an ICR, although it may be made up of an account reference, source IP and port address, destination IP and port address and time/date.
Encryption and technical capacity notices
- Relevant operators need only maintain technical capabilities to decrypt communications or data in relation to the electronic protection applied by or on behalf of that operator. This should give some comfort to those operators who have implemented end-to-end encryption.
- The Secretary of State must now take into account “the technical feasibility, and likely cost, of complying” when issuing decryption notices.
- The Secretary of State may vary or revoke a notice to maintain technical capability (including decryption) to allow for developments such as the launch of new services and products and changing law enforcement priorities.
- The Interception Code states that operators subject to a technical capability notice must notify the government of new services and systems in advance of their launch.
- Although the press release from the Home Office states that privacy is “at the heart of the Bill”, in practice there appear to be few substantive changes from the draft Bill in this respect and this issue seems to remain largely unresolved.
- Breaches of the Act which are reported to the Investigatory Powers Commissioner in accordance with a code of practice under the Bill do not have to be reported again in accordance with the Privacy and Electronic Communications (EC Directive) Regulations 2003.
- A request to an overseas authority to intercept communications sent by or intended for an individual in the UK may only be made if a targeted interception warrant or targeted examination warrant has been issued. This tightens the previous wording in this area, which should, in theory, prevent government agencies from asking overseas authorities to undertake interceptions as a means of bypassing the UK regime and controls.
- Warrants to intercept material subject to legal privilege may only be granted in exceptional circumstances. The Interception Code gives guidance that this is only likely if there is a “threat to life or limb or in the interests of national security, and the interception is reasonably regarded as likely to yield intelligence necessary to counter the threat”.
- The intelligence services’ exemption from requiring authorisation from a Judicial Commissioner before an order is granted to identify or confirm journalistic sources has been removed.
Osborne Clarke comment
Although there have been a number of changes to the previous draft Bill, the majority of them are not that substantive and the Bill still contains many controversial aspects. Despite the publication of the draft Codes of Practice, there is still a lack of clarity in areas such as the practical implications of retaining ICRs, and the interaction between this Bill and general privacy legislation.