The Investigatory Powers Act 2016 (the “Act”) has recently received Royal Assent and become law. Replacing the Regulation of Investigatory Powers Act 2000, the Act details the powers the police, security and intelligence agencies hold which allow them to collect and access electronic communications. The Act is due to come into force in early 2017. The UK Government has said that the Act “will ensure that law enforcement and the security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks, subject to strict safeguards and world-leading oversight”.
The legislation, as promised by the Government, has been passed prior to the repealing of the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) which will take place on 31 December 2016. The Act updates and consolidates existing powers and revamps the ways in which they are executed and monitored. When brought into force, the Act will reform the regulatory regime under which various bodies can intercept and interfere with communications and equipment and widen existing investigatory powers.
The main focus of the Act is on “telecommunications operators”, the definition of which has a broad scope and means “a person who offers or provides a telecommunications service to persons in the UK, or controls or provides a telecommunication system which is (wholly or partly) in the UK, or controlled from the UK”. The scope of “telecommunications system” is also wide, covering “any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)”, which includes “facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system”.
Many of the Act’s provisions have been seen as controversial and have received wide-spread press coverage as they affect inpiduals and businesses alike and have been said to be too far-reaching. One of the Act’s most notable creations is the internet connection record. Companies providing communications services, such as ISPs and phone networks, must store customer communication data for one year, which includes keeping a list of every website accessed. This new record may be accessed by various law enforcement and intelligence agencies without warrant, “to disrupt terrorist attacks and prosecute suspects”. The list of authorised bodies is extensive and includes the Police, GCHQ, MI6, the MoD, HMRC and the Home Office, as well as the Food Standards Agency and the Gambling Commission.
Concerns, especially in the Technology community where intellectual property and data protection is key, have been raised regarding access to data by government and law enforcement. Where data protection is crucial to the success of a business, those in the IP and IT sector may be anxious about the effect the Act may have on data security. The issue of trust may also be relevant to the fintech industry, with fears being raised that consumers may begin to lose faith in the security of their personal data when conducting online banking. The result of this could be a step back technologically speaking, if customers become wary of technology, akin to attitudes towards online banking and financial services in the early 2000s.
With the EU General Data Protection Regulation fast-approaching, some have highlighted the contrast between the tight privacy controls put in place by the GDPR, and the requirements under the Act for companies to collect inpiduals’ data, which may make companies more of a target for cyber-attacks. Companies should ensure that their data storage and encryption procedures are up-to-date and watertight to alleviate any concerns customers may have. The Government states that both the privacy and security of the public is protected by the Act, by introducing:
- a “double-lock” for the most intrusive powers, so that warrants issued by a Secretary of State will also require the approval of a senior judge;
- a powerful new Investigatory Powers Commissioner, to oversee how the powers are used;
- new protections for journalistic and legally privileged material, and a requirement for judicial authorisation for acquisition of communications data that identify journalists’ sources; and
- tough sanctions – including the creation of new criminal offences – for those misusing the powers.
It has been said by the Government that some of the Act’s provisions will require extensive testing and will not be in place for some time.
