Spooky new powers for the FCA
We all thought that Halloween was last week, right? Wrong!
The Government has now formally announced its plans to allow various public bodies (including the FCA) to spy on your digital footprint. That's right readers, the FCA may soon have the power to identify who is reading this blog!*
On Wednesday, the Home Secretary, Theresa May, introduced the Government's new "Investigatory Powers Bill" to the House of Commons. This bill is the Government's latest attempt to enact the so-called "Snoopers' Charter" as it has been dubbed by its critics.
Understandably, press attention has been focussed on the new and more intrusive surveillance powers being granted to the police and security services to tackle terrorism and serious criminal activity but, buried in Part 3 and Schedule 4 of the draft bill is confirmation that new (but less invasive) investigatory powers may also be granted to various governmental agencies, including the FCA.
At the heart of the new bill is the requirement placed on "communications services providers" (CSPs), e.g. broadband providers, mobile phone operators etc, to keep "internet connection records" (ICRs). In the Government's guidance, that this appended to the draft bill, an ICR is described as a type of "communications data" that is a "record of the internet services a specific device has connected to, such as a website or instant messaging application", but it is not a person's "full internet browsing history".
Confused? Yes, well so am I. What is the dividing line between an obtainable ICR and a person's "full internet browsing history"? The answer to this question is not apparent from the current draft bill and, if enacted, I fully expect this dividing line to be litigated.
Nevertheless, if enacted, the bill will allow the FCA to request your ICR(s) from your CSP(s) if: (1) the request is authorised by a "designated senior officer" (DSO), which, in the case of the FCA, will be the "head of department in the Enforcement and Market Oversight Division"; and (2) a Single Point of Contact (SPoC) has been "consulted". A SPoC is not an alien being from the planet Vulcan, but another DSO from a separate public authority who can provide 'independent' advice to the relevant DSO regarding the proportionate and necessary nature the particular request.
As currently drafted, the bill will allow the FCA to request ICRs for any person (not just regulated persons) if the DSO (after consulting a SPoC) considers the request to be "necessary and proportionate":
- for the purpose of preventing or detecting crime or of preventing disorder; or
- for the purpose of exercising functions relating to: (i) the regulation of financial services and markets; or (ii) financial stability.
In addition for the need to consult a SPoC and establish that the request is "necessary and proportionate", the Government has sought to build a number of general "safeguards" into the draft bill. The Government is keen to nullify the "Snoopers' Charter" criticism and avoid repeating the pitfalls of Labour's Regulation of Investigatory Powers Act 2000 (RIPA), which was also designed to combat terrorism and serious crime but was ultimately used, to pick a completely random example, by 26 local authorities to spy on dog owners and identify whose animals were responsible for canine faeces. Therefore, in an attempt to ensure that public authorities do not abuse these new powers, the draft bill includes the following key "safeguards":
- It will be a criminal offence to "knowingly or recklessly [obtain] communications data from a telecommunications operator without lawful authority". Committing this offence could result in a fine and/or sentence of up to two years in prison; and
- A new quango called the "Investigatory Powers Commission" will be set up to oversee the administration of the new powers and ensure they are used sparingly.
Interestingly, for the time being, the PRA is not included in the list of public bodies in Schedule 4 (although this list can be easily amended by the Home Secretary before and/or after the bill is enacted). This suggests to us that these new powers are intended to be limited to assisting the FCA in its role in prosecuting criminal and civil allegations of market abuse and breaches of the regulatory perimeter. However, in our experience, when public bodies are granted new powers, they are very keen to use them whenever and wherever possible. It is not clear whether the proposed "safeguards" will curb any abuse; only time will tell in that regard.
In the meantime, the FCA, your new big brother, may soon be watching you!
*(For marketing purposes, we may prepare a FOI request to obtain this information!)