Background
The government has recently announced its intention to legislate to update the 2016 Investigatory Powers Act (IPA), via the Investigatory Powers (Amendment) Bill. The Bill encompasses several changes to the IPA 2016, including modifications to the bulk personal dataset regime and internet connection records.
Of particular concern to techUK and its members are the proposed changes to the notices regime, set out in Part 4 of the Bill. techUK had previously set out its concerns in response to the Home Office's consultation on proposed changes to the notices regime (see here for more information). We thank the Home Office for their engagement. However, many of the concerns raised by techUK members have not been adequately addressed between the consultation and the final Bill. Members have also raised that while the Bill states it aims to provide small technical improvements the true impact of these could be far greater.
The notices regime provides for three different kinds of notices that the government can impose on service providers under the IPA 2016 scope: data retention notices (DRN), technical capability notices (TCN) and national security notices (NSN). The Bill would introduce a set number of changes that would apply to all three types of notices. We set out our key concerns in relation to those changes below.
Proposed changes
The Home Office asserts that the changes set out in the Bill are “not about expanding the powers but about maintaining them, and ensuring their effectiveness, in the modern digital economy,” and that they seek “to protect the existing capabilities that keep our citizens safe.”[1]
While techUK and our members strongly support these aims, based on the publicly available information, we believe that this statement does not reflect the true significance of the changes that are being introduced.
We are of the view that some of the changes set out in the Bill have the potential to be very far-reaching. We are concerned that the proposed changes could upset the balance struck in 2016 between the legitimate aims of national security and public safety, and user privacy and security of the internet.
This risks creating concerns over government invasion of user privacy and making it difficult for some companies to continue to innovate their services for their users globally, including enhancing privacy, integrity and security through technologies like end-to-end encryption. Additionally, these changes could exacerbate conflicts of laws and make the UK a less attractive place to invest, thus contradicting the essence of the Prime Minister's plan for innovation.
1. Global effects of the expansion of the regime scope
The Home Office said that it had identified gaps in the current application of the IPA 2016, stemming from the rapidly evolving nature of companies and their business operations, with their global structures becoming increasingly complex. The Bill seeks to address these gaps and ensure the Bill continues to apply to all those it was intended to by expanding the scope of the regime in two ways:
- Extraterritoriality: Clause 16 of the Bill expands the scope of the legislation to allow extraterritorial enforcement of data retention notices on companies whether they are in the United Kingdom or not, bringing it in line with technical capability notices.
- Bringing new entities into scope: Clause 18 of the Bill broadens the scope by including additional ‘entities' of companies. This is achieved by amending the definition of telecommunications operator to encompass not only UK-based companies, but also those not entirely based in, or controlled from, the UK. Furthermore, the Bill introduces measures aimed at ensuring that “large companies with complex corporate structures are covered in their totality by the IPA 2016”. Finally, the changes clarify that technical capability notices can be issued to one part of a company regarding the capabilities of another part.
The Home Office suggests that the proposed changes will not bring any new companies into scope, only new ‘entities.' However, we have strong reservations regarding the lack of clarity around what type of entities fall within the scope. Unless this definition is designed correctly then the Home Office may give the impression or create powers to capture new companies running contrary to the stated intentions of the Home Office.
This could have serious global repercussions. Additionally, it could infringe upon the sovereignty of other nations, their rule of law, and users' expectations in those countries not to be surveilled by foreign governments, and could make the UK a less attractive place to provide technology services, disadvantaging consumers.
2. Ensuring the security of consumers
Clause 20 sets out that the Secretary of State “may give a relevant operator a notice in writing under this section requiring the operator to notify the Secretary of State of any proposals of the operator to make any relevant changes specified in the notice.” The legislation defines relevant operators as “operators that provide lawful access of significant operational value and who currently provide assistance with warrants, authorisations or notices under the IPA 2016.”[2]
The Home Office has stated that the “notification requirement will not allow the Secretary of State to prevent a technical change to an existing service, rollout of a new service or any other relevant change. Equally, it is not intended as an approval mechanism. There will be no method within the notification requirement itself for the Secretary of State to intervene in any way with the decision the operator has chosen. The requirement will be just to notify the Secretary of State. The notification requirement is intended to ensure law enforcement and other relevant public authorities have time to adjust accordingly and mitigate the impacts wherever possible to continue to keep the public safe.”[3]
However, we have concerns regarding scenarios where, if an operator informs the Home Office of a planned change, the Home Office could then use this as a basis to start a notice process, which, if successful, could lead to the Home Office requiring operators to make changes to their systems or products. This would in effect could grant the Home Office de facto power to prevent companies from making changes to their services that are in the interests of their customers.
Ensuring the operation of the IPA regime does not compromise the security of the internet, or privacy of its users, is of utmost importance. As techUK members have previously stressed, this is essential for their continued ability to innovate and offer products and services that empower individuals in their personal and professional lives, including through offering improved privacy, security and safety measures like end-to-end encryption.
3. Providing transparency and accountability
The Home Office outlined its consultation process for proposed changes, including an internal review by the Home Secretary and a subsequent review by Lord Anderson. A separate consultation, focused on notices regime, was then carried out.
However, techUK members noted that the review had come as a surprise to many, with the government not having sufficiently informed its key stakeholders.
Furthermore, the notices regime consultation was perceived as very high-level, generating numerous additional questions, particularly regarding the unclear definition of what new ‘entities' will be in scope. Consequently, there are concerns about the absence of further formal consultation on specific proposals, which could have addressed these pivotal questions.
Despite these industry-wide concerns, the government has swiftly introduced the Bill, raising apprehension about the speed of its passage through the Parliament and a lack of proper scrutiny.
Our overarching concern is that the significance of the proposed changes by the Home Office might be downplayed. Therefore, we stress the critical need for adequate time to thoroughly discuss these changes, highlighting that rigorous scrutiny is essential given their potentially severe impacts.
Some of the questions that we would welcome more clarity on
- Given the concerns raised about the lack of clarity on what new 'entities' will be in scope, how will the Home Office ensure specific definitions provided in the Bill to avoid potential misunderstandings?
- How will the Home Office ensure that the extraterritorial application of data retention notices do not exacerbate the conflict of laws?
- How will the Home Office ensure that there is sufficient time and rigorous scrutiny for the proposed changes, considering their potentially severe impacts?
[2] Paragraph 296 of the Explanatory Notes: https://bills.parliament.uk/publications/52906/documents/3980