Investigatory Powers Act: Royal assent

On 29 November 2016, the Queen gave royal assent to the Investigatory Powers Bill, marking the end of the controversial bill’s passage into law.

The background

The Investigatory Powers Act 2016 (the Act) introduces several new powers, which the Home Offce says will ensure that law enforcement and the security services “have the powers they need in a digital age to disrupt terrorist attacks”. While the Act restates many existing powers, some of the new powers have attracted criticism as undermining privacy rights, including:

• collection of Internet Connection Records: Internet and communications companies will have to retain meta data of customers’ browser history for 12 months. This information includes which websites users have visited, when and for how long. Some 48 authorities, including government departments, police forces, local councils and HMRC, will be able to request this information
• equipment interference warrants: For the first time, the Home Secretary will have the power to permit security services to hack into computers, networks, mobile devices and servers
• access to “bulk” personal data sets: The Home Secretary may issue warrants to the security services to allow access to large data sets held by public and private organisations, or to permit large scale hacks, including in overseas operations.

Despite government assurances of proper oversight (there will be a new Investigatory Powers Commissioner and a “double-lock” mechanism for some of the more intrusive powers), civil liberties campaigners have criticised the Act. Bella Sankey, the Policy Director for Liberty, said the new powers “open every detail of every citizen’s online life up to state eyes, drowning the authorities in data and putting innocent people’s personal information at massive risk.”

Why is this important?

Internet and communications companies will be required to store vast quantities of meta-data relating to customers’ browsing history for at least 12 months. They will also be required to deliver this information to the relevant public authorities on request, which may prove to be a considerable burden for those companies. Against the backdrop of recent high profile data breaches, a key concern must be whether the companies that collect the data (and the authorities that access it) can keep it secure. Internet records would be a prize target for the hacker who manages to access them.

As to what all this means for the UK following Brexit, it’s hard to tell. With the UK outside the EU, how will personal data be transferred to the UK, noting that white-listed status takes considerable time to achieve? But will we even get white-listed status in light of the Act’s reach? Noting of course that it was just these types of investigatory powers which resulted in the death of the US Safe Harbour at the hands of Max Schrems…

Any practical tips?

Although the government has confirmed that a number of provisions in the Act will not come into force straight away, you should consider if your business is storing any data caught by the Act, and the extent of your obligations governing data storage and (potentially) its secure delivery to public authorities.