The Investigatory Powers Act ("IPA") follows the last government’s failed attempt to pass the Communications Data Bill in 2013. It also builds on interim legislation; the Data Retention and Investigatory Powers Act 2014, which was introduced to ‘plug the gap' in data retention powers but expired at the end of 2016, with the IPA replacing it.
The IPA, which has been dubbed the Snooper’s Charter, will rely heavily on the co-operation of telecommunications operators, who are defined in the IPA as being a person who either offers or provides telecommunications services in the UK or controls or provides a telecommunications system which is (wholly or partly) in the UK or controlled from the UK and, as such, telecommunications operators should be aware of their obligations under the IPA.
Extensive obligations placed on telecommunications operators
The IPA consolidates and extends many obligations for telecommunications operators. For example, telecommunications operators will be required to:
- maintain permanent capabilities to intercept and collect ‘communications data’ by public authorities
- obtain bulk personal datasets which permit intelligence agencies to access personal data, having the same meaning as under the Data Protection Act 1998, but also includes the personal data of a deceased person if the data would be classed as personal data whilst that individual was alive. Under certain conditions telecommunications operators may also be required to retain health records for examination by the intelligence services
- provide wider assistance to law enforcement and the security and intelligence agencies in the interests of national security, including assisting authorities to bypass encryptions where necessary.
The IPA also introduces a number of new obligations for telecommunications operators. One important addition relates to the retention of certain customer data. Under the Data Retention and Investigatory Powers Act 2014 telecommunications operators could be required to retain communications data, about when, where, how and with whom its customers’ communications took place, for up to 12 months from the date of transmission. The IPA extends these powers, allowing the Secretary of State to also issue a retention notice in relation to internet connection records (ICRs). This includes information about which websites a user has visited (their internet browsing history), but not the specific content that the user has looked at on these domains. If authorities wish to obtain details of the content of any communications, a special warrant will be required.
Data sharing and Brexit
In October 2015 the CJEU held that, following the Snowden revelations, the Safe Harbour Agreement (which permitted transfer of personal data from the EU to the US) was not compatible with the EU data protection regime. The CJEU found that Safe Harbour did not adequately protect EU citizens' personal data that had been transferred to the US as US public authorities were able to access EU citizens’ personal data without sufficient safeguards in place to protect EU citizens’ rights.
During Brexit negotiations any discussions designed to establish a cross-border data sharing agreement between the EU and the UK may be further complicated by the extensive powers that the Act bestows on UK enforcement agencies, in a similar vein to the difficulties that the Safe Harbour Agreement encountered.