The controversy surrounding the state interception and surveillance provisions of the Regulation of Investigatory Powers Act, which achieved Royal Assent last Friday (28 July), has obscured significant provisions in the Act that introduce a broad new individual right to network privacy This could lay companies open to civil claims for damages and injunctions if they intercept communications - including those of their employees on their own networks
The Act pre-empts the potential effect of the Human Rights Act on employee privacy. Indeed, it goes further than might be required by the European Convention on Human Rights, since it gives a new right against state and private operators.
Section 1(3) of the Act introduces the new privacy right by creating a new tort. Any interception of a communication in the UK by, or with the express or implied consent of, a person having the right to control the operation or use of a private telecommunication system is actionable if it is without lawful authority The tort is actionable at the suit of the sender, recipient or intended recipient of the communication.
'Private telecommunication system' excludes any private network not attached to a public system. But this is likely to catch any private network on which, for instance, a user can send or receive e-mail, even via a dial-up connection. This will include most office networks. Since an employer will be the person who has the right to control the operation or use of its own network, these provisions have clear potential to affect the ability of employers to read e-mails and other communications in their own systems.
The interception must either be in the course of transmission by the private telecommunications system or by a public telecommunications system to or from the private system. The times when a communication is being transmitted are extended by section 2(7) to include any time when the system is used for storing the communication in a manner that enables the intended recipient to collect it or have access to it. So e-mail stored in a mailbox will be covered.
Interception will not be actionable if it has lawful authority. In this instance, interception has lawful authority in two situations - if the interception has, or the person intercepting has reasonable grounds for believing it has, the consent of the sender and the intended recipient of the communication.
Interception is also lawful if it is authorised by the Secretary of State under section 4(2). The Secretary of State may authorise conduct that appears to be legitimately required for the carrying on of any business, of monitoring communications of transactions that are entered into in the course of business; or other communications relating to that business.
The likely scope of the regulations is not yet known. But there must be a risk, given the fast-moving nature of technology in this area, that any regulations will be quickly outdated and have unforeseen consequences. The need to create the new network privacy right is debatable since the Data Protection Act 1998 already controls the use of personal data on private networks. The Data Protection Commissioner has staled that she intends to introduce a Code of Practice under the 1998 Act concerning tile use of personal data in employment, which would include e-mail and other electronic communications.
Article 5 of the Telecommunications Data Protection Directive, which the Act purports to implement, by which member states of the EU must secure the confidentiality of communications on public telecoms networks, appears not to apply to a private network used for private purposes even if it be attached to a public network.
Monitoring of e-mail and other communications on private networks, which has so far remained relatively free from regulatory intrusion, is about to fall prey to a serious bout of legislative overkill.
First published in Legal Week 3 August 2000.