Dead on Arrival: The Investigatory Powers Act 2016

About The Author

Alexios Ektor Koursopoulos (Former Private International Law Editor)

Alexios is a law graduate from Sussex University. Soon after completing his LLB, Alexios began working on his own medical start-up. Alongside his LLB, Alexios has successfully managed promotion companies in Brighton after working his way up the ladder, managing over 100 people at times. Outside the law, Alexios kick-boxed for a few years in Greece and still enjoys the odd training session when his schedule allows it.

The UK has just legalised the most extreme surveillance in the history of western democracy.

Edward Snowden

The Investigatory Powers Act 2016 (IPA 2016) is one of the most lengthy and controversial pieces of legislation enacted by Parliament in its 410-year history. Nicknamed the ‘Snoopers’ Charter’, the IPA 2016 grants UK intelligence agencies and the police some of the most potent surveillance powers anywhere in the Western world.

Though it is, in essence, a statutory codification of the powers that the Investigatory Powers Tribunal (IPT) discovered had been previously exercised by the authorities (without a sufficient degree of oversight or public knowledge), the IPA 2016 has been widely lamented by privacy groups who argue that the powers it grants are more suited to a dictatorship than a democracy. For such groups, it is surely welcome that the IPA 2016 is soon to face scrutiny from the European Court of Justice (ECJ) after the IPT requested, using the procedure under Article 267 of the Treaty on the Functioning of the European Union, a preliminary reference on whether the IPA 2016's provisions are in breach of EU law.

In light of this development, this article seeks to critically assess the IPA 2016 and the extent to which its introduction was necessary and satisfactory. After examining the legislative background that led to its implementation and tracking its relationship with leading cases regarding data retention – both before and after its enactment – this article will also consider the future of privacy legislation on a domestic level in the light of Brexit.

A History of Data Retention

An Evaluation of the Legislative Background

After a close examination of the UK’s legislative history in the area of privacy and data retention dating all the way back to the nineteenth century, it is hard to avoid concluding that there has been a repeated failure to deliver satisfactory legislative control over the interception of communications. Indeed, though this article’s primary focus is the IPA 2016, an analysis of the antecedent legislation is necessary when attempting to understand and criticise the rationale behind the evolution of the current legislation.

In the 1980s, following the ruling of the European Court of Human Rights (ECtHR) in Malone v UK [1984], the UK government was forced to introduce via statute a more precise outline of the circumstances in which, and the mechanisms with which, it would allow for the lawful interception of communications. It therefore implemented the Interception of Communications Act 1985 (ICA 1985), which sought to provide a comprehensive statutory framework for the interception of communication and outline the remedies for those wishing to complain that interception had been improperly authorised.

Section 2(1) of the ICA 1985 empowered the Home Secretary to issue warrants regarding interception when considered to be for matters of national security, for protecting the economic welfare of the UK, or for preventing serious crime. Furthermore, Section 7 of the ICA 1985 established a Tribunal to hear cases regarding interception of communications of which the decisions were not subject to judicial review by the courts.

The legal framework of the ICA 1985 was heavily criticised; not only was it extremely vague – especially regarding the grounds for interception – but by placing limitations on the jurisdiction of the Tribunal, it also heavily restricted parliamentary and judicial scrutiny of the government’s interception activities.

Furthermore, it was also soon to be discovered that the provisions of ICA 1985 had not been drafted in a way that permitted an interception activity on which the government had placed great weight: in Halford v United Kingdom [1997], the ECtHR held that the scope of the ICA 1985 was such that it did not in fact render lawful the interceptions of calls carried out on private telecommunication networks.

The government was forced to respond. In 1999, it published a consultation paper – the Interception of Communications in the United Kingdom – which suggested regulatory reforms of the existing statutory framework that would aim to widen the scope of the legislation. This consultation resulted in the introduction of the Regulation of Investigatory Powers Act 2000 (RIPA 2000), the successor of the ICA 1985 and one of the most significant legislative attempts at regulating and recognising state surveillance in modern times. RIPA 2000 – some provisions of which are still in operation – attempted to provide a more comprehensive framework, containing provisions which Vincents Okechukwu Benjamin describes as allowing for:

the interception of communications, the acquisition and disclosure of communications data, surveillance, the use of covert human intelligence sources, and the decryption of data.

Nonetheless, as with its predecessor, RIPA 2000 was subject to heavy criticism, much of which derived from a constitutional and human rights standpoint. Commentators questioned the compatibility of RIPA 2000 with Article 8 of the European Convention on Human Rights (ECHR), which requires that data retention measures must be proportionate and appropriate so as to balance the interests pursued against the rights of citizens to privacy. And in light of the number of public authorities which had the right to access communications data retained under RIPA 2000, and the extensive purposes for which access could be granted, it was highly doubtful that striking the right balance was possible.

