HomepageCommercial LawPrivate LawPublic Law & Human RightsCriminal LawEU & International LawCareers


Have Irlen Syndrome, or need different contrast? Click the button below for options.

Background Colours


Enter you email address below to subscribe to free customisable article notifications.

Alternatively, click the button below for our various RSS Feeds (available journal wide, or per section).

Communications Data: A Critical Investigative Tool or a Charter to Snoop?

Article Cover Image

About The Author

Andrew D Parker (Regular Writer)

Andrew is a pupil barrister at Cornwall Street Chambers who intends to provide specialist advice and advocacy in relation to complex crime, police, mental health law and regulatory law. He is a former senior police detective who also holds a PhD in Forensic Psychology from Kings College London.

The more the data banks record about each one of us, the less we exist.

Marshall McLuhan

In both the US and the UK, there exists a legacy of executive creativity in the means and methods by which the state has sought to intrude into its citizens’ private lives and collect their personal data. There are valid reasons for this: for example, the case for the state legitimately accessing to private communications of terrorists or those involved in serious criminality is well established and accepted.

But over the last 10 years – as technology has advanced, and the number of ways by which sophisticated criminals can hide their nefarious activities have increased – governments have sought ever more inventive means to stay ahead of game. The law therefore has a valuable role to play in ensuring these methods do not go too far.

For example, on Friday 22 June, the United States Supreme Court ruled that the US government could no longer access an individual’s cell phone location data without a warrant. Providing the majority’s ruling in Carpenter v United States [2018], Chief Justice Roberts said the law could not permit easy access to a technique whereby:

[T]he government… achieves near-perfect surveillance as if it had attached an ankle monitor to the phone’s user.  

The decision provides a forward-thinking and long overdue correction to the balance struck between the interests of public protection and individuals’ privacy rights that has been years in the making. Indeed, although concerns over American law’s failure to protect privacy predated the whistleblowing of Edward Snowden, his revelations provided the tipping point that triggered change.    

However, questions can be raised about whether such progress towards striking the right balance has been made in the UK. Indeed, in relation to certain activities, it can be argued that the UK law is lagging behind. As this article contends, while the UK’s approach has – or was, at least, intended – to be transparent, reasoned and strategic, there has rightly been severe pressure on the government to do more to strike a better balance between its collection of data and privacy rights.

The UK’s Current Law on Communications Data

Categories of Data

Paragraph 2.13 of the Home Office’s Acquisition and Disclosure of Communications Data Code of Practice (the Code of Practice) confirms that – in general - the acquisition, retention, and use of communications data in the UK is limited to the “who, when and where of a communication but not the content’. In such circumstances, authorisation for the collection of this data must be given by the designated person of one of the relevant authorities set out in Section 25(1) of the Regulation of Investigatory Powers Act 2000 (RIPA 2000).

In contrast, the interception of the content of communications in transmission requires the so-called “double-lock” of a warrant of interception granted by the Secretary of State in addition to approval by an independent Judicial Commissioner.  

Different types of data are further distinguished to ensure that more intrusive tactics receive higher levels of consideration for authorisation. For instance, The Regulation of Investigatory Powers (Communications Data) Order 2003 holds that access to traffic data can only be granted by a Designated Person (DP) of the rank of police superintendent or above, whereas subscriber data can be granted by a DP ranked an inspector or above. 

As with all information gathered by an investigating body, communications data can and should be used to prove or disprove the accounts given by suspects and witnesses. As such, it is vital that the disclosure of relevant communications data is requested early, carefully scrutinised and considered for used in court proceedings.  

The Authorisation Process

Several critical questions must be considered by a DP before authorising access to data. Firstly, they must decide whether the authorisation would be for one of the lawful purposes outlined in Section 22(2) of the RIPA 2000. For example, if the authorisation is for preventing or detecting crime, Section 81(5) of RIPA 2000 requires is to be established:

[B]y whom, for what purpose, by what means and generally what circumstances any crime was committed, the gathering of evidence for use in legal proceedings and the apprehension of the person by whom any crime was committed.

Caution, however, needs to be exercised in an investigation where it is insufficiently clear that criminal conduct is engaged. Indeed, in C v The Police [2006], the Investigatory Powers Tribunal (IPT) held that it cannot be relied upon where the conduct alleged is merely disciplinary in nature.

Secondly, they must decide whether access to communications data for that purpose is necessary and proportionate, such that it is relevant, fulfills a specific investigative objective, and the means of acquiring the data is no more than is required in the circumstances. For example, an authority may fail the proportionality test if it results in the acquisition, use or retention of significant amounts of data about an individual's communications which may be irrelevant; this represents an unjustified intrusion into the individual's privacy.

