Government Consults on Changes to Soften UK Internet Snooping Law

The Home Office has launched a consultation that proposes to make a number amendments to their controversial internet snooping Investigatory Powers Act 2016, which at the end of last year ran into trouble after the CJEU found that some aspects were not compatible with EU law.

The IPAct contains a variety of measures, such as one that forces broadband ISPs (e.g. BT, Sky Broadband, Virgin Media, TalkTalk) to retain basic Internet Connection Records on all of their subscribers for up to 12 months (e.g. details of all the websites / servers you’ve visited), which can then be supplied to a valid authority without a warrant (here). This occurs irrespective of whether you’re even suspected of a crime.

A preliminary Code of Practice, which was published last year, suggested that an ICR’s “core information” will most likely include the customer’s “account reference, a source IP and port address, a destination IP and port address and a time/date” (details), but it noted that some providers may be expected to collect even more than this. NOTE: Access to the content of a communication would still require a warrant.

Possible Interpretation of an ICR Log (Example)

However, at the end of last year the Court of Justice of the European Union (CJEU) threatened to deal a major blow to the IPAct, which it achieved by ruling that EU law does not allow “general and indiscriminate retention of traffic data and location data,” except for “targeted” use against “serious crime” (here). The civil rights group, Liberty, has also been pursuing the Government over this ruling (here).

CJEU Statement (Joined Cases C-203/15 & C-698/15)

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary.

Access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU

After a long wait the Home Office has today published a consultation in response to last year’s judgement and admitted that “some aspects of our current regime for the retention of and access to communications data do not satisfy the requirements of the CJEU.” The consultation also includes a number of proposed amendments and notes that some related areas are still the subject of on-going litigation, which may impact the outcome.

For example, the Home Office said that national security activities fall outside the scope of EU law and are not subject to the requirements of the CJEU’s judgement, which is still being disputed through the courts. This is quite a big catch-22 because all sorts of things, including “data for the statutory purpose of crime“, could be said to fall under the guise of national security and thus outside of EU law.

Otherwise most of the amendments appear to focus upon firming up the authorisation regime and improving oversight, which should make it harder to gain access to related data. But at the same time this doesn’t strictly appear to prevent the blanket retention of data by ISPs and telephone companies.

The Government’s definition of “serious crime” is also open to question (i.e. offences carrying a potential prison sentence of 6 months or more) and they note that the CJEU ruling did not seek to define this. The documents also reveal that communications data will no longer be collected for the purpose of public health, collecting taxes or regulating financial markets etc.

Basic Summary of Proposed Amendments

The Government has given careful consideration to the judgment and we are now consulting on proposed new safeguards to ensure we comply with the judgment while still allowing the police to use communications data to solve crimes, catch paedophiles and protect the public.

The new proposals include:

* The introduction of independent authorisation of communications data requests by a new body, known as the Office for Communications Data Authorisations, under the Investigatory Powers Commissioner Lord Justice Fulford. This body will be responsible for authorising the vast majority of communications data requests.

* Restricting the use of more intrusive communications data to investigations into serious crime.

* Additional safeguards which must be taken into account before a Data Retention Notice can be given to a telecommunications operator (e.g. setting up a new Office for Communications Data Authorisations (OCDA)).

* Clarification in the code of practice of when notification of those whose communications data has been accessed can occur.

* Additional guidance in the code of practice on the protection of retained data in line with European data protection standards.

A whole heap of tedious documents have been released to accompany and explain the many changes being proposed (see them all here), although some of them may only make sense to an experienced lawyer. Clearly not everybody is going to be convinced by the changes.

Jim Killock, Executive Director of Open Rights Group, said:

“The government has evaded the main point of the Watson judgment: they cannot keep data on a blanket basis.

Without narrowing what they keep to specific places, incidents or investigations, these changes will not meet the standards set by the courts.

Combined with the so-called Request Filter, which could be a power for a police search engine for retained data, this will remain an incredibly intrusive surveillance power, unparalleled in democratic countries.”

The consultation will now run until 18th January 2018 and it’s open to responses from telecommunications operators, postal operators, public authorities that have powers under the IPAct, as well as professional bodies, interest groups and the wider public.