Investigatory Powers Act 2016 becomes law

by White & Case LLP

White & Case LLP

The UK Investigatory Powers Bill has received royal assent and passed into law as the Investigatory Powers Act 2016. The Act will have a significant and far reaching impact on data, technology and communications businesses, and not just those in the UK.

On 29 November 2016, the UK Investigatory Powers Bill (the "Bill") received royal assent and passed into law as the Investigatory Powers Act 2016 (the "Act"). Published as a bill on 4 November 2015, the Act will govern the use and oversight of investigatory powers by UK law enforcement, security and intelligence agencies, strengthen safeguards, as well as introduce new oversight arrangements.

The Act builds on the work of three independent reviews undertaken during 2015 and aims to do three things:

  • consolidate the powers already available to UK law enforcement, security and intelligence agencies to obtain the content of, and data about, communications;
  • overhaul the mechanism for authorising and overseeing these powers; and
  • ensure that the powers afforded in existing legislation are fit for the digital age.

The Act has been controversial throughout its passage through Parliament due to the far-reaching powers it hands to government agencies to require technology and communications businesses, based within and without the UK, to retain personal data of their customers. Such businesses should take note, as the Act's extraterritorial reach could potentially require non-UK entities to assist UK law enforcement agencies, or even result in them becoming subject to "bulk equipment interference" (i.e., interception) warrants.

In a press release, the Home Office has stated that some provisions of the Act will not be in place for some time as they require "extensive testing". The Home Office is reportedly developing plans for implementing these provisions and will set out a timetable in due course. It further stated that such a timetable will be subject to detailed consultation with industry and operational partners, without indicating who such partners might be.

Key provisions

The Act imposes data retention and access obligations to providers of "over-the-top services", such as providers of messaging and other apps, and expands the current obligations that affect traditional telecoms companies under existing legislation. Some of its more significant provisions include:

  • Retention of Internet Connection Records ("ICRs") and communications data: Communications Service Providers ("CSPs") will be required to keep ICRs (a record of the internet services to which devices have been connected) and, when issued with a retention notice, communications data, for a maximum period of 12 months for access by law enforcement agencies, and other public bodies, without a warrant.
  • Bulk powers and encryption removal: The Act has provisions that give certain government agencies the power to access large volumes of data. However, it requires that bulk interception and bulk equipment interference warrants may only be issued where the main purpose of the interception is to acquire intelligence relating to individuals outside the UK, even where the conduct occurs within the UK. Similarly, interference with the privacy of persons in the UK will be permitted only to the extent that it is necessary for that purpose. CSPs may also, when served with a notice, be required to remove any applied encryption to assist in giving effect to interception warrants. The Act also provides for the possibility of regulations being passed which impose obligations relating to the removal of electronic protection (i.e., encryption) applied by technology providers.
  • Overseas enforcement: The Act allows certain obligations and powers to be enforced against overseas companies through proceedings for an injunction or specific performance, together with local enforcement in the applicable overseas country using appropriate bi- or multi-jurisdictional enforcement agreements.

The Act also contains new safeguards, including:

  • A "double-lock"; the decision of whether to issue a warrant in a particular case will be taken by the newly created Investigatory Powers Commissioner ("IPC") together with one of a number of appointed judicial commissioners to determine whether the warrant is necessary and the conduct authorised under the warrant is proportionate. In urgent cases, a warrant can be issued without judicial approval subject to review by a judicial commissioner within five working days. There is a legitimate question however, as to whether review by a judicial commissioner either before or, in urgent cases, after the grant of a warrant is sufficient.
  • The IPC will have an expanded role in authorising the use of investigatory powers, and a wide-ranging and self-determined remit to oversee the use of these powers and capabilities by the security and intelligence agencies in the UK, as compared to the oversight granted to the Information Commissioner's Office under the previous regime.
  • The Act also strengthens the right of redress for individuals by allowing a domestic right of appeal from the Investigatory Powers Tribunal.

Impact on legal professional privilege

Initially, the Bar Council raised concerns that the Bill would erode legal professional privilege through: (i) its failure to distinguish between privileged and non-privileged communications; and (ii) the power given to authorities to monitor "sensitive, highly confidential communications that have nothing to with criminality, national security or threats to individuals". The government subsequently added a number of further protections for legal professional privilege. Under the Act as passed, a warrant may be issued for the interception and review of information that is subject to legal privilege. The authority issuing the warrant must have regard to the "public interest in the confidentiality of items that are subject to legal privilege". Further, the Act requires public interest, necessity and prevention of death, or serious injury, conditions to be satisfied before such a warrant can be issued.

The Bill, as originally drafted, only imposed an obligation to inform the IPC as soon as reasonably practicable of the retention of privileged information. The Act as passed requires the IPC to either: (a) direct that the information be destroyed; or (b) impose one or more conditions as to the use or retention of that information, unless there are strong public interest, safety or national security reasons justifying continued retention without restrictions. Even if these reasons exist, the IPC can impose conditions on retention which it considers necessary to protect the public interest in the confidentiality of privileged information.

Effect on the Data Retention and Investigatory Powers Act 2014

The UK's law on data retention had previously been set out in the Data Retention and Investigatory Powers Act 2014 ("DRIPA") which is set to expire on 31 December 2016, after the High Court ruled that section 1 of DRIPA was incompatible with EU law, following the Digital Rights Ireland case. The High Court ruling was confirmed by the Court of Appeal, but a subsequent referral was made to the Court of Justice of the European Union ("CJEU").

Although the CJEU heard the case in April 2016, the Advocate General Henrik Saugmandsgaard Øe (the "AG") only issued his Opinion on 19 July 2016 and the CJEU has yet to rule on the matter. In his Opinion (which is not binding on the CJEU, although AG Opinions are often followed), the AG indicated that a general obligation to retain data imposed on providers of electronic communication services may be compatible with EU law, provided that: (i) any interference with fundamental rights is in the pursuit of "an objective in the general interest", such as the fight against serious crime; (ii) the general obligation is strictly necessary (i.e., no other measures could be as effective in pursuing this objective); and (iii) the general obligation is proportionate. However, the AG also indicated that it would be up to national courts to determine whether these requirements are met.

It is unclear how the AG's Opinion, and the forthcoming CJEU decision, will impact the obligations imposed by the Act, which are more expansive than those under DRIPA. It may be the case that, following the CJEU's ruling on DRIPA, there will be a further court challenge against the Act.

Impact of the Act on businesses

The Act will impact businesses in three important ways:

  • Businesses in the online communications sector (whether traditional ISPs, or providers of over-the-top services) are likely to be classified as CSPs, and are therefore likely to face retention obligations in relation to customer data under the Act.
  • Businesses that use online communications services need to be aware that their data may be subject to interception and decryption under the Act.
  • Businesses should be mindful of the fact that, in certain limited circumstances, online communications with their legal counsel could be the subject of interception, examination and retention under the Act, even if those communications are privileged.

Consequently, businesses in all sectors should keep a close eye on developments under the Act.

Chris Ewing, a Trainee Solicitor at White & Case, assisted in the development of this publication.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising

Written by:

White & Case LLP

White & Case LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.