Michael Drury and Chris Whalley consider the recent impact of the Investigatory Powers Bill and the ensuing debates surrounding bulk action, extra-territorial and de-encryption powers.
Before taking up her new role as UK Prime Minister, one of Theresa May’s significant contributions to the Home Office was the introduction of the wide-ranging Investigatory Powers Bill (IPB) establishing enhanced controls on electronic surveillance and governing, in particular, state interception and the obtaining and examination of communications data. First published in November 2015, it has now made its way through Parliament to the Committee Stage in the House of Lords. It is near the end of its legislative journey. It will be further debated in early September but, noting the August review of the “bulk powers” contained in the Bill by the Independent Reviewer of Terrorism Legislation, David Anderson QC, which overall concluded such powers were needed, the IPB is unlikely to change significantly before it receives Royal Assent and comes into force before the end of 2016. Seldom, if ever, has legislation received so much Parliamentary and extra-Parliamentary scrutiny.
The Bill seeks to overhaul the legislation governing electronic surveillance in the UK, which is currently spread across a large number of statutes. The IPB creates a single regime controlling the interception of communications – in the UK there is no distinction between US-style Title VI wiretaps and Foreign Intelligence surveillance – the retention and obtaining of communications data (including in bulk), and electronic interference by the UK (“hacking” in the vernacular), as well as recasting oversight and safeguard mechanisms (including the introduction of a judicial role in the granting of warrants).
Given that the IPB is not yet in its final form, and considering its length at some 253 pages, this article will look at some key areas: bulk powers; extra-territoriality and powers of compulsion/sanctions for non-cooperation; and encryption.
Much of the commentary on the IPB has concerned the bulk powers contained in Part 6, which provides for bulk interception warrants (to intercept the communications content and data); bulk acquisition warrants (to acquire communications data); and bulk equipment interference warrants (typically to interfere with computers and mobile telephones). Whilst many of the bulk powers in the IPB already exist under current legislation, it was not until the publication of the Bill that the full breadth of the powers available was avowed. Further evidence of when and how bulk data has previously been obtained has been made public through legal challenges by the human rights watchdog, Privacy International, and has caused consternation amongst libertarians.
A key court decision challenging the lawfulness of bulk powers will be delivered by the European Court of Justice (ECJ) in the autumn in a case brought by the Deputy Leader of the UK Labour Party, Tom Watson, supported by Liberty, the Law Society, the Open Rights Group and Privacy International. The Advocate General, whose opinion is usually followed by the Court, stated that: “…the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data…” In other words, bulk data collection is only lawful in support of the prevention and detection of serious crime. Whether this decision is handed down before the Bill becomes law remains to be seen, and the implications of Brexit will also be a factor in determining to what extent the UK Government has regard to the decision. Our assessment is that there will be a suite of powers allowing for bulk actions on the UK statute book by the year end. It is inevitable, however, that challenges to those powers will follow, and this is likely to remain an active field (even if one occupied predominantly by non-governmental organisations).
It goes without saying that the internet cannot be “contained” in any particular legal jurisdiction: quite how one “polices” the internet is a question yet to be answered. The IPB is the first significant piece of UK legislation to be introduced since the Edward Snowden revelations relating to the use of global surveillance programs. Countries across the globe are looking to the UK for guidance and leadership on how the practices of the intelligence agencies (and law enforcement) can be formalised in statute and how information can be lawfully obtained and shared across borders. In this regard, the IPB seeks to impose obligations on companies outside the jurisdiction of England & Wales to comply with warrants and notices relating to interception, obtaining and retaining communications data and assisting in electronic interference. In relation to targeted and bulk interception warrants, if an overseas company knowingly fails to assist in complying with a warrant, it commits a criminal offence. Importantly, before a company can be required to assist, matters to be taken into account include any requirements or restrictions under the law of that country or territory that are relevant to the taking of any steps, and the extent to which it is reasonably practicable to give effect to the warrant in a way that does not breach any of those requirements or restrictions. Other “failures” to comply with warrants are enforced by civil sanctions. Whilst the obligations on overseas companies are causing concern amongst technology companies who may be caught by these provisions (especially amongst internet/tech providers headquartered in the US), it is difficult to see how the UK Government will seek to enforce the sanctions. We are not aware of any enforcement action being taken against a major technology company under the present law so it remains to be seen if the IPB will be more vigorously enforced.
There is an ongoing debate regarding the degree to which the IPB requires telecommunication operators to remove encryption from data. In essence, the debate revolves around the obligation to remove encryption pursuant to a so-called “technical capability notice”. The Bill permits law enforcement and intelligence services to require companies to remove encryption they have applied, or that has been applied on their behalf, in tightly prescribed circumstances. The Bill does, however, make it absolutely clear that a relevant company would not be obliged to remove encryption where it is not reasonably practicable for it to do so. Depending on the individual company and circumstances of the case, it may be entirely sensible for the UK Government to work with it to determine whether it would be reasonably practicable to take steps to develop and maintain a technical capability to remove encryption that has been applied to communications or data. Self-evidently, many of the biggest global technology companies rely on strong encryption to provide safe and secure communications and e-commerce. Indeed, these companies’ reputations rest on their ability to protect their users’ data, and they would be loath to remove encryption. The UK Government has stated that it does not intend to ban end-to-end encryption, or any type of encryption; instead, the requirement to remove encryption will apply when it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication. In light of recent cases in the US, in particular where Apple have been challenged in the courts over the ability of law enforcement agencies to access the content of iPhones, the extent to which companies are challenged over their encryption, as and when the Bill becomes law, will be fascinating to observe.