Thirdly, consideration should be given to any actual or potential infringement of the privacy of third parties (known as “collateral intrusion”) who are not subject to the specific investigation but whose data is likely to be acquired. Failing to consider, manage and minimise the risk of “collateral intrusion” may give rise to grounds for complaint or challenge.

Misuse of the Authorisation Process by Public Authorities

While the vast majority of authorisations for access to communications data appear justified and lawful, figures show that on average only 4% of applications are refused. It appears a strong internal culture of compliance with the expectation that an application will succeed exists, with a bias towards authorisation rather than challenge, correction and/or rejection when appropriate.

A big concern for the previous regulator, the Interception of Communications Commissioner's Office (IOCCO), was the so-called ‘rubber stamping’ of applications and ‘cut and paste’ approach to the wording of authorities; this may have indicated a readiness to authorise without proper consideration of the individual circumstances of each case. This became such a prominent issue that public authorities were put on notice by Paragraph 3.12 of the Code of Practice that the person authorising the access to communications must be independent of the relevant investigation when granting authorisation.

Independence is fundamental to the integrity of the process of authorisation for all categories of state surveillance. Yet, public authorities – not least police forces – have been found to serve their own interests in the use of these powers to the determinant of public confidence in a legitimate tool in the fight against serious crime. In Wilkinson v The Chief Constable of Cleveland Police [2018] – one of a series of cases brought against Cleveland Police – the IPT found that the police force had consistently misapplied the authorisation process to access communications data of journalists without any lawful basis.

Challenges to the Legislative Framework

A confluence of events has brought about significant reform to this area of law in the UK. Edward Snowden's revelations extended across the Atlantic, exposing how communications data had been acquired by the Government Communications Headquarters (GCHQ). There were also widespread phone hacking allegations, and alleged failures by the Metropolitan Police to properly investigate alleged police corruption.

Next, Big Brother Watch’s successful action before the European Court of Human Rights (ECtHR) in Big Brother Watch v UK [2014] necessitated urgent action by the government to shore-up the legislative basis for their activities. Its first attempt failed: the ill-fated Data Communications Bill attempted to broaden the state’s powers without sufficient reason and was resoundingly defeated following public outcry.

Subsequently, a new bill – which became the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014) – was rushed through Parliament. But this too blurred the lines between what constitutes data and what information is contained in the data obtained. Further issues emerged when, in  R (Davies and Watson) v Secretary of State for the Home Department [2015], David Davies MP and Tom Watson MP brought successful judicial review proceedings challenging Section 1 of DRIPA 2014 on the grounds that the blanket approach it authorised represented the government was treating the entire nation as suspects. The European Court of Justice in Tele2 Sverige AB and Watson [2016] agreed, ultimately concluding that the DRIPA 2014 exceeded the limits of:

 [W]hat is strictly necessary to the extent that it could not be justified within a democratic society.

The DRIPA 2014 was therefore repealed on 31 December 2016 and replaced by the Investigatory Powers Act 2016 (IPA 2016) which, as Alexios Ektor Koursopoulos has examined for Keep Calm Talk Law, was given a baptism of fire: it began life having been christened the “Snooper’s Charter”.

As part of this reform, the Home Office – in order to address the issue of self-authorisation impacting upon the independence of decision-makers – swiftly put into place contingencies that allowed public authorities continued access to communications data by arranging for cross-authorisation (whereby ‘administratively independent’ police forces consider each other’s’ applications). This regime will apply until April 2019, when the new Office for Communications Data Authorisations (OCDA) will provide a permanent solution by taking responsibility for all applications.   

The Regime under the IPA 2016

New Powers

Arguably, the IPA 2016 has changed the covert policing landscape beyond recognition by – on one hand – providing hitherto unseen levels of transparency, while – on the other – greatly enhancing the state’s intrusive powers.

With regards communication data, the IPA 2016 – in effect, at least – greatly extended and enhanced the scope of the existing law in terms of the way it allows public authorities to gain access to communications data without a warrant. The IPA 2016 also brings the legislation up-to-date: it introduces the valuable distinction between ‘targeted data’ and ‘bulk data’, the latter requiring a wider set of safeguards including higher levels of authority and prior approval by a Judicial Commissioner.

On the more intrusive side, however, the IPA 2016 introduces the concept of ‘filtering’, which provides a mechanism for pulling fragmented communications data together to provide a more complete analysis of a person’s communications. In addition – by allowing the general retention of data generated by people in a specific location, such as a housing estate – it appears to facilitate geographical profiling.

Perhaps the most controversial element of the IPA, however, is the power bestowed that is upon the Secretary of State by Part 4 of the IPA 2016. This allows, in specific cases, for the issuing ‘retention notices’ that require a CSP to retain communications data for 12 months. Understandably, this was subject to a legal challenge in R (Liberty) v Secretary of State for the Home Department [2018], in which the High Court that Part 4 of the IPA 2016 was incompatible with fundamental rights in EU law.

