The IPA sets out statutory powers used by public authorities, including law enforcement and the UK intelligence community, to obtain communications data. The notices regime, which is set out in the Act, provides for three different kinds of notices that the government can impose on service providers falling within the IPA's scope: data retention notices, technical capability notices and national security notices.
The IPA was legislated for after a lengthy period of debate about how to safeguard national security while also respecting individuals' fundamental rights and embedding safeguards including transparency and judicial authorisation. The end result was a regime that allowed authorised agencies to seek lawful access to data and to give notices where necessary and proportionate. It also provided recourse for service providers to seek a review of notices if they felt these were disproportionate, unlawful or conflicted with other laws that applied to them.
The Home Office is now reviewing how these notices operate. The Home Office states that this consultation is “not about the creation of new powers, it is about the efficacy of long-standing powers the necessity of which has long been established.” However, based on the information that has been made public so far, we believe that this statement understates the significance of what is being considered. Some initial work focused on data retention has been conducted by Lord Anderson KC; however, this does not cover the full extent of the proposals raised in this consultation.
Currently, it appears that some of the objectives set out in the consultation have the potential to:
- remove important safeguards concerning the use of existing powers under the IPA, or introduce new legal obligations and powers without clarity on what safeguards will surround their use;
- exacerbate conflicts of laws that put global businesses in impossible positions and make the UK a less attractive place to invest; and
- negatively affect how attractive the UK is as a place for techUK members, hindering businesses' ability to innovate their services for their users globally, including to improve the privacy, integrity and security of their services, for example via gold standard technologies like end-to-end encryption.
At the moment, techUK and its members are concerned that the reforms proposed to the IPA in this consultation could upset the balance struck in 2016 between the legitimate aims of national security and public safety, and user privacy and security of the internet. This risks creating concerns over government invasion of user privacy and making it difficult for some companies to continue to provide their services in the UK by removing vital avenues for recourse and creating a burdensome notices regime.
Members are also mindful that any change in the UK could become a model for less democratic governments and must be worthy of emulation overseas.
We urge the government to provide more information about the proposed changes to the IPA notices regime, and in particular the rationale for the necessity and proportionality of the proposed powers, along with detailed explanations of the safeguards being considered, so that we can fully understand their implications.
We also urge the government to engage with techUK members and other stakeholders in a constructive dialogue to ensure that any changes to the IPA are made in a way that protects privacy and civil liberties, while also ensuring that the UK remains a competitive and attractive place for digital service providers. We also believe that any proposed changes to the IPA should undergo thorough debate, analysis and parliamentary scrutiny. This was also stressed by Lord Anderson in his review for the Government covering data retention notices.
Below we set out our perspective on the proposed changes and the implications they could have for user trust and privacy as well as the business environment for digital service providers in the UK.
Getting the right balance on investigatory powers
techUK and its members are concerned that some of the proposed changes could be disproportionate and impractical and remove important procedural safeguards concerning the use of existing powers under the IPA, or introduce new legal obligations and powers without clarity on what safeguards will surround their use.
For example, it is proposed that companies must comply with a notice before any requested review is completed. This would deprive companies of the opportunity to seek a review of the appropriateness of a notice before being obliged to follow it, effectively nullifying the impact of an eventual appeal and weakening a vital safeguard established in the IPA 2016.
We are specifically concerned that, in situations where a notice requires a firm to collect and disclose specific communications data, if the firm discloses the data during the review process, even if they eventually win the review and do not have to comply with the notice, then that disclosure cannot be undone - in practice removing the intended safeguard.
Furthermore, there are concerns regarding the proposed but unspecified expansion of the notice regime's scope with respect to service providers overseas. This proposal raises serious questions. For example, it is unclear what sort of departure from the status quo is envisaged here and whether this change would amount to UK surveillance being extended into other territories.
It is also unclear whether the proposed changes are intended to bring new categories of companies into the notice regime including those providing infrastructure to providers of consumer services. The intent of this proposal could have significant consequences and therefore further clarity is needed on this point.
techUK and its members have additional concerns that the proposed changes could amount to UK legal entities being held liable for the actions of different legal entities in other jurisdictions over which they have no control.
This would risk undermining the principle established during the Bill stages of engaging with entities closest to the user and could disrupt the transparency commitments made by international providers regarding their responses to government data access requests, in turn making the UK a less attractive place to provide technology services. The potential creation of conflicts of law which companies cannot resolve is also a critical consideration.
Ensuring user trust and a secure internet
Ensuring the operation of the IPA regime does not compromise the security of the internet, or privacy of its users, is of utmost importance. As techUK members have submitted in previous consultations on the IPA, this is essential for their continued ability to innovate and offer products and services that empower individuals in their personal and professional lives, including through offering improved privacy, security and safety measures like end-to-end encryption.
Several aspects of the proposed changes risk being overly intrusive, and could negatively impact techUK members' ability to innovate their services for their users - indeed, they could see operators required to forgo such development altogether, even as threats to users' data security continue to grow.
The proposed requirements for “relevant” companies to refrain from making certain system or product changes during a review process, and to notify the Secretary of State before introducing certain changes to their products or services, raise particular concern. Our members are requesting clarity as to the scope of these proposals and how they intersect with government expectations that internet infrastructure will be kept secure from external threats.
Maintaining a regulatory environment that global businesses can operate in
Government has pledged to make the UK the best place globally to do digital business and to develop a climate that promotes innovation and investment. As drafted, the proposals could create a disincentive for companies to provide their services in the UK by constraining the timing of product development, launches in the UK market and potentially restricting what features are available to UK users.
Were the Government to go ahead with a general requirement to notify the Secretary of State of product changes, as suggested in the consultation, this could create an unwieldy notification regime and a logistical burden for both the government and businesses to manage. The sheer volume of reports from companies making frequent changes to their systems could inundate the government, with both time and resource costs. Further, this could make it harder and slower to identify the areas of concern while having a negative impact on businesses.
Moreover, these changes have the potential to erode user trust, which is pivotal to our members' ability to continue innovating and offering products and services that empower individuals in their personal and professional lives.
Providing clarity, continuing the dialogue and ensuring full Parliamentary scrutiny
Given the potentially far-reaching nature of what is being put forward in this consultation, it is crucial for the government to extensively engage with the industry. As consultation on these changes progresses, techUK and its members remain committed to engaging constructively with the government. It is vital to strike the right balance between security and human rights in order to build a sustainable and innovative technological landscape for both the UK and its global partners.
In light of the concerns raised, we ask Government to provide a clear and comprehensive rationale for the necessity and proportionality of the proposals, along with sufficient detail to allow companies to evaluate them.
You can read techUK's full response to the Home Office's Consultation on the Investigatory Powers Act 2016 here.