The UK Investigatory Powers Act 2016 – what it will mean for your business

29 November 2016

Graham Smith

The Investigatory Powers Bill received Royal Assent on 29 November 2016.

The Act will, when it is fully brought into force:

  • reform the regime under which UK law enforcement bodies and intelligence agencies can be authorised by warrant to conduct interception, equipment interference (hacking to obtain information) or bulk communications data acquisition.
  • introduce new requirements for Judicial Commissioners to approve warrants and notices issued by the Secretary of State.
  • extend the Secretary of State's existing power to require some telecommunications operators to install permanent interception capabilities. The new 'technical capability notices' can include equipment interference and communications data acquisition capabilities as well as interception. These notices will now require approval by a Judicial Commissioner. Uncertainty remains over whether a technical capability notice could be used to prevent an operator from providing end-to-end encryption capabilities to its users.
  • widen the categories of telecommunications operators that can be subject to most powers, by including private as well as public operators.
  • empower the Secretary of State to serve a data retention notice, directing a telecommunications operator to generate, obtain and retain communications data about users, including site level web browsing histories. This extends existing powers under the Data Retention and Investigatory Powers Act 2014 and revives elements of the draft Communications Data Bill on which the pre-2015 Coalition government was deadlocked. A data retention notice will now require approval by a Judicial Commissioner.
  • provide many authorities with a query tool (the request filter) to make complex searches across telecommunications operators' databases of communications data. This enhances the authorities' existing ability to serve targeted notices on operators requiring them to disclose communications data.
  • respond to criticisms by the Interception of Communications Commissioner of law enforcement's use of communications data to identify journalistic sources. New provisions addressing MPs' and legal privilege are also included.
  • extend the prohibitions on telecommunications operators and others disclosing the existence of a warrant or notice.

Many of the powers are extraterritorial in that they may apply to non-UK operators. They can, to differing degrees, require a non-UK operator to take steps outside the UK to give effect to a UK warrant or notice.

The Act is in part a reaction to the Snowden revelations of the scale of bulk interception conducted by GCHQ. It draws on subsequent reviews of investigatory powers conducted by the Parliamentary Intelligence and Security Committee, David Anderson Q.C. and the Royal United Services Institute. A draft Bill published in November 2015 was scrutinised by three Parliamentary Committees.

The Act has the potential to affect not only the communications industry but any business that operates a network, whether public or private.


Timing

The existing compulsory data retention regime under the Data Retention and Investigatory Powers Act 2014 (DRIPA) expires at the end of December 2016. The parts of the Act that replace those provisions will have to be brought into effect before then. Existing data retention notices issued under DRIPA or its predecessor legislation will continue automatically under the new Act for up to 6 months without having to be reissued. At some point the Secretary of State can be expected to issue expanded data retention notices covering internet connection records (site level browsing histories). However, operators who receive such a notice are obliged not to disclose the existence or contents of the notice.

Otherwise, existing legislation such as the Regulation of Investigatory Powers Act 2000 (RIPA) will continue in force until expressly repealed. Considerable work has to be done to set up the new system of oversight, including the appointment of the Judicial Commissioners who will be tasked with approving the issue of most types of warrant and notice under the Act. Various secondary legislation has to be prepared and placed before Parliament, as do the Codes of Practice that have been published in draft and revised as the Bill has passed through Parliament.


Status

Much of the Act is controversial. Some of it, particularly in the areas of bulk powers and data retention, is likely to be subject to legal challenge. An existing challenge to the data retention provisions of DRIPA is awaiting a judgment from the EU Court of Justice (CJEU), which will be delivered on 21 December 2016. If the CJEU follows the Advocate General’s Opinion, that would have repercussions for the new legislation.

Other existing challenges that could have implications for the Act include a pending complaint to the European Court of Human Rights about bulk interception powers and overseas intelligence sharing under RIPA; an application for judicial review of an Investigatory Powers Tribunal decision about thematic hacking warrants; and challenges in the CJEU to the EU-US Privacy Shield.


Who would the Act affect?

It would be easy to gain the impression that the Act affects only the communications industry. However, it applies more widely than that, potentially affecting any type of business.

