Government Responds to UK Internet Snooping Law Consultation

The Government has today published its response to the recent consultation on proposed amendments to the controversial 2016 Investigatory Powers Act, which among other things would force broadband ISPs to log the Internet Connection Records (ICR) of all their customers for up to 12 months.

Interestingly today’s response and proposed amendments consider the outcome of three rulings against related legislation. This includes a 2016 ruling by the Court of Justice of the European Union (CJEU), which found that EU law does not allow “general and indiscriminate retention of traffic data and location data,” except for “targeted” use against “serious crime” (here).

On top of that the Government said it has now also considered two recent rulings, which includes an April 2018 verdict by the High Court of Justice (Queen’s Bench Division) that found part of the new IPAct to be unlawful (here and here).

The High Court essentially agreed that Part 4 of the IPAct is incompatible with fundamental rights in EU law because in the area of criminal justice: (1) access to retained data is not limited to the purpose of combating “serious crime“; and (2) access to retained data is not subject to prior review by a court or an independent administrative body.

At the time the court told the government to amend its law by 1st November 2018. As part of that they were told to change the law to require prior review by a court or independent administrative body and – in the context of crime-fighting – to only allow access to data for purposes of combating “serious crime.” Sadly this doesn’t stop the data collection itself due to the case only focusing upon access to the data (a separate case may challenge that).

The new document, which was published today but dated for June 2018, provides both an overview of the representations received during the consultation period and the Government’s response to them, and outlines the changes that will be made as a consequence of these comments, and the next steps. The key paragraphs are as follows.

Restriction to serious crime

We received a number of responses to the consultation that were supportive of our proposed definition of serious crime for use solely in the communications data context, including the proposed removal of three statutory purposes. There was also recognition of the essential role communications data plays in a broad range of investigations, for instance domestic abuse cases, where offending may quickly escalate in terms of seriousness and risk of harm to the victim. However, the majority of respondents who commented on that proposal considered that an offence for which an adult was capable of being sentenced to six months imprisonment was not sufficiently serious to merit being described as ‘serious crime’, and therefore did not meet the requirements of the judgement.

Some respondents misinterpreted the existing regime, believing that all communications data requests must already be for serious crime purposes, and that our proposal would therefore lower the existing threshold. The Act currently permits communications data to be retained and acquired for the purpose of preventing or detecting crime or preventing disorder, rather than being restricted to serious crime. The intention we laid out in the consultation document is to introduce an additional serious crime threshold which is relevant solely in the context of the retention and acquisition of communications data. This remains our intention. It is recognised that communications data is a less intrusive capability than others provided for by the Act, such as interception of communications, and the types of investigations in which it plays a vital role can carry shorter lengths of prison sentence. As was stated in the consultation document, in some circumstances, such as where the criminality takes place online, communications data may be the only way to progress an investigation. This change does not affect the serious crime threshold for other powers in the Act as some respondents feared.

Respondents made suggestions for how the proposed serious crime definition could be tightened, for instance by defining the exact type of crimes covered, or by increasing the minimum prison sentences available for certain crimes to the three year threshold provided in section 263 of the IPA. It would not be right to inflate sentencing thresholds in this way, as each sentencing threshold should be an appropriate punishment for the crime, not appropriate to the use of a particular investigative technique. In addition to this, as sentencing for different crimes are set out in the relevant statutory framework, to increase the minimum sentences for each offence would require each piece of legislation to be amended. This is not a feasible approach.

We have, though, listened to the concerns expressed by respondents that our proposed serious crime threshold in the communications data context was too low.

Therefore in the regulations that have been laid before Parliament, we have increased the crime threshold for which events data can be acquired to crimes for which a person is capable of receiving 12 months in prison. This will means data cannot be acquired for the investigation of crimes where a person is not capable of being sentenced to 12 months imprisonment. Depriving a person of their liberty by handing down a prison sentence is, of course, a serious issue.

We also understand the concerns that respondents expressed about the broad spectrum of seriousness that could be captured within the serious crime definition we are proposing for communications data acquisition. For example the offence of theft carries a maximum sentence of 14 years but also includes more low level offences such as shoplifting. To address such cases we have set out explicitly in the code of practice the considerations that must be addressed by public authorities when considering whether the crime is sufficiently serious to justify the acquisition of such data. This makes clear that relevant public authorities should also consider factors such as the particular circumstances of the case, the offender, the impact on the victim, the harm suffered, and the motive of the crime in order to demonstrate that the acquisition of communications data is proportionate.

Of course it will still only be possible to acquire communications data on a case-by-case basis, and only where the officer authorising the application considers that it is necessary and proportionate in that specific case. In the future this decision will, in the vast majority of cases, be made by the independent Office for Communications Data Authorisations once it is established.

One respondent was concerned that removing ‘for the purpose of protecting public health’ might affect the investigation of infectious diseases, including where there is a serious epidemic. The Government is content that in such circumstances where it is necessary and proportionate to acquire communications data, the ‘purpose of preventing death or injury or any damage to a person’s mental or physical health, or of mitigating any injury or damage to a person’s physical or mental health’ would be sufficient and that there will not, therefore, be damage to public health resulting from this change.

One respondent expressed concern at removing ‘tax evasion from the list of reasons for the collection of data’. It is important to be clear that criminal offences relating to tax evasion attract a maximum sentence above the proposed 12 month threshold and therefore the removal of the tax purpose will have no impact on HMRC serious criminal investigations into tax evasion.

Scope and permissibility of the regime

There was general consensus amongst respondents that an EU Member State’s data retention regime should not be general and indiscriminate, in accordance with the requirements of the CJEU judgment. For the reasons laid out in the consultation document, we believe that our existing regime meets the requirements of the judgment in this area, and we will be making no further amendments to our proposals in this respect.

In the recent challenge to Part 4 of the IPA, the High Court ruled that “it could not possibly be said that the legislation requires, or even permits, a general and indiscriminate retention of communications data”, rejecting the claim that it is inconsistent with EU law because it provides for the general and indiscriminate retention of communications data. The High Court was therefore clear that the existing regime is consistent with EU law in this regard and is not general and indiscriminate.

Broadly speaking the government appears to stick to their earlier proposed amendments to the IPAct and makes a few more tweaks, although it’s not yet clear whether this will be enough to satisfy opponents. In any case the revised regulations and code of practice have now been laid before Parliament for debate and approval.

Future legal challenges are also being proposed by Liberty in order tackle the rules that allow the state to hack our computers, hoover up information about who we speak to, where we go, and what we look at online, and collect profiles of individual people even without any suspicion of criminality (here).