Legal Challenges to Data Retention

One of the most significant challenges to the legality of data retention came in a challenge before the ECJ against Directive 2006/24/EC (the ‘Data Retention Directive’ or ‘DRD’) which came into force in 2006. The DRD required communication providers to retain and make available to national authorities certain communications data for periods varying from 6 to 24 months, depending on the Member State.

But in the Digital Rights Ireland [2012] case, the ECJ sought to strike a more appropriate balance between the protection of freedom and privacy of citizens and the Member States’ duty to provide security. Specifically in this case, it deemed the DRD invalid. Referring to the rights outlined in Article 7 and Article 8 of the EU Charter of Fundamental Rights, which cover the rights to respect for private and family life and the protection of personal data respectively, the ECJ ruled that:

Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.

Essentially, as Paul Bernal has explained, the ECJ’s decision confirmed that the intrusions into fundamental rights that the DRD authorised were disproportionate, noting:

‘[I]t applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime’ and that it ‘fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data.’

As a result of the ECJ’s decision in Digital Rights Ireland [2012], the UK Coalition government – eager to maintain the police and security agencies’ ability to access communications data in order to combat crime and terrorism – rushed through an emergency bill over the course of three days in July 2014. Fast-tracked through Parliament and undergoing minimal scrutiny – though it did contain a “sunset” clause which provided that it would cease to exist by the end of 2016 – this Bill was officially enacted as the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). It retained the previous law’s requirement for compulsory communications data retention by public telecommunications operators for up to 1 year, but – at least in theory – introduced new safeguards in accordance with the general principle of confidentiality of communications required under EU law. 

Although the new safeguards introduced by DRIPA 2014 seemed to satisfy the government, they did not satisfy ‘anti-snooping’ campaigners, including organisations like Liberty and the Law Society, and high-profile MPs like David Davis and Tom Watson. Indeed, in David Davis and others v Secretary of State for the Home Department [2015], the High Court heard a legal challenge against DRIPA 2014 in which campaigners argued that the data retention regime it mandated was incompatible with EU law on the grounds that, by having all their communications activities data retained without their consent, it constituted a breach of the average citizen’s privacy.

The campaigners were successful in the High Court, so the government appealed to the Court of Appeal which, in its decision, referred the case to the ECJ for a preliminary ruling. The ECJ, considering the matter in the joint case of Tele2 Sverige AB and Watson [2016] (‘Watson’), was unambiguous in its decision, holding that blanket data retention is not lawful under EU law. Commenting that retaining communications data would ‘allow very precise conclusions to be drawn concerning the private lives of the persons’, the Court held that DRIPA 2014’s permitting of the retention of location and traffic data was intrusive. In the view of the ECJ, such retention could not be taken lightly, and could be justified only if its objective was to fight serious crime. Specifically, the ECJ stated that:

legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security … therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.

Underlying the ECJ’s decision, though, was its desire to emphasise that EU law did not in any way prevent Member States from retaining targeted data; nonetheless, it was also clear that it does provide for a threshold of strict necessity which DRIPA 2014 did not satisfy.

The Investigatory Powers Act 2016 – Dead on Arrival?

Given that the regime under DRIPA 2014 was set to expire at the end of December 2016, the government introduced the IPA 2016 to fill the lacuna left behind (though it should be noted that some provisions of RIPA 2000 remain in force).

The IPA 2016 seeks to govern the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies. Its implementation grants public authorities, including intelligence agencies, councils, and the police, statutory access to retained communications data without a warrant, unless the access regards data in ‘bulk’.

Following Digital Rights Ireland [2012], EU Member States are required to consider carefully the scope of people from which data is retained. Under IPA 2016, however, data in relation to everyone in the United Kingdom or in relation to any communication controlled from the United Kingdom can be retained: a definition which practically includes everything and everyone from people or providers, to websites and applications.

Worryingly, Part 4 of the IPA 2016 introduced an element of secrecy by prohibiting telecommunication services from disclosing the fact that they have been served with a notice to retain data. The theme of secrecy is continued in Part 8 of the Interception of Communications Draft Code of Practice, which was issued by the Secretary of State pursuant to Schedule 7 to the IPA 2016. This provides that companies with over 10,000 users may be served notices requiring decryption of data, where possible. If such a notice is served the decryption process will be carried out behind closed doors as, once again, the notice will be accompanied by a gagging order on the request of the government preventing the company from disclosing the decryption notice. In addition, under the IPA 2016, authorities have access to users’ last 12 months of internet connection records and can also infiltrate a computer in the course of an investigation with the Home Secretary’s permission.