This broad scope flows from the definition at the heart of the Act: a ‘telecommunications operator’. This includes private as well as public networks and services. It covers not just carriers but online storage providers: those who facilitate the creation, management or storage of communications transmitted, or that may be transmitted, by a telecommunications system.

‘Communication’ is also broadly defined. It covers not just person to person messages, but person to machine, machine to person and machine to machine communications. The internet of things will, as it gathers pace, fall into the embrace of the new legislation.

However, falling within the scope of the Act does not necessarily mean that an obligation will be imposed. While the Act’s powers are drawn very broadly, no provider has an obligation to maintain a capability, retain or disclose data or assist with interception or equipment interference unless and until the Secretary of State or a public authority serves it with a notice or warrant.

Notices and warrants will generally be subject to secrecy obligations. As a result information on how they have been deployed may not be easy to come by. The most detailed guidance on how they are likely to be exercised is in Codes of Practice, drafts of which have been published with the Bill as it went through Parliament.


What does the Act cover?

The starting point of the Act, like the existing Regulation of Investigatory Powers Act (RIPA), is to prohibit interception of communications without lawful authority. The interception criminal offence is similar to that under RIPA, but extended to cover communications stored in or by the telecommunications system before transmission as well as after.

Much of the Act is taken up with enumerating the powers of law enforcement and the intelligence agencies under warrants issued by a Secretary of State and approved by a Judicial Commissioner. An interception warrant constitutes lawful authority for the purposes of the interception offence. Other types of lawful authority include consent of the sender and intended recipient, interception for monitoring and record-keeping purposes specified under the Lawful Business Practice Regulations, and interception by a telecommunications service provider for purposes relating to the provision or operation of the service. The Act clarifies and broadens this service provider exception compared with that under RIPA.

The warrantry powers under the Act include:

• Interception warrants (targeted, thematic or bulk)

• Equipment interference warrants (targeted, thematic or bulk)

• Bulk communications data acquisition warrants

Numerous different authorities can, as under RIPA, make targeted demands on telecommunications operators for communications data. A new ‘request filter’ tool will enable authorities to make complex queries across databases of communications data held by multiple communications service providers (CSPs).

The Secretary of State will be able to serve technical capability notices to require maintenance of permanent capabilities (including removal of encryption applied by a service provider or on its behalf). Under RIPA this ability applies only to interception. The Act introduces technical capability notices covering most warrants and powers. A technical capability notice requires the approval of a Judicial Commissioner.

The Act expands on DRIPA’s data retention requirements through compulsory generation, obtaining and retention of a broader range of communications data (including site browsing histories, officially known as internet connection records).

The Secretary of State will be able to serve national security notices on UK telecommunication operators, subject to approval by a Judicial Commissioner. While broadly defined, national security notices cannot be used for the main purpose of requiring something to be done for which the Act requires a separate warrant or authorisation.


Business by business

The large public telecommunications provider

Fully in scope for:

• Interception warrants (targeted, thematic or bulk)

• The new equipment interference warrants (targeted, thematic or bulk)

• Technical capability notices

• The ‘request filter’ for querying databases of communications data

• Broader mandatory data retention

• Bulk communications data acquisition warrants

• National security notices

The provider will benefit from broader purposes for which it can lawfully intercept communications on its network. These include purposes relating to:

• the provision or operation of the service (this specifically includes identifying, combating or preventing anything which could affect any telecommunication system by means of which the service is provided, or any apparatus attached to such a system).

• the enforcement, in relation to the service, of any enactment relating to (i) the use of telecommunications services, or (ii) the content of communications transmitted by means of such services

• the provision of services or facilities aimed at preventing or restricting the viewing or publication of the content of communications transmitted by means of telecommunications services.


The small ISP

The Act does not distinguish between large and small ISPs. So according to the letter of the Act any of the warrants and powers could apply to a small ISP.

However, the draft Codes of Practice suggest that the powers mandating permanent capabilities will generally be applied to the larger players:

• Interception and equipment interference: Small companies (with under 10,000 users) will not be obligated to provide a permanent capability, although they may be obligated to give effect to a warrant.