The High Court also ruled that access to retained data should be limited to the purpose of combating ‘serious crime’ and access to retained data be subject to prior review by a court or an ‘independent administrative body’. The court required the government to amend the provision accordingly by 1 November 2018, which means that cross-authorisation will limp on until April 2019 when the OCDA comes online. It remains to be seen whether Brexit – and any change to the UK’s relationship with the European Convention of Human Rights – changes this position.

Enhanced Oversight

Under the previous oversight regime, IOCCO had minimal powers of sanction. Now, however, the IPA 2016 has strengthened oversight arrangements with all measures now overseen by the newly created Investigatory Powers Commissioner's Office (IPCO) that is imbued with increased levels of sanction.

However, this widened role for IPCO brings its own risks. Judicial Commissioners are now more closely involved in operations than previously, potentially bringing into question their independence. Furthermore, the operation of Section 80 of the RIPA 2000 – which permits data collection to be authorised on the grounds of the ‘general saving for lawful conduct’ – is controversial, because it provides a potential ‘get of jail card’ for authorising public authorities to misfeasance. Indeed, while its effect is not to preclude public authorities’ requirements to act compatibly with Section 6 of the Human Rights Act 1998 (HRA 1998), it does mean that – so long as the conduct in question was authorised – any failure to do so does not make the conduct unlawful. This general immunity from legal challenge and the scrutiny of the courts for Judicial Commissioners is obviously highly controversial.

The IPA 2016 also extended the Secretary of State’s powers to make regulations to introduce new provisions for different purposes and forms of intrusion. The use of these so-called ‘Henry VIII clauses’ has been questioned by Lord Judge, the former Lord Chief Justice of England and Wales: he expressed concerns that powers are being ceded to the executive that should be retained by Parliament at such a rate that society risks becoming immune to it, thereby sliding towards a Big Brother state.  

Aware of such criticism, the introduction of the OCDA represents the government’s attempt to obviate various challenges to, and build confidence in, the new regime; not least by remedying an apparent lack of independence within self-authorisation, the inconsistency of process and non-compliance with oversight. However, while the OCDA sits independently to the Home Office, it still resides within the Cabinet Office, raising questions as to the extent to which this new body will be truly independent of the executive arms of the state. This arrangement is likely to be challenged.

There are, nevertheless, optimistic signs of independence with the recent publication of the (IPCO’s first Advisory Notice (the AN). This explains that the function of the Judicial Commissioners is to review and, if appropriate, approve the decision to issue the warrant; otherwise referred to as the ‘double-lock’. In doing so, the Judicial Commissioner must consider the decision-maker’s conclusions on necessity having regard to the grounds upon which the warrant was issued and whether the conduct authorised is proportionate to the operational objective to which it relates.

The AN holds Judicial Commissioners must ‘apply the same principles as would be applied by a court on an application for judicial review’ and consider necessity and proportionality ‘with a sufficient degree of care’ to ensure compliance with the over-arching privacy protections set out in Section 2 of the IPA 2016. The test to be applied is not the so-called Wednesbury reasonableness but the enhanced standard of proportionately that considers whether there has been an interference with fundamental rights and the HRA 1998 and/or EU law is engaged.

For the first time, detailed guidance is provided on what proportionality means at a practical level. Decision-makers will be increasingly required to explain what they understood proportionality to mean in relation to the relevant case and to demonstrate an assiduous adherence to the practical steps involved in its proper application. The AN also emphasises the duty of candour for those making applications. Failures to discharge this onerous duty will lead to adverse findings against public authorities before the IPT.

Remedies for Non-Compliance

Non-compliance may give rise to the question of abuse of process or admissibility where there is an allegation of entrapment or misfeasance. In R v Moore and Burrows [2013], the Court of Appeal held that ‘authorisation and supervision of the operation’ was one of the factors that the court should consider when determining applications to stay proceedings or exclude evidence in criminal proceedings. This, however, is significantly limited; as the House of Lords explained in R v Looseley [2001]:

[T]he conduct of the authorities must be so seriously improper as to bring the administration of justice into disrepute and result in an affront to the public conscience in any subsequent prosecutions. 

Although there has been a cultural shift towards being less tolerant of misconduct of public authorities – particularly if motivated by bad faith or a belief that the ‘ends justify the means’ – there remains no absolute rule in English law that evidence obtained illegally is automatically inadmissible. The Supreme Court in R v Maxwell [2010] set out the general categories of cases that may give rise to a stay of proceedings:

  • Where it would be impossible to give the accused a fair trial; and,
  • Where it offends the court's sense of justice and propriety to be as to try the accused in the circumstances.

