On November 29, 2016, the United Kingdom’s controversial surveillance bill received royal assent and officially became law. The nearly 300-page law, known as the Investigatory Powers Act 2016, replaces and expands upon the Data Retention and Investigatory Powers Act 2014 (“DRIPA”), which is set to expire on December 31, 2016. The new law has been heavily criticized by civil liberties groups and tech companies. The UK’s Home Secretary, Amber Rudd, however, referred to the new law as “world-leading legislation” that provides “unprecedented transparency and substantial privacy protection.”
According to the UK’s Home Office, the government department responsible for immigration and counter-terrorism, the new law is necessary so that law enforcement and security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks. The Home Office describes the law as “world-leading” due to the fact that its most intrusive elements require the issuance of a warrant approved by both the Secretary of State and a senior judge – referred to as a “double-lock” approval system. Additionally, a new Investigatory Powers Commissioner will oversee how the powers are used, and tough criminal sanctions can be imposed for misuse. When the legislation was introduced, former Home Secretary (now Prime Minister) Theresa May emphasized that the proposal did not compel overseas companies to comply with domestic retention obligations.
The Investigatory Powers Act’s most hotly debated provisions permit authorities to access individuals’ web browser histories without a warrant and force companies, subject to a warrant, to decrypt customer devices and data. Specifically, the law requires internet service providers and telecommunications providers to retain users’ “internet connection record,” which includes a user’s web browser history, for up to 12 months. Authorities may then access a user’s internet connection record with the approval of a “designated senior officer” within the government. The law also requires companies to maintain the ability to remove any encryption of its devices or data and to assist authorities in circumventing encryption. The threshold for requiring companies to decrypt data is high, however; it can only be achieved by obtaining a warrant through the “double-lock” system, which requires approval from both the Secretary of State and a senior judge.
Leading up to its passage, the Investigatory Powers Act was heavily criticized by civil liberties groups and tech companies. The UK civil liberties group, Liberty, said the law had “eye-wateringly intrusive powers and flimsy safeguards” and called the law “world-leading – but only as a beacon for despots everywhere.” In December 2015, shortly after the draft legislation was announced, Apple submitted an 8-page letter to the joint select committee considering the draft bill. Apple argued that weakening encryption would diminish security protections for hundreds of millions of law-abiding customers just so authorities could decrypt data for the very few who pose a threat.
The law may complicate the UK’s data transfer agreements with members of the European Union. The United States and the EU negotiated a new basis on which international data transfers from the EU to the US are permissible – the Privacy Shield. Agreement on the Privacy Shield was reached over the summer following the EU Court of Justice striking down the existing Safe Harbor data sharing agreement out of concern that it did not provide an adequate level of protection for EU citizens’ data. However, having voted to leave the EU, the UK may find itself in a position that it has to negotiate with the EU with respect to its own ability to share data within the EU.
The Investigatory Powers Act, particularly the provisions permitting bulk data collection, may face future legal challenge, as has been the case with DRIPA, which is currently subject to a challenge before the EU Court of Justice. A decision on this matter is expected by the end of the year. Although DRIPA will be repealed on December 31 and replaced by the Investigatory Powers Act, a decision adverse to DRIPA likely would impact future challenges to the Investigatory Powers Act.