The IPA 2016 also furthered the police’s access beyond communications services like messengers to any internet web-based service, including services like Dropbox, where relevant to their investigation. And, deeply controversially as it represents a possible breach of attorney-client privilege, the IPA 2016 allows authorities to hack into advisers’ personal equipment during investigations regarding nationality and immigration offences where there are 'exceptional and compelling' reasons.

It is clear that the IPA 2016 not only incorporates the data retention powers that were granted by DRIPA 2014 into its regime but expands them to a level of such significance that the labelling of the IPA 2016 by opposition campaigners as the ‘Snoopers’ Charter’ seems apt. Indeed, it is no wonder that the compatibility of the provisions of the IPA 2016 with EU law will shortly be examined by the ECJ, and it would be unsurprising if the government were subsequently forced to significantly amend the legislation in order to achieve compliance.

Reform on an EU level and Brexit Implications

As a result of the ruling in Tele2 Sverige AB and Watson [2016], EU law in the area of data prevention underwent a comprehensive review. In order to enhance certainty levels, the EU Commission proposed a new Regulation – the General Data Protection Regulation (GDPR) – which will come into force in 2018 with the aim, as the Commission explains, of providing a new unified legislative tool that ensures greater levels of privacy in electronic communications.

The general rules of the GDPR are intended to provide for new world-class standards which will, it is hoped, strengthen security and trust in the Digital Single Market. The rules set out in previous pieces of EU legislation are to be extended to cover all modern communication services including Facebook Messenger, WhatsApp, and Gmail. Furthermore, metadata and location data will be anonymised or subject to deletion where the user has not consented to retention. And, because of the legal nature of the GDPR – a Regulation instead of a Directive – the Commission considers the new rules to be ‘stronger’ as they will have direct effect.

The new Regulation does indeed seem promising. However, in the light of Brexit, questions regarding the future applicability of the GDPR to the UK can be raised. Indeed, although the new Regulation will apply to the UK prior to the end of its EU membership as it comes into force next year, the future of the GDPR in the UK is heavily dependent on the outcome of the negotiations regarding the trade relationship.

‘Soft Brexit’

If, like Norway, the UK were to remain a member of the EEA, it would retain access to the single market and would therefore have to comply with EU laws, including the GDPR.

Alternatively, the UK could negotiate a Swiss-style model, under which it would seek to secure bilateral agreements with the EU and not be a member of the EEA. Although EU laws would not have direct effect in the UK under a Swiss-like model, there would likely be a requirement for the adoption of comparative legislation in order to retain access to the single market. In relation to data protection legislation, for example, Switzerland had to seek a decision of “adequacy” in order to enable free transfer of personal data to and from EU member states. Critically too, the GDPR will apply to Switzerland on the 28 May 2018 and will affect Swiss companies located within the EU and companies based in Switzerland that offer services or goods within the EU.

Ultimately then, if the UK wants relatively unlimited access to the single market, whether via a Norwegian or Swiss model or another bespoke arrangement, the likelihood is that it will have to comply with the GDPR.

‘Hard Brexit’

If no deal can be reached by the end of the two-year negotiation period, the WTO rules will automatically apply. This situation is considered commercially unfavourable as it grants no access to the single market and would result in the implementation of trade tariffs.

However, in terms of data regulation, the model means that the UK will not be bound to follow EU laws. Under the WTO model, therefore, the UK would have ultimate discretion to revise its data protection laws and it could adopt what some may consider a more business-friendly approach. As James Titcomb has argued:

Liberal laws on data protection could encourage investment in areas such as artificial intelligence, an area that has a tricky relationship with privacy at the best of times and in which Britain excels, as shown by the many acquisitions of home-grown AI businesses by the likes of Google.

The implications of Brexit will also have an impact on a new piece of domestic legislation: the Digital Economy Act 2017 (DEA 2017). This highly controversial Bill, which received Royal Assent on 27 April 2017, was – like DRIPA 2014 – passed with a minimal amount of debate. Part 5 of DEA 2017 has been widely criticised by privacy campaigners because it simplifies the exchange of personal data between public authorities and seems to provide no clear information about how such exchanges of data will be regulated. The compatibility of the DEA 2017 with EU law, as with the IPA 2016, is doubtful and its ongoing survival may thus depend on the model which is adopted post-Brexit.

Conclusion

It is clear that the UK has traditionally implemented controversial pieces of legislation in the sphere of data protection. However, it is arguable that the IPA 2016 was the drop that spilled the cup, as it granted the government unprecedented surveillance powers that may well be found to be incompatible with EU law.

But in a post-Brexit world, the extent to which this will matter – and the extent to which the UK will have to comply with EU law – in the future is rather uncertain. It is thus impossible to make accurate predictions regarding the future of data regulation. Yet if one thing is certain, the fast-paced technological advancements in communications and the political uncertainty regarding the UK as a whole, and data regulation specifically, mean that the government’s troubles in successfully legislating in this area are far from over.