Under the second limb of this test, it may be possible to run an abuse of process argument; for instance, it would probably apply in circumstances where bulk data has been used without a clearly defined lawful purpose or as a means of identifying and prosecuting retrospective criminal communications, involving gross collateral intrusion. But such limited grounds are highly fact-sensitive.   

This may be mitigated somewhat by Section 78 of the Police and Criminal Evidence Act 1984, which provides for the exclusion of unfair evidence:

[I]f it appears to the court, having regard to all the circumstances, including the circumstances in which the evidence was obtained, the admission of the evidence would have such an adverse effect on the proceedings that the court ought not to admit it.

Nevertheless, this is again limited by case law, with the Court of Appeal in R v Williams [2012] holding that the breach should be significant and substantial before it can be excluded, and generally only if there is no alternative remedy. Again, the success of such applications will depend on the circumstances in the case.

Perhaps the most effective remedy to unjustified state intrusion into an individual’s privacy is to bring a complaint to the IPT, the most the appropriate tribunal for the purposes in relation to proceedings under Section 7 of the HRA 1998. Since its inception, the IPT has received a steadily increasing number of complaints, as the public has become aware of its existence as an effective route of legal recourse. The IPT, if it finds a breach of the RIPA 2000 or the IPA 2016 – can order an authorisation to be quashed and/or the deletion of all personal data and/or compensation.

The IPA 2016 additionally provides a new right of appeal inserted into Section 67A of the RIPA 2000. In tightly prescribed circumstances, a ‘relevant person’ can appeal against a determination on an on a point of law arising by the IPT that it made when considering an authorisation. Permission to appeal is required – either from the IPT itself or the appellate court – and the threshold for granting permission is high: an appeal must raise an important point of principle or practice or another compelling reason for granting permission must exist.


Judgement as to whether the IPA 2016 addresses the imbalance between privacy and the protection of the public, through effectiveness of the safeguards it purports to embrace, will depend not just on operational results but also the outcome of numerous ongoing challenges to the extent of its powers, the application of its provisions, and how these will be interpreted by the courts in due course.

Some obvious areas of high risk remain for the privacy of individuals: the operation of judicial approval and how the Investigatory Powers Commissioners and Judicial Commissioners will apply judicial review principles in their considerations; the limited protections offered the sensitive professions; the practical implications for disclosure in criminal proceedings; how the super-regulator IPCO and new authorising body will adapt to their vastly increased sets of functions; and, the inevitable creativity applied to the few remaining dark spaces for state intrusion such as end-to-end encryption and the dark web.

For the latest articles straight to your inbox, you can subscribe for free. Alternatively, follow @KeepCalmTalkLaw on Twitter or Like us on Facebook.

Tagged: Anti-Terror, Courts, Criminal Law, Data Protection, Justice, Privacy Law, Rule of Law, Technology

Comment / Show Comments (0)

You May Also Be Interested In...

'In Your Defence: Stories of Life and Law': An Interview with Sarah Langford

5th Mar 2019 by Malvika Jaganmohan

Harkins v UK: Highlighting the Importance for Discourse on Extradition

9th Jan 2018 by Kateřina Hemalova (Guest Author)

A Damaging Disclosure Culture? Lessons from the Allan Case

24th Dec 2017 by Andrew D Parker

The Illegality of Guantanamo Bay

30th Oct 2015 by Sophie Cole-Hamilton

The Semi-Secret Terror Trial - A Leap of Faith in the Judiciary

13th Jun 2014 by Merry Van Woodenberg (Guest Author)

All Bark and No Bite? ‘The Pitbull’ Gerrie Nel

22nd May 2014 by Joseph Switalski (Guest Author)

Section Pick March

Coronavirus and the ECHR: Should the UK Trigger Article 15?

Editors' Pick Image

View More


Keep Calm Talk Law: Moving Forward

3rd Sep 2019

Changing of the Guard: Moving Keep Calm Talk Law Forward

12th Aug 2018

An Anniversary or Two: Four Years of Keep Calm Talk Law

11th Nov 2017

Rising from the Ashes: The Return of Keep Calm Talk Law

18th Nov 2016

Two Years On, Keep Calm Talk Law’s Legacy is Expanding

11th Nov 2015


Javascript must be enabled for the Twitter plugin to function. Click below to visit us on Twitter.

Free Email Subscription

Subscribe to Keep Calm Talk Law for email updates, and/or weekly roundups. You can tailor your subscription on activation. Both fields are required.

Your occupation / Career stage is used to tailor your subscription and for readership monitoring.

Uncheck this box if you do not want to receive our monthly newsletter.

By clicking the Subscribe button, you agree to our privacy policy and terms of service. Please ensure you read these in full.

Free Subscription