• Bulk communications data acquisition: In practice, technical capability requirements will only be placed on companies that have to make significant technical changes in order to comply with the requirements of a bulk acquisition warrant.

• Communications data acquisition: In practice, technical capability requirements will only be placed on companies that are required to give effect to notices or authorisations on a recurrent basis.

For data retention various factors will be taken into account, including the size or growth rate of a CSP and the number of requests for communications data it receives. A niche market or geographical area served by a CSP may also be a factor.

A small ISP will benefit from the same broader lawful authority purposes as a large provider.


The cloud-based service provider

Most of the Act’s powers apply to ‘telecommunications operators’. This includes not just network providers, but the provider of a service that facilitates the creation, management or storage of communications transmitted, or that may be transmitted, by means of a telecommunication system.

This definition is intentionally broad, as can be seen from the draft Codes of Practice: “Internet based services such as web-based email, messaging applications and cloud-based services” are covered.

Social media companies will also be in scope.


The non-UK communications provider

If an operator is outside the UK and provides a telecommunications service to people in the UK, or controls a telecommunication system in the UK, then it is generally within the scope of the Act.

Furthermore most of the powers:

• expressly apply to non-UK persons,

• can require them to do things outside the UK and

• specify methods of serving warrants and notices on non-UK persons.

Many of the powers, however, are enforceable by injunction only against persons in the UK. The powers enforceable by injunction against non-UK persons (interception warrants and targeted communications data acquisition notices) permit conflict with the law of another country to be taken into account.

Extraterritoriality provisions were first explicitly enacted in DRIPA. They remain controversial in the Act and have drawn criticism from international companies.

The powers sit within a broader canvas of ongoing efforts to improve cross-border mutual assistance procedures between nation states. There are also ongoing negotiations between some governments (such as the UK and the USA) to develop inter-state agreements allowing service providers to comply directly with some cross-border demands without risk of breaking their own countries’ laws. The Minister stated in the course of Parliamentary debates that where such an agreement is in place, that would be the government's primary route.


The online business

An online business that does not think of itself as part of the communications industry may nonetheless be providing a telecommunications service to its users and customers as part of its business. If so, the Act could apply.

According to the draft Codes of Practice:

“The definition of a telecommunications operator also includes application and website providers but only insofar as they provide a telecommunication service. For example an online market place may only be a telecommunications operator as it provides a connection to an application/website. It may also be a telecommunications operator if and in so far as it provides a messaging service.”

The current regulations under RIPA exclude from any obligation to provide an interception capability those who only provide a public telecommunications service in relation to the provision of banking, insurance, investment or other financial services. It remains to be seen whether a similar exclusion will be implemented in regulations governing the issue of technical capability notices under the new legislation.


The café providing public Wi-Fi

The café (or perhaps the operator providing the hotspot for the café's customers) would be a telecommunications operator and within scope.

The Home Secretary, when giving evidence to the Joint Committee, was asked whether data retention would be applied to people running Wi-Fi networks in coffee shops. Her response indicated that the possibility of doing so had been deliberately left open:

“It may very well be that there are circumstances where it is appropriate to have that discussion and, potentially, to ask for information to be retained. It is about having that flexibility.”


The media organisation

The provisions regarding protection of journalist sources will be of particular interest to media organisations, as will the potential for warrants, data retention notices and technical capability notices to be applied to private networks.

The National Union of Journalists and the Society of Editors regard the journalist source protections as insufficiently strong.


The provider of connected devices

Every time a customer’s connected device calls base, transmits or receives data or updates itself it is making a communication and generating communications data. That is generally within scope of the Act.


The organisation operating a private network

The Act generally applies to private networks, including those of businesses, schools, universities and even domestic households. This represents a significant shift from the powers under the existing legislation, most of which apply only to public telecommunications providers.

Would powers in fact be exercised against private networks? The Home Secretary when giving evidence to the Joint Committee was asked whether data retention notices could be applied to university or company networks. She said:

“I do not think that it would be right for us to exclude any particular type of network, because of the way in which people conduct their business and their interactions these days. However, for any individual decision, there is an onus on the Home Office to look at the necessity and proportionality of that, the technical feasibility of that, what the costs would be and what the impact on that particular CSP or network would be.”
