The United Kingdom Parliament is currently in the pre-legislative scrutiny phase of a new Investigatory Powers Bill, which aims to “consolidate existing legislation and ensure the powers in the Bill are fit for the digital age.” It is fair to say this Bill is controversial with strong views being expressed by both critics and supporters of the Bill. Against this backdrop it is important to cut through the rhetoric and get to the heart of the Bill and to examine what it will do and what it will mean in terms of the legal framework for British citizens, and indeed for those overseas.
The Investigatory Powers Bill
Much of the Bill’s activity is to formalise and restate pre-existing surveillance powers. One of the key criticisms of the extant powers of the security and law enforcement services is that the law lacks clarity. Indeed it was this lack of clarity which led the Investigatory Powers Tribunal to rule in the landmark case of Liberty v GCHQ that the regulations which covered GCHQ’s access to emails and phone records intercepted by the US National Security Agency breached Articles 8 and 10 of the European Convention on Human Rights. Following a number of strong critiques of the law, including numerous legal challenges, the Government received three reports into the current law: the report of the Intelligence and Security Committee of Parliament, ‘Privacy and Security: A modern and transparent legal framework’; the report of the Independent Reviewer of Terrorism Legislation, ‘A Question of Trust’; and the report of the Royal United Services Institute, ‘A Democratic Licence to Operate’. All three reported deficiencies in the law’s transparency.
As a result the Bill restates much of the existing law in a way which should be more transparent and which, in theory, should allow for greater democratic and legal oversight of the powers of the security and law enforcement services. In essence the Bill is split into sections: interception, retention, equipment interference, and oversight, with each of the three substantive powers split again into targeted and bulk. What this means in practice is the authorisation of three broad types of activity (each of which has sub-types): the authorisation to intercept data between sender and receiver; the authorisation to retain data such as communications data and internet connection records for possible processing later; and the authorisation to interfere with (in colloquial terms ‘hack’) systems and devices. For each of these there is a split between targeted activity, which is required when dealing with communications which are sent and received by individuals who are inside the British Islands (domestic communications), and bulk activity, which is permissible where either the sender or receiver (or both) of the communications is located outside the British Islands.
Two of the more controversial aspects of the Bill are the oversight provisions and the introduction of a new form of retained data, so-called ‘internet connection records’.
The retention of internet connection records is an entirely new power found in the Bill. It is an extension to the extant, but currently legally uncertain, data retention powers found in the Data Retention and Investigatory Powers Act 2014 (DRIPA). This new power is thus controversial on two bases: (1) it fails to meet the proportionality principle on the basis it fails to comply with the EU Charter on Fundamental Rights; (2) even if the current law is proportionate, an extension of powers is almost certainly disproportionate. With regard to the first of these, the current law, as contained in DRIPA, is subject to an ongoing legal challenge brought by MPs David Davis and Tom Watson, supported by Liberty. The case, Secretary of State for the Home Department v David Davis MP and others  EWCA Civ 1185, has recently been referred by the Court of Appeal to the Court of Justice of the European Union, where the court asks the CJEU to rule on whether the ground-breaking case of Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Others, the case which ruled that European data retention laws were incompatible with Articles 7 & 8 of the EU Charter, also binds national legislators in the making of domestic data retention laws.
Thus the current status of domestic data retention laws is unclear. However, while this case remains under review, the Bill seeks to extend the powers of the state from its current simple, yet still very invasive, powers to order the retention of all traffic data on our communications. This would include internet connection records, described in the guide to the Bill as “a record of the internet services a specific device has connected to, such as a website or instant messaging application.” This would be data such as which banking services we use and which rail company or airline we tend to favour, and which may reveal much about us, including gender, ethnicity, religious beliefs, medical conditions and much more. University of East Anglia law lecturer Paul Bernal has written upon this issue very eloquently in his blog. As he notes, despite the Home Office’s best attempts to paint these as akin to itemised phone records, they are much more invasive of personal privacy, and they are also clearly likely to be more invasive than the mere retention of communications records, a practice ruled illegal under EU Law in Digital Rights Ireland, and which at domestic law is currently under review. It is difficult to see how this new provision could be seen to be proportionate.